Processing of personal data in student projects
Processing of personal data
This text provides a brief overview of the steps that are necessary for the handling of personal data to be correct in your degree project.
In addition to the rules that apply to personal data, depending on what your degree project is about, there may be additional rules to take into account. You should therefore always have a discussion with your supervisor about what information to handle and plan accordingly.
For questions about the information: dataskyddsombud@bth.se
For registration of processing: Register the processing
Step 1 – Does personal data need to be processed?
The first question is whether it is really necessary to process personal data.
If the project can be done without processing personal data, this is preferable. If you do not process personal data, the requirements of the General Data Protection Regulation do not apply, which makes the work easier. However, it is important to remember that personal data includes all information that can be directly or indirectly linked to a living person. This means that personal data is not only such things as a name, social security number, recording of an interview or portrait photo; it can also be a combination of more anonymous information that together makes it possible to identify an individual.
Step 2 – Define the purpose of the processing and what data must be collected
Before the practical work begins, it is important to clarify what data will be collected and why. For those going to do a degree project, this is not a difficult task: the purpose of the processing is simply to be able to perform the investigation that is necessary to support your work. It is nevertheless important that you think through and formulate the purpose, and that you are clear about what information is necessary to reach it.
Step 3 – Register the processing
Each processing of personal data shall be registered in BTH’s register of personal data processing.
You report the processing of personal data via a form where you briefly fill in the purpose of the processing, what types of data you intend to collect and process, your contact information, how long the data will be saved (if possible), whether any other party will participate in the work with the personal data and how the information will be protected. The register should not contain any of the collected personal data, but only a list of what is collected and processed so that the university has control over what processing is ongoing. BTH has formal responsibility for the personal data processing carried out throughout its operations, and this also applies to degree projects.
Step 4 – Decide how the information will be stored and handled securely during work
Collected information must be processed in a secure manner. Storing collected personal data in your home directory (J:) is recommended.
The home directory also has sufficient security for sensitive personal data (sensitive personal data includes data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data and data on a person’s health, sex life or sexual orientation). BTH also provides a number of additional services that can be useful at work, such as OneDrive. These may be used for personal data that is not sensitive.
External storage services (tools not provided through the university) may not be used for personal data. This applies, for example, to Dropbox, Google Docs, iCloud and more.
Step 5 – Decide which parts of the information should be deleted and retained when the work is complete
Personal data shall not be kept longer than necessary and shall be deleted when it is no longer needed.
At the same time, there may be parts of the information that must be preserved in order to be able to substantiate the conclusions of the degree project or because they are necessary for future processing. Before the practical work starts, it is therefore important to decide what will happen to the collected personal data afterwards.
Which data should be retained and which should be deleted? During the course of the work, there may be reason to reconsider the original plan, but it is important that there is a basic plan, not least to be able to answer questions from the data subjects (the people whose data is collected).
Step 6 – Obtain consent, inform data subjects and collect the necessary personal data
Personal data may only be processed if there is a legal basis for the processing.
The General Data Protection Regulation specifies a number of grounds that are considered permissible, but for a degree project, in practice only consent can be considered (if it is not possible to use consent, you should discuss this with your supervisor and the data protection officer to see if it is possible to find another solution). Using consent as a basis means that the data subject gives their active consent to the processing.
In practice, this means that you clearly state what data you want to collect, what it will be used for and by whom, for how long the data will be used, that there is an opportunity to request to see the collected information and that there is an opportunity to turn to the Data Protection Officer or the Privacy Protection Authority with complaints. After the data subject has read the information, they can give their consent to the processing and it is then permitted to process the data. It is important to know that consent must be registered and saved so that it can be retrieved if necessary, and that the data subject has the right to withdraw their consent at any time.
The consent must therefore be made in writing (digital signing is also acceptable). If the data subject has consented to the processing, sensitive data may also be processed (note that sensitive data places great demands on the security of the processing).
Step 7 – Process the collected material
Provided that the previous steps have been performed, this is a formally simple step that does not require any further action. At the same time, in practice, this is the main work.
Step 8 – After processing, delete or archive the personal data material as needed
Like the processing itself, this is a simple step, as the practical work is now completed. The material that has been processed should now either be transferred for preservation/archiving or deleted, as you decided in step 5.
Contact the university’s data protection officer and notify them that the processing has ended.