Use the brochure for research collaborations
Share the brochure Research collaboration with Umeå University with your collaboration partner so they understand the legal requirements for collaborations.
Do not share information classified as secret with foreign parties
The rules in the Public Access to Information and Secrecy Act only apply to Swedish authorities and other public organisations in Sweden. If Umeå University has received the data with transferred secrecy from another public authority or if there is another type of secrecy that protects the data at Umeå University, the basic assumption is that the research data cannot be shared with recipients outside of Sweden regardless of whether the recipient is a public authority, a higher education institution or another organisation.
Pseudonymisation is one way to enable the sharing of research data with information classified as secret with a collaboration partner in another country. If the data can no longer be linked to a specific individual and there is no associated information that allows the individual to become “traceable”, it is in many cases possible to share research data classified as secret.
Always contact the Central Support Team for Research Data Management if you need to share research data that are classified as secret with recipients abroad.
Checklist for sharing research data with partners in other countries
Before sharing research data with a partner in another country, you should:
- check to see if Umeå University has received the data from another Swedish authority or public organisation and determine whether the disclosing authority has transferred data secrecy to Umeå University;
- conduct a secrecy examination;
- investigate whether there are other possible measures that protect the individual or information classified as secret and thus enable sharing of the research data, such as anonymising or aggregating the information; and
- investigate whether an agreement on sharing research data needs to be signed.
If the research data contain personal data, you will also need to:
- assess which personal data are necessary to share; and
- contact the Central Support Team for Research Data Management if the research project parties have joint personal data responsibility that needs to be documented.
If the recipient of research data with personal data is in a country outside the EU/EEA (known as a third country), you also need to:
- check whether the country in question has what is known as an adequacy decision or whether other safeguards are needed; and
- whether an agreement on sharing research data needs to be signed.
Document the considerations made when sharing data, for example, in the research project’s data management plan.
Contact the Central Support Team for Research Data Management if you intend to share research data containing personal data with third countries.
Secrecy examinations
If the data can no longer be linked to a specific individual and there is no associated information that allows the individual to become “traceable”, in many cases it is possible to share research data classified as secret.
Sharing research data covered by secrecy with a collaborator abroad may be possible if:
- the information is pseudonymised;
- it is not possible to use any available data other than a code key to link the data to an individual;
- the agreement between Umeå University and your collaborator (such as a collaboration agreement) has confidentiality clauses for the data, known as contractual secrecy; and
- if the research is to be ethically reviewed, the ethical review application must make it clear that data will be shared with research collaborators abroad.
All of the above points must be met before sharing data abroad could be possible.
The secrecy examination can consider whether the research subjects were clearly informed that data will be shared with research collaborators abroad when the subjects gave their consent to be included in the research.
Protection level as per GDPR
If the European Commission has made an adequacy decision for the recipient’s country of residence, GDPR does not prevent you from sharing research data.
If the European Commission has not made an adequacy decision for the relevant country, other appropriate safeguards must be in place to ensure the level of protection required by GDPR, such as by signing standard contractual clauses (SCC). It is also important that the data are pseudonymised since this often enables release as per Public Access to Information and Secrecy Act and is considered a safeguard in GDPR.
Read more about sharing research data that include personal data
Agreements regulating sharing of research data
To be able to share research data with a partner in another country, an agreement needs to be signed that regulates how the data may be used. This type of agreement should stipulate:
- that research data may not be used for any other purpose than for the current project;
- what the collaborator is to do with the research data after the end of the project;
- that the collaboration partner may not pass on research data to others; and
- that the recipient is responsible for having the necessary permits required for processing research data as per the statutory requirements in the country where the recipient is active.
Do you have questions about research data?
The University has a cross-functional team that supports you with research data issues in areas such as archiving, legal affairs, IT support, open data, and information security. You can contact the research data support team using the following form:
Contact the research data support team if you have questions