Personal data is any information which is directly or indirectly attributable to a living natural person, such as a name, personal identity number, address, email address or photo. The Swedish Personal Data Act defines the processing of personal data as any measure or series of measures taken with regard to personal data, whether by automatic means or not, such as collecting, registering, organising, storing, adapting or altering, retrieving, using or reusing, disclosing by transmission, disseminating or otherwise making available, compiling or combining, blocking, erasing or destroying.
Under the Personal Data Act, sensitive personal data is information that discloses a person’s race or ethnicity, political opinions, religious or philosophical convictions, membership of trade unions, or data related to health and sex life. The processing of sensitive personal data is generally prohibited. However, there are some exceptions, such as when the registered person has given their explicit consent, and when processing is done for research purposes. To process sensitive personal data for research purposes without consent requires the approval of the Research Ethics Committee (Faculty of Medicine), or a preliminary review by the Swedish Data Protection Authority (all other faculties, as well as genetic studies).
Special rules apply for personal identity numbers. Personal identity numbers may be processed only with the consent of the registered person or when clearly justified with regard to the purpose of the processing, the importance of secure identification, or some other substantial reason.
In principle, it is prohibited to transfer personal data to a third country (practically all countries outside the EU and EEA) that does not have an adequate level of protection for personal data. Consent removes the prohibition. There are a few other exceptions as well.
The following information is to be voluntarily provided to the registered person: the name of the personal data controller (in this case Lund University), the purpose of processing the personal data, and any other information needed to ensure the rights of the registered person, e.g. information about the recipients of the data and the right to request information and rectification.
The type of data and the volume of data on each person are both significant in determining the sensitivity of the data. Under the Personal Data Act, sensitive personal data is information that discloses a person’s race or ethnicity, political opinions, religious or philosophical convictions, membership of trade unions, or data related to health and sex life. In this context, i.e. relating to data security, personal data on transgressions of the law that concern offences, verdicts in criminal cases, coercive measures or administrative deprivation of liberty should be regarded as sensitive data.
Particular risk factors include that personal data on a large number of people is being processed, that equipment used when processing the personal data will be connected to an open network, that personal data will be transferred to someone outside the University, within or outside the country, or that a large number of people will gain access to the personal data.
This could, for example, relate to risks of operational disruptions, accidents, theft of equipment, or unauthorised access to personal data.
The security measures may be physical as well as organisational.
If you have questions concerning security measures for protecting personal data, contact the IT Security Group at LDC by telephone on 046 2229000 or via email at email@example.com.