Personal data in research
What is personal data?
According to the Personal Data Act (PUL), personal data is any information that can be linked, directly or indirectly, to a living person (read more at the Data Inspection Board's website). In addition to, for example, name and social security number, this includes images (photos) and audio recordings of people, even if no names are mentioned. Encrypted or coded data and various types of electronic identities, such as IP addresses, are considered personal data if they can be linked back to individuals. Some personal data is regarded as sensitive, such as information regarding an individual's health.
Ethical approval, and usually also personal consent, is needed when handling personal data for research.
Coded data means that the social security number and name have been replaced with a code. The code can be linked to the name and social security number again through the use of a code key. The code key and coded data should not be stored together.
Coded data is also sometimes called anonymous or pseudonymous data.
De-identified data means that you can no longer connect a person to the data because the code key has been destroyed. It often requires a few steps to fully de-identify personal data.
De-identified data is not personal data and is not subject to PUL.
How should personal data be handled?
After receiving ethical approval to handle the personal data, it is important that all personal data is stored and worked on safely, and it needs to be protected against unauthorized access. Personal data may only be stored in systems and solutions that are approved for personal data at KI, such as KI ELN and approved servers (see Management of research data for more information).
It is always KI as an organisation that is responsible for personal data, never a single researcher, and therefore all records containing personal data should be reported to the Data Protection Officer Mats Gustavsson at the Legal Department. The Data Protection Officer and KI's lawyers can also provide assistance with other issues related to personal data handling.
Share data containing personal data
Ideally, the data is de-identified before it is shared, but this is not always possible in research. Instead, it is important to code, and sometimes double-code, the data and ensure that it is shared in a secure manner.
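The coding and double-coding described above, as an added example that is not part of the original page or KI's own tooling: identifiers are replaced with random codes, the code key is returned separately so it can be stored apart from the data, and a second round of codes is applied before sharing. The record fields and function names are assumptions, and the sample records are constructed.

```python
import secrets

# Constructed sample records; names and numbers are made up.
RECORDS = [
    {"name": "Anna Berg", "ssn": "19800101-0000", "systolic_bp": 128},
    {"name": "Lars Holm", "ssn": "19751231-0001", "systolic_bp": 141},
    {"name": "Anna Berg", "ssn": "19800101-0000", "systolic_bp": 131},
]
IDENTIFIERS = ("name", "ssn")  # assumed direct identifiers

def new_code(used):
    """Random code, not derived from the identifier, so it cannot be recomputed."""
    while True:
        code = secrets.token_hex(8)
        if code not in used:
            used.add(code)
            return code

def code_records(records, identifiers=IDENTIFIERS):
    """Split records into coded data and a code key (to be stored separately)."""
    key, by_person, used, coded = {}, {}, set(), []
    for rec in records:
        person = tuple(rec[f] for f in identifiers)
        if person not in by_person:  # same person always gets the same code
            by_person[person] = new_code(used)
            key[by_person[person]] = dict(zip(identifiers, person))
        row = {k: v for k, v in rec.items() if k not in identifiers}
        coded.append({"code": by_person[person], **row})
    return coded, key

def double_code(coded):
    """Swap internal codes for fresh ones before sharing; the second key stays with the sender."""
    second_key, mapping, used, shared = {}, {}, set(), []
    for row in coded:
        if row["code"] not in mapping:
            mapping[row["code"]] = new_code(used)
            second_key[mapping[row["code"]]] = row["code"]
        shared.append({**row, "code": mapping[row["code"]]})
    return shared, second_key

def re_identify(shared_code, second_key, code_key):
    """Needs both keys; returns None when either one is missing (e.g. destroyed)."""
    internal = second_key.get(shared_code)
    return code_key.get(internal) if internal is not None else None
```

The remaining columns can still point to a person indirectly, which is why full de-identification often takes more steps than removing the code key.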
If the data is to be sent outside KI, it must be encrypted; alternatively, external partners may be given access to a secure server at KI.
For questions regarding sharing of data containing personal data, contact your local IT department or the ITA.