Teacher/supervisor
If you are a teacher/supervisor at the University, it is important that you are able to give your students guidance on processing personal data. Uppsala University is the personal data controller for processing performed by students as part of their education. Therefore, please read up on how to frame a consent request, for example, for use by a student interviewing individuals for a project as part of their studies.
It is also important that you think about the personal data processing you do in your capacity as teacher/supervisor. For example, if you circulate an attendance list with the names of the students participating in your course, it is important to try to minimise the data that other students can see. You can do this by making sure that personal identity numbers are not included in lists. Personal identity numbers should only be processed when necessary to establish a person’s identity. If it is possible to do this just by using the name, processing the personal identity number is not considered necessary in this situation.
Personal data
‘Personal data’ means all pieces of information that can directly or indirectly identify a person, such as name, personal identity number and email address. This means that almost all information about people can be personal data, at least when several pieces of data are processed together. Personal data also include ‘sensitive personal data’ such as genetic data or health data. Read more about sensitive personal data below.
To put it simply, everything you do with these personal data – collection, adaptation, storage or whatever – is processing.
Sensitive personal data
‘Sensitive personal data’ are data about:
-
racial or ethnic origin
-
political opinions
-
religious or philosophical beliefs
-
trade union membership
-
health
-
a person’s sex life or sexual orientation
-
genetic data
-
biometric data that uniquely identify a person.
As a rule, sensitive personal data may not be processed, but the General Data Protection Regulation (GDPR) allows a number of exceptions. One such is consent.
Bear in mind that sensitive personal data can include disabilities, students’ physical or mental health, and religious belief. Having said that, Uppsala University recommends against using email to communicate sensitive personal data. You may only do this when absolutely essential. Remember that a telephone call can be a very good alternative to an email.
General principles
Any personal data processing must follow the principles of the GDPR. You must always take these principles into account when processing personal data. The fundamental principles are:
-
the principle of lawfulness, fairness and transparency,
-
the principle of purpose limitation,
-
the principle of data minimisation,
-
the principle of accuracy,
-
the principle of storage limitation, and
-
the principle of integrity and confidentiality.
To read more about the fundamental principles, see the document here.
Lawful basis
For processing of personal data to be lawful, it must be based on at least one of six possible lawful bases. These are:
-
Consent
-
Contract
-
Legal obligation
-
Protection of vital interests
-
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
-
Balance of interests (legitimate interest). This basis, however, may not be used by public authorities in the performance of their tasks.
Note that ‘consent’ will very rarely be used as a lawful basis at Uppsala University. Before you decide that your processing has consent as its lawful basis you should read through all the other bases to see if you can find one that is more appropriate. To learn more about the lawful bases and when each of them may be appropriate, read more here.
Processing by students
Students may process personal data when this is necessary, for a clear purpose and on a lawful basis. They must also comply with the general principles and inform the data subjects. It is important to provide notification of processing by students to the University’s central register of records. It is important that you as teacher/supervisor inform the students of this. You can access the University’s register of records here.
Rights of data subjects
Data subjects have a right to know that we process their personal data. For more information about the rights that data subjects can exercise in relation to the University.
Impact assessment
Sometimes an impact assessment may be necessary before beginning to process personal data. If you believe your student’s/doctoral student’s/etc. intended processing requires an impact assessment, you should contact the data protection officer who will help you to proceed. When determining whether you need to conduct an impact assessment, you should ask yourselves:
Does the processing of personal data involve:
-
a substantial risk that human rights and freedoms may be violated?
-
profiling, the results of which will then be used to automatically categorise/evaluate individuals?
-
extensive amounts of sensitive personal data and/or data on criminal records?
-
extensive collection of personal data?
The assessment can be conducted by considering whether:
-
the processing methods jeopardise the quality, authenticity or integrity of the data;
-
the method for continuous control of the processing is effective;
-
any identified risks associated with the processing can be counteracted;
-
procedures are in place for the notification of personal data breaches.
(Human rights and freedoms = right to life, liberty and personal security; freedom from slavery and servitude; freedom from torture and cruel, inhuman or degrading treatment; equality before the law; right to fair public hearing; freedom from arbitrary arrest, detention or exile; freedom from interference with privacy, family, home and correspondence; right to free movement; right to own property; right to freedom of belief and religion; freedom of opinion and expression; right of peaceful assembly and association.)
Information security
When you conduct research, you must ensure that all information management in your activities meets the University’s requirements for good information security. Systems and storage solutions used in this connection need to be analysed in terms of security, as does the management of these solutions, together with any personal equipment used in your own information management.
The foundation of secure treatment of information is laid by conducting a classification of information – an activity in which the level of protection that the information warrants is determined in the light of confidentiality, accuracy and accessibility. The results of information classifications are used as input in a subsequent stage, known as a requirement analysis, in which the security of the systems and storage solutions used are analysed. The University’s Risk Management Procedures (UFV 2018/211), including appendices, provide guidance on the conduct of information classifications and requirement analyses.
The University’s Procedures for Secure Information Management (UFV 2018/668) provide guidance on secure information management in general, as well as specific information regarding the use of cloud services.
You will find these documents in the University’s “Goals and regulations”, but they are also available on the page https://mp.uu.se/web/info/stod/sakerhet/informationssakerhet, along with additional material relating to the GDPR and information security. If you need help with security classification, please get in touch with the University’s information security officer here.