Personal data and data protection
Data protection and privacy are about protecting personal data in accordance with the requirements set out in legislation, e.g. the GDPR. On this page you can read about privacy and data protection at Stockholm University. The information has been prepared by the Data Protection Officer (DPO) at Stockholm University.
Personal data is information through which a natural person can be identified. The decisive factor in whether information constitutes personal data is that it, individually or in combination with other data, can be linked to a living person. At Stockholm University, personal data is processed within all operations. The University is obliged to protect the personal data that it processes in accordance with the legislation that applies to personal data. The protection of personal data is usually referred to as “data protection”, and the legislation that applies in this area can therefore be summarised as data protection legislation. The overarching regulation is the General Data Protection Regulation, commonly known as the GDPR[i].
The Swedish Data Protection Act[ii] is a complementary national law, and the Ethical Review Act[iii] also contains provisions relating to personal data. In other respects, data protection always follows the laws and regulations that apply to the University in general. Data protection thus entails a relatively complex regulatory framework that places demands on all organisations in relation to how they may handle personal data. There are three overarching requirements: documentation, transparency and security. Below you will find information and recommendations regarding the handling of personal data within Stockholm University’s operations. The information and recommendations have been formulated by the Data Protection Officer at Stockholm University. Read more about the role of the Data Protection Officer under “Roles and responsibilities”.
The Data Protection Officer
At Stockholm University there is a Data Protection Officer (DPO), located at the Legal Department in the Chancellor's Office. The DPO advises the University and monitors its compliance with the GDPR and other data protection provisions. The DPO reports continuously to the Vice-Chancellor and the University Director, and annually to the University Board.
Under the GDPR, the DPO is independent in this role and does not decide how the personal data controller should manage issues related to data protection. The DPO can, however, issue recommendations to the personal data controller based on the officer's knowledge of the legislation and of the organisation in which the officer operates. According to the European Data Protection Board, if an organisation chooses not to follow the DPO's advice, it should document its reasons for doing so. On this page you will find recommendations from the DPO regarding personal data processing within Stockholm University (in Swedish).
In case of a personal data breach
According to the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If a security breach involving personal data occurs, it must be documented and, where it is likely to result in a risk to the data subjects, it must be reported to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) within 72 hours. The University may also need to inform the data subjects themselves, for example if there is a risk of identity theft or fraud.
The Data Protection Officer (dso@su.se) must be kept informed of the personal data breach and provides support as needed. In case of a personal data breach, the University must fill out the personal data breach template (in Swedish only; Word, 161 kB) and send it to the Data Protection Officer. On IMY's website you can read more about what a personal data breach is and when a breach must be reported to IMY: www.imy.se