Processing of personal data

Register personal data processes

If you have any questions contact dataskyddsombud@ki.se

• ---

  1. The Title of the Personal Data Processing:

• Name
  For instance, the name of a research project, a business process, a course code, or an operational system. It can be challenging to distinguish one processing activity from another and determine where the boundaries lie. A piece of advice when making notifications is to consolidate personal data processing activities that can be linked to the same purpose and involve the same categories of personal data into a single processing activity.

• 2. Contact Person for Personal Data Processing:

• Name
  First Name Last Name
• Phone Number
• E-mail Adress
• Department Choose: MTC C1 MBB C2 FyFa C3 Neuro C4 CMB C5 IMM C6 LIME C7 MEB C8 NVS H1 LabMed H5 MedH H7 Clintec H9 MMK K1 MedS K2 KBH K6 OnkPat K7 CNS K8 GPH K9 DentMed OF KISÖS S1 KIDS D1 KM CC KIB CB UF Internrevisionen UoL
• Area of activity Choose: Research Education Health and Medical Care Administration Other
• If other Area of Activity, please specify
• Ethical Approval
  Yes

  No
• Attach the application and decision from the Ethical Review Authority or the Medical Products Agency
  Bläddra...

  
  
  • ()

• 3. Responsibility for personal data processing

• Are there one or more ethical approvals for the research?

• Is KI the data controller for the processing, or is KI the data processor?

• Responsibilty
  If KI, either alone or in conjunction with another party, determines the purpose and means of personal data processing, KI is the data controller. If another entity processes personal data on behalf of KI or allows KI to process personal data on its behalf, KI is the data processor
  KI is the sole data controller for personal data processing

  KI is jointly responsible for personal data processing with another party

  KI is a data processor or engages a data processor
• Who is the collaborator?
• Who is the data controller?
• Attach Collaboration Agreement
  Bläddra...

  
  
  • ()
• Attach Data Processing Agreement
  Bläddra...

  
  
  • ()

• 4. Description of personal data

• Categories of individuals to be registered (categories of individuals affected by the processing) 

• Individuals
  Trial subjects

  Employees at KI

  Affiliated with KI

  Students at KI

  Doctoral students at KI

  Patients (when KI is the healthcare provider)

  Job applicants

  Others
• If other category, please specify

• Estimated number of registered individuals affected by the personal data processing:

• Number of registered

• The processing of personal data includes the following categories of personal data:

• Categories
  Name

  Contact Information

  Co-ordination Number

  Social Security Number

  Pseudonym, Code or Consecutive Number

  Online identifier

  Photographs

  Video Recordings

  Audio Recordings

  Biological Samples

  Ethnic Origin

  Political Opinions

  Religious Beliefs

  Philosophical Beliefs

  Trade Union Membership

  Genetic Data

  Biometric Data

  Health Data

  Sex Life

  Sexual Orientation

  Racial or ethnic origin

  Other
• If other category, please specify

• Where are the personal data collected from?

• Source
  Directly from the data subject

  Other source
• If other source, please specify

• 5. IT-systems used for processing

  Applies, for instance, to collection, processing, and storage.

• IT-systems
  Server at departement

  KI´s central storage solutions on file servers or OneDrive

  KI ELN

  KI Survey

  REDCap

  Computer recieved/configured from KI

  Uppmax

  SAS

  R

  BASS

  External Harddrive

  USB

  No system (paper / manual processing)

  Other
• If other system, please specify

• 6. Description of personal data processing

• Describe the purpose of the processing, why does it occur? 

  The purpose should be succinctly but sufficiently detailed to understand why personal data needs to be processed

• Purpose

• What are the legal grounds for personal data processing?

  Note! In research and education at KI, the legal basis for processing personal data is "Public interest or exercise of authority". 

• Legal Grounds
  Public task

  Consent from the data subject

  Fulfilling a contract

  Fulfilling a legal obligation

  Protecting vital interests of fundamental importance

  Legitimate interest (Note! Balancing of interests is not a legal ground for the authority’s core activities)

• ---

  7. Time before destruction

  How long will personal data be processed before it is destructed or deleted?

• Time span before deletion
  Less than 1 year

  1-2 years

  2-5 years

  5-10 years

  10-17 years

  More than 17 years/ indefinitely

• ---

  8. Transfer of personal data

  Transfer is simply when personal data is shared outside of KI. This can happen in various ways, for example, by sending documents containing personal data, giving someone read access to KI's systems, or using a cloud service.

• Will or has the personal data been transferred outside of KI?

• .
  Yes to recipients within Sweden
• .
  Yes to recipients within the EU/EEA area
• .
  Yes to recipients outside the EU/EEA
• In which country is the recipient?

• How will the personal data be transferred outside of KI?

• Method
  Email

  Access on file server at KI

  Transfer to recipient’s file server

  Portable storage media (USB, hard drive, etc.)

  MFT

  Other
• If other, please specify

• ---

  9. Protective measures

  Protective measures can be both technical and organizational. Technical measures include, for example, login, encryption, and virus protection. Organizational measures include, for example, log control, access management, and staff training.

• Specify the measures that have been taken to increase the protection of personal data:

• Protection
  Protection Authentication (Multi-factor)

  Encryption

  Pseudonymization of personal data

  Access controls (limited number of people who have access to the data)

  Protection against malware/programs (such as virus protection)

  Backup

  Remote access

  Logging of access to personal data

  Other
• If other, please specify