Swedish Proposal for Research Data Act XXXII Nordic Conference on Legal Informatics November 13-15 2017 Cecilia Magnusson Sjöberg, Professor Faculty of Law Stockholm University Today s presentation about personal data processing for research purposes Background Approach Proposal Remaining work Challenges
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA, AND REPEALING DIRECTIVE 95/46/EC (GENERAL DATA PROTECTION REGULATION) Swedish regulative response General Data Protection Regulation (2016/679), GDPR National general supplementary legislation SOU 2017:39 National specific rules and regulations The Research Data Inquiry (U 2016:04)
SOU 2017:50 Interim report presented on June 9, 2017 to the minister for Higher Education and Research Helene Hellmark Knutsson The consultation process 143 consultative organs listed Responses were due by September 15, 2017 An official referral to the Council of Legislation is being prepared by the Ministry of Education Secretariat Cecilia Magnusson Sjöberg, special investigator Maria Jacobsson, Head Secretary Cecilia Arrgård Staffan Malmgren Margareta Sandén Magnus Stenbeck
The notion of research and the Ethical Review Act (2003:460) Definitions Section 2 In this statute, the terms listed below shall be construed as follows: Research: Scientifically experimental or theoretical work intended to result in new knowledge and development outcomes on a scientific basis, excluding work that is performed within the framework of higher education on the basic or advanced level. Responsible research body: A government authority or a physical or legal entity under whose auspices the research is conducted Research subject: A living person who is the subject of research. The Commission Dir. 2016:65 Processing of personal data for research purposes Part 1 was presented on June 9, 2017 Part 2 due by May 25, 2018 Dir. 2017:29 Processing of personal data in the Royal Library Completed November 9, 2017 Dir. 2017:61 Legal prerequisites for providing data to the Luxembourg Income Study (LIS) Due by May 25, 2018 Dir. 2017:87 Processing of personal data in research libraries Completed November 9, 2017
Major research library activities Personal data processing: Data about borrowers Digitalisation of analogue collections Digitalisation of remote access or upon visitors request Data base searches Publishing activities Hosting publication data bases Management of identifiers Text- and data mining (TDM), as a service Also: Open science partner Open education partner SOU 2017:50 General considerations in view of the General Data Protection Regulation (GDPR) and the proposal by the Data Protection Inquiry (SOU 2017:39) Establish the legal ground for lawful processing research as a task carried out in the public interest enable processing of personal data for research purposes while maintaining privacy protection Equate researchers in public and private organisations
About consent The prerequisites for valid consent are made explicit in GDPR Private research actors Consent can be a legal ground Processing of sensitive personal data (special categories) or personal data on criminal convictions and offences must be subject to ethical review regarding research conducted in Sweden Public research actors Limited possibilities to use consent as a legal ground Research is primarily conducted as a task carried out in the public interest The data protection principles in Article 5 and the principles of proper research practices apply to all actors SOU 2017:50 cont. On ethical review Can constitute a safeguard in accordance with GDPR Ethical review according to the same principles as today Sensitive personal data and personal data on criminal convictions and offenses applies to all actors regardless of which legal ground It is not reasonable to require ethical review for processing of all categories of personal data There is a need to differentiate the ethical review procedure
SOU 2017:50 cont. General safeguards Pertains to all processing of personal data for research purposes New Pseudonymisation or equally strong protection Conditional right to opt out Transferred from the Personal Data Act To take action with respect to the data subject SOU 2017:50 cont. Rights of the data subject Some proposed limitations No right to rectification when processing for archival purposes No right to restriction of processing Article 18.1 in GDPR (contest of accuracy) Artikel 18.1 d i GDPR (verification that the legitimate grounds of the controller override those of the data subject) if excercising these rights leads to that the research cannot be carried out, or is seriously delayed or hampered
SOU 2017:50 cont. Legal technical adaption of two register laws The LifeGene Law The Law on the Forensic Psychiatry Research Register Restricted to necessary changes due to GDPR Previous considerations and decisions are accepted References are updated Legislate A Research Data Law is proposed Proposal: The Research Data Act Introductory provisions Scope of the law Processing of personal data for research purposes Legal ground General safeguards Sensitive personal data (special categories) Personal data on criminal convictions and offenses etc. Exemptions from rights of the data subject Disclosure of personal data
Remaining work Long term regulation of research databases Comprising The Luxembourg Income Study (LIS) Review of the regulation etc. of the Forensic Psychiatry Research Register Propose a regulation of the National Biobank Register Strengthened protection of data on deceased persons within forensic research? Challenges moving ahead Compliance with fundamental data protection principles Especially purpose imitation Data minimisation Position of the national supervisory authority in light of the governmental goal Potential tools A broad understanding of the research process Ethical reviews applied beyond conventional projects