- Start
- / Startpage
- / Research
- / Support for researchers
- / Personal data in research
Personal data in research
Personal data processing is often necessary when conducting research. The General Data Protection Regulation (GDPR) applies to personal data that is processed in this context.
It is therefore important, beginning with the project’s planning phase, to decide whether personal data will be collected and processed. The information in the expander boxes provides support for researchers dealing with personal data as part of a research project.
What is personal data?
Personal data is information that can be directly or indirectly linked to a living, identified or identifiable physical person. This means that anyone who is deceased is not covered by the GDPR. Examples of personal data are name, address, email address and personal ID number. Video and audio recordings, such as recorded interviews, can be considered personal data.
Sensitive personal data and personal data relating to criminal convictions and offences
Research projects that include sensitive personal data and personal data relating to criminal convictions and offences must undergo approved ethical review before research starts. More information about ethical review can be found on the page Research Ethics.
Sensitive personal data are details about
- ethnic origin (this also includes questions about what is sometimes called “race”)
- political opinions
- religious or philosophical beliefs
- membership of a trade union
- health
- a person’s sex life or sexual orientation
- genetic information (e.g. details from DNA analysis),
- biometric information (e.g. facial recognition or fingerprints)
Personal data relating to criminal convictions and offences is information about whether someone has committed a crime, been convicted in court in a criminal case, been the object of procedural coercive measures (e.g. detention, seizure, or prohibition of travel) and suspicion of a criminal offence.
Personal data that is not sensitive according to GDPR but needs extra protection
There are other types of personal data that are not sensitive according to GDPR but still needs extra protection. Here are some examples:
- Data regarding salary
- Personal data relating to criminal convictions and offences
- Evaluative information, such as information from development talks, information about results from personality tests or personality profiles
- Information that concerns someone’s private sphere
- Information about social conditions
- Personal identity number
These personal data require a higher level of security compared to harmless personal data such as name, email address, and phone number.
Fundamental principles
The GDPR establishes fundamental principles that must be considered in all personal data processing. These principles, shown below, should be considered when you work with personal data.
- Do not process more personal data than necessary.
- Only collect personal data for specific and legitimate purposes.
- When the personal data is no longer needed for the stated purpose, under the GDPR it must be erased or deindentified. Please note that for research data, this data must be preserved or erased in accordance with the university’s information management plan.
- Personal data must be protected using the appropriate security measures.
Purpose of personal data processing
Under the GDPR, all processing of personal data must have a specific and expressly stated, legitimate purpose. In a research project, the purpose is undertaking the research the project intends to conduct.
Lawful basis
In addition to the requirement for a clear purpose for the processing of personal data, the processing must be supported by one or more of the six lawful bases established in the GDPR. The lawful bases that may be particularly relevant for research conducted at Södertörn University is that personal data processing is necessary to perform a task in the public interest, as well as consent.
Personal data processing necessary to perform a task in the public interest
Personal data may be collected and processed if it is necessary to perform a task in the public interest. A task in the public interest must be supported by law or other ordinance. The task of conducting research is established in the provisions of the Higher Education Act, which means that when processing personal data is necessary to conduct research, researchers can use the lawful basis that it is a task in the public interest.
To assess whether personal data processing is necessary, you must conduct a fair assessment in which you examine whether there are other ways of conducting the research. If the purpose of the research can be achieved as successfully, easily and cheaply using anonymised data as it can with personal data, personal data processing cannot be considered necessary.
Consent as a lawful basis
Under the GDPR, consent must be freely given, specific and informed, as well as provided through a statement or a clear affirmative act. Consent must state that the person agrees to the processing of their personal data. It is important to ensure that there is no form of dependency between the person providing consent and the data controller (Södertörn University) that may mean the voluntary nature of the consent could be questioned. If a research project intends to collect personal data from employees or students at Södertörn University, some form of dependency could be considered to exist.
Consent as a lawful basis can be used during research partnerships with private or international organisations, because these actors cannot always use the lawful basis of a task in the public interest.
If you have questions about lawful basis, please contact dataskydd@sh.se.
Ethical consent to participate in research
A fundamental principle of research ethics is the collection of informed consent from the people who intend to participate in the research. One reason for collecting informed consent is to protect someone who intends to participate in research and to respect their right to autonomy. Consent to participate in research is not the same as consent to personal data processing – these are two separate things.
Data controller
A data controller is the one who decides why (purpose) and how personal data should be processed. When Södertörn University is the research principal for a project, the university is normally also the data controller. If the university has a research collaboration with, for example, another university, the universities can be independently responsible for their own personal data processing. Depending on the purpose of the personal data processing and how the personal data will be processed within the research collaboration the universities can however be considered joint data controllers.
Joint data controller
If there are several parties involved in a research project and if the parties together decide the purpose and means for a certain personal data processing, the data controller responsibility can be considered joint. If parties are joint data controllers, the parties must enter into an agreement where their respective responsibilities to comply with the GDPR are established. The university has a template for an agreement for joint data controller that researchers can use.
Data processor
A data processor is an external organization that processes personal data on behalf of a data controller. A data processor can for example be a company, an individual, or an authority. The data processor may only process personal data according to instructions from the data controller.
If a researcher intends to hire an external company or an external organization to process personal data on behalf of the research project, a data processing agreement should be established. Below is a template for a Personal Data Processor Agreement. The template is currently only available in Swedish. An English template is being developed.
When should a data protection impact assessment be done?
If the processing of personal data is likely to result in a high risk to the freedoms and rights of individuals, an impact assessment should be carried out. The purpose of conducting an impact assessment is to identify and prevent risks. As a starting point, an impact assessment should be carried out before the processing of personal data begins. In this way, the risk of the university starting a personal data processing that later must be changed because it does not meet the requirements of the GDPR is minimized. An impact assessment can be helpful in assessing what security measures are needed or what technical solutions should be chosen to minimize identified risks.
A data protection impact assessment should, for example, be done if the processing of personal data consists of sensitive personal data on a large scale. An impact assessment may also need to be done if, in a research project, personal data is processed on a large scale about people who for some reason are in a subordinate or dependent position, such as children, employees, asylum seekers, the elderly, and patients.
More information on when and how an impact assessment should be done can be found under ”Rättslig vägledning”.
Information security and security measures
Under the GDPR, all personal data processing for research purposes must be subject to the appropriate security measures. Södertörn University is currently conducting work on a framework for information security. This type of framework means that information, such as personal data, must be classified according to given parameters. For example, sensitive personal data will receive a higher classification and thus a higher security value than other personal data. During the time that the university is working on a framework for information security, follow the below guidance.
The choice of security measures is dependent on the type of personal data being processed within the research project, as well as the amount of personal data. Encryption and access control are examples of technical and administrative security measures that can be taken when they are assessed suitable. One important principle in the GDPR is the principle of data minimisation, i.e. the personal data being processed must be adequate, relevant and limited in relation to the purpose. Do not collect more personal data than is needed.
Pseudonymisation
One security measure that is often appropriate for personal data processing for research purposes is pseudonymisation. Pseudonymised personal data means that the personal data can no longer be linked to a particular person without a supplementary information (code key). For personal data to be considered pseudonymised this supplementary information must be kept separately and protected by measures that ensure they cannot be used to identify the person. Note that pseudonymisation is not the same as anonymisation. For example, in pseudonymisation, the personal ID number is replaced by a code. This code can be linked to the personal ID number through the code key. Personal data is thus not deidentified because there is still supplementary information, i.e. the code key, which can identify an individual. Pseudonymised information is considered personal data and is therefore covered by the GDPR. If the code key is destroyed and it is no longer possible to link and individual to the information, the data is then considered anonymised. Anonymised information is not regarded as personal data and is therefore not covered by the GDPR. However, it can be difficult to deidentify personal data in research data, as you must ensure that all the opportunities for identifying someone have been removed.
For more information about the security measures that should be taken when processing personal data, please contact dataskydd@sh.se. For issues of a technical nature (such as storage solutions or technical security solutions), please contact cit@sh.se.
The basis in the GDPR is that personal data may only be saved for as long as it is needed for the purpose of the personal data processing. Since Södertörn University is a public agency, research data created at the university often comprises official documents. Research data is thus covered by the Archives Act. The university’s information management plan based on the regulations of the National Archives of Sweden, states which research documents must be preserved or erased.
If you have questions about erasure and archiving, please contact arkivarie@sh.se.
People who participate in research projects must be informed about personal data processing and their rights under the GDPR. This information must state who is responsible for the personal data processing and the purpose of the processing.
Participants must also receive clear, detailed information about what participation in the study entails (such as the methods that will be used and how participants can access the study’s results). Below are templates for information texts and consent forms that researchers can use.
Personal data processing that occurs within research must be registered in a personal data processing register. According to the GDPR, data controllers, such as Södertörn University, are obliged to keep a register of their personal data processing. The register should be made available to the Data Protection Authority (Integritetsskyddsmyndigheten in Swedish) upon request.
The register should only describe the actual personal data processing (for example, which personal data is processed and why). The record should not contain any information about the actual person that occurs in the personal data processing.
Below is a template for a personal data processing register that researchers can use. The researcher is responsible for filling in and storing the register during the project. If the personal data processing changes during the ongoing project, the register may need to be updated by the researcher.
Information
Questions about page content? Use the contact in the relevant expander.
Want the page updated? - Fill in this form
For other questions, please email info@sh.se