1. Must personal data be processed?
Is it really necessary to process personal data? Can you complete your survey without processing personal data, then do so!
Remember that personal information includes all information that can be linked directly or indirectly to a living person – not only names, national identification numbers, DNA or portrait photos – but also combinations of more anonymous data, which together make it possible to identify an individual.
2. Define the purpose of the processing and what information must be collected. Identify what information is to be collected and why.
For you who are doing a degree project the purpose of the processing is simply to be able to carry out the study necessary to substantiate your work. It is, however, important that you think this through and formulate the purpose of the thesis, and define what information is necessary to achieve your purpose.
3. Report that you are planning to use personal data
The University data protection officer must record each processing of personal data.
Report personal data processing
The records must not contain any of the collected personal data, only a list of what is collected and processed so that the University has control over what processing is in progress. The University is formally responsible for personal data being processed throughout the University, and this also applies to degree projects.
4. Determine how the information is safely stored and processed during work
The collected information must be processed safely. We recommend that you keep your collected personal data in your home directory on University servers.
Personal file space
The home directory also has sufficient security for sensitive personal data (such as data on racial or ethnic origin, political views, religious or philosophical beliefs, union membership, genetic and biometric information, and information about a person's health, sex life or sexual orientation).
Office 365, including OneDrive and Forms, may be used for processing and storing of non-sensitive personal data.
Other external services (tools not provided through the university) may not be used for any kind of personal data.
5. Determine what parts of the information are to be erased or archived when the processing is completed
Personal data may not be retained for longer than is necessary and should be erased when no longer needed. At the same time, there may be parts of the information that must be preserved to be able to substantiate the conclusions of the thesis work or because they are necessary for future processing.
Therefore, before the practical work starts, it is important to decide what will happen to the collected personal data afterwards. What information is to be retained and what is to be erased?
During the course of the work, there may be a need to rethink the original plan, but it is important that there is a basic plan, especially in order to answer questions from the data subjects.
6. Obtain consent, inform the data subjects and collect the necessary personal data
Personal data may only be processed if there is a legal basis for the treatment.
The General Data Protection Regulation specifies a number of grounds that are considered admissible, but for a degree project, it is in practice only consent that may be used (if it is not possible to use consent, you should discuss this with your supervisor and the Data Protection Officer to see if another solution can be found).
Using consent as a basis means that the data subject gives his or her active consent to the processing. This means inpractice that you clearly describe:
- what information you want to collect
- what it is to be used it for and by whom,
- how long the data will be used,
- that there is a possibility to request to see the collected the information and
- that it is possible to contact the Data Protection Officer or the Swedish Authority for Privacy Protection (DPA) with complaints.
After the data subjects have read the information, he/she can consent to the treatment and the processing of the data is then permitted.
It is important to know that consent must be registered and stored so that it can be presented upon request and that the data subject is entitled to withdraw his/her consent at any time. The consent must be documented and the university will develop a consent form that can be used.
If the data subject has agreed to the treatment, sensitive data may also be processed.
Instructions for treatment of consents
Template for informational letters and consent
7. Process the collected information
Now you can begin your actual work with the personal data.
8. After processing, delete or archive personal data as needed
When your thesis is finalized, and approved, your working material usually should be deleted. The consent forms should not be deleted at this point. After you've deleted the content, send an email to email@example.com, and report that you have deleted all personal data from your working material. When you have received a reply to this email, follow the instructions in that email, and go to step 9.
9. Inform your informants that the work is finalized
Send a standardized email to your informants, using the bcc: function, to inform them that all their data, including their consent forms, are deleted, and that the processing has stopped.