Legal aspects
On this page you find information about how the General Data Protection Regulation (GDPR) and Swedish legislation apply to research that deals with personal data. You will also learn more about methods for managing and protecting personal data in research.
Frequently asked questions
When do research data contain personal data?
Research data contain personal data when they include information that can directly or indirectly be linked to a living individual. Direct personal information in research might include names or personal identity numbers. Indirect personal data – information that in itself cannot identify a person, but when combined with other sources could identify someone – might include date of birth, place of residence, or occupation. This additional information can be found in records held by another authority, registry holder, company, or private individual. A code key also counts as additional information.
Note that how difficult it is to access additional information or external data sources does not affect whether the data are considered personal data.
When do research data no longer contain personal data?
When all links to living individuals have been removed.
This may be difficult to achieve retrospectively, once the personal data have been collected. It is often hard to determine whether data are no longer personal, as there may still be supplementary information elsewhere that could reveal identities – such as public records or content online. Laws and regulations may also require that documents that could be used to identify individuals are preserved.
What is the difference between anonymized and pseudonymized data?
Anonymized data are data from which all personal identifiers have been removed so that no individual can be identified. These data are no longer considered personal data.
Pseudonymized data, on the other hand, are those where direct identifiers in the material have been replaced by a pseudonym or code. These can only be linked to individuals by someone who has access to additional information, such as a code key. Because that link exists, pseudonymized data are still considered personal data.
Pseudonymization reduces the risk of identification, but data are only considered anonymized once all links to individuals have been irreversibly removed – for example, if the code key is permanently destroyed. Aggregation may also enable anonymization, if categories are broad enough (e.g., grouping exact ages into wide age ranges) to prevent identification using additional data sources.
What counts as pseudonymized research data can vary between quantitative and qualitative research. In quantitative studies, pseudonymization typically means replacing names or personal identity numbers with codes and a code key, stored separately from the data. In qualitative studies, such as interviews, it might involve replacing names with pseudonyms or using more general descriptions for specific job titles or workplaces to reduce identifiability.
Note that laws and regulations differ between countries, so it is important to consider the legal and institutional context when managing research data. Contact your institution’s research data support services or Data Protection Officer for advice on managing personal data in research.
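The quantitative procedure described above (replacing direct identifiers with codes, keeping the code key separate, generalizing exact ages into bands, and destroying the key to anonymize), as an added Python example that is not from the original page; the records, field names and identity numbers are constructed placeholders.

```python
import secrets

# Constructed sample records (fictional people; the personal identity
# numbers are placeholders, not real Swedish personnummer).
RECORDS = [
    {"name": "Anna Example", "pin": "19800101-XXXX", "age": 44, "occupation": "nurse", "score": 7},
    {"name": "Bo Sample", "pin": "19950202-XXXX", "age": 29, "occupation": "teacher", "score": 3},
]

DIRECT_IDENTIFIERS = ("name", "pin")


def age_band(age: int, width: int = 10) -> str:
    """Generalize an exact age into a band such as '40-49' (aggregation)."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def pseudonymize(records):
    """Return (pseudonymized records, code key).

    Each record gets a random code; the code key maps codes back to the
    direct identifiers and must be stored separately from the data.
    Codes are random rather than hashes of the identity number: a hash
    of a short, structured identifier can be reversed by enumerating all
    candidate inputs, so it would not remove the link to the person.
    """
    pseudo, key = [], {}
    for rec in records:
        code = secrets.token_hex(8)
        key[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        data = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        data["age"] = age_band(data.pop("age"))  # indirect identifier generalized
        data["code"] = code
        pseudo.append(data)
    return pseudo, key


def reidentify(pseudo, key):
    """Re-link records to individuals; raises KeyError without the code key."""
    return [{**key[r["code"]], **r} for r in pseudo]


def destroy_key(key):
    """Irreversibly discarding the key is what makes the remaining data anonymized."""
    key.clear()
```

Occupation is left as-is here; as the page notes, it is still an indirect identifier, so in practice it may also need generalizing.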
Can I delete the original data to enable anonymization?
The General Data Protection Regulation (GDPR) includes a principle of storage limitation, meaning that personal data should not be kept longer than necessary for the original purpose. Once that purpose has been fulfilled, personal data should in theory be deleted. In practice, this is often overridden by archival requirements, which require that data from publicly funded research be preserved. If you work at a Swedish university or another public organization, the Swedish Archives Act applies to your material. You may be allowed to delete data if a formal disposal decision (gallringsbeslut) permits it, often after a retention period of at least 10 years. Some research data must be preserved unchanged for the future.
What can be deleted or preserved is governed by the Swedish National Archives’ regulations and your institution’s local policies. Contact your organization’s archive for advice.
In summary: If you have collected personal data for research, it is rarely possible to fully anonymize them in the short term, as the original data and any code keys usually need to be retained unless a formal disposal decision has been made.
What laws govern the processing of personal data for Swedish researchers?
Several laws apply to personal data processing in research, including:
The General Data Protection Regulation (GDPR), which governs all processing of personal data within the EU/EEA. Processing of personal data in research includes collecting, recording, storing, analyzing, sharing, disclosing, and deleting data.
The Data Protection Act (lag (SFS 2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning), which has an unofficial translation, and the Data Protection Ordinance (förordning (SFS 2018:219) med kompletterande bestämmelser till EU:s dataskyddsförordning), which adapt GDPR to Swedish law.
The Freedom of the Press Act (Tryckfrihetsförordningen, SFS 1949:105) applies as most universities are public authorities, and their data are typically official documents (allmänna handlingar).
The Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen, SFS 2009:400) determines whether research data are classified as confidential. This legislation also applies to some higher education and research institutions that are not public authorities.
The Ethical Review Act (lag (SFS 2003:460) om etikprövning av forskning som avser människor) which applies to research involving sensitive personal data and some types of human research.
The Act on responsibility for good research practice and the examination of research misconduct (lag (2019:504) om ansvar för god forskningssed och prövning av oredlighet i forskning), which covers integrity and ethical conduct in research.
The Archives Act (Arkivlagen, SFS 1990:782), which requires public authorities to preserve official documents, even if they contain personal data.
Read more about research data and GDPR.
Are research data considered official documents?
Yes, if your research is conducted at a Swedish public authority or another organization subject to the principle of public access to information, research data are typically official documents (allmänna handlingar). Data become official documents if they are held at a public authority, or if they are received, sent, or finalized by the authority. Examples include survey responses, interview recordings, output from laboratory instruments, or register extracts.
What you may or may not do with such research data is governed by laws such as the Public Access to Information and Secrecy Act, the Data Protection Act, the Archives Act, and rules from the National Archives. You can normally find guidance on how to apply these regulations to your work in your organization’s internal policy documents, such as its document management plan.
As a general rule, raw data collected by, produced by, or received in a Swedish research project must be retained as they are official documents. There are additional legal requirements for preserving research data to support, for example, audits or investigations into research misconduct. See the question above about deleting original data.
Research data that are official documents may only be deleted after the retention period has expired. Contact your research data support or archives to find out what applies to your material.
Can I promise research subjects/participants that their data will not be shared?
Not unconditionally. Research data from public authorities are usually considered official records and can be requested for disclosure under the principle of public access to official documents. Even if research participants have been informed otherwise, each request for access to the research data must undergo a confidentiality assessment. If the data are not protected by a secrecy provision, they must be disclosed. The principle of public access to official documents is mandatory and non-negotiable, so you cannot promise that personal data will never be shared.
This does not mean the data will be openly shared. Data with personal information are often confidential under the Public Access to Information and Secrecy Act, and a release can only happen after a confidentiality assessment. However, neither the researcher nor the participant decides if data are confidential – that decision is based on a legal assessment.
Do I need consent from research participants?
Different types of consent apply in research. They serve different purposes, so it is important to know which type of consent must be given and what it means if that consent is withdrawn.
- Ethical research consent: Most research involving human participants requires voluntary, informed consent in line with research ethics guidelines and good research practice.
- Informed consent under law: For example, research covered by section 4 of the Ethical Review Act, clinical trials, or use of biological samples under the Biobanks Act.
- GDPR consent: Although consent can be a legal basis for processing personal data under GDPR, research usually relies on public interest as the legal basis – not consent. Therefore, you rarely need GDPR consent to process personal data in research, but you usually do need ethical consent from participants.
Read more about lawfulness and legal basis for processing personal data in research.
What information do I need to provide to research participants?
In many cases, the data controller must inform participants about which of their personal data will be processed and how. This is a fundamental right under GDPR. The information must include who the data controller is, and the legal basis and purpose of the processing.
There are exceptions – for example, if it is impossible or would require disproportionate effort to inform research participants, such as in register-based research where the researcher has no access to identifiable data.
Who can I share my research data with?
It depends on what you want to share and why. Are you sharing research data with a collaborator outside of your organization or depositing data in a repository? The purpose affects what legal checks are needed.
Public authorities must assess each request for disclosure of the data individually, in line with the Public Access to Information and Secrecy Act. Publishing personal data openly is generally not permitted unless specific legal exceptions apply. Contact your local research data support team, legal adviser, or data protection officer for advice.
Read more about sharing research data with personal information.
A journal wants access to data supporting my publication – what should I do?
Sharing personal data with a journal requires the same type of legal review as any other request for disclosure of official documents. The request must be assessed in accordance with the Public Access to Information and Secrecy Act. Your registrar, legal adviser, Data Protection Officer, or research data support team can help with the process.
Read more about sharing research data with personal information.
Can I share data with a country outside the EU?
Yes, but a few extra steps are required. First, the same legal review must be conducted as for any other data sharing. If sharing is allowed, the transfer itself must be secure – for example, not by regular e-mail. Examples of transfers include:
- E-mailing documents with personal data to recipients outside the EU/EEA
- Using a data processor based outside the EU/EEA
- Giving non-EU/EEA users access, for example reading rights, to personal data stored in the EU/EEA
- Storing personal data in a cloud service based outside the EU/EEA.
Chapter V of GDPR governs international data transfers. Always consult a legal adviser to clarify what is permitted.
Does GDPR apply to data collected outside the EU?
Yes, if the data controller or processor is based in the EU/EEA, or if the research targets individuals within the EU/EEA, GDPR applies – even if the data were collected elsewhere.
If the personal data in my research are already published, do they still count as personal data?
Yes. When you process personal data for research purposes, it counts as a new instance of processing under GDPR. You must still have a valid legal basis and specify the purpose of the processing, regardless of whether the data were previously published.
Can I openly publish personal data about the creators of other works?
Yes, because naming the creators of a work is a legal obligation under the Swedish Copyright Act (Act (1960:729) on Copyright on Literary and Artistic Works). This provides a legal basis (legal obligation) and purpose for the data processing involved in publishing such information.