Pilot SV Legal FWK

'Big data analytics' and processing of
health data for scientific research

purposes : the Swedish legal framework
Research Protocol by Christine Storr, Faculty of Law, Stockholm University, and Pam Storr, Independent Legal
Consultant and Teacher in IT law
in Stockholm, Sweden, 6 April 2018
www.aegle.uhealth.eu
Contents
Overview of the legal framework........................................................................................................................ 3
a. Which laws regulate the processing of health data for research purposes (the current regime, in force till 25
May 2018) ..................................................................................................................................................................... 3
b. Revision of the current legal framework under the GDPR ................................................................................. 6
c. The national data processing authority .............................................................................................................. 7
Transposition of Article 8.4 of Directive 95/46 ................................................................................................... 8
a. Transposition of Article 8.4 of Directive 95/46 ................................................................................................... 9
b. The regime applying to the processing of personal data for health research purposes ................................. 10
c. Are there additional specific conditions governing the processing of data for scientific research purposes?
11
d. Formalities prior to processing: the general regime under the current framework ....................................... 15
Further processing of health data (for research purposes): the current regime ............................................. 16
The GDPR’s impact on the current regulatory framework for the processing of health data for research
purposes ..................................................................................................................................................................... 17
a. The impact of the GDPR on the rules applying to processing for research in the field of health ...................... 17
b. Modification to the processing authorisation procedure applying to research in the field of health ............ 18
Further processing for research purposes under the GDPR ............................................................................. 20
Health data sources for research purposes ...................................................................................................... 22
a. Sources of data and their regulation .................................................................................................................. 22
b. Application of the national framework to the AEGLE cases ............................................................................. 26
1. Type 2 diabetes .................................................................................................................................................. 26
2. Intensive Care Unit (ICU) ................................................................................................................................... 27
3. Chronic Lymphocytic Leukaemia (CLL) .............................................................................................................. 28
AEGLE in your country Page 2 of 29
Partners
Co-funded by the Horizon 2020
Framework Programme of the
EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler
European Union under Grant Technologies Limited, UPPSALA UNIVERSITET, UNISR, time.lex, EUR,
Agreement nº 644906. CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU
Overview of the legal framework

First, we would like to get an overview of the current and upcoming legal framework applying to the processing of
health data for research purposes in your country.
a. Which laws regulate the processing of health data for research purposes
(the current regime, in force till 25 May 2018)
What are the relevant applicable provisions governing the processing of health data in your
country? Please provide online references (also to an English version, if available), a brief
description and any specific relevant information.
With regards to health data, there are two main laws that are applicable, the Personal Data Act [Personuppgiftslag
(1998:204)]1 which transposed Directive 95/462 and which is generally applicable to all types of data processing,
and the Patient Data Act [Patientdatalag (2008:355)] which is specifically applicable to health data processing carried
out by private or public healthcare providers.
In addition, the Swedish Patient Security Act [Patientsäkerhetslag (2010:659)] and the Public Access to Information
and Secrecy Act (OSL) [Offentlighets- och sekretesslag (2009:400)] stipulate requirements for healthcare providers
regarding security and confidentiality, though OSL only applies to public authorities.
Section 19 of the Personal Data Act states that sensitive data can be used for research purposes if the processing
has been approved according to the Act (2003:460) concerning the Ethical Review of Research Involving Humans
(Ethical Review Act) [Lag (2003:460) om etikprövning av forskning som avser människor]3. As health data is
considered sensitive data all research projects that process health related data must go through the vetting process
by the Ethical Review Board.4
Public authorities’ processing of personal data is commonly regulated in designated statutes. These statutes are
generically called database laws or register statutes (registerförfattningar) and regulate the conditions under which
processing is allowed, which principles should be followed, which authority is responsible, who can access the data
and how long the data should be kept. Some examples of these database laws within the healthcare sector will be
mentioned below.
The Swedish Research Council (Vetenskapsrådet) has published information to help researchers when trying to
access data for research purposes. The website is available in Swedish at https://www.registerforskning.se/.
1
An older English translation is available at https://www.datainspektionen.se/in-english/legislation/the-personal-data-act/
2Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data.
3 An English translation is available at https://www.epn.se/en/start/regulations/
4 https://www.epn.se/en/start/
Partners
Main legislation on databases containing health data
When it comes to the structure of the healthcare sector, there are two main possibilities for databases containing
health data. One concerns databases kept by healthcare providers, so-called quality registers (kvalitetsregister), and
the other one concerns biobanks which can be administered by both private and public healthcare providers.
Quality registers
The quality registers have been established in Sweden for a while with the goal to increase the quality of healthcare.
There are around 100 quality registers which contain data on health problems, diagnoses, treatment and results. 5
The registers are integrated into clinical workflows and can generate data in real time. A group of healthcare
professionals, researchers and patient representatives supports each register. 6 Registers can be focused either on
patients with a specific illness, or on a specific treatment or risk group. Therefore, the quality registers can differ
with regards to level of coverage and data quality.
The National Board of Health and Welfare (Socialstyrelsen) administers some of the registers, e.g. the national
patient register (NPR)7, and offers support for accessing other registers. 8 The NPR has existed for approximately 50
years and contains both patient data (the Swedish personal identity number, gender, age, place of residence),
geographical data (which county, which hospital), administrative data (date of admission, date of discharge, etc.)
and medical data (main diagnosis, secondary diagnosis, external cause of injury). Healthcare providers (both public
and private) must submit information into the NPR.
In general, the registers are decentralised and often administered by healthcare providers in different regions. In
most cases, personal data is being collected through the patient journal.
The quality registers are covered by Chapter 7 of the Patient Data Act. Section 7 states that only public authorities
may be data controllers, although the government can allow for exceptions to this principle. According to Section 5
in Chapter 7 personal data in a national or regional quality register may be used for research or statistical purposes.
Researchers can apply to use data from the quality registers.9
The registers kept by the National Board of Health and Welfare (Socialstyrelsen), e.g. NPR, are also regulated in the
Act on Health Data Registers (lagen (1998:543) om hälsodataregister) and several regulations, e.g. Regulation on
Patient Registers with the National Board of Health and Welfare (Förordning (2001:707) om patientregister hos
Socialstyrelsen). They are also covered by strict secrecy according to the Public Access to Information and Secrecy
Act [offentlighets- och sekretesslag (2009:400)].
Biobanks
5 A list is available in English at http://www.kvalitetsregister.se/englishpages/findaregistry/allswedishqualityregistries.2028.html
6
Read more in English at the official page at http://www.kvalitetsregister.se/englishpages.2040.html
7 Information in English available at http://www.socialstyrelsen.se/register/halsodataregister/patientregistret/inenglish
8 more information in Swedish at http://www.socialstyrelsen.se/register and a shorter overview at http://www.socialstyrelsen.se/statistics
9 A detailed overview of the application process is available in English at

http://www.kvalitetsregister.se/englishpages/useregistrydatainyourresearch/quickguideforresearchers.2409.html
Partners
The Act on Biobanks within Health and Medical Care (Biobank Act) (lagen (2002:297) om biobanker i hälso- och
sjukvården m.m.)10 regulates how human tissue can be collected, stored and used. According to the Act (Chapter 2
Section 2) biobanks can only be established for healthcare, treatment and other medical purposes as well as quality
assurance, training, research, clinical trials, development or other equivalent activities. If the biobank is mainly to be
used for research and clinical trials, it may only be established after approval by the Ethical Review Board (Chapter
2 Section 3 Biobank Act). The biobank may not be used for purposes other than those approved by the Board.
Biobanks have to be reported to Health and Social Care Inspectorate (IVO) (Inspektionen för vård och omsorg)11
according to Chapter 2 Section 5 Biobanks Act. Today there are around 450 biobanks registered with IVO. Around
200 of these are kept by counties and contain around 90 % of all samples stored. 12 It is, however, possible for private
entities to administer a biobank, with the rules of the Biobank Act being applicable.
Biobank Sweden coordinates the various biobanks in the country and administers a catalogue over research sample
collections.13 It also publishes guidelines and templates for contracts for access to the biobanks.
Legislation concerning human tissue
The Transplant Act [lagen (1995:831) om transplantation m.m. (transplantationslagen)] regulates all types of
intrusion made on living or deceased humans for medical purposes. As these intrusions are carried out within
healthcare, the Biobank Act is also applicable.
The Act on Blood Safety (lagen (2006:496) om blodsäkerhet)14 applies for collection, production, control or storage
of blood or components of blood to be used for a transfusion. If blood or components of blood are to be used as raw
material for the production of medicine or technical products the Act on Medical-Technical Products (lagen
(1993:584) om medicintekniska produkter) as well as the Medicine Act (läkemedelslagen (2015:315) apply.
The Genetic Integrity Act (lagen (2006:351) om genetisk integritet m.m.)15 deals specifically with the use of genetic
investigations, genetic information and gene therapy. The Act contains provisions on e.g. whether genetic
information can be requested by insurance companies and stipulates requirements for genetic investigation. The
Act also deals with pre-natal and pre-implantation genetic diagnosis, research using human eggs, insemination, and
fertilisation outside the body.
10
An unofficial English translation is available as a pdf at http://biobanksverige.se/wp-content/uploads/Biobanks-in-medical-care-act-2002-
297.pdf
11 https://www.ivo.se/om-ivo/other-languages/english/
12More information in English at Biobank Sweden http://biobanksverige.se/research/basic-information-in-english/ Biobank Sweden (former

National Biobank Council (Nationella biobanksrådet) and BBMRI.se is a cooperation between counties and universities with a medical faculty,
dealing with biobank questions.
13 in Swedish at http://biobanksverige.se/forskning/nationell-katalog-over-forskningsprovsamlingar/
14The Act is based on Directive 2002/98/EC of the European Parliament and of the Council of 27 January 2003 setting standards of quality and
safety for the collection, testing, processing, storage and distribution of human blood and blood components and amending Directive 2001/83/EC.
15 An unofficial translation is available at http://www.smer.se/news/the-genetic-integrity-act-2006351/
Partners
Finally, the Autopsy Act [lag (1995:832) om obduktion m.m.] regulates the circumstances under which autopsies are
allowed. The principle according to Section 5 is that organs and other material can be taken out of the body for
examination if necessary for the autopsy. Biological material should be returned when the autopsy is finished unless
the aim of the autopsy requires the material to be looked at for a longer period of time. In this case, the Biobank Act
applies for the material.
Acts with Specific Purposes
The Act on Certain Databases for Research on what Inheritance and Environment means for Humans’ Health [Lagen
(2013:794) om vissa register för forskning om vad arv och miljö betyder för människors hälsa] applies to universities
processing healthcare data for research purposes. The Act is a result of a decision by the Swedish data protection
supervisory authority, the Data Inspection Board (Datainspektionen), declaring that consent was not specific nor
informed enough for individuals participating in the international LifeGene project.
The Act on Quality and Security Norms when Processing Human Tissue or Cells [Lagen (2008:286) om kvalitets- och
säkerhetsnormer vid hantering av mänskliga vävnader och celler (vävnadslagen)]16 applies when human tissue or
human cells are processed for use on humans or for the production of medicine for humans.
b. Revision of the current legal framework under the GDPR
How are the necessary changes to the national data protection framework introduced by the
GDPR addressed in your country? What is the adopted legislative approach?
A few governmental inquiries are assessing whether and how existing data protection legislation should be
amended, repealed or enacted due to the GDPR. Some of the more specific inquiries with regards to healthcare and
the research sector have led to Governmental Reports (SOU) between autumn 2017 and spring 2018. The Research
Data Inquiry Committee (Forskningsdatautredningen) published its Governmental Report (SOU) 2017:50 in May
201717, and a final Governmental Report (SOU) 2018:36 in June 2018 18; another Committee published the
Governmental Report (SOU) 2018:4 Future Biobanks19 in December 2017. The Research Data Inquiry Reports SOU
2017:50 and SOU 2018:36 are being drafted into a Government Bill currently (August 2018), so it is not clear at this
time when the proposed new Act on Research Databases (forskningsdatabaslagen) will be enacted.
16The Act is based on Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and
safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells.
17 The report with an English summary is available at www.regeringen.se/rattsdokument/statens-offentliga-utredningar/2017/06/sou-201750/
18The report with an English summary is available at www.regeringen.se/rattsliga-dokument/statens-offentliga-utredningar/2018/06/sou-

201836/
19 The report with an English summary is available at www.regeringen.se/rattsdokument/statens-offentliga-utredningar/2018/01/sou-20184/
Partners
The Social Data Protection Inquiry Committee has assessed, inter alia, the Patient Data Act and its compatibility with
the GDPR; it published the Governmental Report SOU 2017:6620 which has lead to a Government Bill Prop.
2017/18:171 Dataskydd inom Socialdepartementets verksamhetsområde – en anpassning till EU:s
dataskyddsförordning21. As of August 2018, the proposed changes have not yet been enacted.
The general inquiry looking into supplemental rules complementing the GDPR published the Governmental Report
(SOU) New Data Protection Act SOU 2017:39 (with an English summary), followed by a Government Bill Prop
2017/18:105, Ny dataskyddslag, on 15 February 201822. The Swedish Parliament enacted new legislation on 25 May
2018 as a result; in total three pieces of legislation were enacted: Act containing supplementary provisions to the
EU General Data Protection Regulation (Lag (2018:218) med kompletterande bestämmelser till EU:s
dataskyddsförordning) – in short Data Protection Act (dataskyddslag), Ordinance containing supplementary
provisions to the EU General Data Protection Regulation (Förordning (2018:219) med kompletterande bestämmelser
till EU:s dataskyddsförordning), and Act amending the Public Access to Information and Secrecy Act (lag (2018:220)
om ändring I offentlighets- och sekretesslagen (2009:400)).
The main inquiries within the health and research sector do not all necessarily focus on the GDPR but rather take a
wider approach and discuss potential pitfalls with the current regulation on research data and biobanks respectively
and aiming to improve the general legal framework.
c. The national data processing authority
Can you provide a short description of the role of the data protection supervisory authority in
your country in the domain of processing health data for research purposes under the current
legal framework?
The Swedish Data Inspection Board (Datainspektionen)23 is the responsible supervisory authority with regards to
data protection. The authority is also responsible for supervising the application and implementation of the Swedish
Patient Data Act, and its remit therefore includes processing of health data.
The Personal Data Act includes an obligation to notify the Data Inspection Board of the processing of personal data
before any processing begins. Researchers must therefore register with the Board according to Section 36 Personal
Data Act. However, according to the Data Inspection Board’s regulations, notification is not required where
individuals have consented to the processing. The Personal Data Act also provides for an exception to registration
where a data protection officer is appointed and registered with the Board. After implementation of the GDPR,
organisations that process a large amount of data or particularly sensitive data are required to register a data
protection officer with the Board according to Article 37 (7) GDPR.
20 http://www.regeringen.se/rattsdokument/statens-offentliga-utredningar/2017/08/sou-201766/
21 http://www.regeringen.se/rattsdokument/proposition/2018/03/prop.-201718171/
22 Available in Swedish at www.regeringen.se/rattsdokument/proposition/2018/02/prop .-201718105/
23 www.datainspektionen.se
Partners
Within the health sector, the main supervisory authority is the Swedish government agency Health and Social Care
Inspectorate (Inspektionen för vård och omsorg – IVO)24. The Inspectorate’s task is to supervise that the public
receives safe, good quality health and social care. Healthcare providers must register with the Inspectorate, in
accordance with Chapter 2 Section 1 of the Swedish Patient Security Act [Patientsäkerhetslag (2010:659)].
The National Board of Health and Welfare (Socialstyrelsen)25 is also involved in health and social care, particularly
eHealth. The Board is mentioned in the Patient Data Regulation [Patientdataförordning (2008:360)] as one of the
responsible authorities for patient data issues; one of its main tasks is to build a basis for documentation and
interoperability.
Can you describe the adopted or proposed changes to this role of the national data
protection authority to ensure compliance with the GDPR?
The Government Bill Prop 2017/18:105, Ny dataskyddslag suggests that the Swedish data protection authority, i.e.
the current Data Inspection Board, has to consider complaints within three months, In accordance with the
timeframe set out in the GDPR. The Bill also suggests that it should be possible to impose administrative fines on an
authority that does not adhere to the GDPR; this has been adopted in Chapter 6 Section 2 paragraph 1 of the new
Data Protection Act. In general, decisions taken by the supervisory authority can be appealed to an administrative
court.
The Research Data Inquiry Committee proposes in SOU 2017:50 and 2018:38 that the Swedish Data Inspection Board
should also be the supervisory authority for the new Research Data Act. 26
In a press release, the Government has stated that it will increase the annual budget of the Data Inspection Board
by SEK30 million (about €3 million) and has proposed that the name of the Board will change to the Privacy
Protection Authority (Integritetsskyddsmyndigheten).27
Transposition of Article 8.4 of Directive 95/46

Did your national legislator insert any additional exemptions for the processing of health data
for research purposes? How is it/are they formulated? Please explain. Are there additional
exemptions issued by the DPA?
24www.ivo.se. The Inspectorate was created in June 2013 and took over the supervisory activities of the National Board of Health and Welfare
(Socialstyrelsen). It therefore now supervises health and medical care as well as social services.
25 www.socialstyrelsen.se/english
26 SOU 2017:50 pp 36-37 and SOU 2018:38 p 31.
27Press release by the Government (15 December 2017) <http:// www.regeringen.se/pressmeddelanden/2017/12/datainspektionen -blir-
integritetsskyddsmyndigheten/> accessed 15 January 2018 (in Swedish).
Partners
Article 8.4 of Directive 95/46: “Subject to the provision of suitable safeguards, Member States may, for reasons of
substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law
or by decision of the supervisory authority.”
a. Transposition of Article 8.4 of Directive 95/46
In Sweden, data concerning health is classed as sensitive personal data and as such its processing is prohibited
according to Section 13 (2) of the Personal Data Act. However, exceptions to this prohibition are permitted in
accordance with Section 14, and these grounds are found in Sections 15-19 of the Act. Processing of sensitive data
is permitted under Swedish law where for example a data subject has expressly consented (Section 15); where
processing is necessary for medical purposes (Section 18) (this provision encompasses preventive healthcare,
medical diagnoses, care or treatment, and the administration of healthcare); and processing for research and
statistical purposes (Section 19).
Processing of sensitive personal data for research purposes is therefore expressly permitted in Sweden due to
Section 19 Personal Data Act. However, Section 19 (1) states that such processing must be authorised in accordance
with the Act concerning the Ethical Review of Research Involving Humans (lagen (2003:460) om etikprövning av
forskning som avser människor, Ethical Review Act). The Ethical Review Act also defines the term “research”
purposes.28
According to Section 20 Personal Data Act, the government or supervisory authority may issue further exemptions
from the prohibition to process sensitive data (including health data) “where necessary for reasons of substantial
public interest”.29 The Data Inspection Board has however not issued any specific regulations in accordance with this
provision.
It was noted in the preparatory works when transposing the Directive that the Swedish constitutional principle of
openness (offentlighetsprincipen) was considered a substantial public interest and therefore an exemption foreseen
in Article 8.4 of the Directive. There was deemed to be no obstacle in the application of existing Swedish rules on
access to public documents, leading to a requirement of notification to the Commission pursuant to Article 8.6. 30
Archival was also deemed to be a substantial public interest; as archival of public documents can include sensitive
personal data, a legal provision was deemed necessary, leading again to a requirement of notification to the
Commission pursuant to Article 8.6.31
These two issues (access to public documents and archiving) have been included in the national law and are found
in Section 8 Personal Data Act. Section 8 (1) states that the provisions of the Personal Data Act shall not apply in
cases where they would restrict an authority’s obligations according to Chapter 2 of the constitutional Freedom of
28 Section 2 Ethical Review Act defines “research” as scientific, experimental or theoretical work to obtain new knowledge, and also
developmental work carried out on a scientific basis, with the exception of that which is carried out as part of a programme of study at an institute
of higher education.
29Government Bill 1997/98:44 p. 127 states that the Swedish wording ”viktigt allmänt intresse” shall have the same meaning as in Article 8.4
Directive 95/46 (i.e. a reason of substantial public interest).
30 Governmental Report 1997:39 p. 215-216; Government Bill 1997/98:44 p.44
31 Governmental Report 1997:39 p. 220; Government Bill 1997/98:44 p.47-48
Partners
the Press Act to disclose personal data; Section 8 (2) states that the provisions of the Personal Data Act do not
prevent an authority from archiving or storing public documents, or from being handled by an archiving authority.
b. The regime applying to the processing of personal data for health

research purposes
Is there a specific regime applying to data processing for research in the field of health
purposes?
The Ethical Review Act, mentioned above, is the main piece of legislation relating to research in the field of health
purposes in Sweden. The Act encompasses research involving humans (both living and deceased persons), biological
material from humans, along with processing of sensitive personal data and personal data concerning criminal
offences (Sections 3 and 4 Ethical Review Act). The aim of the Act, according to Section 1 (2), is to protect individuals
and human dignity when research is conducted. Personal data processing for research in the field of health research
purposes therefore forms a part of this wider-ranging Act relating to research involving humans.
All research referred to in the Ethical Review Act may only be conducted where approval has been granted following
an ethical vetting (Section 6 Ethical Review Act). Research involving the processing of personal data is only allowed
where approval for this processing has been given as part of the ethical vetting. Approval is valid for two years,
meaning that the research must be commenced within this time period. For approval to be given, research must
meet certain conditions, for example be conducted or supervised by a researcher with the necessary competence
(Section 11), and be of sufficient scientific value to outweigh any risks to the research subject’s health, safety and
personal integrity (Section 9). Approval cannot be given where the anticipated result can be achieved through other
means that entail fewer risks to the research subject’s health, safety or personal integrity (Section 10 (1)). In addition,
research involving the processing of sensitive personal data may only be approved if such processing is necessary
for the research to be carried out (Section 10 (2)).
Personal data (of a non-sensitive nature) may also be processed according to Section 10 (d) Personal Data Act, where
it is deemed necessary for the public interest. Such public interest includes archiving, research and statistics.
Previously, when Directive 95/46 was transposed, this provision even applied to sensitive personal data; sensitive
data could therefore be used for research purposes provided that the public interest of such research clearly
outweighed the risk for any violation of the individual’s privacy.32 Following an amendment to the Personal Data Act
in 2003, this possibility was removed and the system of ethical research vetting was applied to sensitive data, as
detailed above.
To the extent the research includes the collection of personal data, other legislation such as the Biobank Act and
other laws mentioned in Chapter I A in this report may be applicable.
32 See Government Bill 1997/98:44 p.68.
Partners
From which generally applicable data protection provisions are researchers exempted and
under what conditions?
In general, researchers are not exempted from the generally applicable data protection provisions. One exemption
is provided for in Section 24 (3) Personal Data Act, in relation to informing an individual of the processing of their
personal data. According to this provision, information does not need to be provided where it would not be possible
or would involve disproportionate efforts. In relation to research this section can be applied in line with Recital 40
Directive 95/46, taking into account for example the number of data subjects and the age of the data.
Although not an explicit exemption, the common interpretation of the Biobank Act has been that storing tissue
samples in biobanks does not amount to processing of personal data as such.33 The Act distinguishes between tissue
samples and personal data connected to the samples. The databases that are connected to the biobanks do contain
personal data and therefore must be processed in accordance with the Personal Data Act.
c. Are there additional specific conditions governing the processing of data

for scientific research purposes?
What are the suitable safeguards applied to the exemption foreseen by Article 8.4 of the
Directive in your country?
As mentioned above, Section 19 (1) Personal Data Act permits the processing of sensitive personal data for research
purposes only after approval in accordance with the Ethical Review Act. There are, however, no specific security
measures applicable to sensitive personal data. Rather, the general security provisions apply, following the
transposition of Article 17 Directive 95/46 regarding appropriate technical and organisational measures to protect
personal data that is processed. Section 31 Personal Data Act specifies that the measures shall provide a level of
safety that is appropriate considering the technical possibilities that are available, the implementation costs of
particular measures, the risks associated with the processing and how sensitive the data is that is being processed.
In general terms, the more sensitive the data the higher the security measures. The Data Inspection Board has issued
guidelines on the required level of protection.34
Section 9 (4) Personal Data Act has been deemed a suitable safeguard to the exemption foreseen by Article 8.4
Directive 95/46.35 The section states that data processed for scientific purposes may only be used for measures
regarding the data subject if the data subject has given consent or there are special reasons due to the vital interests
33 SOU 2018:4, p 93 with further references, including Article 29 Working Party Opinion Nº 4/2007 - WP 136
(20.06.2007), p 8-9.
34 Available in Swedish at https://www.datainspektionen.se/Documents/faktabroschyr-allmannarad-sakerhet.pdf.
35 Government Bill 1997/98:44 p.119-120.
Partners
of the data subject. It is for the data controller to show that special reasons exist. Section 9 (4) does not apply,
however, in cases where an authority uses personal data in public documents.36
Specific examples are mentioned in the Governmental Bill, to illustrate when vital interests of the data subject would
allow for data to be used that has been processed for scientific purposes. 37 The first example is where a researcher
investigating a potential link between a particular medicine and a serious illness finds an actual link and therefore
uses data to warn research subjects who have taken such medicine so that they can be examined and receive
treatment. The second circumstance is where a statistical register is used to warn those who have purchased a
device found to have a serious error. These examples suggest that Section 9 (4) this provision is somewhat limited
in practice, as both involve a danger to life or risk of injury.
In addition, existing Swedish rules on confidentiality and professional secrecy that are generally applicable to
research and statistics are also considered to be suitable safeguards. 38 For example, Chapter 21 Section 1 Public
Access to Information and Secrecy Act (OSL) [Offentlighets- och sekretesslag (2009:400)] states that confidentiality
applies to information pertaining to an individual’s health or sex life, such as information about illness or abuse. In
addition, Chapter 21 Section 7 OSL states that confidentiality applies where disclosure would result in personal data
being processed in a manner contrary to the provisions of the Personal Data Act. Chapter 11 Section 3 OSL states
that if an authority, as part of its research activities, receives data from another authority that is classified as
confidential, this confidentiality will apply to the data at the receiving authority. The Ethical Review Act also refers
to rules on confidentiality and professional secrecy, stating in Section 12 that personal data may be disclosed for
research purposes unless otherwise provided by such rules.
In relation to the use of sensitive data for scientific research purposes, the ethical vetting procedure must be
followed, as detailed above. There is a presumption made in Section 19 Personal Data Act that where approval of
personal data processing has been granted by the ethical vetting board, in accordance with the provisions of the
Ethical Review Act, the public interest following of the research outweighs the risk for undue violation of individual
privacy. In other words, the ethical vetting procedure is in itself a sufficient suitable safeguard. 39 However, this was
initially a voluntary approval procedure; where no ethical vetting took place, there was a requirement under the
Personal Data Regulation (1998:1191) for the research’s data controller to carry out an assessment and notify the
Swedish Data Protection Board of the processing a minimum of three weeks in advance so that a prior check could
be carried out. Assessment by the researchers themselves is no longer necessary, due to the now mandatory nature
of the ethical vetting procedure.40
Are there any specific provisions concerning: (i) professional secrecy, (ii) express consent for
specific data, or specific provisions for (iii) deceased data subjects, or (iv) specific provisions
for minors or persons subject to guardianship?
36 Section 8 (2) Personal Data Act. See also above on exemptions for public authorities relating to the constitutional principle of openness.
37 Government Bill 1997/98:44 p.120.
38 Government Bill 1997/98:44 p.69
39 See Government Bill 1997/98:44 p.71.
40 See further Government Bill 2002/03:50 p. 173.
Partners
Professional secrecy
The applicable rules on professional secrecy are dependent upon the organisation carrying out the research. The
Swedish principle of openness (offentlighetsprincipen) applies to public healthcare providers and research
institutions, entailing a presumption of access to public documents. This presumption, however, can be negated due
to reasons of confidentiality and secrecy, in accordance with the Public Access to Information and Secrecy Act (OSL)
[Offentlighets- och sekretesslag (2009:400)]. Chapter 24 OSL regulates secrecy in the area of research and statistics.
Accordingly, documents are not permitted to be handed out if they are subject to professional secrecy.
The principle of openness does not apply to private healthcare providers, nor the rules contained in the Public Access
to Information and Secrecy Act (OSL). Instead, provisions on professional secrecy are found in the Patient Safety Act
(Patientsäkerhetslagen (2010:659)), and are intended to give the same protection as under the OSL provisions.
However, the protection only extends to healthcare, not to research. 41 There is therefore no legislative provision on
professional secrecy for research carried out by private healthcare providers. In these instances such professional
secrecy is regulated by contract.42 The Governmental report (SOU) 2018:38 proposes, however, an obligation for
private research organisations to observe professional secrecy, to be included in the new Act on Research Databases
(forskningsdatabaslagen).
Express consent
The research subject must consent to research according to Section 17 Ethical Review Act; this consent must be
voluntary, explicit and specific, given after receiving information on the research detailed in Section 16, and be
documented. Exceptions to the consent requirement exist, due to for example illness or mental disorder, and these
are detailed in Sections 20-22.
According to the Biobank Act consent must be explicit and documented in the patient’s journal (Chapter 3 Section
7). One of the principles of the Biobank Act is informed consent; if the tissue donor withdraws her or his consent,
the biobank must either destroy or anonymise the sample (Chapter 3 Section 6).
According to the Transplant Act, biological material can only be taken for medical purposes if the data subject has
consented. If there is a risk of damages, the consent has to be in writing (Section 6).
Deceased data subjects
Neither the Ethical Review Act nor the Biobank Act contain any provisions on consent or information when it comes
to deceased data subjects, but refer to the Transplant Act and the Autopsy Act (Section 13 (2) Ethical Review Act and
Chapter 3 Section 4 Biobank Act). The Autopsy Act mainly deals with the question when an autopsy may be carried
out, not with questions on research.
According to the Transplant Act biological material may be taken if the deceased has consented or if the procedure
can be assumed to be in line with her or his beliefs. Biological material can also be taken if the deceased has not
opposed the procedure/surgery in writing or spoken out against the procedure, or if there are reasons to assume
the procedure would be against the deceased’s beliefs. If there is any doubt, the procedure should be not performed
(Section 3). In case the deceased’s next of kin opposes the procedure, it should not be undertaken (Section 4).
41 Governmental Report 2017:50 p.274. See Chapter 6 Section 12 PSL.
42 Governmental Report 2018:4 p. 111.
Partners
The Research Data Inquiry Committee discusses in Governmental Report (SOU) 2018:36 research on deceased
persons. The Committee did not suggest any changes to the legislative framework in this regard and found that the
existing legislation along with its proposal for research secrecy provides sufficient protection for data about
deceased persons.43
Minors and persons subject to guardianship
For minors, specific consent provisions apply according to Section 18 Ethical Review Act. For research subjects
between the ages of 15-17, who understand the implication of the research, the general information and consent
provisions apply. In other cases involving minors, the legal custodians are to be informed and must consent to the
research in accordance with the provisions of the Act. The research subject is however, as far as possible, to be
informed of the research. According to Section 18 (2), even in cases where a custodian consents, research may not
be conducted where a research subject under the age of 15 understands the implications of the research and
opposes it.
The Biobank Act does not specify any particular age but also follows the same principle that the parent or guardian
should be asked for consent unless the minor is able to make such a decision herself (Chapter 3 Section 2).
In relation to persons subject to guardianship, Section 20 Ethical Review Act allows for research to be conducted
without consent in cases of illness, mental disorder, impaired health or other similar circumstance. However, certain
conditions must be met in these cases, in accordance with Section 22. The individual shall, as far as possible, be
personally informed of the research, consultation with the individual’s next of kin and any legal guardian must take
place, in accordance with Chapter 11 Parental Code [Föräldrarbalken (1949:381)]. The research may not be
conducted where the research subject in any way expresses a wish not to participate or if any of those consulted
oppose the research.
Are there specific requirements about the data subject’s information or about the person
from whom the data was collected?
The research subject is to receive information about the research in accordance with Section 16 Ethical Review Act,
on for example the purpose of the research, the methods used, the consequences and risks the research may entail,
the responsible research body, the voluntary nature of participation and the right of the research subject to cease
participation at any time.
Are there specific penalties if the conditions for processing for scientific research in the field
of health purposes are not respected? What do those penalties entail?
Intentional violation of the provisions of the Ethical Review Act can result in fines or imprisonment for a maximum
of six months; minor violations will, however, not lead to any sanction. 44
43 SOU 2018:38 pp 35.
44 Section 38 Ethical Review Act.
Partners
Intentional or negligent violations of the Personal Data Act can result in fines or imprisonment for a maximum of
two years. As for the Ethical Review Act, minor violations will not lead to any sanction.45 Compensation can also be
paid to the individual for injury and violations of personal integrity caused by any processing contrary to the
provisions of both the Personal Data Act46 and the Biobank Act47.
In cases of violation of professional secrecy (“brott mot tystnadsplikt”) Chapter 20 Section 3 of the Swedish Penal
Code (Brottsbalk (1962:700)) will be applicable; this can result in fines or imprisonment for a maximum of one year.
d. Formalities prior to processing: the general regime under the current

framework
Is there a regime requiring the fulfilment of certain conditions prior to any processing
activities different from that applicable to research in the field of health? If yes, what does
that regime entail?
As stated above, all research referred to in the Ethical Review Act may only be conducted where approval has been
granted following an ethical vetting. Research involving the processing of personal data is only allowed where
approval for this processing has been given as part of the ethical vetting. In addition, research subjects must consent
to the research in question, as detailed above.
Since 2004, there is one central ethical vetting board and six regional boards. Each regional board is responsible for
its own geographically defined catchment area; applications for research approval should therefore be made to the
relevant regional board.48 Changes are to be made to the current system, effective 1 January 2019, whereby the
regional boards are to be phased out and the responsibility for ethical vetting will instead fall on a new central
authority. The reason for this change is to increase efficiency and create a more uniform application of the legal
framework.49
An application must be made for research approval and a fee paid by the person responsible for the research. A
written procedure is generally used by the boards. At the meetings, any one of three decisions can be made: an
application may be approved, approved subject to certain conditions or rejected. The regional boards should
normally make a decision within sixty (60) days of receiving a fully completed application.
45 Section 49 Personal Data Act.
46
Section 48 Personal Data Act.
47 Chapter 6 Section 2 Biobank Act.
48For more information on the ethical vetting organisation see the Central Ethical Review Board’s website, https://www.epn.se/en/start/the-
organisation/.
49 See Government Bill 2017/18:45 (Prop. 2017/18:45 En ny organisation för etikprövning av forskning som avser människor).
Partners
Further processing of health data (for research purposes): the

current regime
How is the notion of further processing regulated in your national framework?
Further processing is regulated in Section 9 (1)(d) Personal Data Act. Further processing is only allowed where
compatible with the original purpose for which the data was collected. Data must be collected for a specific purpose
(Section 9 (c)) and can therefore not be processed in a manner that is incompatible with this purpose.
Are there specific conditions to the further processing for scientific research in the field of
health purposes?
The Swedish Personal Data Act includes a specific provision on the further processing of data for scientific purposes.
Section 9 (2) states that further processing of data for historical, statistical or scientific purposes shall not be deemed
incompatible with the initial purpose of collection. Further processing for scientific research purposes is therefore
permitted under the Swedish framework.
Personal data is not permitted to be retained for longer than necessary for the purpose of processing (Section 9
(1)(i)). However, personal data can be retained a longer period of time for historical, statistical or scientific purposes,
provided that it is not retained for longer than necessary for such historical, statistical or scientific purposes, in
accordance with Section 9 (3).
The newly enacted Data Protection Act does not contain a similar section on this question but allows processing of
health data in Chapter 3 Sections 2-7 in accordance with Article 9 (2) GDPR if the processing is based on an important
public interest. The Act does not mention scientific purposes anymore, however.
Chapter 4 of the Biobank Act regulates sharing of tissue samples. According to Section 4 tissue samples that are
shared shall be depersonalised or coded. According to Section 10 personal details may not be linked to the tissue
samples if both are shared at the same time.
What are the rights of the data subject when it comes to further processing?
The data subject has a right to be informed of processing and further processing, in accordance with Sections 23-25
Personal Data Act. The data controller must inform the data subject about: its identity, the purpose of the processing,
and other information needed so that the data subject can take advantage of their rights in connection with
processing, such as information on the recipients of the data, the obligation to provide information and the right to
apply for the correction of data.50 Information does not need to be provided that is already known by the data
subject.51 There is no requirement to provide the information in writing, but it is the data controller who must prove
that the information has been given.
Section 24, described earlier, deals specifically with the rights of the data subject for further processing. The data
controller must inform the data subject, if the data was not collected from him/her, about the processing of data at
50 Section 25 (1) Personal Data Act.
51 Section 25 (2) Personal Data Act.
Partners
the time when the data is registered. However, Section 24 (2) provides an exemption to the information requirement
where provisions on the registration or disclosure of personal data are included in another law or regulation.
Furthermore, the information does not need to be provided, as mentioned previously and stated in Section 24 (3),
where it would not be possible or would involve disproportionate efforts.
The newly enacted Data Protection Act does not contain similar sections in this regard so the GDPR is applicable.
What about the data subject’s rights and further processing for scientific research purposes?
As no general exemptions from the data protection provisions exist for research purposes, the relevant provisions
are those mentioned above, namely Section 24 Personal Data Act. There is a potential exemption for researchers to
inform data subjects if this would involve disproportionate efforts, as mentioned above and as in line with Recital
40 Directive 95/46.
The GDPR’s impact on the current regulatory framework for

the processing of health data for research purposes
a. The impact of the GDPR on the rules applying to processing for research in
the field of health
Please provide a summary of the main relevant characteristics of the new law/Bill (as far as it
is relevant for processing health data for research purposes). How is (or will be) Article 9(2)(j)
implemented in your country?
The Government Bill for a new data protection act (Prop 2017/18:105, Ny dataskyddslag) briefly discusses data
processing within healthcare but does not mention research in any more detail, and refers to the Research Data
Inquiry Committee (Forskningsdatautredningen) and the Governmental Report (SOU) 2017:50. Research purposes
are not mentioned in the new legislation enacted by the Swedish Parliament in 2018.
The Research Data Inquiry Committee proposes the introduction of a new Research Data Act (forskningsdatalag)
“with the purpose of enabling personal data to be processed for the purpose of research and to protect the freedoms
and rights of the individual in conjunction with such processing of personal data.” 52 Though SOU 2017:50 was
followed up by a final Governmental report SOU 2018:38 and is currently drafted into a Government Bill, it is not
yet clear to what extent changes will be made in the final law. Among the notable suggested changes is a provision
enabling both public and private research actors to cite “task carried out in the public interest” as the legal basis for
processing personal data for research purposes (Article 6 (1) (e) GDPR). According to Article 6 (3) GDPR public
interest must be based on EU or national law. For public research actors, the legal basis are statutes that stipulate
research as a main task, e.g. for universities Chapter 1 Section 2 Higher Education Act (högskolelagen). For private
52 Governmental Report 2017:50, p 30.
Partners
actors, SOU 2018:38 proposes that a public interest is established if the private research actor has received approval
for its research database through the ethical review procedure.53
According to Chapter 2 Section 3 of the proposal for a Research Data Act, sensitive data may be processed according
to Article 9 (2)(j) GDPR if the processing has been approved in accordance with the Ethical Review Act and the
research actor has secured financing for the research database. The Ethical Review Act stipulates further
requirements for the vetting procedure. According to the proposal the Act allows personal data to be processed in
research databases in order to be used and shared in future research projects. Both the research database and the
research project must be approved by an ethical review.
Another notable change is a provision stating that personal data must be pseudonymised or protected in an
equivalent manner when processed for research purposes, provided that the purpose can be attained by doing so. 54
Another point worth mentioning is that SOU 2018:38 discusses the possibility for Swedish research organisations to
share research databases with other EU organisations. According to the proposal, the Governmental Inquiry suggests
a secrecy override applicable to research databases operated by research organisations which are covered by the
GDPR. This override would mean that, under certain conditions, data that is subject to secrecy may be disclosed to
a research organisation outside Sweden if the receiving organisation falls under the GDPR. If it would be possible to
release the data to Swedish research database in corresponding cases, and if the research organisation is subject to
secrecy rules corresponding to those that apply under the Public Access to Information and Secrecy Act and the
Research Databases Act, the releasing authority may examine whether the data can be released. 55
SOU 2018:38 also proposes giving the Swedish Research Council (Vetenskapsrådet) the task of drafting a code of
conduct for the processing of personal data in research databases 56 and following up the work of research databases
in Sweden.
b. Modification to the processing authorisation procedure applying to

research in the field of health
No major changes to the authorisation procedure in any of the on-going inquiries mentioned in I.B were identified
for this report. The organisation coordinating the quality registers has, however, published guidelines with regards
to the GDPR,57 which mainly concern the administration of quality registers and less the authorisation procedure.
53 See in Swedish SOU 2018:38 pp 245-246.
54 Governmental Report 2017:50 p 38.
55 Governmental Report SOU 2018:38 p 34
56 Governmental Report SOU 2018:38 p 31
57 Available in Swedish at http://kvalitetsregister.se/drivaregister/juridikochregelverk.1946.html
Partners
How will the processing authorisation procedure (if any exists) be affected by the
implementation of the GDPR? Can you describe any such change?
At this stage, no significant changes to the Ethical Review Act are proposed. The Research Data Inquiry Committee
suggests minor changes to the Act regarding references to the GDPR instead of the current Personal Data Act. 58
According to the final report SOU 2018:38, however, the Committee finds that changes to the ethical review
procedure should be investigated. The Committee believes that not all processing requires a full ethical review, as
current ethical review requirements also cover processing of personal data that can generally be regarded as less of
a risk for the individual.59
Another inquiry, SOU 2017:104 Etikprövning – en översyn av reglerna om forskning och hälso- och sjukvård, has
examined the Ethical Review Act from a more general perspective and has not focused on the GDPR. The inquiry
suggests certain changes in order to make the Act clearer and easier to follow; for example, the inquiry proposes
updating the basic definitions of “research” and “research principal” in order to clarify the scope of the act. 60 In
addition, the inquiry suggests that retrospective ethical review should be possible in some cases; this would apply
where a research activity in Sections 3–5 of the Ethical Review Act relates to health and medical services and a
patient’s life or health would be threatened to await the ethical review. The new rules are suggested to enter into
force on 1 January 2019. Again, the Government Bill has to be awaited in order to see if any significant changes to
the proposal are made.
What about the right of the data subject and the obligations of the controller?
Article 89 (2) GDPR allows Member States to enact derogations from the rights referred to in Articles 15, 16, 18 and
21 subject to the conditions and safeguards referred to in Article 89 (1). The Research Data Inquiry Committee
proposed in its earlier report certain restrictions in the new Research Data Act.
According to SOU 2017:50 the right to restriction of processing (Article 18 GDPR) “shall not apply where the data
subject contests the accuracy of the data during the verification period […] if this means that the research cannot be
carried out or would be crucially delayed or impeded. The same shall apply when the data subject has objected to
processing, pending the verification whether the legitimate grounds of the controller override those of the data
subject.”61
The right to rectification (Article 16 GDPR) shall not apply to personal data that is only preserved to document and
archive research that has already been completed (Section 13 of the new Research Data Act). The right to
rectification shall otherwise apply without derogations. Section 13 is not part of the final proposal in SOU 2018:38.
The Research Data Inquiry Committee also proposes that individuals should be able to contest their personal data
being processed for research purposes. If this option proves to be impossible or involves disproportionate effort, or
58 See in Swedish SOU 2017:50 pp 47-48.
59 SOU 2018:38 pp 28-29.
60 SOU 2017:104 p 31.
61 SOU 2017:50 p 36.
Partners
if the purposes of the research cannot otherwise be attained, the data may nevertheless be processed (Section 9 of
the new Act).62 Section 9 is not mentioned in the final proposal in SOU 2018:38.
The final report SOU 2018:38 does, however, stipulate technical and organisational security measures in Chapter 3
and introduces an obligation for the controller to assign resources for information security.
Further processing for research purposes under the GDPR

The notion of further processing under the GDPR:
The Research Data Inquiry Committee points out that the current Personal Data Act may need clarification in relation
to further processing for research purposes. According to the Committee, it is not clear if a new legal basis is needed
for further processing, particularly in cases where the data was originally gathered through consent. 63 It is currently
unclear whether any changes will be made in this regard, however, as the Committee concludes that further
processing for research purposes can be understood as compatible with the original processing.
A new controller, however, “must have their own legal basis for their processing for research purposes once the
personal data has been transferred to them. This means that research actors that collect personal data for research
purposes that was previously collected for other purposes, for example, by another agency, must cite a legal basis
under Article 6(1) for the new processing. Such a legal basis may be research carried out in the public interest under
Article 6(1)(e) GDPR.”64
The Committee views that it is in line with Article 9 (2)(a) GDPR to process sensitive personal data for research
purposes with consent as the legal basis if consent exists together with ethical approval in accordance with the
Ethical Review Act.65
How to measure the compatibility of purpose of the further processing:
Neither the general inquiry for a new Data Act (Prop 2017/18:105, Ny dataskyddslag) nor the Research Data Inquiry
Committee discuss compatibility in detail. The Research Data Inquiry Committee does however consider that
research is generally compatible with the original purpose.
62 SOU 2017:50 p 38.
63 SOU 2017:50 pp 32-33.
64 SOU 2017:50 p 33.
65 SOU 2017:50 p 33.
Partners
The Research Data Inquiry Committee also discusses compatibility with regards to more specific laws, such as the
LifeGene Act, and comes to the conclusion that only the purposes stated in the specific Act can be deemed
compatible.66
The particularities of scientific research: a presumption of purpose compatibility
The Committee interprets Article 6 (1) GDPR to mean that further processing for research purposes by the same
data controller does not need a new legal basis. It is enough that the original data collection was based on a legal
ground according to Article 6 (1).
When it comes to sharing personal data for research purposes with another data controller the “new” processing
shall be considered compatible as long as the purpose is research. The “new” data controller, however, has to state
a legal ground according to Article 6 (1) for the “new” processing. Such a legal ground can be public interest according
to Article 6 (1) (e).67
The Research Data Inquiry Committee proposes that further processing of personal data for research purposes by
the same data controller shall be considered compatible with the original purpose even if the data was collected
based on consent by the data subject.
If the original data collection was based on consent, further processing of personal data for research purposes should
generally be covered by obtaining new consent, irrespective of whether this is carried out by the same or a new
controller. This should apply irrespective of the wording of Article 5 (1)(b) second sentence if it is possible in practical
terms and not inappropriate on ethical grounds. In other words, the Research Data Inquiry Committee proposes that
further processing of personal data for research purposes should require asking for consent again, if the original
processing was based on consent. This is irrelevant of whether the processing is carried out by the same data
controller or a new data controller.68
The data controller is, in all cases, advised to follow the Council of Europe Recommendation No. R (83)10. 69
Given the regime applied to further processing in the GDPR, can you describe the
consequences, if any, in your national legal framework?
As most of the inquiries only reached the stage of Governmental Reports, the actual consequences are not clear at
the moment. There is still a possibility that the Government Bills will introduce some changes, and as such the
consequences are not easy to predict. However, the only substantial amendment currently proposed is to introduce
a specific Research Act, meaning that the practical consequences are limited in nature. Further processing for
66
SOU 2017:50 p 390.
67 SOU 2017:50 pp 146-147.
68 SOU 2017:50 pp 182-183.
69RECOMMENDATION No. R (83)10 OF THE COMMITTEE OF MINISTERS TO MEMBER STATES ON THE PROTECTION OF PERSONAL DATA USED FOR
SCIENTIFIC RESEARCH AND STATISTICS' (Adopted by the Committee of Ministers on 23 September 1983 at the 362nd meeting of the Ministers'
Deputies), https://search.coe.int/cm/Pages/result_details.aspx?ObjectID=09000016804bc647
Partners
research purposes is considered within the scope of the new framework, as it is already today in the Personal Data
Act.
Update August 2018: Though most of the general reports have now been enacted, e.g. the Data Protection Act was
enacted in May, the more relevant legislation for this report – the Research Data Act – has not yet reached the
government bill stage. It seems, however, that the changes will not be substantial, as the focus is on the ethical
review procedure. These changes may facilitate access to research databases but also decrease the predictability of
the conditions for the approval, as much discretion is left to the ethical vetting boards.
Health data sources for research purposes

a. Sources of data and their regulation
Does your national framework contain specific provisions for anonymised or pseudonymised
health data?
According to Chapter 7 Section 8 Patient Data Act an individual’s personal identity number (in Swedish
personnummer) or name may only be used in the quality registers if coded personal data, i.e. pseudonymised data,
is not sufficient for the purpose of the processing.
According to Chapter 4 Section 4 Biobank Act tissue samples that are shared shall be depersonalised 70 or coded. The
code keys shall be stored with the healthcare provider that collected the data initially and that stores the tissue
samples in a biobank. Code keys shall be stored securely. The usage of code keys can be viewed as an example of
pseudonymisation.71
The Research Data Inquiry proposes a provision in the new Research Data Act stipulating that personal data must be
pseudonymised or protected in an equivalent manner when processed for research purposes provided that the
purpose can be attained by doing so. 72
What are the different sources of health data that can be used for research purposes?
• DIRECT COLLECTION FROM PATIENTS:
70 The Swedish wording is avidentifierade which is not a synonym for anonymised.
71 Compare also SOU 2017:50 p 263.
72 SOU 2017:50 p 38 and SOU 2018:38 p 43 proposal for Chapter 5 Section 2 Research Data Act.
Partners
Under the current legal framework: please explain the currently applying rules that a
researcher, who intends to collect health data directly from individuals (e.g. via a survey, or
by asking patients to wear a monitoring device, etc.), should follow.
The main applicable legislation in this case is the Ethical Review Act with the requirements of application for
approval. In addition, all individuals must receive information regarding the research, and the type of data processing
the research will involve, for a valid consent to be granted.
Depending on which data is being collected some of the other Acts mentioned in Chapter I.A. can be applicable as
well, e.g. the Biobank Act.
Any processing of personal data has to follow the Personal Data Act. To the extent the research involves patient
care, the Patient Data Act applies instead.
Under the revised legal framework: will the currently existing procedures and rules change in
view of the implementation of the GDPR in your country?
Based on the current on-going governmental inquiries no substantial changes are being proposed with regards to
the GDPR. One of the main proposals in SOU 2017:50 is that research can be based on the legal grounds of public
interest according to Article 6 (1)(e) GDPR and that the newly proposed Research Data Act should serve as the legal
basis for both public and private research actors. 73 According Section 6 in the new Act (mentioned in SOU 2017:50),
which refers to Article 6 (1)(e) GDPR, personal data can be processed for research purposes if the processing is
necessary and proportional for conducting research of public interest. Research of public interest can be carried out
by public authorities, municipalities, counties, other legal persons and individual companies. SOU 2018:38 proposes
in Chapter 2 Section 3 that personal data may be processed in a research database if it was approved by ethical
review and the research actor has secured financing for the database. The Act does not mention research, mainly
focusing on rules for research databases rather than specific research projects.
Otherwise no changes in procedure are currently proposed, so focus lies still on the ethical review.
• COLLECTION FROM HEALTH PROFESSIONALS AND HEALTH INSTITUTIONS
Under the current legal framework: please explain the rules currently applying that a
researcher, who intends to obtain health data from medical staff, hospitals, etc., should
follow.
A variety of quality register exist today in Sweden 74 and the providers of these registers may share data provided
certain conditions are fulfilled. In order to access data a researcher has to contact the register itself, the National
73 SOU 2017:50 p 151.
74 A full list is available in English at http://kvalitetsregister.se/englishpages/findaregistry.2027.html
Partners
Board of Health and Welfare (Socialstyrelsen) and apply for permission to conduct research with the Ethical Review
Board.
A quick guide for researchers to quality registry data disclosure is available in English at
http://kvalitetsregister.se/englishpages/useregistrydatainyourresearch/quickguideforresearchers.2409.html. A
more detailed overview can be found in English at
http://kvalitetsregister.se/englishpages/useregistrydatainyourresearch/guidanceondisclosureofregistrydata.2410.
html.
In addition, biobank providers may share data from their biobanks according to the Biobank Act. The
recommendation by Biobank Sweden for release of samples and personal data for research proposes the following
requirements:
1. The research subject must have consented for the sample to be used for the purpose in question. For
research, explicit and specific consent is required for the specific research study. The Ethics Review Board
may allow exemptions from the information and consent requirement, however.
2. Enough material must be left for diagnosis and treatment.
3. Existing contracts and regulations for the biobank must be respected
4. The research study must have been approved by the Ethical Review Board. The approval includes use of
samples as well as personal data.
5. If the release concerns an existing research related biobank, coordination with the researcher of the existing
biobank is recommended.
6. Biobanks should be shared with other researchers in order to stimulate further cooperation. 75
None of the on-going inquiries (see I.B.) propose substantial changes in the existing procedure. The above mentioned
Research Data Inquiry Committee proposes, however, in SOU 2018:38 that the ethical review procedures should be
further investigated as not all processing of personal data necessarily requires a full ethical review. 76
• PRIVATE DATABASES
Under the current legal framework: please explain the rules currently applying for the setting
up of and the use of a private database with health data for research purposes.
75Biobank Sweden, Principer för tillgång till biobanksprov och personuppgifter för forskning, 24 January 2018, http://biobanksverige.se/wp-
content/uploads/k1-principer-tillgang-till-biobanksprov-51.pdf, p 15.
76 See above p 15-16.
Partners
From a Swedish point of view, there is no clear-cut distinction between private and public, but rather between
quality registers and biobanks. Databases falling within the definition of a quality register can only be administered
by public authorities, according to Chapter 7 Section 7 Patient Data Act. Biobanks, however, can be established by
private entities. Creating a private database containing health data is not prohibited as such. An application is,
however, necessary in accordance with the Ethical Review Act.
According to Chapter 3 Section 1 Biobank Act (Consent and Information) tissue samples may only be collected and
stored in a biobank if the research subject has consented after receiving information on the aim and purpose of the
biobank. Chapter 3 Section 5 further states that if research or clinical trials involves a new purpose the Ethical Review
Board has to approve the new purpose and also decide the requirements for information and consent of the
individual. This also reflects Section 15 of the Ethical Review Act.
If samples are released from a biobank (see above), the receiver of the samples becomes responsible for a secondary
biobank which must not be shared with anybody else. 77 The only exception to this rule is Chapter 4 Section 5 Biobank
Act which allows tissue samples to be sent to another healthcare provider for analysis and samples to be sent to
another unit for research. In both cases samples may be sent abroad, though the specimens shall be coded at all
times and destroyed if no longer needed for the original purpose.
The on-going inquiries do not suggest any substantial changes for the conditions applying to private databases. The
SOU 2017:50 does, however, propose that personal data be pseudonymised or protected in an equivalent manner
when processed for research purposes provided that the purpose can be attained by doing so (Section 8 of the new
Research Data Act).
• PUBLIC DATABASES
Under the current legal framework: do public authorities make available health data for
research purposes in your country and under what conditions?
As mentioned in I.A., quality registers have been established in Sweden for a time. There are around 100 quality
registers, containing data on health problems, diagnoses, treatment and results. 78 Following an application to a
provider of a specific register, an application to and vetting procedure by the Ethical Review Board and contact with
the National Board of Health and Welfare (Socialstyrelsen)79, researchers can receive access to this data.
Quality registers do not require consent of the patient, but are based on an opt-out model. Chapter 7 Section 3
Patient Data Act does, however, stipulate that the data subject has to be informed about the processing. Chapter 7
77Biobank Sweden, Principer för tillgång till biobanksprov och personuppgifter för forskning, 24 January 2018, http://biobanksverige.se/wp-
content/uploads/k1-principer-tillgang-till-biobanksprov-51.pdf, at 14.
78 A list is available in English at http://www.kvalitetsregister.se/englishpages/findaregistry/allswedishqualityregistries.2028.html
79 A quick guide for researchers to quality registry data disclosure is available in English at
http://kvalitetsregister.se/englishpages/useregistrydatainyourresearch/quickguideforresearchers.2409.html. A more detailed overview can be
found in English at http://kvalitetsregister.se/englishpages/useregistrydatainyourresearch/guidanceondisclosureofregistrydata.2410.html.
Partners
Section 2 Patient Data Act states that personal data may not be processed in a quality register if the individual
opposes the processing. As only pubic authorities are allowed to administer quality registers, the data is protected
by the Public Access to Information and Secrecy Act, as mentioned in II.C.
The on-going inquiries do not suggest any substantial changes to the rules applicable to the use of public databases.
The Government Bill Prop. 2017/18:171 proposes only small amendments in the wording of the provisions in Chapter
7 Section 8 Patient Data Act: sensitive personal data may be processed based on Article 9 (2) (h) GDPR under the
condition that the requirement of confidentiality in Article 9 (3) is met. The changes have not been enacted yet,
however.
In general, the proposed changes in the Government Bill are not substantial. The organisation coordinating all quality
registers has, however, published guidelines on the GDPR implementation 80, specifically with regards to the
obligations of the data controllers, and detailing the different requirements of the GDPR. The changes affect
primarily the providers of quality registers in their daily processing and administering of the registers.
b. Application of the national framework to the AEGLE cases
In the AEGLE project, the “research objective is to establish the use of Big data analysis in the prediction of outcomes
in three working scenarios: Chronic Lymphotic Leukemia (CLL), Intensive Care Units and type 2 diabetes for the
prediction of adverse outcomes. The research methodology is Big Data analysis to establish predictive values that
may apply in three clinical scenarios and to see if this can be generalised to other healthcare disease models”. 81
To achieve its objective, the AEGLE project must base its approach on the study, and thus the processing, of data
concerning health. This section aims to address each of the three proposed AEGLE cases, and to determine the
requirements in general terms for access and the processes relevant to data under the Directive (the current
framework) and the GDPR.
1. Type 2 diabetes
The AEGLE project uses, after pseudonymisation, existing databases with health data collected from patients who
expressed their consent to their data being used for research purposes.
80 In Swedish at http://www.kvalitetsregister.se/drivaregister/juridikochregelverk.1946.html
81 AEGLE Grant Agreement, Annex 1, p. 83.
Partners
One of the Swedish quality registers contains health data on type 2 diabetes. 82 The general rules of access to quality
registers apply to access this data. A researcher needs to contact the registry itself, the National Board of Health and
Welfare (Socialstyrelsen) and apply for permission to conduct research with the Ethical Review Board. 83 The
application procedure for approval must be undertaken in accordance with the Ethical Review Act.
The application to the specific registry must be made in accordance with their own guidelines. 84 There is no legal
right of access to registry data, even for researchers, rather access is dependent on approval from both the Ethical
Review Board and the quality registry.
As such activity involves processing of sensitive data, the rules of the Personal Data Act apply. In addition, the Public
Access to Information and Secrecy Act applies to the registers. In the event the researcher accessing the data is not
a public authority and therefore not bound by the Public Access to Information and Secrecy Act, confidentiality
clauses are required.
Following the enactment of the GDPR, the procedure as such will remain unchanged. However, it may be possible
for private researchers to claim a public interest as a legal ground for processing data if the proposed Research Data
Act is implemented in its current form. Pseudonymisation will be explicitly required according to Section 8 of the
new Research Data Act. In addition, a data protection officer will be required according to Article 37 GDPR and the
supervisory authority needs to be provided with this information.
2. Intensive Care Unit (ICU)
AEGLE uses data generated by ICU devices without collecting the patient’s consent (after pseudonymisation).
The National Quality Registry for Intensive Care (SIR) contains data on diagnoses, interventions, inpatient care,
patient-reported health effects, and follow-ups from intensive care units.85 The same rules regarding access to
quality registry data apply, as for type 2 diabetes above.
A researcher needs to contact the registry itself, the National Board of Health and Welfare (Socialstyrelsen) and
apply for permission to conduct research with the Ethical Review Board. 86 The application procedure for approval
must be undertaken in accordance with the Ethical Review Act.
82 See more in English at

http://www.kvalitetsregister.se/englishpages/findaregistry/registerarkivenglish/nationalqualityregistryfordiabetesndrwithswediabkids.2161.ht
ml and the registry website https://www.ndr.nu/#/english
83 See for an overview in English

84 The application for the diabetes quality registers is available in Swedish at https://www.ndr.nu/pdfs/ansokan_utlamnande_forskning.doc
85 See an overview in English at

http://kvalitetsregister.se/englishpages/findaregistry/registerarkivenglish/nationalqualityregistryforintensivecaresir.2175.html and the website
of the registry http://www.icuregswe.org/en/
86 See for an overview in English

Partners
The application to the specific registry must be made in accordance with their own guidelines. 87 There is no legal
right of access to registry data, even for researchers, rather access is dependent on approval from both the Ethical
Review Board and the quality registry.
As such activity involves processing of sensitive data, the rules of the Personal Data Act apply. In addition, the Public
Access to Information and Secrecy Act applies to the registers. In the event the researcher accessing the data is not
a public authority and therefore not bound by the Public Access to Information and Secrecy Act, confidentiality
clauses are required.
Following the enactment of the GDPR, the procedure as such will remain unchanged. However, it may be possible
for private researchers to claim a public interest as a legal ground for processing data if the proposed Research Data
Act is implemented in its current form. Pseudonymisation will be explicitly required according to Section 8 of the
new Research Data Act. In addition, a data protection officer will be required according to Article 37 GDPR and the
supervisory authority needs to be provided with this information.
3. Chronic Lymphocytic Leukaemia (CLL)
The AEGLE project re-uses, after pseudonymisation, data coming from biobanks. In this instance, patients have given
their informed consent for the samples and for the processing of their data. But this consent was given in general
terms and not specifically for AEGLE.
The rules for biobanks are both established in the Biobank Act and the guidelines of a specific biobank. Biobank
Sweden recommends for biobanks to be clear when collecting data to what extent future research projects are
encompassed. For example, it recommends that consent for further research be limited to a particular type of illness
and apply for a certain period of time. Depending on the phrasing of the original consent form, AEGLE research may
or may not be encompassed. A new ethical vetting procedure is in any case required and the Ethical Review Board
may decide that additional consent is required for the research to take place.
In general, access to biobank data requires88
• approval from the Ethical Review Board
• the fulfilment of any conditions of the ethical approval
• consent and information provided to the patient
• established routines and responsibility for coding/pseudonymisation
• a valid contract with the biobank
87 Application forms are available in Swedish at http://www.icuregswe.org/sv/Om-SIR/FoU-ansokningar/
88 Information in Swedish available at http://biobanksverige.se/forskning/tillgang-till-prov-for-forskning/
Partners
There is also a relevant quality register in Sweden, the National Quality Registry for Leukaemia89 which includes CLL.
In this case, the same procedure applies as to any other quality register in Sweden, 90 see scenarios 1 and 2 above.
Note:
While AEGLE has to apply to the different registries for access to the data, it might be possible to file one application
to the Ethical Review Board. This is dependent on the scope of the project and may be possible where the application
concerns different parts of the same research project. Approval from the Ethical Review Board is in all cases required
to then apply to the specific registries or biobanks, and is therefore the first recommended step.
89 http://www.kvalitetsregister.se/englishpages/findaregistry/registerarkivenglish/nationalqualityregistryforleukaemia.2116.html and the

registry’s website in Swedish https://www.cancercentrum.se/samverkan/cancerdiagnoser/blod-lymfom-myelom/
90 Some information in Swedish is available at https://www.cancercentrum.se/samverkan/cancerdiagnoser/blod-lymfom-myelom/kronisk-

lymfatisk-leukemi-kll/kvalitetsregister/. The principles for access are available in Swedish at
https://www.cancercentrum.se/globalassets/cancerdiagnoser/blod-lymfom-myelom/rcc-styrdok_hematologi_160311.pdf
Partners

Pilot SV Legal FWK

Uploaded by

Copyright:

Available Formats

Pilot SV Legal FWK

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Pilot SV Legal FWK

Uploaded by

Copyright:

Available Formats

'Big data analytics' and processing of

health data for scientific research

AEGLE in your country Page 2 of 29

Overview of the legal framework

3 An English translation is available at https://www.epn.se/en/start/regulations/

AEGLE in your country Page 3 of 29

Main legislation on databases containing health data

5 A list is available in English at http://www.kvalitetsregister.se/englishpages/findaregistry/allswedishqualityregistries.2028.html

7 Information in English available at http://www.socialstyrelsen.se/register/halsodataregister/patientregistret/inenglish

8 more information in Swedish at http://www.socialstyrelsen.se/register and a shorter overview at http://www.socialstyrelsen.se/statistics

9 A detailed overview of the application process is available in English at

AEGLE in your country Page 4 of 29

Legislation concerning human tissue

12More information in English at Biobank Sweden http://biobanksverige.se/research/basic-information-in-english/ Biobank Sweden (former

15 An unofficial translation is available at http://www.smer.se/news/the-genetic-integrity-act-2006351/

AEGLE in your country Page 5 of 29

Acts with Specific Purposes

b. Revision of the current legal framework under the GDPR

17 The report with an English summary is available at www.regeringen.se/rattsdokument/statens-offentliga-utredningar/2017/06/sou-201750/

18The report with an English summary is available at www.regeringen.se/rattsliga-dokument/statens-offentliga-utredningar/2018/06/sou-

19 The report with an English summary is available at www.regeringen.se/rattsdokument/statens-offentliga-utredningar/2018/01/sou-20184/

AEGLE in your country Page 6 of 29

c. The national data processing authority

22 Available in Swedish at www.regeringen.se/rattsdokument/proposition/2018/02/prop .-201718105/

AEGLE in your country Page 7 of 29

Transposition of Article 8.4 of Directive 95/46

26 SOU 2017:50 pp 36-37 and SOU 2018:38 p 31.

AEGLE in your country Page 8 of 29

a. Transposition of Article 8.4 of Directive 95/46

30 Governmental Report 1997:39 p. 215-216; Government Bill 1997/98:44 p.44

31 Governmental Report 1997:39 p. 220; Government Bill 1997/98:44 p.47-48

AEGLE in your country Page 9 of 29

b. The regime applying to the processing of personal data for health

32 See Government Bill 1997/98:44 p.68.

AEGLE in your country Page 10 of 29

c. Are there additional specific conditions governing the processing of data

34 Available in Swedish at https://www.datainspektionen.se/Documents/faktabroschyr-allmannarad-sakerhet.pdf.

35 Government Bill 1997/98:44 p.119-120.

AEGLE in your country Page 11 of 29

37 Government Bill 1997/98:44 p.120.

38 Government Bill 1997/98:44 p.69

39 See Government Bill 1997/98:44 p.71.

40 See further Government Bill 2002/03:50 p. 173.

AEGLE in your country Page 12 of 29

Deceased data subjects

41 Governmental Report 2017:50 p.274. See Chapter 6 Section 12 PSL.

42 Governmental Report 2018:4 p. 111.

AEGLE in your country Page 13 of 29

Minors and persons subject to guardianship

43 SOU 2018:38 pp 35.

44 Section 38 Ethical Review Act.

AEGLE in your country Page 14 of 29

d. Formalities prior to processing: the general regime under the current

45 Section 49 Personal Data Act.

47 Chapter 6 Section 2 Biobank Act.

AEGLE in your country Page 15 of 29

Further processing of health data (for research purposes): the

50 Section 25 (1) Personal Data Act.

51 Section 25 (2) Personal Data Act.