Processing of personal data

Karlstad University is responsible for the processing of personal data conducted by students within their education. When a student processes personal data under supervision of the University, the student acts as a representative of the University. The University is therefore responsible for ensuring that the processing complies with applicable laws and that the data subjects’ integrity is protected.

Further information on personal data processing by students, as well as guidelines and templates for academic papers can be found here: 

• GDPR for students

Definitions

Processing (of personal data): any operation performed on personal data. Examples of processing: gathering of personal data through, for example, interviews (even if no names are mentioned), online surveys, showing someone personal data on a screen, printing personal data on a printer, saving a file containing personal data on a computer, sending personal data via email and deleting a file containing personal data. Even paper surveys generally involves processing of personal data.

Sensitive personal data: data disclosing ethnic origin, political opinions, religious or philosophical beliefs, trade union affiliation and the processing of genetic data, biometric data to unequivocally identify a physical person, data concerning health, a physical person’s sexuality or sexual preference.

Unauthorised persons: people (e.g., your children, partner or classmates) who should not have access to the information.

Personal data: any kind of information that can be directly or indirectly linked to a living person. Examples of personal data: family relationships, personal finances, memberships, opinions, qualifications, religious beliefs, and much more. 

Academic papers: independent projects as well as papers that are part of a research project.

IT security when processing sensitive personal data

At Karlstad University, students are generally prohibited from processing sensitive personal data. However, there are exceptions. As an example, sensitive personal data may be processed as part of an independent project by students in subjects that have been exempted by the dean. Consult your supervisor to ensure you have the right to process sensitive personal data and that the processing of personal data has been registered in the University’s register of personal data processing as part of an academic paper before you start collecting personal data.

Students may only process sensitive personal data using IT technical solutions and services that the IT director has assessed as having adequate protection for the type of data in question and in accordance with applicable instructions. All other processing of sensitive personal data is prohibited and may result in disciplinary sanctions. Information about which systems to use and instructions on how to use them can be found here (in Swedish):

• Säker uppsats

Cloud services and other external services

External cloud services that are not available via Karlstad University may not be used for processing of personal data. This includes storage services such as Dropbox, Google docs, iCloud, etc. 

For an up-to-date list of approved services, go to:

• Services

You must log in to these services using the links provided by Karlstad University.

IT security when processing personal data (non-sensitive personal data)

Karlstad University recommends that students use Microsoft 365 (M365) by logging in to:

• office.com

Use your KauID and work on your document in Office Online to manage personal data. Students can log in to M365 from any device with their KauID. M365 provides secure and flexible storage, facilitates collaboration and also offers backup functions that students can activate and recover themselves by following the instructions on the Microsoft website (link below).

If a student prefers to use their own IT equipment, they must first consult with their supervisor. However, the student must ensure adequate backup that unauthorised persons cannot access. Example below on this page.

M365 or personal IT equipment may never be used for sensitive personal data; the secure technical solution provided by the University must always be used when processing sensitive personal data (see below).

To protect the information in M365, strong authentication must be activated by 31 December 2025 at the latest. You should therefore activate strong authentication, as soon as possible, in accordance with the instructions on:

• Microsoft 365

Synchronisation from M365 to personal IT equipment must be turned off and downloading of personal data must only take place following approval by the supervisor. However, thesis drafts as well as the final thesis may be downloaded to personal IT equipment for printing, for example. 

When using the Microsoft 365 app on mobile devices, it is important to activate a PIN code to prevent unauthorised access to the information in M365. 

Chromebooks, mobile phones or tablets may only be used when the student is working in M365, since these devices often have backups activated to cloud services that the University does not have agreements with, such as iCloud. However, mobile phones and tablets may be used to record interviews in accordance with information below on this page. 

More information about backup and restoring files: 

• Backup and restoring files

IT security measures for personal computers

For students to be able to process personal data as part of an academic paper on their own personal computer, the processing needs to meet certain security requirements. The requirements for Linux/Unix computers are the same as for Windows and macOS computers, but are not included in this document.

This means that computers used for writing academic papers need to:

• be protected by a strong password (see below)
• have antivirus software installed and activated
• ensure that the built-in firewall of the operating system is turned on
• the operating system and software used must also be updated with necessary security updates. Old operating systems such as Windows 7 and 8.1, older versions of Windows 10 before 23H2, and older macOS versions before version 13 no longer receive security updates and are therefore not safe to use.

Links for security measures:

• Firewall Windows
• Firewall macOS
• Update Windows
• Update macOS

Different software uses different types of updates. A few examples of common software: 

• Office
• Adobe PDF Reader
• Firefox
• Chrome

Instructions on how to update the software you use can be found in the help section of the software or on the company website. 

• Find out which Windows version your computer is using
• Find out which macOS version your computer is using

IT security measures for personal mobile phones and tablets

When using mobile phones or tablets, the following needs to be ensured:

• the device must be protected by a strong PIN code (see below)
• the operating system and apps on the device must have completed necessary security updates

External USB sticks, USB hard drives and paper documents

When using external storage media such as USB sticks or USB hard drives to store personal data, it is important that these are kept in a safe place so that unauthorised persons cannot gain access to the information. Paper documents, such as printouts, containing personal data must also be kept in a safe place to prevent authorised access.

Login details

The purpose of a password is to protect your information on IT services and computers so that attackers and unauthorised persons cannot read or destroy your information. Therefore, it is important to create a strong password that makes it difficult for unauthorised persons to access your information. Here is a list of advice when creating a strong password, based on recommendations by the Swedish Internet Foundation:

• A unique password for each service
  The world’s best password can become the world’s worst if you use it everywhere. If the password leaks, a person who wants to intrude suddenly has access to all your services. You should therefore use different passwords for different services, and you must never use the same password for your KauID that you use or have used for external services (such as Google, Spotify or Netflix). Nor should you reuse the same password that you have used before, for example, at your previous school.
• Use unusual and impersonal passwords
  Forget about passwords like Summer2023 or Swifties4Ever. A strong password needs to be unusual and contain nothing that can be linked to you as a person.
• Think long when it comes to passwords
  The longer the password, the better. A password should include at least 10 characters. By thinking in phrases, the password becomes easier to remember than a bunch of letters and numbers jumbled up. Four randomly selected words will get you far.

For more tips and information on how to create a strong password (in Swedish):

• Internetkunskap starka lösenord

PIN codes

As with passwords, PIN codes should be difficult to guess, so choose PIN codes that have no connection to you as a person. Bad examples of PIN codes are digits in a row like 1234 or 0000. PIN codes that are linked to your own, your partner’s or your children’s birth date are also examples of bad PIN codes. Just like passwords, long PIN codes are more secure than short one. Therefore, you should, if possible, use PIN codes that are six characters or longer. 

Recording interviews

Before recording an interview, start by considering the location you are in. Ensure that no unauthorised people can listen to what is being said during the interview. A suitable place to record an interview could be one of the group rooms available at the University. 

Recording via M365 

For easy and smooth handling, interviews can be recorded directly to M365 by installing the Microsoft app “M365 Copilot” on your mobile phone or tablet. In addition to the audio file being stored directly in M365, you also have the option to transcribe the audio file into a Word document in M365.

Please note! The transcript in M365 will contain errors. Students must therefore listen to the audio file and correct any mistakes.

If a student chooses to use the app on their mobile phone or tablet, it is important to activate a PIN code on the device and ensure that unauthorised persons do not have access. If an unauthorised person gains access to the mobile phone or tablet, they can not only access the information but also destroy or change the information in M365.

• Microsoft 365 and stream

Recording if M365 is not an option

If the student, after consulting with their supervisor, finds it necessary to record interviews in a way other than directly to M365, it can be done as follows:

Via Zoom
You can record an interview in Zoom if the computer, mobile phone or tablet used meets the security requirements. When the recording is made in Zoom, two files are created, one audio file and one video file. The video file must be deleted as soon as the interview is finished, unless otherwise agreed in advance with your supervisor.

Via computer
Local software installed on the computer that meets the security requirements can be used to record interviews provided there is no synchronisation of the audio file to a cloud service that Karlstad University does not have an agreement with.

Via mobile phone or tablet
The following steps need to be taken if a mobile phone or tablet that meets the security requirements is to be used to record an interview:

1. Put the mobile phone or tablet on airplane mode, ensure WiFi is turned off
2. Complete the interview
3. Copy the file with the interview via a cable to a computer that meets the security requirements
4. Delete the file containing the interview from the mobile phone or tablet
5. Turn off airplane mode on your mobile phone or tablet

Via voice recorder (that is not connected to the Internet)
As long as the interview is stored on the recorder, it must be handled in such a way that unauthorised persons cannot listen to the recorded interview. This could include you supervising the recorder as long as it contains the interview or placing the recorded in a locked space. Once the interview has been saved on a computer that meets the security requirements and has been deleted from the voice recorder, the recorder no longer has to be handled in any certain way.

Transcription

When transcribing interviews, that is, when interviews are written down in a document from audio files, this can be done in two different ways: in M365 or manually by the student. 

• Transcriptions in M365. The student uploads the audio file to M365 and it will be transcribed automatically.
  Please note! The transcript in M365 will contain errors. Students must therefore listen to the audio file and correct any mistakes.
• Manual transcription. Manual transcription means that the student listens to the audio file and writes down the information in a text document. You should primarily use Word in M365, Office online. In cases where this is not possible, you can use Word on a computer with sufficient security, after consulting with your supervisor. 

Instructions on how to transcribe your recordings in Word:

• Microsoft Transcribe Your Recordings

Deleting data upon completion of an academic paper

After completing an academic paper, all work material containing personal data must be deleted from Säker uppsats, M365, the computer and any external storage media, such as USB sticks. Remember to empty the recycle bin in M365 and on the computer as well.

Any printed documents containing personal data must be destroyed before being discarded by cutting the paper into small pieces or using a paper shredder if you have access to one.