The work at IFAU builds on the basic principles of the Swedish Data Protection Act for processing personal data.
IFAU is the personal data controller for processing personal data and is responsible for personal data being processed in accordance with the existing legislation. Each piece of information that concerns an identified or identifiable natural person (the registered person) is considered to be personal data.
Sometimes another natural or juridical person outside IFAU processes personal data on behalf of IFAU. This might, for example, be a government authority, institution or other agency. On these occasions, a written agreement is drawn up between IFAU (the personal data controller) and the other party (the personal data processor). It must be stated in the agreement that the personal data processor is allowed to process the personal data in accordance with the instructions from IFAU and must take the necessary security measures in order to protect the data.
The legal grounds for processing personal data
In order for the data processing at IFAU to be legal, consent must exist or, alternatively, the data processing must be necessary in order to
- Complete a contract with the registered person, for example an employment contract
- Fulfil a legal obligation, for example the Swedish Accounting Act
- Fulfil a task that is of general interest, for example research.
IFAU registers all data processing and thus, the government authority can, in a systematic way, check that all data processing has legal grounds.
How does IFAU process personal data in its daily activities?
Employees, temporary employees with a fixed remuneration and self-employed contractors
As an employer, IFAU has the legal right to process personal data on employees, temporary employees with a fixed remuneration and self-employed contractors to the extent that this is necessary in order to fulfil the employment contract or the contract with self-employed contractors.
Personal data for employees will be erased some time after the employment has been terminated. This applies, for example, to the employee’s e-mail account or information about employees on websites. It might be necessary to keep other kinds of personal data for a longer period of time, for example information that is necessary for the payment of pensions.
Individuals who apply for a job at IFAU
The personal data will only be used at the government authority for recruitment purposes. The data is only available to people who are working with recruitment. CV, personal letter and other information are erased after two years. Personal data on the individual who is hired will be kept.
In certain cases, IFAU will use a recruitment firm and that firm will then become a personal data processor. Sometimes it is the recruitment firm that decides on the working methods and uses a method of its own for processing personal data. In those cases, the firm is the personal data controller for its processing of personal data.
Subscribers and other people who are in contact with IFAU
Personal data (name, address and e-mail) which is submitted in connection with a subscription or when placing an order for information material is only kept as long as required in order to send out the material or deal with the order. When the subscription ceases, the consent for processing personal data and the actual personal data will be removed.
Personal data (name, address and e-mail) which is submitted in connection with registrations for courses and conferences is only kept as long as it is required for the administration of the course or the conference.
Applicants for research grants
IFAU allocates research grants in accordance with the Ordinance with Instructions (SFS 2007:911, revised 2012:16). The personal data that is stated in the application for research grants is only used for the processing of research grants at IFAU. Applications that are awarded research grants will be kept. All applications for research grants are entered into the registry and uploaded into the content management system of the government authority. For those who are not awarded grants, the e-mail and the original application will be erased in accordance with IFAU’s document management plan. Due to technical limitations, applications that have been uploaded are currently not erased from the content management system.
IFAU has accounts at Twitter and LinkedIn in order to distribute information about the activities of the government authority and research results.
What is written on IFAU’s social media might become a public document. Those who are registered should not enter any personal information on the social media of the government authority. IFAU will remove illegal, offensive and threatening comments. Read more at IFAU’s policy for social media.
IFAU has no influence on how the users’ personal data is being dealt with by the supplier of the platform.
How does IFAU deal with personal data for research purposes?
According to the Law (2012:741, revised 2018:261) on Processing of Personal Data at IFAU, IFAU has the right to have data collections in order to be able to fulfil its commitments. This is done in accordance with the Ordinance for Revision of the Ordinance (2007:911) with Instruction for the Institute for Evaluation of Labour Market and Education Policy SFS 2012:16.
The personal data is subject to secrecy according to Chapter 24, Section 8 of the Public Access to Information and Secrecy Act. According to this act, secrecy under Chapter 24, Section 8 applies to all research and evaluations that are carried out at IFAU.
Sometimes, IFAU uses personal data processors, which might be a firm that assists in collecting questionnaires or a government authority that supplies data.
Pseudonymised personal data
The research at IFAU is almost solely based on pseudonymised personal data, i.e. the civic registration number and the name have been replaced by a special serial number. The connection between the serial number and the civic registration number is kept at Statistics Sweden (SCB). IFAU does not have access to the key. It is prohibited by law to take any measures to try to find out the identity of specific individuals. Pseudonymised personal data has been processed since 2014 in three research databases. Extracts from databases are made as a basis for IFAU’s research studies. Only project participants who are stated in a project description that has been entered into the registry can get access to data from the databases. The researcher or the investigator gets access to the part of the data that is needed for the purpose and never gets access to the whole database.
Sometimes IFAU orders pseudonymised data from other government authorities within the framework of a specific project. This data cannot be connected to the IFAU databases.
Collected personal data
IFAU is also allowed to collect data from individuals for specific research purposes, for example questionnaires. In those cases, explicit consent must exist and the respondents must receive information about the processing in accordance with the Swedish Data Protection Act for them to be able to safeguard their rights. Data that is collected using a questionnaire is always identity specified, both because those who are registered are usually selected based on their civic registration number and because identity and contact details are needed during the actual collection. The name and the civic registration number are usually replaced by a serial number when they are no longer needed. IFAU sometimes uses personal data processors in order to collect data.
Sensitive personal data
Research that includes sensitive personal data is only allowed if it has first been approved by an ethical review board. According to Section 7 of the Law on Processing of Personal Data at IFAU, the following sensitive personal data can, after ethical approval, be processed at IFAU:
- Ethnic origin
- Trade union membership
- Data on health
- An individual’s sexual orientation
How long is personal data stored?
Personal data is cleaned, erased or deidentified on a regular basis. The personal data collected by IFAU is processed for different purposes and is thus saved for different periods of time depending on what it is to be used for and what the legal obligations are. However, personal data is never saved for a longer period of time than what is necessary for the purposes for which it is processed.
IFAU’s document management plans contain information about the time period the data should be kept.
When is personal data made available?
IFAU is a government authority. Official documents can be made available to journalists and individuals who ask to get access to official documents in accordance with The Principle of Public Access to Official Documents.
IFAU is also obliged to give personal data to The Swedish Agency for Government Employers, The Swedish Tax Agency, The National Government Employee Pensions Board, Statistics Sweden (SCB), IFAU’s publicly procured bank and The National Government Service Center.
Personal data can also be made available to our contract partners and IT suppliers. In those cases, the IT suppliers are the personal data processors and they process the personal data at the request of IFAU and in accordance with the instructions from IFAU.
Official documents that are classified as secret are scrutinized before a decision is made about disclosure. IFAU’s document management plans contain more information about publicity and secrecy.
What are the safety measures at IFAU?
IFAU takes technical and organisational measures in order to ensure that all information that is processed by IFAU is protected against unauthorized access, change or destruction. Regardless of whether the information is to be kept forever or for a limited period of time, it should be kept in a safe way.
Employees at IFAU are only allowed to process personal data that is necessary for their work tasks. This means, for example, that an employee is not allowed to look at personal data when there is no valid reason. All processing of data must be reported to IFAU’s data protection officer and be registered. An individual who is processing personal data is responsible for the processing being in accordance with IFAU’s instructions and the prevailing laws.
Examples of some security measures:
- Computers and servers that are protected against access (for example protected passwords/coding/permission) so that only people with permission have access to the information.
- Project-specific serial numbers (automatically generated when data is extracted from the IFAU databases/generated by Statistics Sweden (SCB) or any other government authority concerned/other action) in order to protect personal integrity.
- Data availability through the IFAU servers only in order to provide protection against unintentional diffusion of data.
- Project-specific amounts of data are often delivered to IFAU through a file transmission protocol.
- Data collection in accordance with IFAU’s policy and guidelines so that the data processing is done in a correct way.
- Keeping the material locked up (section of shelves in the institute archives or a filing cabinet in the institute local archives).
What are the registered individuals’ rights?
IFAU is responsible for processing the personal data in accordance with the current legislation. Registered individuals have a number of rights according to the Data Protection Act. The rights might be limited due to other legislation, for example the Public Access to Information and Secrecy Act and the Swedish Archives Act.
IFAU will correct or complete personal data which turns out to be incorrect, incomplete or misleading.
When IFAU processes personal data in order to be able to carry out work tasks that are of general interest, the registered individual has the right to object to the data processing at any point in time. If IFAU cannot prove that there are crucial valid reasons for continuing to process the data, IFAU must cease the data processing.
It is not possible to object to the processing of pseudonymised data. It is legally prohibited to try to identify a piece of information that has been pseudonymised. IFAU does not make any automated decisions, does not use personal data for marketing and does not carry out profiling.
Depending on the legal grounds on which the data processing is based, the registered individuals have the right to have their personal data deleted. This means that they have the right to demand that their personal data is removed if it is no longer needed for the purpose for which it has been collected. However, there might be legal requirements due to which IFAU is not immediately allowed to erase this personal data.
If IFAU processes personal data about the registered person in order to fulfil a contract, it is in certain cases possible for the registered person to obtain their personal data in order to use it elsewhere, for example to transfer it to another personal data controller.
The registered individuals have the right to contact the Swedish Authority for Privacy Protection (IMY) with possible complaints concerning the processing of their personal data.
Request for register excerpts
The registered individuals have the right to obtain information about what personal data is registered and processed about them at IFAU. The application must be made in writing (letter or e-mail) with name, civic registration number, mailing address, phone number and e-mail address. The application is free of charge.
Please note that these rights do not apply to pseudonymised data.
IFAU’s Data Protection Officer
All government authorities are obliged to appoint a data protection officer. The role of the data protection officer is to check that the Swedish Data Protection Act is adhered to within the organisation. In order to contact the data protection officer, please write to:
Data protection officer,
P.O. Box 513, 751 20 Uppsala
Or send an e-mail to: