Overview of access rules on Health Data Registers in Sweden
To conduct research on register data, an approval from the Ethics Review Authority is needed. To get access to data in a National Quality Register an assessment of data secrecy issues must be conducted before data can be released. An assessment of harm, which means that the person responsible for the release of data assesses whether or not the release is of harm for the patient or the patient’s relatives. According to the Publicity and Secrecy Act (2009: 400, OSL) This is done by the central data protection authority (the CPUA authority). When a release of quality registry data from the CPUA authority to researchers takes place, a responsibility is also transferred regarding the handling of data over to the recipient. This means that the data protection regulations rules on IT security and the handling of personal data will also apply to the receiving party (the research principal) and if this is an authority, the Public and Secrecy Act.
Data released from the quality registers and samples from biobanks may only be used for the purpose described in approved decisions by the ethical review authority and consent. A new research question therefore always requires new ethical approval and a new application for access to sample or data.
A summary of the process for accessing data from Swedish Quality Registers .
1. Establish contact with the registry:
- Contact the registrar or a member of the steering committee to confirm if it is possible to use the quality register data for your research.
- Obtain the required application forms and contacts.
2. Contact the national board of health and welfare (national registry service) to:
- Discuss whether or not it would be possible to use their registries for comparison to the national registry data.
- Obtain information on how to apply for data extraction (if not provided by the Registry).
Apply to the Regional Ethical Review Board (EPN):
- Apply for permission to carry out your research with the EPN.
- Clearly define in the application what data may be used and how it will be processed.
- Ensure that a patient information and consent form is available for the project.
- If biobank samples will be included in the research project this needs to be part of the application.
Apply to the registry for data extraction:
- Apply for permission to have the data released from the quality register using the form provided by the registry and/or its personal data holding authority (CPUA).
- If no form is available, use the “Application for registry Data from the Quality Registry for Research Purposes” form available on the Registry Centre Organisations website.
- If data will be obtained from several registers, separate applications must be submitted.
Processing of the application:
- Application is reviewed by a designated representative for CPUA (County council personal data controller). This is typically the registrar and the registry steering committee/research council.
Disclosure approval and agreement drafted:
- A decision on disclosure is made.
- If “Yes” an agreement is drafted which covers terms such as; costs for extraction, what variables will be disclosed, access time, results reporting, archiving and destruction of copies and publications.
Disclosure of data:
- Data release according to agreed terms.
Access to data from quality registers is mainly regulated by these laws:
- Act concerning the Ethical Review of Research Involving Humans (2003:460)
- General Data Protection Regulation (GDPR)
- Publicity and Secrecy Act (2009: 400)
determine how the information can be disclosed. (in Swedish)
- The Patient Data Act (2008: 355).
Useful links when accessing quality registers:
- Quick Guide for researchers to quality registry data disclosure
- Decision on disclosure of data for research
- Application for Registry Data from Quality Registries for Research Purposes
- Publications using data from the quality registry must specify which registry the data is taken from in the methodology section.