Practical guidance – processing of employees' personal data
How to handle employee personal data
This page provides practical guidance for those who work at Mid Sweden University and process personal data about employees, former employees or job applicants. The purpose is to provide support in the daily work and contribute to personal data being handled legally, securely and responsibly.
All processing of personal data must take place in accordance with the General Data Protection Regulation (GDPR), supplementary legislation and the University's internal governing documents. Mid Sweden University must also be able to show that the rules are followed.
Before you process personal data
Before collecting, registering or otherwise using personal data, you should ensure that the processing is necessary for your work. You need to know why the data is to be processed and what purpose it fulfils. The processing must have a defined legal basis, such as a task in the public interest, a legal obligation or a contract.
If you are unsure whether a processing is lawful or necessary, you should contact your manager or the Data Protection Officer before proceeding.
Restrict access to the data
Personal data may only be shared with people who need it to perform their duties. It is important not to disseminate information more widely than necessary. When sending emails, always check the recipient carefully, especially if the message contains sensitive or privacy-sensitive information.
Avoid storing documents containing personal data in open folders with broad access rights. Instead, use the systems and storage areas that are intended for the purpose and that have proper access control.
Handle sensitive personal data with special care
Information about, for example, health, trade union membership or other sensitive matters is covered by special protection under the General Data Protection Regulation. Such data may only be processed if there is explicit legal support.
Sensitive personal data must be handled with extra restraint. It should not be sent via unencrypted e-mail and should only be stored in systems that are approved for this type of information.
Use the right system and avoid private solutions
Personal data must be processed and stored in the University's own systems or in other designated storage areas. Private cloud services or external storage solutions may not be used for work-related personal data.
Do not save data longer than necessary
Personal data must not be stored for longer than is necessary for the purpose for which it was collected. When the data is no longer needed, it must be deleted or otherwise disposed of in accordance with applicable procedures and document management plans.
It is important not to keep personal data "just in case". Regular review and cleanup of e-mail and work folders is part of responsible data protection work.
If something goes wrong
A personal data breach can, for example, mean that data has been sent to the wrong recipient, that a computer or mobile phone has been lost, or that unauthorized persons have gained access to personal data.
If you suspect that an incident has occurred, you must immediately report this in accordance with the University's procedure for personal data breaches. Timely reporting is essential to be able to limit any consequences and meet the requirements of the law.
Your responsibility as an employee
Everyone who processes personal data within Mid Sweden University's operations has a responsibility to do so in a correct and secure manner. This means that you must comply with applicable guidelines, protect the data against unauthorized access and act with care for personal privacy.
Data protection is part of the University's responsibility as a public authority and an important part of the trust between employers and employees.