Information på svenska om anvisningar för personuppgiftsbehandling i forskning 

Personal data sometimes need to be processed in order to achieve high quality in research at a reasonable cost and work effort. It is, however, important to make an assessment at the initial planning stage of the kind of personal data which may be necessary to process, what risks to privacy the processing would entail, whether these risks are proportionate to the purpose of the processing, as well as the conditions which have to be met under the applicable regulation. This instruction deals with some of the key issues. If you are uncertain about your obligations under the General Data Protection Regulation, you can contact the Data Protection Officer at Stockholm University. For legal matters you can also contact the legal counsels at the Office of the President.

Basic requirements for the processing of personal data for research purposes

The General Data Protection Regulation sets out the basic conditions which must be fulfilled if the processing of personal data is even to be considered legal. The list of so-called legal bases in Article 6.1 is exhaustive, which means that it must be possible to refer to at least one of these in order for the processing to be lawful. The legal basis which may primarily be of relevance at Stockholm University is processing which is necessary for the performance of a task carried out in the public interest under Article 6.1 e, and in some cases, often in the context of collecting data abroad, consent under Article 6.1 a. You can read more about these legal bases below.

The processing of personal data must not only rely on a legal basis; the processing itself must also follow certain fundamental principles. There must, for example, be a specified and explicit purpose of the processing, and the data must be accurate, adequate, relevant and not excessive in relation to the purpose for which it is collected. The latter principle is called data minimisation. This means that you need to ensure that you do not collect, use or in other ways process more data than what is necessary for accomplishing your task. You will find more information about these principles here.

Under the Ethical Review Act (2003:460), research which includes the processing of sensitive personal data and personal data related to violations of the law etc. is also subject to a requirement for ethical review of research involving humans (information about ethical review of research involving humans can be found here).

The rights of data subjects according to the General Data Protection Regulation must also be respected and the data subjects must be informed about these rights (more information and templates for information and consent can be found here). The data subjects must also be informed about the processing itself. This means that at the initial planning stage the need for further processing for archival purposes, the setting up of a data management plan for how materials are to be collected and stored, as well as who shall be given access to the material at different stages of the processing must be considered.

If there is a high risk for breaches of privacy, an impact assessment must be made before beginning the data processing (see information from the Swedish Authority for Privacy Protection). All processing of personal data at Stockholm University must be entered in the University’s record of processing activities (you will find instructions for records of processing activities here).

If personal data are to be processed by someone outside of the organisation on behalf of Stockholm University, a Personal Data Processing Agreement shall be signed. If personal data are to be published on the web or stored with a cloud service provider, specific rules must be taken into account. If personal data are to be transferred to a country outside of the EU, you must examine if this is possible. 

Processing necessary for the performance of a task carried out in the public interest

For Stockholm University (as for other universities and higher education institutions with the State as principal) the task to carry out research is defined in national law by provisions in the Higher Education Act. This means that researchers at Stockholm University can apply the legal basis ‘task of public interest’ under Article 6.1 e in the General Data Protection Regulation when they process personal data which are necessary to carry out the research. The requirement that the processing must be necessary to carry out the research does not mean that it is absolutely impossible to do the research without the processing of data. It is rather a matter of making an assessment of the reasonableness of the options at hand. Such an assessment should take into account the time, effort and costs, and whether the processing contributes to higher quality and reliability of the research results. If, on the whole, the purpose of the research can be achieved as well, as easily and at as low a cost with anonymous data as with personal data, the processing cannot reasonably be considered necessary for carrying out the research. 

Consent

Consent as a legal basis for personal data processing shall be freely given, specific, informed, and made by a statement or by a clear affirmative action. If it is a matter of sensitive personal data, the consent must, in addition, be explicit. It is important to ensure that there is no form of dependency relation between the data subject and the controller of personal data which could call into question the voluntariness of the consent. It must be easy to distinguish the request for consent from other possible issues which arise in connection with the data collection, and the consent given must apply to clearly defined purposes. It is not enough to state a general purpose such as research in a certain area. The information about the research project in question must be sufficiently detailed for the person whose consent has been requested to form a reasonable idea of what the participation and the processing of personal data will entail for them. If possible given the purpose of the processing, the option to give separate consent for different parts of the processing should be offered. The data subjects shall be given clear information about the processing and their rights. The consent shall be as easy to revoke as it was to give. The controller of personal data must be able to show proof of a valid consent. Therefore, it is important to document, in the record of processing activities, that consent has been given. Further information about obtaining consent, including templates for information sheets and consent forms can be found here

Safeguards

In accordance with the General Data Protection Regulation, all processing of personal data for research purposes shall be subject to appropriate safeguards, i.e.  measures to protect the data subject’s rights and freedoms. In data processing for research purposes, one type of safeguard, pseudonymisation, is often suitable and should thus be applied. This means that the personal data are processed in a way which makes it impossible to link them to an individual, unless additional information (stored separately) is used. This can be done for example through the use of code keys or special algorithms (so-called “hash functions”). As regards the processing of sensitive personal data and personal data relating to violations of the law etc., the safeguards are subject to specific requirements. Research carried out in Sweden and which involves processing of such data may not start until it has been approved in accordance with the Act (2003:460) concerning the Ethical Review of Research Involving Humans (see information on ethical review). For questions relating to ethical review, you are welcome to contact ethics support function the Office for Research, Engagement and Innovation Services (REIS) at Stockholm University or the Swedish Ethical Review Authority.

Some safeguards are regulated under national law. It is, however, the responsibility of the controller of personal data to ensure that the requirements under the regulation in this respect are fulfilled in each separate processing operation. For instance, the processing of personal data shall (with certain exceptions) cease if the data subject objects to the processing. Nor is it normally permitted to use personal data which are processed only for research purposes to take measures against the data subject. Technical and administrative safeguards should also be considered and measures taken when this is seen as suitable, e.g. encryption, access control and certification of staff.

In case of a personal data incident, such as a data breach, this must be reported within 72 hours to the supervisory authority. This means you contact the University’s IT Services.

Good Research Practice

In addition to the requirements set out in the data protection regulation, there are also well established guidelines on good research practice to consider, such as those presented in The ALLEA Code of Conduct for Research Integrity, the report Good Research Practice (2017) from the Swedish Research Council, and on the website CODEX.

Contacts

In case of a personal data incident, you must immediately contact the IT Services.
For questions about research integrity and ethics, you are welcome to contact the ethics support function at the Office for Research, Engagement and Innovation Services (REIS): etik@fs.su.se.  
In case of uncertainty concerning your obligations under the General Data Protection Regulation, contact the Data Protection Officer at Stockholm University: dso@su.se.  
For legal matters, you can also get in touch with the University’s legal counsels at the Office of the President.