Management of personal data
Research often involves processing information which in one way or another can be traced to living individuals. The rules for managing such information are set out in the General Data Protection Regulation. If the processing of the data concerns sensitive personal information, the research must also undergo ethical review. Below, you can read more about the rules that apply to the processing of personal information for research purposes.
What counts as personal data?
Personal data is understood as any information which can directly or indirectly be traced to a physical person who is currently alive. Thus it is sufficient that the information can be connected in some way to the person in question. An explicit connection, such as the personal identity number or home address, need not be included.
Coded and encrypted information also counts as personal data as long as it is possible to re-establish the connection between the data and the individuals concerned. It is of no consequence that the researcher does not personally have access to the code list or the password required to establish this connection.
What counts as processing of personal data?
Measures taken with regard to personal data, whether automatically or otherwise, count as processing of personal information. For example, this includes collection, registration, organisation, storage, processing or changing, recycling, gathering, use, disclosure through transmission, dissemination or other provision of data, compilation or matching, blocking, obliteration or destruction.
Sensitive personal data
If at any stage the research involves the processing of sensitive personal data, it must undergo ethical review. Please note that the General Data Protection Regulation determines what counts as sensitive personal information. It consists of personal data revealing
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- sex life or sexual orientation
The following are also regarded as sensitive:
- genetic data
- biometric data
The requirement for ethical review also applies to personal data on legal offences involving crimes, criminal convictions, procedural coercive measures or administrative detention.
The Data Protection Officer (DPO) and the requirement to report processing of personal data
The Data Protection Officer at Lund University can be contacted via dataskyddsombud [at] lu [dot] se. Before personal data is processed, the processing shall be reported via a special form. Information about this and the form is found here: Registration of personal data processing.
Who is responsible?
The head of each department is responsible for ensuring that the processing of personal data is carried out correctly and in accordance with the law. The head of department can, however, choose to appoint a contact person who is responsible for coordinating the department’s processing of personal data and takes care of contacts with the Data Protection Officer. If such a person is appointed, this is to be reported on a separate form.
Do you have any questions regarding research ethics regulations? As an employee of Lund University, you can turn to forskningsetik [at] lu [dot] se.
Data Protection Officer (DPO)
dataskyddsombud [at] lu [dot] se