Registration of personal data processing
All research projects that involve personal data processing are to be registered in Personal Data Lund University (PULU). This also applies if you have registered your research project previously.
Above all, it is a matter of public confidence and the University’s credibility. People who participate in research projects must be able to trust that the University processes their personal data in accordance with existing laws and regulations.
There is also a legal requirement that the University can present a register covering all personal data processing. There has long been a requirement for a register. But with the introduction of the GDPR, the register requirement has been tightened throughout Europe. If the University does not fulfil the requirements, we may incur financial penalties.
Register your research project at pulu.adm.lu.se (change language on top of the form).
Registration of personal data processing within research
The legal basis for personal data processing within research is almost always that it is carried out in the public interest. This means that it is permitted to process personal data if it is necessary for a research project.
- In certain cases, there is a requirement for ethical approval, for example if you are processing sensitive personal data. You can read more about ethical approval by clicking here (link opens in same window).
- If a party outside the University is engaged for data processing, for example a supplier of IT services, there is to be a personal data processing agreement in place. You can read more about personal data processing agreements by clicking here (link opens in the same window).
- Personal data is to be stored in a secure manner. If you need to share data with colleagues this is also to be done in a secure manner.
- The Archives Act and principle of public access to information also apply to research data.
What personal data can be processed?
Depending on the purpose of the research project, you decide what type of personal data is to be processed. It is only permitted to collect and process personal data that is necessary for the implementation of the research project.
Data that is completely anonymised is not personal data and therefore the data protection legislation does not apply to it. The data is to be completely unidentifiable. This means that there is no key and that it is not possible to identify the individuals, even though it is possible to put together the different data that is being processed.
NB. If the data is linked to individuals when it is collected and not anonymised until a later stage, the data protection legislation applies up to the point when the data is completely anonymised.
As a rule, in research projects where data is collected directly from participants they are to give their consent or permission to be involved. This consent is somewhat different to consent in accordance with the data protection legislation.
If a participant changes their mind and no longer wants to take part, this does not automatically mean that the participant has the right to have their data deleted in accordance with the GDPR. Data that is a basis for a research publication is to be saved for reasons of research ethics, even though there are participants who have withdrawn their consent. However, you are neither to use the data for analyses or publications in the future nor collect further data on the participant. If it is possible to remove the data relating to a participant who has withdrawn their permission, this is to be done. Remember that the Archives Act applies. Even though a participant withdraws their consent, it is possible that the data relating to this person is to be archived.
Information for participants in research projects
The data protection legislation contains requirements for providing certain information to the people whose data you process. This also applies to participants in research projects. The participants are to receive the information before they give their consent. You can read more about information for data subjects by clicking here (link opens in the same window).
NB. This only includes the information required in accordance with the data protection legislation. Naturally, the participants are to be provided with other information about the research project.
There are certain occasions when you do not have to inform the participants that you are processing data about them:
- Survey data: If you use data from a research database, as the participants have already been informed.
- Register data: If it would be too difficult, for example because you do not have access to the participants’ contact details.
One way to increase security and protect the people whose personal data is processed in a research project is to pseudonimize the data. Pseudonymization means that the people have been coded and that there is a key to which someone in the project has access. Pseudonymized data is personal data and all the requirements in the data protection legislation apply.
If something happens to personal data
If something happens to personal data that “leads to unintentional or illegal destruction, loss or changes, or to unauthorised disclosure or unauthorised access”, this is to be reported to the Data Protection Authority.
In practical terms a personal data incident can occur, for example, when someone has forgotten papers or a USB stick on a train, or an unauthorised person has for some reason gained access to a database. It is also an incident when data is lost or unintentionally deleted.
Report the personal data incident to infosak [at] lu [dot] se
For some research projects, funders request a certificate that Lund University has appointed a data protection officer. Lund University is in the process of generating such a certificate regarding Secure State Cyber AB.
Lund University has an external Data Protection Officer; Secure State Cyber AB and the contact person at Secure State Cyber AB is Sanja Hebib.
Do you have questions regarding data protection - please contact:
dataskyddsombud [at] lu [dot] se