The processing of personal data is regulated by the General Data Protection Regulation, or GDPR. If you gain access to or collect personal data in connection with your academic work, you are responsible for safeguarding that data and must do your absolute utmost to shield the data subject from any damage.
Personal data
Personal data comprise any kind of information that may be used to identify a specific person in and by itself or, if combined with other pieces of information, may help identify a person indirectly. Personal data can be broken down into four categories: general personal data, sensitive personal data, information about criminal offences, and confidential data.
Personal data include but are not limited to
You may gain access to personal data from
General personal data (non-sensitive personal data)
Personal data that do not fall under the category of sensitive personal data (cf. below) are defined as general, or non-sensitive, personal data. General personal data include personal identification details such as name, address, and date of birth, as well as information about personal finances, tax-related matters, debts, significant social problems, other purely private matters, sick days, work-related circumstances, family circumstances, residence, car, qualifications, applications, CV, date of employment, job, work phone.
General personal data may be subject to confidentiality, which must always be respected. Personal data that are both general and confidential include, but are not limited to, information regarding adoption, grades and exam cheating, significant social problems, and family circumstances.
Sensitive personal data
Sensitive personal data are defined explicitly in the GDPR, and the scope for processing such data is much narrower than for general, or non-sensitive, personal data. Sensitive personal data must be shared via secure e-mail, and valid consent must be obtained before any processing can commence.
The following information constitutes sensitive personal data:
Confidential information
Confidential information is not a category explicitly mentioned in the GDPR. Such information is regulated by other laws but may affect the way the GDPR is applied. Whether a piece of information is considered confidential depends on whether, in the general view of society, it should be kept from the public eye. General or non-sensitive personal data may be confidential in some situations, but confidential information will not always be sensitive. Sensitive personal data, however, will always be confidential.
Confidential information may be information pertaining to
Complying with the rules for processing personal data
If you collect personal data from test subjects or via a questionnaire to be used in an assignment, you are responsible for the collected data, which means that you are responsible for
1. Obtaining consent from the participants
If you collect data on other people, you need their written consent in order to use and possibly disclose the information you receive. To obtain written consent, you need to ask everyone involved to sign a consent form. A signed consent form ensures that the people involved are informed of your use of the personal data and that they agree to have their data used for your specific and stated purpose. You may not collect, process or disclose personal data until you have in your possession a signed consent form from the involved participants, and you must submit a copy of the consent form to every participant who has signed it.
2. Complying with the rights of the data subjects
The data subjects have a number of rights in relation to the processing of their data. The most important rights are
Every data subject has the right to withdraw their consent, after which you may not continue processing their data.
3. Storing the collected data safely
Once you have collected data and filled in the relevant forms, you must keep this information in a safe and secure place, for instance in Microsoft OneDrive, which is available to all CBS students. You need to make sure that the equipment used to collect data is password-protected to prevent unauthorized access. You also need to ensure that data are not accidentally or unlawfully destroyed, lost, or impaired. You must always delete personal data when they are no longer relevant for your project. In practice, this means that you must delete the personal data when your assignment has been assessed and the deadline for complaints has expired.
4. Describing the purpose of the data collection in a record
As data controller, you are obliged to describe the nature and purpose of the personal data that you collect. This must be stated in a document called a “record of processing activities”. Once you have created the record, it must be stored electronically in OneDrive. You may need it in case the Danish Data Protection Agency decides to inspect CBS's GDPR compliance.
Group projects
If you collaborate with one or more students on an assignment and, as part of this work, collect and process personal data, you need to sign an agreement on joint data responsibility. The agreement on joint data responsibility means that all group members are jointly responsible for the personal data collected in connection with the assignment.
GDPR breaches
Violation of data protection regulations may trigger a fine or a prison sentence of up to six months. If you experience a data breach, you are required to report the breach to the Danish Data Protection Agency and the CBS data protection officer without undue delay, and no later than 72 hours after becoming aware of it.
Apart from the costs incurred by the person violating personal data protection regulations, breaches may affect people negatively and in some cases may lead to third-party litigation from individuals or groups seeking damages.
For this reason, and to protect the reputation of CBS as a trusted partner whose students may be entrusted with sensitive data for their academic work, it is absolutely essential that you heed the regulations meticulously and remain mindful of the adverse consequences that breaches have for real people.
Jade Yang Faurschou - legal@cbs.dk