What is personal data?
Who is responsible for personal data processing at Lund University?
When and how are you to process personal data?
What is "sensitive" personal data?
Does the GDPR affect how you process personal data collected before 25 May 2018?
How are we to process personal data in everyday work?
How are contact details for next of kin to be managed?
How are you to inform the data subjects?
What rights do data subjects have?
As a manager of an IT system that processes personal data, what do I need to do?
Does Lund University need to apply the GDPR outside of Sweden?
Coronavirus - Personal data and data protection for remote teaching and examination
Personal data is “any information relating to an identified or identifiable natural person”. Examples of personal data are: name, photographs, address, email, grades, age, personal identity number, hair colour, shoe size, qualifications and genome.
Lund University is responsible for all personal data processing within the organisation and is thereby the data controller in a vast majority of cases. In certain situations, the data processing is managed by a third party, which acts as the data processor in that case.
You may process the personal data necessary for carrying out the University’s remit and to enable you to:
- comply with laws, ordinances and collective agreements
- exercise public authority
- comply with agreements, such as purchasing contracts or collaboration agreements.
Personal data is:
- to be processed in a legal, open, correct and secure manner
- to be correct
- to be collected for specific, explicitly stated and justified purposes
- not to be too extensive in relation to the purpose
- not to be stored for longer than required for processing.
The GDPR lists special categories of personal data as extra sensitive and warranting protection. The following are examples of sensitive personal data:
- race or ethnic origin
- political views
- religious or philosophical convictions
- membership in a union
- a person’s sex life or sexual orientation
- genetic information and
- biometric data that unequivocally identifies an individual. *
*Personal data obtained through the digital processing of e.g. photographs, voice or fingerprints that enables or confirms the identification of a natural person.
In principle, you are never to collect data on people’s religion, sexuality, views or similar unless it is justified by staff and student healthcare, or ethically approved research.
Other types of data also to be considered as sensitive for integrity and warranting special protection are:
- salary information
- data on legal offences
- evaluation data, e.g. information from staff appraisals, information on results from personality tests or personality profiles
- information concerning a person’s private life
- details of social circumstances.
Is the personal identity number sensitive data?
No, but even so we are to exercise extra caution with them. Personal identity numbers are only to be exposed when:
- the data subject consents to the data processing, or
- the need is clearly justified with reference to the purpose of the data processing, or
- secure identification is important or some other noteworthy reason applies, or
- the processing cannot be completed in any other way.
Yes. All personal data that is still processed is to fulfil the requirements of current legislation even if it has been collected previously.
- Use common sense.
- Only use the personal data that is necessary.
- Process the personal data only for as long as it is needed
- Be cautious with personal data sent via email.
- When you email multiple recipients, use BCC (undisclosed recipients) instead of CC. It can be useful to create mailing lists in Epic or listserver.lu.se.
- Avoid collecting or storing personal data in free services with which the University does not have an agreement. Examples of services with which LU has no agreement are:
- Dropbox and Google docs. Use LU Box instead for non-sensitive personal data
- Google forms. Use Sunet Survey instead for non-sensitive personal data or create online forms in Drupal and Typo3
- Doodle. Use the calendar function in the University’s email system instead.
Employees’ next of kin
You can process the contact details of employees’ next of kin with reference to the University’s staff welfare management. This means that it is voluntary for staff members to provide details of their next of kin, but you do not need documented consent from the next of kin.
Students’ next of kin
For students, it is not possible to refer to a purpose that gives you the right to process contact details for next of kin. This means that if you wish to collect this data, you need to ask the next of kin for their consent.
- Do not collect more data than necessary. As a rule, a name and telephone number are enough. Making a note of the relationship between the staff member and their next of kin may, for example, reveal their sexual orientation: this is a personal detail that is not to be processed.
- Store "next of kin lists" securely. Only the manager, deputy manager and equivalent should have access to them.
- It is not your responsibility to inform the next of kin if something has happened to an employee or student; this is the responsibility of the police and the healthcare service.
Employees and students will receive standardised information from the University on the processing of their personal data within the framework of their work and studies.
Research projects in which personal data is processed take care of the information to be provided and any consent required from data subjects.
Regarding external engagement, recruitment of students and employees, the person collecting the personal data is responsible for ensuring that the data subjects are informed and provide their consent where required.
- receive information on what personal data the University processes and for what purpose
- withdraw their consent if processing is based on consent. As an employee, you must provide information on how data subjects are to proceed if they wish to withdraw their consent
- request correction of personal data
- file a complaint about how the personal data is used. As an employee, you must provide the data subject with information on how to proceed if they wish to file a complaint.
NB! As the university is a public authority, both the principle of public access to information and the Archives Act apply to personal data.
You need to ensure that the system is administrated and reported in compliance with the university’s system administration model, based on the process model PM3.
The General Data Protection Regulation (GDPR) applies to personal data processing that is linked to the EU, either because the organisation processing personal data is established in the EU or that an organisation outside the EU is offering goods and services to people within the EU or monitoring their behaviour here. This means that the GDPR is applicable to personal data processing carried out within the framework of Lund University’s activities, as the University is established in the EU. This applies regardless of whether the processing is carried out within or outside the EU and regardless of the citizenship or domicile of the people in question.
It is sometimes claimed that the GDPR “only applies to EU citizens” or “only to people who live in the EU”. These claims are thus incorrect regarding Lund University’s personal data processing.
You can read more about this by clicking here on this link.
This is a shorter recap of information - a longer more complete guide when it comes to protection for remote teaching and examination you will find if you click here.
Classroom teaching using Zoom
- Teaching is conducted using a Zoom online meeting instead of in a physical classroom
– The server for Zoom is in Stockholm, personal data is not processed outside the EU.
- There is a range of functions: webcam, audio, split screen, chat and recording
– The lecturer can control whether or not these functions are to be activated.
- Any recording is saved locally on the lecturer’s computer. The lecturer has the option of uploading the recording in the Canvas tool, Studio, so that students can access it there.
Personal data processing is permitted on the legal basis of “a task in the public interest” to the extent that the processing is necessary to enable the University to conduct its teaching. This applies provided that the students receive clear information about how their personal data will be processed in view of the teaching being conducted via Zoom.
As a lecturer, it is important to bear in mind the following:
- Always consider whether it is necessary to activate the webcam, audio and chat functions for the students in a teaching session
– It may often be justified to use one or more of the functions, but don’t do it as a matter of routine – make it a conscious choice
– Even if the chat function is activated, it is appropriate to give the students an opportunity to ask questions outside the lecture.
- Provide information about the student’s option to turn off functions.
- Recording entails a greater violation of integrity than just streaming and consequently there are more stringent requirements for justifying that recording is necessary. Consider whether recording is necessary. If it is, document the decision and the reason for it.
– Make a decision on how long the films need to be preserved and ensure procedures for deletion or disposal.
- Inform the students that they are not permitted to record teaching sessions.
The above applies provided that adequate technical and organisational security measures are in place.
Recording lectures in other ways
- The lecturer records them self/the lecture
- The lecturer publishes the recording in Canvas
Recording and publishing a lecture that involves only employed staff is permitted from a data protection perspective, as it is a part of the staff member’s duties.
Personal data processing is permitted on the legal basis of “exercise of public authority" to the extent that the processing is necessary to enable the University to conduct the examination. Regarding examinations, the University is required to ensure an examination in accordance with the law. This must be weighed against the violation of personal integrity that different solutions may entail. Based on the factors stated below, a decision must be taken on whether it is permitted to use a specific solution. It is very important that the students receive clear information about how their personal data is to be processed due to the examination being invigilated.
The factors below are to be taken into consideration.
- “Invigilation” of a student online via e.g. Zoom is only allowed if it is deemed necessary to ensure an examination in accordance with the law
– A decision about this should be taken prior to each scheduled examination, and the reason for the decision should be documented
– Do not activate more functions than absolutely necessary, e.g. recording and audio functions
- Recording entails a greater violation of integrity than just “invigilating” online and consequently there are more stringent requirements for justifying that recording is necessary. Consider whether recording is necessary. If it is, document the decision and the reason for it.
– Make a decision on how long the films need to be preserved and ensure procedures for deletion or disposal.
The above applies provided that it does not concern the processing of sensitive personal data and that adequate technical and organisational security measures are in place.
Remember that processing biometric data in order to unequivocally identify a person involves sensitive personal data that is not to be processed without specific support in law. Consent cannot be used as a legal basis for this type of processing due to the state of dependence that exists between the University and a student.
For questions about personal data and data protection, please contact:
Data Protection Officer, Legal Counsel
dataskyddsombud [at] lu [dot] se
+46 46 222 04 26
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is always the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) - The Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.