Processing of personal data refers to, in principle, any handling of personal data, such as entering, storing, scanning, photographing, editing, analysing, printing, emailing, scanning for viruses, backing up and deleting data.
What is considered regular personal data?
Personal data is any kind of information that can be directly or indirectly linked to a living person. This means that not only names and personal identity numbers are personal data, but also people's user names, Umu-id, email or IP addresses, biometric data, physiological status and voice recordings. When you know who has submitted an answer to a survey, the answer is also considered personal data.
Combinations of data can also be regarded as personal data if the combined information can be used to link the data to a natural person. Even if no name, personal identity number or address is registered, any other registered data will be regarded as personal data if the information enables you to identify a particular individual.
What is considered sensitive personal data?
According to the General Data Protection Regulation, sensitive personal data are data that can reveal racial or ethnic origin, political opinion, religion or beliefs, trade union membership, sexual orientation, or personal data concerning genetic, biometric or health status. Health data can, for instance, be sickness absence, pregnancy or medical consultations.
Even if information is not classed as sensitive personal data, it can also be sensitive to someone’s integrity or be classed as particularly worthy of protection. This could be salary figures, transgressions of the law, assessing details such as notes from a development discussion, results from personality tests or personality profiles, information regarding someone’s personal life or social circumstances. Personal identity numbers are regarded as personal data particularly worthy of protection.
Are you writing a project where you process personal data?
First of all, you need to classify all the personal data you wish to process. Are they regular personal data or sensitive or integrity sensitive personal data?
If you are processing regular personal data
Use the tools and services the University refers to, in this case Office 365. Your supervisor or teacher will set up a team in Teams that only you and your teacher or supervisor will have access to. All data is to be collected, stored and processed through the Team.
To process personal data, you need individual consent from each person whose personal data you intend to process. Template for consent (In English) Template for consent (In Swedish)
If you are processing sensitive personal data or personal data that merit special protection
The General Data Protection Regulation states that the processing of sensitive personal data is prohibited, however there are some exceptions from this prohibition. In some cases, it may add value for students to be allowed to process sensitive personal data or personal data that merit special protection. However, the legal scope for this is very limited.
Even if Umeå University has made the assessment that there are legal possibilities for a student to process sensitive personal data or personal data that merit special protection, please note that there are currently no sufficiently secure technical solutions in place to process this type of personal data. Please contact your faculty if you have any questions.
For a student to be allowed to process this type of data, the project must have been conducted under ethically acceptable terms.
The faculty your department belongs to can assess the suitability of the processing of personal data for the needs of the education.
Only approved IT services may be used when processing personal data.
Collaboration site for student project that contains sensitive personal data