Personal data in thesis
If you as a student intend to process personal data in your independent work/thesis/thesis work, there is a lot to consider before you can begin.
It is the General Data Protection Regulation (GDPR), together with supplementary Swedish laws, which impose many and extensive requirements for all personal data processing in an open, correct and safe manner.
Step 1 - Must personal data be processed?
The first question you must ask yourself is whether it is necessary to process personal data in the academic work? If you do not process personal data, then the requirements of the General Data Protection Regulation do not apply, which makes the implementation of your work less complicated.
However, it is important to remember that personal data includes all information that may be linked directly or indirectly to a living person, which means that it is not only information such as name, national registration number, IP number and recorded interviews (even if no names are mentioned) that is personal data. The data could also be a combination of less identifiable details that together make it possible to identify an individual.
Step 2 - Define the aim of the study (the purpose of the processing)
Before the practical work begins, it is important to think through and clearly note what types of data need to be collected and why. For those writing an academic paper, this is not a difficult task, but rather the purpose of the processing is simply to be able to carry out the study necessary in order to support your work, but it is important that you think through and formulate the purpose and that you are aware of what information is necessary in order to achieve it.
Please note that it is never permissible to collect and process more personal data than is necessary to achieve the purpose.
It is also important to keep in mind, that personal data should not be disseminated to more people than necessary. Unauthorised persons should not be able to access personal data; only the person who requires access to the data in order for the academic work to be carried out and to be examined may process the personal data.
Step 3 - Ensure that sensitive personal data is not processed
Sensitive personal data according to the General Data Protection Regulation entails information about race or ethnic origin, political views, religious or philosophical convictions, union memberships, genetic details, biometric data in order to clearly identify a natural person, details concerning health, or details about a persons sex life or sexual preference. Personal data such as mother tongue or native language may also be sensitive personal data that may in certain cases indirectly deduce to ethnic origin.
The departure point of the General Data Protection Regulation is that processing sensitive personal data is prohibited. The only exception to the prohibition on processing sensitive personal data in academic work is when you as a student write your paper within the context of a research project that has been granted ethical approval from a regional ethical review committee. Supplementation: Processing of sensitive personal data requires special security measures - all processing must be done in Jönköping University’s systems and computers, sensitive personal data may not be stored on a private computer or personal storage medium.
Step 4 - Decide how the information shall be stored and processed
Collected information must be processed in a secure manner. Jönköping University provides a number of services that can be practical in this work.
External cloud services (tools not provided by Jönköping University), may not be used for the processing of personal data. This applies, for example, to storage services such as Dropbox, Google Docs, iCloud and so on. It is also inappropriate for you to store personal data on unencrypted USB memory sticks, as well as smart phones or tablets (because these can have insufficient security and are often synced with cloud services).
Step 5 - Decide which parts of the information are to be deleted or saved
Personal data may not be retained for longer than is necessary and should be deleted when it is no longer required. However, in some exceptions, there may be personal data that needs to be retained for a certain period in order to substantiate the conclusions of the academic work, or because it is necessary for future processing (for example, if you intend to publish the results in scientific articles).
For articles as well as the article’s supporting documentation, the Archives Act and the Swedish National Archives regulations shall apply. Archiving is carried out by Jönköping University through the archive and registry function. Therefore, before the practical work can begin, it is important to decide what should happen to the collected personal data. Is there any data that needs to be submitted to Jönköping University to be stored for a certain period of time? Other personal data must be deleted by the student after the academic paper has been approved and the grade has been registered in the Ladok study register.
Step 6 - Produce an information letter and consent form
According to the General Data Protection Regulation, personal data may only be processed if there is a legal basis for the processing. With an academic paper, it is in practice only the consent of an individual that is the determining factor. (Personal data from existing registers can sometimes be processed on some other legal basis?)
You can obtain consent by writing to the participants of the study and informing them what the aim of the study is, what personal data you want to collect, what the personal data will be used for, and how long your personal data will be saved before deletion. Only after the person who will participate in the study has received this information can he or she consent to the processing.
Step 7 - After you complete your examination, delete or archive the personal data material
When you have completed your academic work, the work has been examined, and your results have been submitted to Ladok, another essential element remains. The personal data material that has been processed shall now either be deleted or transferred for storage/archiving, as decided in step 5.