Doctoral student/researcher
As a doctoral student/researcher, you need to know how to process personal data correctly as this is often involved in a doctoral student/researcher’s tasks. The information below indicates what you should think about if you are a doctoral student carrying out personal data processing.
Personal data
‘Personal data’ means all pieces of information that can directly or indirectly identify a person, such as name, personal identity number and email address. This means that almost all information about people can be personal data, at least when several pieces of data are processed together. Personal data also include ‘sensitive personal data’ such as genetic data or health data. See further below.
To put it simply, everything you do with these personal data – collection, adaptation or whatever – is processing.
Data protection policy
Uppsala University has drawn up a data protection policy on the treatment of personal data at the University. You can find the policy here. There you will also find information about the rights that data subjects can exercise with respect to Uppsala University and that you are often required to inform the data subjects about, for example, when you obtain consent.
General principles
Any personal data processing must follow the principles of the General Data Protection Regulation (GDPR). You must always take these principles into account when processing personal data. The fundamental principles are:
-
the principle of lawfulness, fairness and transparency,
-
the principle of purpose limitation,
-
the principle of data minimisation,
-
the principle of accuracy,
-
the principle of storage limitation, and
-
the principle of integrity and confidentiality.
If you would like to learn more about these principles, read the document here.
Lawful basis
For processing of personal data to be lawful, it must be based on at least one of six possible lawful bases. These are:
-
Consent
-
Contract
-
Legal obligation
-
Protection of vital interests
-
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
-
Balance of interests (legitimate interest). This basis, however, may not be used by public authorities in the performance of their tasks.
Note that ‘consent’ will very rarely be used as a lawful basis at Uppsala University. Before you decide that your processing has consent as its lawful basis you should read through all the other bases to see if you can find one that is more appropriate. To learn more about the lawful bases and when each of them may be appropriate, read more here.
Sensitive personal data
‘Sensitive personal data’ are data about:
-
racial or ethnic origin
-
political opinions
-
religious or philosophical beliefs
-
trade union membership
-
health
-
a person’s sex life or sexual orientation
-
genetic data
-
biometric data that uniquely identify a person.
As a rule, sensitive personal data may not be processed, but the GDPR allows a number of exceptions. One such is consent. This means that if you are going to process sensitive personal data in your research, for example, the individuals whose personal data you obtain need to consent to this. Consent is subject to certain conditions – read more here.
Controller and processor
Often more than one actor is involved in the processing of personal data and it is important to know which of the actors is responsible for the processing.
Controller – The legal or natural person that determines the purposes and means of the processing of personal data is the controller and is responsible for the personal data processing. Controllers process data ‘on their own behalf’, as it were: they decide what will be done with the data, e.g. collection and storage, what the purpose of the collection and storage is and how it will be done. It is important to remember that it is Uppsala University in its capacity as legal person, not individuals at the University, that is the controller of processing operations where the University determines the objectives and means of processing. Consequently, as a doctoral student/researcher you are not the controller as regards any processing you perform in your research – it is Uppsala University that is the controller. However, it is important that you are well informed about the implications of personal data processing, as you are not allowed to process data unlawfully.
Processor – The controller can entrust another legal or natural person with the task of performing personal data processing. The processor then carries out the processing ‘on another person’s behalf’. The way in which the processor is to process the data must be specified in a data processing agreement (DPA). The Legal Affairs Division has produced a DPA template. Do you need a DPA template? Get in touch with juravd@uadm.uu.se.
Joint controllers – If two or more persons together determine the purpose and means of processing, they may be joint controllers. In that case, they must draw up an agreement that clearly sets out who is responsible for what. Would you like help with this? Contact the Legal Affairs Division: juravd@uadm.uu.se.
The right of data subjects to information and extracts from records
It is important that the University knows which personal data we process and where they are held so that we can provide correct information to those whose personal data we process. The first step in making this possible is to notify the University’s central register of records of all processing operations. You can do that here if Uppsala University is the controller and if Uppsala University is the processor.
Rights of data subjects
Data subjects have a right to know that we process their personal data. For more information about the rights that data subjects can exercise in relation to the University.
Impact assessment
Sometimes you may need to conduct an impact assessment before you begin to process personal data. If you believe your intended processing requires an impact assessment, you should contact the data protection officer who will help you to proceed. When determining whether you need to conduct an impact assessment, you should ask yourself:
Does the processing of personal data involve:
-
a substantial risk that human rights and freedoms may be violated?
-
profiling, the results of which will then be used to automatically categorise/evaluate individuals?
-
extensive amounts of sensitive personal data and/or data on criminal records?
-
extensive collection of personal data?
The assessment can be conducted by considering whether:
-
the processing methods jeopardise the quality, authenticity or integrity of the data;
-
the method for continuous control of the processing is effective;
-
any identified risks associated with the processing can be counteracted;
-
procedures are in place for the notification of personal data breaches.
(Human rights and freedoms = right to life, liberty and personal security; freedom from slavery and servitude; freedom from torture and cruel, inhuman or degrading treatment; equality before the law; right to fair public hearing; freedom from arbitrary arrest, detention or exile; freedom from interference with privacy, family, home and correspondence; right to free movement; right to own property; right to freedom of belief and religion; freedom of opinion and expression; right of peaceful assembly and association.)
Information security
When you conduct research, you must ensure that all information management in your activities meets the University’s requirements for good information security. Systems and storage solutions used in this connection need to be analysed in terms of security, as does the management of these solutions, together with any personal equipment used in your own information management.
The foundation of secure treatment of information is laid by conducting a classification of information – an activity in which the level of protection that the information warrants is determined in the light of confidentiality, accuracy and accessibility. The results of information classifications are used as input in a subsequent stage, known as a requirement analysis, in which the security of the systems and storage solutions used are analysed. The University’s Risk Management Procedures (UFV 2018/211), including appendices, provide guidance on the conduct of information classifications and requirement analyses.
The University’s Procedures for Secure Information Management (UFV 2018/668) provide guidance on secure information management in general, as well as specific information regarding the use of cloud services.
You will find these documents in the University’s “Goals and regulations”, but they are also available on the page https://mp.uu.se/web/info/stod/sakerhet/informationssakerhet, along with additional material relating to the GDPR and information security. If you need help with security classification, please get in touch with the University’s information security officer here.