
Handling personal information

Sometimes research is interested in personal data. For example, in longitudinal studies the research is conducted over a longer time - up to thirty years is not uncommon - and aims at following things such as changes in health and social situation for certain population groups in order to learn, for example, how certain work conditions affect us in the long term. In other research personal data are not the object per se, but as the research is performed on or with persons, such data will be handled as a consequence. The personal information processed might be sensitive in nature, thus entailing risks of infringing on the integrity of the persons in question.

Personal information refers to all kinds of information that directly or indirectly can be attributed to a living, individual physical person. It can be information on the person's name, personal number, birthdate, nationality, education, family or employment conditions. Other types of information of a less personal character can also be considered personal data. Note that coded information is considered personal data as long as a code key exists.

The Swedish authority responsible for personal data is the Swedish Data Protection Authority (soon to be renamed Integritetsskyddsmyndigheten).

Sweden & EU

In Sweden, the laws regulating the handling of personal information are first and foremost the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, GDPR, in force from May 25, 2018. A new Swedish Research Data Act has been proposed to harmonize regulations. Already, the Article 29 Data Protection Working Party has presented, for example, Guidelines on Consent under Regulation 2016/679. GDPR is complemented by the Public Access to Information and Secrecy Act (Offentlighets- och Sekretesslag), the Public Access to Information and Secrecy Ordinance (Offentlighets- och Sekretessförordning) and Tryckfrihetsförordningen (regarding freedom of the press). For health and medical services, the Law regarding health data registers (Lag om hälsodataregister) and the Law on Patient Data (Patientdatalagen) regulate how patient data is handled.

From the 1st of December 2013, a new act about health research on environmental and genetic causes of disease gives Swedish universities the possibility to create research registers as long as data providers give their explicit consent. Anonymised data can then be released from these registers for specific research projects, as long as they have been approved by an ethics review board (in the background is the unclear situation for the Lifegene project at Karolinska Institutet, which was stopped by the Swedish Data Protection Authority). The Government has initiated a public inquiry on register research and therefore this act was only valid through the 31st of December 2015, then prolonged to the 31st of December 2017. In summer 2017 it was proposed that the law be further prolonged to 31 December 2020 (Fortsatt giltighet av lagen om vissa register för forskning om vad arv och miljö betyder för människors hälsa).

GDPR & Research

While rules on official secrets govern when data may be released, the GDPR governs how data are used. The registered is to be informed as to which information will be used. A person who submits information to a personal register established for research purposes has a further right to resulting information regarding him or herself. If a person can be identified - registers can also be anonymous - he or she also has the right to demand that incorrect or incomplete information be corrected or completed. The researcher should inform the subject on this issue. GDPR lists a set of basic principles relating to the processing of personal data, also in research. Personal data shall be:

As a principal rule, the handling of personal information requires consent from the person in question, with an exception for certain "specific purposes of public interest", such as processing data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. If sensitive information is involved - such as information on race or ethnic origin, political opinion, religious or philosophical conviction, membership in a union, health or sex life, genetic or bibliometric information - handling such information for research requires approval from a research ethics board. The board will judge research according to the Act on ethical review, which says that research can only be approved if it is performed with respect for human dignity, that human rights and freedoms always should be considered and that the welfare of subjects always trumps the needs of society and science. Risks shall always be balanced by scientific merit. GDPR equates personal data relating to criminal convictions and offences or related security measures with sensitive data, as did the former Personal Data Act.

One who, alone or in a group, decides on the object of and means for the handling of personal information is called the controller (as a rule, this is an organisation), whereas the physical person appointed by the controller to ensure that personal information is handled correctly and according to the law is the processor.

Confidentiality in healthcare and in the social and behavioural sciences

As noted, a condition to be met for personal information from, e.g., patient journals to be released for research purposes is that the release be consistent with relevant provisions regarding secrecy, etc. However, consent from the concerned individuals always trumps secrecy rules.

In healthcare, information regarding health status and other personal matters is classified as confidential, if it is not obvious that it can be disclosed without any harm to the patient and his or her relatives. The individual's subjective opinion is important in deciding whether someone may be harmed. Secrecy is the professional confidentiality in public service for those who have access to information that may harm patients (or the safety of one's country, or public economic interest, etc.). The significance is that outsiders shall not gain access to information that has been designated confidential. This prohibition of disclosing confidential information pertains to oral reports, the release of public records or any other means of information transfer.

There are various exceptions. For research purposes, patients' journal information can be released with reservations. If you work at a public authority, you can assume the confidentiality already in place at the releasing authority. If the information is designated confidential and therefore not released, the researcher has the right to have the decision tried. First, one should turn to the handling archive officer. Thereafter, the city archivist makes a formal decision with a justification. Appeals are made to the Swedish administrative court of appeals, which is the highest authority. Patient journals more than 70 years old are not considered confidential and are therefore accessible for everyone.

When doing research in medicine, social science or in behavioural sciences, the Public Access to Information and Secrecy Act states that information regarding personal matters as a ground rule shall be regarded as confidential. Moreover, this rule has been extended generally to teaching and researching institutions for all studies in medicine and social and behavioural sciences (7 § offentlighets- och sekretessförordningen, SFS 2009:641). There is also a secondary confidentiality when a researcher receives confidential data: the confidentiality, so to speak, follows the data. In general, statistical work falls under the law. Finally, there is a particular statute on confidentiality for scientific chronicles of linguistic and ethnological customs. All these rules are applicable to public research, not private.

Official and public documents

Good research practice demands that raw data be available for other researchers' review, for example for disputations and peer review of applications and articles. Further, the research organisation's actions are often official and may therefore be considered public (the principle of public access to official records) when secrecy does not apply. This concept is defined in 2 kap. 3 § tryckfrihetsförordningen (Chapter 2, 3§ of the Freedom of the Press Act). Of particular interest is when a document is considered upheld by an authority. If the document does not refer to any specific matter, it is considered upheld when it has been confirmed by the authority or has simply been finalized in some other way. This latter category can often include documents involved in research, for example completed test analyses, developed photographs or audiovisual recordings. Certain types of documents, for example diaries, registers or other lists that are maintained on a continual basis, are considered upheld when they have been prepared for annotation or entry. Every new annotation is then immediately a part of the public document. All research at universities – on-going or finished – must follow the statutes on public access to official documents. This means that material used in on-going research – journals, answers to questionnaires, laboratory test answers, notes of oral answers, etc. – are official documents. These laws are in place for the interests of, e.g., funding organisations, patients and society, as regards control of and possibility for inspection.

Problems may arise when researchers promise full confidentiality, the application of which is not without problems. Patients and participants in research should be informed about the actual protection of their data and the limitations of those measures. After an appeal to the Central Ethics Review Board (CEPN) in 2004, the Board opposed a regional board and approved a project for which the regional board had demanded that secrecy be promised to participants in order for approval to be given. Instead, information to participants should include: "Your answers and the results of the study will be kept so that no unauthorized persons can access them". CEPN's decision sets a precedent (Dnr Ö 5-2004). Among those that might get authorized, we find reviewers for journals or scrutinizers at doctoral disputations, those investigating possible fraud in research, and other scientists that want to use the material in their own research. A guide for how to handle the sharing of data while keeping standards of confidentiality has been proposed in the article 'Preparing raw clinical data for publication: guidance for journal editors, authors, and peer reviewers'.

USA & International

In research done in collaboration with US researchers, the question of Certificates of Confidentiality might come up. These certificates are intended to help meet the obligations of confidentiality by preventing forced disclosure of identifiable data during legal proceedings. They are authorized by federal law and granted by the U.S. Department of Health and Human Services for information that, if disclosed, "could have adverse consequences or damage subjects' financial standing, employability, insurability, or reputation." The current federal law states that with a Certificate, "persons engaged in biomedical, behavioral, clinical, or other research … may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals."

Last updated: 2018-09-17

CODEX, Centre for Research Ethics & Bioethics, BMC, Husarg. 3, Uppsala