Processing of personal data in student and degree projects
There are important differences between what is legally required of the University's students in terms of degree and student work, depending on whether a work processes personal data or not. Here is a brief overview of the most important things to think about as an individual student.
Questions to ask before starting a degree or student project
If the answer is No, proceed directly to question 4.
If the answer is Maybe, contact your teacher/supervisor to discuss the potential need for personal data processing, and proceed to question 2.
If the answer is Yes, contact your teacher/supervisor to discuss the appropriate management of processing personal data.
Complete a form for consent that ”the research person” must sign. Your supervisor should save the form.
Complete the “Form for personal data processing register” together with your supervisor.
If it turns out that the work can and should completely avoid all personal data, then proceed directly to question 4.
If it is not possible to completely avoid personal data, then everyone involved in the work (including teachers/supervisors) should ask themselves if all the personal data they intend to process is really necessary? For example, is it possible to avoid collecting information such as name, age, gender, and so on?
After all possible minimization is done, proceed to question 3.
Read the University's guidelines for processing personal data. Consult your teacher/supervisor for any questions.
Also make sure that all requirements regarding, for example, consent, protective measures, collection, storage, management and erasure of personal data are met and followed, and that you are clear about what the legal basis for personal data processing actually is (usually that the participants give their consent, which must be in writing, clear and distinct, voluntary and possible to withdraw).
Then continue to question 4
According to the law (2003:460) on ethical review of research involving humans, ethical review does not apply to work that is "only carried out within the framework of university education at first level or advanced level".
For the majority of degree and student theses, the answer is no.
Note, however, that there are exceptions – this is what the Ethics Review Authority writes on its website: "For the exception from the requirement for ethics review for student work to apply, it is required that it only concerns one part of the education. The work must therefore not 'overlap' with a research project and there must be no thought that the work may lead to a 'normal' research project. If you see from the beginning in the planning that you will want to publish the outcome in a scientific journal, it is a clear indication that it concerns such research that needs to be tested ethically."
Also note that other forms of ethics review (for example for research on animals) may occur with other relevant authorities.
Background
Some degree and student work may process personal data (such as name, social security number, postal address, email address, username in social media, or similar). If any processing of personal data takes place within a degree or student project, it must take place in accordance with relevant legislation, including:
Extra care must be taken if a degree or student project also processes sensitive personal data (for example, information about illness or health conditions, genetic or biometric data, political or religious beliefs, ethnic origin, sexual orientation, membership of a trade union, or the like).
In the majority of cases, the minimization principle regarding personal data should be applied, and sensitive personal data should be completely avoided in degree and student work where this is possible.
According to the GDPR, the University is the data controller for personal data, with total responsibility for ensuring that the personal data processing that takes place within the University complies with the applicable laws and regulations. The individual student, the one who actually processes personal data in practice within a degree or student project, is then to be considered a personal data controller in the GDPR's sense, which means that he must follow the documented instructions that the personal data controller (the University) provides, i.e. the information as given here.
Note that this text applies to all degree and student theses which – according to the law (2003:460) on ethical review of research involving human subjects – "are only carried out within the framework of university education at first level or advanced level".
