The EU General Data Protection Regulation (GDPR) imposes strict requirements that all work involving personal data be carried out correctly. If you are planning to carry out a study with ethically sensitive content, you must apply to the Ethics Council for review.

Personal data processing in thesis work

The EU General Data Protection Regulation (GDPR) imposes strict requirements that all work involving personal data be carried out correctly. If you are planning to process personal information in your degree project, there are many things to consider. This text provides a brief overview of the steps necessary for processing personal data. In addition to the rules governing personal data, there may be additional legislation to take into consideration depending on your thesis. We recommend having an overall discussion with your supervisor about what information is to be processed and planning accordingly.

What is personal data?

Personal data is any information that can be directly or indirectly attributed to a living person. Common forms of personal data include names, email addresses, telephone numbers, personal identification numbers, photos and audio recordings of people.

Personal data might also be a combination of information that on its own cannot be linked to a living person but can single out an individual when combined. Such a combination could, for example, be a person’s age and place of work.

What is sensitive personal data?

Sensitive personal data includes data revealing ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and certain biometric data, and data concerning a person's health, sex life or sexual orientation.

Step 1: Do you need to process the data?

The first question is whether it is really necessary to process personal data. If the work can be carried out without processing personal data, this is preferable.

Step 2: Register the processing of personal data

Any processing of personal data must be recorded in the University’s personal data processing registry. You can find the registry at dsfregister.mau.se/en and fill in the purpose of processing, what type of information you intend to collect and process, your contact details, how long the data will be saved, if any third parties will participate, and how the information will be protected.

When you log in to the registry, you will find guiding texts and explanations for all the information that needs to be entered. These records shouldn't contain any of the collected personal data, only a list of what is to be collected and processed so that the University has an overview of the data processing in progress. The University is the controller and, as such, formally responsible for personal data being processed throughout our institution; this also applies to degree projects.

Register your processing of personal data in the General Data Protection Regulation Register

Step 3: Determine how the information will be safely stored and processed during work

The collected information must be processed safely. We recommend you use your home directory. The home directory has sufficient security for sensitive personal data. Sensitive data is any data concerning: ethnicity; political opinion; religious or philosophical beliefs; trade union membership; health; sex life and sexual orientation; genetic data; and/or biometric data. 

Log in and open your home directory (access.mau.se)

The University also provides a number of additional services that may be useful, such as Box and Sunet Survey. These may be used for non-sensitive personal data. External services (tools not provided through the University) may not be used for any kind of personal data processing. This applies, for example, to Dropbox, Google Docs and iCloud, as well as others.

Step 4: Determine what parts of the information are to be erased or archived once processing is completed

Personal data may not be saved for longer than is necessary and should be erased when no longer needed. At the same time, there may be parts of the information that must be preserved to be able to substantiate the conclusions of the thesis work or because they are necessary for future processing.

Therefore, before the practical work starts, it is important to decide what will happen to the collected personal data afterwards. What information is to be retained and what is to be erased?

Step 5: Obtain consent, inform the data subjects and collect the necessary personal data

You need consent from the data subject to process their personal data. Giving consent means that the data subject gives their active approval to the processing. In practice, this means that you need to inform them about:

  • what personal data you are collecting;
  • what it is to be used for and by whom;
  • how long the data will be used;
  • that they have the opportunity to request to see the collected information;
  • that the data subject can withdraw their consent at any time; and
  • that it is possible to contact the Data Protection Officer or the Swedish Data Protection Authority with any complaints.

After the data subjects have read the information, they can give their consent and processing of the data is then permitted. It is important to know that consent must be registered and stored so that it can be presented upon request and that the data subject is entitled to withdraw their consent at any time. Consent must be given in writing (digital signing is accepted) and the University has created a consent form that can be used. If the data subject has agreed to the processing, sensitive data may also be recorded (note that sensitive data involves high security requirements when processing).

Consent form

Step 6: Process the collected information

Provided that the previous steps have been taken, you can start processing personal data for your degree project. 

Step 7: After processing, delete or archive personal data as needed

The material that has been processed should now either be transferred for archiving or deleted as described in Step 4. Log in to the General Data Protection Regulation Register and mark the processing as completed.

Register your processing of personal data in the General Data Protection Regulation Register

Data Protection Officer

Do you have questions regarding personal data management? Contact the Data Protection Officer by email, dataskyddsombud@mau.se.

Ethical review for ethically sensitive content

All students who carry out a study with ethically sensitive content must apply to the Ethics Council for review. In the application, the student (or students) provides information about their degree project: what it is about and how it will be carried out; how the participants provide their consent; and how the confidentiality requirement is met. The only exception applies to students at the Faculty of Culture and Society; at this faculty, the supervisors are responsible for supervising and guiding students concerning the ethics of their work, with support from their Ethics Council. Here, students do not send an ethical review application to the Ethics Council but work closely with their supervisors on this matter.

The University is responsible for ensuring student work at all levels is conducted in an ethically sound and secure manner. The Ethics Council is therefore tasked with advising students/supervisors on how to carry out the study. Please note that the Ethics Council's review is advisory only.