Processing of personal data in student and degree projects
On this page you can find information about what rules and regulations there are when processing personal data in your project.
The most basic safety precaution is to never collect more personal data than necessary for the project. Information that was never collected can never be lost or accessed by unauthorized individuals.
This is why information in the form of personal data always should be, if possible, the bare minimum.
If the project can be done with anonymous data, this should be prioritized. If data needs to be connected to a person, pseudonomizing the data could be an option. This is still processing of personal data but significantly safer.
Below there are 5 steps for students who are planning to use personal data in their project.
Step 1 – Is personal data necessary?
The first question should always be if you really need to use personal data? If the project can be done without it then that should be prioritized.
If personal data is not processed or used then to meet the criteria of the General Data Protection Regulation is not needed. Although it can be useful to know that any data that can be connected, directly or indirectly, is considered personal data.
Step 2 – Define the purpose and what information will be collected
It is important to decide what information should be collected and to define the purpose of the collection. This should be done before the practical part of the project.
The purpose of collecting the information is to ensure that the data collected is enough to substantiate the work. It is important that the student presents the purpose thoroughly as well as the data that will be collected to meet the purpose.
Step 3 – How will the data be stored?
Collected information and personal data must be stored with high security.
Step 4 – What information should remain when the work is done?
Personal data can not be stored for longer times than necessary and must be deleted when no longer needed. Although, there can be data that is vital for the work to make sense and to still be relevant.
That is why it is important to decide what happens with the data collected after the work has been done.
What data should remain and what should be erased?
Step 5 – Ask for permission, inform the participants and only gather necessary information
Personal data can only be processed if there is legal ground for the processing.
In most student projects, the legal ground is the permission to use the information. When collecting information, you ask the participant if you are allowed to use the information in your project and then you act accordingly.
The permission given has to be voluntary and preferably in written form for possible disputes.
Data erasure / archiving
Usually personal data is used only as a basis for a thesis and more rarely in the completed thesis. That is why it is important to decide what parts of the groundwork that should be kept and what should be erased.
Personal data collected for a project can only be stored as long as the data is necessary. The data can be used for important analysis or conclusions and that is why it can be important to still store data even after the thesis has been completed and graded.
What data remains and what data is erased depends on the project and is therefore decided depending on the project. Data that has to remain will be archived and the rest erased unless anything else has been decided during the collecting of data.
More information about processing of personal data at the University of Skövde (his.se).