General Data Protection Regulation (GDPR) - teach and supervise
2.3.3 Students’ processing of personal data
Linnaeus University is responsible not only for the processing performed in administration and research but also for students' processing, as long as that processing is part of the education. This means that if a student establishes a processing of personal data, the same rules apply as for other processing at the university. There must be a permitted basis for the processing, the principles must be followed (the processing must be legal, open, correct, appropriate and data-minimized), the data subject must be informed and the processing must be registered in the local records (Anmälan om personuppgiftsbehandling).
Students may establish personal data processing in the course of their education, for example, when writing a thesis. It is important that those who work as supervisors are well aware that the rules for personal data processing also apply to our students, so that they can support them. To help, the university has developed an information document addressed directly to students who will process personal data, which covers the most common questions (available as part of this material). Additional support is available through the Data Protection Officer.
It may be difficult to find a basis for students' processing apart from consent, which makes it even more important to understand the importance of providing accurate information to the data subjects and of collecting and saving the consent. Of course, this only applies to processing that includes personal data, and it may be advisable to consider before the thesis work begins whether the work needs to contain personal data at all, or whether it could be done with anonymous data not covered by the General Data Protection Regulation. It is important to remember that the requirements apply not only to the final project but also to the material used to produce it: if the completed work does not contain personal data but personal data has been processed in order to produce it, the requirements of the General Data Protection Regulation still apply. It is also important to remember that pseudonymized data are considered personal data. For data to be considered anonymous, there must be no possibility of recreating a link between the data and the physical person.
What a student may collect with consent as a basis for processing is not limited, but the information may not be more comprehensive than necessary and should be collected for a specific and explicit purpose. The collection, handling and storage must be carried out in a safe manner that corresponds to the sensitivity of the data and, just as with other processing, an impact assessment is to be conducted if it is likely that the processing may lead to a high risk for the rights and freedoms of the data subject. To find out on what occasions an impact assessment is required, and for assistance with the assessment itself, contact the Data Protection Officer.
It is especially important for those who act as supervisors to know that a student’s processing is also covered by the university's responsibilities and rules and that there is an information text for students who will process personal data.