The lawful basis for the University's processing of students' personal data in teaching is the public interest, together with the Higher Education Act's requirement that universities conduct teaching. The University cannot use consent as a lawful basis for the processing of personal data in connection with teaching because of the voluntary nature required; students are considered to be dependent in relation to the University. The Swedish Authority for Privacy Protection's view is that consent is not to be used if there is another lawful basis (public interest). This in itself prevents the University from basing its processing of students' personal data on consent.
Go directly to:
What applies to remote teaching?
What applies to remote assessments?
Student assignments and processing of personal data
Remote teaching and summative assessment
As a general rule, the same approach applies to personal data processing in remote teaching as in normal teaching. The processing of personal data needs to be a prerequisite for teaching or constitute the basis for teaching itself.
Whether personal data processing is necessary may be determined on a case-by-case basis. The following should be the basis for the assessment:
- If necessary, the University may live stream students and teachers for teaching purposes.
- If necessary, the University may record teaching if the recording is part of the teaching material.
- If necessary, the University may live stream a summative assessment or compulsory component.
- If necessary, the University may record the summative assessment or compulsory component if the purpose of the recording is to form the basis for the assessment.
- The University may not record the students if the purpose of the recording is to document whether unauthorised aids or other deception have occurred in connection with assessment.
Note: A document is public if it is kept by the University and has been submitted to or drawn up here. When students submit documents to their teacher for assessment, they are regarded as having "arrived at the public authority or reached an authorised officer". The same applies to recorded lectures or examinations. Recordings are submitted or drawn up documents, making them an official document that can be requested.
What applies to remote teaching?
Processing of teachers' personal data in connection with teaching
The processing of employee personal data in connection with remote teaching is done based on the lawful basis contract, because this is part of the employee's assignment under the employment contract. This also applies if the teaching is live streamed or recorded.
For students who want to film a teaching situation, rules for sound recording, photography and filming in connection with teaching situations (in Swedish) also apply to remote learning. In this case, the teacher should ensure that other participating students can ask questions and interact in teaching in such a way that their personal data are not processed by the recording student. For example, they could ask anonymous questions. If this cannot be done, teachers should not allow recording by any student.
Processing of students' personal data
Processing is allowed if the purpose of the processing is instruction — whether the processing is done by live streaming or recording — and the processing is a prerequisite for implementing the instruction.
Live streaming of a lecture or other teaching component for those who would otherwise have participated on site is permitted. Similarly, the processing of personal data by students participating with sound and images in such a live-streamed teaching session is permitted. This has the lawful basis "public interest" together with the Higher Education Act's requirement that higher education institutions conduct teaching.
If there are teaching components where recording is also normally done as part of the teaching, this can also be done remotely. The recording may be a basis for the student's own reflection and for discussion with other students and teachers. The content of the recording then becomes part of the teaching material.
Encourage students in a home environment to position themselves as neutral as possible to reduce invasion of privacy. These recordings are to be kept/deleted in accordance with the Retention and deletion plan (in Swedish).
It is important to inform students that personal data processing is taking place through the digital connection (refer to www.umu.se/gdpr) and to inform them if something is saved. It is also appropriate to give students the opportunity to ask questions outside of the lecture (it becomes especially important that questions can be asked outside the lecture if it is recorded). Sensitive personal data or classified information should not be shared or appear in Zoom or Teams.
What applies to remote summative assessments?
As a general rule, the same approach is to apply to personal data processing in remote summative assessment as in customary summative assessments. If the purpose of a recording is to form a basis for assessment or documentation of compulsory components, recording is permitted. If students in ordinary written hall exams are to identify themselves and be supervised by invigilators, this may also be done remotely. However, if the purpose of the recording is to document whether cheating has occurred, this is not permitted.
When students are assessed, the University processes students' personal data supported by the lawful basis "public interest". Since summative assessments are considered to be an exercise of official authority, the lawful bases "legitimate interest" and "consent" from students cannot be applied in connection with summative assessment.
Live streaming of summative assessments and compulsory components
Identifying and monitoring students via webcam may in some cases be allowed if necessary, but this should not be done if it is a form of summative assessment that normally does not require identification with proof of identity (such as take-home exams).
In connection with digital forms of summative assessments, there may be a need to identify the student and to monitor the student during ongoing session. It is important to inform students that personal data processing is occurring through the digital connection (refer to www.umu.se/gdpr) and to inform them that nothing is saved. For that reason, the University is not allowed to record a live-streamed examination even if this is possible, either by the University or any of the participating students.
The lawful basis "public interest" gives the University scope to process students' personal data when it is required for the student's to identify themselves by presenting identification. However, there should be no requirement for identification if it is a form of summative assessment that normally does not require identification with proof of identity (such as take-home exams). If identification in a digital examination is to be done by presenting proof of identity, there is a risk that the personal identity number can be seen by other participants in the exam. For that reason, identification by proof of identity needs to be done in a way that prevents the other participants from seeing the personal identity number or other unique information. Identification can take place, for example, using photo lists instead.
Monitoring of the assessment can be arranged in a way comparable to a hall exam without recording the students. This would then mean that the teacher or someone else in real time monitors the students' written exam via the digital connection. The number of persons supervising the summative assessment may need to be adapted to the individual situation, primarily when using "breakout rooms". The University is regarded as having a lawful basis for this type of monitoring in the Higher Education Act and GDPR on grounds of public interest.
Recording summative assessments and compulsory components
Recording students in their home environment is considered such an invasion of privacy that explicit legal support is required for the University as a public authority to be regarded as having that right. Since there is no explicit lawful basis for recording students in assessment situations to prevent or document cheating or other deception, the data protection officer believes that such recording, even remotely, also violates GDPR.
Oral summative assessments and compulsory components imply that they are of an individual exploratory nature. This may require appropriate documentation. If a recording is made in these cases to obtain the necessary documentation for examining or assessing the compulsory part, the recording is allowed. The recording may also serve as a basis for the student's own reflection or for discussion, which is also allowed.
In corresponding cases, recording of students during oral exam or at other compulsory components remotely is allowed. Encourage students in a home environment to position themselves as neutral as possible to reduce invasion of privacy.
These recordings are to be kept/deleted in accordance with the Retention and deletion plan (in Swedish).
Student assignments and processing of personal data
Do you have contact with students conducting student work? Then it is important that you know how students may handle personal data in their student work. Examples of student work are degree projects, memoranda, academic papers and homework assignments.
Umeå University is responsible for the personal data processing by students within the framework of their studies, such as when students process personal data in a degree project. As a result, it is important for students to manage personal data in the manner required by GDPR.
More information about how students may process personal data.