A Guide to Working with Integrity as a CBS Student: Personal Data & GDPR

The processing of personal data is regulated by the General Data Protection Regulation, or GDPR. If you gain access to or collect personal data in connection with your academic work, you are responsible for safeguarding that data and must do your absolute utmost to shield the data subject from any damage.

Personal data

Personal data comprise any kind of information that may be used to identify a specific person in and by itself or, if combined with other pieces of information, may help identify a person indirectly. Personal data can be broken down into four categories: general personal data, sensitive personal data, information about criminal offences, and confidential data.

Personal data include but are not limited to  

• Name, e-mail, username on social media (general personal data)
• Education, income, position, employer (general personal data)
• Details of racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union affiliation, genetic data, health details, and sexual orientation (sensitive personal data)

You may gain access to personal data from

• Public or private registries, e.g. RKI (Danish credit reporting bureau), donor registries, etc.
• Interviews
• Questionnaires
• Other channels

General personal data (non-sensitive personal data)

Personal data that do not fall under the category of sensitive personal data (cf. below) are defined as general, or non-sensitive, personal data. General personal data include personal identification details such as name, address, and date of birth, as well as information about personal finances, tax-related matters, debts, significant social problems, other purely private matters, sick days, work-related circumstances, family circumstances, residence, car, qualifications, applications, CV, date of employment, job, work phone.  

General personal data may be subject to confidentiality, which of course must be respected always. Personal data of the general and confidential type include, but are not limited to, information regarding adoption, grades and exam cheats, significant social problems, as well as family circumstances.

Sensitive personal data

Sensitive personal data is defined explicitly in the GDPR and access to process such data is much narrower than in the case of general, or non-sensitive, personal data. Sensitive personal data must be shared via secure e-mail and valid consent must be obtained before any processing can commence.

The following information constitute sensitive personal data:

• Details of racial or ethnic origin
• Political beliefs
• Religious or philosophical beliefs
• Trade union affiliation
• Genetic data
• The processing of biometric data for the purpose of uniquely identifying a natural person
• Health details
• Sexual orientation

Confidential information

Confidential information is not a category explicitly mentioned in the GDPR. This information is regulated by other laws but may be of consequence in the way that the GDPR is applied.  Whether a piece of information is to be considered confidential or not depends on whether the information, in the general view of society, should be requested to be kept secret from the public eye. General or non-sensitive personal information may be confidential in some situations, but confidential information will not always be sensitive. However, sensitive personal data will always be confidential.

Confidential information may be information pertaining to

• National identification number (CPR no.)
• Personality test
• Divorce
• Adoption conditions
• Alcohol and drug testing
• Registration of cheating for exams
• Logging of internet usage
• Grades
• Significant social problems and family circumstances
• Reasons for expulsion
• Disciplinary cases
• Minutes of personal conversations if they contain confidential information
• Secret address

Complying with the rules for processing personal data

If you collect personal data from test subjects or via a questionnaire to be used in an assignment, you are responsible for the collected data, which means that you are responsible for

1. obtaining consent from the participants (the data subjects)
2. complying with the rights of the data subjects
3. storing the collected data safely
4. describing the purpose of the data collection in a record

1. Obtaining consent from the participants

If you collect data on other people, you need their written consent in order to use and possibly disclose the information you receive. To obtain written consent, you need to ask everyone involved to sign a consent form. A signed consent form ensures that the people involved are informed of your use of the personal data and that they agree to have their data used for your specific and stated purpose. You may not collect, process or disclose personal data until you have in your possession a signed consent form from the involved participants, and you must submit a copy of the consent form to every participant who has signed it.

2. Complying with the rights of the data subjects

The data subjects have a number of rights in relation to the processing of their data. The most important rights are

• The right of access – the data subject has the right to view the personal data you process and to obtain information about the processing
• The right to rectification – the data subject has the right to get incorrect personal data about them corrected
• The right to be forgotten – the data subject is entitled to withdraw their consent at any time

Every data subject have the right to withdraw their consent, which means that you may not continue with the processing of their data.

3. Storing the collected data safely

Once you have collected data and filled in relevant forms, you must keep this information in a safe and secure place, for instance in Microsoft OneDrive which is available to all CBS students. You need to make sure that the equipment used to collect data is protected by password to avoid unauthorized access. You also need to ensure that data are not accidentally or unlawfully destroyed, lost, or impaired. You must always delete personal data when it is no longer relevant for your project. In practice, this means that you must delete the personal data when your assignment has been assessed and the deadline for complaints has expired.

4. Describing the purpose of the data collection in a record

As data controller, you are obliged to describe the nature and purpose of the personal data that you collect. This must be stated in a document called a “record of processing activities”. Once you have created the record, it must be stored electronically in OneDrive. You may need it in case the Danish Data Protection Agency decides to do an inspection of CBS GDPR compliance.

Group projects

If you collaborate with one or more students on an assignment and as part of this work, you collect and process personal data you need to sign an agreement on joint data responsibility. The agreement on joint data responsibility means that all group members share responsibility jointly for the personal data collected in connection with the assignment.

GDPR breaches

Violation of data protection regulations may trigger a fine or a prison sentence of up to six months. If you experience a data breach, you are required - without undue delay and no later than 72 hours after becoming aware of it – to report the breach to the Danish Data Protection Agency and the CBS data protection officer.

Apart from the costs incurred by the person violating personal data protection regulations, breaches may affect people negatively and in some cases may lead to third-party litigation from individuals or groups seeking damages.

For this reason, and to protect the reputation of CBS as a trusted partner, whose students may be entrusted with sensitive data for their academic work, meticulously heeding the regulations and being mindful of the adverse consequences to real people in the case of breaches is absolutely essential.   

Jade Yang Faurschou - legal@cbs.dk