Management of personal data
Research often involves processing information which in one way or another can be traced to living individuals. The rules for managing such information are set out in the Personal Data Act. If the processing of the data concerns sensitive personal information, the research must also undergo ethical review. Below, you can read more about the rules that apply to the processing of personal information for research purposes.
What counts as personal data?
Personal data is understood as any information which can directly or indirectly be traced to a physical person who is currently alive. Thus it is sufficient that the information can be connected in some way to the person in question. An explicit connection, such as the personal identity number or home address, need not be included.
Coded and encrypted information also counts as personal data as long as it is possible to re-establish the connection between the data and the individuals concerned. It is of no consequence that the researcher does not personally have access to the code list or the password required to establish this connection.
What counts as processing of personal data?
Measures taken with regard to personal data, whether automatically or otherwise, count as processing of personal information. For example, this includes collection, registration, organisation, storage, processing or changing, recycling, gathering, use, disclosure through transmission, dissemination or other provision of data, compilation or matching, blocking, obliteration or destruction.
Sensitive personal data
If at any stage the research involves the processing of sensitive personal data, it must undergo ethical review. Please note that the Personal Data Act determines what counts as sensitive personal information. The Act states that this applies to personal information about:
- Race or ethnic origin
- Political views
- Religious or philosophical convictions
- Trade union membership
- Health or sex life
The requirement for ethical review also applies to personal data on legal offences involving crimes, criminal convictions, procedural coercive measures or administrative detention.
The personal information officer and the requirement to report processing of such data
At Lund University, the processing of personal data is to be reported to a specially appointed personal information officer, namely Johanna Alhem at Management Support (see contact details in the right hand column).
The report is to be filed before the personal data is processed. The form for reporting the processing of personal data can be downloaded directly from this web page. You can fill in the form on your computer but you must then print it out and get it signed by the head of department. It is to be sent to Management Support/Legal division, HS 31.
Who is responsible?
The head of each department is responsible for ensuring that the processing of personal data is carried out correctly and in accordance with the law. The head of department can, however, choose to appoint a contact person who is responsible for coordinating the department’s processing of personal data and takes care of contacts with the personal information officer. If such a person is appointed, this is to be reported on a separate form.
Several Swedish public authorities have joined forces to produce an information leaflet on personal data in research. In addition to general information on rules and regulations, the leaflet includes a checklist of things researchers need to take into account.
- Personal information in research – what rules apply? (in Swedish)
Personal data representative
Sektionen ledningsstöd, HS
Paradisgatan 5 B
johanna [dot] alhem [at] rektor [dot] lu [dot] se
Tel: 046-222 09 85
Do you have any questions regarding research ethics regulations? As an employee of Lund University, you can turn to forskningsetik [at] lu [dot] se.