Financial administrator (financial administration staff)
Financial administrators deal with personal data every day. It is therefore important to think about how you deal with these data and to have appropriate procedures in place.
Personal data
‘Personal data’ means all pieces of information that can directly or indirectly identify a person, such as name, personal identity number and email address. This means that almost all information about people can be personal data, at least when several pieces of data are processed together. Personal data also include ‘sensitive personal data’ such as genetic data or health data. Read more about sensitive personal data below.
To put it simply, everything you do with these personal data – collection, adaptation, storage or whatever – is processing.
Sensitive personal data
‘Sensitive personal data’ are data about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health
- a person’s sex life or sexual orientation
- genetic data
- biometric data that uniquely identify a person.
As a rule, sensitive personal data may not be processed, but the General Data Protection Regulation (GDPR) allows a number of exceptions. One such is consent. This means that if you are going to process sensitive personal data in your research, for example, the individuals whose personal data you obtain need to consent to this. Consent is subject to certain conditions – read more here. Information about sickness absence in a pay slip is one example of sensitive personal data.
General principles
Any personal data processing must follow the principles of the GDPR. You must always take these principles into account when processing personal data. The fundamental principles are:
- the principle of lawfulness, fairness and transparency,
- the principle of purpose limitation,
- the principle of data minimisation,
- the principle of accuracy,
- the principle of storage limitation, and
- the principle of integrity and confidentiality.
If you would like to learn more about these principles, read the document here.
Lawful basis
For processing of personal data to be lawful, it must be based on at least one of six possible lawful bases. These are:
- Consent
- Contract
- Legal obligation
- Protection of vital interests
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Balance of interests (legitimate interest). This basis, however, may not be used by public authorities in the performance of their tasks.
To learn more about the lawful bases and when each of them may be appropriate, read more here.
Controller and processor
Controller – The legal or natural person that determines the purposes and means of the processing of personal data is the controller and is responsible for the personal data processing. Controllers process data ‘on their own behalf’, as it were: they decide what will be done with the data, e.g. collection and storage, what the purpose of the collection and storage is and how it will be done. It is important to remember that it is Uppsala University in its capacity as legal person, not individuals at the University, that is the controller of processing operations where the University determines the objectives and means of processing.
Processor – The controller can entrust another legal or natural person with the task of performing personal data processing. The processor then carries out the processing ‘on another person’s behalf’. The way in which the processor is to process the data must be specified in a data processing agreement (DPA). The Legal Affairs Division has produced a DPA template. Do you need a DPA template? Get in touch with juravd@uadm.uu.se.
Joint controllers – If two or more persons together determine the purpose and means of processing, they may be joint controllers. In that case, they must draw up an agreement that clearly sets out who is responsible for what. Would you like help with this? Contact the Legal Affairs Division: juravd@uadm.uu.se.
Data protection policy and rights of data subjects
Uppsala University has drawn up a data protection policy on the treatment of personal data at the University. You can find the policy here.
Rights of data subjects
Data subjects have a right to know that we process their personal data. For more information about the rights that data subjects can exercise in relation to the University.