Skip to main content
SDUnet

Search

Dansk
Menu

Data protection and information security

Personal data in education

Below you will find information and concrete examples of how to take data protection and information security into account when communicating with students and organising training.

When you are lecturing

  • Sometimes you may need to use personal data in your teaching. You should always consider whether it is necessary to show examples with personal data. If you feel it is necessary to show parts of an assignment, X-rays or other types of personal data in your teaching, do so in anonymised form. Also, remember to ensure that the personal data is not disseminated. So even if it is necessary to use confidential or sensitive information in your training, remove it before you upload your slides to itslearning. Remember to always ask for permission to use the material.

  • Class lists containing name and SDU email address appear in itslearning, where fellow students and lecturers have access to the lists. Students can add a picture and other information to the class list in itslearning, which will then be available to lecturers and fellow students. The lists may not be passed on unless there is a legal basis for it.

    If you as a lecturer need to save the lists somewhere else, you must use one of the SDU-approved systems, such as OneDrive or SharePoint.

  • As a lecturer, you are generally allowed to record lectures, laboratory experiments, etc. without the consent of the students. If you do so, you must:

    • ensure that there is no sensitive personal data on the admission
    • inform students that an admission is being recorded and what the recording will be used for
    • limit the dissemination of the admission (internal class page on Itslearning is OK, publication on the internet is generally not OK)
    • consider whether it is possible to respect students who do not want to be recorded (e.g. by switching off the microphone when they speak or allowing them to sit outside the camera angle)

    • consider on a case-by-case basis whether there is anything on the recording that would be inappropriate to share (for example, because the topic of the teaching is sensitive or because a student is sharing something very personal on the recording)

    • be aware if students present material on the admission that may be protected by copyright (e.g. presentations they also use in other contexts).

    Contact SDU RIO, if you are in doubt.

    Read the memo about the legal considerations (pdf)

    Mobile phone for admission

    If you use a mobile phone for admission, make sure it is encrypted. If you do not know if your mobile phone is sufficiently encrypted, ask SDU IT, Servicedesk for advice.

    Are students allowed to record classes? See what you need to be aware of

    As a lecturer, you have the pedagogical management rights and copyright to the material you have prepared. It is therefore up to you to decide whether students are allowed to audio and/or video record your teaching, but you should consider a few things before you respond to the student's request. You must ensure that there is a factual reason for refusing admission (e.g. that it inhibits the learning space), that students are treated equally and that requests from SPS and Elite students should generally be granted, as they have special needs.

    Students are responsible for obtaining permission from lecturers and fellow students prior to admission.

    Read the guidelines for admission at SDU.

  • Personal data may only be stored in SDU's approved systems, such as OneDrive, SharePoint or Microsoft Teams. 

    Remember to only save what you need and to delete information when you no longer need it. It can be a good idea to set up some deletion deadlines for yourself. For example, at the start of each semester, you can delete information that you no longer need. In general, a clean desk policy is encouraged..

    It is also important that you actively consider who has access to the systems and thus the data you store. Remember to delete access when a colleague no longer needs access to the data in question.

    If you wish to use other IT systems than those approved by SDU IT, you must always contact  SDU RIO to clarify whether a data processing agreement exists or whether it is possible to enter into one. This also applies if you ask students to create or use systems other than those approved by SDU.

  • Notes from exams (including exam papers) must be kept for 1 year ahead of the appeal deadline. Use one of the SDU-approved systems to store the notes and make sure to delete 1 year after the exam date.
  • If you choose to take personal data out of SDU IT systems, e.g. by printing a class overview with names or sending a class overview via email, you must be aware that it is your responsibility to process the personal data in accordance with applicable rules.

Communication with students

Communication should always be sent to their student.sdu.dk email or via itslearning. Please note that messages in itslearning cannot be deleted, so please ask your students to send messages containing sensitive personal data (health information, race, etc.) via their student email.

See the communication recommendations for itslearning.

If you receive an email from a student's private email, ask them to resend from their SDU email so that you can be sure which student you are communicating with.

Remember to delete sensitive and confidential personal data from your mailbox within 30 days of receipt and general personal data when you no longer need it/case is closed. If you need to store sensitive data for longer than 30 days, move it to a system approved for longer storage, such as SharePoint. Also, be aware of whether anything needs to be entered records.

Be especially aware that all specific information about what the student has is sensitive personal data, even if the student has "only" broken a leg or caught a cold.

Guidance for students on GDPR

The executive board has adopted a policy for data protection in students' independent assignments. This states:

... that the specific guidance in relation to each student's project lies with the student's project supervisor", and that "the supervisor supports the student in completing the project in accordance with the academic, legal and ethical standards of the subject area, including the data protection requirements of the subject area.

It will often be the individual student who is responsible for the data they process in connection with master's theses, bachelor theses, etc. - but this is not always the case. If the student is involved in a research project where SDU provides data or asks the students to process data in a specific way, it may be SDU and not the student who is the data controller. If in doubt, ask SDU RIO.

Read the guidelines for data protection in students' independent assignments (docx)

Material for students

You can refer students to the pages below, and you are always welcome to orientate yourself on the MySDU pages.

Material for lecturers

In collaboration with the faculties, SDU RIO has prepared a number of slides that provide an introduction to what students should be aware of when writing their master's thesis etc. You are welcome to use them in your guidance.

Do you have any questions?

The GDPR and Information Security Coordinators are your local contact and advisor for day-to-day data protection and information security at SDU.

See also