The General Data Protection Regulation from a research perspective
Processing of personal data
All processing and handling of personal data in research and student work at Mid Sweden University must be registered by the university. Contact the Data Protection Officer for assistance with registration.
Purpose of the processing
All processing of personal data must have a specific, explicitly stated and legitimate purpose. The starting point is that personal data collected for a specific purpose may not later be processed in a manner that is incompatible with this purpose.
However, by way of exception to the general rule, it is possible to use data collected for a specific research project in later research projects. When using personal data for a research project other than the one for which the data was originally collected, you must still comply with the other provisions of the GDPR.
What personal data should be processed?
In order to be able to decide whether personal data is processed in accordance with the General Data Protection Regulation, you need to identify what personal data is to be processed within the framework of your research project.
Which data is processed, and to what extent, can matter for later assessments, for example when determining what constitutes appropriate protection for the data.
Legal basis for the processing
The processing of personal data within the framework of a research project can be based on one of two legal grounds: public interest or consent.
The possibility of using the public interest as a legal basis is based on the fact that conducting research is part of the University's mission. In order for consent to be used as a legal basis, and to be considered valid, there are a number of factors to consider.
Feel free to contact the legal function if you need help determining which legal basis is appropriate in the individual case or if you need help reviewing a consent formulation.
Special rules for sensitive personal data
The GDPR has particularly strict rules when it comes to handling sensitive personal data. Sensitive personal data is information that reveals a person's political opinions, racial or ethnic origin, religious or philosophical beliefs, or trade union membership. Genetic and biometric data, health data and data concerning a natural person's sex life or sexual orientation also constitute sensitive personal data.
The starting point of the GDPR is that the processing of sensitive personal data is prohibited and that a special ground is required in addition to the legal basis for it to be permitted to process such data. Scientific or historical research purposes are one such special basis. It is therefore permitted to process sensitive personal data when it is necessary for scientific or historical research purposes, provided that the research has been approved by an ethical review.
According to the Ethical Review Act, research on sensitive personal data may only be carried out if it has been approved in an ethical review. Research that involves the processing of personal data relating to criminal offences, convictions in criminal cases, coercive measures in criminal proceedings or administrative detention must also be ethically reviewed in accordance with the Ethical Review Act. This applies even if the data is not sensitive in the sense of the General Data Protection Regulation.
Information for data subjects
Read more about what information must be provided to the data subjects.
There is also a template that can be used.
Share information with someone outside the university
If the research project will share data with someone outside the university, there is reason to consider whether a personal data processing agreement needs to be drawn up. A personal data processing agreement is a requirement when someone outside the university's organisation processes personal data on behalf of the research project.
Template for data processing agreement.
As a general rule, personal data may not be transferred to a country outside the EU/EEA. If personal data must be transferred to a country outside the EU/EEA, it is important that the data is transferred in a secure manner. A lawyer should be contacted for advice.
Since July 2023, transfers of personal data to the United States are covered by the European Commission's decision that data may be transferred to recipients in the United States who are members of the EU-U.S. Data Privacy Framework (DPF). The decision means that these recipients are considered to have an adequate level of protection for personal data under EU data protection rules. To check whether a U.S. organization is affiliated with the Data Privacy Framework, one can use the official search function on the following website:
Keep in mind that some journals are not registered with the name of the journal but with the name of the company that owns the journal.
Appropriate protection of personal data
When processing personal data in a research project, appropriate safeguards must be taken for the data. The appropriate measures depend on the individual situation, the category of data being processed and the amount of data involved. Use the information classification as a basis for determining protective measures.
Rules regarding archiving and deletion
According to the General Data Protection Regulation, personal data may not be stored for a longer period than is necessary for the purposes for which the data was collected. However, it is permitted to process personal data for longer for archiving purposes. Research data with personal data must be archived in accordance with the procedures for archiving research documents.
Impact assessment according to Art. 35
If the processing of personal data is likely to lead to a high risk to the rights and freedoms of natural persons, we are obliged under the General Data Protection Regulation to carry out a so-called impact assessment.
Read more about when an impact assessment is required for a research project.
List according to Art. 30
When a research project processes personal data (e.g. about participants, patients, interviewees or contact persons), the project's processing of personal data must be documented in our register list (Article 30 GDPR).
Read more about how to list your research project under Article 30.
Read more on SND's (Swedish National Data Service) page: Researchdata.se - Personal data in research.