Processing of personal data in degree projects

Depending on the subject of your work, there may be additional rules to follow. It is therefore important that you discuss with your supervisor what information needs to be handled and how you can best plan for this.

Step 1 – Do you really need to process personal data?

The first thing you should ask yourself is whether personal data really needs to be collected.

If it is possible to conduct the survey without personal data, this is always preferable. Then you do not need to comply with the rules in the Data Protection Regulation, which simplifies the work.

Remember that personal data includes all information that can be linked to a living person, directly or indirectly. This can be names, social security numbers, recorded interviews, or photographs, but also a combination of more anonymous data that together can identify someone.

Step 2 – Define the purpose and what information is needed

Before you start collecting data, you should clearly define:

• The purpose – why the data is needed
• What information is necessary to conduct the survey

The purpose is usually to collect data to support your thesis, but it is important that you carefully consider and document this.

Step 3 – Register the processing of personal data

All processing of personal data must be registered in BTH's register.

You do this by filling out a form where you describe:

• The purpose of the processing
• What types of data you will collect
• Your contact details
• How long the data will be stored (if possible to specify)
• Whether anyone else is involved in working with the data
• How the information will be protected

The register does not contain any collected data – only a description of the processing. Since BTH is responsible for all personal data processing within the organization, this also applies to degree projects.

• Notification of personal data processing – student work xlsx, 58.9 kB.

Step 4 – Secure storage and handling of information

You must store the collected data securely.

Recommended storage locations:

• The home directory (J:) provides sufficient security for both ordinary and sensitive personal data.
• OneDrive (BTH service) can be used for personal data that is not sensitive.

Prohibited storage locations:

• External services such as Dropbox, Google Docs, and iCloud may not be used.

What counts as sensitive personal data?

Examples of sensitive data include information about race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, and information about a person's health, sex life, or sexual orientation. If you handle such data, security must be extra high.

Step 5 – Decide what to delete or save when the work is complete

Personal data may not be stored longer than necessary and must be deleted when it is no longer needed.

At the same time, there may be parts of the information that must be retained in order to substantiate the conclusions of the thesis or because they are necessary for future processing. Before the practical work begins, it is therefore important to decide what will happen to the collected personal data afterwards.

What data should be retained and what should be deleted? During the course of the work, there may be reason to reconsider the original plan, but it is important to have a basic plan, not least in order to be able to answer questions from the data subjects (the people whose data is collected).

Consider the following:

• What data needs to be retained to substantiate the conclusions of the thesis
• What data should be deleted after the work is completed

Have a plan from the outset, but be prepared to adjust it during the course of the work.

Step 6 – Obtain consent and inform the data subjects

Personal data may only be processed if there is a legal basis for doing so.

The General Data Protection Regulation specifies a number of grounds that are considered permissible, but for a thesis, in practice, only consent can be considered. This means that the person must give their active consent after receiving clear information about:

• What data is collected.
• What the data will be used for and by whom.
• How and why the data will be used.
• How long the data will be used.
• How long the data will be stored.
• The right to request access to the information collected.
• The possibility of complaining to the data protection officer or the Privacy Protection Authority.

Important information about consent:

• It must be in writing (digital signatures are acceptable).
• It must be recorded and stored so that it can be retrieved if necessary.
• The data subject has the right to withdraw their consent at any time.
• This also applies to sensitive personal data, but sensitive data places high demands on security in its handling.

If it is not possible to use consent

If it is not possible to use consent, you should discuss this with your supervisor and BTH's data protection officer to see if another solution can be found.

Step 7 – Process the collected information

If you have followed the previous steps, you can now process the data without further action.

Step 8 – End processing: delete or archive

Once the thesis is complete, personal data should either:

• Be deleted according to the plan from step 5.
• Be transferred for preservation/archiving if it needs to be saved for future use.

Contact BTH's data protection officer and notify them that the processing has been completed.

Summary

• Consider whether you need to collect personal data.
• Define the purpose and what information is needed.
• Register the processing with BTH.
• Store the data securely.
• Decide what should be saved or deleted.
• Obtain consent from the data subjects.
• Process the data according to the plan.
• Delete or archive the material when the work is complete.