News from the Legal Affairs Office

Here you will find news and information from the Legal Affairs Office.

2024-03-01 Checklist for research projects

The Legal Affairs Office has, within the framework of the research data management project, updated the checklist for research projects on Aurora. The new checklist has a broader scope and covers many more subject areas and issues that arise in research than the previous version. The new version also covers the entire research process.

Some of the areas that are included are ethics, secure handling of research information, personal data processing, laboratory safety, collaboration, publishing and making research data available. The checklist serves as reference for researchers.

There are many rules that must be followed during a research process. In this checklist, we have compiled information to make it easier for researchers to adhere to legislation, regulations and principles that regulate research. Demonstrating that your research is conducted securely and legally instils confidence in you as a researcher and in Umeå University as the entity responsible for research.

The previous version of the checklist focused on what research projects that process personal data needed to do before starting a research project.

You can access the checklist here: Checklist for research projects


2024-01-26 Guide on sharing research data in research collabortations. 

Sharing research data is a natural aspect of research projects and can involve different types of recipients in different locations. Research data is covered by regulations to protect various interests. The Legal Affairs Office has, within the scope of the project Research Data Management (in Swedish), developed a guide for researchers on what need to be decided when research data is shared with collaborators.

You will find the guide on the pages regarding legal aspects in research. Before you as a researcher share research data with external collaborator you always have to perform a confidentiality assessment. You also need to take into consideration if you process personal data. What impact the regulation has on the sharing of information is affected by, among other things, the content of the data and if the receiver is located in Sweden, in the EU/EEA or in another country.

In the guide you will find checklists for sharing research data in different example situations and in-depth information regarding public documents and confidentiality provisions as well as rules on personal data protection. There is also a description on how to make a confidentiality assessment.

You are always welcome to contact the Legal Affairs Office if you need support with conducting a confidentiality assessment or if you have other questions concerning the legal framework affecting your research. In some cases mentioned in the guide the Legal Affairs Office must be consulted.

2024-01-12 Now you can report your processing of personal data directly online. 

Now you can report your p2rocessing of personal data directly through the link that you will find on the pages about personal data management. 

Earlier everyone that was going to report personal data processing had to e-mail the Legal Affairs Office to access the form. Now you can find the link directly on Aurora. 

Each research project and new IT-systems in which personal data are processed ais to be reported to the central registry for personal data processing at the University before the processing of personal data begins. You can find more information about personal data management and when personal data processing must be reported on our pages. 

2024-01-10 Do you send e-mails with many recipients? 

At the start of the term, it is common for the legal affairs office to receive questions from students, prospective students and the like who have reacted to email dispatches that have come from institutions at the university. The emails may, for example, have been sent to everyone who was admitted to courses or who had other contact with a certain course given at the institution. What the students have reacted to is that all recipients were visible in the messages. The students have wondered if this does not violate GDPR?

To avoid students feeling that the university does not handle their personal data in accordance with GDPR, there is, regarding the question of how email is addressed, a simple way to live up to the basic principle of data minimization in GDPR. By using "Bcc" instead of the usual address box "To", the recipients of the email will not see who else has received the message.

To handle email in accordance with GDPR, you should always ask yourself if it is important, based on the purpose of the message, that all recipients are openly stated in the address field when you send email to many people. By using "Bcc" instead of the usual address box "To", the recipients of the email will not see who else has received the message. In this way, you avoid students feeling that the university does not handle their personal data in accordance with GDPR. It is also a simple way to live up to the basic principle of data minimization in GDPR.

The principle of data minimization is about a data controller never processing more data than is necessary for the purpose.

We have collected information about what you need to consider in order to handle email in accordance with GDPR in our FAQ about personal data management.

2023-12-14: Umeå University is open even around Christmas.

Christmas is fast approaching. We all look forward to winding down and spending time with loved ones. The operations at Umeå University are entering a quieter phase but are not closed during the days around Christmas and New Year. Through good routines and simple measures, we meet both our obligations and get a calm and relaxed Christmas holiday that we so badly need. 

As an employee of the agency, you are obliged to answer questions from individuals, or make sure that someone else answers, as soon as possible, even during the holidays. Through routines for monitoring incoming mail, email, and phone calls during the absence, the department meets this obligation and creates conditions for employees to rest during the holiday. On Aurora, you will find tips on how you can meet the service obligation during Christmas and New Year. Among other things, as an employee, you should leave a power of attorney with permission to open personal addressed mail and listen to voice messages. When you are absent, you should leave an absence message where it appears who can be contacted instead. You can also refer to the Infocenter which can help answer general questions. If possible, forward your email to a colleague or a suitable office mailbox. It is not allowed to forward the university's email to email accounts outside the university.

It's important that we continue to protect our information even in connection with the holidays. Some who unfortunately do not take time off are unauthorised individuals who want to access the university's information. There can also be mistakes or technical errors that mean information ends up in the wrong hands, is destroyed or lost. If such an incident involves personal data, or IT-security incidents this should be investigated and reported within 72 hours. This deadline also applies during the Christmas holiday. The department therefore needs to have routines for monitoring and reporting personal data incidents even during periods of high absence.

We wish you all a safe and relaxed holiday.

Did you accidentally send an email to the wrong recipient or lose your phone? It might be a personal data breach.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

A personal data breach could be a hacker attack through which all data in a system is stolen. It could also be as simple as someone losing their mobile phone, that staff at the University who do not have the authorisation to access personal data by mistake gain access to such data, or that an email containing personal data is sent to the wrong recipient.

If you are a system owner, you may have received information that an unauthorised person has gained access to personal data in a system. The information may come from a system supplier acting as a data processor, an employee, a third party or even the individual whose personal data is being processed.

If you suspect that a personal data breach may have occurred, you must report it to Anyone who becomes aware of a possible personal data breach must report it immediately. Read more under If something happens

The obligation to report personal data breaches is intended to limit possible damages. Therefore, please spread the information about the importance of reporting personal data breaches to your colleagues so that the University can protect the personal integrity of our employees, students and research participants. 

Contact information

Contact the Legal Affairs Office on

Data protetion officers, questions regarding personal data management

Legal Affairs Office