If your student needs to process personal data
If your student needs to process personal data in student projects, the participants in the study must be informed about this. In some cases, the participants must also consent to the processing of personal data. There are two templates the student can use. The templates help students to comply with GDPR and protect participants' privacy.
Does the student need to process personal data?
Handling personal data, or personal data processing, includes activities such as collecting, storing, disclosing, or deleting certain information about a person.
Personal data
Personal data is information that can be linked to a living person in some way.
Some examples of personal data are
- name
- e-mail address
- personal identity number
- voice recording
- a photo of a person.
More examples of personal data – imy.se/en
Sensitive personal data
Sensitive personal data is also information that can be linked to a specific living person, but this information is particularly sensitive.
Sensitive personal data includes
- ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health data
- data about a person's sex life and sexual orientation
- genetic data
- biometric data used for identification.
Read more about sensitive personal data – imy.se/en
Certain processing of personal data is permitted
Students may process personal data in their course work if this is necessary to achieve the learning objectives of the course. As a supervisor, you must therefore determine whether the processing of personal data is a prerequisite for the student to pass the course.
Only process the personal data that is necessary
One principle that students should strive to follow is to only process the personal data that is necessary to achieve the learning objective. This is known as the principle of data minimisation.
There are also other principles for personal data processing. You can read about these on the Staff Pages.
General principles for personal data processing – staff.lu.se
Use the university's templates
There are templates that students should use to either provide information about personal data processing or obtain consent for personal data processing. Which template to use depends on the type of personal data involved.
The templates make it easier for students to comply with the GDPR. According to the GDPR, data subjects (in other words those whose personal data is processed) must be informed about the processing. As a supervisor or teacher, you are responsible for ensuring that students are able to provide information about the processing in a manner that complies with the GDPR and protects individuals' privacy.
The templates do not replace other information and consent to participation
The templates are intended to serve as information about or consent to the processing of personal data specifically. Students must also inform participants about, and obtain consent for, participation in the student project itself. Contact your faculty for information on how to formulate consent for participation.
Clarify the purpose of the personal data processing
Regardless of which template is used, as a supervisor you need to support the student in determining which learning objectives the student should achieve. These should then be entered into the template. The purpose of this is to make clear to the participant why the student needs to process the personal data.
Templates for personal data and sensitive personal data
Template for personal data
If your student processes personal data that is not sensitive, it is sufficient for the student to inform the participants in the student project about the processing of personal data. Use Template 1 for this.
Template 1 – personal data (Word, 112 kB)
Template for sensitive personal data
If your student needs to process sensitive personal data, consent from the participants in the student project is required. Use Template 2 for this. The template should also state how the participant should proceed if they wish to withdraw their consent.
Contact
Lund University has an external Data Protection Officer: Secure State Cyber AB. The contact person is Sanja Hebib.
If you have questions regarding data protection, please email dataskyddsombud [at] lu [dot] se.