Head of division/head of department
As head of division or head of department, you have a responsibility to ensure that the division’s or department’s employees have the information they need to be able to process personal data correctly under the GDPR and supplementary national legislation. Guidance documents such as a personal data policy and guidelines for email are available to help you and them. Your staff will also find information on the intranet (Medarbetarportalen) about points that are good to bear in mind when processing personal data at Uppsala University. There they can read the information they need in their particular role by clicking on the role description that fits them best. If anyone wants more information, they can read more under the other role descriptions or on the general page.
Above all, it’s a good thing to keep a record of personal data processing. ‘Personal data’ means all pieces of information that can directly or indirectly identify a person, such as name, personal identity number and email address. This means that almost all information about people can be personal data, at least when several pieces of data are processed together. Personal data also include ‘sensitive personal data’ such as genetic data or health data. To put it simply, everything you do with these personal data – collection, adaptation or whatever – is processing. Read more about personal data and sensitive personal data below.
Important advice
- Make sure you inform your staff about the GDPR.
- Draw up policy documents and working documents that are tailored to your particular division/department and make it easier to implement the GDPR provisions.
- Take stock of and document the processing operations you perform. Submit notification of these to the University’s register of records here (if you are the controller). Read more about when and how to submit notification of personal data processing below.
- Determine what lawful basis you have for your processing operations. Read more about this below or read the in-depth information here.
- Do you have any relations with processors? If so, you need to draw up an agreement on this. Read more about processors below. Notification of processors is also required. You can do that here.
- Be sure to provide clear information about what to do in the event of a suspected personal data breach. Read more here.
- Coordinate work on information security aspects. Information classification is one method you can use to determine what level of protection is necessary and sufficient. More about information security. If the department/division has its own systems, these need to be included in the requirement analysis. The results of information classifications and requirement analyses can be used as a basis for the department/division’s local information security procedures. Copies of information classifications and requirement analyses should be sent to the Security and Safety Division.
General principles
Personal data processing may feel complicated and unclear, but with the right approach, it’s not difficult to get it right. First and foremost, the GDPR contains a few general principles to bear in mind.
The fundamental principles are:
- the principle of lawfulness, fairness and transparency,
- the principle of purpose limitation,
- the principle of data minimisation,
- the principle of accuracy,
- the principle of storage limitation, and
- the principle of integrity and confidentiality.
If you would like to learn more about these principles, read the document here.
Lawful basis
For processing of personal data to be lawful, it must be based on at least one of six possible lawful bases. These are:
- Consent
- Contract
- Legal obligation
- Protection of vital interests
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Balance of interests (legitimate interest). This basis, however, may not be used by public authorities in the performance of their tasks.
Note that ‘consent’ will very rarely be used as a lawful basis at Uppsala University, so before you decide that your processing has consent as its lawful basis you should read through all the other bases to see if you can find one that is more appropriate. To learn more about the lawful bases and when each of them may be appropriate, read more here.
Controller and processor
Often more than one actor is involved in the processing of personal data and it is important to know which of the actors is responsible for the processing.
Controller – The legal or natural person that determines the purposes and means of the processing of personal data is the controller and is responsible for the personal data processing. Controllers process data ‘on their own behalf’, as it were: they decide what will be done with the data, e.g. collection and storage, what the purpose of the collection and storage is and how it will be done. It is important to remember that it is Uppsala University in its capacity as legal person, not individuals at the University, that is the controller of processing operations where the University determines the objectives and means of processing.
Processor – The controller can entrust another legal or natural person with the task of performing personal data processing. The processor then carries out the processing ‘on another person’s behalf’. The way in which the processor is to process the data must be specified in a data processing agreement (DPA). The Legal Affairs Division has produced a DPA template. Do you need a DPA template? Get in touch with juravd@uadm.uu.se.
Joint controllers – If two or more persons together determine the purpose and means of processing, they may be joint controllers. In that case, they must draw up an agreement that clearly sets out who is responsible for what. Would you like help with this? Contact the Legal Affairs Division: juravd@uadm.uu.se.
It is important for every division/department to take stock of their processing operations and any controller–processor relations between the University and another party.
The right of data subjects to information and extracts from records
It is important that the University knows which personal data we process and where they are held so that we can provide correct information to those whose personal data we process. The first step in making this possible is to notify the University’s central register of records of all processing operations. You can do that here if Uppsala University is the controller and if Uppsala University is the processor.
The head of division/head of department is not personally responsible for notification of all processing operations. However, it is their responsibility to ensure that it is done, for example, by informing staff about the existence of a register of records and designating an internal person/persons responsible for notification.
Rights of data subjects
Data subjects have a right to know that we process their personal data. For more information about the rights that data subjects can exercise in relation to the University.
Personal data breaches
A personal data breach is a breach of security that may pose a risk to people’s rights and freedoms. The risk may involve someone losing control of their data or their rights being curtailed. If, for example, data about one or more data subjects have been destroyed, lost or become available to someone who does not have a right to them, a personal data breach has occurred. To find out how to report a personal data breach, see the document here.
The role of the data protection officer
The overarching and most important task of the data protection officer (DPO) is to monitor Uppsala University’s compliance with the GDPR’s regulations on personal data processing. This task includes:
- establishing procedures that facilitate notification of how the organisation processes personal data to a register of records.
- encouraging a good data protection culture, verifying that the organisation follows regulations and internal policy documents, and following up divergences.
- providing information and advice on personal data processing to the general public and to staff and members of the University.
In addition, the DPO is the contact person in relation to the highest administrative level and supervisory authorities for issues relating to personal data processing at the authority (the University). The DPO has no decision-making powers. It is the controller (Uppsala University) that is responsible for the legal and secure performance of personal data processing in compliance with GDPR regulations. However, the DPO makes recommendations on the handling of specific cases that must be taken into account. If the controller chooses to dismiss the DPO’s recommendations, this divergence must be justified in writing and documented.
The DPO also provides advice on impact assessments that may need to be made in connection with certain types of personal data processing that pose a significant risk to human rights and freedoms or are particularly large-scale.