Special provisions in the Personal Data Act
Informed consent means that a person voluntarily, after having received information, accepts the processing of their personal data. The premise is that the person’s consent is needed for processing their personal data in the form of registries or databases. For an agreement to have legal effect under the provisions of PUL, it is required that the person in question received information about the identity of the personal data controller, the purpose of the processing, and other information that the registered person needs to ensure their rights.
Below you will find a template for informed consent. In addition, the University, in consultation with the Swedish Data Protection Authority, has drawn up general information on the processing of personal data for research purposes at Lund University, see below. It can be useful to attach this to the other information with which you will provide the registered persons in your study.
Situations that do not require consent
Consent is not needed if the processing of personal data is required for complying with a legal obligation, an agreement with the registered person, to perform a task of public interest, or in connection with the exercise of public authority.
Other exceptions are also cases in which the interest of the personal data controller or third party outweighs the registered person’s integrity. Note that consent should not be obtained if it is not needed, because consent can be withdrawn.
Sensitive personal data
You are not allowed to process personal data about:
- Health or sex life
- Race or ethnic origin
- Political views
- Religious or philosophical convictions
- Trade union membership
Such sensitive personal data may only be processed with the consent from the registered person, or if it is necessary in areas such as health care, labour law, or for a non-profit organisation to register its members.
Sensitive personal data may be processed without consent for research and statistical purposes if the process is approved by a research ethics committee.
Personal identity number
The general rule is that personal identity numbers may not be processed without the consent of the registered person. There are, however, a few exceptions to the general rule, namely, when it is clearly justified in terms of:
- The purpose of the processing,
- the importance of secure identification, or
- other relevant reasons. In these cases, personal identity numbers may be processed without consent.
Transferring personal date to a third country
The new Personal Data Act contains a general prohibition on the transfer of personal data to third countries, which are not part of the EU/EEA or the Council of Europe’s Convention for the Protection of individuals with regard to Automatic Processing of Personal Data.
Online publication of personal data generally requires obtaining consent. The Swedish Data Protection Authority may, however, permit exemptions from this requirement. This may be the case for much of the processing for international research projects which currently still requires the approval of the Data Protection Authority.
Remember to take the following safety precautions when processing sensitive personal data:
- systems for access control with personal authorisation must be in place
- access to personal data should be logged and include user details
- all transfers via computer communications must be done in an encrypted form
- storage media that are not archived shall be deleted in such a way that the information cannot be recovered, and
- premises where computer equipment and storage media are stored should have access protection.
Liability for damages
If personal data is processed in violation of the Personal Data Act, Lund University will be forced to pay damages to the person or persons who have had their integrity violated.