When initiating a new research project, you need to know how personal data may be processed in research. On this webpage, we’ve collected basic information on requirements and issues when processing personal data in research. Remember that the data controller is always responsible for how and why personal data is processed.
For research, the data controller could be a university, a regional executive board, a municipal committee or another organisation like a company. The data controller is responsible for informing and instructing you on processing personal data in research.
More information about data controllers is found below.
Personal data is any data relating to an identified or identifiable natural person. The crucial factor is whether the data alone or in combination with other data, can be linked to a living person. Here are some examples of personal data:
name
address
personal identity number
The following can also be personal data:
photographs
audio and video recordings
GPS coordinates
biometric data, such as information with physical or behavioural characteristics, fingerprints and movement patterns.
Even if a specific data point cannot be linked directly to a person, it might be combined with other data that would make it possible to link the aggregated data to a person. For example, data is personal data if there is a code key that allows someone to be identified.
It can be difficult to determine whether a research project will involve the processing of personal data. This is why it is important that the data controller carefully considers questions regarding personal data before beginning a research project.
If personal data is made anonymous in such a way as no one can be directly or indirectly identified, it is referred to as “anonymised”. The General Data Protection Regulation (GDPR), which regulates the processing of personal data, does not regulate anonymised data.
It can be very difficult to anonymise data in a way that that no longer makes them personal data.
Sensitive personal data is data revealing:
racial or ethnic origin
political opinions
religious or philosophical beliefs
membership in trade unions
data concerning health
data concerning a person’s sex life or sexual orientation
genetic data
biometric data for the purpose of uniquely identifying a person.
The general rule is that it is prohibited to process sensitive personal data, but GDPR does allow exceptions. One such exception is if processing is necessary for research purposes. This does require, however, that certain conditions are met.
As with all processing of personal data, as a researcher you should contact the data controller if you plan to process sensitive personal data.
Personal data relating to criminal convictions and offences are not sensitive personal data as defined by GDPR, but there is strong protection for this type of information. Personal data relating to criminal convictions and offences is data about someone having
committed a crime
been convicted or been found not guilty in a criminal court
been the subject of coercive measures in a criminal investigation, such as detention, travel ban or seizure
suspected for a specific crime.
In general, only public authorities may process personal data relating to criminal convictions and offences but there are some exceptions. As with all processing of personal data, as a researcher, you should contact the data controller if you plan to process personal data relating to criminal convictions and offences.
Personal data processing is everything done when personal data is processed, such as when personal data is:
collected
saved
shared/released
sorted
published
stored
deleted
Collecting personal data can include questionnaires or interview surveys or collecting data from databases.
The General Data Protection Regulation (GDPR) is intended to protect fundamental rights and freedoms, particularly the individual’s right to protection of their personal data. GDPR went into effect throughout the European Union in May 2018 with the aim of creating a consistent and equal level of protection for personal data without impairing the free flow of information within the EU and the EEC.
Fundamentally, GDPR derives from basic human rights. The right to privacy is also protected in several other regulations. The individual’s right to respect for their privacy and family life is regulated in the European Convention for the Protection of Human Rights and Fundamental Freedoms and other regulations.
The EU has also adopted a statute on the fundamental rights that regulate such things as the right of protection for personal data. The Swedish constitution also protects personal privacy.
The data controller is normally the one who determines for what purpose the personal data may be processed and the means of the processing. For example, the data controller can be a company, a foundation, an association or a state, regional or municipal authority.
For research at higher education institutions, the university or university college is most often the data controller and not the manager or the vice-chancellor at the workplace or an employed researcher.
An individual researcher is only in a few cases the data controller, such as if the person conducts research within the framework of an individual company. All personal data processing must comply with GDPR.
As an individual researcher, you may only process personal data in accordance with the instructions you have received from the data controller. You should always contact the data controller before processing personal data.
In some cases, the data controller must appoint a data protection officer. This applies to all public bodies, such as public higher education institutions.
The role of the data protection officer is to provide information on GDPR, provide advice on GDPR and monitor that everyone in the organisation complies with GDPR. For this reason, turn to the data protection officer when questions arise about personal data processing in your research.
General rules on personal data processing are found in GDPR. These are supplemented by regulations in the Data Protection Act and several register regulations that regulate how personal data may be processed in specific types of organisations.
IMY is the supervisory authority as stipulated in GDPR and the Data Protection Act. We are tasked with reviewing and implementing applications of the data protection rules. As such, we are empowered to review how personal data is processed in research.
One example of when we have done so is IMY’s decision on data security and processing of personal data in connection with research.
Approval is required from the Swedish Ethical Review Authority when sensitive personal data and personal data relating to criminal convictions and offences is processed within research.