Personal data in research
The General Data Protection Regulation (GDPR, or Dataskyddsförordningen) is relevant for research data management when personal data is part of the research
The General Data Protection Regulation
For the most current information, see GDPR at KI.
What is personal data?
Personal data is any information which directly or indirectly can be linked to a person who is alive (read more at the Data Inspection Board's website). This includes, in addition to e.g. name and social security number, also images (photos) and audio recordings of people even if no names are mentioned. Encrypted, coded or pseudomised data and various types of electronic identities, such as IP number, is considered personal data if it can be linked back to individuals. Some personal data is regarded as sensitive, such as genetic data and information regarding an individual's health.
Ethical approval, and usually also personal consent, is needed when handling personal data for research.
Pseudonymized (coded) data
Pseudonymized data means that the social security number and name have been replaced with a code. The code can be linked to the name and social security number again through the use of a code key. The code key and coded data should not be stored together. As long as a code exists that can be used to identify the people in the study, even if you as a researcher do not have access to it, the pseudonymized data is still considered personal data and is subject to the GDPR regulations.
Anonymized (de-identified) data
The data is anonymized when the code key is destroyed and it is no longer possible to connect a person to the data. Anonymised data is not considered personal data and is not subject to GDPR.
Aggregated pseudonymized data can also be considered anonymized data if it is no longer possible to identify individuals in the grouped data.
It often requires several steps to fully anonymize personal data. For tips on anonymization techniques see the following page from the UKDataService.
How should personal data be handled?
There must be a legal basis and a clear purpose for the processing of personal data to be carried out.
Ethical approval, and usually also personal consent, is needed when handling personal data for research.
It is important that all personal data is stored and worked on safely, and that it is protected against unauthorized access. Personal data may only be stored in systems and solutions that are approved for personal data at KI, such as KI ELN and approved servers.
It is always KI as an organisation that is responsible for personal data, never a single researcher, and therefore all records containing personal data should be reported to the Data Protection Officer at KI.
The Data Protection Officer can also provide assistance with other issues related to personal data handling.
Share data containing personal data
Ideally, the data is anonymised before it is shared, but this is not always possible in research. Instead, it is important to pseudonymise/code, and sometimes double-code, the data and ensure that it is shared in a secure manner.
If the data is to be sent outside KI, a system that is authorized by the IT department to share personal data must be used.
When transferring personal data between KI and another organization, an agreement may be needed. A description of the process for drawing up agreements for the transfer of personal data can be found here.
Contact
If you have questions regarding The General Data Protection Regulation (GDPR) contact dataskyddsombud@ki.se.