What is personal data?

Personal data is information that can be directly or indirectly linked to a living, identified or identifiable physical person. This means that anyone who is deceased is not covered by the GDPR. Examples of personal data are name, address, email address and personal ID number. Video and audio recordings, such as recorded interviews, can be considered personal data.

Sensitive personal data and personal data relating to criminal convictions and offences

Research projects that include sensitive personal data and personal data relating to criminal convictions and offences must undergo approved ethical review before research starts. More information about ethical review can be found on the page Research Ethics.

Sensitive personal data are details about

• ethnic origin (this also includes questions about what is sometimes called “race”)
• political opinions
• religious or philosophical beliefs
• membership of a trade union
• health
• a person’s sex life or sexual orientation
• genetic information (e.g. details from DNA analysis),
• biometric information (e.g. facial recognition or fingerprints)

Personal data relating to criminal convictions and offences is information about whether someone has committed a crime, been convicted in court in a criminal case, been the object of procedural coercive measures (e.g. detention, seizure, or prohibition of travel) and suspicion of a criminal offence.

Personal data that is not sensitive according to GDPR but needs extra protection

There are other types of personal data that are not sensitive according to GDPR but still needs extra protection. Here are some examples:

• Data regarding salary
• Personal data relating to criminal convictions and offences
• Evaluative information, such as information from development talks, information about results from personality tests or personality profiles
• Information that concerns someone’s private sphere
• Information about social conditions
• Personal identity number

These personal data require a higher level of security compared to harmless personal data such as name, email address, and phone number.

Fundamental principles

The GDPR establishes fundamental principles that must be considered in all personal data processing. These principles, shown below, should be considered when you work with personal data.

• Do not process more personal data than necessary.
• Only collect personal data for specific and legitimate purposes.
• When the personal data is no longer needed for the stated purpose, under the GDPR it must be erased or deindentified. Please note that for research data, this data must be preserved or erased in accordance with the university’s information management plan.
• Personal data must be protected using the appropriate security measures.

Purpose of personal data processing

Under the GDPR, all processing of personal data must have a specific and expressly stated, legitimate purpose. In a research project, the purpose is undertaking the research the project intends to conduct.

Lawful basis

In addition to the requirement for a clear purpose for the processing of personal data, the processing must be supported by one or more of the six lawful bases established in the GDPR. The lawful bases that may be particularly relevant for research conducted at Södertörn University is that personal data processing is necessary to perform a task in the public interest, as well as consent.

Personal data processing necessary to perform a task in the public interest

Personal data may be collected and processed if it is necessary to perform a task in the public interest. A task in the public interest must be supported by law or other ordinance. The task of conducting research is established in the provisions of the Higher Education Act, which means that when processing personal data is necessary to conduct research, researchers can use the lawful basis that it is a task in the public interest.

To assess whether personal data processing is necessary, you must conduct a fair assessment in which you examine whether there are other ways of conducting the research. If the purpose of the research can be achieved as successfully, easily and cheaply using anonymised data as it can with personal data, personal data processing cannot be considered necessary.

Consent as a lawful basis

Under the GDPR, consent must be freely given, specific and informed, as well as provided through a statement or a clear affirmative act. Consent must state that the person agrees to the processing of their personal data. It is important to ensure that there is no form of dependency between the person providing consent and the data controller (Södertörn University) that may mean the voluntary nature of the consent could be questioned. If a research project intends to collect personal data from employees or students at Södertörn University, some form of dependency could be considered to exist.

Consent as a lawful basis can be used during research partnerships with private or international organisations, because these actors cannot always use the lawful basis of a task in the public interest.

If you have questions about lawful basis, please contact dataskydd@sh.se.

Ethical consent to participate in research

A fundamental principle of research ethics is the collection of informed consent from the people who intend to participate in the research. One reason for collecting informed consent is to protect someone who intends to participate in research and to respect their right to autonomy. Consent to participate in research is not the same as consent to personal data processing – these are two separate things.

When should a data protection impact assessment be done?

If the processing of personal data is likely to result in a high risk to the freedoms and rights of individuals, an impact assessment should be carried out. The purpose of conducting an impact assessment is to identify and prevent risks. As a starting point, an impact assessment should be carried out before the processing of personal data begins. In this way, the risk of the university starting a personal data processing that later must be changed because it does not meet the requirements of the GDPR is minimized. An impact assessment can be helpful in assessing what security measures are needed or what technical solutions should be chosen to minimize identified risks.

A data protection impact assessment should, for example, be done if the processing of personal data consists of sensitive personal data on a large scale. An impact assessment may also need to be done if, in a research project, personal data is processed on a large scale about people who for some reason are in a subordinate or dependent position, such as children, employees, asylum seekers, the elderly, and patients.

More information on when and how an impact assessment should be done can be found under ”Rättslig vägledning”.

Information security and security measures

Under the GDPR, all personal data processing for research purposes must be subject to the appropriate security measures. Södertörn University is currently conducting work on a framework for information security. This type of framework means that information, such as personal data, must be classified according to given parameters. For example, sensitive personal data will receive a higher classification and thus a higher security value than other personal data. During the time that the university is working on a framework for information security, follow the below guidance.

The choice of security measures is dependent on the type of personal data being processed within the research project, as well as the amount of personal data. Encryption and access control are examples of technical and administrative security measures that can be taken when they are assessed suitable. One important principle in the GDPR is the principle of data minimisation, i.e. the personal data being processed must be adequate, relevant and limited in relation to the purpose. Do not collect more personal data than is needed.

Pseudonymisation

One security measure that is often appropriate for personal data processing for research purposes is pseudonymisation. Pseudonymised personal data means that the personal data can no longer be linked to a particular person without a supplementary information (code key). For personal data to be considered pseudonymised this supplementary information must be kept separately and protected by measures that ensure they cannot be used to identify the person. Note that pseudonymisation is not the same as anonymisation. For example, in pseudonymisation, the personal ID number is replaced by a code. This code can be linked to the personal ID number through the code key. Personal data is thus not deidentified because there is still supplementary information, i.e. the code key, which can identify an individual. Pseudonymised information is considered personal data and is therefore covered by the GDPR. If the code key is destroyed and it is no longer possible to link and individual to the information, the data is then considered anonymised. Anonymised information is not regarded as personal data and is therefore not covered by the GDPR. However, it can be difficult to deidentify personal data in research data, as you must ensure that all the opportunities for identifying someone have been removed.

For more information about the security measures that should be taken when processing personal data, please contact dataskydd@sh.se. For issues of a technical nature (such as storage solutions or technical security solutions), please contact cit@sh.se.

The basis in the GDPR is that personal data may only be saved for as long as it is needed for the purpose of the personal data processing. Since Södertörn University is a public agency, research data created at the university often comprises official documents. Research data is thus covered by the Archives Act. The university’s information management plan based on the regulations of the National Archives of Sweden, states which research documents must be preserved or erased.

If you have questions about erasure and archiving, please contact arkivarie@sh.se.