Sharing research data that contain personal information

Many types of data that we may not think of as personal data can, in fact, be considered personal data under the law. If additional personal information – for example in the raw data or in a public register – exists elsewhere, it could potentially serve as a code key that makes it possible to re-identify individuals in data files you thought had been de-identified. This means that the files still contain personal data, regardless of how easy or difficult it would be to access the additional information. 

There is also the issue of indirect re-identification (bakvägsidentifiering), where background information might be sufficient to single out and identify an individual in the dataset. For example, a research participant may be one of only five people in a municipality with a certain combination of traits, making them identifiable.

Anonymized or not?

Whether data can be considered anonymized from a legal point of view depends on the overall context – not just on what you have done to a specific version of a dataset or data that are stored with you. You must consider the origin of the material, how it has been handled, and what external information sources may exist. Is it possible that there can somewhere exist additional data that could potentially reveal someone’s identity in the material? In that case, the dataset still contains personal data. 

What data do you actually need to collect?

If you already know you want to make your data openly accessible, consider carefully what information you plan to collect. In most cases, personal data cannot be made fully open, and legal limitations – such as the Archives Act, the Swedish National Archives’ regulations, and your organization’s implementation guidelines – may restrict your ability to completely remove personal data from the material. Even processed datasets often still count as personal data and may only be shared under access restrictions following a confidentiality review by the research principal.

Because research data are typically considered official documents at public authorities, the principle of public access to information applies when someone requests access to the data. A confidentiality assessment must therefore be carried out before any data are released. In some cases, this may include a harm and prejudice assessment, evaluating how the data will be handled after release and the potential impact on the individuals concerned. You or your institution may need to identify who will manage the data and how, to ensure that appropriate legal protections are in place in the new processing context.

Even if the research principal is not a public authority, it is still the data controller and must comply with the General Data Protection Regulation (GDPR) in all personal data processing. This means, for example, that a legal basis for data processing must be established for each individual data disclosure.

Some non-governmental research organizations, such as certain foundation-run higher education institutions, are still subject to the same rules regarding managing and disclosing official documents as public authorities.

Research data may need to be shared across borders, such as in collaborations between universities in different countries or with research infrastructures, labs, or companies assisting with data analyses. Researchers and other stakeholders abroad may also request access to data. 

When sharing research data containing personal information internationally, it is especially important to ensure that the level of privacy protection for the research participants remains equivalent to that guaranteed by GDPR and related legislation. Sharing data with recipients in countries outside the EU/EEA can be legally complex, especially in jurisdictions that do not ensure an adequate level of data and privacy protection. You must ensure that all requirements for international transfers under GDPR are met before sharing data with recipients in such countries.

Definitions and interpretations of what qualifies as personal data vary across countries. For example, the concept of anonymity may differ, meaning that you could receive requests from journals or researchers to share data in ways that conflict with Swedish and EU legislation. Such requests may reflect other legal traditions, but you should not feel pressured to comply. Always clarify what applies in your specific case and rely on your local legal framework. 

While pseudonymized data are still classified as personal data under the law, the methods described in this handbook may still serve as risk-reducing safeguards when preparing data for ongoing or future processing.

Research data shared via SND’s system DORIS can have different access levels. These levels determine how open the data are: they may be freely accessible or subject to access restrictions. Restrictions may apply when data contain personal data or other sensitive information. In such cases, the research principal must conduct a confidentiality review before the data can be shared.

Even if your data cannot be made openly accessible, it is still worthwhile to describe your dataset in DORIS and make it findable via Researchdata.se. This increases visibility and interest in the data and helps ensure the dataset meets the FAIR principles of being Findable, Accessible, Interoperable, and Reusable.

Read more about sharing data with personal information through SND.