Student projects with personal data
If you intend to write a student project with personal data, for example where you are going to interview people or study judgments, there are certain things you need to keep in mind. You will be processing personal data for which the university is the data controller, and you therefore need to ensure, with the support of your supervisor, that you meet certain requirements under the GDPR.
Below are detailed descriptions of what you need to think about and support in assessing whether you process personal data in your work.
What is personal data?
Personal data can be many different kinds of information that are attributable to an individual, for example name, identification number, location information and character traits. Examples of personal data are address, e-mail, IP addresses, car registration number. A recording or an interview with an identifiable individual is always considered to contain personal data. The concept of personal data is very broad.
Read more about personal data on The Swedish Authority for Privacy Protection's website.
What is the difference between personal data and sensitive personal data?
Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Personal data such as mother tongue or home language can also be sensitive personal data, as these can in some cases be indirectly traced to ethnic origin.
Read more about sensitive personal data on The Swedish Authority for Privacy Protection's website.
Processing of sensitive personal data
The starting point of the GDPR is that it is forbidden to process sensitive personal data.
An exception to the prohibition against processing sensitive personal data in thesis work is when the student writes his/her thesis work within the framework of a research project that has received ethical approval from the ethical review authority. Another exception is if the participant has explicitly given their consent. In order for consent to be valid, it must, among other things, be voluntary, unconditional, revocable, and there must not be an unequal power relationship in relation to the person asking for the consent.
The main rule is that students should not process sensitive personal data in their student projects. Processing of this kind must therefore never be started before you have received approval from your supervisor/department.
Processing of sensitive personal data must always be carried out restrictively and with high demands on organisational and technical security measures. Among other things, this type of information may not be emailed and may only be stored on the student user's H:. Talk to your institution to get support.
Other privacy-sensitive processing
In addition to the processing of sensitive personal data, there are other types of processing that are also considered to entail an increased risk to personal integrity. Examples of this are:
- Processing of a large amount of personal data.
- Aggregations and interconnections of different sets of data to create new information.
- Transfer of personal data to a country outside the EU.
- Processing of a large amount of personal data about an individual or a group of individuals.
- Recordings of individuals, valuation information, complete social security numbers, social conditions, etc.
If your student project entails any of the listed types of privacy-sensitive processing, the supervisor must be made aware of this in particular.
Recommended storage areas and software
When processing personal data in your student work, it is important that the security of the data is guaranteed. In order for a service to be safe to use, it is required that the necessary risk analyses have been carried out and that an agreement is in place with the service.
The University recommends that information entered is stored in your user area on H: or in OneDrive to ensure protection and backup. Sensitive personal data may only be stored on H:.
When it comes to collecting data in forms, it is suggested that Microsoft Forms or LTU Survey be used, as the university has agreements with these. Collection via paper forms is also an option. For sensitive personal data, paper forms are the only sufficiently secure alternative for student projects. The storage of paper forms with sensitive information should take place in a locked space at the university.
The supervisor must be informed especially if services and storage spaces other than the recommended ones are used.
Digital interviews
When it comes to recording and possible transcription, it is suggested that Teams or Zoom be used. Note, however, that in a Teams meeting with only two participants, a video recording of the meeting will be created automatically if transcription is chosen (it works with audio recording for three or more participants). Ask the participant to turn off the camera if the video function must be used. Ask your supervisor for help and advice.
Basic questions before you start
Once you have decided that you want to do a student project where you handle personal data, you will initially need to answer the following questions. Write down the answers and save them together with other material related to the work. Your supervisor will need to see your answers in order to support you in the handling. The information is also important in order to be able to fill in the register of the university's personal data processing activities. The documentation is also important if there are follow-up questions from participants.
Questions
For what purpose is the data collected? The purposes must be specific, specifically stated and justified.
What personal data must be processed to achieve the purpose? How sensitive is the data? It is not permitted to process more personal data than is necessary for the purpose, and the more sensitive the data, the higher the requirements for security measures.
How long should you keep the data? They should be deleted when they are no longer needed.
What software etc. do you intend to use?
How will you protect your personal data, for example so that unauthorised persons do not gain access to it and so that it is not lost or destroyed?
Information for those who participate
Everyone who participates in the study has the right to receive information to understand what the data will be used for, how long it will be stored and how it will be protected, among other things. Participation is always voluntary, and if someone gets in touch and tells us that they do not want to participate afterwards, we will delete the information if possible.
When to provide information
If you collect information directly from a participant, the information (the completed information template) must be provided before the information is collected. This is so that the person who participates knows what we will do with the data and why.
If you obtain the information from someone else, such as an authority, information must be provided within a reasonable period of time after you have received the personal data, but no later than within one month. The same information template is used, with the addition of where the information has been retrieved from.
If it is impossible to provide the data subject with information or if it would entail a disproportionate effort, in particular in the case of the use of personal data obtained from statistical databases, information does not need to be provided.
Information about a study, and the answer that someone wants to participate, can usually be handled digitally. If sensitive personal data is revealed through participation, e.g. if interviews only take place with people suffering from a certain illness, handling should not take place via email. In such cases, telephone or letter can be used.
What do I do if more sensitive information comes in than I had anticipated?
Before the work begins, you always need to think through what questions you want answered and what risks that information entails. To avoid receiving more sensitive information than you intended, it is important that you think about how you will ask the questions and whether you need to inform the interviewees that they should avoid touching on certain areas. If this still happens, you need to inform the interviewee that you need to stick to the topic. The information that has been collected must be handled in a sufficiently secure manner. Get help from your supervisor to find out the sensitivity of the data. If you are not going to use the information in your work, it is suggested that it be removed immediately.
Writing the paper
If you carry out a student project where you collect personal data, it is also important that you handle the data carefully in the text you create. The recommendation is not to print names or other identifying information in the report itself. If it is absolutely necessary, you must first confirm with the interviewee that it is ok. If you quote or refer to a named person, the person must also be given the opportunity to approve the text before publication. If you make notes or transcripts of interviews, it is recommended that the interviewee is given the opportunity to review these and verify the content.
Rights of the data subject
The person whose data is collected has certain rights vis-à-vis the University as a data controller, such as the opportunity to access the data processed in the study free of charge and, if necessary, to have any errors corrected. Participants can also request that data be deleted and that the processing of personal data be restricted. See more about rights here.
If the data subject contacts you as a student with a request to use one of their rights, you must contact your supervisor.
Deletion of collected personal data
Personal data may only be stored for as long as it is necessary to fulfil the purpose of the collection. Personal data that you have collected within the framework of your student project must therefore be deleted when the course has been completed and grades have been submitted.