Umeå University is responsible for the personal data processing that students conduct as part of their studies, for instance when students process personal data in a degree thesis. Consequently, it is important that students process personal data in accordance with the requirements of the General Data Protection Regulation (GDPR). There are procedures in place to support supervisors or teachers guiding students who process personal data. Information for students is also available on the student web on umu.se.
Processing personal data in a student project (umu.se/student)
If the student's thesis is part of a research project at Umeå University
If a student's thesis is conducted as part of a research project at Umeå University, the student must follow the same guidelines for personal data processing as apply to the rest of the research project.
It is important that a student's processing of personal data uses the same secure storage space and authorisation structures as the rest of the research project.
Classified data is covered by confidentiality
When a student conducts studies in a research project at Umeå University, the student is covered by the same confidentiality obligations as an employee at the University.
Independent student projects or equivalent
For an independent student project or equivalent that is not included in a research project, other rules apply regarding how a student may process personal data.
Requirements for consent and information
Processing of sensitive, integrity sensitive and non-sensitive personal data in an independent student project requires individual consent from each person participating in the study and whose personal data is being processed. It is important that each individual whose personal data will be processed is informed of this before the person gives their consent to participate in the study.
Students must use the designated consent template for this purpose.
Template for consent (English)
Template for consent (Swedish)
Faculties determine the use of sensitive and integrity sensitive data
Processing of sensitive personal data is generally forbidden according to the General Data Protection Regulation. The regulation also limits the possibility to process integrity sensitive personal data, for instance criminal offences. Additionally, an independent student project or equivalent cannot undergo ethical review.
It may still be valuable that students on first and second-cycle levels are allowed to process sensitive or integrity sensitive personal data in an independent student project. However, the legal scope for this is very limited.
- For a student to be allowed to process sensitive or integrity sensitive personal data in an independent student project, it must be possible to ensure that the project has been conducted under ethically acceptable terms.
- Within the scope of the rule and procedure, each faculty may establish how suitability assessment is to take place. This assessment should balance the educational needs of such processing against the risks that may arise to a person's health, safety and personal integrity. Guidelines must state what function is to make decisions, and what function is to ensure that the basis for such a decision is made clear and documented.
- It must also be evident what function is responsible for the practical processing of consents and information, and that only approved IT services and tools are used for the processing of personal data in student work.
There may also be reason to state in what situations it is suitable to seek advice from the Ethical Review Agency.
No confidential data may be used in independent student projects
In an independent student project or equivalent, students may not process confidential data, for instance classified data obtained from other authorities. Such data must be pseudonymized – preferably anonymized – before the student is to access it.
IT and digital tools for the processing of personal data
Students' processing of personal data in student theses or equivalent, for instance the collection, processing and storage of data, is to take place within the University's control. This means that students must use the storage spaces and tools assigned by the University.
It is important to make early decisions on what types of personal data will be processed in a student project – sensitive, integrity sensitive or non-sensitive personal data.
The type of personal data that will be processed also determines the protection value of the data, how to process the data, and what storage solutions must be chosen.
Read more about data classification and a guide to classifying data.
When sensitive personal data is not being processed
It is allowed to process regular personal data in Office 365.
If a student wants to process regular personal data, the data should be processed in a team in Teams. The course coordinating department should create a team in Teams, and for each degree or thesis the department creates a channel that only the student, the teacher and the supervisor have access to. An alternative could be that the teacher or supervisor creates a private channel in a team and invites the students.
All data is to be collected, stored and processed through the Team.
When the grade of an independent student project has been reported in the Ladok student registry, the course coordinating department must ensure that the personal data is deleted and that the student's access to the Team is removed in accordance with the applicable records management plan.
It is not allowed to process sensitive and integrity sensitive personal data in Office 365.
If you have any questions regarding how to create a team in Teams you can always contact Servicedesk.
When sensitive and integrity sensitive personal data is to be processed
Currently, there are no services, tools or storage spaces available for students to process such data. When such services, tools or storage spaces become available to students to process sensitive personal data, information about this will be provided.
Until then, please consider if the processing of sensitive personal data is necessary for the student to complete his or her project, or if the work can be completed with non-sensitive personal data only.
If something happens to the personal data
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
All employees who are made aware of a possible personal data breach regarding personal data that Umeå University is responsible for have a duty to report such an incident.
Personal data breaches are reported to firstname.lastname@example.org.
Learn more about personal data breaches.
If a student detects that something has happened to personal data in the student's work, the student must notify his or her department or supervisor, who is then responsible for reporting the incident as a personal data breach.