When collecting data for use in your assignment, bachelor project or Master’s thesis, there are a number of things that you as a data controller must decide. Below you will find a checklist of things that you at the very least should relate to.
Before you start collecting personal data for your assignment, you need to think about the collection process itself. This is a requirement for you as an independent data controller, but overall, it is a good idea to make a plan for the various sub-elements of your assignment. The collection must take place in a secure manner, and you must therefore explore the possibilities of using secure systems, have a plan for how data should be stored, how you obtain consent, when deletion should take place etc.
It is a key issue in the GDPR that no more personal data may be processed than is necessary to fulfill the purpose. This means that you must be cleast about what personal data you need and thus not collect data that is not relevant for your project. This is called data minimization.
You are also recommended to make an overview of which personal data you collect and for what purposes it is to be used - this will help you if the Danish Data Protection Authority or those you collect information about ask. Below are suggestions for what you can include in such an overview:
- Study programme
- Your name
- Your supervisor's name
- Title of assignemtn
- Due data
- Purpose of processing the information (e.g. completing a bachelor's or master's degree)
- Categories of people (e.g. young people aged 15-20 on vocational education)
- Number of people per person category (e.g. 500 people between the ages of 15-20 on vocational education)
- Categories of personal data (e.g. age, gender, attitudes towards education, exam grades etc.)
- Where data is stored during collection and analysis
- Time of deletion of the information
In connection with obtaining consent, the participant must be informed of his or her rights so that he or she can assess whether to consent or not. It is part of the condition that the consent must be informed. The participant must be informed of:
- the identity and contact details of the data controller and his/her/its representative, if any;
- the purposes of the processing for which the personal data is to be used and the legal basis for the processing;
- any recipients or categories of recipients of the personal data;
- where processing is based on consent, the consentee must be informed of the right to withdraw their consent at any time; and
- the right to lodge a complaint with a supervisory authority (the Danish Data Protection Agency).
In addition, you can choose to disclose the items below (depending on the specific circumstances)
- the period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period;
- the right to request from the data controller:
• insight into the personal data processed about the participant,
• to correct and adapt personal data that is not correct; or
• to delete personal data; or
• to restrict processing concerning the data subject; or
• the right to object to processing.
If you use SDU RIO’s declaration of consent, the disclosure obligations are part of the template.
You must make sure you have obtained valid consent from the person you want to collect information about – before you start collecting any data. This applies regardless of whether you need to record video, take pictures, have answers to a questionnaire or something completely different. There are four conditions that must be met before a consent is valid:
- The consent must be specific, so that it is adapted specifically to the task and purpose that is relevant.
- It should be voluntary, so that there are no inconveniences associated with saying no.
- It must be unambiguous, so tacit/implied consents are not valid.
Finally, it must be informed, so that the participant is informed of his or her rights.
A request for consent must be easily accessible, understandable and be in clear and plain language. Therefore, you should avoid using any specialist expressions, if possible. We recommend that you obtain written consent, as you must be able to prove that consent has been given – and what the participant has specifically consented to. This is SDU's recommendation although verbal consent is equally valid.
The participant may withdraw his or her consent at any time. If this happens, you are no longer allowed to process personal data and must therefore delete any data you have about the person.
Before giving consent, the participant must be informed that he/she/it may withdraw their consent. The process of withdrawing one’s consent must not be more cumbersome than providing it. If a declaration of consent has been made, it’s a good idea to allow the participant to withdraw their consent by email or phone. The participant must have sufficient information about their rights and the specific circumstances in relation to the assignment and the processing of data. This is a prerequisite for the consent to be valid.
People at age 15 or older can give consent if you assess that the person can understand the information and the consequences of giving consent to the processing of personal data. Read more in the fold-out menu below.
SDU RIO has created a template for a declaration of consent that you are free to use.
Please remember that declarations of consent must be stored in a safe way just like your other data. Declarations of consent must only be stored as long as the data is processed - i.e. until all data is deleted or anonymised.
In the case of personal information about children, it is a concrete assessment whether the child himself can consent. It must be taken into account whether the child can assess the consequences of the consent and here the type of personal information and the child's maturity is important. In general, an ordinary 15-year old is considered sufficiently mature to be able to consent for themselves. If the child is assessed to have any e.g. cognitive difficulties, it will require perental consent.
If the child does not have the necessary maturity to consent, it is the parent with custody who must consent (if the parents are divorced, but still have joint custody, it is the resident parent who must give consent). However, the child must still have information about the project themselves to the extent that it makes sense.
There are various requirements for the handling and storage of personal data. This must be done in a reassuring manner – with an appropriate level of security and privacy protection. This means that, for example, you are not allowed to store personal data in your bag, in your Dropbox or talk about the person data in public. Take a look at the tips and tricks regarding information security here.
Some systems are more secure than others. You can contact SDU IT for help choosing a secure storage solution or see the list here. You may find that a Secure Server solution (S4) is the most appropriate in your case. This particularly concerns students enrolled at the Faculty of Health Sciences, but can also apply to others. Talk to your supervisor about this.
Also remember to delete/shred 'raw data' as e.g. audio files in recording devices, paper questionnaires etc. once you have moved it to a secure storage solution.
You are recommended:
- To use a systematic naming of files so that the data about a person canbe easily retrieved - e.g. if the person concerned withdraws his consent.
- Not to transfer data from/to others via mail unless it happens via an SDU email to another SDU email. Remember that data can also be shared via OneDrive or an encrypted USB stick.
If you use equipment for e.g. sound or images you are responsible for protecting the data too. This means recordings etc. should be stored securely and deleted when you no longer need it. If you borrow recording equipment from SDU, this also applies.
Onedrive is available for students, and here you can securely store your data. You can find a full list of software, where you can process and store personal data here.