Planning your data collection
Before beginning data collection, you must ensure that the processing of personal data has a valid legal basis. At Swedish universities and higher education institutions – which are public authorities – the most common legal basis is public interest, although in some cases consent may apply. A key principle is data minimization: only the personal data necessary for the research purpose should be collected.
Processing of sensitive personal data – such as data about health, political opinions, or religious beliefs – may only be carried out for research purposes after receiving approval from the Swedish Ethical Review Authority. It is also important to implement appropriate safeguards to protect the sensitive data. Note that the data may only be used within the scope of the specific research project that received ethical approval. If the project is expanded or altered, it may require a new ethical review. For example, if a researcher wants to reuse data in a new study, a new application for ethical approval must be submitted.
We recommend consulting your organization’s research data support service and Data Protection Officer for specific guidance on handling personal data in your research.
Checklist for data collection
There are several important aspects to consider before starting to collect research data. Some of the key points are included in this checklist. A good way to ensure that all relevant aspects are covered is to create a data management plan that addresses the areas outlined below.
1. Identify the responsible research principal
The research principal is the public authority or legal or natural person within whose operations the research is conducted. The research principal has overall responsibility for ensuring that the research is carried out in accordance with good research practice. In studies involving sensitive personal data, the research principal must be named in the ethics application and is the entity ultimately responsible for the application.
It is not uncommon for one organization to apply for ethical approval for a project carried out in collaboration with other organizations – for example, a university conducting research together with a university hospital. In such cases, all involved organizations must be listed as research principals in the application for ethical review. Otherwise, a partner organization may risk conducting research without proper approval. Each research principal is responsible only for the part of the research conducted within their own organization.
2. Determine whether the research involves personal and/or sensitive personal data
It is important to determine whether the project will involve the processing of personal data. Remember that coded (pseudonymized) data are still considered personal data – even if the code key is stored separately. Only when the key is destroyed and individuals can no longer be re-identified, even indirectly, do the data cease to be personal data.
If sensitive personal data will be processed for research purposes, approval from the Swedish Ethical Review Authority is required. You must also implement suitable technical and organizational safeguards to protect the data.
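As an added illustration (not part of SND's guidance), the Python sketch below shows what coding with a separately stored code key looks like, why the coded data remain personal data while the key exists, and a simple check for whether records stay indirectly identifiable through unique quasi-identifier combinations after the key is gone. The participant records are constructed.

```python
import secrets
from collections import Counter

# Constructed sample records: direct identifiers plus a few quasi-identifiers.
PARTICIPANTS = [
    {"personnummer": "19800101-1234", "name": "Anna", "birth_year": 1980, "postcode": "41115", "diagnosis": "A"},
    {"personnummer": "19750505-5678", "name": "Bo", "birth_year": 1975, "postcode": "41115", "diagnosis": "B"},
    {"personnummer": "19800101-9876", "name": "Cia", "birth_year": 1980, "postcode": "41115", "diagnosis": "A"},
    {"personnummer": "19601212-1111", "name": "Dan", "birth_year": 1960, "postcode": "90210", "diagnosis": "C"},
]
DIRECT_IDS = ("personnummer", "name")


def pseudonymize(records, id_field="personnummer"):
    """Replace direct identifiers with a random code.

    Returns the coded dataset and the code key (identifier -> code), which
    must be stored separately from the coded data.
    """
    key_table = {}
    coded = []
    for rec in records:
        ident = rec[id_field]
        if ident not in key_table:  # same person -> same code, so records stay linkable
            key_table[ident] = secrets.token_hex(8)
        coded.append({"code": key_table[ident], **{k: v for k, v in rec.items() if k not in DIRECT_IDS}})
    return coded, key_table


def reidentify(coded, key_table):
    """With the code key available, every coded record maps back to a person."""
    reverse = {code: ident for ident, code in key_table.items()}
    return [{"personnummer": reverse[r["code"]], **r} for r in coded]


def unique_on_quasi_ids(coded, quasi_ids):
    """Records whose quasi-identifier combination occurs only once (k = 1).

    Even with the code key destroyed, such records may be re-identified
    indirectly by anyone who knows those attributes about a participant.
    """
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in coded)
    return [r for r in coded if counts[tuple(r[q] for q in quasi_ids)] == 1]


if __name__ == "__main__":
    coded, key_table = pseudonymize(PARTICIPANTS)
    print("coded:", coded)
    print("re-identified:", [r["personnummer"] for r in reidentify(coded, key_table)])
    del key_table  # "destroying" the key; the check below is what still matters
    print("still unique on (birth_year, postcode):", unique_on_quasi_ids(coded, ("birth_year", "postcode")))
```

Whether the remaining unique records count as identifiable in practice depends on what other information is reasonably available, which is the assessment the data controller has to document.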
3. Identify the data controller
If your research involves personal data in any form, it is essential to identify the data controller(s). In Swedish publicly funded research, this is almost always the research principal. It is also useful to assess early on whether any data processors will be involved, or whether data will be shared with another data controller. This is especially important when multiple parties are involved in a research project.
4. Follow the central GDPR principles for processing personal data
Your project must comply with the fundamental GDPR principles for collecting and processing personal data. For example, data may only be collected for specific, clearly defined, and legitimate purposes, and no more data than necessary should be collected. The legal basis at universities is usually public interest.
SND has more information on legal bases for processing personal data in research.
The data controller must also assess any potential risks to the privacy of the data subjects before processing begins. This involves identifying potential risks with the data processing and suggesting security measures. In some cases – if the risks are considered high – a more detailed data protection impact assessment is required. All risk assessments must be documented to demonstrate compliance with GDPR. It is recommended to add these assessments to the data management plan.
5. Inform research participants
Under GDPR, individuals whose personal data are being processed have the right to be informed. This is known as the right to information. Research participants are often informed about data processing alongside project information, particularly where informed consent is collected in accordance with the Ethics Review Act and general research ethics guidelines.
At a minimum, the information must include the legal basis for processing, the purpose of the processing, and the identity of the data controller. It is also important to provide a contact person and contact details for the Data Protection Officer, if one is appointed. There are some exceptions to the requirement to provide information – for example, in register-based research where it is impossible to contact individuals.
Read more about the right to information under GDPR on the website of the Swedish Authority for Privacy Protection (IMY).
The Ethics Review Act also requires that participants receive information before giving their consent to participate (informed consent). There is therefore a dual obligation to provide information – under both the Ethics Review Act and GDPR.
Read more about what information to research participants must contain in “Guide to the Ethical Review of Research on Humans” (2023, page 36 and onward) from the Swedish Ethical Review Authority.
6. Determine whether the data are subject to confidentiality
Will the research data be obtained from another public authority? It is common for researchers to request existing data, such as registry data from Statistics Sweden (SCB) or from the National Board of Health and Welfare (Socialstyrelsen). These authorities, like universities, must assess whether the data can be released based on confidentiality rules. They often require ethical approval (where relevant), ask how confidentiality will be maintained, and request details on the purposes for which the data will be used. Investigate in advance what conditions may apply and how long the review of a data access request may take.
Even when collecting personal data directly from research participants, it is important to assess whether the data will be subject to confidentiality at your organization and, if so, under what terms. This will affect, for instance, how the data may be shared later. Research data with personal information are often subject to research and statistics confidentiality (forsknings- och statistiksekretess) under Chapter 24, Section 8 of the Public Access to Information and Secrecy Act (OSL, SFS 2009:400) and Section 7 of the Secrecy Ordinance (SFS 2009:641), as well as to data protection confidentiality (dataskyddssekretess) under Chapter 21, Section 7 of OSL.
7. Assess the classification of information
Most organizations have internal guidelines for classifying information. These classifications affect which digital tools and storage solutions may be used.