Sharing research data containing personal information

Before transferring or granting access to research data outside your organization, you must be aware of what type of data sharing you are planning. This assessment will depend on the nature of the data, the recipient (individual or organization), the recipient’s country, and the purpose for sharing the data.

In general, each individual disclosure of personal data must be reviewed on a case-by-case basis by the organization responsible for the personal data. As a result, research data that contain personal information can rarely be shared as fully open-access data. Below are some key considerations for researchers preparing to share their data, along with a useful checklist for legal considerations.

Things to consider:

Determine whether the material contains personal data

Many types of information that we may not think of as personal data can, in fact, be considered personal data under the law. If additional personal information exists elsewhere – for example in the raw data or in a public register – it could potentially serve as a code key that makes it possible to re-identify individuals in data files you thought had been de-identified. This means that the files still, from a legal perspective, contain personal data, regardless of how easy or difficult it would be to access the additional information. 

There is also the issue of indirect re-identification (bakvägsidentifiering), where there is enough background information to single out an individual in the material so precisely that their identity can be considered disclosed, or that there is a high risk that it will be disclosed. For example, a research participant may be one of only five persons in a municipality with a certain combination of traits.
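A screening check for the indirect re-identification risk described above, as an added example that is not part of the original guidance: it counts how many records share each combination of traits and flags the small groups. The column names, the sample records and the threshold of five are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records (not real data). Direct identifiers such as
# names and personal identity numbers are assumed to be removed already.
def _rows(n, municipality, birth_decade, occupation):
    return [{"municipality": municipality, "birth_decade": birth_decade,
             "occupation": occupation} for _ in range(n)]

RECORDS = (_rows(12, "Municipality A", 1980, "teacher")
           + _rows(5, "Municipality A", 1980, "midwife")
           + _rows(8, "Municipality B", 1950, "teacher")
           + _rows(1, "Municipality B", 1950, "pilot"))

# Assumption: groups of five or fewer are flagged, mirroring the
# "one of only five persons" example. A screening value, not a legal limit.
MAX_SMALL_GROUP = 5

def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)

def small_groups(records, columns, limit=MAX_SMALL_GROUP):
    """Return {combination: size} for combinations shared by `limit` or fewer records."""
    sizes = group_sizes(records, columns)
    return {combo: n for combo, n in sizes.items() if n <= limit}

def records_at_risk(records, columns, limit=MAX_SMALL_GROUP):
    """Number of records that fall inside a flagged small group."""
    return sum(small_groups(records, columns, limit).values())

if __name__ == "__main__":
    # The same records, screened with and without the occupation column.
    for columns in (("municipality", "birth_decade", "occupation"),
                    ("municipality", "birth_decade")):
        flagged = small_groups(RECORDS, columns)
        print(columns, "->", records_at_risk(RECORDS, columns),
              "of", len(RECORDS), "records in small groups")
        for combo, n in sorted(flagged.items(), key=lambda kv: kv[1]):
            print("   ", combo, n)
```

A clean result only covers the columns that were checked. It does not show that the dataset is anonymized, because additional information held elsewhere can still make re-identification possible.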

Anonymized or not?

Whether data can be considered anonymized from a legal point of view depends on the overall context – not just on what you have done to a specific version of a dataset or data that are stored with you. You must consider the origin of the material, how it has been handled and processed, and what additional information sources may exist, here or elsewhere. Could additional data exist somewhere that could potentially disclose someone’s identity in the material? If so, the dataset contains personal data.

What data do you actually need to collect?

If you already know you want to make your data openly accessible, consider carefully what information you plan to collect. In most cases, personal data cannot be made fully open, and legal limitations – such as the Archives Act, the Swedish National Archives’ regulations, and your organization’s implementation guidelines – may restrict your ability to completely remove personal data from the material. Processed datasets often still count as personal data and can only be shared under access restrictions following an examination of secrecy by the research principal.

Research data at public authorities are official documents

Because research data at public authorities – for example, most higher education institutions and public research organizations – are typically considered official documents, the principle of public access to information applies when someone requests access to the data. However, an official document is not necessarily a public document, as it may fall under a secrecy provision. An examination of secrecy must therefore be carried out before research data can be disclosed. In some cases, this may include a harm and prejudice assessment, which evaluates how the data will be handled after disclosure and the potential impact on the individuals concerned. You or your institution may need to identify who will manage the data and how, to ensure that the new processing context offers sufficient legal protection for the research participants' privacy.

If the research principal is not a public authority

Even if the research principal is not a public authority, it is still the data controller and must comply with the General Data Protection Regulation (GDPR) in all personal data processing. This means, for example, that the research principal must be able to invoke a legal basis for the personal data processing for each disclosure of material that contains personal data.

Some non-governmental Swedish research organizations, such as certain foundation-run higher education institutions, are still subject to the same rules regarding managing and disclosing official documents as public authorities.

Sharing data within and outside the EU/EEA

Research data may need to be shared across borders, for example, in collaborations between universities in different countries or when research infrastructures, labs, or companies need access to the data to assist in data analyses or other processing. Researchers and other stakeholders abroad may also request access to data. 

When sharing research data containing personal information with third countries, meaning countries outside the EU/EEA, it is especially important to ensure an equivalent level of privacy protection for the research participants to that guaranteed by GDPR and related legislation in the EU/EEA countries. Sharing data with recipients in third countries can be legally complex, especially in jurisdictions that do not ensure an adequate level of data and privacy protection. You must ensure that all conditions for international data transfers under the GDPR, outlined in Chapter V of the law, are met before sharing data with recipients in such countries.

Different perspectives on what constitutes personal data

Definitions and interpretations of what qualifies as personal data vary across countries. For example, the concept of anonymity may differ, meaning that you could receive requests from journals or researchers to share data in ways that conflict with Swedish and EU legislation. Such requests may reflect other legal traditions, but you should not feel pressured to comply. Always clarify what applies in your specific case and rely on your local legal framework. 

While pseudonymized data are still classified as personal data under the law, the methods described in this handbook may still serve as risk-reducing safeguards when preparing data for ongoing or future processing.

Sharing data containing personal information via SND

Research data shared via SND’s DORIS can have different access levels. These levels determine how openly accessible the data are: they may be openly accessible or subject to access restrictions. Restrictions may apply when a dataset contains personal data or other sensitive information. In such cases, the research principal must conduct a secrecy assessment before the data can be shared.

Even if the data cannot be made openly accessible, it is still worthwhile describing the dataset in DORIS to make it findable via Researchdata.se. This increases the visibility of and interest in the data and helps ensure that the dataset aligns with the FAIR principles of being Findable, Accessible, Interoperable, and Reusable.

Read more about sharing data with personal information through SND.

Checklist for disclosing data containing personal information 

SND, in collaboration with legal experts from Swedish higher education institutions, has developed a checklist for reviewing requests to access datasets that contain personal data. The checklist is primarily aimed at research support staff but provides helpful guidance for individual researchers who want to gain a better understanding of the legal considerations in disclosing research data.

The checklist, which is currently only in Swedish, is published on Zenodo: Checklista för utlämnande av forskningsdata med personuppgifter (PDF). DOI: 10.5281/zenodo.10829328