Skip to main content
Researchdata.se

Protected data

Research data can be sensitive for various reasons and to varying degrees, requiring different levels of protection during the research process, when sharing data and during long-term preservation and archiving. There may be legal or ethical reasons that prevent data from being openly accessible, such as when the data contain personal information, are protected by copyright, or classified as confidential.

Research data may require protection due to risks concerning:

  • personal integrity
  • endangered biological species and environments
  • trade secrets
  • financial agreements
  • the operations and activities of organizations and municipalities
  • confidentiality.

By conducting an information classification of the data handled as part of your research, you can assess which data need protection, the risks and consequences of inadequate protection, and the appropriate level of security required.

You can read more about common reasons for restricting access to research data on the page As open as possible, as restricted as necessary

Security-sensitive information

A specific category of protected data includes security-sensitive information directly linked to Sweden’s national security. These data require a higher level of protection compared to confidential informationOpens in a new tab. You should always consult with the Chief Information Security Officer (CISO) in your organization before publishing any information about security-sensitive data. Discuss possible options, such as making the data, or some part of the data, available with restricted access.

Questions to consider

Do your research data contain confidential information?

  • If yes: Contact your local research data support service or your organization’s legal officers.

Does the information relate to Sweden’s national security?

Contact your organization’s Chief Information Security Officer (CISO) if you are not sure.

  • If yes: The data are classified as security-sensitive information and must be handled in compliance with the Protective Security Act. Contact the Chief Information Security Officer in your organization for guidance on proper protective security measures.

 

Information related to Sweden’s national security

Security-sensitive information is directly linked to Sweden’s national security. There is no exhaustive list of information that is classified as security-sensitive, but it can include information about the armed forces, the core institutions of democracy (e.g., the judicial system and the Election Authority), and other critical societal functions. It refers to information and activities of fundamental importance to Sweden’s security.

If security-sensitive information is disclosed, it could impair Sweden’s capability to participate in international cooperation or harm Sweden’s defence capability,  preliminary investigations or intelligence activities. Other security-sensitive information can be detailed descriptions of buildings where essential public services are located, or information about critical products in times of crisis or war, which, if they are leaked, could compromise protective security measures, or risk and vulnerability assessments, which might hinder society’s ability to manage crises if they are disclosed. 

If you are not sure whether your research involves information that is linked to Sweden's national security, contact the Chief Information Security Officer (CISO) in your organization.

The Protective Security Act

Security-sensitive information is governed by the Protective Security Act (Säkerhetsskyddslag, SFS 2018:585Opens in a new tab), which imposes requirements for measures related to information security, personnel security, and physical security. An English version in PDF format can be found on the Government's website: The Protective Security Act (2018:585)Opens in a new tab.

The Protective Security Act clarifies the obligations of organizations handling security-sensitive information. It includes fundamental provisions on protective security, security measures, security classification levels, reporting obligations, and protective security agreements to ensure a higher level of protection than standard confidentiality regulations. 

Organizations conducting security-sensitive activities must assess and document their protective security needs in a protective security analysis. Additionally, employees who handle security-sensitive classified information must undergo security vetting, and any collaboration with third parties must involve protective security agreements. 

Note that research data repositories may not be able to meet the security requirements set forth by the Protective Security Act. It may also be illegal to even create a data description for security-sensitive information in a research data catalogue, even if it does not include the actual dataset.