GDPR for life science data
On 25 May 2018, the EU General Data Protection Regulation, GDPR, will replace our Swedish Personal Data Act. The biggest changes are that individuals’ rights are more strongly protected and the Regulation applies in all EU countries.
The General Data Protection Regulation requires a legal basis for all processing of personal data. Individuals are given greater control over their personal data in various ways. Their right to access data that they have submitted themselves is strengthened, as is the possibility of having information corrected or being forgotten and having information erased. All processing of personal data must comply with the fundamental principles specified in the GDPR.
Does the GDPR apply to me?
The GDPR applies to everyone who processes personal data, so it applies to the organisation that is the personal data controller and to anyone processing personal data on behalf of another entity, the personal data processor. Essentially, the GDPR covers all processing of personal data, whether by companies, associations, public authorities or private individuals. The organisation is responsible for compliance and must be able to show that the regulations are being followed. SciLifeLab is a national resource and a collaboration between universities, therefore specific guidelines from each university should be followed. To facilitate your compliance with GDPR general information has been collected below.
What is personal data?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law. Examples of personal data are: name and surname, home address, email address, Internet Protocol (IP) address, genetic data, data concerning health.
What personal data processing is legal under the GDPR?
Personal data processing is legal if there is valid consent for the processing or if the processing is necessary to fulfil a contract or a legal obligation. It is also legal if the processing is needed to carry out a task in the public interest or in the exercise of official authority vested in the controller. More explicitly the legal bases are:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
For any set of personal data you are processing think about these questions:
- What personal data do I collect?
- How and when are the data that I collect processed and used?
- How do I collect personal data?
- Why do I collect these particular personal data? Is there any legal basis, in other words, are there any laws or rules that permit me to collect and process these personal data?
- How long do I keep the data I collect?
- What is there to show that the individuals concerned have given their consent?
- Do I disclose personal data to anyone else? Does anyone else have access to these personal data?
- Do I supply personal data to third countries?
For anyone processing personal data, this means:
- Determine the purpose and stick to it
- Only collect data that are needed
- Do not collect more data than necessary
- Do not use data for another, incompatible purpose
- Erase the data when they are no longer needed
- Ensure that the data are accurate and up to date
- Protect collected data
- Identify the legal basis for processing before processing begins
- Inform in a transparent and honest way
GDPR also has implications on how to handle research data. Therefore new legal framework will be presented during 2019. Read the interim report here (in Swedish)
More information regarding the specific procedures at our host universities can be found here:
Other useful links with more information regarding GDPR:
- SciLifeLab GDPR information meeting March 16, 2018
- Swedish Data Protection Authority
- Information classification and security at Uppsala university
- EU GDPR Portal
- Register personal data processing at Uppsala University
- NBIS working practices in support projects with human data