This quick guide is intended as a help for SLU researchers who process personal data as part of their research.
For more background, read about the definition of personal data and more in-depth information about the legal requirements. (All references to the staff web refer to the web pages at this link).
Step 1: Legal basis and purpose
Selecting a legal basis
The first step is choosing a legal basis that makes fulfilling the data protection requirements as easy as possible. Which legal basis you choose is closely linked to how you phrase the purpose of your processing. Ask yourself the following questions about your project:
- Will you be using the personal data in your actual research, i.e. is the personal data your primary data?
- Will you be working closely together with the participants in the study?
If the answer to these two questions is yes, the most suitable legal basis is consent.
If the answer is no, particularly to the first question, public interest is the most suitable legal basis.
Remember to state where it is specified that the task in question is one that is the responsibility of SLU. This could be a legal act, a bargaining agreement or a duty assigned to us by another public authority.
If you answer yes to the first question but no to the second one, you should always contact firstname.lastname@example.org.
The choice of legal basis determines how you can describe the purpose of the processing. If the legal basis is consent, you can describe the purpose of the processing in more general terms, such as ‘We process personal data in order to conduct research on cancer’. This is only possible if consent is the legal basis. It makes it possible to collect and use personal data in research before you know what results to expect from the processing.
Remember that someone who has consented to the processing of their personal data always has the right to withdraw this consent. They do not have to justify this, which makes it important to document how the consent was given, who has consented and who has withdrawn their consent. If someone withdraws their consent, you must cease the processing of their data and delete it. The fact that data subjects can withdraw their consent means that using this legal basis involves a certain amount of administrative work.
If you process personal data in your research but the data is not part of your actual research, you should reflect on what you need the personal data for. If it will only be used to contact people, e.g. the owner of a pet that is part of your study, the purpose of the processing is obvious – contacting the participant. There are then fewer advantages of a broader purpose, but you still have to manage and document consent.
As the advantages of a broad, general purpose as discussed earlier (improved possibility to collect and conduct research on personal data before you know what results to expect) do not apply if the purpose can easily be defined more narrowly, consent as the legal basis is a less obvious option because of the administration it involves.
Purpose of the processing
When you have decided which legal basis to use, you need to describe the purpose of the processing. That is, you need to describe what you intend to do with the personal data. If you will only use it to contact participants in your study, that is what you write. If you are going to conduct a survey to investigate something, explain how you will collect data using the survey and what you will be analysing.
What you need to explain is the role of the personal data itself in your research.
Below are some examples of narrower descriptions of purpose that are acceptable:
From the student web
We process your personal data in order to:
- ensure that data about applicants, completed studies, grades and
qualifications are preserved
- carry out examinations and plagiarism checks
- register grades, presence and other data on completed studies
- enable you to work with teachers and other students on a course or programme.
From research projects
‘In order to conduct the research we need to collect personal data from the residents of [area] regarding their perceptions and experience of their social environment. Some of the information discussed in the interviews may be considered personal sensitive data. The data will be collected for the following purposes:
1. To analyse the interviews as part of a qualitative method and mixed methods analysis to inform the results and discussion for an MSc thesis. The results will also be compared against anonymised findings from [app] data in the [area] borough.
2. The summary of key findings and themes will be provided to community groups interested in the research project and presented in any relevant community discussions. All the findings will be anonymised and not directly related to you as an individual.
3. Following the completion of research and analysis, third parties may request the data to inform further research in the spirit of open science. The data will only be shared if the third party continues the research to benefit community needs. The data shared will be anonymised and therefore cannot be connected to you as an individual.’
‘We compile information about strategies for decision-making and risk management used by Swedish producers of eggs and broiler chickens to meet changing conditions in agriculture. The purpose of the study is to create an understanding for and improve sustainability and resilience within the EU agricultural sector.
The results of the survey will provide important information on the resilience and adaptability of agriculture, information that may be of importance for future agricultural policies in Sweden. The study is funded through the EU’s Horizon 2020 research and innovation programme, grant agreement no 727520. For this purpose, we need to collect data through in-depth interviews with a selection of agricultural businesses. The information will be compiled in reports and scientific articles.’
Broad purposes in research projects
If you use consent as the legal basis for the processing, you can describe the purpose in broader terms. It is not yet clear exactly how general a purpose description can be, but the Swedish Authority for Privacy Protection has stated that ‘we process personal data for medical research’ is too broad, while ‘we process personal data for medical research on cancer’ is sufficiently specific.
NB. This only applies if the data subject has consented to the processing of personal data, which is not the same as consenting to taking part in the research project. On the staff web, you can find templates for documenting consent. Consent can also be given in other ways, as long as it is documented.
Step 2: Which personal data do you need to collect?
You need to make it clear to yourself which data you will be collecting, and why it is needed for the purpose you have defined.
Step 3: Inform the data subject
The data subject always has the right to be informed of which kind of processing of their personal data that will take place. You will find a template for information to data subjects on the staff web. This information can be given in writing, orally, via video or in any other way as long as SLU can prove that the data subject has been informed. You can either publish an integrity policy on the project web, or give participants this information together with other project documentation.
If you are conducting register-based research where you are not in direct contact with the data subjects and there is a large number of data subjects, you can instead publish the information on the web. If you do, you must describe clearly from where the personal data has been collected, what data you are collecting and whose.
Step 4: Register the processing
Your head of department has an Excel file where you must register all research projects that contain personal data, and one of your co-workers at the department will have been assigned the task of managing this file. Register your research project and information about in this file.
Step 5: Ensure that your processing complies with the information you have given
This means that once you have defined a purpose, you may not process the personal data for any other purpose. If you need to process it for other purposes, you need to update both your registration and the information you have given to the data subjects.
Pay extra attention to avoid phishing attempts through email, server intrusion or if you accidentally send datasets with personal data to recipients who should not have access to it. Any incidents must be reported immediately to the Security Unit using the incident reporting tool on the staff web (click the ‘Emergency or incident’ button on the start page).