FAQ in English – June 2018

==> This page in Swedish

FAQ

1. What are personal data?
2. What are “sensitive” personal data?
3. When are we allowed to process personal data?
4. Does the General Data Protection Regulation affect our processing of old personal data?
5. When do we need consent in order to process personal data?
6. What are the conditions for consent to the processing of personal data?
7. What rules apply to children and consent?
8. What are the conditions for old consents?
9. How are we to process personal data on a daily basis?
10. Should we purchase courses for staff about the new regulation?
11. How are we to inform the data subjects?
12. As a teaching staff member, what should I do?
13. As a researcher, what should I do?
14. As a manager, what should I do?
15. As an employee working with communication and external engagement, what applies to me?
16. As the manager of a local IT system containing personal data, how do I prepare?
17. Whom can I contact if I need help and support to prepare?



1. What are personal data?

Answer: According to the General Data Protection Regulation, ‘personal data’ means “any information relating to an identified or identifiable natural person”, such as name, photo, home address, email address, grades, age, personal identity number, hair colour, shoe size, expertise, genome….



2. What are “sensitive” personal data?

Answer: The General Data Protection Regulation defines certain personal data as in need of special protection. We must be extra restrictive in our use of such data.

Examples: ethnicity – political views – religion – union membership – health – sexual orientation – sex life – genetic data – biometric data

In principle, we are not to have information about people’s religion, sexuality, opinions, etc., unless it is justified for staff/student health reasons, or for ethically reviewed research.

NB! In Sweden, personal identity numbers are also given special protection under national data protection law and are to be handled as restrictively as sensitive personal data.


3. When are we allowed to process personal data?

Answer: We are allowed to process personal data when necessary to fulfil our assignment – education, research and external engagement.

We may also process personal data when necessary in order for us to

  • comply with laws, regulations and collective agreements
  • exercise public authority
  • fulfil agreements, e.g. purchasing or cooperation agreements

Remember: We are only allowed to use necessary personal data, and only for as long as required!



4. Does the General Data Protection Regulation affect our processing of old personal data?

Answer: Yes, the GDPR also covers personal data collected before it entered into force, since “processing” includes storing, sorting, reading, forwarding, deleting, etc. The simplest option may seem to be to delete any personal data we no longer need, but we must NOT do so without first assessing whether the data must be archived instead. For more information on deleting personal data, see LU’s Records Management Plan. If the archiving rules are unclear, consult your local registrar.


 

5. When do we need consent in order to process personal data?

Answer: Most of the personal data we handle do not require consent from the data subjects, as we are a public authority, performing a task in the public interest. However, in some activities consent is necessary, mostly because they involve processing of personal data of data subjects who do not actively contribute to our organisation. Some examples:

  • Recruitment of staff and students
  • Lists or registers of external stakeholders such as donors, alumni and newsletter subscribers
  • People appearing in certain photos known as genre images (see the project blog)
  • Relatives of students

Within research, the same consent rules apply as before, when required for ethical review. Read more about consent in research at https://www.researchethics.lu.se/research-ethics-information/informed-consent.


 

6. What are the conditions for consent to the processing of personal data?

Answer: The consent must be voluntary, informed and documented.

Voluntary – This means that we must be restrictive in using consent to process personal data of our employees and students. Employees and students are often in a position of dependency towards the University. There may be an opportunity to use consent from employees and students in cases where they are able to decline without the risk of personal consequences. An example of this could be asking people to appear in photos or videos, or be cited, in our public communication.

Informed – A person who gives their consent must be aware of which personal data we collect and why, how we will process the data, and their rights as a data subject. This information (see GDPR art 13–14 for details) is so extensive that it usually must be provided in writing. The general elements of the information can be found at https://www.lunduniversity.lu.se/about/contact-us/processing-of-personal-data-at-lund-university; you will need to supplement the information with specific details concerning your personal data management.

Documented – We must document consent from data subjects. This can be done in different ways; what matters is that we are able to retrieve the consent if necessary and link it to the personal data it covers. You do not, however, need to formally register the consent with the registrar.


 

7. What rules apply to children and consent?

Answer: For children up to and including the age of 12, consent must be obtained from the child’s legal guardian – in cases that require consent. From when the child turns 13, they can give their own consent to the processing of their personal data.

You need to be extra careful when processing the personal data of children. You should speak with their legal guardian, even if the law does not require you to do so.


 

8. What are the conditions for old consents?

Answer: Old consents remain valid as long as they comply with the requirements of the General Data Protection Regulation. For example, they must be documented in a way that includes contact information for the data subjects. If you have old consents on paper, in emails or from an online form, it is important that you:

  • keep them in good order
  • assess whether they live up to the three conditions voluntary, informed and documented, where “informed” includes information about what we intend to use the data for, what rights the data subjects have and how to exercise them
  • are able to identify consents given by people in a position of dependency, e.g. staff and students, since these require extra scrutiny of whether they were truly voluntary.

 

9. How are we to process personal data on a daily basis?

  • Use common sense – How would you want your personal data to be handled?
  • Limit the amount of data – use only the personal data you need.
  • Limit the amount stored – process personal data only for as long as necessary, then delete, or possibly archive, the data.
  • Be careful about including personal data in emails.
  • When sending an email to many people at the same time, use BCC instead of CC unless all recipients should see each other’s email addresses, or create a proper mailing list in epic or listserver.lu.se (NB! Consent is required for recipients who are not staff or students; see question 5).
  • Avoid collecting or storing personal data with free services which do not have an agreement with Lund University, such as:

 

10. Should we purchase courses for staff about the new regulation?

Answer: No, we would rather you did not. There is a wide range of courses, and the vast majority of them do not deal with education and research – two areas that are separately regulated. If you have any questions, please contact the University’s data protection officer, but first look through the standard slideshows produced by the University’s GDPR project group. The University will release an online course in Kompetensportalen. In the meantime, we encourage you to take the LUISA course.


 

11. How are we to inform the data subjects?

GDPR articles 13–14 require fairly extensive information to be provided to persons whose personal data we process – regardless of why the data are processed.

LU’s GDPR project can help by providing general and standardised information for staff and students. Our aim is that the information will cover all processing of personal data pertaining to these two groups.

Research projects involving personal data will continue to be in charge of handling their own information and consent.

The same applies to external engagement, recruitment of students and staff as well as public events. The person who collects the personal data is responsible for informing and obtaining consent from the people concerned when required.

Standard information about this is available at https://www.lunduniversity.lu.se/about/contact-us/processing-of-personal-data-at-lund-university, which you will need to supplement with information on e.g.

  • the purpose of the personal data processing
  • the length of the processing period
  • whether the personal data will be shared with anyone outside Lund University

 

12. As a teaching staff member, what should I do?

  • Be attentive to information and recommendations from the people in charge of learning platforms or web publication systems you use in your teaching.
  • Read up on the standard information for students as soon as it becomes available. If you collect or handle personal data not covered by the standard information, you will need to supplement the information you provide to students and perhaps also acquire consent.
  • In most cases, the University is responsible for the personal data processed by our students in connection with their degree projects and other projects. This means that we are also responsible for how the students provide information and acquire consent.

 

13. As a researcher, what should I do?

  • Use the relevant online form to notify the University’s data protection officer of research projects which include personal data.
  • The online form is currently being updated. You will be informed once it is ready. In the meantime, you are not required to report personal data processing within research.
  • Do not expect that one approved ethical review will mean that we have lived up to the requirements of the new regulation.

 

14. As a manager, what should I do?

  • If you have local administrative systems containing personal data, you need to make sure that they fulfil the requirements of the GDPR – the plan is that this will be included in the systems administered within the PM3 process model as of 2019.
  • New policy documents on the matter may be forthcoming. Be prepared to study and communicate them to all relevant staff.
  • Consult with the University’s data protection officer if you are unsure.

 

15. As an employee working with communication and external engagement, what applies to me?

  • The previous exemption for personal data in unstructured form – on paper, in emails, in text files and on the web – no longer applies. This means that we should, for example, delete any excess personal data from interviews, evaluations or similar material, unless it is to be archived.
  • We need to establish new procedures for photo and film, both online and in printed material. Find more information on this on the GDPR project blog.

 

16. As the manager of a local IT system containing personal data, how do I prepare?

Make sure that the system is administered and reported in accordance with the University’s system administration model, based on the PM3 process model. For information about the model, please contact development strategist Karl Ageberg karl.ageberg@rektor.lu.se at the IT unit.


 

17. Whom can I contact if I need help and support to prepare?

  • As of 25 May, the University has a new data protection officer, Bo-Göran Andersson. He can be reached at dataskyddsombud@lu.se.
  • If you have questions regarding personal data agreements, please contact the Legal Services office.
  • We have also begun developing coordinated and decentralised structures to provide help and support with personal data issues.

 
