Human resources administrator
Personal data processing is a very substantial part of the work of a human resources administrator. It is therefore important to read up on the requirements and principles surrounding personal data processing.
Personal data
‘Personal data’ means all pieces of information that can directly or indirectly identify a person, such as name, personal identity number and email address. This means that almost all information about people can be personal data, at least when several pieces of data are processed together. Personal data also include ‘sensitive personal data’ such as genetic data or health data. Read more about sensitive personal data below.
To put it simply, everything you do with these personal data – collection, adaptation, storage or whatever – is processing.
Sensitive personal data
‘Sensitive personal data’ are data about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health
- a person’s sex life or sexual orientation
- genetic data
- biometric data that uniquely identify a person.
As a rule, sensitive personal data may not be processed, but the General Data Protection Regulation (GDPR) allows a number of exceptions, one of which is consent.
General principles
Any personal data processing must follow the principles of the GDPR. You must therefore always take these principles into account when processing personal data. The fundamental principles are:
- the principle of lawfulness, fairness and transparency,
- the principle of purpose limitation,
- the principle of data minimisation,
- the principle of accuracy,
- the principle of storage limitation, and
- the principle of integrity and confidentiality.
To learn more about the general principles, read the document here.
Lawful basis
For processing of personal data to be lawful, it must be based on at least one of six possible lawful bases. These are:
- Consent
- Contract
- Legal obligation
- Protection of vital interests
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Balance of interests (legitimate interest). This basis, however, may not be used by public authorities in the performance of their tasks.
Note that ‘consent’ will very rarely be used as a lawful basis at Uppsala University, so before you decide that your processing has consent as its lawful basis you should read through all the other bases to see if you can find one that is more appropriate. To learn more about the lawful bases and when each of them may be appropriate, read more here. Much of the personal data processing involved in human resources administration rests on a contract law basis, i.e. staff employment contracts.
Controller and processor
Often more than one actor is involved in the processing of personal data and it is important to know which of the actors is responsible for the processing.
Controller – The legal or natural person that determines the purposes and means of the processing of personal data is the controller and is responsible for the personal data processing. Controllers process data ‘on their own behalf’, as it were: they decide what will be done with the data, e.g. collection and storage, what the purpose of the collection and storage is and how it will be done. It is important to remember that it is Uppsala University in its capacity as legal person, not individuals at the University, that is the controller of processing operations where the University determines the objectives and means of processing.
Processor – The controller can entrust another legal or natural person with the task of performing personal data processing. The processor then carries out the processing ‘on another person’s behalf’. The way in which the processor is to process the data must be specified in a data processing agreement (DPA). The Legal Affairs Division has produced a DPA template. Do you need a DPA template? Get in touch with juravd@uadm.uu.se.
Joint controllers – If two or more persons together determine the purpose and means of processing, they may be joint controllers. In that case, they must draw up an agreement that clearly sets out who is responsible for what. Would you like help with this? Contact the Legal Affairs Division: juravd@uadm.uu.se.
It is important for every division/department to take stock of their processing operations and any controller–processor relations between the University and another party.
The right of data subjects to information and extracts from records
It is important that the University knows which personal data we process and where they are held so that we can provide correct information to those whose personal data we process. The first step in making this possible is to notify the University’s central register of records of all processing operations.
Rights of data subjects
Data subjects have a right to know that we process their personal data. For more information about the rights that data subjects can exercise in relation to the University.
Data protection policy
Uppsala University has drawn up a data protection policy on the treatment of personal data at the University. You can find the policy here.