Printout from Malmö University's website www.mah.se

The new General Data Protection Regulation (GDPR)

What do I need to be aware of as a university staff member with regards to GDPR?

  • Personal data is any information that can directly or indirectly be linked to a living person. This means that personal data are not only things like names and national identification numbers, but also user names, email addresses, biometrics, physiological data and any combination of data that makes it possible to identify a living person. All processing of personal data must comply with the principles of the General Data Protection Regulation (GDPR).
  • The difference between the GDPR and the previous law, the Data Protection Directive (PUL), is not substantial, meaning that most of us can continue to handle personal data in almost the same way as we do today, although we do need to improve our routines. The type of personal data we collect must be made clear from the outset, as well as how the personal data will be used. Procedures for registering and erasing data (both formally and in practice) must also be improved. 
  • Personal data must be handled securely and we must be able to demonstrate how we process information. As a staff member, you must only use university-wide, approved systems when handling personal data as part of your work tasks. Do not handle personal data in external storage services and tools that are not provided by the University, such as Dropbox, Google Docs and iCloud. All personal data should be handled in approved systems like Office 365 and the file storage on Malmö University's servers. When using an external service, we must be able to guarantee that the information will not be used for other purposes, like profiling for advertising, and we must have a written agreement with the service provider, which means that many services can no longer be used.
  • All employees are responsible for handling personal data in a legally correct and responsible way. Do not email sensitive personal information and do not distribute or publish images of individuals who have not provided documented consent. Make sure to archive or erase information that is no longer needed.
  • We have a registry for all processing of personal data at the University. Most of the University's data processing is carried out within our university-wide systems, where personal data processing agreements are made between the data processor and the University. This applies, for example, to the handling of students' personal data in Ladok and staff members' personal data in Primula, Retendo and IDService. Knowledge about the registry is important for those who initiate processes that involve personal data, for instance when purchasing new software or starting a research project.
  • All processing of personal data must comply with the principles of the GDPR which state that: data must be processed in a legal, correct and transparent manner in relation to the data subject; all information must be accurate and updated; all information must be processed in a secure manner; information may only be collected for specific, explicit and legitimate purposes; the information may not be too extensive in relation to its purpose; and the information may not be used for longer than the period required for processing.