In order to be allowed to process personal data, the Swedish Personal Data Act requires either that the data subject has given his or her consent, or that the processing is necessary e.g. for research purposes (necessary in the manner stated in Section 10 of the Personal Data Act, implementing Article 7 of the EU Directive 95/46/EC).
Although there are many exceptions to the rule, it is still claimed that personal data may, in principle, be processed only if the data subject gives his or her informed consent. Nevertheless, Rynning (2004) states that the alternative conditions for legitimate processing under Swedish law seem to be treated as open alternatives in the sense that it would, in principle, be acceptable to rely on non-consent alternatives even if consent would be practicable and not inappropriate.
However, regarding the processing of sensitive personal data, the regulations are more restrictive. The general rule in the Personal Data Act stipulates that processing of sensitive personal data is prohibited. One exemption applies if the data subject has given his or her explicit consent. Another exemption is for research purposes, if the processing is approved by an ethical review board under the Ethical Review Act. Additionally, sensitive personal data may be processed for research and statistical purposes without the consent of the data subject, provided the processing is necessary, and the interest of society in the project is manifestly greater than the risk of improper violation of the personal integrity of the data subject (cf. Section 19). If the processing has been approved by an ethical committee, these conditions are considered to be met.
Ethics committees are not required to apply the balancing standard in the Personal Data Act, under which the public interest must clearly outweigh the risk of intrusion into the individual's privacy. However, the balancing principle in the Act functions as guidance for the committee's assessment.
According to the Ethical Review Act, minors aged 15 and over can give legal consent to participate in research (cf. Article 18). The Act requires that data controllers document the consent.
Central Ethical Review Board [online]. Available at: <http://www.epn.se/en/start/startpage/>. [Accessed 25. February 2014].
Data Inspection Board [online]. Available at: <http://www.datainspektionen.se/lagar-och-regler/personuppgiftslagen/fors... [Accessed 14. March 2014].
EU Directive 95/46/EC, 1995. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [online] Available at: <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:e.... [Accessed 14. March 2014].
Ministry of Justice, Personal Data Protection: Information on the Personal Data Act, 2006 [pdf] Available at: <http://www.datainspektionen.se/Documents/faktabroschyr-behandling-ju-eng.... [Accessed 14. March 2014].
Rynning, E., 2004. Processing of Personal Data in Swedish Health Care and Biomedical Research. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, eds. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 381-402.
The Ethical Review Act, 2003. The Act concerning the Ethical Review of Research Involving Humans [pdf] Available at: <http://www.epn.se/media/45159/the_etical_review_act.pdf>. [Accessed 25. February 2014].
The Personal Data Act, 1998 [pdf] Available at: <http://www.government.se/content/1/c6/01/55/42/b451922d.pdf>. [Accessed 25. February 2014].