About personal data in research

Personal data can be directly or indirectly linked to an individual. Some personal data are considered to be sensitive or warrant special protection, but all personal data need to be protected in different ways. As an organisation, Umeå University is responsible for the processing of personal data in research conducted at the University.


Personal data can be linked to an individual

Personal data can be directly or indirectly linked to an individual. This means that obvious information such as the person’s name and personal identity number as well as any other information that can be linked to an individual are personal data. Combinations of data are also personal data if it is possible to link them to an individual.

There are three categories of personal data:

Sensitive personal data

Data that reveal:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • data concerning health or sex life, genetic or biometric data.

Health data can include allergies, sickness absence, pregnancy and doctors’ appointments, for example.

Privacy-sensitive/personal data of particular importance to protect

These include, for example:

  • personal identity number;
  • salary statements;
  • data concerning violations of the law;
  • evaluation data, such as data from development discussions;
  • data on the results of personality tests or personality profiles;
  • data concerning an individual’s private sphere; and
  • data on social circumstances.

General personal data

These are data that are neither sensitive nor privacy-sensitive/personal data of particular importance to protect.

Pseudonymised or anonymised data

Pseudonymisation does not mean that the personal data are anonymised. Pseudonymised data, i.e. encoded personal data, are personal data as long as a code key exists – regardless of where the key is located or who has access to it.

Anonymised data cannot be linked to an individual in any way and are therefore no longer personal data. If research data with personal data contain many variables, it may be difficult to anonymise the data.

When data are considered anonymised

The data cease to be personal data only when there is no possibility whatsoever of linking the data to an individual. The data are considered anonymised if there is no code key and there is no possibility of re-identification using other data sources (commonly referred to as backtracking). An example of this is when pseudonymised personal data are re-coded and the new code key is destroyed – a process known as double pseudonymisation.

However, the original data and the key to the first pseudonymisation are typically retained for research and archival purposes.

Sensitive personal data and violations of the law require ethical review

Research that involves the processing of sensitive personal data and personal data relating to violations of the law is subject to an ethical review requirement under the Swedish Act (2003:460) concerning the Ethical Review of Research involving Humans. In many cases, such data are also subject to secrecy rules, which means that the provisions of the Public Access to Information and Secrecy Act must also be taken into account.


Personal data controller

The personal data controller is the natural or legal person that determines the purposes and means of the processing of personal data. There may be one or more personal data controllers for the same personal data processing.  

As an organisation, Umeå University is the controller of personal data processed in research conducted at the University. In research collaborations, several organisations may be the controller for their part of the processing of personal data. However, the fact that an organisation merely discloses data to a research project does not mean that that organisation is the controller of the personal data processed in the research. 

What you need to do

There are several basic requirements that you must comply with when your research involves processing personal data. Processing of personal data means anything you do with personal data, including any form of collection, recording, storage, processing, analysis, consultation, compilation, disclosure and erasure. 


Do you have a question?

If you have questions about personal data processing, please contact the legal officers (data protection) at pulo@umu.se.


For questions on research data management, please contact the university-wide research data support team.


Latest update: 2025-06-03
