Processing personal data in projects etc.

How to comply with the rules for collecting and processing personal data

If you collect personal data, e.g. from test subjects or through a questionnaire, to be used in an assignment/your Master’s thesis, you are responsible for the collected data. This means that you are responsible for:

1. obtaining consent from the participants
2. complying with the rights of the data subjects
3. storing the collected data in a safe manner
4. to describe the purpose of the data collection in a so-called ‘record of processing activities’.

---

1. Collect consent from the people participating  

If you collect data on other people, you need their written consent to use and possibly disclose the information you receive. To get written consent, you must asks everyone involved to sign a consent form. A signed consent form ensures that the person(s) involved agree to have their data used for your specific purpose. 

You may not collect, process or disclose personal data until the consent forms have been signed. You must submit a copy of the consent form to the person who has signed it. 

Find a template for a consent form. 

---

2. Complying with the rights of the data subjects

Find information about the rights of data subjects

---

3. Storing the collected data in a safe manner

It is your responsibility to ensure that the data that you work with is stored safely. You must always delete personal data when it is no longer relevant for your assignment/Master’s thesis. In practice, the means that you must delete the personal data when your assignment/Master’s thesis has been assessed and the deadline for complaints has expired. 

You can store data safely using OneDrive, which is available to all students at Aarhus University. Here, you can also store completed forms, consent forms and contracts. Information stored in OneDrive must be pseudonymised or anonymised if the data can be used to identify individual persons (confidential or sensitive data.)

Read more about classification of data

For further questions about storage or managing of data contact the director of studies at the relevant department or faculty.

---

4. Describe the purpose of the data collection in a so-called ‘record of processing activities’

As data controller, you are obliged to describe the nature and purpose of the personal data that you collect. This must be stated in a document called a ‘record of processing activities’. 

When you have created the record, it must be stored electronically. You may need this record in the event that the Danish Data Protection Agency makes an inspection of Aarhus University to check whether we are in compliance with the personal data regulations.

Find template.

The use of research data in an assignment/a Master’s thesis  

Within a certain framework, you are allowed to work with personal data that you receive from a researcher to be used in an assignment/your Master’s thesis.

A researcher can only legally give you access to personal data from a research project under one of three circumstances:

1. If the personal data in question is anonymous.
   Personal data is considered anonymous when the researcher has deleted the key that connects the individual person with the specific information. Usually, this does not happen until five years after the research project is completed.
2. If the researcher has obtained consent from the participants of the project to use the personal data in connection with teaching.
   In this case, you must enter into an agreement on the disclosure of personal data with the person responsible for the project. Find more information about disclosure of data.
3. If your supervisor confirms that you will be processing the personal data for the purpose of scientific/schorlarly research. You must get your supervisor to sign a form that confirms that you are conducting a piece of scientific/schorlarly work.  

Group projects and personal data

 

If you collect and process personal data for a group assignment or a report/Master’s thesis written in collaboration between two or more students, you must make an agreement on joint data responsibility. 

The agreement on joint data responsibility means that all group members will be responsible for the personal data collected in connection with the assignment/report/Master’s thesis. 

Find a template for a joint data responsibility form.

 

Borrowed equipment

If you borrow electronic equipment from Aarhus University for an interview etc in connection with an assignment or Master's thesis, you are responsible for the content. This means that the recordings (and other content on the equipment) you make, must be deleted from the borrowed equipment after use, and that the content must be stored securely afterwards. 

Confidentiality when students collaborate with companies as part of their studies

When students collaborate with a party outside Aarhus University (i.e. a third party) as part of their studies and want to use this party’s confidential information/business secrets in connection with an exam or in a written thesis, an agreement concerning this must be made between Aarhus University, the student and the third party. Read more.    

If you are a student assistant associated with a research project

If you are employed as a student assistant at Aarhus University, and you, in connection with your job, are associated with a research project, you are obliged to process personal data confidentially. This means that you cannot show or send information to others or store it on your computer when you are no longer associated with the research project. 

As a student assistant you must comply with Aarhus University’s information security policy.