As a student it is important that you comply with the EU's General Data Protection Regulation (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven) when working with personal data, e.g. through a questionnaire or interview to be used in assignments, projects, thesis etc.
WHAT IS PERSONAL DATA?
Personal data is all kinds of information concerning an identified or identifiable natural person and may include:
Name, address, phone number, e-mail etc. (regular personal data)
Racial or ethnic origin, political, religious and philosophical beliefs, trade union membership, genetic or health status, sexual orientation and biometric data (sensitive personal data)
CPR numbers is considered regular personal data, but confidential information and are therefore subject to specific processing requirements.
HOW MAY YOU PROCESS PERSONAL DATA?
In the GDPR and the Danish Data Protection Act, the handling of personal data is referred to as the "processing" of personal data. The term "processing" covers, among others, the collection, registration, storage, disclosure and analysis of personal data.
When working with personal data, you must familiarize yourself with the rules applying to the processing of data, including whether you have a legitimate purpose and a legal basis for the processing of personal data. Legal basis means legal mandate or legal and regulatory framework.
As a student, you have a legal basis for the processing of data, when data is processed for the purpose of your studies. In most cases, you can use consent as the legal basis for processing.
WHAT TO DO IN PRACTICE?
If you gain access to or collect personal data to be used in a project, assignment, master's thesis etc., you are responsible for taking care of that data and to follow this step-by-step guide:
When you collect personal data to be used in a project etc., always remember to obtain a consent. You can read more about consent in the Danish Data Protection Agency's policy here.
Personal data should be handled in a safe manner. This means that you must store it in a way that is not available to the public, e.g. at unsecured places.
You are only allowed to share personal data if you have a legal basis (e.g. consent) to do so. If the sharing is part of the project and the consent fx, you must be certain that the people with whom you share the data with, also handle the data in a safe manner. If it is possible to share the data in an anonymous way, always do that.
Delete all personal data, when it is no longer relevant for your project etc. to keep.
All group members are jointly responsible for complying with GDPR and the Danish Data Protection Act when collecting and processing personal data for a group assignment/project.