We can’t promise that no one will be able to take part of personal data in research

Published: 2021-12-29

A person holds up a paper with a question mark in front of their face.On 12 December, SND hosted a webinar about open access to research data that contain personal data. On the agenda were questions about the best way to manage these data, if, and if so, how they can be disclosed. A major focus was on legal reasoning and discussions.

This is a field where we domain specialists get an incredible number of questions, said Anders Brändström who moderated the webinar together with his colleague Karina Nilsson.

One of the invited presenters was Jörgen Svidén, administrative director of the Ethics Review Appeals Board. He highlighted some common misconceptions in this field. One thing he wanted to explain was the question of whether research data that contain personal data may be disclosed as public documents.

—Of course, it may happen. Public documents that are recorded at a public authority can be requested by anyone. But if they contain sensitive personal information, the authority that keeps the documents will make an assessment before can be disclosed. If they are requested for the purpose of further research, a new ethics review must be made for the new research project. In that case, there will be double assessments, he said.

Chatarina Larson, legal officer at Umeå University, agreed. She said that by promising research subjects that no one else will be able to take part of their information, we undermine the trust in research. Instead, we have legislation that makes sure that only authorised people can gain access to that information. Classified information can’t be transferred unless the classification can also be transferred to the recipient, she explained.

—There are many laws and regulations that researchers have to follow. As a whole, these laws are there to protect the integrity of research subjects, and their right to their own information. But the rules can also be seen as a tool to make sure that we, as a university and researchers, have to gain and keep the public’s trust. We need to show that we can manage these data in a correct way, said Chatarina Larson.

Anonymised data are not personal data

There are some options if you want to share research data openly but can’t do so as they contain personal data. Chatarina Larson mentioned the possibility to anonymise data, which means that you clear the material of all information that could identify a person.

—By anonymising data, you can make both the GDPR and OSL [Editor’s note: the General Data Protection Regulation and the Public Access to Information and Secrecy Act] unapplicable. But there are high requirements. The result of the anonymisation must be that it’s no longer possible to identify the persons with the accessible information, or together with information that can be found elsewhere. There can, for instance, not be any code keys with you or with anyone else, she said.

You must also consider the risk of data re-identification. This means that there may not be any possibility to identify persons from an anonymised material by combining different indirect identifiers, such as data on profession, municipality, and age.

Researchers can get support from SND and their local Data Access Unit

The webinar also addressed what support researchers can get in their work with managing and sharing research data, with as well as without personal data. Max Petzold, director of SND, presented an overview of SND’s work and services for finding and sharing research data.

—The intention of our work ahead is that research data will remain with the research principal, he said, and referred to the the distributed model that’s being developed together with the members of the SND network.

When research data are stored with each respective HEI, it is possible to describe and even share data that contain personal data in the SND research data catalogue. After an assessment process, mentioned above, research data can then be disclosed by the relevant HEI.

Thomas Kieselbach, with the local research data support function (Data Access Unit, DAU) at Umeå University Library, presented the DAU’s functions and relation to the researcher. He also took the opportunity to promote the national collaboration in enterprise architectures for research data. In the scope of this collaboration, Monica Lassi (SNIC), Emma-Lisa Hansson (Lund University), and Mattias Persson (Örebro University) have interviewed several researchers to learn how satisfied they are with the data management during a research project. Judging from their investigation, the interviewed researchers are more satisfied with the data management in the early stages of the process but become less pleased with support and solutions as their projects progress. As this is a qualitative survey based on interviews, you can’t make any general claims from it, but Thomas Kieselbach thinks that it’s still interesting to take a closer look at the results.

—In summary, we get a feeling for how researchers experience data management during various stages of their research projects. It’s a limited study, but still a very useful material, he said.

You can read more about the event and the presentations from it here. Note that the presentations are in Swedish.)

Read more about managing research material with personal data.