Processing of Personal Data and confidentiality
Processing of Personal Data
The Whistleblower law contains supplementary provisions to the General Data Protection Regulation (GDPR), meaning that the law’s rules on the processing of personal data cannot be applied independently, but must be interpreted in conjunction with the GDPR.
Personal data may only be processed when necessary for the investigation. Personal data that is not relevant to the handling of the case must not be collected, and if collected by mistake, must be deleted as soon as possible. Additional specific regulations concerning the processing of personal data are outlined in Chapter 7 of the Whistleblower law.
Only individuals within the whistleblower function, or those appointed by the function to investigate the case, may access personal data processed in the matter. Access to personal data must be limited to what each individual needs to perform their duties.
Confidentiality and Secrecy
Anyone handling a case may not unlawfully disclose information that could reveal the identity of the reporting person or any other individual involved in the matter. This duty of confidentiality also applies to employees at Mid Sweden University to whom information about the investigated allegations has been transferred for further action or who otherwise come into contact with the information.