Integrity policy – processing of personal data
Introduction and responsibility
The work at IFAU builds on the basic principles of the Swedish Data Protection Act for processing personal data. Personal data is data that concerns an identified or identifiable natural person (the registered). IFAU is the personal data controller and is responsible for personal data being processed in accordance with the current legislation.
When a natural or legal person outside of IFAU processes personal data on behalf of IFAU, a personal data processing agreement is drawn up. The data processor is only allowed to process the data in accordance with the instructions from IFAU and must take the necessary security measures.
Legal grounds for processing data
- Complete a contract with the registered person, for example an employment contract
- Fulfil a legal obligation, for example the Swedish Accounting Act
- Fulfil a task that is of general interest, for example research.
IFAU has a registry of all data processing and thus, the government authority can, in a systematic way, check that all data processing has legal grounds.
Personal data in the daily activities
Employees, temporary employees with a fixed remuneration and self-employed contractors
As an employer, IFAU has the legal right to process personal data on employees, temporary employees with a fixed remuneration and self-employed contractors to the extent that it is necessary in order to fulfil the employment contract or the contract with self-employed contractors.
The name and photograph of employees are published on the website ifau.se. It is voluntary for employees to have their name and photograph on the website.
When an employment is terminated, the personal data that is no longer needed will be erased, such as e-mail accounts and the name on the website. Certain information needs to be kept longer, for example such information that is needed for pension payments.
Recruitment
Personal data that is used in recruitment processes is only available to those individuals working with recruitments. CV, personal letter and other information are erased after two years. The personal data for the individual who becomes employed is kept in accordance with the current rules.
Since IFAU is a government authority, applications that are received will become official documents and can be handed out in accordance with The Swedish Principle of Public Access to Information.
IFAU uses a recruitment firm as a personal data processor in certain recruitment processes. If the firm uses its own methods of work in order to process personal data, it might become the personal data controller for that part of its data processing.
Subscribers, courses and conferences
Personal data (name, address and e-mail) which is submitted in connection with a subscription or placing an order for information material is only kept as long as it is needed for communication and administration. When the subscription ceases, the consent for processing personal data ceases and the personal data is removed.
Personal data which is submitted in connection with registrations for courses and conferences is only kept as long as it is needed for communication and administration. If food and beverages are included, information about food preferences can be processed due to allergies or other preferences.
Contact details and food preferences are erased when they are no longer needed. Information that is enclosed with the invoice is erased when the invoice is erased.
Applicants for research grants
IFAU awards research grants. Personal data included in applications is only used for the processing of research grants at IFAU. Applications that have been granted are kept.
All applications for research grants are entered into the registry and uploaded into the content management system of the government authority. For applications that are not awarded grants, the e-mail and the original application material will be erased in accordance with IFAU’s document management plan. Due to technical limitations, applications that have been uploaded are currently not erased from the content management system.
Since IFAU is a government authority, the applications are official documents. Thus, the personal data might be disclosed in accordance with The Swedish Principle of Public Access to Information.
Social media
IFAU uses social media in order to provide information about activities and research results at the government authority.
Posts and comments on IFAU’s social media might become official documents. Those who are registered should not enter any personal information on the social media of the government authority. IFAU will remove illegal, offensive and threatening comments. For more information, see IFAU’s policy for social media.
IFAU has no influence on how the users’ personal data is handled by the supplier of the platform.
Cookies
The IFAU website uses cookies which might constitute personal data. For more information about how cookies are dealt with, see IFAU’s external website.
Personal data in research
According to the Law (2012:741, revised 2018:261) on Processing of Personal Data at IFAU, IFAU has the right to have data collections in order to be able to fulfil its commitments. This is done in accordance with The Ordinance with Instruction for the Institution for Evaluation of Labour Market and Education Policy (SFS 2007:911, revised 2012:16).
Personal data used in research is subjected to secrecy according to chapter 24 § 8 in the Public Access to Information and Secrecy Act (OSL). The secrecy applies to all research and evaluations that are carried out at IFAU.
Personal data that is processed for research purposes is erased after the project has been completed, in accordance with the document management plan of the government authority. The purpose of the data processing is the research that is carried out within the project and when the project has been completed and the results have been published, the data can no longer be used by the researcher.
In order to be able to scrutinize the research results afterwards, IFAU usually keeps the data 5–10 years after the project has been completed. The data is kept in the local archives of the government authority.
When IFAU makes use of personal data processors for research purposes, for example in surveys or when a government authority provides data, the personal data processors process personal data on behalf of IFAU and in accordance with the instructions from the government authority.
Pseudonymised personal data
The research at IFAU is almost solely based on pseudonymised personal data, i.e. the civic registration number and the name have been replaced by a special serial number. The connection between the serial number and the civic registration number is kept at Statistics Sweden and IFAU does not have access to the key. It is prohibited by law to take any measures to try to find out the identity of specific individuals.
Pseudonymised personal data has been processed since 2014 in three research databases. Extracts from the databases are made to provide a basis for research studies. Only project participants who are mentioned in a project description that has been entered into a registry can get access to data and only to the extent that is required. No researchers or investigators have access to the entire database.
IFAU sometimes orders pseudonymised data from other government authorities within the framework of a specific project. This data cannot be connected to the IFAU databases.
For more information about pseudonymised data, see IFAU’s external website ifau.se.
Collected personal data
IFAU is also allowed to collect data directly from individuals for specific research purposes, for example through surveys. An explicit consent is required when such a survey is made. The respondents must receive information in accordance with the Swedish Data Protection Act so that they can safeguard their rights.
Data that is collected using surveys is always identity specified in the collection phase since the selections are often made using civic registration numbers and the contact details are required when making the collection. When the data no longer needs to be directly connected, it is replaced by a serial number.
In certain cases, IFAU uses personal data processors for data collection.
Sensitive personal data
Research including sensitive personal data is only allowed if it has first been approved by an ethical review board. According to § 7 of the Law on Processing of Personal Data at IFAU, the following categories can be processed at IFAU subject to ethical approval:
- Ethnic origin
- Trade union membership
- Data on health
- Sexual orientation.
Regular storage and erasures
Personal data is cleaned, erased or deidentified on a regular basis. How data is saved depends on the purpose for which it is being processed and on the legal obligations that apply. Personal data is never saved longer than is required. IFAU’s document management plan contains information about the time period that the data should be saved.
Making personal data available
Since IFAU is a government authority, its official documents can be made available in accordance with the Principle of Public Access to Official Documents.
In order to be able to scrutinize research results afterwards, data might be disclosed after a confidentiality review has been carried out.
IFAU is also obliged to disclose personal data to The Swedish Agency for Government Employment, The Swedish Tax Agency, The National Government Employee Pensions Board, Statistics Sweden (SCB), IFAU’s publicly procured bank and The National Government Service Center.
Personal data can also be made available to our contract partners and IT suppliers which are personal data processors and process data on behalf of IFAU and in accordance with instructions from IFAU.
Official documents that are classified as secret are always scrutinized before a decision is made about disclosure. IFAU’s document management plans contain more information about publicity and secrecy.
Safety measures
IFAU takes technical and organisational measures in order to protect its information from unauthorised access, change or destruction.
Data can only be processed by employees who need it in order to perform their work tasks. Employees cannot have access to personal data unless there are relevant reasons.
An individual who is processing personal data is responsible for the processing being in accordance with IFAU’s instructions and the current laws. All data processing must be reported to IFAU’s data protection officer and be registered.
Examples of some security measures:
- Computers and servers are protected against access (for example password protected/coding/permission) so that only authorised people have access to data.
- Project-specific serial numbers (automatically generated when data is extracted from the IFAU databases/generated by Statistics Sweden (SCB) or any other government authority concerned/other action) in order to protect personal integrity.
- Data availability through the IFAU servers only in order to provide protection against unintentional diffusion of data.
- Project-specific amounts of data are usually delivered to IFAU using a file transmission protocol.
- Data collection in accordance with IFAU’s policy and guidelines so that the data processing is done in a correct way.
- Keeping the material locked up (section of shelves in the institute archives or a filing cabinet in the institute local archives).
Registered individuals have rights
Registered individuals have a number of rights according to the Data Protection Act. The rights might be limited due to other legislation, for example the Public Access to Information and Secrecy Act or the Swedish Archives Act.
IFAU will correct or complete personal data which turns out to be incorrect, incomplete or misleading.
The registered individual has the right to object to processing of data that is of general interest. If IFAU cannot prove that there are crucial legitimate reasons for this, the data processing must cease.
It is not possible to object to the processing of pseudonymised data. It is legally prohibited to try to identify data that has been pseudonymised. IFAU does not make any automated decisions, does not use personal data for marketing and does not carry out profiling.
The registered individuals might have the right to have their personal data deleted on legal grounds. However, there might be limiting legal obligations due to which data cannot be deleted immediately.
When IFAU processes personal data in order to fulfil a contract, it is in certain cases possible for the registered person to obtain the personal data in order to use it elsewhere, for example to transfer it to another personal data controller.
Registered individuals can make complaints to the Swedish Authority for Privacy Protection (IMY).
Request for register excerpts
Registered individuals have the right to obtain information about what personal data is processed concerning them. The request is to be made in writing by regular mail or e-mail, including name, civic registration number, mailing address, phone number and e-mail. The request is free of charge.
Please note that this right does not apply to pseudonymised data.
Data protection officer
All government authorities are obliged to appoint a data protection officer. The role of the data protection officer is to check that the Swedish Data Protection Act is adhered to within the organisation. To contact the data protection officer, please write to:
IFAU
Data Protection Officer,
P.O. Box 513, 751 20 Uppsala
E-mail: ifau@ifau.uu.se