Handling personal information
Sometimes research is interested in personal data. For example, in longitudinal studies the research is conducted over a longer time - up to thirty years is not uncommon - and aims at following things such as changes in health and social situation for certain population groups to, for example, learn about how certain work conditions affect us in the long term. In other research personal data are not the object per se, but as the research is performed on or with persons, such data will be handled as a consequence. The personal information processed might be sensitive in nature, thus entailing risks of infringing on the integrity of the persons in question.
Personal information refers to all kinds of information that directly or indirectly can be attributed to a living, individual physical person. It can be information on the person's name, personal number, birthdate, nationality, education, family or employment conditions. Other types of information of a less personal character can also be considered personal data. Note that coded information is considered personal data as long as a code key exists [Source: Datalagskommittén].
Sweden & EU
In Europe, the European Parliament and the Council of Europe's Directive 95/46/EC on protection of individuals with reference to the handling of personal information and on the free flow of such information has guided development within this area. The directive has enabled the flow of personal information between EU countries, but it is also necessary that member states transmit personal information to a third country only if that country guarantees an "adequate" protection level for the information. The first four countries considered to have attained such a level of protection were Switzerland, Canada, Hungary and the US. A few others have since been added. It is also allowed, among other things, to transmit personal information that is to be used only in a country that has entered the Council of Europe's Convention for the protection of individuals with regard to automatic processing of personal data (see below). The Directive allows EU countries to transmit personal information to another country even if that country does not have an adequate protection level, if the personal information officer (see below) can guarantee the integrity level. In the directive's wake, a number of recommendations and interpretations have been presented by the EU's Data Protection Working Party.
In Sweden, the laws regulating the handling of personal information are first and foremost the Personal Data Act (PUL) and the Personal Data Ordinance, complemented by the Swedish Data Inspection Board's Authority Regulations. The Official Secrets Act (Offentlighets- och Sekretesslag), Official Secrets Ordinance (Offentlighets- och Sekretessförordning) and Tryckfrihetsförordningen (regarding freedom of press) are also essential. For health and medical services, the Law regarding health data registers (Lag om hälsodataregister) and the new Law on Patient Data (Patientdatalagen) regulate how patient data is handled. The National Board on Health and Welfare has issued accompanying regulations on "informationshantering och journalföring i hälso- och sjukvården". The Swedish Research Council has also published a policy document addressing the handling of personal information in research.
The Personal Data Act
While rules on official secrets govern when data may be released, the Personal Data Act (PUL) governs how data are used. According to PUL, the person in question is to be informed as to which information will be used. A person who submits information to a personal register established for research purposes has a further right to resulting information regarding him or herself. If a person can be identified - registers can also be anonymous - he or she also has the right to demand that incorrect or incomplete information be corrected or completed. The researcher should inform the subject on this issue. It is common that the responsibility to uphold good register practice lies with the research department's chairperson or president.
According to the principal rule in 10§ of the Law regarding Personal Information, the handling of personal information requires consent from the person in question, with an exception for certain "necessary considerations". For example, handling of information can be seen as necessary if it concerns a task of public interest. However, if sensitive information is involved, such as information on race or ethnic origin, political opinion, religious or philosophical conviction, membership in a union, or health or sex life, stricter demands apply. According to 19§ of the Law, handling such information for research requires approval from a research ethics board. It will judge research according to the Act on ethical review, which says that research can only be approved if it is performed with respect for human dignity, that human rights and freedoms always should be considered and that the welfare of subjects always trumps the needs of society and science. Risks shall always be balanced by scientific merit. Use of sensitive information for statistical purposes must be necessary as described in PUL 10§, and the interest to society must clearly outweigh the risk to an individual's integrity that handling of information can involve. As noted, a condition to be met for personal information from, e.g., patient journals to be released for research purposes is that the release be consistent with relevant provisions regarding secrecy, etc. However, consent from the concerned individuals always trumps secrecy rules.
Note also that, according to 36§ of the Law and 10§ of the Regulation, certain types of research projects have an obligation to notify the Swedish Data Inspection Board. In other cases it is normally enough that the personal information representative be informed. One who, alone or in a group, decides on the object of and means for the handling of personal information is called the personal information officer (as a rule, this is an organization), whereas the physical person appointed by the officer to ensure that personal information is handled correctly and according to the law is the representative. For more on personal information in research, see Personuppgifter i forskningen — vilka regler gäller? and PuL och känsliga personuppgifter i forskningen from the Swedish Data Inspection Board. The Board has also given out Answers to Consultation Concerning who is to be Regarded as Controller of Personal Data in Connection with Clinical Studies.
Confidentiality in healthcare
In healthcare, information regarding health status and other personal matters is classified as confidential, if it is not obvious that it can be disclosed without any harm to the patient and his or her relatives. The individual's subjective opinion is important in deciding whether someone may be harmed. Secrecy is the professional confidentiality in public service for those who have access to information that may harm patients (or the safety of one's country, or public economic interest, etc.). The significance is that outsiders shall not gain access to information that has been designated confidential. This prohibition of disclosing confidential information pertains to oral reports, the release of public records or any other means of information transfer.
There are various exceptions. For research purposes, patients' journal information can be released with reservations. If you work at a public authority, you can assume the confidentiality already in place at the releasing authority. If the information is designated confidential and therefore not released, the researcher has the right to have the decision tried. First, one should turn to the handling archive officer. Thereafter, the city archivist makes a formal decision with a justification. Appeals are made to the Swedish administrative court of appeals, which is the highest authority. Patient journals more than 70 years old are not considered confidential and are therefore accessible for everyone.
When doing research in medicine, social science or the behavioural sciences, the law on public access and secrecy ("offentlighets- och sekretesslag") states that information regarding personal matters shall, as a ground rule, be regarded as confidential. There is also a secondary confidentiality: when a researcher receives confidential data, the confidentiality, so to speak, follows the data. In general, statistical work falls under the law. Finally, there is a particular statute on confidentiality for scientific chronicles of linguistic and ethnological customs. All these rules are applicable to public research, not private.
Official and public documents
Good research practice demands that raw data be available for other researchers' review, for example for disputations and peer review of applications and articles. Further, the research organization's actions are often official and may therefore be considered public (the principle of public access to official records) when secrecy does not apply. This concept is defined in 2 kap. 3 § tryckfrihetsförordningen (Chapter 2, 3§ of the Freedom of the Press Act). In brief, a document being submitted to a public authority entails that it concerns an issue resting with, e.g., a university and reaches an employee of this authority, and that this person receives the document in his/her capacity as an employee. Even if the document were to arrive at the person's home, it should be viewed as having been submitted and should be stored at the authority, provided the above criteria were met.
A document is considered upheld by an authority if it has been executed (distributed or sent from the authority) or if the matter the document refers to has been settled. If the document does not refer to any specific matter, it is considered upheld when it has been confirmed by the authority or has simply been finalized in some other way. This latter category can often include documents involved in research, for example completed test analyses, developed photographs or audiovisual recordings. Certain types of documents, for example diaries, registers or other lists that are maintained on a continual basis, are considered upheld when they have been prepared for annotation or entry. Every new annotation is then immediately a part of the public document. That the document is stored at the authority normally means that it is actually physically at the authority, but in certain cases it can also mean that the document is available to the authority through technical means. Note that since confidentiality regulations may apply, a document that is public ("allmän") is not automatically an official ("offentlig") document.
Note that "public handling" applies not only to paper but also to "description in writing or pictures as well as film that can be read, listened to or in any other way be regarded only using technical means" (Press Law). All research at universities – on-going or finished – must follow the statutes on public access to official documents. This means that material used in on-going research – journals, answers to questionnaires, laboratory test answers, notes of oral answers, etc. – is an official document. These laws are in place for the interests of, e.g., funding organizations, patients and society, as regards control of and possibility for inspection. Problems may arise when researchers promise full confidentiality, the application of which is not without problems. Patients and participants in research should be informed about the actual protection of their data and the limitations of those measures. See further a memorandum from the National Agency for Higher Education, Integritetskänsligt forskningsmaterial, and another from the Swedish Research Council, Hantering av integritetskänsligt forskningsmaterial, as well as a report from SUHF: Övergripande principer för offentlighet och sekretess i integritetskänslig forskning.
After an appeal to the Central Ethics Review Board (CEPN) in 2004, the Board opposed a regional board and approved a project for which the regional board had demanded that secrecy be promised to participants in order for approval to be given. Instead, information to participants should include: "Your answers and the results of the study will be kept so that no unauthorized persons can access them". CEPN's decision sets a precedent (Dnr Ö 5-2004). Among those who might be authorized are reviewers for journals or scrutinizers at doctoral disputations, those investigating possible fraud in research, and other scientists who want to use the material in their own research. A guide for how to handle the sharing of data while keeping standards of confidentiality has been proposed in the article 'Preparing raw clinical data for publication: guidance for journal editors, authors, and peer reviewers'.
USA & International
In research done in collaboration with US researchers, the question of Certificates of Confidentiality might come up. These certificates are intended to help meet the obligations of confidentiality by preventing forced disclosure of identifiable data during legal proceedings. They are authorized by federal law and granted by the U.S. Department of Health and Human Services for information that, if disclosed, "could have adverse consequences or damage subjects' financial standing, employability, insurability, or reputation." The current federal law states that with a Certificate, "persons engaged in biomedical, behavioral, clinical, or other research … may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals."
The first important international guidelines regarding personal information were OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of Europe's Convention for the protection of individuals with regard to automatic processing of personal data. The two were rather similar and were both grounded in the idea of "fair information practices", something that has characterized policy documents the world over since then due to the overwhelming support the two guidelines have received. As opposed to the Guidelines, the Convention - more narrow in content (only ADP, or automatic data processing) - is binding only for the states that have ratified it. OECD has also published Guidelines on Security of Information Systems. The UN's Guidelines Concerning Computerized Personal Data Files can also be mentioned here.
Today the protections of personal data and privacy are severely compromised, as economic interests and protection against terror are increasingly used as excuses for exceptions. The Madrid Privacy Declaration laments this and demands that more stringent protections be reinstated.
Last updated: 2010-07-27



