Sharing research data that contain personal data

The following are example cases in which researchers at Umeå University need to share research data that contain personal data meriting special protection, or general personal data that do not require ethical review, with researchers at other organisations in Sweden or abroad.

If the research data contain sensitive personal data or personal data concerning violations of the law, please read the guide on Sharing data in ethically approved research.

What is personal data that merit special protection?

Personal data that merit special protection are personal data that are not sensitive personal data but that are considered particularly worthy of protection. This can include salary data, valuation data, such as data from staff development discussions, data from the results of personality tests or personality profiles, information relating to someone's private life or information on social conditions. Personal identity numbers are considered personal data particularly meriting special protection.

Personal data concerning violations of the law are also considered to be personal data meriting special protection. However, since these require ethical approval for processing in research, they are covered under the section Sharing research data in ethically approved research.

What are general personal data?

Since any data that may be directly or indirectly linked to a living person are considered personal data, the term "general personal data" is often used to describe information that is neither sensitive nor otherwise important for privacy.

Example cases

A) Cooperation with a university or other public organisation in Sweden.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at another higher education institution, public authority, municipality or regional health authority in Sweden. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data are personal data that merit special protection or general personal data.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • what personal data need to be shared;
  • the lawful basis for processing (sharing) the personal data;
  • whether there is confidentiality that protects the data;
  • who the personal data controller is and that this is documented; and
  • that the considerations weighed for sharing the data are documented.

Overview

Swedish municipalities, regional health authorities and other public authorities are covered by the same legislation as Umeå University, such as the GDPR and the Public Access to Information and Secrecy Act.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit the shared data to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules regarding controllership of personal data

In a research collaboration, there may be reason to define the controller for personal data. Are the parties separate personal data controllers or do they have a joint personal data controllership according to Article 26 of the GDPR?

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

Currently, the most common approach for research collaborations is that the parties are separate personal data controllers. However, the Legal Affairs Office has noted an increase in requests for agreements on joint responsibility for personal data control.

Joint personal data controllers

Joint responsibility for personal data control must be documented. There are no formal requirements on how this documentation should look. It can take the form of an agreement or of an open account of the division of responsibilities, for example a clear description of the joint personal data control formulated by the parties in the information letter given to research subjects as part of the requirements in Articles 13–14 of the GDPR.

If the joint control of personal data is regulated in an agreement, the delegation of authority specifies that the University Director is to sign the agreement.

Is a personal data processing agreement needed?

For research collaborations, it is rarely a question of one party being a personal data processor for the other party. A research collaboration is not the type of dependent processing of personal data on someone else's behalf that characterises a processor situation. Providing data to a service provider, for example for analysis or transcription, is a typical processor situation that requires a written personal data processing agreement.

Agreements regulating sharing research data

The Legal Affairs Office does not recommend signing agreements with other Swedish higher education institutions, other public authorities, municipalities or regional health authorities on how shared research data will be processed, as they are covered by laws regarding public access to information and archiving obligations. Instead, information about any transferred confidentiality should be provided to these types of organisations.

Biobank samples are not public documents and thus are not covered by this guide or position regarding agreements. For these, rules in the Biobanks Act (SFS 2023:38) apply.

If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties.

When you need to draw up or review agreements, fill out the Contract review form and send it to the Legal Affairs Office.

B) Cooperation with higher education institutions or other public organisations outside of Sweden but within the EU/EEA.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at another higher education institution, public authority, municipality, regional health authority or equivalent public organisation outside of Sweden but within the EU/EEA. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data are personal data that merit special protection or general personal data.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • what personal data need to be shared;
  • the lawful basis for processing (sharing) the personal data;
  • whether there is a confidentiality provision that protects the data;
    • Investigate whether the information can be pseudonymised or anonymised in a way that enables research data to be shared.
  • who the personal data controller is and that this is documented;
  • whether an agreement on sharing research data needs to be signed;
  • that the considerations weighed for sharing the data are documented.

Overview

The Public Access to Information and Secrecy Act is national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the regulations that provide protection for certain research data. This complicates sharing data with recipients outside of Sweden.

The GDPR is an EU regulation and applies to the processing of personal data in all member states within the EU/EEA.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit the shared data to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. Sensitive personal data are of such a nature that confidentiality regulations often apply. If the information is subject to confidentiality, the basic assumption is that research data cannot be shared with recipients outside of Sweden.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

In a research collaboration, there may be reason to define the controller for personal data. Are the parties separate personal data controllers or do they have a joint personal data controllership according to Article 26 of the GDPR?

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

Currently, the most common approach for research collaborations is that the parties are separate personal data controllers. However, the Legal Affairs Office has noted an increase in requests for agreements on joint responsibility for personal data control.

Joint personal data controllers

Joint responsibility for personal data control must be documented. There are no formal requirements on how this documentation should look. It can take the form of an agreement or of an open account of the division of responsibilities, for example a clear description of the joint personal data control formulated by the parties in the information letter given to research subjects as part of the requirements in Articles 13–14 of the GDPR.

If the joint control of personal data is regulated in an agreement, the delegation of authority specifies that the University Director is to sign the agreement.

Is a personal data processing agreement needed?

For research collaborations, it is rarely a question of one party being a personal data processor for the other party. A research collaboration is not the type of dependent processing of personal data on someone else's behalf that characterises a processor situation. Providing data to a service provider, for example for analysis or transcription, is a typical processor situation that requires a written personal data processing agreement.

Agreements regulating sharing research data

When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties.

When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

C) Cooperation with a higher education institution or other public organisation outside the EU/EEA.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at another higher education institution, public authority, municipality, regional health authority or equivalent public organisation outside the EU/EEA. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data are personal data that merit special protection or general personal data.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • what personal data will be processed;
  • the lawful basis for processing the personal data;
  • whether the country in question has what is known as an adequacy decision or whether other safeguards need to be put in place;
  • who the personal data controller is and that this is documented;
  • whether there is a confidentiality provision that protects the data;
    • Investigate whether the personal data can be pseudonymised or anonymised in a way that enables research data to be shared.
  • whether an agreement on sharing research data needs to be signed;
    • Contact the Legal Affairs Office if an agreement regulating sharing research data needs to be drawn up.
  • that the considerations weighed for sharing the data are documented.

Overview

The Public Access to Information and Secrecy Act is national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the protection the Public Access to Information and Secrecy Act provides to certain research data. This complicates sharing data with these types of recipients.

The GDPR applies only to the processing of personal data within the EU/EEA, which places restrictions on transferring personal data to parties outside the EU/EEA. In these cases, sharing of research data that contain personal data must be regulated differently to maintain the protection of personal privacy. Contact the Legal Affairs Office if you need to transfer personal data to a country outside the EU/EEA.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. If the information is subject to confidentiality, the basic assumption is that research data cannot be shared with recipients outside of Sweden. Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

Sharing personal data outside the EU/EEA is referred to as a third country transfer. A third country transfer requires being able to maintain the corresponding protection for personal privacy that the GDPR creates. For some countries, the EU Commission has issued what is known as an adequacy decision. This means that national legislation in these countries ensures an adequate level of protection for personal data and personal privacy. These countries are listed on the website of the Swedish Authority for Privacy Protection. In these cases, the GDPR does not present any obstacles for sharing the data.

If the country is not on the list noted above, other appropriate protective measures must be in place to ensure the level of protection required by the GDPR. The most common safeguard for the University is to sign contracts with the standard contractual clauses developed by the European Commission. The Legal Affairs Office will help draw up these agreements, which are then signed by the University Director. In these cases, it is important that the data are pseudonymised. Not only will this often enable disclosure as per the Public Access to Information and Secrecy Act, it is also considered a safeguard as per Article 32 of the GDPR.

Agreements regulating sharing research data

When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party to the project provides a proposed agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties.

When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

D) Cooperation with a private company, foundation, voluntary organisation or similar in Sweden.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at a company, foundation, voluntary organisation or other private body in Sweden. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data are personal data that merit special protection.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • what personal data will be processed;
  • the lawful basis for processing the personal data;
  • whether the data are protected by confidentiality;
    • Investigate whether the data can be disclosed with confidentiality reservation. The person responsible for the research data determines such reservations. Contact the Legal Affairs Office for support.
  • who the personal data controller is and that this is documented;
  • whether an agreement on sharing research data needs to be signed;
    • Contact the Legal Affairs Office if an agreement regulating sharing research data needs to be signed.
  • that the considerations weighed for sharing the data are documented.

Overview

The Public Access to Information and Secrecy Act does not cover private parties. The protection provided by the Act for certain research data thus does not apply to private parties. This creates obstacles to sharing research data covered by confidentiality with private parties. In some cases, sharing of research data that are subject to confidentiality can be made possible through a confidentiality reservation.

The GDPR applies to private parties in all member states of the EU/EEA.

Confidentiality review

When it comes to disclosure of research data to private entities, the confidentiality review is of crucial importance, since these parties are not covered by the Public Access to Information and Secrecy Act and there is no statutory confidentiality protection for the data. This means that the risk of harm or injury is greater than when sharing with public organisations covered by confidentiality regulations.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules regarding controllership of personal data

In a research collaboration, there may be reason to define the controller for personal data. Are the parties separate personal data controllers or do they have a joint personal data controllership according to Article 26 of the GDPR?

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

Currently, the most common approach for research collaborations is that the parties are separate personal data controllers. However, the Legal Affairs Office has noted an increase in requests for agreements on joint responsibility for personal data control.

Joint personal data controllers

Joint responsibility for personal data control must be documented. There are no formal requirements on how this documentation should look. It can take the form of an agreement or of an open account of the division of responsibilities, for example a clear description of the joint personal data control formulated by the parties in the information letter given to research subjects as part of the requirements in Articles 13–14 of the GDPR.

If the joint control of personal data is regulated in an agreement, the delegation of authority specifies that the University Director is to sign the agreement.

Is a personal data processing agreement needed?

For research collaborations, it is rarely a question of one party being a personal data processor for the other party. A research collaboration is not the type of dependent processing of personal data on someone else's behalf that characterises a processor situation. Providing data to a service provider, for example for analysis or transcription, is a typical processor situation that requires a written personal data processing agreement.

Agreements regulating sharing research data

When the research project collaborates with a private party, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving on that party as it does on Swedish public authorities. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project; and
  • what the collaborator is to do with the research data after the end of the project.

If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties.

When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

E) Cooperation with a private company, foundation, voluntary organisation or similar in the EU/EEA.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at a company, foundation, voluntary organisation or other private body outside of Sweden but within the EU/EEA. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data are personal data that merit special protection.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • what personal data need to be shared;
  • the lawful basis for processing the personal data;
  • who the personal data controller is and that this is documented;
  • whether there is a confidentiality provision that protects the data at Umeå University;
    • Investigate whether the information can be pseudonymised or anonymised in a way that enables research data to be shared.
  • whether an agreement on sharing research data needs to be signed;
    • Contact the Legal Affairs Office if an agreement regulating sharing research data needs to be drawn up.
  • that the considerations weighed for sharing the data are documented.

Overview

The Public Access to Information and Secrecy Act is national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the regulations that provide protection for certain research data. This complicates sharing data with recipients outside of Sweden.

The GDPR is an EU regulation and applies to the processing of personal data in all member states within the EU/EEA.

The GDPR specifies certain basic conditions that must be met for the processing of personal data to be legal. This includes only processing the personal data that are necessary. This makes it important to limit the shared data to the personal data actually required by the collaborator to conduct their part in the project. There also needs to be a lawful basis for sharing the personal data. See the Personal data processing in research pages for more information on what to consider when processing personal data.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. Sensitive personal data are of such a nature that confidentiality regulations often apply. If the information is subject to confidentiality, the basic assumption is that research data cannot be shared with recipients outside of Sweden.

Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

In a research collaboration, there may be reason to define the controller for personal data. Are the parties separate personal data controllers or do they have a joint personal data controllership according to Article 26 of the GDPR?

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

Currently, the most common approach for research collaborations is that the parties are separate personal data controllers. However, the Legal Affairs Office has noted an increase in requests for agreements on joint responsibility for personal data control.

Joint personal data controllers

Joint responsibility for personal data control must be documented. There are no formal requirements on how this documentation should look. It can take the form of an agreement or of an open account of the division of responsibilities, for example a clear description of the joint personal data control formulated by the parties in the information letter given to research subjects as part of the requirements in Articles 13–14 of the GDPR.

If the joint control of personal data is regulated in an agreement, the delegation of authority specifies that the University Director is to sign the agreement.

Is a personal data processing agreement needed?

For research collaborations, it is rarely a question of one party being a personal data processor for the other party. A research collaboration is not the type of dependent processing of personal data on someone else's behalf that characterises a processor situation. Providing data to a service provider, for example for analysis or transcription, is a typical processor situation that requires a written personal data processing agreement.

Agreements regulating sharing research data

When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party in the project proposes an agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties.

When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

F) Cooperation with a private company, foundation, voluntary organisation or similar outside the EU/EEA.

Case description

A researcher at Umeå University conducts a research project together with researchers (co-researchers) at a company, foundation, voluntary organisation or other private body outside the EU/EEA. Umeå University is the personal data controller and the research accountable authority. The co-researchers are directly involved in the project and need access to raw data for analysis or similar. The research data are personal data that merit special protection or general personal data.

Checklist

Before research data are shared with collaborators, researchers at Umeå University need to determine the following:

  • what personal data need to be shared;
  • the lawful basis for processing the personal data;
  • who the personal data controller is and that this is documented;
  • whether the data are protected by confidentiality;
  • whether the country in question has what is known as an adequacy decision or whether other protective measures need to be put in place;
  • whether an agreement on sharing research data needs to be signed;
  • that the considerations weighed for sharing the data are documented.

Overview

The Public Access to Information and Secrecy Act is national legislation that does not apply outside of Sweden. As such, foreign parties are not covered by the protection the Public Access to Information and Secrecy Act provides to certain research data. This complicates sharing data with these types of recipients.

The GDPR applies only to the processing of personal data within the EU/EEA, which places restrictions on transferring personal data to parties outside the EU/EEA. In these cases, sharing of research data that contain personal data must be regulated differently to maintain the protection of personal privacy. Contact the Legal Affairs Office if you need to transfer personal data to a country outside the EU/EEA.

Confidentiality review

Umeå University needs to investigate whether the University has received the data from another public authority and whether that authority has transferred "its" confidentiality to Umeå University. Then, the University needs to investigate whether the data are covered by any other confidentiality. If the information is subject to confidentiality, the basic assumption is that research data cannot be shared with recipients outside of Sweden. Read more about the necessary confidentiality considerations in the guide on Sharing confidential research data.

Rules for controllership of personal data

Sharing personal data outside the EU/EEA is referred to as a third country transfer. A third country transfer requires being able to maintain the corresponding protection for personal privacy that the GDPR creates. For some countries, the EU Commission has issued what is known as an adequacy decision. This means that national legislation in these countries ensures an adequate level of protection for personal data and personal privacy. These countries are listed on the website of the Swedish Authority for Privacy Protection. In these cases, the GDPR does not present any obstacles for sharing the data.

If the country is not on the list noted above, other appropriate protective measures must be in place to ensure the level of protection required by the GDPR. The most common safeguard for the University is to sign contracts with the standard contractual clauses developed by the European Commission. The Legal Affairs Office will help draw up these agreements, which are then signed by the University Director. In these cases, it is important that the data are pseudonymised. Not only will this often enable disclosure as per the Public Access to Information and Secrecy Act, it is also considered a safeguard as per Article 32 of the GDPR.

Agreements regulating sharing research data

When the research project collaborates with a party outside of Sweden, Swedish legislation does not place the same requirements for public access to information, confidentiality and archiving as it does for Swedish parties. It may thus be necessary to sign agreements regulating how data may be used. Such agreements should stipulate:

  • that research data may not be used for any other purpose than for the current project;
  • what the collaborator is to do with the research data after the end of the project; and
  • that the recipient is responsible for having the necessary approvals as per the legislation in the country where the recipient operates.

If another party to the project provides a proposed agreement, contact the Legal Affairs Office immediately. It is common that the terms of such a proposal need to be adjusted through negotiation between the parties.

When you need to draw up or review contracts, fill out the Contract review form and send it to the Legal Affairs Office.

Contact information

Contact the Legal Affairs Office at universitetsjurist@umu.se

Contact the data protection officers with questions regarding personal data management at pulo@umu.se

Legal Affairs Office
4/10/2024