Urkund is a digital system used by universities and schools for checking plagiarism in students’ essays. Urkund is provided by Prio Infocenter AB, company reg. no. 556483-9032 (“we/us”).
We process personal data in order to conduct our business operations and provide the Urkund service. We are careful to protect the privacy of contact people at our customers and the privacy of users and strive to maintain transparency regarding the processing of personal data which takes place in our business operations and within the scope of Urkund.
2. Responsibility for processing of personal data
The party that processes personal data is either the controller of personal data or the processor of personal data. The controller is the party which determines the purposes and means of the processing of personal data while the processor is the party that processes personal data on behalf of a controller.
It is the controller which has the overall responsibility for ensuring that the processing of personal data takes place in accordance with applicable data protection legislation, while the actual handling of the personal data may be transferred to processors of personal data which must also comply with rules to ensure sufficient protection for the personal data.
It is possible to be the controller of certain processing activities while at the same time being the processor other processing activities. When personal data is processed within our operations, we are the controller for the processing (see section 5 below), while we are the processor when we act at the request of universities/schools and process personal data in the Urkund service since it is the university/school in this case which decides on the processing we perform on their behalf in the system (see section 4 below).
Our guidelines entail that we always process personal data in accordance with the principles regarding the processing of personal data set forth in article 5 of the General Data Protection Regulation, 2016/679 (EU) (often referred to as “GDPR”). In light of these principles, we endeavour:
- to ensure that all information and communications in conjunction with the processing of personal data are easily available and understandable, using clear and unambiguous language (lawfulness, fairness and transparency).
- not to collect personal data because it might be “good to have” (purpose limitation).
- not to process more personal data than is necessary to fulfil the purpose (data minimisation).
- to have routines in order to promptly erase personal data which is not required for the purpose and to correct incorrect data as soon as possible (storage limitation and accuracy).
- to implement technical or organisational safeguards in order to protect the personal data so that it is not accessible to unauthorised persons, destroyed or damaged (integrity and confidentiality).
- to document and demonstrate that the principles and applicable data protection legislation have been complied with (accountability).
4. The Urkund service
4.1 How does the service work?
When universities and schools enter into an agreement to use the Urkund service to check students’ essays, teachers and other authorised personnel at the school receive a user account, referred to as the “receiver account”, through which they can submit essays to be checked in the system. The teachers can also instruct the students to submit documents directly to the teacher’s Urkund account. In cases where the student submits the document to the teacher’s account, the student is registered in Urkund on a “submitter account”.
When an essay is sent in, it is compared with other student essays, texts which are available on the Internet, and external sources. After the essay has been reviewed, a report is sent to the teacher which highlights sections with similar content in other sources, what is referred to as the plagiarism report. Regardless of whether the teacher or the student submits the document, the plagiarism report is delivered to the teacher. The teacher may elect to share the report with the student, but the student does not receive the report automatically. We never decide whether plagiarism is involved. Instead, we only provide the Urkund service and the report which indicates textual or style similarities after which the schools may carry out their own assessment of whether plagiarism is involved.
The Urkund service works the same way for those who use a teaching platform in which Urkund is an integral part of the platform. For information regarding which data we have access to via the teaching platform used by your educational organisation, please contact the distributor of the teaching platform or our support department.
4.2 Purpose of the processing
It is the controller (the university/school) that establishes the purposes of the processing of personal data in the Urkund service. We only process the personal data for the purposes stated by the university/school.
4.3 Legal basis for the processing
In order for it to be permissible to process personal data, there must always be support in the General Data Protection Regulation, referred to as the legal basis. It is the controller (the university/school) which establishes the legal basis for the processing which we perform on their behalf. The legal basis for processing may be: (1) the consent of the data subject; (2) the processing is necessary to perform a contract to which the data subject is a party; (3) the processing is necessary for the controller’s compliance with legal obligations; (4) the processing is necessary to protect vital interests of the data subject or of another natural person; (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or finally (6) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, where the interest in processing the data overrides the protection of the data subject’s privacy (however, public authorities may not base their processing on a legitimate interest ‘balancing test’).
Most schools base the processing of personal data in Urkund on it being necessary to perform a task of public interest or as a part of the exercise of public authority by the controller to be able to grade and assess the work submitted. This is often written into the school’s/university’s own policy.
4.4 How do we obtain access to the personal data?
We obtain access to the personal data processed in Urkund through the teacher/student submitting it to the system (see section 4.1 above “How does the service work”).
4.5 Which personal data do we process?
Data is processed in Urkund regarding four different categories of users: customers, administrators, teachers and students. At the request of universities/schools, we process the following personal data in the Urkund service:
- Email address
- Linguistic style
- IP address
- Shibboleth identity
- Document (which may contain personal data in the text of the document)
- Email messages (which may contain personal data in the body of the message)
- Submission comments (which may contain personal data in the text)
All personal data is linked in Urkund to the email address which becomes the identity key. The email address is a mandatory piece of information which is directly or indirectly linked to a person (the email address may be impersonal, for example, email@example.com, but the email address is used as the identity key, i.e. the unique identifier for each person). The data is saved to be able to show the teacher who submitted the document and for the teacher to be able to create a user account. Urkund also stores email addresses to simplify the handling of various versions of documents so that Urkund can avoid showing hits between several different versions of documents which are submitted by the same student. Urkund also uses email addresses for students to be able to see what documents and information they have saved under their user account.
Linguistic style is personal data in that Urkund is able to link linguistic style to the person who wrote the text. Linguistic style is saved in the form of a code string which is linked to the Submitter (student).
A name is voluntary data except in cases where the university/school uses a Single Sign-On solution (SSO) for logging in. In such cases, names which have been stated by the university/school’s IDP (Identity Provider Server) are saved as mandatory data. When names are not stated and when SSO is not used, the first text on the email address is used as the name, i.e. whatever text comes before the @ sign. In the example in which firstname.lastname@example.org is used as the owner of the user account, the name would thus be stated as “Info” where a name has not been stated.
IP addresses are stored in system logs for possible troubleshooting.
The Shibboleth identity is data which is stored in the event the university/school uses a Single Sign-On solution for logging in. The Shibboleth identity is a type of user name which is used for linking to a user in a Single Sign-On server. The structure appears as an email address but, in practice, does not work as one. The Shibboleth identity often contains a summary of the person’s name. A person by the name of Anders Johansson might have a Shibboleth identity which looks like this: email@example.com.
Documents/email messages/submission comments
Documents, email messages, and submission comments which are submitted are stored in Urkund in order to make it possible to provide the service. The personal data which may exist in the text is then stored in an unstructured form in Urkund. The document text is saved to be able to convey it to the teacher and for schools using Urkund to be able to use the earlier documents as source material in future comparisons. The submission comments and email messages submitted in conjunction with submission of documents are stored to be able to provide a reporting package after comparison.
4.6 Sensitive information and safeguards
The body text in a document which is submitted via Urkund may contain sensitive personal data. According to the applicable data protection legislation, the primary rule is that sensitive data may only be processed with consent or where there is an exception, for example that the processing is necessary for reasons of substantial public interest and sufficient safeguards are implemented when the data is processed. It is the university/school which must have support for processing the data which we subsequently process on their behalf in the system. We have functionality implemented in Urkund to make it possible for the schools to choose to erase documents which contain sensitive data, provided there are no grounds for processing the data.
Our security systems have been developed with the privacy of the students at the forefront and protect to a very high degree against infringement, destruction, and other changes which might entail a risk to the privacy of the students. Students also have an independent possibility to conceal content in documents which they believe contains sensitive data, without requiring the approval of the university/school. This does not mean that the student avoids a plagiarism check or that the content is not shown to the receiving teacher. The content of the document, as well as who offered the document, will however be hidden from other teachers who possibly obtain a hit in your document during a subsequent plagiarism check.
4.7 How long is the data saved?
We save the data in Urkund based upon the wishes of the university/school. Information is anonymised or erased if, and when, the university/school so wishes and based upon the settings chosen by the university/school. It is the responsibility of the university/school to inform its students regarding which systems the university/school uses and which personal data the systems process, as well as how long they are stored.
The code string containing the student’s linguistic style is erased or anonymised based upon the wishes and settings of the school/university. IP addresses are saved for a maximum of six months unless the university/school has requested a different storage time in the agreement. The Shibboleth identity and the document text which students submit are saved according to the wishes of the university/school. The universities/schools may choose different types of settings depending on how they wish to handle the data, and tools to be able to handle data themselves.
Any personal data which is written in the comments in conjunction with the submission of documents is stored in the reporting package and saved for maximum of 25 months or according to the wishes of the university/school. It is erased at the same time as the report package. Any personal data which is found in submitted email messages when the documents are sent by email is stored and the email is deleted after a maximum of six months. Text in the body of email messages is subsequently stored as comments in the reporting package in the same way as submission comments and saved for maximum of 25 months. They are erased at the same time as the reporting package.
4.8 When do we disclose personal data?
The information in Urkund is not available to the general public and is only available to educational organisations. The database is not searchable other than through a plagiarism check of a document, i.e. a document is sent in for analysis and a response is provided with results only in the form of a plagiarism report. Documents may be released to teachers who receive a hit in the document in conjunction with another student’s plagiarism check. This occurs where the teacher requests the document from the school/university which is responsible for the document which generated the hit. This request is not made to us and not approved by us. Instead, it is the university/school is responsible for the document which is stored. Even documents where students have concealed content may be requested by teachers who receive a hit in the document in conjunction with a subsequent plagiarism check.
4.9 Subcontracted processors and transfers to third countries
We may retain the services of subcontracted processors within and outside of the EU/EEA (third country) for the processing of personal data. If this takes place, we will ensure that the subcontracted processors are bound by written agreements which impose upon them the same obligations and the processing of personal data as the obligations we have as a processor of personal data. In addition, we may transfer the information to the police or other public authorities where there is a legal obligation for us to disclose the data to them.
5. Urkund’s operations
5.1 Our processing of personal data
In certain situations, as described in the points below, we are also the controller of personal data:
- Data which is registered when visitors go to our website
− the data is saved in the form of IP addresses. The information is saved in order to be able to check for attempted infringement and is deleted as required by law.
- Contact information which we collected from public filing systems
− the data is saved in order to be able to contact the universities/schools to offer our services.
- Data which persons submit when they contact us, seeking employment with us, visiting us, or otherwise in contacts with us
− this data is saved in order for us to be able to recontact people and handle applications. The data is deleted on a regular basis, normally within two years.
The processing above is based on a legitimate interest ‘balancing test’, where our interest in the processing is deemed to override the interest of the data subject in protection of personal privacy. We have a legitimate commercial interest in the personal data processing. There is a relevant relationship between us and the persons who are registered – visitors to the website, individuals who contact us, and potential customers – and the information is required in order for us to be able to contact these individuals, check the website, and offer our service.
The processing below is based instead on consent from the data subject and it is possible for them to revoke their consent for this processing.
- Data which we receive when anyone signs up for our newsletter and other mailouts
− the data is saved in order for us to be able to send out the newsletter and mailouts. The data is saved until deregistration takes place at the request of the party who signed up for the newsletter or mailout.
- Data which individuals provide when they respond to questionnaires and studies
− which data is saved and when it is deleted is set forth in the relevant study, normally within two years.
The personal data may, for the purposes set forth above, be disclosed to other companies with which we cooperate. We may retain the services of processors of personal data within and outside the EU/EEA (third country) for the processing of personal data and may transfer your personal data to third countries. Where this takes place, we will enter into agreements and take other measures protect the personal data in accordance with the applicable statutory requirements. In addition, we may transfer the data to the police or other public authorities where there is a legal obligation for us to disclose the information to them.
We use two types of cookies. The first type is a persistent cookie which saves a file for a longer period of time on the visitor’s computer. This is used, among other things, for functions which indicate what is new since the user last visited the relevant website. The other type of cookie is called a sessions cookie and these are only valid during the visit to the website, for example in order to keep track of whether the visitor is logged in. We also use third-party cookies for, among other things, analysis of the traffic pattern with the help of the third party.
A visitor who wishes to avoid cookies being used may make changes in their security settings in the security alternatives in the browser so that the web browser does not accept cookies at all, or so that the visitor receives a question each time a website attempts to place a cookie in their computer. The visitor also has a possibility, through their web browser, to accept only sessions cookies. The visitor can also choose to remove previously stored cookies. A visitor who chooses not to accept cookies will, unfortunately, not be able to use vital functions on our website, such as logging in.
6. The rights of the data subject and our contact information
Customers and users may request what is referred to as a filing system extract with information regarding which personal data is processed about them and also have the right, at any time, to request correction, blocking, or erasure of personal data which is incorrect. Customers and users are also entitled to receive their personal data in a machine-readable format [or, where technically possible, to have the data transferred to a third party].
There is a possibility in Urkund for students who have submitted files via the service to log into Urkund and manage display settings for their documents and to be able to see which data has been stored regarding them. Other inquiries which involve the Urkund service, where we act as a processor of personal data at the request of a university/school, must be submitted directly to the university/school which is the controller of personal data. This means that we will subsequently act at the request of the university/school and not at the request of an individual student. The right to erasure or anonymisation and (the so-called “right to be forgotten”) is the type of right which will be handled via the university/school which is the controller, either directly through the tools Urkund provides or through contacts with Urkund. There are exceptions to the right to erasure where it is necessary to ensure other important rights such as, for example, the performance of a duty of public interest or as a part of the exercise of public authority and it is the university/school which decides whether erasure is to take place. The university/school may also refuse to erase data where it is required to perform legal obligations. The student may, for example, be under investigation for plagiarism. Universities and colleges also are entitled, according to the Higher Education Ordinance, to bring a disciplinary matter within 24 months after completion of a course.
In those situations where we are the controller, for example when someone registers for our newsletter and other mailouts, the data subject may turn to us directly in order to exercise their rights.
Prio Infocenter AB
SE-167 15 Bromma, Sweden
+46(0)8 738 52 00
In addition to this, customers and users may contact the supervisory authority, the Swedish Data Protection Authority, with any complaints regarding our processing of personal data.
Datainspektionen (the Swedish Data Protection Authority)
SE-140 20 Stockholm, Sweden
+46(0)8 657 61 00