Planning your data collection

The research principal is the public authority or legal or natural person within whose operations the research is conducted. The research principal has overall responsibility for ensuring that the research is carried out in accordance with good research practice. In studies involving sensitive personal data, the research principal must be named in the ethical review application and is the entity ultimately responsible for the application.

It is not uncommon for one organization to apply for ethical review for a project carried out in collaboration with other organizations – for example, a university conducting research together with a university hospital. In such cases, all involved organizations must be listed as research principals in the application to the Swedish Ethical Review Authority. Otherwise, a partner organization may risk conducting research without proper approval. Each research principal is responsible only for the part of the research conducted within their own organization.

It is important to determine whether the project will involve the processing of personal data. Remember that coded (pseudonymized) data are still considered personal data – even if the code key is stored separately. Only when the key is destroyed and individuals can no longer be re-identified from it, even indirectly, the data cease to be personal data.

If sensitive personal data will be processed for research purposes, approval from the Swedish Ethical Review Authority is required. You must also implement suitable technical and organizational safeguards to protect the data.

If your research involves personal data in any form, it is essential to identify the data controller(s). In Swedish publicly funded research, this is almost always the research principal.

It is also useful to assess early on whether any data processors will be involved, or whether data will be shared with another data controller. This is especially important when multiple parties are involved in a research project.

Your project must comply with the fundamental GDPR principles for collecting and processing personal data (see Chapter II of the GDPR). For example, data may only be collected for specific, clearly defined, and legitimate purposes; there must be a legal basis for the processing; and no more data than necessary should be collected. The legal basis at universities is usually public interest.

SND has more information on legal bases for processing personal data in research.

The data controller must also assess any potential risks to the privacy of the data subjects before processing begins. This involves identifying potential risks with the data processing and suggesting security measures. In some cases – if the risks are considered high – a more detailed data protection impact assessment is required. All risk assessments must be documented to demonstrate compliance with the GDPR. It is recommended to add these assessments to the data management plan.

Under the GDPR, individuals whose personal data are being processed have the right to be informed. This is known as the right to information. Research participants are often informed about data processing alongside other project information, particularly when informed consent is obtained in accordance with the Ethical Review Act and general research ethics guidelines.

At a minimum, the information must include the legal basis for processing, the purpose of the processing, and the identity of the data controller. It is also important to provide a contact person and contact details for the Data Protection Officer, if one has been appointed. There are some exceptions to the requirement to provide information – for example, in register-based research where it is impossible to contact individual research subjects.

Read more about the right to information under GDPR on the website of the Swedish Authority for Privacy Protection (IMY).

The Ethical Review Act also requires that participants receive information before giving their consent to participate (informed consent). There is therefore a dual obligation to provide information – under both the Ethical Review Act and GDPR.

Read more about what the information to research participants should contain in “Guide to the Ethical Review of Research on Humans” (2023, page 36 and forward) from the Swedish Ethical Review Authority.

Will the research data be obtained from another public authority? It is common for researchers to request existing data, such as registry data from Statistics Sweden (SCB) or from the National Board of Health and Welfare (Socialstyrelsen). These government agencies must examine whether the data can be released based on secrecy provisions, just like universities and other higher education institutions must do. They often require ethical approval (where relevant), ask how the secrecy will be protected, and request details on for what purposes the data will be used. Investigate in advance what conditions may apply and how long the process of reviewing the request to access data may take.

When collecting personal data directly from research participants, it is still important to assess whether the data will be subject to secrecy at your organization and, if so, under what terms. This will affect, for instance, how the data may be shared later. Research data with personal information are often subject to research and statistical secrecy (forsknings- och statistiksekretess) under Chapter 24, Section 8 of the Public Access to Information and Secrecy Act (OSL, SFS 2009:400) and Section 7 of the Secrecy Ordinance (SFS 2009:641), as well as to data protection secrecy (dataskyddssekretess) under Chapter 21, Section 7 of OSL.

Most organizations have internal guidelines for information classification. These classifications affect which digital tools and storage solutions may be used.