General Data Protection Regulation (GDPR) - student
4.3 Personal data processing in thesis work
The General Data Protection Regulation, together with a number of Swedish laws attached to it, imposes strict requirements on how all work with personal data is performed. Therefore, if you are thinking of using personal data for your degree project, there is a lot to think about. This text provides a brief overview of the steps necessary for the processing of personal data to be correct. In addition to the rules governing personal data, depending on what you intend to process, there may be additional legislation to take into consideration, and you should have an overall discussion with your supervisor about what information is to be processed and plan accordingly.
Step 1 - Must personal data be processed?
The first question is whether it is really necessary to process personal data. If the work to be done can be performed without processing personal data, then this is preferable. If you do not process personal data, then the requirements of the General Data Protection Regulation do not apply, which makes the work easier. However, it is important to remember that personal data includes all information that can be linked directly or indirectly to a living person. This means that it is not only names, national identification numbers, DNA or portrait photos that constitute personal data; a combination of more anonymous data, which together make it possible to identify an individual, can also be personal data.
Step 2 - Define the purpose of the processing and what information must be collected
Before the practical work begins, it is important to identify what information is to be collected and why. For those who are doing a degree project this is not a difficult task. The purpose of the processing is simply to be able to carry out the study necessary to substantiate your work. It is, however, important that you think this through and formulate the purpose, and that you are aware of what information is necessary to achieve it.
Step 3 - Register your processing
Any processing of personal data must be recorded in the university’s records of personal data processing. You can find the registry at Anmälan om personuppgiftsbehandling_thesis, where you fill in the purpose of the processing, what types of information you intend to collect and process, your contact details, how long the data will be saved (if possible), whether any third party will participate in the work on personal data and how the information will be protected. Once you have logged in to the records, there are help texts and explanations for each type of information to be entered. The records must not contain any of the collected personal data, only a list of what is collected and processed, so that the university has control over what processing is in progress. The university is the controller and, as such, formally responsible for the personal data being processed throughout the university, and this also applies to degree projects.
Step 4 - Determine how the information is safely stored and processed during work
The collected information must be processed safely. Keeping personal data in your home directory is recommended. The home directory also has sufficient security for sensitive personal data (such as data on racial or ethnic origin, political views, religious or philosophical beliefs, union membership, genetic and biometric information, and information about a person's health, sex life or sexual orientation). The university also provides a number of additional services that may be practical in your work, such as Box and Sunet Survey. These may be used for non-sensitive personal data. External services (tools not provided through the university) may not be used for any kind of personal data. This applies, for example, to Dropbox, Google Docs, iCloud and others.
Step 5 - Determine what parts of the information are to be erased or archived when the processing is completed
Personal data may not be retained for longer than is necessary and should be erased when no longer needed. At the same time, there may be parts of the information that must be preserved to be able to substantiate the conclusions of the thesis work or because they are necessary for future processing. Therefore, before the practical work starts, it is important to decide what will happen to the collected personal data afterwards. What information is to be retained and what is to be erased? During the course of the work, there may be a need to rethink the original plan, but it is important that there is a basic plan, especially in order to answer questions from the data subjects.
Step 6 - Obtain consent, inform the data subjects and collect the necessary personal data
Personal data may only be processed if there is a legal basis for the processing. The General Data Protection Regulation specifies a number of grounds that are considered admissible, but for a degree project, it is in practice only consent that may be used (if it is not possible to use consent, you should discuss this with your supervisor and the Data Protection Officer to see if another solution can be found). Using consent as a basis means that the data subject gives his or her active consent to the processing. This means in practice that you clearly describe what information you want to collect, what it is to be used for and by whom, how long the data will be used, that there is a possibility to request to see the collected information and that it is possible to contact the Data Protection Officer or Datainspektionen with complaints. After the data subject has read the information, he or she can consent to the processing, and the processing of the data is then permitted. It is important to know that consent must be documented and stored so that it can be presented upon request, and that the data subject is entitled to withdraw his or her consent at any time. If the data subject has agreed to the processing, sensitive data may also be processed (note that sensitive data imposes high security requirements in the processing).
Step 7 - Process the collected information
Provided that the previous steps have been taken, this is formally a simple step that does not require any further action in connection with the General Data Protection Regulation. At the same time, this is in practice the main work.
Step 8 - After processing, delete or archive personal data as needed
Like the processing itself, this is also a simple step, as the practical work has been completed. The material that has been processed should now either be transferred for archiving or deleted, as decided in Step 5. Erasing the information is the usual outcome, but in some cases the material should be kept.