Questions about personal data
- What is personal data?
- Who is responsible for personal data processing at Lund University?
- When is processing of personal data permitted?
- What is “sensitive” personal data?
- Does the General Data Protection Regulation affect how you process old personal data?
- How are you to process personal data in everyday work?
- How are contact details of next of kin to be processed?
Questions about the legal basis and consent
- What is a legal basis?
- When are you to use consent as a basis for processing personal data?
- How is consent for the processing of personal data to be managed?
- What applies to children and consent?
- What applies to past consent?
Questions about data subjects
Questions about IT systems
Pursuant to the GDPR, personal data is “any information relating to an identified or identifiable natural person”. Examples of personal data are:
- personal identity number
- hair colour
- shoe size
Lund University is responsible for all personal data processing within the organisation and is thereby the data controller in the vast majority of cases.
In certain situations, the data processing is managed by a third party which acts as the data processor in that case. The relationship between the processor and the data controller is to be regulated through a written agreement, known as a data processing agreement.
In case of errors and shortcomings in processing, both the data controller and the data processor may be subject to administrative penalties determined in Sweden by the supervisory body, the Swedish Data Protection Authority and imposed by a court. The penalties may be very high (maximum EUR 20 million for a Swedish higher education institution). The Swedish Data Protection Authority is responsible for reviewing the management of personal data and dealing with complaints from data subjects.
The data protection officer at Lund University is entrusted with reviewing the processing of personal data at the University but also with providing support to employees. As an individual employee, you are expected to process personal data correctly and to know about the rules that apply to your particular work duties. (ta bort?)
You may process the personal data necessary for carrying out the University’s mission: to provide education, research and external engagement. You are also permitted to process personal data necessary to enable you to:
- comply with laws, ordinances and collective agreements
- exercise public authority
- comply with agreements, such as purchasing contracts or collaboration agreements
The processing of personal data is to follow the guidelines below:
- The processing is to be conducted in a legal, correct and open manner in relation to the data subject.
- The data is to be correct and up to date.
- The data is to be processed securely.
- The data is to be collected for specific, explicitly stated and justified purposes.
- The data is not to be too extensive in relation to the purpose.
- The data is not to be stored in the form of personal data for longer than required for processing.
Remember: You are only permitted to use necessary personal data and you are only permitted to use it for as long as it is needed!
The GDPR lists particular categories of personal data as extra sensitive and warranting protection. The following are examples of sensitive personal data:
- Race or ethnic origin
- Political views
- Religious or philosophical convictions
- Membership in a union
- A person’s sex life or sexual orientation
- Genetic information
- Biometric data that unequivocally identifies an individual *
*Personal data obtained through the digital processing of e.g. photographs, voice or fingerprints that enables or confirms the identification of a natural person.
In principle, you are never to collect data on people’s religion, sexuality, views or similar unless it is justified by staff and student health, or ethically approved research.
Other types of data that are also to be considered as sensitive for integrity and warranting particular protection are:
- salary information
- data on legal offences
- evaluation data, e.g. information from staff appraisals, information on results from personality tests or personality profiles
- information concerning a person’s private life
- details of social circumstances.
Is the personal identity number sensitive data?
Pursuant to article 9 in the GDPR, the personal identity number does not constitute sensitive data. In Sweden, however, legislators have decided in the national complement to the EU’s GDPR (the Swedish Data Protection Act) that personal identity numbers and coordination numbers are data that warrant extra protection. Personal identity numbers are therefore to be exposed as little as possible and only when:
- the data subject consents to the data processing or
- the need is clearly justified with reference to the purpose of the data processing or
- secure identification is important or some other noteworthy reason applies or
- the processing cannot be completed in any other way, for example by using birth data or partial birth data.
The Swedish Data Protection Authority has exhaustive information on the processing of sensitive personal data:
Yes, the GDPR affects personal data collected before 25 May 2018. As of 25 May 2018, personal data in unstructured information on paper, in emails, text files and online is considered personal data processing. This means that you need to decide whether or not to delete or archive excess information from interviews, evaluations and suchlike. More information on what needs to be archived is available on the Records management page. If you find it difficult to interpret the records management plan, consult the registrar at your organisation.
For all processing of personal data, you need to have a legal basis.
- Use common sense and use as a starting point how you would like your own personal data to be processed.
- Data minimisation: only use the personal data that is necessary.
- Storage limitation: process the personal data only for as long as it is needed. Destroy, delete or archive personal data that you no longer need.
- Be cautious with personal data sent via email.
Read more about processing personal data on the Emails page
- When you email multiple recipients, use BCC (undisclosed recipients) instead of CC. It can be useful to create mailing lists in Epic or listserver.lu.se. Remember that consent for mailings is required for people who are not LU employees or students.
- Avoid collecting or storing personal data in free services with which the University does not have an agreement. Examples of services with which LU has no agreement are:
- Dropbox and Google docs. Use LU Box instead for non-sensitive personal data
- Google forms. Use Sunet Survey instead for non-sensitive personal data or create online forms in Drupal and Typo3
- Doodle. Use the calendar function in the University’s email system instead.
Lund University regularly collects contact details for employees’ and students’ next of kin. Read more below about what applies to employees and students respectively.
Employees’ next of kin
You can process the contact details of employees’ next of kin with reference to the University’s staff welfare management. This means that it is voluntary for staff members to provide details of their next of kin. For the employees who wish to provide details of their next of kin, you do not need documented consent from the next of kin.
Students’ next of kin
For students, it is not possible to refer to a purpose that gives you the right to process contact details for next of kin. This means that if you wish to collect this data, you need to ask the next of kin for their consent. Remember that consent must be voluntary, informed and documented.
- not to collect more data than necessary. As a rule, a name and telephone number are sufficient. Making a note of the relationship between the staff member and their next of kin may, for example, reveal their sexual orientation: this is a personal detail that is not to be processed.
- Store "next of kin lists" securely. Only the manager, deputy manager and equivalent should have access to them.
- It is not your responsibility to inform the next of kin if something has happened to the employee or student; this is the responsibility of the police and the healthcare service.
Articles 13 and 14 of the GDPR require comprehensive information to be provided to all those whose personal data is processed, regardless of the purpose or legal basis for the processing.
Employees and students will receive standardised information from the University on the processing of their personal data within the framework of their work and studies. This information is to cover all processing of personal data for these two categories that takes place within the University’s activities.
As previously, research projects in which personal data is processed take care of the information to be provided and any consent required from data subjects.
With regard to external engagement, recruitment of students and employees, the person collecting the personal data is responsible for ensuring that the data subjects are informed and provide their consent where required.
Read more about processing personal data within these areas on the following pages:
Data subjects have the right to:
- withdraw their consent at any time. As an employee, you must provide information on how data subjects are to proceed if they wish to withdraw their consent. (Withdrawal of consent applies to future processing, not the processing that has taken place before the withdrawal).
- have access, request correction or deletion of personal data or limitation of processing of data concerning the data subject.
- file a complaint about how the personal data is used. As an employee, you must provide the data subject with information on how to proceed if they wish to file a complaint.
You need to ensure that the system is administrated and reported in compliance with the University’s system administration model, based on the process model PM3.
You can turn to the University’s data protection officer for support and advice by contacting the officer via email dataskyddsombud [at] lu [dot] se
Questions on data processing agreements are to be addressed to the Legal Division:
dataskyddsombud [at] lu [dot] se
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is always the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) - The Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.