Personal data in research
GDPR replaces PUL
The General Data Protection Regulation (GDPR, or Dataskyddsförordningen) for the processing of personal data affects the management of research data. For the most recent information, see GDPR at KI.
While awaiting complementary national legislation, most notably new research data legislation to be decided in 2019, the recommendations below remain.
What is personal data?
According to the Personal Data Act (PUL), personal data is any information that can be linked, directly or indirectly, to a person who is alive (read more at the Data Inspection Board's website). In addition to e.g. name and social security number, this also includes images (photos) and audio recordings of people, even if no names are mentioned. Encrypted, coded or pseudonymised data and various types of electronic identities, such as IP numbers, are considered personal data if they can be linked back to individuals. Some personal data is regarded as sensitive, such as information regarding an individual's health.
Ethical approval, and usually also personal consent, is needed when handling personal data for research.
Pseudonymised (coded) data
Pseudonymised data means that the social security number and name have been replaced with a code. The code can be linked to the name and social security number again through the use of a code key. The code key and coded data should not be stored together.
Anonymised (de-identified) data
Anonymised data means that you can no longer connect a person to the data; the code key is destroyed. It often requires a few steps to fully anonymise personal data.
Anonymised data is not considered personal data and is not subject to PUL.
How should personal data be handled?
After receiving ethical approval to handle the personal data, it is important that all personal data is stored and worked on safely, and it needs to be protected against unauthorized access. Personal data may only be stored in systems and solutions that are approved for personal data at KI, such as KI ELN and approved servers (see Research Data Management for more information).
It is always KI as an organisation that is responsible for personal data, never a single researcher, and therefore all records containing personal data should be reported to the Data Protection Officer Mats Gustavsson at the Legal Department. The Data Protection Officer and KI's lawyers can also provide assistance with other issues related to personal data handling.
Share data containing personal data
Ideally, the data is anonymised before it is shared, but this is not always possible in research. Instead, it is important to pseudonymise/code, and sometimes double-code, the data and ensure that it is shared in a secure manner.
If the data is to be sent outside KI, it must be encrypted, or external partners may be given access to a secure server at KI.
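The coding and double-coding described above, as an added example (not KI's own code or tooling): identifiers are replaced with a random code, the code key is returned separately so it can be stored apart from the coded data, and a second coding pass produces the copy that is shared. The field names, code format and sample records are assumptions constructed for illustration.

```python
import secrets

# Constructed sample records; names and numbers are made up.
SAMPLE = [
    {"name": "Test Person A", "ssn": "19000101-0000", "visit": 1, "hba1c": 41},
    {"name": "Test Person B", "ssn": "19000202-0000", "visit": 1, "hba1c": 55},
    {"name": "Test Person A", "ssn": "19000101-0000", "visit": 2, "hba1c": 39},
]

def pseudonymise(records, id_fields=("name", "ssn"), code_field="code", prefix="P"):
    """Replace id_fields with a random code.

    Returns (coded_records, code_key). The code is random, not derived from
    the identifiers, so it can only be linked back through code_key.
    """
    codes = {}            # identity tuple -> code
    coded = []
    for rec in records:
        identity = tuple(rec[f] for f in id_fields)
        if identity not in codes:
            code = prefix + secrets.token_hex(4).upper()
            while code in codes.values():   # regenerate on the rare collision
                code = prefix + secrets.token_hex(4).upper()
            codes[identity] = code
        rest = {k: v for k, v in rec.items() if k not in id_fields}
        coded.append({code_field: codes[identity], **rest})
    code_key = {c: dict(zip(id_fields, ident)) for ident, c in codes.items()}
    return coded, code_key

def double_code(coded, code_field="code"):
    """Second coding pass before sharing: the recipient never sees the internal code."""
    return pseudonymise(coded, id_fields=(code_field,), code_field="share_code", prefix="S")

def reidentify(share_code, share_key, code_key):
    """Both keys are needed to get from a shared record back to a person."""
    internal = share_key[share_code]["code"]
    return code_key[internal]

if __name__ == "__main__":
    coded, code_key = pseudonymise(SAMPLE)       # code_key: store apart from coded data
    shared, share_key = double_code(coded)       # share_key: stays with the sender
    print(shared)
    print(reidentify(shared[0]["share_code"], share_key, code_key))
```

The remaining fields are untouched by coding, so as long as either key exists the shared records are still pseudonymised, not anonymised.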
For questions regarding sharing of data containing personal data, contact your local IT department or the ITA.