Frequently asked questions
Students' personal data processing at the Bachelor’s and Master’s levels
What responsibility does the university have for students' processing of personal data?
As a general rule, the university is the data controller for the processing of personal data that students carry out within the framework of the educational programme, for example in connection with academic papers. This means that the course coordinator is responsible for ensuring that the processing takes place in accordance with the provisions of the General Data Protection Regulation and that the university is responsible for any violations of the regulation.
There is one exception to the main rule. During VFU/student placements/internships, it is the internship that is the data controller for the processing of personal data that students carry out within the framework of the work, in the same way that the internship is the data controller when its employees process personal data.
What is personal data and what is actually meant by processing?
Personal data is any information that alone, or in combination with other information that you or someone else has access to, directly or indirectly, can be linked to a natural person who is alive. Examples include name, email address, IP address and various kinds of electronic identities. Photos and videos of people, or a person's voice, are examples of other common personal data.
Processing means everything you can do with personal data electronically, for example collecting, annotating, photographing, filming, streaming, recording, storing, reading, compiling, copying, uploading, and publishing.
When are students allowed to process personal data?
According to the rules adopted by the university, course components must, as a general rule, be designed in such a way that students do not need to process personal data to achieve the course objectives. This also applies to the choice of subject for academic papers and degree projects, etc.
In exceptional cases, students may process personal data if it is deemed necessary to achieve the course objectives. The course coordinator is then responsible for providing information and guidance on how the processing should take place.
Students may only process personal data if the person whose personal data is to be processed consents to the processing. Students' personal data processing thus always requires consent. Please note that consent can always be revoked with the result that the data may not be processed, which may result in the loss of all or part of the student's work.
Students should use the university's consent templates. The templates are aimed at the course coordinator and require the course coordinator to review and, where applicable, adapt the content and distribute them to the students who will process personal data.
What kind of personal data are students allowed to process?
Students may never, within the framework of the educational programme, process personal data that is sensitive in the sense of the GDPR or personal data that is otherwise considered privacy-sensitive. The background to this is, among other things, that the legislature believes that it is not reasonable to expect that students undergoing education at the Bachelor’s and Master’s levels have had time to acquire knowledge and insight to the extent required to handle potentially sensitive personal data.
Sensitive personal data means all data that may reveal ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, trade union membership, data on health, sex life and sexual orientation, as well as confidential data, protected data, information on violations of the law, certain information about economic conditions, as well as descriptions and values of personal characteristics and conditions, or conditions which are otherwise close to the private sphere.
During VFU/student placements/internships, students may process personal data, including sensitive personal data, to the extent that the internship allows the processing. In the event that students are allowed to process sensitive personal data at the internship, for example in healthcare, these may not be included in a thesis, reporting, or the like that is carried out within the framework of the education.
Does the university have consent templates?
Yes, the university's website contains templates for obtaining consent in both Swedish and English. The templates are aimed at course coordinators and require the course coordinator to, where applicable, adapt the content and distribute them to the students who will process personal data.
Does consent have to be collected in paper form?
Provided that no personal data is included in the completed work submitted to the university, it is possible to obtain consent electronically. These are cases where students conduct interviews, surveys, observations, etc., but where there is no need to use, in the finished work, personal data that emerged during the data collection phase.
When consent is to be obtained electronically, it should be done by the person who is to give consent printing the consent document, signing it, scanning or photographing the document with their mobile phone, and emailing the document back.
Consent should be signed by hand. Normally, it is therefore not appropriate for the person giving consent to do so by emailing that they "agree to the above," "agree to attached" or the like.
How long are students allowed to save collected personal data?
A fundamental principle of the GDPR is that personal data may not be stored longer than is necessary for the purpose of the processing of personal data. Students must therefore delete collected personal data from all storage locations as soon as the data is no longer necessary but no later than upon the grading of the assignment, provided that the student passes the assignment. If the student does not delete the personal data, this constitutes a violation of the General Data Protection Regulation for which the university is responsible.
Can written assignments, degree projects, etc. contain personal data?
As a general rule, completed student projects should not contain any personal data other than the names of the students who submitted the assignment for assessment. The submitted works become official documents and with that comes certain obligations for the university. For example, the works may only be culled (deleted) according to law or other statutes (normally two years after grading). The university is also obliged to disclose the works to anyone who requests it in accordance with the principle of public access to official documents. This means, among other things, that if a person who is part of the student's work were to withdraw their consent, it is possible that the university cannot delete the personal data (work) without violating the law (for example, if the said two-year limit has not passed yet). And if the university were to continue to save the data, the university would violate the Data Protection Regulation. Thus, completed student projects should not contain any personal data other than the names of the students who performed the work, as otherwise the university's legal obligations may conflict with one another and force the university to violate the law.
It is also important to remember that the university is responsible for personal data as long as the personal data processing is ongoing, for example storage in the university's learning platform or publication in DiVA. Responsibility continues even after the students have completed their studies. It is therefore important that the course coordinator ensures that obtained consents are preserved and kept in an orderly fashion and that there are clear procedures for how to handle a revoked consent, perhaps several years after the work was submitted and the student no longer studies at the university.
Is recording an interview personal data processing?
Recording of a person with sound and/or image is always personal data processing. This applies even if no names or other personal data are mentioned on the recording, as a person's voice or image itself is to be considered personal data. In order for recording to be allowed, it is required that the course coordinator considers it necessary to achieve the course objectives. In addition, the consent of the interviewee is required. Please note that the person to be interviewed always has the right to say no to recording. Recording may then not take place.
Normally, recordings of interviews are used as memory support, instead of notes during the interview. Often there is no need to link the information that has emerged in the interview to the person interviewed. In these cases, the recording should be transcribed anonymously as soon as possible (with personal data excluded from the text) and then deleted. The processing of personal data then ceases and the consent must be destroyed.
Are students allowed to conduct interviews via video call?
Yes, but keep in mind that when interviews are conducted via video call, personal data is processed in the form of image and voice about the participants, even if it is not recorded. Interviews via video call therefore always require consent.
For interviews via video call, Zoom should be used. It is not allowed to use other video telephony programs such as Google Meet, Microsoft Teams, Skype, Slack, etc.
What about surveys and personal data?
Students who want to conduct surveys should use the web-based survey tool Sunet Survey. It is not allowed to use other survey tools such as SurveyMonkey, Google Forms, Zoho Survey and others.
It is not allowed to collect personal data through survey questions in Sunet Survey. The survey questions should therefore be designed so that no personal data is collected. Since no personal data is then processed, consent to personal data processing is also not required.
Where personal data is to be collected through survey questions, paper-based surveys should be used. In this case, consent to the processing of personal data must also be obtained from those who are to answer the survey.
Distribution of online surveys
The university can help distribute student surveys to other students at the university. The distribution takes place by posting information about the survey, together with a link to it, in the university's learning platform.
Please note that it is not allowed for students themselves to distribute surveys through marketing platforms and email marketing services that involve personal data processing, such as MailChimp, ActiveCampaign, GetResponse, etc.
Contact the Faculty Support Office for help with the distribution of surveys.