Diversity in data protection


It is one of the key responsibilities of researchers and the Project Principal Investigators to familiarise themselves with the local laws, rules and ethical requirements for their projects.
When research crosses legal and jurisdictional boundaries researchers should always seek to apply the requirements of the legislation that has the most stringent requirements of the whole project. Where this is unclear, you should obtain advice from your institute, ethical committees or qualified legal professionals.

Since 25 May 2018, the General Data Protection Regulation (GDPR; European Union, 2016a) applies to any researcher who collects data on EU citizens. One of its key aims is to harmonise laws across the EU regarding data protection legislation.

In addition to the GDPR, each EU Member State has rules on data protection and legislation that you have to familiarise yourself with if you collect personal data. Because of this, some Member States have more restrictive data protection legislation than others.


In the tabs below some key national legislation affecting data protection is stated. This is by no means a complete coverage of all the issues.

Informing participants

Under the Finnish Data Protection Act it is a requirement that when personal data are collected or processed for research that participants are informed about the purpose of the research and what will happen to their contribution [Personal Data Act (523/1999), 1999].

Potential participants must have enough information to be able to make an informed choice on whether to partake in the research or not. Before collecting personal data in Finland, researchers must fill in the ‘Description of the scientific research data file’. Ethical review boards usually require this file, and research participants have the right to see it, should they wish to do so. In cases where the personal data are drawn from registers (and no consent has been asked from the participants), the description of the scientific research data file must also be sent to the Office of the Data Protection Ombudsman.

More information and advice can be found at the Finnish Social Science Data Archive (2017a). You can also contact the Office of the Data Protection Ombudsman (n.d.) directly.

Storage of raw research data for at least 10 years

For research conducted in the Netherlands, the raw research data are required to be stored for at least ten years. Additionally, this data must also be made available to other academic practitioners upon request (unless legal provisions dictate otherwise). Researchers who receive a Netherlands Organisation for Scientific Research (NWO) grant are required to disclose data even after ten years.

It is therefore important for researchers working on research projects in the Netherlands or collaborative projects which include research within the Netherlands to consider this in the Data Management Plan (DMP) and their project preparations, so as to ensure that they have a system in place to store the research data for at least ten years.

More information can be found in the Netherlands Code of Conduct for Research Integrity (Association of Universities in the Netherlands, 2018) and Research Data Netherlands (n.d.) which can provide further guidance and advice on this requirement.

Project notification

In Norway, if you are going to process personal data and you work at one of the institutions that have appointed the Norwegian Centre for Research Data (NSD) as their Data Protection Official for Research then you must notify NSD about the research project. If your institution does not have an agreement with NSD, you must either notify your institution’s own Data Protection Official (if they have one) or the Norwegian Data Protection Authority. A notification is not required only if the research project registers anonymous information only. However, you should note that you will still need to notify the NSD if you will be processing personal data during the project, even if the research project will publish anonymous data.

If you are a researcher employed at an institution outside Norway different rules apply: if the data controller (i.e. the responsible institution) is established in an EEA country, it is sufficient to submit a notification of the project to the relevant authorities in the country concerned. If the data controller is located in a country outside the EEA, the notification must be submitted in Norway by a Norwegian institution that undertakes the role of the data controller’s representative.

Further information and advice can be sought from the NSD (n.d.) directly.

Click to see examples of project notifications:

A researcher from the University of St. Andrews is going to conduct interviews with members of the Norwegian government. This will entail collecting their names and tape recordings of the interviews. The project does only need an approval from the appropriate authorities of Scotland.

A researcher employed at the University of Oslo will be conducting research in New Zealand, and the project will entail data collection (interviews and video recordings) among the Maori population. The project must be notified to NSD. The researcher should also check if there are any local regulations in New Zealand that must be followed.

The research project is an international collaboration between two institutions: PUCP (Peru) and the University of Bergen (Norway), and entails collecting personal data in several countries, including Norway. The two institutions have agreed that the Peruvian institution, PUCP, is the data controller. Since Peru is not a part of the EEA, a notification must be made to NSD before collecting data in Norway, and the University of Bergen will have to take the responsibility as the data controller’s representative.

Data protection in Switzerland is both regulated at the federal and the cantonal level. At the federal level, it follows the Federal Act on Data Protection (FADP) (The Federal Council, 2014) and the Ordinance to the Federal Act on Data Protection (OFADP) (The Federal Council, 2012). Besides the FADP, each of the 26 cantons has their own cantonal data protection act. Universities are regulated by cantonal laws.

The FADP is currently under revision and should align with the GDPR. See Finsterwald (2016) for more practical information.

In the UK, there is the Freedom of Information Act and a common-law tort of breach of confidence.

Freedom of Information Act
Researchers who work at a publically funded research institute or university in the UK are subject to the Freedom of Information (FOI) Act 2000. This Act provides members of the public with a right to access information held by UK public sector organisations (e.g. publically funded research institutes and universities). This means that a member of the public may make a request for access to a researcher’s research data.

There have been various examples of research data being requested through the FOI Act. For example, climate change researchers at the University of East Anglia had two such requests made in early 2007. The university initially refused to release data, however after one of the requesters drafted a letter to the ICO alleging that the university was in violation of the FOI Act the university released the requested research data (Booth, 2009).

An FOI request (GOV.UK, n.d.) can come in many forms, but for it to be valid, it must come in a written form, such as an email, letter or fax. An FOI request can also come from anyone, meaning that the requester does not have to have been a participant in the research project. The information needs to be provided unless an exemption or exception allows the researcher not to disclose the information. Researchers must respond within 20 working days of receiving the request and should seek assistance from their university/research institute before disclosing any information. This is particularly important where the FOI request requests access to data which is not that of the requester but is defined as ‘personal data’ under the GDPR of another ‘data subject’.

Researchers working on European projects need to be aware that they will need to comply with the UK FOI Act if there is a UK public research institute or university involved in their research project.

Further guidance on FOI (ICO, n.d.a) can be sought from your research institute/university or the UK’s Information Commissioner’s Office (ICO, n.d.b).

In the UK, there is a common-law tort of breach of confidence. A duty of confidence arises when confidential information comes to the knowledge of a person in circumstances where it would be unfair if it were then to be disclosed to others.

Disclosure of information subject to a duty of confidentiality would constitute a breach of the duty. The duty of confidentiality is not absolute and is not protected by legal privilege, and exceptions occur. For example, where the participant has consented to the information being used in specific ways, for agreed purposes, and by certain people or where a judge requires disclosure.

This applies to information not already in the public domain. If the consent form promises confidentiality, disclosing information unlawful may constitute a breach of confidence.