This page provides information about research ethics and GDPR for researchers.
Research misconduct and good research practice
All staff at Södertörn University are responsible for ensuring that good research practice is applied.
Researchers at Södertörn University can contact the Council for Research Ethics if they suspect deviations from good research practice.
Good research practice is the moral praxis that develops when the relevant actors critically reflect on research activities in dialogue with the surrounding community. The principles upon which such praxis rests are described in a range of documents, including the European Code of Conduct for Research Integrity External link, opens in new window., which is published by All European Academies, ALLEA.
Research misconduct is a serious deviation from good research practice in the form of fabrication, falsification or plagiarism, and which is committed deliberately or through gross negligence in the planning, implementation or reporting of research.
Fabrication is making up results and recording them as if they were real.
Falsification is manipulating research materials, equipment or processes or changing, omitting or suppressing data or results without scientific justification.
Plagiarism is using other people’s work and ideas without giving proper credit to the original source.
For actions of this kind to be considered misconduct, they must be serious and committed deliberately or due to gross negligence.
Deviation from good research practice is a broader concept than research misconduct, as it includes other misdemeanours. Examples could be not obtaining informed consent from research subjects, not applying for permission from the Swedish Ethical Review Authority when necessary, breaching regulations on secrecy and archiving, inappropriately obstructing or delaying the work of other researchers, manipulating authorship, or self-plagiarism.
Laws and ordinances that regulate good research practice, and deviations from it, assume that the relevant activity is an example of research and not, for example, care provision, teaching, art, journalism or a market survey. Providing an exact definition of research is difficult, but in the context of research ethics it means knowledge-producing activities that are conducted using scientific methods based on scientific theories, usually at higher education institutions, scientific institutes or other similar environments. Scientific theories and methods are those accepted by the research community, which is a broad definition and should be interpreted as theories and methods used by an established research group. In general, as well as the researcher, there is an entity responsible for research that is ensures compliance with good research practice. In our case, Södertörn University is the entity responsible for research.
In the context of research ethics, research is activity that aims to generate results that will be published in scholarly forums: articles in scholarly journals, monographs and contributions to anthologies. It is difficult to state what exactly counts as a scholarly publication, but the category is broader than articles and book contributions that undergo peer review. In general, essays authored by students at Bachelor’s or Master’s level are not research unless the student or supervisor (or both) intends to publish the results in a form other than the essay itself. The knowledge-generating activities of doctoral students during the production of a thesis are always considered research. The presentation of research and its results outside the research community and teaching (third stream activities) is generally considered popular science (which is not research). The line between scientific and cultural journalism and research can be hard to draw, particularly in the social sciences and humanities but, in general, researchers should ask whether there is an assumption that the journal in which the research is presented is read by other researchers in the field in which they work (apart from the interested general public). If so, it is research.
All staff at Södertörn University are responsible for ensuring that good research practice is applied. If you have suspicions or questions about deviations from good research practice, you must contact the Council for Research Ethics.
If the activity under suspicion is assessed possible research misconduct, the case will be transferred to the National Board for Assessment of Research Misconduct. If the suspicions relate to other deviations from good research practice, the university will process the case internally.
For a more detailed description of the process, see the university’s procedure, Case Management Procedure for Suspected Deviations from Good Research Practice.
GDPR for researchers
Personal data processing is often necessary when conducting research. The General Data Protection Regulation (GDPR) applies to personal data that is processed in this context. It is therefore important, beginning with the project’s planning phase, to decide whether personal data will be collected and processed. The information in the expander boxes provides support for researchers dealing with personal data as part of a research project.
Personal data is information that can be directly or indirectly linked to a living, identified or identifiable physical person. This means that anyone who is deceased is not covered by the GDPR. Examples of personal data are name, address, email address and personal ID number. Video and audio recordings, such as recorded interviews, can be considered personal data.
Sensitive personal data and personal data relating to criminal convictions and offences
Research projects that include sensitive personal data and personal data relating to criminal convictions and offences must undergo approved ethical review before research starts. More information about ethical review is available below the heading Ethical review.
Sensitive personal data are details about
- ethnic origin (this also includes questions about what is sometimes called “race”)
- political opinions
- religious or philosophical beliefs
- membership of a trade union
- a person’s sex life or sexual orientation
- genetic information (e.g. details from DNA analysis)
- biometric information (e.g. facial recognition or fingerprints)
Personal data relating to criminal convictions and offences is information about whether someone has committed a crime, been convicted in court in a criminal case, been the object of procedural coercive measures (e.g. detention, seizure, or prohibition of travel) and suspicion of a criminal offence.
The GDPR establishes fundamental principles that must be considered in all personal data processing. These principles, shown below, should be considered when you work with personal data.
- Do not process more personal data than necessary.
- Only collect personal data for specific and legitimate purposes.
- When the personal data is no longer needed for the stated purpose, under the GDPR it must be erased or deidentified. Please note that for research data, this data must be preserved or erased in accordance with the university’s information management plan.
- Personal data must be protected using the appropriate security measures.
Purpose of personal data processing
Under the GDPR, all processing of personal data must have a specific and expressly stated, legitimate purpose. In a research project, the purpose is undertaking the research the project intends to conduct.
In addition to the requirement for a clear purpose for the processing of personal data, the processing must be supported by one or more of the six lawful bases established in the GDPR. The lawful bases that may be particularly relevant for research conducted at Södertörn University is that personal data processing is necessary to perform a task in the public interest, as well as consent.
Personal data processing necessary to perform a task in the public interest
Personal data may be collected and processed if it is necessary to perform a task in the public interest. A task in the public interest must be supported by law or other ordinance. The task of conducting research is established in the provisions of the Higher Education Act, which means that when processing personal data is necessary to conduct research, researchers can use the lawful basis that it is a task in the public interest.
To assess whether personal data processing is necessary, you must conduct a fair assessment in which you examine whether there are other ways of conducting the research. If the purpose of the research can be achieved as successfully, easily and cheaply using anonymised data as it can with personal data, personal data processing cannot be considered necessary.
Consent as a lawful basis
Under the GDPR, consent must be freely given, specific and informed, as well as provided through a statement or a clear affirmative act. Consent must state that the person agrees to the processing of their personal data. It is important to ensure that there is no form of dependency between the person providing consent and the data controller (Södertörn University) that may mean the voluntary nature of the consent could be questioned. If a research project intends to collect personal data from employees or students at Södertörn University, some form of dependency could be considered to exist.
Consent as a lawful basis can be used during research partnerships with private or international organisations, because these actors cannot always use the lawful basis of a task in the public interest.
If you have questions about lawful basis, please contact firstname.lastname@example.org.
Consent to participate in research
A fundamental principle of research ethics is the collection of informed consent from the people who intend to participate in the research. One reason for collecting informed consent is to protect someone who intends to participate in research and to respect their right to autonomy. Consent to participate in research is not the same as consent to personal data processing – these are two separate things.
People who participate in research projects must be informed about personal data processing and their rights under the GDPR. This information must state who is responsible for the personal data processing and the purpose of the processing.
Participants must also receive clear, detailed information about what participation in the study entails (such as the methods that will be used and how participants can access the study’s results). For more information, see the expander boxes below Ethical review. There are templates for information texts and consent forms for use by researchers in the expander box called “Check list and useful forms”.
Under the GDPR, all personal data processing for research purposes must be subject to the appropriate security measures. Södertörn University is currently conducting work on a framework for information security. This type of framework means that information, such as personal data, must be classified according to given parameters. For example, sensitive personal data will receive a higher classification and thus a higher security value than other personal data. During the time that the university is working on a framework for information security, follow the below guidance.
The choice of security measures is dependent on the type of personal data being processed within the research project, as well as the amount of personal data. Encryption and access control are examples of technical and administrative security measures that can be taken when they are assessed suitable. One important principle in the GDPR is the principle of data minimisation, i.e. the personal data being processed must be adequate, relevant and limited in relation to the purpose. Do not collect more personal data than is needed.
One security measure that is often appropriate for personal data processing for research purposes is pseudonymisation. Pseudonymised personal data means that the personal data can no longer be linked to a particular person without a supplementary information (code key). For personal data to be considered pseudonymised this supplementary information must be kept separately and protected by measures that ensure they cannot be used to identify the person. Note that pseudonymisation is not the same as anonymisation. For example, in pseudonymisation, the personal ID number is replaced by a code. This code can be linked to the personal ID number through the code key. Personal data is thus not deidentified because there is still supplementary information, i.e. the code key, which can identify an individual. Pseudonymised information is considered personal data and is therefore covered by the GDPR. If the code key is destroyed and it is no longer possible to link and individual to the information, the data is then considered anonymised. Anonymised information is not regarded as personal data and is therefore not covered by the GDPR. However, it can be difficult to deidentify personal data in research data, as you must ensure that all the opportunities for identifying someone have been removed.
This places specific demands on security measures for research data that contains sensitive personal data and personal data relating to criminal convictions and offences. Research that contains such information may not start until it has received approval from an ethical review. More information about how such personal data will be processed by the university is available at Rättslig vägledning (legal guidance - only in Swedish).
The university is currently working on a new storage solution for research data.
For more information about the security measures that should be taken when processing personal data, please contact email@example.com. For issues of a technical nature (such as storage solutions or technical security solutions), please contact firstname.lastname@example.org.
The basis in the GDPR is that personal data may only be saved for as long as it is needed for the purpose of the personal data processing. Because Södertörn University is a public agency, research data created at the university often comprises official documents. Research data is thus covered by the Archives Act. The university’s information management plan, based on the regulations of the National Archives of Sweden, states which research documents must be preserved or erased.
If you have questions about erasure and archiving, please contact email@example.com.
Awareness of research data management has increased recently, and researchers are often asked to present a data management plan at the start of a project. Read more on the library’s webpage about research data management during and after the project period External link, opens in new window..
The university’s registry and archive function also provides support regarding which documents need to be registered and archived.
If your research relates to people in some way, your project may need to undergo ethical review. The head of school must be informed about the ethical review and it must be entered in the registry. It is not part of The Council for Research Ethics task to provide support in ethics review, in these cases the university refers to the authority for Reserch ethics, Etikprövningsmyndigheten External link, opens in new window.. They have some information in English at the bottom of the page.
The purpose of the legislation is to protect individuals and to respect human dignity. People who participate in a research project must be protected from physical, mental and privacy-related risks. Legal certainty must be protected for researchers and for research subjects. The ethical review weighs any risks in the project against the expected benefit to society. Research that must undergo ethical review is regulated in the Swedish Ethical Review Act (2003:460) External link, opens in new window. and in the Act (2019:1144) External link, opens in new window. on amendments to the Ethical Review Act.
The legislation applies to every part of the research process that is conducted within Sweden, from the recruitment of research subjects to data collection, data processing, analysis and publication of results, etc. Your research must therefore undergo ethical review in Sweden if it is conducted at Södertörn University, even if you collect data in another country. If any of your research is conducted in another country, then that country’s laws and regulations apply.
Research must undergo ethical review if it:
- involves a physical procedure on a living or dead person
- is performed using a method that aims to affect a person physically or mentally or entails the risk of such an injury
- is performed on biological material from a living or dead person that can be traced to that person
- includes the processing of sensitive personal data
- includes information about crimes
Under Swedish law, sensitive personal data is:
- ethnic origin (this also includes questions about what is sometimes called “race”)
- political opinion (also in the broader sense, not just party politics or involvement)
- religious or philosophical beliefs
- membership of a trade union
- a person’s sex life or sexual orientation
- genetic information
- biometric information that is used to unambiguously identify a person
More information about sensitive personal data can be found on the website of the Swedish Authority for Privacy Protection. External link, opens in new window.
The entity responsible for research (e.g. higher education institution, company or region) has ultimate responsibility for projects that fall under the legislation being subject to ethical review, and that no such research is conducted without approval. Generally, in university activities, the organisational responsibility for this rests with the head of school, who must sign the application.
An ethical review must be conducted regardless of whether your research is externally funded or if you are conducting it as part of your employment. The lead researcher applies for ethical review of a project. In practice, this is often the project manager or a doctoral student’s principal supervisor. However, the doctoral student is listed as the lead researcher on many doctoral projects, but if the lead researcher does not have a doctoral degree, the project must be conducted under the supervision of a researcher with a doctoral degree. The application must state who this is, and, for doctoral students, this is generally the principal supervisor. For doctoral projects, the principal supervisor is also responsible for ensuring that the project undergoes review. It is important that the ethical review is conducted before data collection starts, because a project cannot be reviewed in retrospect.
Projects in the abovementioned areas must undergo ethical review under the Swedish Ethical Review Act (2003:460). Not doing so may lead to fines or, in serious cases, a custodial sentence.
However, even if the project is not subject to the legislation, you can still have your project ethically reviewed and request an advisory statement from the authority. Apart from the legal obligation to have projects that fall under the Swedish Ethical Review Act (2003:460) External link, opens in new window. ethically reviewed, there may be other good reasons for doing so. For example, increasing numbers of international journals and publishers demand that the research on which a publication is based must have undergone ethical review; they could have laws and principles to relate to other than Swedish ones. One way of overcoming these barriers to publication is to apply for ethical review and request an advisory statement. When you contact journals and publishers, this statement can document that the project has undergone ethical review.
Research covered by the Swedish Ethical Review Act may only be conducted if the research subjects have provided informed consent. Consent must be voluntary, explicit and precise in relation to each research project. Consent must always be documented, preferably in writing. Consent is only valid if, prior to the start of data collection, the research subject has received information about the research plan and purpose, project methodology, potential risks or other consequences of participation, and the entity responsible for research for the project. They must also be informed that participation in the study is voluntary and that they can cease participating at any time without providing a reason.
Information about how ethical reviews are conducted is available on the Swedish Ethical Review Authority’s website External link, opens in new window.*. Södertörn University also offers regular internal courses on issues relating to research ethics, including ethical review.
You must also remember that your ethical review and notification of approval must be recorded in the registry at Södertörn University.
*The authority is planning to translate the web page into English, meanwhile they can provide the application documents in English. Note that the documents are only for guiding purpose - the application has to be written in Swedish with the Swedish application documents. Scroll down on the authority's website for information in English.
Below is a list of items you must consider. There is a list of documents that may be useful at the end of the collapsible text.
- Check that sensitive personal data will not be processed. If it will be, an ethical review must be conducted by applying to the Swedish Ethical Review Authority.
- Decide how the information will be stored and ensure that it is processed securely while work is underway.
- In consultation with the archivist, decide which parts of the information will be erased or retained when work is completed.
- Fill in the information and consent form.
- Inform and collect consent from every single person who will participate in the study, collect the necessary personal data, and process the personal data in accordance with what was decided in steps 1-5 above.
- After the project has been completed, erase or archive the personal data material in accordance with what was decided in step 4 above.
Shared responsibility for personal data
Are you collaborating with another higher education institution? Will you be transferring personal data between you? If so, you must draw up an agreement about this.
Useful forms and documents