Research involving human data

What is human data?

Any data that directly or indirectly can be associated with a living person is considered personal data, e.g. name, address and personal identity number. See also legal reference regarding personal data.

What is sensitive human data?

Some personal data are regarded as sensitive, e.g. data related to health and genetic data. This explicitly includes all genetic data (both RNA and DNA, and both somatic and germline information), and is likely to also apply to other kinds of omics data. Aggregated data (like population frequencies) might not be considered sensitive anymore, but a decision has to be made on a case-to-case basis. Personal data should always be pseudonymised, but the data will still remain sensitive in legal terms. See also legal reference regarding sensitive data.

Important regulations to follow

Please find below an overview of relevant regulations to follow when doing research involving human data.

Who is responsible for the data?

The person who decides how and why the personal data should be processed is responsible for ensuring that the processing is done according to the law. That person is called the Controller (of personal data). The Controller is typically the university employer of the principal investigator (PI). The PI should act as a representative of her university employer and is responsible for ensuring that personal data is handled correctly in her projects.

Am I allowed to share data about humans?

Anonymised data can be shared publicly, but you have to first be sure that the data is truly anonymous which can be hard, especially if you are working with genetic data.

Personal data may be allowed to be shared under some circumstances. Make sure to follow GDPR, the ethical review act and other relevant regulations, see further information below regarding considerations.

Repositories for publishing human data

The GDPR states that the processing (including storing) of personal data should stop when the intended purpose of the processing is done. There are, however, exemptions to this e.g. when the processing is done for research purposes. Also, from a research ethics point of view, research data should be kept to make it possible for others to validate published findings and reuse data for new discoveries. This is also governed by what the data subjects have been informed about regarding how you will treat the data after project completion. The recommendation is to deposit the sensitive data in the appropriate controlled access repositories if such are available, but this requires that the data subjects are informed and have agreed to this.

Federated European Genome-phenome Archive (FEGA) Sweden is an archive for storing and sharing data in Sweden in a way that meets the requirements of the General Data Protection Regulation (GDPR). Any data submitted to the archive is subject to controlled access, which means that access to the data only will be granted after a formal application procedure.

Considerations when working with human data

GDPR considerations

Before embarking on a new project, consider the following:

  • Have the data processing been reported to the data protection officer?
  • What is the purpose of processing the personal data?
  • Who is the data controller of the personal data processed in the project?
  • What is the legal basis for processing the personal data?
  • Have data processing agreements been established between the data controller(s) and any data processors?
  • Have Data Protection Impact Assessments (DPIA) been performed for the personal data?
  • What technical and procedural safeguards have been established for processing the data?
  • What happens with the data after project completion?

Data Protection Officer (dataskyddsombud)

The role of the data protection officer is to check that the General Data Protection Regulation (GDPR) is complied with within the organisation. If personal data is processed in your research, you should report this to your institute’s Data Protection Officer (DPO).

Article 6 (1) lists under what conditions the processing is considered lawful. Of these, Consent or Public interest are relevant when it comes to research. You should determine what legal basis (or bases) you have for processing the personal data in your project.

Traditionally, consent has been the basis for processing personal data for research, but under the GDPR there cannot be an imbalance between the processor and the data subject for it to be considered to be freely given. In Sweden the use of consent as the legal basis for processing by universities for research purposes is therefore not recommended. Instead, public interest should probably be your legal basis. Note that if your legal basis for processing is consent, a number of requirements exists for the consent to be considered valid under the GDPR. Consents given before the GDPR might not live up to this.

Also note that even if public interest is the legal basis, other laws and research ethics standards might still require you to have consent from the subjects for performing the research.

Data Processing

All processing of personal data must comply with the Principles relating to processing of personal data in the GDPR.

  • A Data Processing Agreement is needed when a Processor (someone from a different university than the controller) is processing the data (e.g. storing or analysing) on behalf of the Controller.

As a Controller you should:

  • Ensure that data processing agreements are established when needed.
  • Ensure that all Processors are informed on what can and cannot be done to the data.
  • Ensure that all processing is done in a compute environment with a suitable level of security, e.g. Bianca at Uppmax.

As a Processor you should:

  • Only handle the data according to the instructions from the Controller.
  • In the case of a data breach, accidental or otherwise, immediatly report the incident to the Controller.

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is needed if the personal data processing is likely to result in a high risk to individual people’s rights (IMY on Impact assessments and prior consultation). The purpose of a DPIA is to prevent risks before they occur, by identifying what risks exist and draw up procedures to meet those risks. In order be able to decide if a DPIA is needed, you should perform a risk analysis. Analyse what risks your personal data processing may involve and suggest appropriate security measures. Document your findings so that you can demonstrate that you comply with the GDPR. If the risk analysis shows that a DPIA is needed, there are tools to help you e.g. PIA software from CNIL.

Security of processing

To ensure that the personal data that you process in the project is protected at an appropriate level, you should apply technical and procedural safeguards to ensure that the rights of the data subjects are not violated. Examples of such measures include, but are not limited to, pseudonymisation and encryption of data, the use of computing and storage environments with heightened security, and clear and documented procedures for project members to follow.

Ethical considerations

Before embarking on a new project, consider the following:

  • Has the project (or parts of the project) undergone ethical review?
  • Have informed consents been collected from the research subjects?
  • Are there limitations of use defined in these?
  • Is the intended research purpose within the scope of the limitations of use that is defined in the ethics approval(s) and/or the informed consent(s)?

The purpose of these questions is to spell out what uses the subjects have consented to, and/or for what uses ethical approvals have been given. Then, given the stated research purpose of this project, are the consents and ethical approvals for the datasets compatible with this.

Resources & Training