Personal data in research

Research data containing personal data shall be handled in accordance with the Data Protection Regulation and other relevant Swedish legislation.

  • The Data Protection Regulation (GDPR) - regulates the handling of personal data and privacy protection. The GDPR is a common EU regulation, which in Swedish law is supplemented by the Swedish Data Protection Act (2018:218) with supplementary provisions to the EU Data Protection Regulation.

  • The Swedish act concerning the ethical review of research involving humans (2003:460) regulates research on sensitive personal information about human beings and biological material.

The University's information on the data protection regulation outlines what you need to know when personal data is processed in research.

Information in research data that can be attributed to a living person can be of two kinds:

Direct personal data are data that clearly and directly identify a person. Examples are names, personal numbers, photographs, addresses, biometric data or audio recordings.

Indirect personal data are pieces of information in a data set that, in combination with each other or with other available information, enable the identification of an individual. Examples that may appear in research data are socio-economic data at a detailed level, geographical information such as postal code or place of residence, household composition or rare disease information. Information that has been encrypted or pseudonymized, but can be linked to a natural person by means of additional data, is also personal data under the GDPR.

Data containing direct personal data should be encrypted by means of pseudonymisation where possible. Direct identifiers such as name or personal number are then replaced with a code and the code key must be stored separately and securely.

If data is anonymised so that it is no longer possible to associate data with individuals in any way, the information is no longer defined as personal data under the Data Protection Regulation. However, the GDPR sets high requirements for data to be considered anonymous and this affects the conditions for sharing and publishing this type of data.

Personal data must be protected against access by unauthorised persons through organizational and technical measures. They must therefore be stored and processed in a safe manner. If you suspect that personal data have fallen into the wrong hands or been destroyed, contact it-incident@uu.se to report a possible personal data incident.

The University is normally the data controller for personal data processed in research at the university and the processing of personal data must always be reported. If personal data is processed and/or stored by an external party outside the University, a personal data processing agreement must be set up with that party. Please note that the transfer of personal data to third countries (outside the EU/EEA area) may only take place if the recipient country ensures a high level of data protection.

With the exception of doctoral students, the University is not responsible for data collected or generated by students. However, the university is responsible for the processing of personal data carried out by students in the context of their education.

The processing of sensitive personal data is prohibited under the Data Protection Regulation, but may be permitted for research purposes after an approved ethical review. An important part of the application for an ethical review is to explain how information (data) about the researchers will be handled and protected against unauthorised access.

For questions about the processing of personal data, please contact the University's Data Protection Officer or the Legal Department.

See also: Permits and ethical review

Before research subjects are involved in a project, they should be informed about the research and their involvement and they should be free to choose whether they want to participate or not. Research subjects must also give their consent to the processing of their data. The information should make it clear which personal data are collected and how they will be processed and stored. Information to researchers should also refer to the university's data protection policy.

Keep in mind that as a researcher you cannot promise that the data collected will be absolutely confidential or that only you or other project participants will be able to access the data. Instead, use words that indicate that no unauthorised persons will have access to the data. See the Ethics Review Authority's recommendation (in Swedish) on the design of information for research subjects.
