The General Data Protection Regulation (GDPR) sets a high standard regarding the way we process personal data in our education, for example in your master's thesis work. The data processing must be organized, protected and conducted in a transparent manner in relation to the data subjects.
This guide consists of two parts:
- An introductory section on the principles and rules for personal data
- Guidelines in seven steps for the practical handling
Also, please use the checklist below as support for how to handle personal data in your student work.
Basic principles for processing personal data
According to the GDPR, all processing of personal data must follow a number of basic principles:
- Transparency - all personal data must be handled in a legal, transparent and correct manner
- Purpose limitation - personal data can only be used for specific purposes
- Data minimization - the personal data processed must be necessary for the purpose
- Correctness - personal data must be correct and, if necessary, updated
- Security - personal data must be given adequate and appropriate protection
- Storage minimization - personal data should not be stored for longer than necessary
Rules for personal data
GDPR and the Swedish national data protection legislation together form the framework for all processing of personal data at Chalmers. Personal data is all information that can be directly or indirectly linked to a specific individual. Examples of personal data are name, address, e-mail address, picture, video, social security number, ID number, IP address, location information, user behavior (for example in traffic situations), opinions in survey responses, health data and nationality. The important question to ask is: Can this information be linked to a specific individual?
When you are considering using personal data in a master’s thesis or student project, you should always ask yourself the question - Is it necessary for me to use the personal data to achieve the goal of my work? If you can achieve the goal with only anonymous data you should use that instead.
Before I collect or use personal data* in my thesis, I have:
- clarified my actual needs for collecting personal data
- documented the purposes for my use of personal data processing
- assessed the need for personal data and purpose with my supervisor
- if internship: clarified the responsibility for any personal data processing with the internship company and supervisor
- studied the basic principles of personal data processing
- ensured that I won’t process any sensitive personal data
- ensured secure storage of personal data in storage services approved by Chalmers
- taken measures to keep the personal data safe from others (for example password protection on the computer, a decision on storage in Chalmers storage services)
- contacted Chalmers' data protection officer (email@example.com) when transferring personal data outside the EU/EEA, to discuss what protection measures are required before the transfer
- customized the Chalmers’ consent form with information about processing of personal data in my project/thesis
- obtained consent through the Chalmers’ consent form
* Examples of personal data: Name, address, e-mail address, picture, video, social security number, ID number, IP address, location information, user behavior (for example in traffic situations), opinions in survey responses, health data, nationality.
The important question to ask is: Can the information be linked to a specific individual?
Consent and information about processing of personal data in student thesis
If you have any questions, please contact firstname.lastname@example.org