General Data Protection Regulation (GDPR) - teach and supervise
4.2.4 Comment on step 4
Step 4 - Determine how the information is safely stored and processed during work
The collected information must be processed safely. Keeping personal data in your home directory is recommended. The home directory also has sufficient security for sensitive personal data (such as data on racial or ethnic origin, political views, religious or philosophical beliefs, union membership, genetic and biometric information, and information about a person's health, sex life or sexual orientation). The university also provides a number of additional services that may be practical at work such as Box and Sunet Survey. These may be used for non-sensitive personal data. External services (tools not provided through the university) may not be used for any kind of personal data. This applies, for example, to Dropbox, Google docs, iCloud and others.
Safety measures
The most basic security measure is never to collect more data than needed for the processing. Information that is not available can never be compromised or misused. Because of this, the information collected should be the least amount necessary. If it is possible to carry out the work using completely anonymous information, as mentioned earlier, this is preferable. If it is necessary to be able to connect information to a person, it may be appropriate to make a connection that requires access to a key that links the person to the information and is stored separately. Data protected in this way is called pseudonymized. It is still personal data according to the regulation, but the security is significantly improved because only those who need to make the connection have access to the key.
The storing of personal data shall be such as to ensure adequate protection of the data. The sensitivity of the data and the damage they may incur to the data subject should be balanced against the costs and technical possibilities of protection. In short, the student's home directory has sufficient security to store even sensitive personal data and is a suitable storage location. This cannot be said about most online storage solutions, which means that they may not be used to handle personal data. For example, in order to be allowed to use third parties in the processing of personal data, a processing agreement has to be signed with the processor, and this has only been done for the tools provided through the university. It is, because of this, important to note that only the services provided through the university, may be used for processing personal data and only the home directory for the storage of sensitive personal data.
If sensitive personal information is to be processed
Information on racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic and biometric data, and information about a person's health, sex life or sexual orientation is considered sensitive data and may not be processed at all unless there is a specific exception which allows treatment. For a degree project, consent is such an exception, and the data may be processed if the data subject has consented to the treatment. It is important to emphasize that, as always, the consent must be informed and freely given and specific to the process. It must be documented and saved so that it can be displayed as needed. The consent can be revoked at any time and continued treatment with consent as a basis is not permitted. Sensitive information places high demands on administrative and technical safeguards and all such material should be kept in the student's home directory. If this is not possible, the storage must have at least equivalent technical and administrative protection.