Search

Other search services

Courses and programmes Syllabus Welcome letters Staff Job vacancies

Ethical review and data protection in research

Research involving humans, personal data or animals is subject to research ethics requirements and data protection under the GDPR. Before the start of the project, the need for ethical review must be investigated and a legal basis for personal data processing must be ensured.

Here is an overview, see subpages for more information.

Ethical review under the Ethical Review Act

Research involving humans must be ethically reviewed and approved by the Ethical Review Authority (EPM) before it begins, if it is covered by the Ethical Review Act.

This applies, for example, to research that:

  • involves the processing of sensitive personal data or data relating to breaches of law;
  • involves physical interventions or impact on the research subject;
  • refers to biological material from human beings

The researcher is responsible for submitting the application on time. For doctoral students, the principal supervisor is responsible. The ethical review aims to protect the safety, integrity and rights of research subjects.

You can get support in the process through Mid Sweden University's Research Ethics Council. They can provide advice, review projects and assist in the application to the Ethical Review Authority (EPM). Contact details and information on how to receive support can be found on the page Governance and ethics.

Personal data in research projects

When research involves the processing of personal data, the processing must comply with the requirements of the General Data Protection Regulation (GDPR) and supplementary national legislation.

For research projects at Mid Sweden University, the legal basis is normally information of public interest. The processing of sensitive personal data takes place on the basis of special provisions for scientific research purposes and, where required, ethical approval.

The ethical research requirement that participation in research must be voluntary is not the same as consent as a legal basis under the GDPR.  

Impact assessment under GDPR

Where the planned processing of personal data is likely to entail a high risk to the rights and freedoms of the data subjects, an impact assessment must be carried out before the processing begins.

This may be relevant, for example, in the case of:

  • processing of sensitive personal data on a larger scale
  • Processing of data on vulnerable groups
  • New or privacy-sensitive technical solutions

How an impact assessment is carried out is described on the page Impact assessment.

 

 

 

 

Contact

Questions about research data

The page was updated 3/10/2026

Content owner:

Universitetsbibliotek och studentstöd (UB)