Dataguiden, Vetenskapsrådet, startpage

Legal requirements and principles

Swedish research is governed by international conventions and regulations as well as national legislation, which set out several legal requirements and guiding principles for how data is to be managed. As these requirements and principles must be taken into account already at the planning stage, it is a good idea to seek support from the research principal early on.

Data protection requirements

If personal data will be processed at any stage of the research, data protection rules must be taken into account. The term personal data should be interpreted broadly: it includes any information that can be directly or indirectly attributed to a specific natural person, for example through a code key, a combination of variables or linkage with other data. Processing refers, in principle, to every form of handling of personal data, such as collection, storage, use, disclosure and deletion.

If special categories of personal data, such as data concerning a person’s health, or personal data relating to criminal convictions and offences are to be processed in research, special requirements apply. Research involving special categories of personal data or personal data relating to criminal convictions and offences requires ethical review approval.

Ensure compliance with the basic principles

When personal data is processed, several fundamental principles must be taken into account. These include, among other things, that the research principal must ensure that:

  • the processing of personal data has a specified, explicit and legitimate purpose, and that the data is not subsequently processed for other incompatible purposes (purpose limitation).
  • the data processed is adequate, relevant and limited to what is necessary in relation to the research question (data minimisation).
  • the data is not processed for longer than necessary (storage limitation).
  • personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’), which requires, among other things, that the processing has a valid legal basis and that the requirements on information to data subjects are met.
  • the data is protected by appropriate technical and organisational measures (‘integrity and confidentiality’), which requires adequate information security and cyber security, for example access control, encryption of data in storage and in transit, and logging of access to the data.

The data controller must also be able to demonstrate compliance with data protection rules (‘accountability’). This is done, among other things, by documenting the processing of personal data in a record of processing activities and by having internal guidelines for data management in place.

Ensure support from a legal basis

The processing of personal data is lawful only if at least one legal basis applies. In research the legal basis is usually ‘task carried out in the public interest’ or ‘legitimate interests’. Consent may also constitute a legal basis.

With regard to special categories of personal data, the main rule is that processing is prohibited. There are, however, exceptions, for example when the processing is necessary for research purposes. For such research to be permitted, ethical review approval from the Swedish Ethical Review Authority is required. The same applies to the processing of personal data relating to criminal convictions and offences. This requirement applies even if the research subjects have given their consent to the research. When ethical review approval has been granted, the legal basis is ‘task carried out in the public interest’.

Respect the rights of data subjects

When personal data is processed in a research project the rights of natural persons must be respected. This includes the right to information about the processing of personal data, the right to access their personal data, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability and the right to object. If the processing of personal data is based on consent as the legal basis, the data subject also has the right to withdraw their consent.

However, there are several exceptions to these rights, and several rights only apply in certain situations.

Ensure compliance with other key requirements

If another entity will process personal data on behalf of the research principal, the rules on data processors must be followed. This may be the case, for example, if the research principal uses an external supplier for the storage of research data. In these situations the research principal must, among other things, ensure that the data processor is reliable and meets the applicable requirements, and that a data processing agreement (DPA) has been entered into between the data controller and the data processor.

When collaborating with other research actors, any sharing of personal data must be authorised. In this context, the rules on allocation of responsibility (controllership) and on transfers of personal data to third countries need to be taken into account.

Conduct a data protection impact assessment when required

A DPIA, or data protection impact assessment, may be required in situations where the research project processes special categories of personal data, such as health data from patient records or health data registers.

A data protection impact assessment is a documented process that helps the data controller to comply with data protection rules and to reduce the risks associated with so-called high-risk processing. In certain cases, the provisions on data protection impact assessments require the data controller to consult the Swedish Authority for Privacy Protection before the processing of personal data begins.

Find out what internal guidelines apply in your organisation

Universities and other organisations often have guidelines in place on how data and personal data are to be handled. If you have questions about data management, you can usually get advice and support from your organisation’s Data Protection Officer (DPO) or other support services.

In progress

The European Data Protection Board (EDPB) has published guidelines on the processing of personal data for research purposes, which are currently open for public consultation.

Ethical review approval and other permits

Ethical review approval

If a project falls under the definition of research in the Ethical Review Act and the research is to be conducted in Sweden, the provisions of that Act must be taken into account. Ethical review approval is required if the research:

  • involves a physical intervention on a living or deceased person
  • is carried out with a method that aims to affect the research subject physically or mentally, or that involves an obvious risk of harm to the research subject in body or mind
  • is performed on biological material from a living or deceased human being and the material can be traced back to that person
  • involves processing of special categories of personal data or of personal data relating to criminal convictions and offences.

Important to consider:

  • Ethical review is required even if the research subject has given his or her consent to the data being used and processed.
  • The Ethical Review Act contains provisions on informed consent for research that involves physical intervention, is conducted using a method that aims to physically or psychologically influence a research subject, or that involves an obvious risk of harm to the research subject or involves studies on biological material that can be traced back to an individual. The Swedish Ethical Review Authority may also require informed consent in other situations by stipulating it as a condition in the ethical review permit.
  • The Ethical Review Act applies to research conducted in Sweden. In international research collaborations ethical review is required for those parts of the research that are conducted in Sweden. The storage of research data is considered part of the research, which means that if data storage takes place in Sweden, this part of the implementation requires ethical approval in Sweden.
  • If the research requires ethical review no element of the research may be started before an approved ethical review permit has been obtained. This also applies to activities such as the recruitment of research subjects or the collection of data and samples. Research that has already been conducted cannot be approved retrospectively and may not be continued, published or used in any context.

The Swedish Ethical Review Authority’s website contains, among other things:

  • a guide to ethical review, including a chapter on the use of personal data in research
  • questions and answers, including a section on personal data in research
  • support templates that may need to be attached to an application for ethical review.

Other regulatory permits

The research project may also require permits from other regulatory public agencies. These may, for example, include permits under the Clinical Trials Regulation (CTR) or under the Medical Device Regulation (MDR).

The Swedish Medical Products Agency and the European Medicines Agency (EMA) offer support for clinical trials on medicinal products, as well as for questions regarding the use and handling of personal data or health data. Examples of support include:

  • regulatory and scientific advice, as well as a centre for innovation support at the Swedish Medical Products Agency
  • guidelines and methodological support for register-based studies, which clarify what national regulatory public agencies (equivalent to the Swedish Medical Products Agency) consider important from a regulatory perspective when register data are used in medicinal product trials. The recommendations and considerations are drawn up by various expert panels led by the EMA
  • a checklist for study protocols, according to principles developed by the European Network of Centres for Pharmacoepidemiology and Pharmacovigilance (ENCePP), which is coordinated by the EMA. The checklist is regularly updated based on methodological advances and contains several important principles to consider when designing pharmacoepidemiological studies.

Other rules to comply with

In addition to general rules on data protection and provisions in the Ethical Review Act other rules may also apply. If samples and data from biobanks are to be used in research the provisions of the Biobank Act must be taken into account.

Public access to information and secrecy

For a research principal in the public sector, documents that are created, received or submitted by the organisation generally become official documents. This also applies to research data such as digital texts, images, audio and video material, 3D scans, observations and experimental results.

The Swedish Freedom of the Press Act contains provisions on the public’s right to access official documents, known as the principle of public access to official documents. As a general rule, official documents must be disclosed upon request, provided that the document or the information in it is not classified as secret.

It is important to find out, already during the planning phase, which secrecy provisions apply to research data at the research principal’s organisation.

Private research organisations are not covered by the principle of public access to official documents. However, the disclosure of data to a private research principal may be subject to confidentiality conditions.

Establish agreements

Assessing whether agreements are required, and drafting them, may require support from legal experts. Agreements may, for example, be necessary in the following situations:

  • If a project involves several research principals: A collaboration agreement may be required to regulate authorisations (access to data), the division of responsibilities, data management and any joint controllership between the parties.
  • If data is to be managed in different storage solutions or in tools for analysis or processing: A data processing agreement (DPA) may need to be established with the data processor.
  • In the case of specific terms and conditions: This may concern secrecy or confidentiality, claims to intellectual property rights, or copyright permission for certain research data. Such matters need to be regulated in agreements with the external party.
