The Personal Data Act and student projects at Högskolan Dalarna The purpose of the Personal Data Act (PUL – personuppgiftslagen) is to prevent the violation of individuals’ personal integrity by use of personal data.1. This applies when one is using personal data2 which are part of or intended to be part of a structured collection (for example, a database) that makes it noticeably easier to search for or compile information3. The use of personal data in unstructured material (such as text in a word processing program, text on the Internet, sound and visual samples and e-mail correspondence) is freely permitted, provided the information in question is not abused.4. If personal data that are part of or intended to be part of a database are used in student projects, it must always be reported to the university’s PUL-representative. In certain cases, the processing must also be approved by the Research Ethics Committee. Below you will find 1 The words personal data in the Act refer to all information that may be directly or indirectly attributable to a living physical person. This includes information regarding name, personal number, date of birth, nationality, education, family and conditions of employment. This means that information of a less private nature is also regarded as personal data. Pictures (photos, movies) of individuals are also regarded as personal data. Information referring to deceased or people not yet born is not covered by the Act. Even coded information is covered by the Act, as long as there is a key preserved that makes it possible to identify individuals. 2 Processing of personal data refers to any measure, or series of measures, taken regarding personal data, automatically or manually; for example, the collecting, registration, organizing, storing, compilation, and distribution of data. In other words, processing refers to all use of personal data, whether by computer or by any other means. 3 In other words, this concerns a structured collection of personal data. In addition, they must be sorted according to some kind of system. To be considered a collection of personal data there must be information about more than one person. It is also necessary that the information in the collection is available for search or compilation according to particular criteria. That is, it must be possible to do a search in the collection. Further, it must be searchable by more than one criterion so that both name and personal number are indicated. 4 To determine whether a way of use is abusive, an overall judgment must be made of how sensitive the information is, in which situations it emerges, for what purpose it will be used, how it has been distributed or risks being distributed, and what the use of this data can lead to. Accordingly, in each case the interests of a free, private individual must be weighed against other interests such as freedom of speech and freedom of expression. Approved by UFL and UFN 2009-06-04 a more thorough account of what the text of the Act states, and what applies to student projects at Högskolan Dalarna. The recorded lecture “Research Ethics information for student projects at Högskolan Dalarna” (which you can download from FEN’s website at www.du.se/forskningsetik), also contains information about this, and gives concrete examples of what falls under the Act. Definitions In this document, personal data type A refers to all personal data, with the exception of sensitive personal data that includes criminal acts, judgments in a criminal case, coercive punishment measures, and/or the administrative deprivation of freedom. In this document, personal data type B refers to sensitive personal data and personal data that refer to violations of the law such as criminal acts, judgments in a criminal case, coercive punishment measures, and/or the administrative deprivation of freedom. According to the law, sensitive personal data refers to that which discloses race or ethnicity, political opinions, religious or philosophical convictions or union membership as well as personal data related to health or sexuality. Approved by UFL and UFN 2009-06-04 1) When personal data of type A is used and the information is part of or intended to be part of a database and informed consent can be obtained If you will be using personal information of type A in your project and this information is part of or intended to be part of a database you should always seek consent. This consent should be individual, voluntary, specialized, unambiguous and informed: Individual means that the person registered must, by manifestation of her or his will, approve of the processing of personal data. It is, for example, not sufficient for an association to approve the processing of personal data on behalf of its members. Voluntary means that the decision as to whether personal data may be processed or not must be based on a free choice. In other words, the situation must allow the individual to say no. The requirement for approval to be specialized signifies that a general consent to processing of personal data cannot be accepted. Approval must refer to processing for one or several specified purposes. The requirement for the approval to be unambiguous means that there must be no doubt that the person registered approves to processing of his or her personal data. Informed indicates that the person whose personal information is included in the data must approve, after having been informed of the following: the purpose of the processing; to which recipients or group of recipients the data is disclosed; the right to - after application - be informed about which of his/her personal data is processed (by application); and the opportunity to correct any erroneous personal data. See Appendix 1 for a detailed description. It is, moreover, important to remember that approval must comprise the specific processing of personal data. It is not sufficient that the person simply agrees to be part of the research study. The person registered is also entitled to retract his/her approval at any time. Thereafter, further personal data on the registered person must not be processed. What you should do if you intend to use personal data of type A in your project and this information is part of or intended to be part of a database and you can obtain informed consent You should report the use of personal data by completing the attached form A and submitting it to Högskolan Dalarna's PUL-representative. Approved by UFL and UFN 2009-06-04 2) When personal data of type A is used and the information is part of or intended to be part of a database and informed consent cannot be obtained If you are going to use personal data of type A in your project and this information is part of or intended to be part of a database you should always try to obtain informed consent. If this is not possible, the study must undergo a research ethics review in all cases. What you should do if you intend to use personal data of type A in your project and this information is part of or intended to be part of a database and you lack informed consent You should report the use of personal data by completing the attached form A and submitting it to Högskolan Dalarna’s PUL-representative. You should submit a research ethics request to the Research Ethics Board. Applications and more information are available at the board’s website at www.du.se/forskningsetik A copy of form A should be attached to the request to the Research Ethics Board, which, after completing the ethics evaluation, sends a copy of its decision to Högskolan Dalarna’s PUL-representative. Approved by UFL and UFN 2009-06-04 3) When personal data of type B is used and the information is part of or intended to be part of a database If you are going to use sensitive personal information concerning violations of the law such as criminal acts, judgments in a criminal case, coercive punishment measures, and/or the administrative deprivation of freedom in your project and this information is part of or intended to be part of a database, the study must undergo a research ethics review in all cases. This is the case regardless of whether the participants give informed consent or not. What you should do if you intend to use personal data of type B in your project and this information is part of or intended to be part of a database You should report the use of personal data by completing the attached form A and submitting it to Högskolan Dalarna’s PUL-representative. You should submit a research ethics request to the Research Ethics Board. Applications and more information are available at the board’s website at www.du.se/forskningsetik A copy of form A should be attached to the request to the Research Ethics Board, which, after completing the ethics evaluation, sends a copy of its decision to Högskolan Dalarna’s PUL-representative. Approved by UFL and UFN 2009-06-04 Appendix 1. Information on the use of personal data must contain the following: the party responsible for personal data (Högskolan Dalarna) and PUL-representative (Rolf Björkman), which data are to be processed, from where the data will be gathered, what the data will be used for, who will have access to the data, information that the informant is entitled to be notified as to which personal data – referring to the individual in question – are used (a so-called register extract), after application to the university’s PUL-representative, as well as the opportunity to have erroneous personal data corrected, information that if an individual will be identifiable in the completed project, he/she is also entitled to have erroneous or incomplete data corrected and completed before publication. Approved by UFL and UFN 2009-06-04 Form A REPORT OF PROCESSING OF PERSONAL DATA Subject/level: Date: Recipient: Designation (project title): Telephone number: Purpose for processing of personal data (if space is inadequate use separate sheet): Personal data which are to be processed (if space is inadequate use separate sheet): Is the register available to other authorities, units/departments or individuals? If so, to which/whom? If personal number is registered, state the reason for this: Will approval be obtained: Yes No, why not? (state basis for processing referring to the Act) Has the person registered been informed of the processing of personal data: Yes, how? No, why not? Will personal data be transferred to a third nation (nation not part of the EU or connected to the EES): If yes, declare how this is processed on a separate sheet. Yes, via diskette or similar. Yes, via Internet (NB! Approval from registered parties is required if data are not clearly harmless) (NB! Approval from registered parties is required if data are not clearly harmless) Possible rules of secrecy: Signature (supervisor): PUL-representative’s notes: ………………………………………………………….. Send report to Personuppgiftsombudet, Rektors kansli, Högskolan Dalarna, 791 88 Falun No