Planning your data collection

Before beginning a data collection, you must ensure that the personal data processing has a valid legal basis. At Swedish universities and higher education institutions – which are public authorities – the most common legal basis is public interest, although in some cases it may be consent. A key principle for data collection is data minimization, meaning that only the personal data that are necessary for the research purpose should be collected.

Sensitive personal data – for example, data about health, political opinions, or religious beliefs – may only be processed for research purposes after approval from the Swedish Ethical Review Authority. It is also important to implement appropriate safeguards to protect the sensitive data. Note that the data may only be used within the scope of the specific research project that received ethical approval; if the project is expanded or altered, it may require a new ethical review. For example, if a researcher wants to reuse the data in a new study, they must submit a new application for ethical approval.

We recommend consulting your organization’s research data support service and Data Protection Officer for specific guidance on handling personal data in your research.

What do I need to think about if I plan to collect personal data in my research?

The European Commission has developed an interactive decision tree to help researchers identify important questions and risks when planning a research study. Walk through the decision tree to ensure that the study complies with the GDPR.

Data collection checklist

There are several important aspects to consider before starting to collect research data. Some of the key points are included in this checklist. A good way to ensure that all relevant aspects of the data management and processing are covered is to create a data management plan that addresses the areas outlined below.

1. Identify the responsible research principal

The research principal is the public authority or legal or natural person within whose operations the research is conducted. The research principal has overall responsibility for ensuring that the research is carried out in accordance with good research practice. In studies involving sensitive personal data, the research principal must be named in the ethical review application and is the entity ultimately responsible for the application.

It is not uncommon for one organization to apply for ethical review for a project carried out in collaboration with other organizations – for example, a university conducting research together with a university hospital. In such cases, all involved organizations must be listed as research principals in the application to the Swedish Ethical Review Authority. Otherwise, a partner organization may risk conducting research without proper approval. Each research principal is responsible only for the part of the research conducted within their own organization.

2. Determine whether the research involves personal and/or sensitive personal data

It is important to determine whether the research study will involve processing of personal data. Remember that coded (pseudonymized) personal data are still considered personal data – even if the code key is stored separately with another organization. It is only when the key has been destroyed and individuals can no longer be re-identified from it, even indirectly, that the data stop being personal data.

If the research involves processing of sensitive personal data for research purposes, you must have approval from the Swedish Ethical Review Authority before collecting any data. You must also implement appropriate technical and organisational safeguards to protect the data.

3. Identify the data controller

If your research involves any form of personal data, it is essential to identify the data controller(s). In Swedish publicly funded research, this is almost always the research principal.

It is also useful to assess early on whether any data processors will be involved, or whether data will be shared with another data controller. This is especially important when multiple parties are involved in a research project.

4. Follow the fundamental GDPR principles for processing personal data

Your project must comply with the fundamental GDPR principles for collecting and processing personal data (see Chapter II of the GDPR). For example, data may only be collected for specific, explicit, and legitimate purposes; there must be a legal basis for the processing; and no more data than necessary for the research question should be collected. The legal basis at universities is usually public interest.

SND has more information on legal bases for processing personal data in research.

The data controller must also assess any potential risks to the privacy of the data subjects before processing begins. Analyse the potential risks associated with the intended personal data processing and suggest protective measures. In some cases – if the risks are considered high – a more detailed data protection impact assessment is required. All risk assessments must be documented to demonstrate compliance with the GDPR. It is recommended to add these assessments to the data management plan.

5. Inform the research participants

Under the GDPR, individuals whose personal data are being processed have the right to be informed about the processing. This is known as the right to information. Research participants are often informed about data processing alongside other project information, particularly when informed consent is obtained in accordance with the Ethical Review Act and general research ethics guidelines.

At a minimum, the information must include the legal basis for processing, the purpose of the processing, and the identity of the data controller. It is also important to provide a contact person and contact details for the Data Protection Officer, if one has been appointed. There are some exceptions to the requirement to provide information – for example, in register-based research where it is impossible to contact individual research subjects.

Read more about the right to information under GDPR on the website of the Swedish Authority for Privacy Protection (IMY).

The Ethical Review Act also requires that participants receive information before giving their consent to participate (informed consent). There is therefore a dual obligation to provide information – under both the Ethical Review Act and the GDPR.

Read more about what the information to research participants should contain in “Guide to the Ethical Review of Research on Humans” (2023, page 36 and forward) from the Swedish Ethical Review Authority.

It is advisable to explain already at the data collection stage that research data may be preserved and made available in repositories to enable new research or reviews of research. Information about the personal data processing to research participants could look like this:

Personal data may be disclosed to, for example, researchers, journals and other authorised parties for reuse in subsequent research or for the review of research, either within Sweden or abroad. Any such disclosure of data will be assessed on a case-by-case basis to ensure that it is made in accordance with applicable legislation and that the personal data can be handled securely.

6. Determine whether the data are subject to secrecy

Will research data be obtained from another public authority? It is common for researchers to request existing data from various sources, such as register data from Statistics Sweden (SCB) or from the National Board of Health and Welfare (Socialstyrelsen). These government agencies must examine whether the data can be released based on secrecy provisions, just as universities and other higher education institutions must do. They often require the recipient to show ethical approval (where relevant), ask how the secrecy will be protected, and request details on the purposes for which the data will be used. Investigate in advance what conditions may apply and how long the process of reviewing the request to access data may take.

When collecting personal data directly from research participants, it is still important to assess whether the data will be subject to secrecy at your institution and, if so, under what terms. This will affect, for example, how the data can be shared later. Research data with personal information are often subject to research and statistical secrecy (forsknings- och statistiksekretess) under Chapter 24, Section 8 of the Public Access to Information and Secrecy Act (OSL, SFS 2009:400) and Section 7 of the Secrecy Ordinance (SFS 2009:641), as well as to data protection secrecy (dataskyddssekretess) under Chapter 21, Section 7 of OSL.

7. Classify the information

Most organizations have internal guidelines for information classification. These classifications affect which digital tools and storage solutions may be used.