Storing personal data

The rules governing the processing of personal data do not set any specific requirements concerning security. No requirement is thus made for the persons who process either sensitive or ordinary personal data to have their own office, or that personal data may only be processed electronically.

The general rule is that both the data controller and the data processor must take appropriate technical and organisational security measures on the basis of a specific risk assessment. The assessment may entail that concrete, physical or technical measures must be taken, such as locking up premises and taking other measures to ensure that sensitive data cannot be accessed by unauthorised persons.

Who may view the personal data that I process?

• Internally within AU: The parties for whom it is necessary to view the personal data, in accordance with the purpose and legal basis.
• Outside AU: The parties to whom the data subjects have been informed that the data will be disclosed (whether this concerns other data controllers or data processors for AU).    

Read more about the security of processing.

• You may never store or process confidential or sensitive personal data on your private computer or other private equipment. If you work with personal data, you must always use the computer issued to you as an Aarhus University employee.
• Sensitive personal data in its final form may not be stored in AU’s e-mail and calendar program (Outlook) and because it is not intended for the storage of sensitive personal data.

The rules for secure storage of personal data are, in principle, the same for digital and physical material. This means that only persons in positions of trust with a legitimate need may have access to the personal data.

• The physical material containing personal data must be kept under lock and key when not in use.
• The physical material may only be accessible to persons in positions of trust.
• The physical material must be destroyed responsibly when the purpose of storing it has lapsed.

When you have finished working with personal data and the result is available in final form, please note that different rules apply. E.g. sensitive personal data in its final form may not be stored in AU’s e-mail and calendar program (Outlook) because it is not intended for the storage of sensitive personal data.

Storing primary data (sensitive personal data)

Academic staff must be aware that, in accordance with the “Responsible conduct of research at Aarhus University”, primary data (and thereby sensitive personal data) data must be stored for minimum five years after “completion” (i.e. in practice for minimum five years after the most recent publication of new results from a given data set). In this respect, AU is also obliged to make servers, archives etc. available.

Project descriptions containing the names and positions of collaborative partners.

You may store personal data for as long as necessary for the purpose for which the data was collected. This means that you may store the project description for as long as you are working with it or on the subsequently approved project. After this, it must be deleted. If the project is not approved, and you wish to retain the project description for any later applications, you must make it anonymous so that it does not contain personal data. In the case of sensitive personal data, other rules apply to storage (storage for a maximum of 30 days).

Articles and reports which contain names, email addresses, job titles, tel. nos., etc. 

In the case of published articles and reports, these may be retained. If the articles and reports have not yet been published, this will depend on the purpose of storing them.  

Final contracts for research and consulting projects

You must send final contracts for research and consulting projects to TTO - tto@au.dk.