The purpose of this guide is to help researchers at Umeå University understand what needs to be decided when research data need to be shared with collaborators in a research project.
Application of regulations differ depending on what the research data include and if the recipient is in Sweden, in the EU/EEA, or in another country and if the recipient is a public authority, a regional health authority, a company or a voluntary organisation.
The structure of the guide
This page provides general information and discusses questions that need to be considered when sharing research data in collaborative projects. Subsequent pages present a number of example cases that describe in more detail necessary decisions when sharing research data in different situations.
Support and help
Sharing research data requires making complex assessments. Support and help are available from the Legal Affairs Office. Staff at the office also have access to templates for information on transferred confidentiality and decisions on confidentiality reservations, which they will help you fill in as needed.
When contacting the Legal Affairs Office, clearly describing what the research data contain and who the recipient is ensures that you will receive the best possible help.
Example cases for sharing research data
Depending on the type of information included in the research data and the recipient, consideration needs to be given to such aspects as the protection of personal data and confidentiality.
These example cases describe the relevant legal regulations and necessary considerations and decisions when sharing research data with different types of recipients. Each example case has a checklist summarising the decisions that must be made before research data are shared.
A confidentiality assessment must always be conducted before research data are shared. These example cases are also applicable when you have determined that there is no confidentiality.
If research data need to be shared with several collaborators, you must decide separately for each collaborator how and if to share based on the relevant example case.
The example cases do not apply to sharing research data with the supplier of a purchased service, such as for transcription or analyses. In those cases, other measures are required, for example, a personal data processing agreement may be needed.
Sharing research data in ethically approved research
Sharing research data that contain personal data that merit special protection or general personal data
Sharing confidential research data
Who is collaborating?
In legal terms, research collaborations are collaborations between the organisations that researchers are employed by or commissioned by and not between individual researchers. In most cases, research data are thus shared with the co-researcher's employer or client. Research data are public documents at Umeå University, and the authority is responsible for its research data. Umeå University as the authority is thus the entity that shares the research data, and sharing requires following the rules that apply to the handling of public documents at Umeå University.
Public documents
Research data are public documents at Umeå University, and the authority is responsible for its research data. As the authority, Umeå University is the entity that shares the research data, and sharing requires following the rules that apply to the handling of public documents at Umeå University.
Please note! Biobank samples are not public documents and thus are not covered by this guide or position about agreements. Provisions in the Biobanks Act (SFS 2023:38) apply to these types of samples.
Definitions
Definitions of terms in this guide:
Anonymised personal data refer to data that do not contain any information that can be linked to an individual. Any link to a living individual must be irrevocably severed. Anonymised data do not constitute personal data as defined in the GDPR.
Confidentiality means a prohibition on disclosing information, whether orally, by making an official document available or in any other way. There must be support in the Public Access to Information and Secrecy Act for information included in a public document at Umeå University to be considered confidential.
Disclosure refers to the disclosure of research data as defined by the Freedom of the Press Act and is a broader concept than sharing.
Lawful basis refers to the legal basis in the General Data Protection Regulation (GDPR) for processing personal data. The legal basis for research under the GDPR is public interest.
Personal data refer to any information that may be directly or indirectly linked to a living individual. This includes not only names and personal identity numbers, but also usernames, Umu IDs, email or IP addresses, biometric data, physiological data and, even such data as a voice recording. Survey responses where the recipient is known are personal data. Even combinations of data can constitute personal data if, through the data, it is possible to link these to a natural person.
Personal data that merit special protection refer to personal data that are considered particularly worthy of protection. This can include salary data, data concerning violations of the law, valuation data, such as data from staff development discussions, data from the results of personality tests or personality profiles, information relating to an individual's private life or information on social conditions.
Pseudonymised personal data refer to personal data that have been coded and thus cannot be used to directly identify individuals, but where a code key is preserved, enabling later additions to the data, and thus enabling identification of the individual to which the data refer.
Research data refer to digital information that has been collected to be analysed for a scientific purpose. Examples of such research data are results from experiments and measurements, observations from fieldwork, statistics, survey responses, interviews and images. Physical objects, such as scientific and archaeological collections, physical works of art or biobanks are not in themselves considered research data, while digital information about such objects is considered research data. The definition corresponds to the definition of research data used in Umeå University's Research data policy, reg. no. FS 1.1-545-21. Research data are public documents at the University.
Sensitive personal data are personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and personal data relating to health or sexual activity and genetic or biometric data.
Sharing refers to the release of research data to research project collaborators for purposes related to the project. When sharing research data, the University is releasing research data on its own initiative without a prior request for access to public records.
Who decides whether research data can be shared?
The researcher responsible for the research data, usually the principal investigator (PI), is responsible for assessing whether the research data can be shared, including conducting the confidentiality review. The Legal Affairs Office can provide support in this assessment. For complex confidentiality assessments or with uncertainty regarding how personal data may be shared, always contact the Legal Affairs Office.
Choice of system for sharing research data
Choose which IT system you can use for sharing research data based on the project's information classification and risk and vulnerability analysis. Choose solutions that are approved for the highest level of protection that the information requires. When possible, choose a system that is recommended by the University centrally or that your department recommends.
About the principle of public access to official documents
The principle of public access to official documents means that everyone has the right to access public documents held by Swedish authorities, municipalities, regional health authorities and other public organisations. This right can only be restricted if the information can be classified as confidential according to a provision in the Public Access to Information and Secrecy Act.
Legally, research constitutes actual actions. This means, in contrast to documents in a matter, that research data as a general rule become a public document immediately when the data are received by the University, such as, for example, survey responses, or when it has been completed, that is when the analyses, experiments and tests that generated the data have been conducted.
On the public documents page, you can read more about the principle of public access and when a document is considered public.
What is disclosure of public documents?
Disclosing a public document means that the information is shared with a person or organisation outside Umeå University. The disclosure may mean that a copy of the document is given to the recipient, but it may also mean that the recipient is given access to read the information using an IT system, that the information is displayed on a computer screen or played back, or that the recipient is otherwise given access to the information. Original copies of public documents must be kept at Umeå University and thus may not be released to recipients. Even when sharing research data, the formal requirements for disclosure of public documents must be met.
Special provisions for data collected by staff with combined employment and affiliations.
Research data collected within the employment of a public employer other than Umeå University, for example within the framework of clinical work at a regional health authority, are public documents of that employer and requests for access must be done according to that employer's regulations, even if the person who is to access the data at Umeå University is the one that collected the data at the other employer. Confidentiality is often transferred when disclosing data, which means the same confidentiality applies for processing the data at Umeå University.
An affiliation with Umeå University does not mean that the person is employed by the University. Sharing research data with an affiliated individual must therefore be handled in the same way as for other collaborators.
About confidentiality
Confidentiality is a prohibition on disclosing information, whether orally, by making an official document available or in any other way. The basis for considering information in a public document at Umeå University confidential must come from the Public Access to Information and Secrecy Act. If a confidentiality review determines that the person to whom the information relates may suffer harm in the manner specified in the relevant section of the Act, the information is covered by confidentiality.
Before sharing research data, Umeå University needs to investigate whether the University has received the data from another authority, and if so, whether that authority has transferred "its" confidentiality to Umeå University. Thereafter, the University needs to investigate whether the data are covered by any other confidentiality.
If data are covered by confidentiality, they may not be disclosed unless a non-confidentiality provision in the Act applies to that situation. Conversely, if there is no risk of harm or legal support for confidentiality, the information cannot be classified.
In the event of uncertainty as to whether the research data intended for sharing are subject to confidentiality, contact the Legal Affairs Office.
Confidentiality means you have an obligation to secrecy
If data are confidential, those with access to the data have an obligation to secrecy. The obligation to secrecy means that it is a criminal offense to disclose confidential data to a third party, regardless of whether this is done orally, through the release of a public document or in some other way.
What is a confidentiality review?
Before a document is disclosed or shared, a confidentiality review must be conducted. A confidentiality review is required each time data are shared. It is not permitted to simply refer to how the situation was handled in the past.
A confidentiality review means that Umeå University examines whether the data are covered by confidentiality as per a provision of the Public Access to Information and Secrecy Act. The review is based on the requirements specified in the relevant section of the Act.
As a rule, Umeå University must assess whether any natural or legal person suffers harm or loss (mentally, physically or financially) in the manner described in the section on disclosure of data. If the confidentiality review determines that confidentiality applies, it may still be possible to share research data if confidentiality can be transferred to the recipient, if the research data can be disclosed with a confidentiality clause, or if measures can be taken to ensure the data can no longer be linked to the person to whom the data relate.
Confidentiality review – step by step
A confidentiality review includes an examination of whether the disclosure of the research data could result in harm or damage to the persons or organisations to whom the information relates. Certain measures can enable research data sharing with a collaborator even though the information would otherwise be subject to confidentiality. If confidentiality can be transferred to the recipient, this indicates that disclosure can occur and that this option should be used. Personal data can also be pseudonymised so that information about an individual's personal circumstances, which in some cases are intended to be protected by privacy regulations, can no longer be linked to a specific individual. Each example case provides guidance on handling common situations.
Contact the Legal Affairs Office if you are unsure how to share research data with your collaborator.
- Are research data included in a public document?
The Guide to public access and confidentiality (only in Swedish) provides information on assessing when a document becomes a public document. As a rule, research data are public documents as soon as they arrive at the University or have been produced here.
- Is there a confidentiality provision in the Public Access to Information and Secrecy Act that applies to the data?
If there is no confidentiality provision for the data, the research data can be shared with the collaborator.
- If the data are confidential, is there any other provision that would still allow disclosure of the data?
Investigate whether it is possible to transfer confidentiality to the recipient or share the information with a confidentiality clause. If permitted, the research data can be shared with the collaborator.
- If there is a confidentiality provision, conduct a personal data protection test and harm review.
A confidentiality review includes an examination of whether disclosing the research data could cause harm or injury to the persons or organisations to whom the information relates.
The Guide to public access and confidentiality (only in Swedish) provides information on the most common confidentiality provisions related to the University's operations and activities.
In some cases, measures that eliminate the ability to link the information to the person to whom it relates, such as pseudonymisation of personal data, can allow the data to be disclosed.
- If it is still not possible to share research data, the data subject to confidentiality is to be removed (masked).
- Retain information about the right to a written dismissal decision.
The University must explain why the research data have been deemed confidential. It must also inform the person who requested access to research data that they have the right to receive a written dismissal decision that can be appealed to the Court of Appeal. The pages on the release of public documents include a sample response that can be used when informing that a request for access to research data has been denied due to confidentiality.
- If a written dismissal decision is requested, that is to be provided as per the University's rules of delegation.
About personal data
Personal data refer to any information that can be used, directly or indirectly, to identify a living person. Only in exceptional cases are data relating to a deceased person classed as personal data, and then only if the data can be used to identify another, now living person. Data that have been anonymised, where there is no way to link the data to a living person, do not constitute personal data. Pseudonymised personal data, that are data that have been coded to protect the personal data, are personal data as long as the code key is saved, even if Umeå University or the person with whom the data are shared does not have access to the code key.
Read more about considerations with personal data processing on the Personal data management pages.
What rules apply to sharing personal data?
Processing personal data is regulated in the EU's General Data Protection Regulation (GDPR). The GDPR applies to all member states of the EU/EEA and to all personal data processing, regardless of the context in which the personal data processing occurs. Sharing research data containing personal data with collaborators within the EU/EEA is usually unproblematic in terms of the GDPR.
The level of protection guaranteed in the GDPR may not be compromised when research data with personal data are shared with collaborators located outside the EU/EEA. In these cases, the University must still investigate whether there is a decision on an adequate level of protection from the European Commission before sharing. If not, appropriate safeguards must be instituted that ensure the same level of protection for the personal data.
Are personal data covered by confidentiality?
The GDPR contains no provisions on confidentiality for personal data, but personal data may be subject to confidentiality according to provisions in the Public Access to Information and Secrecy Act.