What is personal data?
Personal data is “any information relating to an identified or identifiable natural person”. Examples of personal data are: name, photographs, address, email, grades, age, personal identity number, hair colour, shoe size, qualifications and genome.
Lund University is responsible for all processing of personal data within the organisation and is therefore the data controller in the vast majority of cases. In certain situations the processing is carried out by a third party on the University’s behalf; that party then acts as the data processor.
You may process the personal data necessary for carrying out the University’s remit and to enable you to:
- comply with laws, ordinances and collective agreements
- exercise public authority
- comply with agreements, such as purchasing contracts or collaboration agreements.
Personal data is:
- to be processed in a lawful, transparent, fair and secure manner
- to be accurate
- to be collected for specific, explicitly stated and legitimate purposes
- not to be excessive in relation to the purpose
- not to be stored for longer than the processing requires.
The GDPR designates certain special categories of personal data as particularly sensitive and warranting extra protection. The following are examples of sensitive personal data:
- race or ethnic origin
- political views
- religious or philosophical convictions
- membership in a union
- a person’s sex life or sexual orientation
- genetic information and
- biometric data that unequivocally identifies an individual.*
* Personal data obtained through technical processing of, for example, photographs, voice recordings or fingerprints, which enables or confirms the identification of a natural person.
In principle, you are never to collect data on people’s religion, sexuality, views or similar unless it is justified by staff and student healthcare, or ethically approved research.
Other types of data that are also to be regarded as sensitive from a privacy perspective, and that warrant special protection, are:
- salary information
- data on legal offences
- evaluation data, e.g. information from staff appraisals, information on results from personality tests or personality profiles
- information concerning a person’s private life
- details of social circumstances.
Is the personal identity number sensitive data?
No, but we are nevertheless to exercise extra caution with them. Personal identity numbers are only to be used when:
- the data subject consents to the data processing, or
- the need is clearly justified with reference to the purpose of the data processing, or
- secure identification is important or some other noteworthy reason applies, or
- the processing cannot be completed in any other way.
Does this also apply to personal data collected earlier?
Yes. All personal data that is still being processed must meet the requirements of current legislation, even if it was collected before that legislation came into force.
- Use common sense.
- Only use the personal data that is necessary.
- Process the personal data only for as long as it is needed.
- Be cautious with personal data sent via email.
- When you email multiple recipients, use BCC (undisclosed recipients) instead of CC. It can be useful to create mailing lists in Epic or listserver.lu.se.
- Avoid collecting or storing personal data in free services with which the University does not have an agreement. Examples of services with which LU has no agreement, and the alternatives to use instead, are:
  - Dropbox and Google Docs: use LU Box instead for non-sensitive personal data.
  - Google Forms: use Sunet Survey instead for non-sensitive personal data, or create online forms in Drupal or Typo3.
  - Doodle: use the calendar function in the University’s email system instead.
Employees’ next of kin
You may process the contact details of employees’ next of kin with reference to the University’s staff welfare management. It is voluntary for staff members to provide details of their next of kin, and you do not need documented consent from the next of kin themselves.
Students’ next of kin
For students, there is no purpose the University can refer to that gives you the right to process contact details for next of kin. If you wish to collect this data, you therefore need to obtain the consent of the next of kin.
- Do not collect more data than necessary. As a rule, a name and telephone number are enough. Making a note of the relationship between the staff member and their next of kin may, for example, reveal their sexual orientation: this is a personal detail that is not to be processed.
- Store "next of kin lists" securely. Only the manager, deputy manager and equivalent should have access to them.
- It is not your responsibility to inform the next of kin if something has happened to an employee or student; this is the responsibility of the police and the healthcare service.
Employees and students will receive standardised information from the University on the processing of their personal data within the framework of their work and studies.
Research projects in which personal data is processed take care of the information to be provided and any consent required from data subjects.
For external engagement and the recruitment of students and employees, the person collecting the personal data is responsible for ensuring that the data subjects are informed and, where required, give their consent.
Data subjects have the right to:
- receive information on what personal data the University processes and for what purpose
- withdraw their consent if processing is based on consent. As an employee, you must provide information on how data subjects are to proceed if they wish to withdraw their consent
- request correction of personal data
- file a complaint about how the personal data is used. As an employee, you must provide the data subject with information on how to proceed if they wish to file a complaint.
NB! As the university is a public authority, both the principle of public access to information and the Archives Act apply to personal data.
If you are responsible for a system that processes personal data, you need to ensure that the system is administered and reported in compliance with the University’s system administration model, which is based on the PM3 process model.
For questions about personal data and data protection, please contact:
Data Protection Officer, Legal Counsel
dataskyddsombud [at] lu [dot] se
+46 46 222 04 26
- Personal data controller – the organisation responsible for the processing of your personal data. In all but a few cases, Lund University is the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) - The Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.