Search

Other search services

Courses and programmes Syllabus Welcome letters Staff Job vacancies

Procedure for processing personal data in student projects

What does this page apply to?


This procedure describes how personal data may be processed in student projects at Mid Sweden University. It describes the division of responsibilities and how personal data should be handled in practice, from planning to deletion. The procedure is aimed at both students and course coordinators. The procedure applies when a student project:

  • contains personal data, and
  • is not part of an ethically approved research project.

What is meant by personal data, see the information Processing of personal data

Responsibility – who does what?

Mid Sweden University

Mid Sweden University is the data controller for students' personal data processing within education and is responsible for compliance with GDPR. 

Course coordinator department

The department responsible for the course has a special responsibility for:

  • assess whether personal data needs to be processed
  • determine whether sensitive or privacy-sensitive data is admissible
  • ensure that the student uses approved storage areas
  • ensure that consent and information are handled correctly
  • ensure that personal data is deleted or archived after examination;

It is the department that ultimately decides how the requirements are to be met and that must ensure that the student is informed about what applies.

The student

The student is responsible for:

  • follow the department's instructions
  • only process necessary personal data
  • Handle materials safely
  • Delete tasks when work is completed
     

When does this procedure apply?

The procedure must be followed when: the student project contains personal data in addition to quotations, references and source references, and
The work is not part of a research project with the responsible researcher.

Procedure – step by step

Step 1: Does personal data need to be processed?

The starting point should always be not to process personal data, or to process as few as possible.

The department responsible for the course shall:

  • ensure that personal data is only used if necessary;
  • emphasise that completed student projects should not normally contain personal data
     

Step 2: Assess the protection value of the data

It must be established at an early stage:

  • what kind of personal data may be
  • whether the data is ordinary, sensitive or privacy-sensitive
  • If sensitive or privacy-sensitive data may be present,  a necessity and suitability assessment is required
  • The department responsible for the course is responsible for ensuring that this is carried out before the study starts 

 
Step 3: Decide how the information will be stored and handled

The department responsible for the course is responsible for:

  • Only the University's approved system is used
  • access is limited to those who need the data
  • external cloud services are not used
  • sensitive data is only processed in specially approved environments 

 
Step 4: Decide on Deletion or Filing

Even before collection begins, it must be decided:

  • what to delete
  • what should be archived, if any;
  • After grading: Personal data shall normally be deleted
  • The student is asked to delete all material
  • Exceptions are handled according to the information management plan 

 

Step 5: Design information and consent

The department responsible for the course shall:

  • ensure that the University's templates are used
  • Ensure that information is accurate, clear and tailored to the target audience
  • if necessary, contact the Data Protection Officer (e.g. in the case of verbal consent) 

This template is intended to be used in student projects at Mid Sweden University where personal data is processed with consent as a legal basis according to the General Data Protection Regulation (GDPR).  Text in square brackets [ ] must be adapted to the student project in question.


Step 6: Collect and process personal data

  • Consent must be documented
  • Consents must be stored together with other material
  • The department is responsible for follow-up and support so that the student can follow the decided management
     

Step 7: Cull or archive after examination

On completion of the examination, the following persons shall:

  • material is deleted or archived as decided
  • The student deletes all personal data material
  • ensure that this is done 

 
Student projects in research projects (short reference)

If the student project is part of a research project, the project's regulations, legal basis and storage solutions apply. The principal investigator is the principal investigator.

Read more on the page Personal data in research.

 
Contact and support

In case of uncertainty, the department responsible for the course or the data protection officer must be contacted well in advance:
dataskyddsombud@miun.se

The page was updated 3/19/2026

Content owner:

Digitalization and Services (DOS)