The General Data Protection Regulation’s foundations
The General Data Protection Regulation applies as law for all EU Member States from 25 May 2018. The Regulation will involve a great deal of changes for those who process personal data and strengthens the rights of the individual in terms of personal privacy.
All processing of personal data must adhere to the fundamental principles, as indicated in the General Data Protection Regulation. The principles essentially imply that personal data may only be collected for certain legitimate purposes, that no more data than necessary may be processed, and that the data cannot be saved for any longer than necessary. It is also important to keep in mind that the personal data must always be handled in a secure manner.
An overall intention with the new rules in the General Data Protection Regulation is to emphasise that the person processing personal data must take responsibility for compliance with the regulations and to show this through written documentation. Therefore, it is very important that you as an employee have basic knowledge concerning the rules that dictate the processing of personal data.
Some basic terms
Personal data denotes any information relating to an identified or identifiable natural person. The determining factor is that the data, individually or in combination with other data, can be linked to a living individual. Typical personal data includes a Swedish national registration number, name, address and IP number, but several factors that can be jointly linked to a natural person can also be regarded as personal data.
Even if those processing the data do not know or even have the ability to identify the person in question, this may be classed as the processing of personal data. In order to determine whether a natural person is identifiable, consideration should be given to any means that may be used, either by the controller or by another legal or natural person, to directly or indirectly identify the natural person. As long as there is, for example, a code key saved somewhere that allows the data to be linked to a particular person, this is considered personal data.
Processing of personal data
Processing of personal data is a very comprehensive term. All forms of action regarding personal data are considered as the processing of personal data, from the collection of data to the deletion or destruction of personal data.
Examples of personal data processing are, as defined in the General Data Protection Regulation, collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination and finally the actual erasure or destruction of the personal data. Keep in mind that, printing personal data on printers and sending e-mails, always involves the processing of personal data.
The controller is the party that determines the purposes and means of processing personal data.
Who is responsible for the processing of students’ personal data?
The Jönköping University School is the controller for the processing of personal data which is carried out within the respective school’s activities. This applies not only to the processing of teachers and administrative staff, but as a general rule, the university is also responsible for the processing of personal data that the students perform within the framework of the education. If a student, for example, processes personal data in their academic work, the processing is therefore covered by the regulations in the General Data Protection Regulation and it is the Jönköping University School’s responsibility to ensure that the rules are followed.
However, there are situations with certain exceptions. If a student, for example, is engaged in placement studies (VFU), it is generally the placement host that is the controller when a student performs various work duties within, for example, a school or healthcare services (in the same way that the placement host is the controller when its employees process personal data).
Fundamental principles for the processing of personal data
All processing of personal data must adhere to the fundamental principles as indicated in the General Data Protection Regulation (Article 5 of the GDPR). When students at Jönköping University processes personal data, the university must therefore ensure and be able to demonstrate that the processing fulfils the requirements below
- The data shall be processed in a legal, accurate and transparent manner in relation to the person whose personal data we process, i.e., the data subjects (legality, accuracy and transparency).
- The data shall be collected for specific, explicit and legitimate purposes and not subsequently processed in a manner that is non-accordant with these purposes (purpose limitation).
- The data shall be adequate, relevant and not too comprehensive in relation to the purposes for which it is being processed (data minimisation).
- The data shall be accurate and if necessary updated (accuracy).
- The data may not be stored in a form that allows the identification of the data subject for a longer time period than is necessary for the purposes for which the personal data is being processed (storage minimisation).
- The data shall be processed in a manner that ensures the appropriate security of personal data (privacy and confidentiality).
These are the fundamental principles for all processing of personal data and all activities shall be viewed in the light of the above points.
The students’ processing of personal data requires consent
The departure point in the General Data Protection Regulation is that every person owns their own personal data. Persons that, for example, shall participate in a study must therefore personally have the opportunity to assess whether the personal data that concerns him/her shall be processed. In order for this to be possible, each individual must first be provided with information about what personal data processing means, and then be given the opportunity to decide if he or she agrees to the processing (informed consent).
Sensitive personal data
Certain personal data is by nature particularly sensitive and therefore has stronger protection in the General Data Protection Regulation. This is known as sensitive personal data. Sensitive personal data means details about race or ethnic origin, political views, religious or philosophical convictions, union memberships, genetic data, biometric data in order to clearly identify a natural person, details concerning health, or details about a persons sex life or sexual preference. Personal data such as mother tongue or native language may also be sensitive personal data that may in certain cases indirectly deduce to ethnic origin.
The departure point of the General Data Protection Regulation is that processing sensitive personal data is prohibited.
Processing of sensitive personal data in academic work
There are some exceptions to the prohibition on processing sensitive personal data in the General Data Protection Regulation, although the treatment must always be strict and with high demands on organisational and technical security measures. The extensive possibilities of processing sensitive personal data for research purposes provided by the General Data Protection Regulation and the Ethical Review Act do not apply to first or second-cycle education as this is not considered research.
Govt. Bill 2007/08:44 Certain ethical review issues etc. also state that “the government believes that it is not reasonable to expect that students who undergo first or second-cycle education have with certainty gained knowledge and insight to the extent required to ensure protection for those involved in research. Students should therefore not be subject to the liability that is implied when conducting activities involving people and where there is a risk of injury to these people, physically, psychologically or in terms of privacy.”
The only exception to this rule is when students write their academic paper within the context of a research project at Jönköping University which has received ethical approval from a regional ethical review committee.