Personal data can be linked to an individual
Personal data can be directly or indirectly linked to an individual. This means that obvious information such as the person’s name and personal identity number as well as any other information that can be linked to an individual are personal data. Combinations of data are also personal data if it is possible to link them to an individual.
There are three categories of personal data:
Sensitive personal data
Data that reveals
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- data concerning health or sex life, genetic or biometric data.
Health data can include allergies, sickness absence, pregnancy and doctors’ appointments, for example.
Privacy-sensitive/personal data of particular importance to protect
These include, for example:
- personal identity number;
- salary statements;
- data concerning violations of the law;
- evaluation data, such as data from development discussions;
- data on the results of personality tests or personality profiles;
- data concerning an individual’s private sphere; and
- data on social circumstances.
General personal data
These are data that are neither sensitive nor privacy-sensitive/personal data of particular importance to protect.
Pseudonymised or anonymised data
Pseudonymisation does not mean that the personal data are anonymised. Pseudonymised data, i.e. encoded personal data, are personal data as long as a code key exists – regardless of where the key is located or who has access to it.
Anonymised data cannot be linked to an individual in any way and are therefore no longer personal data. If research data with personal data contains many variables, it may be difficult to anonymise the data.
When data is considered anonymised
The data cease to be personal data only when there is no possibility whatsoever of linking the data to an individual. The data are considered anonymised if there is no code key and there is no possibility of re-identification using other data sources (commonly referred to as backtracking). An example of this is when pseudonymised personal data are re-coded and the new code key is destroyed – a process known as double pseudonymisation.
However, the original data and the key to the first pseudonymisation are typically retained for research and archival purposes.
Sensitive personal data and violations of the law require ethical review
Research that involves the processing of sensitive personal data and personal data relating to violations of the law is subject to an ethical review requirement under the Swedish Act (2003:460) concerning the Ethical Review of Research involving Humans. In many cases, such data are also subject to secrecy rules, which means that the provisions of the Public Access to Information and Secrecy Act must also be taken into account.
Read more about ethical review
Read more about sharing research data in ethically approved research
Personal data controller
The personal data controller is the natural or legal person that determines the purposes and means of the processing of personal data. There may be one or more personal data controllers for the same personal data processing.
As an organisation, Umeå University is the controller of personal data processed in research conducted at the University. In research collaborations, several organisations may be the controller for their part of the processing of personal data. However, the fact that an organisation merely discloses data to a research project does not mean that that organisation is the controller of the personal data processed in the research.
What you need to do
There are several basic requirements that you must comply with when your research involves processing personal data. Processing of personal data means anything you do with personal data, including any form of collection, recording, storage, processing, analysis, consultation, compilation, disclosure and erasure.
Read about the requirements for processing personal data for research purposes
Do you have a question?
If you have questions about personal data processing, please contact the legal officers at pulo@umu.se (data protection)
For questions on research data management, please contact the university-wide research data support team.