Handling personal data

Sometimes research is interested in personal data. For example in longitudinal studies, the research is conducted over a longer time - up to thirty years is not uncommon - and aims at following things such as changes in health and social situation for certain population groups to, for example, learn about how certain work conditions affect us in the long term. In other research personal data are not the object per se, but as the research is performed on or with persons, such data will be handled as a consequence. The personal information processed might be sensitive in nature, thus entailing risks of infringing on the integrity of the persons in question. 

Personal information refers to all kinds of information that directly or indirectly can be attributed to a living, individual physical person. It can be information on the person's name, personal number, birthdate, nationality, education, family or employment conditions. Other types of information of a less personal character can also be considered personal data. Note that coded information is considered personal data as long as a code key exists.

The Swedish authority responsible for personal data is The Swedish Authority for Privacy Protection.  

The General Data Protection Regulation, GDPR

In Sweden, the law regulating the handling of personal information are first and foremost the Regulation on the protection of natural persons with regard to the processing of personal data, GDPR, in force from May 25, 2018. Additionally, the European Data Protection Board has presented Guidelines on Consent under Regulation 2016/679 

While rules on official secrets govern when data may be released, the GDPR governs how data are used. The registered is to be informed as to which information will be used. A person who submits information to a personal register established for research purposes has a further right to resulting information regarding him or herself. If a person can be identified - registers can also be anonymous - he or she also has the right to demand that incorrect or incomplete information be corrected or completed. The researcher should inform the subject on this issue. GDPR lists a set of basic principles relating to the processing of personal data, also in research. Personal data shall be: 

• processed lawfully according to the GDPR
• limited to what is necessary in relation to the purposes for which they are processed 
• accurate and, where necessary, kept up to date
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised processing and accidental loss or destruction 
• and the controller shall be able to demonstrate the compliance with GDPR and how it is appliced. 

As a principal rule, the handling of personal information requires consent from the person in question, with an exception for certain "specific purposes of public interest", such as processing data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, If sensitive information is involved - such as information on race or ethnic origin, political opinion, religious or philosophical conviction, membership in a union, health or sex life, genetic or bibliometric information - handling such information for research requires approval from a research ethics board. It will judge research according to the Act on ethical review, which says that research can only be approved if it is performed with respect for human dignity, that human rights and freedoms always should be considered and that the welfare of subjects always trumps the needs of society and science. Risks shall always be balanced by scientific merit. GDPR equates personal data relating to criminal convictions and offences or related security measures with sensitive data. 

One who, alone or in a group, decides on the object of and means for the handling of personal information is called the controller (as a rule, this is an organisation), whereas the physical person appointed by the controller to ensure that personal information is handled correctly and according to the law is the processor. 

Confidentiality in healthcare and in the social and behavorial sciences

As noted, a condition to be met for personal information from, e.g., patient journals to be released for research purposes is that the release be consistent with relevant provisions regarding secrecy, etc. However, consent from the concerned individuals always trumps secrecy rules. 

In healthcare, information regarding health status and other personal matters are classified as confidential, if it is not obvious that it can be disclosed without any harm to the patient and his or her relatives. The individual's subjective opinion is important in deciding whether someone may be harmed. Secrecy is the professional confidentiality in public service for those who have access to information that may harm patients (or the safety of one's country, or public economic interest, etc.). The significance is that outsiders shall not gain access to information that has been designated confidential. This prohibition of disclosing confidential information pertains to oral reports, the release of public records or any other means of information transfer. 

There are various exceptions. For research purposes, patients' journal information can be released with reservations. If you work at a public authority, you can assume the confidentiality already in place at the releasing authority. If the information is designated confidential and therefore not released, the researcher has the right to have the decision tried. First, one should turn to the handling archive officer. Thereafter, the city archivist makes a formal decision with a justification. Appeals are made to the Swedish administrative court of appeals, which is the highest authority. Patient journals more than 70 years old are not considered confidential and are therefore accessible for everyone.

When doing research in medicine, social science or in behavioural sciences, the Public Access to Information and Secrecy Act states that information regarding personal matters as a ground rule shall be regarded as confidential. Moreover, this rule has been extended generally to teaching and researching institutions for all studies in medicine and social and behavorial sciences (7 § offentlighets- och sekretessförordningen, SFS 2009:641). There is also a secondary confidentiality when a researcher recieves confidential data, the confidentiality so to speak follows the data. In general, statistical work fall under the law. Finally, there is a particular statute on confidentiality for scientific chronicles of linguistic and ethnological customs. All these rules are applicable on public research, not private.