Sharing research data in ethically approved research

The following are example cases in which researchers at Umeå University need to share research data containing sensitive personal data, or personal data concerning violations of the law, with other researchers at organisations in Sweden or abroad.

Research on sensitive personal data and personal data on legal violations requires ethical review approval. 

Even if it is clear from the project's ethical approval that the parties will cooperate and that the research data will be shared with the party in question, Umeå University must still conduct a confidentiality review of the data before sharing them. The University must also assess the data sharing against the requirements of the GDPR.

What are sensitive personal data?

Sensitive personal data are data about currently living individuals that relate to:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • membership in trade unions;
  • health;
  • sex life or sexual orientation;
  • genetic data; or
  • biometric data used to uniquely identify a person.

What is information concerning violations of the law?

Personal data concerning violations of the law include data on criminal offences, criminal convictions, pre-trial coercive measures and pre-trial detention. These belong to the group of personal data referred to as personal data that merit special protection. They are not sensitive personal data as defined in the GDPR, but they are treated in the same way as sensitive personal data for the purposes of ethical review and in other respects. The considerations that apply to sharing and disclosing sensitive personal data are therefore also relevant to personal data concerning violations of the law.

Research using sensitive personal data and personal data on violations of the law requires ethical review approval.

Processing sensitive personal data or personal data concerning violations of the law in research requires an ethical approval as per Section 3 of the Ethical Review Act (2003:460).

Confidentiality for personal data in Chapter 21, Section 7 of the Public Access to Information and Secrecy Act is closely linked to this provision. Chapter 21, Section 7, item three of the Public Access to Information and Secrecy Act states that confidentiality applies to personal data if, after disclosure, the data will be processed in violation of the Ethical Review Act. This means that if the recipient does not have ethical approval, the data cannot be shared with them.

Example cases

A) Cooperation with a university or other public organisation in Sweden.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at another higher education institution, public authority, municipality or regional health authority in Sweden. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data include sensitive personal data or information concerning violations of the law.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • What personal data need to be shared.
  • The lawful basis for processing (sharing) the personal data.
  • That the project has ethical approval and that the ethical approval covers sharing in the planned collaboration and with the collaborator.
    • If ethical approval has not been obtained or it does not include sharing in the planned collaboration, apply for a new approval or supplement the existing ethical review approval.
  • Whether the data are protected by confidentiality.
  • Who the personal data controller is and that this is documented.
  • Document the considerations weighed for sharing the data.

Overview

Swedish municipalities, regional health authorities and other public authorities are covered by the same legislation as Umeå University, including the GDPR and the Public Access to Information and Secrecy Act.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit what is shared to personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data. When sharing sensitive personal data and personal data about violations of the law, it is important that it is clear from the ethical review approval that the data will be shared with the relevant collaborator.

See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. Sensitive personal data are of such a nature that confidentiality regulations often apply.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

In a research collaboration, there may be reason to define the controller for personal data. Are the parties separate personal data controllers or do they have a joint personal data controllership according to Article 26 of the GDPR?

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects. 

Currently, the most common approach for research collaborations is that the parties are separate personal data controllers. However, the Legal Affairs Office has noted an increase in requests for agreements on joint responsibility for personal data control.

Joint personal data controllers

Joint responsibility for personal data control must be documented. There are no formal requirements on how this documentation should look. It can take the form of an agreement or by reporting the division of responsibilities in an open manner, for example by the parties formulating a clear description of the joint personal data control in the information letter given to research subjects as part of the requirements in Articles 13–14 of the GDPR.

If the joint control of personal data is regulated in an agreement, the delegation of authority specifies that the University Director is to sign the agreement.

Is a personal data processing agreement needed?

For research collaborations, it is rarely a question of one party being a personal data processor for the other party. A research collaboration is not the type of dependent processing of personal data on someone else's behalf that characterises a processor situation. Providing data to a service provider, for example for analysis or transcription, is a typical processor situation that requires a written personal data processing agreement.

Agreements regulating sharing research data

The Legal Affairs Office does not recommend signing agreements with other Swedish higher education institutions, other public authorities, municipalities or regional health authorities on how shared research data will be processed, as they are covered by laws regarding public access to information and archiving obligations. Instead, information about any transferred confidentiality should be provided to these types of organisations.

Biobank samples are not public documents and thus are not covered by this guide or by the position on agreements stated above. For these, the rules in the Biobanks Act (SFS 2023:38) apply.

If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties. When you need to draw up or review agreements, fill out the Contract review form and send it to the Legal Affairs Office.

B) Cooperation with a higher education institution or other public organisation outside of Sweden but in the EU/EEA.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at another higher education institution, public authority, municipality, regional health authority or equivalent public organisation outside of Sweden but in the EU/EEA. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data include sensitive personal data or personal data concerning violations of the law.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • What personal data need to be shared.
  • The lawful basis for processing (sharing) the personal data.
  • That the project has ethical approval and that the approval covers the planned collaboration and the collaborator.
    • If there is no ethical approval or it does not cover the planned collaboration, apply for a new approval or supplement the existing approval.
  • Whether there is a confidentiality provision that protects the data at Umeå University.
  • Investigate whether the information can be pseudonymised or anonymised in a way that enables research data to be shared.
  • Who the personal data controller is and that this is documented.
  • Whether an agreement on sharing research data needs to be signed.
  • Document the considerations weighed for sharing the data.

Overview

The Public Access to Information and Secrecy Act is national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the provisions that protect certain research data. This complicates sharing data with recipients outside of Sweden.

The GDPR is an EU regulation and applies to the processing of personal data in all EU/EEA member states. Personal data issues are therefore handled in much the same way with collaborators in other EU/EEA countries as with Swedish organisations.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit what is shared to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data.

When sharing sensitive personal data and personal data about violations of the law, it is important that it is clear from the ethical review approval that the data will be shared with the relevant collaborator. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. Sensitive personal data are of such a nature that confidentiality regulations often apply. If the information is subject to confidentiality, the basic assumption is that research data cannot be shared with recipients outside of Sweden.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

In a research collaboration, there may be reason to define the controller for personal data. Are the parties separate personal data controllers or do they have a joint personal data controllership according to Article 26 of the GDPR?

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

Currently, the most common approach for research collaborations is that the parties are separate personal data controllers. However, the Legal Affairs Office has noted an increase in requests for agreements on joint responsibility for personal data control.

Joint personal data controllers

Joint responsibility for personal data control must be documented. There are no formal requirements on how this documentation should look. It can take the form of an agreement or by reporting the division of responsibilities in an open manner, for example by the parties formulating a clear description of the joint personal data control in the information letter given to research subjects as part of the requirements in Articles 13–14 of the GDPR.

If the joint control of personal data is regulated in an agreement, the delegation of authority specifies that the University Director is to sign the agreement.

Is a personal data processing agreement needed?

For research collaborations, it is rarely a question of one party being a personal data processor for the other party. A research collaboration is not the type of dependent processing of personal data on someone else's behalf that characterises a processor situation. Providing data to a service provider, for example for analysis or transcription, is a typical processor situation that requires a written personal data processing agreement.

Agreements regulating sharing research data

When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties. When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

C) Cooperation with a higher education institution or other public organisation outside the EU/EEA.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at another higher education institution, public authority, municipality, regional health authority or equivalent public organisation outside the EU/EEA. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data include sensitive personal data or personal data concerning violations of the law.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • What personal data need to be shared.
  • The lawful basis for processing the personal data.
  • Whether the country in question has what is known as an adequacy decision or whether other protective measures need to be put in place.
  • That the project has ethical approval and that the approval covers sharing the personal data in the planned collaboration and with the planned collaborator.
    • If there is no ethical approval or it does not cover the planned collaboration, apply for a new approval or supplement the existing approval.
  • Whether there is a confidentiality provision that protects the data at Umeå University.
    • Investigate whether the personal data can be pseudonymised or anonymised in a way that enables research data to be shared.
  • Whether an agreement on sharing research data needs to be signed.
    • Contact the Legal Affairs Office if an agreement regulating sharing research data needs to be drawn up.
  • Who the personal data controller is and that this is documented.
  • Document the considerations weighed for sharing the data.

Overview

The Public Access to Information and Secrecy Act is national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the provisions that protect certain research data. This complicates sharing research data covered by confidentiality with recipients outside of Sweden.

The GDPR does not generally bind recipients outside the EU/EEA, which creates barriers to sharing personal data with recipients in such countries. For this reason, sharing research data containing personal data with recipients outside the EU/EEA must be regulated differently in order to retain the protection of personal privacy. Contact the Legal Affairs Office if you need to transfer personal data to a country outside the EU/EEA.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit the shared data to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data.

When sharing sensitive personal data and personal data about violations of the law, it is important that it is clear from the ethical review approval that the data will be shared with the relevant collaborator. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. Sensitive personal data are of such a nature that confidentiality regulations often apply. If the information is subject to confidentiality, the basic assumption is that research data cannot be shared with recipients outside of Sweden.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

Sharing personal data outside the EU/EEA is referred to as a third country transfer. For some countries, the European Commission has issued what is known as an adequacy decision. This means that the national legislation of these countries has been found to ensure an adequate level of protection for personal data and personal privacy. These countries are listed on the website of the Swedish Authority for Privacy Protection (IMY). In these cases, the transfer itself presents no obstacle under the GDPR; the general requirements described below still apply.

If the country is not on the list noted above, other appropriate safeguards must be in place to ensure the level of protection required by the GDPR. The most common safeguard for the University is to sign an agreement that incorporates the standard contractual clauses adopted by the European Commission. The Legal Affairs Office will help draw up these agreements, which are then signed by the University Director. In these cases, it is important that the data are pseudonymised. Not only will this often make disclosure possible under the Public Access to Information and Secrecy Act, pseudonymisation is also recognised as a security measure under Article 32 of the GDPR.

The basic conditions that must be met for the processing of personal data to be legal as per the GDPR must also be met. This includes only processing the personal data that are necessary. This makes it important to limit the shared data to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Agreements regulating sharing research data

When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party to the project provides a proposed agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties.

When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

D) Cooperation with a private company, foundation, voluntary organisation or similar in Sweden.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at a company, foundation, voluntary organisation or other private body in Sweden. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data include sensitive personal data or personal data concerning violations of the law.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • What personal data need to be shared.
  • The lawful basis for processing the personal data.
  • Whether the data are protected by confidentiality.
    • Investigate whether confidential data can be disclosed with confidentiality reservations. The person responsible for the research data determines such reservations. Contact the Legal Affairs Office for support.
  • That the project has ethical approval and that the approval covers sharing the personal data in the planned collaboration and with the planned collaborator.
    • If there is no ethical approval or it does not include sharing in the planned collaboration, apply for a new approval or supplement the existing approval.
  • Who the personal data controller is and that this is documented.
  • Whether an agreement on sharing research data needs to be signed.
    • Contact the Legal Affairs Office if an agreement regulating sharing research data needs to be drawn up.
  • Document the considerations weighed for sharing the data.

Overview

The Public Access to Information and Secrecy Act does not cover private entities. The protection the Act provides for certain research data thus does not apply to private parties in a research project. This creates obstacles to sharing research data covered by confidentiality with private parties in the project. In some cases, sharing research data that are subject to confidentiality can be made possible through confidentiality reservations.

The GDPR applies to private parties in all member states of the EU/EEA.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit the shared data to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data.

When sharing sensitive personal data and personal data about violations of the law, it is important that it is clear from the ethical review approval that the data will be shared with the relevant collaborator. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Sensitive personal data are of such a nature that confidentiality regulations often apply. When it comes to disclosure of research data to private entities, the confidentiality review is of crucial importance, since these parties are not covered by the Public Access to Information and Secrecy Act and there is no statutory confidentiality protection for the data. This means that the risk of harm or injury is greater than when sharing with public organisations covered by confidentiality regulations.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

In a research collaboration, there may be reason to define the controller of personal data. Are the parties separate personal data controllers or do they have joint personal data controllership according to Article 26 of the GDPR?

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

Currently, the most common approach for research collaborations is that the parties are separate personal data controllers. However, the Legal Affairs Office has noted an increase in requests for agreements on joint responsibility for personal data control.

Joint personal data controllers

Joint responsibility for personal data control must be documented. There are no formal requirements on how this documentation should look. It can take the form of an agreement or by reporting the division of responsibilities in an open manner, for example by the parties formulating a clear description of the joint personal data control in the information letter given to research subjects as part of the requirements in Articles 13–14 of the GDPR.

If the joint control of personal data is regulated in an agreement, the delegation of authority specifies that the University Director is to sign the agreement.

Is a personal data processing agreement needed?

For research collaborations, it is rarely a question of one party being a personal data processor for the other party. A research collaboration is not the type of dependent processing of personal data on someone else's behalf that characterises a processor situation. Providing data to a service provider, for example for analysis or transcription, is a typical processor situation that requires a written personal data processing agreement.

Agreements regulating sharing research data

When the research project collaborates with a private party, Swedish legislation does not place the same requirements regarding public access to information, confidentiality and archiving on that party as it does on Swedish public bodies. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties. When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

E) Cooperation with a private company, foundation, voluntary organisation or similar in the EU/EEA.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at a company, foundation, voluntary organisation or other private body outside of Sweden but within the EU/EEA. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data include sensitive personal data or personal data concerning violations of the law.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • What personal data need to be shared.
  • The lawful basis for processing the personal data.
  • Who the personal data controller is and that this is documented.
  • That the project has ethical approval and that the approval covers sharing the personal data in the planned collaboration and with the planned collaborator.
    • If there is no ethical approval or it does not cover the planned collaboration, apply for a new approval or supplement the approval.
  • Whether there are confidentiality provisions that protect the data.
  • Whether an agreement on sharing research data needs to be signed.
  • Document the considerations weighed for sharing the data.

Overview

The Public Access to Information and Secrecy Act is national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the provisions that protect certain research data. This complicates sharing data with recipients outside of Sweden.

The GDPR is an EU regulation and applies to the processing of personal data in all EU/EEA member states. Personal data issues are therefore handled in much the same way with collaborators in other EU/EEA countries as with Swedish organisations.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit what is shared to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data.

When sharing sensitive personal data and personal data about violations of the law, it is important that it is clear from the ethical review approval that the data will be shared with the relevant collaborator. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. Sensitive personal data are of such a nature that confidentiality regulations often apply. If the information is subject to confidentiality, the basic assumption is that research data cannot be shared with recipients outside of Sweden.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

In a research collaboration, there may be reason to define the controller for personal data. Are the parties separate personal data controllers or do they have a joint personal data controllership according to Article 26 of the GDPR?

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

Currently, the most common approach for research collaborations is that the parties are separate personal data controllers. However, the Legal Affairs Office has noted an increase in requests for agreements on joint responsibility for personal data control.

Joint personal data controllers

Joint responsibility for personal data control must be documented. There are no formal requirements on how this documentation should look. It can take the form of an agreement or by reporting the division of responsibilities in an open manner, for example by the parties formulating a clear description of the joint personal data control in the information letter given to research subjects as part of the requirements in Articles 13–14 of the GDPR.

If the joint control of personal data is regulated in an agreement, the delegation of authority specifies that the University Director is to sign the agreement.

Is a personal data processing agreement needed?

For research collaborations, it is rarely a question of one party being a personal data processor for the other party. A research collaboration is not the type of dependent processing of personal data on someone else's behalf that characterises a processor situation. Providing data to a service provider, such as for analysis or transcription, is a typical processor situation that requires a written personal data processing agreement.

Agreements regulating sharing research data

When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties. When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

F) Cooperation with a private company, foundation, voluntary organisation or similar outside the EU/EEA.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at a company, foundation, voluntary organisation or other private body outside the EU/EEA. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data concern sensitive personal data or personal data concerning violations of the law.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • What personal data are necessary to share.
  • The lawful basis for processing the personal data.
  • Who the personal data controller is and that this is documented.
  • Whether there are confidentiality provisions that protect the data.
  • That the project has ethical approval and that the approval covers the planned collaboration and the collaborator.
    • If there is no ethical approval or it does not cover sharing personal data in the planned collaboration, apply for a new approval or supplement the existing approval.
  • Whether the country in question has what is known as an adequacy decision or whether other protective measures need to be put in place.
  • Whether an agreement on sharing research data needs to be signed.
  • Document the considerations weighed for sharing the data.

Overview

The Public Access to Information and Secrecy Act is national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the regulations that provide protection for certain research data. This complicates sharing research data covered by confidentiality with recipients outside of Sweden.

The GDPR only applies to the processing of personal data within the EU/EEA, which creates barriers to the sharing of personal data with recipients in other countries. For this reason, sharing research data containing personal data with recipients outside the EU/EEA must be regulated differently to retain protection of personal privacy. Contact the Legal Affairs Office if you need to transfer personal data to a country outside the EU/EEA.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit the shared data to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data.

When sharing sensitive personal data and personal data about violations of the law, it is important that it is clear from the ethical review approval that the data will be shared with the relevant collaborator. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. Sensitive personal data are of such a nature that confidentiality regulations often apply. If the information is subject to confidentiality, the basic assumption is that research data cannot be shared with recipients outside of Sweden.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

Sharing personal data outside the EU/EEA is referred to as a third country transfer. For some countries, the EU Commission has issued what is known as an adequacy decision. This means that the national legislation in these countries ensures an adequate level of protection for personal data and personal privacy. These countries are listed on the website of the Swedish Authority for Privacy Protection. In these cases, the GDPR does not present any obstacles for sharing the data.

If the country is not on the list noted above, other appropriate protective measures must be put in place to ensure the level of protection required by the GDPR. The most common safeguard for the University is to sign contracts containing the standard contractual clauses developed by the European Commission. The Legal Affairs Office will help draw up these agreements, which are then signed by the University Director. In these cases, it is important that the data are pseudonymised. Not only will this often enable disclosure as per the Public Access to Information and Secrecy Act, it is also considered a safeguard as per Article 32 of the GDPR.

The basic conditions that must be met for the processing of personal data to be legal as per the GDPR must also be met. This includes only processing the personal data that are necessary. This makes it important to limit the shared data to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Agreements regulating sharing research data

When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party to the project provides a proposed agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties.

When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

More information

In-depth information:

  • Agreements and contracts
  • Personal data processing in research
  • Transfer of personal data abroad
  • FAQ on personal data management
  • Public documents
  • Confidentiality and professional secrecy
  • Disclosure of public documents
  • FAQ on public documents and confidentiality
  • Information security

Contact information

Contact the Legal Affairs Office at universitetsjurist@umu.se

Contact the data protection officers at pulo@umu.se with questions regarding personal data management.

Legal Affairs Office
4/9/2024