These questions provide only overall answers. Bear in mind that it is always important to make an assessment in the individual case because details affect how the rules are to be applied.
To learn more, attend one of the courses in General Data Protection Regulation (GDPR), which can be found in the University's platform for internal training, Eduadmin.
Go directly to
General questions (updated 2023-10-27)
Reporting personal data processing (updated 2023-10-27)
Personal data processor (updated 2023-10-27)
Students and teaching (updated 2023-10-27)
Swedish personal identity number (updated 2023-10-27)
Personal data and official documents (updated 2023-10-27)
Personal data and email (updated 2023-10-27)
Student administration (updated 2023-10-27)
Personal data and employees (updated 2023-10-27)
General questions
What is personal data?
Any data relating directly or indirectly to a living person is personal data. This means that personal data includes more than names and personal identity numbers. It can also be usernames, Umu-ids, email or IP addresses, biometric data, physiological data and such material as voice recordings. Responses to questionnaires when the respondent's identity is known are personal data.
Combinations of data may also constitute personal data if the data can be linked to a natural person. Even if information, such as name, personal identity number or address, is not registered, the other data registered constitutes personal data if the other data can identify a specific person.
What is meant by there being different types of personal data?
Sensitive personal data is data that discloses:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership; and
- personal data relating to health or sex life, genetic or biometric data.
Health data can include such information as sick leave, pregnancy and doctors' appointments.
Even if some information is not classified as sensitive personal data, it may still be privacy-sensitive, personal data of particular importance to protect.
For example, this could include:
- salary data;
- information concerning violations of the law;
- valuation data, such as information from development discussions;
- information about results of personality tests or profiles;
- information relating to someone's private life; or
- information about social relationships.
Personal identity numbers are considered to be personal data of particular importance to protect.
Since any information that may be directly or indirectly linked to a living person is considered personal data, the term general personal data is often used to describe information that is neither sensitive nor personal data of particular importance to protect.
What does it mean to "process" personal data?
Every measure or combination of measures involving personal data, whether it is done automatically or not. For example: collecting, registering, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transferring, disseminating or otherwise making available, adjusting or combining, restricting, deleting or destroying. Essentially everything you do with the data.
What and who is a personal data controller?
The personal data controller is a natural or juridical person, public authority, institution or other body that alone or jointly with others determines the purposes and means of processing personal data.
Umeå University is the juridical person responsible for the processing of personal data that takes place at the University and at an external party that processes personal data on behalf of the University, a personal data processor.
Employees at Umeå University are representatives of the personal data controller but are not personal data controllers themselves.
When does the General Data Protection Regulation (GDPR) apply?
GDPR applies to the processing of personal data that takes place fully or partially automated. The regulation also applies to other processing of personal data if the data form part of or are intended to form part of a structured collection of personal data (such as a database or register) that is available for searching or compilation according to specific criteria. If you are to process personal data in digital form — for example, in IT systems, computers or smartphones within the EU/EEA — GDPR applies.
When Umeå University processes personal data within the framework of its activities, GDPR also applies to processing that takes place outside the EU/EEA because Umeå University is established within the EU/EEA.
Who is Umeå University's data protection officer?
At Umeå University, legal officers Marit Juselius and Tobias Nyström have been appointed data protection officers.
The data protection officers can be contacted at pulo@umu.se
What if the data are anonymous? (Anonymous, pseudonymised/coded data, sunthetic data)
In the case of anonymous or pseudonymised/coded data, it is very important to be careful about the terms used.
Pseudonymous (coded) data means that individuals cannot be identified directly from the data, but that a code key is retained that allows subsequent adjustments to the data, including identification of the individual to whom the data relate.
The code key must be kept separately and subject to technical and organisational security measures for the data to be considered pseudonymised. The code key does not need to be at Umeå University or even accessible to Umeå University. The data are still personal data and GDPR still applies.
Anonymised data means data containing no information that can be linked to an individual. The connection to a living individual thereby needs to be irreversibly severed. This may be the case if the code key is missing or the information has been provided anonymously. In cases where the code key was initially created, the code key needs be destroyed in a way that makes it completely impossible to recover it for the data to no longer be considered personal data, since only then can the data not be linked to a person.
Even if the personal data are pseudonymised or anonymised, the risk of backtracking needs to always be considered. Even if there is no code key or it has been destroyed, individuals can still sometimes be identified. For example, it may be possible to determine who the person is if the data contains so many variables that the sample is limited, or if the data can be directly attributed to such a limited group of persons that an individual can be identified by other data, or if the voice on a recording can be recognised. In such cases, despite the destruction of the code key, the data are still to be considered personal data. With proper pseudonymisation, backtracking will not be possible.
Always consider whether it is necessary to be able to identify who has provided the information. If that is not the case, avoid recording information that allows individuals to be identified.
Synthetic data is data that is artificially generated by computer programs or algorithms and is not collected from actual observations or events. This type of data is created to simulate or mimic real data and can be used for various purposes, including research, algorithm development and machine learning, and to protect sensitive information to avoid privacy and confidentiality issues.
Synthetic data can be created through various methods and models. By using these methods, one can create data that resembles real data but does not contain any actual individual identifiable information.
If personal data is to be used to create synthetic data, it must be ensured that the legal prerequisites, such as a legal basis and possible ethical review permission, exist for the processing of the personal data. Although synthetic data does not constitute personal data, there may be situations where the data is so similar to a real person that it can lead to, among other things, questioning the university's handling of information about research subjects.
What are the basic principles and what is the lawful basis for processing personal data?
Certain basic principles should always be taken into account when processing personal data. These are set out in Article 5 in GDPR.
According to Article 6 of GDPR, the processing always requires a lawful basis. This article contains an extensive list of possible lawful bases that can be relevant.
In brief, anyone processing personal data is to ensure that:
- there is always a lawful basis for the processing of personal data;
- the personal data are accurate and up-to-date;
- the purpose is specifically and explicitly stated;
- the personal data are relevant and not too extensive in relation to the purpose of the processing;
- the personal data will not be processed longer than is necessary for the purpose. Which data are to be disposed of or retained is stated in Umeå University's Document retention and deletion plan;
- technical and organisational measures will ensure adequate protection of the personal data so that the personal data do not risk falling into the wrong hands or being manipulated;
- the assessments made when processing of personal data are documented.
What rights does the individual have under GDPR?
The individual has several rights under GDPR:
- Right to information — as a general rule, the individual has the right to information when personal data are processed.
- Right to rectification — the individual is to have the opportunity to rectify inaccurate personal data and, to some extent, supplement incomplete personal data.
- Right to erasure ("right to be forgotten") — in certain cases, individuals have the right to have their data erased.
- Right to restriction of processing — in certain cases, the individual has the right to request restriction of personal data processing. This can be done by designating personal data for processing in the future for certain limited purposes.
- Right to data portability — under certain conditions, the individual has the right to receive and transfer the personal data to another location (such as another organisation).
- Right to object to the further processing of personal data in certain cases.
- Right to not be subject to a decision that has a legal effect, through automated decision-making (including profiling), unless there is an exception in other law or consent has been given.
- Right to complain and demand damages — the individual has the right to lodge a complaint with Umeå University and the Swedish Authority for Privacy Protection.
Individuals in contact with Umeå University can find information about this at: www.umu.se/gdpr
Reporting personal data processing
Why should I report my personal data processing?
According to GDPR, the University is to keep a register of such processing of personal data that takes place wholly or partially automated.
Who is to report personal data processing and does all personal data processing have to be reported?
The University has listed the personal data processing normally foreseeable in its operations at an overall level in the register for personal data processing. Special notification is required in the following situations:
- Each research project in which personal data are processed is to be reported by the responsible researcher.
- Personal data processing in IT systems is to be reported by the system owner.
Registries also are to be held when Umeå University is the personal data processor. Those responsible at Umeå University for the contractual relationship in which processing occurs are to report such processing.
The term IT systems also covers IT services and external cloud services. Only processing of personal data that is fully or partially automated has to be reported.
Examples of fully/partially automated processing are:
- Processing of personal data by computers and IT systems and transfer of personal data to digital format, such as when processing personal data in a searchable register or database or transferring personal data from manual surveys to a database.
- Digital audio and video recordings.
- Personal data are processed and stored digitally, for example in a Word document, Excel document or PDF format.
You do not need to give notice of the end of the personal data processing, but you are to report when it is expected to end. If there is any change in the information you have provided regarding your personal data processing, you can submit updated information. Contact pulo@umu.se to receive a special form for this.
As an employee, if you only process personal data within an IT system in a predictable manner with regard to the University's operations, you do not need to report the processing of personal data, but the system owner is responsible for reporting the IT system.
You also do not need to report personal data processing in education and administration if the processing takes place in a predictable manner.
Student assignments do not need to be reported separately; such a report has already been made for all student assignments jointly.
If you are unsure whether to report your processing of personal data, you should contact pulo@umu.se to determine whether your processing is to be reported.
How are personal data processing operations reported?
Contact the data protection officers via pulo@umu.se and report that you are going to process personal data. You need to specify whether the processing is to take place within research or IT systems or whether the University is the personal data processor. If you are unsure, it is a good idea to briefly describe what you are going to do.
You will then receive written information and a link to a digital form where you fill in the information requested. Contact pulo@umu.se if you have questions about the form.
When should my personal data processing be reported?
Before you start a research project, provide an IT system, or start performing tasks as a data processor that require fully or partially automated processing of personal data, you are to notify the data protection officer of such processing.
If, for any reason, you have not reported ongoing personal data processing, you need to submit your notification as soon as possible. If you are unsure whether your ongoing personal data processing has been reported, you can contact the data protection officers at pulo@umu.se.
What happens after my report?
Your report is entered in a register of personal data processing at Umeå University.
Personal data processor
What is a personal data processor?
A personal data processor is someone who processes personal data on behalf of the personal data controller — that is, someone outside Umeå University who processes personal data for which the University is the controller. For this to be permitted, GDPR requires the University to establish a personal data processing agreement (PUBA) with the entity that will process personal data on behalf of the University.
Contact the data protection officer for assistance in establishing a PUBA.
Who may sign a personal data processing agreement on behalf of the University?
Umeå University is always the party in a PUBA; individual employees are NOT. Regardless of whether the University is the personal data controller or personal data processor in the agreement, the Vice-Chancellor's delegation of authority requires the signature of the University Director. PUBA is always to be reviewed by a legal expert before the agreement is signed.
Inquiries about PUBA should be sent to pulo@umu.se.
Am I as an employee considered as a personal data processor?
No, employees who carry out work for University activities and operations are regarded as representatives of the University. The personal data controller is the University as an organisation and not individual employees.
For example, when the Swedish Ethical Review Authority asks who is responsible for personal data in a research project, it means which organisation is responsible for personal data processing in the research project. That can be Umeå University, for example.
Students and teaching
How may Umeå University process personal data about students?
Umeå University may process students' personal data because it is part of the University's mission to educate and assess students. According to the basic principles of all personal data processing, the University may only use the personal data necessary to fulfil that purpose.
Can the University photograph students and save photo lists of them?
It can have photo lists of students if the photos are needed to educate and assess the students. Otherwise, photos of students probably mean that more personal data are collected than necessary. If photos become necessary, it is important that they not be distributed to anyone other than the teachers who need them and that they be saved only as long as necessary.
What applies to remote learning?
Recording and publishing a lecture with only employees is permitted under GDPR because this is part of the employee's job. Live streaming a lecture for those who would otherwise have participated on site is also allowed.
It is important to inform students that personal data processing is taking place through the digital connection (refer to www.umu.se/gdpr) and to inform them that nothing is saved. It is also appropriate to give students the opportunity to ask questions outside of what is being recorded.
Sensitive personal data or classified information should not be processed in Zoom or Teams. Read more on the page about personal data processing in education.
What applies to remote assessments?
In connection with digital forms of exams, there may be a need to both identify the student and to monitor the student during the ongoing summative assessment.
It is important to inform students that personal data processing is taking place through the digital connection (refer to www.umu.se/gdpr) and to inform them that nothing is saved.
If identification in a digital examination is to be done by presenting proof of identity, there is a risk that the personal identification number can be seen by other participants in the exam. For that reason, identification through proof of identity needs to be done in a way that prevents the other participants from seeing the personal identification number. Identification can take place, for example, using photo lists.
Monitoring of the summative assessment in Zoom can be arranged in a way comparable to a written exam without recording the students. This means that the teacher or someone else monitors the students' written exam via the digital connection. The University is regarded as having a lawful basis for this type of supervision in the Higher Education Act and GDPR on grounds of public interest.
On the other hand, a recording of students in their home environment is considered such an invasion of privacy that explicit legal support is required for the University as a public authority to be regarded as having that right. In the absence of explicit legal support, the data protection officer considers that recording students in their home environment violates GDPR. Read more on the page about personal data processing in education.
Swedish personal identity number
What applies if I want to process personal identity numbers?
Personal identity numbers are considered privacy-sensitive/personal data of particular importance to protect. Registration of personal data is to be very restrictive. If it is sufficient to process birth data instead (first six digits of the personal identity number), only this information is to be processed.
What applies if I want to process the complete personal identity number?
To register the complete personal identity number, you need to comply with the requirements of GDPR and the Swedish Data Protection Act (2018: 218) with supplementary provisions to the EU's General Data Protection Regulation (GDPR). According to Chapter 3, Section 10 of the Swedish Data Protection Act, if you do not have consent from the data subject, personal identity numbers may only be processed in the following situations:
- where clearly justified by the purpose of the processing;
- reliable identification is important; or
- for some other noteworthy reason.
Please note that the University as a public authority is very limited in the right to support its processing of personal data on the basis of consent. In the vast majority of cases, it needs to have support in one of paragraphs 1–3 above to be entitled to process personal identity numbers.
Personal data and official documents
What applies if someone requests access to official documents containing personal data?
The GDPR itself does not prevent disclosure of official documents. The only reason official documents may not be disclosed is if they are covered by privacy considerations. Denying disclosure of official documents requires a legal basis in the Public Access to Information and Secrecy Act (OSL) or other law specifying that confidentiality applies for the data. GDPR contains no rules on conficentiality.
If the information requested contains personal data, the confidentiality assessment needs to also include whether there is "GDPR confidentiality" in accordance with OSL Chapter 21, Section 7.
Remember that the University needs to have a reason to assume that someone will process the personal data in violation of GDPR to prevent a disclosure due to "GDPR confidentiality".
What does "GDPR confidentiality" mean?
GDPR confidentiality is regulated in OSL Chapter 21, Section 7. This means that confidentiality of the personal data exists if it can be assumed that the personal data will be processed at variance with GDPR, the Swedish Data Protection Act (2018: 218) with supplementary provisions to the EU's General Data Protection Regulation (GDPR), or Section 6 of the Ethical Review Act, after the data has been disclosed to the recipient.
To determine whether GDPR confidentiality exists, it is necessary to assess whether the recipient's processing of personal data after disclosure is compatible with;
- GDPR;
- the Swedish Data Protection Act; and
- Section 6 of the Ethical Review Act (applicable only if sensitive personal data or information about violations of law is to be used for research).
If the University determines that the recipient's processing would be at variance with that legislation, the University will deny the recipient access to the information on grounds of confidentiality in Chapter 21, Section 7 of OSL.
How do I assess in practice whether "GDPR confidentiality" exists?
To assess whether the data are covered by GDPR confidentiality, the University may need to ask how and for what purpose the applicant is to use the data (normally the University may not request such information). However, there needs to be some concrete circumstance that makes it possible to assume that the personal data after disclosure will be processed in a way that violates GDPR. Questions may not be asked just because there is a request to disclose personal data.
Examples of such circumstances may include:
- bulk collection of personal data; and
- selected data (selection of persons with certain qualifications, year of graduation, age range, etc.).
If the request concerns only individual data, there is rarely reason to believe that the recipient's processing violates GDPR, the Data Protection Act or Section 6 of the Ethical Review Act. The University does not then have reason to request information about the purpose of the processing. The same applies if the information is requested for journalistic purposes.
Asking more questions than are required to make the confidentiality assessment is not allowed. If the questions are answered in a concrete manner and the applicant's statement appears plausible, it should be accepted. If you are uncertain about how to assess confidentiality, you should contact the University's legal officers.
The following information text may be sent to the applicant when further information is requested:
"The data you have requested is personal data. According to the Public Access to Information and Secrecy Act (2009:400), Chapter 21, Section 7, the personal data is confidential if it can be assumed that disclosure would result in the data being processed in violation of the EU General Data Protection Regulation (EU 2016/679), the Swedish Data Protection Act (2018: 218) with supplementary provisions to the EU's General Data Protection Regulation (GDPR) or Section 6 of the Act Concerning the Ethical Review of Research Involving Humans (2003:460). To make such an assessment, we have the right to ask the party requesting access to the data what they are going to use the data for. Accordingly, I request that you briefly explain how you intend to use the data."
Can I disclose personal identity number data for GDPR purposes?
GDPR applies to the processing of personal data that is wholly or partly automated and to the manual processing of personal data if the personal data are or will be included in a register. Personal identity numbers constitute personal data that are particularly worth protecting and are specifically regulated in the Data Protection Act (2018:218).
A few personal identity numbers
If the applicant requests only a few personal identity numbers, there is rarely reason to assume that GDPR will apply to the applicant's processing of personal identity numbers. This means that the University can, as a rule, provide information about individual personal identity numbers.
More than a few personal identity numbers
If several personal identity numbers are requested, we can usually assume that GDPR will apply to the applicant's processing of the personal identity numbers, and an assessment needs to be made of whether GDPR confidentiality prevails. Contact the Legal Affairs Office for support in assessing whether the personal data can be disclosed.
Can I disclose personal data if the recipient will use the data for direct marketing purposes?
Companies and other third parties often request students' and employees' personal data for marketing purposes. When such a request is received, a confidentiality review always needs to be made to enable the University to decide whether the recipient's processing conforms to GDPR and the Swedish Data Protection Act (2018:218). The recipient needs to fulfil the essential requirements of Article 5 of GDPR and have support from one of the lawful grounds set out in Article 6 of GDPR to process the personal data.
In the confidentiality assessment, the University is to consider whether the information requested is necessary to fulfil the applicant's purpose of processing or whether the purpose can be achieved with less data. According to Article 6 of GDPR, the recipient also needs to have a lawful basis to process the personal data. In many cases, the company's need for the personal data for direct marketing can be considered a legitimate interest under GDPR, and the company then has the right to process them. This is the case when the scope of the marketing is relatively limited (two mailings per year), does not concern sensitive personal data and the content of the marketing itself cannot be considered a violation of privacy.
Email addresses of private individuals may be disclosed to the recipient even if they are to be used for marketing purposes. The recipient is responsible for ensuring that marketing takes place in accordance with applicable legislation, such as the Marketing Act (2008:486), Section 19, to obtain consent from the person in order to send marketing to his or her email address. However, it may be useful to remind the recipient at the time of disclosure that they are obliged to comply with GDPR rules. And if an email address is disclosed, remember the requirement in section 19 of the Marketing Act that marketing directly to a natural person's email address may occur only with the prior consent of the data subject. The fact that the email addresses are disclosed by the University does not imply that any such consent has been given by the data subjects.
Disclosure of sensitive personal data for research purposes
If information is requested for research purposes or the University intends to disclose personal data as part of a research collaboration, the University needs to always conduct a confidentiality assessment to determine whether the information can be disclosed. This means that if the information contains personal data (also known as pseudonymised personal data with a code key included), the University will determine whether the information is confidential, including GDPR confidentiality in accordance with OSL Chapter 21, Section 7.
If the requested personal data constitute sensitive personal data and are requested for use in research, approved ethical review is a prerequisite for disclosure. Before disclosing sensitive personal data for research purposes, the recipient needs to present an approved ethical review for the University to conduct a confidentiality assessment. If the recipient does not have an approved ethical review permit, confidentiality applies in accordance with OSL Chapter 21, Section 7, and the information may not be disclosed. If an approved ethical review permit exists that includes the personal data requested, the recipient's processing is also assessed in accordance with GDPR and the Data Protection Act.
The recipient needs to always comply with the basic requirements of Article 5 of GDPR with support from one of the lawful bases stated in Article 6 of GDPR to process the personal data. If the data are to be used for research by another Swedish higher education institution, the lawful basis "public interest" may serve as the basis for the recipients' processing.
How are official documents containing personal data disclosed?
There is no obligation to disclose official documents in digital form such as email. If the information to be disclosed contains personal data, disclosure should be in the form of paper documents.
If personal data of a more general nature is disclosed, such as data already available on the University's external website, email may be an option for transfer.
If disclosure of official documents containing personal data other than in paper form is under consideration, such as research involving ethical review for processing, appropriate technical and organisational measures need to be adopted to protect the data. Naturally, if the data contains sensitive personal data or personal identity numbers, this greatly increases the requirements for data transfer and security. Use recommended systems for the transfer of information that meets the data protection value according to the information classification.
Does the GDPR require me to inform data subjects that their personal data has been disclosed?
If the University discloses official documents containing personal data, the University does not need to inform the data subjects of the disclosure. This applies regardless of the purpose for which the data are disclosed, even when the data are disclosed for research purposes.
The same applies to the recipient, who is not obliged to inform data subjects that the data has been disclosed to the recipient. The recipient may still need to inform the data subjects when using sensitive personal data in research if the Ethical Review Board has specified in its ethical review decision that the data subjects are to be informed.
GDPR contains provisions about when and what information is to be provided to data subjects.
Personal data and email
Do I process personal data when I send and receive emails?
Email in principle always means that personal data are processed. The email address itself is often personal data, and all other information in the message that can be linked to an individual is also personal data. As a result, the processing of personal data by email needs to comply with all the requirements of GDPR.
The University is obligated to manage incoming mail. Once you have read the email, you need to assess how the personal data are to be processed and what legal support you have for further processing. Consequently, if and for how long the email can be saved depends on the content.
Email received by a public authority normally becomes a public document to be registered, recorded or otherwise kept organised unless it is of minor or temporary importance and can therefore be deleted. The University's Retention and deletion plan has more detailed information about registration, retaining and disposal of data.
When you send an email reply or auto reply, your reply should include information about how Umeå University processes personal data and include a link to umu.se/gdpr, which describes how Umeå University processes personal data.
The Swedish Authority for Privacy Protection (IMY) has produced a guide to managing personal data in emails (in Swedish).
Feel free to use the signature template that is available and can be downloaded in the email programmes' signature templates. There you will find the link to information about personal data processing.
Are there any restrictions on what data can be sent by email?
Do not send the following information by email:
Sensitive personal data
According to GDPR, sensitive personal data are data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, personal data relating to health or sexual activity and genetic or biometric data. Health data can be, for example, information about sick leave, pregnancy and doctors' appointments.
Confidential information
An official document is generally public. In some cases, information in official documents may be confidential if there is support for this in one of the sections of the Public Access to Information and Secrecy Act (SFS 2009:400).
If information is classified as confidential, it is a criminal offence to disclose it — for example, by communicating the information orally, through disclosing documents or by other means. Sending information by email means revealing it. In exceptionally cases, confidential information may be sent to the person authorised to access the data using the University's service for sending encrypted files.
Information covered by the Protective Security Act (2018:585)
You should never send the following information by email:
- Personal data meriting special protection or personal data of particular importance to protect.
It is always good to think of email as a postcard; there are many kinds of information are not suitable to send with postcards.
Even if data are not classified as sensitive personal data under GDPR, the data can still be worth protecting and should not be sent by email as a result. This includes salary data, data on violations of the law, valuation data such as development discussions, data on results of personality tests or profiles, information relating to someone's private life or data on social conditions.
When it comes to personal identity numbers, you should always be restrictive in the way you process them. You are to balance your interests between the need to send information by email, for example, and the privacy risks involved. Personal identity numbers require particular protection and should be exposed as little as possible. If a few personal identity numbers need to be sent by email, consider whether it is possible to delete the last four digits.
Can security measures make it possible to send sensitive data or particularly protected data by email?
Umeå University offers services for staff to send files with encrypted transmission between sender and recipient. Sending with encrypted transmission is safer than sending as an attachment in regular email.
Process personal data primarily in a jointly approved collaboration tool. In that case, it is sufficient to notify recipients via email that the information is available in the collaboration tool.
An alternative could also be to use a case management system instead of communicating via email. If a case arrives via email, move it into the case management system and allow the conversation to take place through that system. Make sure notifications are turned on.
If individuals wants to receive by email certificates or other documents containing personal data about themselves, you need to ensure that the email address provided as the recipient address really belongs to the individual. For students, the only address to be used by the University is the email address stated in Ladok. In case of uncertainty, the regular postal service should be used instead.
What do I need to consider if I send emails to many recipients?
To handle emails in accordance with GDPR, anyone intending to send emails to many people should ask themselves whether it is important, based on the purpose of the message, to list all recipients in the address bar. In the case of larger mailings, all recipients seldom need to be listed openly. Consider entering the addresses in the Bcc field instead.
Avoid sending personal data relating to many different individuals in the same email.
What else do I need to consider regarding personal data in emails?
Do not disclose personal data unnecessarily. Send personal data only to those who need it for their work.
Disclosure of official documents are to be made on paper. Electronic communication should be used only in cases when it facilitates the University's processing and when the official documents do not contain personal data.
Do the same rules apply to data that may be contained in an email in the case of an internal email message?
There is always a risk that someone other than the intended recipient can gain access to an email message. For that reason, Umeå University believes that all emails should be handled the same, regardless of whether the email is sent internally or externally.
How should I handle the email that comes to me?
Emails to all the University's email addresses should be handled like other mail, which means that they should be kept and regarded according to the same rules as regular mail. Anyone can ask to see a list of the mail you have in your email box and also to see the messages in it that are official documents. If such a request is received, you can have a short period of time to purge the letters that are not official documents. This could involve something you received personally. Remember that requests for official documents, including requests for email logs, are to be handled promptly.
If you receive personal data in an email that you will continue to process — such as in a system for case management or student administration — the data should be transferred there, and the email message should then be deleted (both from your inbox and from the deleted items folder).
Email should not be used to process personal data in the long term. It is not a secure repository, and it can be difficult to find information about an individual in the email or ensure that the information is removed when no longer needed. To more easily comply with GDPR, it may be important to move certain data from emails to a more appropriate system, such as a case management system. See also Rules for IT resources at Umeå University.
What should I do if the email received contains personal data that should not be in the email?
If you receive sensitive data via email, make sure that the messages are removed from your inbox and also from your deleted items folder as soon as possible.
Try to discourage individuals from submitting sensitive personal data by email as much as possible. Though an individual cannot be prevented from submitting such information by email, the University can advise against it, and we as a public authority may not continue to disseminate the information.
If the University needs to store data, you should transfer it as soon as possible to the system where it belongs, such as a system for case management, student administration or personnel administration. Then delete the message and remove it from the deleted items folder.
Where such a system does not exist and the email is an official document, it is to be printed and handled in accordance with the rules on official documents.
Example: Medical conditions are considered sensitive personal data. If an employee or student sends information about their pathological status by email, the University is responsible for managing that information securely. This means transferring the information to the correct system or other protected document and then deleting the message (including in the deleted items folder).
If the received email is to be answered, this should be done with a new message or the sensitive information should be deleted from the message. Nothing about the medical condition is to be included in the response. Receipt of the document can be confirmed.
Student administration
Is there a good answer you can give to people who question why we are not allowed to send certificates of enrolment digitally?
The following answers can be used:
"Certificates of enrolment and other study assignment-related certificates contain personal data meriting special protection because they contain personal identity numbers and valuation data or assessment data. Such data should be sent as seldom as possible by unencrypted email. This type of data requires a higher level of protection because it is considered particularly worthy of protection. For more information, please refer to the guide written by the Swedish Authority for Privacy Protection (IMY): Managing personal data in email (in Swedish)".
What applies to sending certificates of enrolment digitally?
As a rule, the certificate should be sent in paper form to the student's civil registration address for privacy reasons.
An alternative to sending certificates of enrolment in paper form may be to use the University's service to send encrypted email to the email address registered in Ladok. For information, see Send files encrypted with Protected Attachment on the staff website. This makes it possible to avoid sending the certificate over an open network. However, it requires that passwords be given to the student via another medium than email, such as by phone or text message.
It is important to ensure that recipients are who they claim to be. Umeå University communicates with the student via the email address registered in Ladok. Information on how students can change their email address can be found in logged-in mode on the Student Web page "My settings".
If a student emails the department and asks for information, can we ask for their personal identity number by email to obtain the information? Or do we have to call them or have them call us back instead?
Personal identity numbers should not normally be emailed without additional safeguards such as encryption. The University should never encourage those inquiring to send personal identity numbers via open email.
An alternative might be to ask them to send their date of birth without the last four digits if this is sufficient for the purpose. Another option may be to call them and ask them to provide their personal identity number.
How long do received and sent emails need to be saved before it can be deleted?
For emails received or sent that are considered to be official documents by a public authority, the general rule is that the email should be retained unless the information is included in the University's document retention and deletion plan, where deletion regulations exist. Emails that are to be registered are handled in the order that applies for registration. If the email is not to be registered or archived, it is to be deleted as soon as the email is out of date — that is, on an ongoing basis. The mailbox should not be used as an archive.
What applies when we receive certificates with sensitive information, such as recommendations on assistive tools?
If you receive sensitive data via email, make sure that the messages are removed from your inbox and also from your deleted items folder as soon as possible. Try to discourage individuals from submitting sensitive personal data by email. Though an individual cannot be prevented from submitting such information by email, the University can advise against it, and we as a public authority may not continue to disseminate the information.
If the student questions why we cannot just receive it by email, we can explain that we cannot guarantee that email is a safe way to handle that kind of information, but that if they choose to send it by email, we will of course accept it.
What applies if, for example, a decision on credit transfer to the department comes from the Degree Office via email?
If the credit transfer contains sensitive or privacy-sensitive data, we recommend using the University's service for forwarding encrypted files.
As with all emails, the document is to be registered and archived in the manner regulated by the Retention and deletion plan and not retained in the email box.
What if an external actor (such as a municipality) requests a list of students who will soon graduate for recruitment purposes, for example? How can we disclose such a list?
If an external actor asks for a list of students, this involves disclosing an official document. Under the question Can I disclose personal data if the recipient will use the data for direct marketing purposes? there is a detailed explanation.
Remember that if the external actor requests a list including personal identity numbers, they are also entitled to that information according to the principle of public access to official documents, unless the individual case involves confidentiality. The University charges a fee for issuing copies of official documents.
Personal data and employees
May I collect personal data about employee relatives to contact them in the event of an accident or emergency?
Yes, you may. However, it should be completely voluntary; there is no requirement for employees to provide contact information to relatives.
As an employee, go to the heading Personal data in PASS and fill in the contact information for relatives. The employee is responsible for filling in the information and informing the person that they are listed as a contact person in case of illness or accident that occurs during working hours.
As a manager, go to Tjänster/Pers/Anstuppgift and then to Personinfo in PASS to see the information.
The data may not be used for any purpose other than that for which they are intended — that is, the data may not be used to contact relatives with other types of questions.