Personal data in student projects

Start by determining the purpose of the work you are going to conduct - this is the purpose of your processing of personal data.

Consider whether it is suitable and necessary to process personal data to achieve the purpose or if you can achieve the same purpose without processing personal data. If it is necessary, try to limit it so that you process as little personal data as possible.

Together with your supervisor or the teacher responsible for the course, you should also assess the suitability of the intended work. Is the project something that is in line with your education? Can it be carried out so that the privacy of the individuals whose personal data is to be processed is not affected in a negative way? You can read more about how to make this assessment on the page Security measures. 

The suitability and necessity assessment must be carried out regardless of whether you are to process special categories of personal data or "ordinary" personal data.

Assess which types of personal data that are necessary to process in your project. Write down your purpose with the processing of data as briefly as possible.

Together with your supervisor or the teacher responsible for the course, you should decide how to collect, store and otherwise process personal data.

Note that you should only use the tools and services provided by the university. It is not permitted to use tools and services that are available for free on the internet.

The tools provided by the university are found via the following pages:

Digital tools
Other digital tools and software

You also need to apply relevant security measures (for example coded information instead of printed names). Read more on the page Security measures. 

You only have the right to process personal data as long as it is necessary for your project. After completing the project, the personal data must be deleted.

If you plan to collect personal data directly from the data subject, whether it is ‘ordinary’ personal data or sensitive personal data, the data subject must give their consent to participate in your work. When you receive the consent, you must also inform the data subject about how the personal data will be processed. 

The university has a template for this. You find it on this page under the heading "Templates". 

If you have collected the data from someone other than directly from the data subject, it is in many cases impossible to obtain consent and inform about the processing without having to collect contact information from another source. In these cases, you should not go to another register (for example the population register) to be able to contact the data subject regarding the processing carried out by you.

Be thorough and only process the data in the way that you informed about. If the purpose or the way you process the data changes, you need to repeat the steps above that are affected by the changes. When you are finished (examined), you delete the data that is no longer needed.

When writing academic papers, you often need to make references to previous works in the field. This is partly due to other legislation which states that the author must be named in connection with the reference to the work.

You can therefore assume that you may process personal data in the form of quotes and references when you write your paper without having to further consider GDPR. If you only process personal data in the form of quotes and references, you therefore do not need to go through the checklist below.

It is often the case, for example in methods courses, that students are given a task to carry out a certain type of survey, such as a questionnaire. In this case, the teacher may also have indicated what is to be investigated and what the questions should be about. In these cases, you do not need to think about steps 1-3 in the checklist above as the teacher has already specified how your work should proceed.  

However, it is still important that the respondents, i.e. those answering the survey for example, are informed about how their personal data will be processed and are given the opportunity to consent to participate in the work. If your teacher has already developed an information and consent form you should use it, otherwise you can use the template available on this page. 

The template for information and consent provided on this page has been reviewed to ensure that the wording complies with the requirements of the GDPR. It is therefore advisable that you formulate your information using the template.  

If your teacher or supervisor considers that the consent to participate should be worded differently, for example due to ethical requirements, then your teacher's or supervisor's instructions will apply.

There is also no requirement for you to obtain written consent on paper. If you and your teacher/supervisor decide that it is more appropriate to obtain consent verbally, and make your own note of having asked the question, that is sufficient.  

Participants can also submit their consent digitally, for example by email.

You can also collect consent digitally if you are conducting a survey using Microsoft Forms, in which case you can publish a PDF of your information form at the beginning of your survey and include the consent form found in the template on this page as the first question in the survey. 

SharePoint or OneDrive are suitable for storing and editing your documents. You can also store images, films or audio files on these spaces. Be careful not to give others access to areas where you store personal data.  

You can use Zoom for digital interviews. Zoom allows you to switch on "end-to-end encryption" in the call, which is useful if sensitive personal data may come up in the call.  

Forms can be used for surveys. It is a flexible tool where you can make many different types of settings yourself.  

It is important that you use your student account when you log in to the tools. You must not use private login details or services not provided by the university.

No, it is sufficient that the participant gives consent to the work as a whole. 

What is personal data?

Personal data is any kind of information that can be linked to a living natural person. Typical examples are name, address and personal identity number. Photos of people can be personal data in cases where the person in the photo can be identified. The registration number of a car can be personal information if it is possible to link the information about the car to an individual natural person.

Special categories of personal data

In GDPR, a distinction is made between "regular" personal data and such data that is considered sensitive. This type of data is called special categories of personal data and is considered to need special protection. The processing of special categories of personal data is prohibited unless one of the exceptions in GDPR can be applied. Special categories of personal data refers to information about:

• ethnic origin,
• political opinions,
• religious or philosophical beliefs,
• membership of a trade union,
• health,
• a person's sex life or sexual orientation,
• genetic data, or
• biometric data used to uniquely identify a person.

Personal data worth extra protection

Personal identity numbers and coordination numbers are not categorized as special categories personal data. However, they are considered to require extra protection and must therefore be treated with particular care.

In addition to personal identity numbers and coordination numbers, children's personal data is considered particularly worthy of protection. This is because children are not considered to be able to exercise their rights in the same way as adults and it may be more difficult for them to predict the consequences of the processing of their data.

If you intend to process personal data of children, and therefore need to take any additional measures, you should talk to your supervisor. Additional measures taken may consist of additional and more specified information to the data subjects. GDPR requires that information given to children must be specially adapted to their age.

What is processing of personal data?

Processing is defined in the GDPR as basically any operation which is performed on personal data, regardless of whether it takes place electronically or not. Examples of processing are to collect, register, store, process, correct, delete or transfer. However, GDPR is only applied for processing that is fully or partially carried out by automated means (that is, electronically) or such processing that occurs in manual registers (for example, lists).

Legal bases for processing

In order to process personal data, there must be at least one legal basis for the processing. For students' processing of personal data within their studies, it is the legal basis of public interest or exercise of authority that is primarily used. 

• Public interest or exercise of authority
  You may need to process personal data in order to benefit from your education. The legal basis for that processing is that it constitutes a necessary public interest. The university can apply this legal basis on behalf of its students since the we has an assignment of conducting education according to the Higher Education Act and the Higher Education Ordinance.
• Consent 
  In exceptional cases, the legal basis consent can be used. You can process personal data after obtaining consent from the data subject. Keep in mind that a revoked consent must be respected if you use this legal basis. If you and your supervisor consider that consent is the best legal basis for your work, contact dataskydd@gu.se.

Processing different categories of personal data

As a general rule, special categories of personal data may not be processed, but there are exceptions. Since special categories of personal data is considered to have a greater protection value than other personal data, there are requirements of taking more extensive measures to protect this data.

More information about when it is allowed to process special categories of personal data is found on the page Special categories of personal data. Discuss with your supervisor how you meet the requirements.

The personal data worth extra protection, such as personal identity numbers and coordination numbers, may be processed with the support of the data subject's consent. Without consent, personal identity numbers may only be processed if it is clearly justified with regard to:

• the purpose of the processing,
• the importance of secure identification, or
• any other noteworthy reason.

There may also be special regulations that allow personal identity numbers and coordination numbers to be processed.

As a general rule, personal data relating to convictions in criminal cases and violations of law that include crimes or related security measures (criminal data) may not be processed unless it is expressly stated by Swedish or European law that someone may process the data. The information referred to here can be everything from case numbers to information relating to a possible arrest warrant and convictions.

More information about when it is allowed to process special categories of personal data is found on the page Security measures. Discuss with your supervisor how you meet the requirements.

Basic principles for processing

GDPR contains a number of basic principles that must always be followed. You must make sure to follow these principles when you process personal data within your studies:

• Personal data processing must be lawful, fair and processed in a manner that is transparent in relation to data subject.
• Personal data may only be processed for specific, explicit and legitimate purposes.
• The personal data must be relevant and limited to what is necessary in relation to the purpose.
• The personal data must be accurate and up-to-date.
• The personal data must not be saved longer than necessary.
• The personal data must be given adequate protection.
• The person in charge of personal data (the university) is responsible for and must be able to demonstrate that the principles are complied with. The University of Gothenburg is therefore responsible for the personal data processing that you carry out as a student.

The rights of the data subject

When you process personal data within your studies you must, on behalf of the University of Gothenburg, ensure that the rights of the data subjects are met. On our external website, you find information about the rights of the data subjects.