In the guide's general section, you can read about what confidentiality is and what conditions are required for research data to be covered by confidentiality.
It is common for data classified as confidential also to be personal data. You may therefore also need to confirm the processing is in accordance with the provided examples before sharing research data. Contact the Legal Affairs Office if you are unsure whether your research data are covered by confidentiality.
Different types of confidentiality
There are three different forms of confidentiality in the Public Access to Information and Secrecy Act: absolute confidentiality, strong confidentiality and weak confidentiality.
Absolute confidentiality means that no data may be disclosed to anyone other than employees who need the data to be able to perform their work. No personal data protection test or harm review is conducted.
Strong confidentiality means that a supposition for confidentiality protection applies and that the information may only be disclosed if it is clear that this can be done without certain harm or damage. This means that, in principle, you must be able to rule out that harm or damage will occur if the data are disclosed.
Weak confidentiality means that a supposition for public access to information applies, and that the data may only be classified confidential if it can be assumed that certain amount of harm or damage can occur. This means that you know of a circumstance that indicates that harm or damage will occur if the data are disclosed.
Guidance on the most common confidentiality provisions for Umeå University's organisation and activities are found in the Vägledning om offentlighet och sekretess (Guide to public access and confidentiality) (only in Swedish).
Contact the Legal Affairs Office if you are unsure whether your research data are covered by confidentiality.
Transferred confidentiality
Under certain conditions, Swedish authorities can transfer the same confidentiality that applies to their own authority to another Swedish authority. According to Chapter 11, Section 3 of the Public Access to Information and Secrecy Act, such confidentiality is transferred from another public authority to the University when the University receives the confidential classified data for research purposes. Much of the information received by the University from other authorities, such as register data from Statistics Sweden and others, is covered by transferred confidentiality.
When sharing research data, in many cases the University can use the same option of transferring confidentiality to another Swedish authority. It is not possible to transfer confidentiality to collaborators outside of Sweden or to a collaborator that is not a Swedish authority, for example a company or a voluntary organisation. When sharing confidential research data, you must provide information to the collaborator about the transferred confidentiality. Contact the Legal Affairs Office for help in formulating this information.
Sharing with confidentiality reservations
In collaborative projects with Swedish companies, in some cases sharing confidential research data can be enabled by including a confidentiality reservation as per Chapter 10, Section 14 of the Public Access to Information and Secrecy Act. Sharing research data subject to confidentiality reservation means that the recipient's right to determine the use of the data is restricted. The University can, for example, prevent the recipient from disclosing the data or can implement restrictions on the right to use the data.
Confidentiality reservations can only be used if the University judges that the risk of damage is eliminated when sharing research data with the other party.
When sharing with a company, the reservation is to be addressed to individuals employed by the company. This is linked to the fact that the reservation establishes a statutory and penally sanctioned confidentiality obligation. Confidentiality reservations are to be formulated as a decision and not as an agreement. Contact the Legal Affairs Office for help with formulating the decision. It is not allowed to disclose confidential information with confidentiality reservations to collaborators outside of Sweden.
Agreement-regulated confidentiality
Agreements, such as cooperation agreements, may include clauses that regulate the confidentiality of data that are disclosed, known as contractual confidentiality. Contractual confidentiality can never replace legal rules on public access to information and confidentiality, but it can be a complement to allow sharing data in some cases. Contractual confidentiality, combined with other measures, such as pseudonymisation, means that the University may conclude during a confidentiality assessment that the data are shared without risk of damage or harm to the person to whom the data relate. An assessment is to always be conducted in individual cases.
Contractual confidentiality is not as strong as the confidentiality set forth by the Public Access to Information and Secrecy Act. This is, in part, because the confidentiality obligation is not penalised as per the Criminal Code in the case of contractual confidentiality.
Since there are no legal rulings regarding disclosure with contractual confidentiality, sharing research data that contain confidentiality-classified data with the support of contractual confidentiality involves the risk that the sharing will be judged as a breach of confidentiality in the event of a trial. Each researcher needs to be aware of and make decisions based on this risk when sharing.
If you need help reviewing or drawing up agreements, fill out the Contract review form and send it to the Legal Affairs Office.
Sharing research data with collaborators in another country
The rules in the Public Access to Information and Secrecy Act only apply to Swedish authorities and other public organisation. As such, as a general rule, confidential data cannot be transferred to individuals or organisations abroad. If sharing research data with foreign parties is to be possible, additional protective measures are needed to protect the data that the confidentiality applies to.
Possible measures that may enable transfer of data abroad are the following:
- The data that the University intend to disclose are pseudonymised.
- There is no possibility to use other available data to link the data to an individual, i.e., back tracking is not possible.
- An agreement (e.g., a partnership agreement) must have confidentiality clauses for the data, known as contractual confidentiality.
- If the research is to be ethically reviewed, it must be clear from the application that data will be shared with research parties abroad.
Example cases
A) Cooperation with a higher education institution or other public organisation in Sweden.
Case description
A researcher at Umeå University conducts a research project together with researchers (co-researchers) at another higher education institution, public authority, municipality, regional health authority or equivalent public organisation in Sweden. The co-researchers are directly involved in the project and need access to raw data for analysis or similar.
Checklist
Before research data is shared with collaborators, researchers at Umeå University need to determine the following:
- Whether Umeå University receives the data from another Swedish authority or public organisation. Check whether the confidentiality of the data has been transferred to Umeå University from the disclosing authority.
- If the data do not come from another authority or the disclosing authority has not shared the data with transferred confidentiality, conduct a confidentiality review based on the confidentiality provisions applicable to the data.
- If Umeå University can share the data with transferred confidentiality as per Chapter 11, Section 3 of the Public Access to Information and Secrecy Act, inform the recipient of any transferred confidentiality.
- Document the considerations weighed for sharing the data.
Overview
Swedish municipalities, regional health authorities and other public authorities are covered by the Public Access to Information and Secrecy Act. Confidentiality can often be transferred to parties covered by the Public Access to Information and Secrecy Act when the purpose of disclosure is for the data to be used in research. Transfer of confidentiality is done with support from Chapter 11, Section 3 of the Public Access to Information and Secrecy Act.
Umeå University needs to investigate whether there is a confidentiality provision that protects the data at the University.
If the University has received data from another authority, the University needs to investigate whether the disclosing authority has transferred "its" confidentiality to Umeå University. Transfer of confidentiality is done with support from Chapter 11, Section 3 of the Public Access to Information and Secrecy Act. Often, information or a decision is included at the time of disclosure that confidentiality has been transferred.
In some cases, Umeå University has the option of sharing the data with transferred confidentiality with organisations that are also covered by the Public Access to Information and Secrecy Act. If Umeå University can transfer the confidentiality with the support of Chapter 11, Section 3 of the Act, it is rarely considered to be harmful or damaging to the individual that the data are disclosed.
If research data are shared with transferred confidentiality, the recipient must be informed that confidentiality has been transferred and which provision in the Public Access to Information and Secrecy Act the recipient is to apply. Contact the Legal Affairs Office for templates and support in producing information materials. To ensure a quick response when contacting us, clearly describe the recipient and what the research data to be shared include.
Transfer of confidentiality is not possible
During the confidentiality review, should Umeå University conclude that it is not possible to transfer confidentiality to the collaborator or other measures cannot sever the link between the data and the person for whom the confidentiality intends to protect, sharing is not possible.
Agreements regulating sharing research data
The Legal Affairs Office does not recommend signing agreements with other Swedish higher education institutions, other public authorities, municipalities or regional health authorities on how shared research data will be processed, as they are covered by laws regarding public access to information and archiving obligations. Instead, information about any transferred confidentiality should be provided to these types of organisations.
Biobank samples are not public documents and thus are not covered by this guide or position regarding agreements. For these, rules in the Biobanks Act (SFS 2023:38) apply.
If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties. When you need to draw up or review agreements, fill out the Contract review form and send it to the Legal Affairs Office.
B) Cooperation with a private company, foundation, voluntary organisation or similar in Sweden.
Case description
A researcher at Umeå University conducts a research project together with researchers (co-researchers) at a company, foundation, voluntary organisation or other private body in Sweden. Umeå University is the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar.
Checklist
Before research data is shared with collaborators, researchers at Umeå University need to determine the following:
- If Umeå University receives the data from another Swedish authority or public activity, determine whether the confidentiality of the data has been transferred to Umeå University from the disclosing authority.
If the data do not come from another authority or the disclosing authority has not shared the data with transferred confidentiality, conduct a confidentiality review based on the confidentiality provisions applicable to the data.
- Investigate whether confidential data can be disclosed with confidentiality reservations. The person responsible for the research data determines such reservations. Contact the Legal Affairs Office for support.
- Whether an agreement on sharing research data needs to be signed.
- Document the considerations weighed for sharing the data.
Overview
The Public Access to Information and Secrecy Act does not cover private parties. As such, the protection provided by the Act for certain research data does not apply to private parties. This complicates sharing research data covered by confidentiality with private parties.
In these cases, it is not possible to transfer confidentiality as per Chapter 11, Section 3 of the Public Access to Information and Secrecy Act. In cases of Swedish private parties, disclosed confidential data can be protected using a confidentiality clause as per Chapter 10, Section 14 of the Public Access to Information and Secrecy Act.
Contact the Legal Affairs Office for assistance in assessing whether a confidentiality reservation is possible and in formulating decisions. To ensure a quick response when contacting us, clearly describe the recipient and what the research data to be shared include.
Agreements regulating sharing research data
When the research project collaborates with a private entity party Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:
- that research data may not be used for any other purpose than for the current project; and
- what the collaborator is to do with the research data after the end of the project.
If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties. When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.
C) Cooperation with a party in another country
Case description
A researcher at Umeå University conducts a research project together with researchers (co-researchers) at a higher education institution, public authority, company or other organisation in another country. The co-researchers are directly involved in the project and need access to raw data for analysis or similar.
Checklist
Before research data is shared with collaborators, researchers at Umeå University need to determine the following:
- If Umeå University receives the data from another Swedish authority or public activity, determine whether the confidentiality of the data has been transferred to Umeå University from the disclosing authority.
- Always contact the Legal Affairs Office if research data can be covered by statistical confidentiality as per Chapter 24, Section 8 of the Public Access to Information and Secrecy Act.
- If the data do not come from another public authority or the disclosing authority has not shared the data with transferred confidentiality, conduct a confidentiality review based on the confidentiality provisions applicable to the data.
- Investigate whether measures can be taken that protect what the confidentiality covers and thus enable sharing of the research data.
- Whether an agreement on sharing research data needs to be signed.
- Contact the Legal Affairs Office if an agreement regulating sharing research data needs to be drawn up.
- Document the considerations weighed for sharing the data.
Overview
The Public Access to Information and Secrecy Act is a national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the regulations that provide protection for certain research data. When data are shared with a collaborator in another country, it is therefore not possible to transfer Umeå University's confidentiality as per Chapter 11, Section 3 of the Public Access to Information and Secrecy Act. This complicates sharing data with these types of recipients.
The option of disclosing data with the support of a confidentiality reservation also does not apply to recipients outside Sweden.
If Umeå University has received the data with confidentiality from another public authority or if there is another type of confidentiality that protects the data at Umeå University, the basic assumption is that the research data cannot be shared with recipients outside of Sweden.
Agreements regulating sharing research data
When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:
- that research data may not be used for any other purpose than for the current project;
- what the collaborator is to do with the research data after the end of the project; and
- that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.
If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties. When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.