Inventory of personal data processing in research projects
New personal data regulations will come into force on 25 May 2018, replacing the current Personal Data Act. A project is under way at Linköping University to ensure that we are ready to meet the new legal requirements.
One component of the work at LiU in implementing the new regulations will be to draw up an extensive inventory of all processing of personal data at the university. The new regulations state that each controller of personal data is responsible for maintaining a record of all processing activities that is carried out during operations. It is usual that Linköping University (LiU) is controller of personal data for the processing of personal data carried out here.
One component of the inventory work is to create a list of all research projects in which personal data is processed for people who are the subjects of research.
Personal data is information of any form that can be related directly or indirectly to a living individual. It may be in the form of text, image, sound, etc. Information that has been anonymised is considered to be personal data, if a code key exists.
Processing of personal data describes all operation or set of operation that is performed on personal data, independently of whether this is carried out by automatic means or not. Examples are collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction. Processing may take place in, for example, an IT support system or on paper.
Controller of personal data is a natural or legal person, public authority, agency or other body that alone or jointly with others determines the purpose and means of personal data processing.
An inventory of the processing of personal data in research projects will be created as follows:
- A questionnaire is enclosed as an attachment to this email. We ask you to complete the questionnaire if you are responsible for an ongoing research project in which personal data is being collected or has been collected either from or about subjects of research – directly or indirectly.
- he questionnaire is to be completed for each individual research project in which processing of personal data takes place and for which LiU is controller of personal data. One questionnaire is to be completed for each research project.
- The completed questionnaire is to be returned to the email address given at the bottom of the questionnaire (email@example.com). The questionnaire will then be sent to the university’s inventory of personal data.
Only the processing for research of personal data for which LiU is the controller of personal data is to be inventoried. In the event of uncertainty about whether LiU is controller of personal data or not, the questionnaire is to be completed, and it is to be stated in the text field for comments that this is unclear.
Instructions for completing the questionnaire are available. These instructions are present not only in the Excel spreadsheet, but also as a separate document.
It is extremely important that everyone who is subject to this request participates, since the task of taking an inventory of personal data processing has been given a high priority at LiU.
It is obligatory to provide this information, and we must receive it by 28 February 2018.
More information about the project and how the inventory is being taken is available at the project website. This website will be continually updated.
It is also possible to send questions about the inventory work to firstname.lastname@example.org
Your cooperation in completing the questionnaire is appreciated.
Last updated: 2018-01-31