The Personal Data Act and student projects at Högskolan Dalarna

advertisement
The Personal Data Act and student projects at Högskolan
Dalarna
The purpose of the Personal Data Act (PUL – personuppgiftslagen) is to prevent the violation
of individuals’ personal integrity by use of personal data.1. This applies when one is using
personal data2 which are part of or intended to be part of a structured collection (for example,
a database) that makes it noticeably easier to search for or compile information3. The use of
personal data in unstructured material (such as text in a word processing program, text on the
Internet, sound and visual samples and e-mail correspondence) is freely permitted, provided
the information in question is not abused.4.
If personal data that are part of or intended to be part of a database are used in student
projects, it must always be reported to the university’s PUL-representative. In certain cases,
the processing must also be approved by the Research Ethics Committee. Below you will find
1
The words personal data in the Act refer to all information that may be directly or indirectly attributable to a
living physical person. This includes information regarding name, personal number, date of birth, nationality,
education, family and conditions of employment. This means that information of a less private nature is also
regarded as personal data. Pictures (photos, movies) of individuals are also regarded as personal data.
Information referring to deceased or people not yet born is not covered by the Act. Even coded information is
covered by the Act, as long as there is a key preserved that makes it possible to identify individuals.
2
Processing of personal data refers to any measure, or series of measures, taken regarding personal data,
automatically or manually; for example, the collecting, registration, organizing, storing, compilation, and
distribution of data. In other words, processing refers to all use of personal data, whether by computer or by any
other means.
3
In other words, this concerns a structured collection of personal data. In addition, they must be sorted according
to some kind of system. To be considered a collection of personal data there must be information about more
than one person. It is also necessary that the information in the collection is available for search or compilation
according to particular criteria. That is, it must be possible to do a search in the collection. Further, it must be
searchable by more than one criterion so that both name and personal number are indicated.
4
To determine whether a way of use is abusive, an overall judgment must be made of how sensitive the
information is, in which situations it emerges, for what purpose it will be used, how it has been distributed or
risks being distributed, and what the use of this data can lead to. Accordingly, in each case the interests of a free,
private individual must be weighed against other interests such as freedom of speech and freedom of expression.
Approved by UFL and UFN 2009-06-04
a more thorough account of what the text of the Act states, and what applies to student
projects at Högskolan Dalarna.
The recorded lecture “Research Ethics information for student projects at Högskolan Dalarna”
(which you can download from FEN’s website at www.du.se/forskningsetik), also contains
information about this, and gives concrete examples of what falls under the Act.
Definitions
In this document, personal data type A refers to all personal data, with the exception of
sensitive personal data that includes criminal acts, judgments in a criminal case, coercive
punishment measures, and/or the administrative deprivation of freedom.
In this document, personal data type B refers to sensitive personal data and personal data that
refer to violations of the law such as criminal acts, judgments in a criminal case, coercive
punishment measures, and/or the administrative deprivation of freedom.
According to the law, sensitive personal data refers to that which discloses race or ethnicity,
political opinions, religious or philosophical convictions or union membership as well as
personal data related to health or sexuality.
Approved by UFL and UFN 2009-06-04
1) When personal data of type A is used and the information is part of or intended to be
part of a database and informed consent can be obtained
If you will be using personal information of type A in your project and this information is part
of or intended to be part of a database you should always seek consent. This consent should
be individual, voluntary, specialized, unambiguous and informed:

Individual means that the person registered must, by manifestation of her or his will,
approve of the processing of personal data. It is, for example, not sufficient for an
association to approve the processing of personal data on behalf of its members.

Voluntary means that the decision as to whether personal data may be processed or
not must be based on a free choice. In other words, the situation must allow the
individual to say no.

The requirement for approval to be specialized signifies that a general consent to
processing of personal data cannot be accepted. Approval must refer to processing for
one or several specified purposes.

The requirement for the approval to be unambiguous means that there must be no
doubt that the person registered approves to processing of his or her personal data.

Informed indicates that the person whose personal information is included in the data
must approve, after having been informed of the following: the purpose of the
processing; to which recipients or group of recipients the data is disclosed; the right to
- after application - be informed about which of his/her personal data is processed (by
application); and the opportunity to correct any erroneous personal data. See
Appendix 1 for a detailed description.
It is, moreover, important to remember that approval must comprise the specific processing of
personal data. It is not sufficient that the person simply agrees to be part of the research
study.
The person registered is also entitled to retract his/her approval at any time. Thereafter,
further personal data on the registered person must not be processed.
What you should do if you intend to use personal data of type A in your project and
this information is part of or intended to be part of a database and you can obtain
informed consent
You should report the use of personal data by completing the attached form A and
submitting it to Högskolan Dalarna's PUL-representative.
Approved by UFL and UFN 2009-06-04
2) When personal data of type A is used and the information is part of or intended to be
part of a database and informed consent cannot be obtained
If you are going to use personal data of type A in your project and this information is part of
or intended to be part of a database you should always try to obtain informed consent. If this
is not possible, the study must undergo a research ethics review in all cases.
What you should do if you intend to use personal data of type A in your project and
this information is part of or intended to be part of a database and you lack informed
consent
You should report the use of personal data by completing the attached form A and
submitting it to Högskolan Dalarna’s PUL-representative.
You should submit a research ethics request to the Research Ethics Board. Applications
and more information are available at the board’s website at www.du.se/forskningsetik
A copy of form A should be attached to the request to the Research Ethics Board, which,
after completing the ethics evaluation, sends a copy of its decision to Högskolan Dalarna’s
PUL-representative.
Approved by UFL and UFN 2009-06-04
3) When personal data of type B is used and the information is part of or intended to be
part of a database
If you are going to use sensitive personal information concerning violations of the law such as
criminal acts, judgments in a criminal case, coercive punishment measures, and/or the
administrative deprivation of freedom in your project and this information is part of or
intended to be part of a database, the study must undergo a research ethics review in all cases.
This is the case regardless of whether the participants give informed consent or not.
What you should do if you intend to use personal data of type B in your project and
this information is part of or intended to be part of a database
You should report the use of personal data by completing the attached form A and
submitting it to Högskolan Dalarna’s PUL-representative.
You should submit a research ethics request to the Research Ethics Board. Applications
and more information are available at the board’s website at www.du.se/forskningsetik
A copy of form A should be attached to the request to the Research Ethics Board, which,
after completing the ethics evaluation, sends a copy of its decision to Högskolan Dalarna’s
PUL-representative.
Approved by UFL and UFN 2009-06-04
Appendix 1.
Information on the use of personal data must contain the following:

the party responsible for personal data (Högskolan Dalarna) and PUL-representative
(Rolf Björkman),

which data are to be processed,

from where the data will be gathered,

what the data will be used for,

who will have access to the data,

information that the informant is entitled to be notified as to which personal data –
referring to the individual in question – are used (a so-called register extract), after
application to the university’s PUL-representative, as well as the opportunity to have
erroneous personal data corrected,

information that if an individual will be identifiable in the completed project, he/she is
also entitled to have erroneous or incomplete data corrected and completed before
publication.
Approved by UFL and UFN 2009-06-04
Form A
REPORT OF PROCESSING OF PERSONAL DATA
Subject/level:
Date:
Recipient:
Designation (project title):
Telephone number:
Purpose for processing of personal data (if space is inadequate use separate sheet):
Personal data which are to be processed (if space is inadequate use separate sheet):
Is the register available to other authorities, units/departments or individuals? If so, to which/whom?
If personal number is registered, state the reason for this:
Will approval be obtained:
Yes
No, why not?
(state basis for processing referring to the Act)
Has the person registered been informed of the processing of personal data:
Yes, how?
No, why not?
Will personal data be transferred to a third nation (nation not part of the EU or connected to the EES):
If yes, declare how this is processed on a separate sheet.
Yes, via diskette or similar.
Yes, via Internet
(NB! Approval from registered
parties is required if data are not
clearly harmless)
(NB! Approval from registered
parties is required if data are not
clearly harmless)
Possible rules of secrecy:
Signature (supervisor):
PUL-representative’s notes:
…………………………………………………………..
Send report to Personuppgiftsombudet, Rektors kansli, Högskolan Dalarna, 791 88 Falun
 No
Download