The assessment needs to take into account which personal data needs to be processed, which privacy risks the processing entails, whether these risks are proportionate to the purpose of the processing and which prerequisites need to be satisfied according to current regulations. As a result, you should conduct an information classification and a risk and vulnerability analysis before the start of each research project.
Go directly to:
Basic requirements for personal data processing for research purposes
Sensitive personal data and criminal convictions and offences
Information to be provided for the data subjects
Data protection impact assessment
Reporting your personal data processing
Personal data processing agreements
Necessary processing to carry out a task in the public interest
Consent to personal data processing and consent to participation in research
Safeguards
Reporting personal data breaches
Good research practice
Basic requirements for personal data processing for research purposes
The General Data Protection Regulation (GDPR) specifies certain basic conditions that need to be met for the processing of personal data to be legal.
Lawful basis
The list of lawful bases in Article 6.1 of GDPR is extensive. The lawful basis that is mainly relevant for research is public interest. For Umeå University (and for other universities and university colleges with the government as accountable authority), the task of research is established in national law through provisions in the Higher Education Act.
This means that researchers at Umeå University can apply the lawful basis "public interest" when processing personal data that is necessary to carry out research.
Processing personal data with consent according to GDPR entails risks that the consent will be withdrawn and that the research will be negatively affected as a result. Please note that this consent is different from consent to participate in research projects according to the Ethical Review Act.
Fundamental principles
In addition to the fact that the processing of personal data needs to have a lawful basis, certain basic principles apply to the processing itself.
- There must be a specific and explicitly stated purpose for the processing.
- The data are to be correct, adequate, relevant and not too extensive in relation to the purpose of the processing.
- When the personal data are no longer needed for the purpose, they are to be deleted or anonymised. Please note that the University has an obligation to archive, which means that in most cases the data needs to be saved for a certain period of time or preserved for the future.
- The data needs to be protected by taking appropriate security measures.
- The University needs to be able to demonstrate that the authority lives up to the requirements for correct processing of personal data and how this is accomplished. This means that the processing of personal data needs to be documented.
Sensitive personal data and criminal convictions and offences.
Research that includes the processing of sensitive personal data and personal data about criminal convictions and offences etc. is also covered by a requirement for ethical review according to the Act Concerning the Ethical Review of Research Involving Humans (2003:460). For questions about ethical review, contact the Swedish Ethical Review Authority.
Information to be provided for the data subjects
GDPR gives the data subjects rights that also need to be respected, and the data subjects are to be informed of these rights. The data subjects also need to receive information about the processing itself. This means the initial planning phase needs to consider further processing for archival purposes and a data management plan needs to be drawn up. This plan is to show how the material will be collected and stored and who will be given access to the material at different stages of the processing.
The University has produced a template related to information for participants in research projects where personal data are processed. This template has been developed on the basis of the Swedish Ethical Review Authority's "subject information support template" and has been supplemented to meet the obligation to provide information according to GDPR. There is also a checklist for the information required by GDPR. The checklist and template can be found under the heading Information and template on this page. These documents may be updated in the future. Be in the habit of always downloading the latest version published on the staff website.
Data protection impact assessment
If there is a high risk to the rights and freedoms of the data subjects, a data protection impact assessment needs to be conducted before processing begins. An impact assessment is needed, for example, if the research project extensively processes sensitive personal data or if registry data with many registered users is combined with other information in a way that those data subjects could not have expected. An impact assessment may also be necessary if the research project extensively processes personal data about children, employees, asylum seekers, elderly individuals and patients who for some reason are at a disadvantage or in a dependent position, making them vulnerable. Contact the Legal Affair's Office at pulo@umu.se for help in making this assessment.
Reporting your personal data processing
All personal data processing in research projects at Umeå University needs to be entered into the University's register (notification is initiated by contacting pulo@umu.se). More information about registration is available in our FAQ about personal data management.
Personal data processing agreements
If someone outside Umeå University is to process personal data on behalf of Umeå University, a personal data processing agreement needs to be signed. If personal data are to be stored in cloud services, special rules need to be observed. The University has produced a quick guide (in Swedish) that provides some guidance on how digital collaboration tools and storage areas at Umeå University can be used within the framework of the University's operations.
Necessary processing to carry out a task in the public interest
The fact that the processing of personal data is necessary to carry out a task in the public interest — that is, the research — does not mean that it has to be completely impossible to carry out the research without the processing. Rather, it is a question of making a reasonableness assessment of which alternatives are available. Such an assessment should take into account time required, workload, costs and whether the processing contributes to higher quality and reliability of the research results. If the purpose of the research can be largely achieved as well, easily and cheaply with anonymous data as with personal data, the processing cannot reasonably be considered necessary for the performance of the research.
Consent to personal data processing and consent to participation in research
Consent to the processing of personal data is not the same as consent according to the Ethical Review Act, which instead regulates participation in research.
Since the University as a rule uses the lawful basis "public interest" for personal data processing in research, the basis "consent" in the sense of GDPR should not be used. However, consent according to the Ethical Review Act may need to be obtained. Consent to the processing of personal data does not in itself imply consent to participation in research and consent to participation in research does not constitute a lawful basis for personal data processing — these are two different aspects.
Safeguards
According to GDPR, all personal data processing for research purposes needs to incorporate appropriate safeguards, such as measures that are suitable to protect the rights and freedoms of the data subject. The safeguards are to ensure that security, both technically and in terms of authorisation, is sufficient, based on the personal data processed in the project.
Technical and administrative safeguards, such as encryption and access control, are necessary to protect the personal data and should be considered and implemented when deemed appropriate. A safeguard that is often appropriate when processing personal data for research purposes is pseudonymisation. This means that the personal data are processed so that they cannot be linked to a single individual without (separately stored) supplementary data being used. This can be achieved, for example, through the use of code keys.
Regarding the processing of sensitive personal data and personal data involving criminal convictions and offence, etc., special requirements for safeguards and ethics permission are also needed to research this type of data. Often, such information is also confidential. In that case, the Public Access to Information and Secrecy Act's provisions about disclosure and duty of professional secrecy also are to be observed.
Reporting personal data breaches
If a personal data breach occurs — for example, through unauthorised data access — the University's data protection officer needs to report this to the supervisory authority within 72 hours. You therefore must report any suspected personal data breach immediately. The report is sent to abuse@umu.se.
Good research practice
In addition to the requirements established in current data protection regulations, there are also well-established guidelines on good research practice to consider. These include those listed in the Swedish Research Council's publication Good Research Practice (2017) and on the CODEX website.