Since May 25, 2018, the processing of personal data in research has been regulated by the General Data Protection Regulation (GDPR). The GDPR replaced the Swedish Personal Data Act (Personuppgiftslagen). On the same date a new Swedish research data law and a new data protection law came into force. This webpage contains information aimed specifically at researchers; more detailed information can be found on the other webpages here.
Research is also regulated by the Ethical Review of Research Act (Lagen om etikprövning). It requires ethical review in certain situations, for example when processing sensitive personal data or data about criminal convictions and offences. Read more about ethical review on the Research Ethics Committee's webpage or on the Swedish Ethical Review Authority's website (in Swedish).
Is personal data processed in research projects?
Personal data is any information that relates, directly or indirectly, to a living natural person. A direct identifier can be a name, an email address or a personal identity number (personnummer); an indirect identifier might be the IP address of a computer, the location data of a mobile phone or coded personal data. Pictures and sound recordings in which a person can be recognised are also personal data. The deciding factor is whether the data, on its own or in combination with other data, can be linked to a living person.
GDPR applies when personal data is processed wholly or partly by automated means, or manually when the data forms part of a structured, searchable filing system: for example, in the use of databases, web surveys, social media, and sound and image recordings. Participants in studies have the right to receive information about the data processing in accordance with the requirements laid out in GDPR, and personal data may only be used for the purposes stated in that information.
The data must also be necessary for the intended purpose and may not be stored longer than is necessary to fulfil the purpose of the study. Research data is, as a rule, preserved and archived; it may, however, be disposed of after ten years.
If a study is conducted with anonymous data, so that it is impossible to connect the information to a person, GDPR does not apply. Note that coded or pseudonymised data is still personal data as long as a code key exists, even when the code key is held by another organisation.
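The distinction between coded and anonymous data in the paragraph above is easiest to see in code. The following is an added illustration, not material from the original page or the university: a small Python script that replaces direct identifiers in a constructed sample dataset with random codes and keeps the code key in a separate table. The records, field names and the code format are assumptions made for the example. The point it demonstrates is that the coded records stay linkable across rows (which is what the study needs) and that anyone holding the key table can re-identify them, so the coded data remains personal data until the key is destroyed.

```python
import secrets

# Constructed sample records (not real persons): two rows belong to the same participant.
RAW_RECORDS = [
    {"personnummer": "19800101-1234", "email": "anna@example.org", "score": "42"},
    {"personnummer": "19900202-5678", "email": "bo@example.org", "score": "37"},
    {"personnummer": "19800101-1234", "email": "anna@example.org", "score": "45"},
]

# Fields that identify a person directly and must not appear in the coded dataset.
DIRECT_IDENTIFIERS = ("personnummer", "email")


def pseudonymise(records, identifier_field="personnummer"):
    """Replace direct identifiers with a random code.

    Returns (coded_records, key_table). The key_table maps identifier -> code and is
    the 'code key': it must be stored separately from the coded records, and the
    coded records count as personal data for as long as it exists anywhere.

    The code is random rather than a hash of the identifier: a personnummer has so
    little entropy that a hash could simply be brute-forced and would not be a key at all.
    """
    key_table = {}
    coded = []
    for record in records:
        identifier = record[identifier_field]
        code = key_table.get(identifier)
        if code is None:
            code = "P" + secrets.token_hex(8)  # 64 random bits, unrelated to the identifier
            key_table[identifier] = code
        stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        stripped["code"] = code
        coded.append(stripped)
    return coded, key_table


def reidentify(coded_records, key_table, identifier_field="personnummer"):
    """Restore the identifier from the coded records using the key table.

    Without the key table this is impossible; with it, the data is plainly personal data.
    """
    reverse = {code: identifier for identifier, code in key_table.items()}
    return [dict(record, **{identifier_field: reverse[record["code"]]}) for record in coded_records]


if __name__ == "__main__":
    coded, key = pseudonymise(RAW_RECORDS)
    print("coded records (shareable with the analysis team):", coded)
    print("code key (store separately, access-controlled):", key)
    print("re-identified with the key:", reidentify(coded, key))
```

Note that destroying the key table does not by itself make the remaining data anonymous: if the other fields (for example free text, dates of birth or rare combinations of attributes) can still single out a person, the data is still indirectly identifiable and GDPR continues to apply.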
Is personal data processed that is sensitive in terms of personal integrity?
Personal data that is sensitive in terms of personal integrity includes the special categories of personal data (sensitive personal data) and data about criminal convictions and offences.
Sensitive personal data is data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic or biometric data. Data about criminal convictions and offences concerns crimes, sentences, penalties and imprisonment.
For this type of data to be processed as part of research, the processing must be necessary for the purpose of the study and there must be an approved ethical review. Particularly strict requirements apply to the processing of such data.
Basis for Processing
Processing for research purposes can normally be based on consent, or on the processing being necessary for the performance of a task carried out in the public interest.
It is important that consent is voluntary and that there is no doubt that the data subject has given his or her approval after first having received clear information about what the processing of the personal data will involve. The consent must therefore be designed so that it covers the processing of the personal data, not just participation in the study. So that consent can be proven, it should be given in writing. Consent can be withdrawn at any time, after which no further processing may take place on that basis; processing carried out before the withdrawal remains lawful.
Inform Participants about Personal Data Processing
Participants have the right to information both about the study and about which personal data will be processed and how. In accordance with GDPR, the following must be made clear in the information given to participants:
Security, Storage and Transfer
The security requirements depend on the type and quantity of personal data and on how it will be processed. For sensitive personal data the requirements are higher. They are also higher when the data is to be transferred over the Internet, for example in an online survey. For this reason a risk analysis must be carried out and documented before the study begins, for example as part of the description of the study's method.
All university employees can store collected data on the university's central server (the H: drive, also called the hemmakatalog or home directory). This is the recommended option when processing sensitive personal data: there the data is protected and backed up regularly. If data is instead stored locally on a computer or on a mobile device such as a phone or a USB memory stick, the researcher is personally responsible for ensuring that the personal data is protected (for example by encrypting the device) and backed up.
Read more about security, storage and transfer under the heading Security and Transfer. Contact the university's Data Protection Officer or IT with any questions.
Report Data Processing
All research projects that process personal data must be reported to the university's Data Protection Officer using the notification form provided for this purpose. The reason for the reporting requirement is that the university, in accordance with GDPR, is obliged to keep a record of all processing activities involving personal data. To meet this obligation, it needs to receive these notifications.