Table of Contents
Diversity in data protection
It is one of the key responsibilities of researchers and the Project Principal Investigators to familiarise themselves with the local laws, rules and ethical requirements for their projects.
When research crosses legal and jurisdictional boundaries researchers should always seek to apply the requirements of the legislation that has the most stringent requirements of the whole project. Where this is unclear, you should obtain advice from your institute, ethical committees or qualified legal professionals.
Since 25 May 2018, the General Data Protection Regulation (GDPR; European Union, 2016a) applies to any researcher who collects data on EU citizens. One of its key aims is to harmonise laws across the EU regarding data protection legislation.
In addition to the GDPR, each EU Member State has rules on data protection and legislation that you have to familiarise yourself with if you collect personal data. Because of this, some Member States have more restrictive data protection legislation than others.
In the tabs below some key national legislation affecting data protection is stated. This is by no means a complete coverage of all the issues.
- Austria
- Finland
- Croatia
- Germany
- Greece
- Netherlands
- Norway
- North Macedonia
- Serbia
- Slovenia
- Sweden
- Switzerland
- UK
In addition to the GDPR, data protection in Austria is regulated at the national level through the data protection law, termed DSG (“Datenschutzgesetz"). Further specifications on data protection with regard to research are included in the research organisation act, termed FOG (“Forschungsorganisationsgesetz").
In principle, personal data may only be processed under certain circumstances regulated by the GDPR and national law on data protection. Personal data may for example be processed if the data subject has given her or his consent or if a legal exception applies as stated in European or national law. One important legal exception when processing data for scientific purposes is specified in §2f FOG. Scientific institutions (as defined in § 2b Z 12) may in particular collect, archive and systematically record research material (as specified in § 2b Z 6) for purposes pursuant to Art. 89 para. 1 GDPR, and for this purpose process all data (§ 2b Z 5) necessary to ensure optimal access to data and research material for purposes pursuant to Art. 89 para. 1 GDPR ("repositories").
In Finland, the Data Protection Act (1050/2018) specifies and supplements GDPR. For instance, according to the Data Protection Act, public interest can be a legal basis to process personal data in research if it is necessary and proportionate to the aim of public interest pursued. According to the Data Protection Act, a personal identity code may also be processed if it is necessary to uniquely identify the data subject for scientific or historical research purposes or statistical purposes.
In Finland the Office of the Data Protection Ombudsman has published a data protection roadmap for scientific research. It guides researchers in taking data protection into consideration at the different phases of research and the lifespan of data. For more information, see https://tietosuoja.fi/en/scientific-research-and-data-protection.
Universities and other research organisations have appointed their own data protection officers. They help researchers and produce templates for privacy notices and data protection impact assessments, along with other documents and agreements that are needed for data protection in research.
Personal data protection is a constitutional right, in the framework of human rights and fundamental freedoms. "The safety and secrecy of personal data shall be guaranteed for everyone." (The Constitution of the Republic of Croatia, Article 37).
The Act on Implementation of General Data Protection Regulation ("Official Gazette" No. 42/18) was enacted on 25th May 2018 to ensure full implementation of the GDPR in Croatia. National legislation contains no provisions regulating the use of personal data in scientific research.
The Croatian Personal Data Protection Agency is the only independent public supervisory authority in the Republic of Croatia within the meaning of the provision of Article 51 of the General Data Protection Regulation. The Agency can be contacted by researchers for consultation services about the use of personal data in their research.
Data protection in Germany is governed by the GDPR, the Federal as well the State Data Protection Acts.
There is no centralized authority for research ethics and data protection due to the federal nature of Germany. The Federal Commissioner for Data Protection and Freedom of Information is part of the Data Protection Conference (webpage in German only).
The German Data Forum (RatSWD) has published recommendations and teaching material on research ethics and data protection (webpage in German only). The Federal Data Protection Act was adapted to the GDPR in 2017.
Data protection in Greece is governed by:
-Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), known as GDPR
-Law 4624/2019 with the title “Hellenic Data Protection Authority (HDPA), measures for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and transposition of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 and other provisions”
Law 2472/1997 which has been has been repealed, except for the provisions referred to expressly in Article 84 of Law 4624/2019-Law 3471/2006 on the protection of personal data and privacy in the electronic telecommunications sector
Law 3471/2006 with respect to the electronic communications sector which incorporates into the Greek law European Directive 58/2002.
The above regulatory framework sets out the obligations of those who process personal data and the respective rights of those to whom the data processing relates. The same Law also provides for the establishment of the Hellenic Data Protection Authority (HDPA) and its powers and competencies.The Hellenic Data Protection Authority (HDPA) is a constitutionally consolidated independent Authority which incorporates into the Greek law. relevant EU legislation provisions.
All relevant, official, publicly available information can be found at: https://www.dpa.gr/index.php/en/enimerwtiko/legal_framework/personal_data
Research data should be stored permanently as far as possible insofar as scientists participate in research by or at the institution that has adopted the Netherlands Code of Conduct for Research Integrity (Association of Universities in the Netherlands, 2018) or discloses their research in its name, research findings and research data should be made public subsequent to completion of the research to the extent possible. Simultaneously, the institutions have the obligation to ensure permanent storage as far as possible. Upon receiving a grant from the Netherlands Organization for Scientific Research (NWO) it is important to address this in the Data Management Plan (DMP).
Project notification
In Norway, if you are going to process personal data and you work at one of the institutions that have an agreement Norwegian Centre for Research Data (NSD) as their Data Protection Services for Research then you must notify NSD about the research project. If your institution does not have an agreement with NSD, you must either notify your institution’s own Data Protection Official (if they have one) or the Norwegian Data Protection Authority. A notification is not required only if the research project registers anonymous information only. However, you should note that you will still need to notify the NSD if you will be processing personal data during the project, even if the research project will publish anonymous data.
If you are a researcher employed at an institution outside Norway different rules apply: if the data controller (i.e. the responsible institution) is established in an EEA country, it is sufficient to submit a notification of the project to the relevant authorities in the country concerned. If the data controller is located in a country outside the EEA, the notification must be submitted in Norway by a Norwegian institution that undertakes the role of the data controller’s representative.
Further information and advice can be sought from the NSD (n.d.) directly.
In this area, research institutions are obliged to respect the general provisions of the Law on personal data protection (2005) (Official gazette of the R. Macedonia No.7/05, 103/08, 124/08, 124/10, 135/11, 43/14 and 153/15). The new law, which implements the GDPR directive of the EU, is in preparation. Anyway, research institutions have developed their own practices for the protection of personal information during the research process.
Government of the Republic of Serbia adopted the Law on Personal Data Protection of the Republic of Serbia, in November 2018 and its implementation Act began on August 21, 2019. The Law on Personal Data Protection puts personal data at the very top of the protection priorities and gives citizens the functional capacity to manage their privacy much better and more transparently. In essence, the Law is the final product of a general civic and political initiative that has launched a long-standing "hard-fought" process to achieve legal frameworks in which each individual would have greater protection of his or her privacy and in which institutions and companies would be given much clearer rules and procedures by which they could to process and use personal information.
The special rule applies to data processing for a purpose archiving in the public interest, scientific or historical research, and statistical purposes, as well as when it comes to the right of access to information, or in general relationship between the right to protection of personal data and freedom of expression.
In Slovenia, the Personal Data Protection Act (Slovene, English) is still not adopted to General Data Protection Regulation. Researchers can find some guidelines on this topic at the Information Commissioner office. For more, see Publications and Guidelines of the Slovenian Information Commissioner.
The Swedish Ethical Review Authority is a recently restructured authority under the Ministry of Education and Research, for the protection of humans in research, research on biological material and sensitive personal data.
On their website, researchers can find information on the legal requirements that must be complied with in order for the research to be legal. The ethical rules that apply to research are based on international conventions, founded on principles for research ethics. Swedish research is covered by international law and conventions, as well as national legislation. The rules are there to make sure that individuals are not harmed or subjected to unnecessary risks when personal data och people are used for research.
The General Data Protection Regulation, GDPR, and complementary legislation includes all usage of personal information. Personal information can, according to GDPR, only be used for specific, explicitly stated, and legitimate purposes. However, even when all these criteria are met, personal information for research purposes also requires informed consent.
There are exceptions in case there is a rule that conflicts with other Swedish constitutional law, for example conflicts with The Freedom of the Press Act (SFS 1949:105), or The Fundamental Law on Freedom of Expression (SFS 1991:1469). Treatment of personal information for artistic or journalistic purposes is excepted, as well as private registers.
SND website provides further information (in Swedish).
Data protection in Switzerland is both regulated at the federal and the cantonal level. At the federal level, it follows the Federal Act on Data Protection (FADP) (The Federal Council, 2014) and the Ordinance to the Federal Act on Data Protection (OFADP) (The Federal Council, 2012). Besides the FADP, each of the 26 cantons has their own cantonal data protection act. Universities are regulated by cantonal laws.
The FADP is currently under revision and should align with the GDPR. See Finsterwald (2016) for more practical information.
In the UK, there is the Freedom of Information Act and a common-law tort of breach of confidence.
Freedom of Information Act
Researchers who work at a publically funded research institute or university in the UK are subject to the Freedom of Information (FOI) Act 2000. This Act provides members of the public with a right to access information held by UK public sector organisations (e.g. publically funded research institutes and universities). This means that a member of the public may make a request for access to a researcher’s research data.
There have been various examples of research data being requested through the FOI Act. For example, climate change researchers at the University of East Anglia had two such requests made in early 2007. The university initially refused to release data, however after one of the requesters drafted a letter to the ICO alleging that the university was in violation of the FOI Act the university released the requested research data (Booth, 2009).
An FOI request (GOV.UK, n.d.) can come in many forms, but for it to be valid, it must come in a written form, such as an email, letter or fax. An FOI request can also come from anyone, meaning that the requester does not have to have been a participant in the research project. The information needs to be provided unless an exemption or exception allows the researcher not to disclose the information. Researchers must respond within 20 working days of receiving the request and should seek assistance from their university/research institute before disclosing any information. This is particularly important where the FOI request requests access to data which is not that of the requester but is defined as ‘personal data’ under the GDPR of another ‘data subject’.
Researchers working on European projects need to be aware that they will need to comply with the UK FOI Act if there is a UK public research institute or university involved in their research project.
Further guidance on FOI (ICO, n.d.a) can be sought from your research institute/university or the UK’s Information Commissioner’s Office (ICO, n.d.b).
In the UK, there is a common-law tort of breach of confidence. A duty of confidence arises when confidential information comes to the knowledge of a person in circumstances where it would be unfair if it were then to be disclosed to others.
Disclosure of information subject to a duty of confidentiality would constitute a breach of the duty. The duty of confidentiality is not absolute and is not protected by legal privilege, and exceptions occur. For example, where the participant has consented to the information being used in specific ways, for agreed purposes, and by certain people or where a judge requires disclosure.
This applies to information not already in the public domain. If the consent form promises confidentiality, disclosing information unlawful may constitute a breach of confidence.