Personal data is any kind of information that can be used to identify a specific person or indirectly identify the person if the information is combined with other information.
The processing of personal data is regulated by the General Data Protection Regulation (“GDPR”). If you gain access to or collect personal data in connection with your Master’s Thesis or an assignment, you are responsible for taking care of the data and must not do anything that could harm the data subject.
Personal data includes:
You may gain access to personal data from:
General personal data:
Personal data that does not fall under the category of “sensitive personal data” can be referred to as “general personal data”.
General personal data may include personal identification details such as:
Sensitive personal data:
Sensitive personal data is explicitly defined in the GDPR, and the conditions for processing such data are narrower than those for non-sensitive personal data. Sensitive personal data must be communicated via secure e-mail, and valid consent must be obtained before sensitive personal data is processed.
The following information is sensitive personal data:
Confidential information:
Confidential information is not a category explicitly mentioned in the GDPR. This information is regulated by other laws but may be of importance in the way the GDPR is applied. Whether information can be considered confidential depends on an assessment of whether, in the general view of society, it should be kept secret from the public. Non-sensitive personal information may be confidential in some situations, but confidential information will not always be sensitive. However, sensitive personal data will always be confidential.
If you collect personal data from e.g. test subjects or via a questionnaire to be used in your thesis or another assignment, you are responsible for the collected data, which means that you are responsible for:
# Obtaining consent from the participants
If you collect data on other people, you need their written consent to use and possibly disclose the information you receive. To obtain written consent, you must ask everyone involved to sign a consent form. A signed consent form ensures that the persons involved are informed of your use of the personal data and that they agree to have their data used for your specific purpose. You may not collect, process or disclose personal data until you have a signed consent form from the involved participants and you must submit a copy of the consent form to every participant who has signed it. You will find a downloadable consent form on my.cbs.dk.
# Complying with the rights of the data subjects
The data subjects have rights in relation to the processing of their data. The most important rights of the data subjects are:
# Storing the collected data safely
Once you have collected data and filled in relevant forms, you must keep this information in a safe and secure manner. This can be done, for example, by using Microsoft OneDrive, which is available to all students at CBS. You must ensure that the equipment used to collect data is password-protected to avoid access by unauthorized persons. You must also ensure that data is not accidentally or unlawfully destroyed, lost or impaired. You must always delete personal data when it is no longer relevant for your assignment. In practice, this means that you must delete the personal data when your assignment has been assessed and the deadline for complaints has expired.
# Describing the purpose of the data collection in a record
As data controller, you have the obligation to describe the nature and purpose of the personal data that you collect. This must be stated in a document called a “record of processing activities”. Once you have created the record, it must be stored electronically in OneDrive. You may need it in case the Danish Data Protection Agency inspects CBS to check whether we comply with the GDPR.
Because they can have severe negative repercussions for the data subjects involved and others, violations of the GDPR may come with various sanctions, both financial and, in very grave cases, custodial. If you experience a data breach, you must - without undue delay and no later than 72 hours after becoming aware of it - report the breach to the Danish Data Protection Agency, followed by a notification to the CBS data protection officer.
Apart from the costs incurred by the person violating the personal data protection regulations and the adverse consequences for data subjects, breaches may also in some cases lead to third-party litigation from individuals or groups seeking damages.
For all of these reasons, and to protect the reputation of CBS as a trusted partner whose students may be entrusted with sensitive data for their academic work, it is absolutely essential to heed the regulations meticulously and to be mindful of the adverse consequences that breaches have for real people.
You are working on your master’s thesis with two other students. The topic is Copenhagen Pride and you need to collect data from a large group of people in the LGBTQ community about their lives and their sexual orientation via individual interviews. You decide to record the interviews on your smartphone and plan on sharing the interviews with your collaborators so each of you will have easy access when needed. After completing your last interview, you head back to campus on the Metro to meet up with your group. However, as you get off the Metro, you realize that you have lost your smartphone and with it all of your data ...
This example represents a number of attention points and problems pertaining to the handling of personal data.
When you are writing a thesis or an assignment with other students, all of you are equally responsible for the personal data that you collect, analyse and store.
When you collect data via interviews, you need to obtain consent from the person you are interviewing and this should be done prior to the interview.
The information being collected in this example is about sexual orientation, which in a GDPR context is categorized as sensitive personal data. When working with sensitive personal data you need to be extra aware of how to comply with the GDPR, including how to safely store the collected data.
If your data is lost, you must report the breach to both the Danish Data Protection Agency and the CBS data protection officer as soon as possible and no later than 72 hours after becoming aware of the breach.
Jade Yang Faurschou - legal@cbs.dk
If you collaborate with one or more other students on your thesis or other assignment and you collect and process personal data, you are required to conclude an agreement on joint data responsibility. The agreement on joint data responsibility means that all group members will be responsible for the personal data collected in connection with the assignment / thesis. The agreement is available for download along with a lot of other information on my.cbs.dk.