Information about personal data in academic publications

Here you can read about the rules for the publication of personal data in academic journals and publications, and the extent to which editors can access personal data for the purpose of verification of source data.

Academic articles and other academic publications are often based on research containing personally identifiable data. This document describes the rules stipulated in the General Data Protection Regulation (GDPR) and in the Danish Data Protection Act for the processing of personal data in connection with publishing academic articles and other academic publications.

Personally identifiable data includes data such as names, addresses, civil registration numbers or photographs that make it possible to identify a particular individual. This data is called ordinary personal data.

Academic work may also include sensitive personal data. Sensitive personal data is defined as information about race or ethnic origin, political, religious or philosophical beliefs or opinions, trade union membership, health, sexual relationships or sexual orientation, and genetic and biometric data processed for the purpose of unique identification. Criminal records and associated classified information are also considered sensitive personal data.

Disclosure of data to the editor for the purpose of verification of source data

Personally identifiable research data may be disclosed to the editor of an academic journal or an academic publication for the purpose of verifying source data. The verification of source data is considered part of the processing for research purposes. In other words, this stage of the publication process is considered part of the research project.

The disclosure of personal data to the editor for the purpose of verifying source data is therefore subject to the same rules governing the processing of personal data in the research project. When personally identifiable data is disclosed, even if it has been pseudonymised, the editor must give a declaration of compliance with the terms for disclosure of personal data at the University of Copenhagen. Pseudonymised data is still considered personal data, even if the editor is not granted access to information that can be linked to the data subjects. If the editor is registered outside of the EU, the project manager must enter into an agreement with the editor that includes the European Commission’s standard provisions for the disclosure of personally identifiable research data.

Personally identifiable research data that is disclosed to the editor of an academic journal or an academic publication for the purposes of verification must be disclosed in pseudonymised form, as far as possible. The editor must delete or return the personal data once it is no longer needed for verification purposes.

The details may only be shared with individuals on the academic journal’s editorial team who are authorised to access the personal data in question. Authorisation may only be granted to individuals who have good reason to process personal data. The individuals concerned must not be authorised to use the data for other, unnecessary purposes. The editor is responsible for making sure that the necessary instructions are given to employees who process personal data.

Publication of anonymous and aggregated personal data

It is legal to publish anonymous personal data. Anonymous personal data is defined as data where it is not – or is no longer – possible to link it to a specific person. Pseudonymised personal data is not considered anonymous if the University of Copenhagen, a data processor or others are in possession of a key that links the data to a participant in a research project.

It is legal to publish aggregated data, i.e. tables or other lists in which a project or sub-project’s results are jointly presented. It must not be possible to identify individuals based on the aggregated data.

Personal data may be published in academic publications and databases with the consent of the individual concerned.

It is legal to publish both ordinary and sensitive personal data in an academic article, an academic publication or in a publicly accessible research database if the individuals in question have given informed and specific consent to use their personal data in the publication or research database concerned.

Ordinary personal data may be published in pseudonymised form without the person’s consent.

It is legal to publish an academic article or other academic publication containing ordinary personal data. It is a condition for the publication of ordinary personal data in an academic article or publication that doing so is a necessary part of a project that is in the public interest. In other words, it must be necessary to publish the personal data in order to convey the results of the project. The personal data must be published in pseudonymised form, as far as possible.

If the academic article or publication contains images of recognisable individuals, then the individuals concerned must be informed of the proposed publication and have the right to object to it. If an individual objects, the image must not be published.

Similarly, it is legal to publish general personal data in publicly accessible databases, provided that the data is pseudonymised and that publication is a necessary part of a project that is in the public interest.

Sensitive personal data may be published in pseudonymised form with the permission of the Danish Data Protection Agency.

As a general rule, it is not legal to publish sensitive, personally identifiable research data in academic publications without the consent of the individual in question.

In some circumstances, however, the Danish Data Protection Agency may grant permission for sensitive, personally identifiable research data to be published in a recognised academic journal. In practice, the Danish Data Protection Agency has granted permission to disclose personal data for publication purposes in journals on the BFI list on the Ministry of Higher Education and Science’s website at level 2 (high level). 

It is not possible to grant permission for the publication of sensitive personal data in journals not included on this list. 

Sensitive personal data may therefore only be published in other journals or publications with the consent of the individual(s) concerned.

The project manager at the University of Copenhagen is responsible for seeking permission to publish personally identifiable research data.

Permission for the disclosure of sensitive personal data for the purpose of peer review of an academic article must be obtained becausethe review is equated with  publication of the article containing pseudonymised personal data.

The Danish Data Protection Agency grants permission for the publication of pseudonymised personal data. The Agency will therefore not grant permission for the publication of personal data, including photographs, in which it is possible to identify individuals.

Permission from the Danish Data Protection Agency is awarded pursuant to Section 10(3), 3 of the Danish Data Protection Act no. 502 of 23 May 2018.

The Danish Data Protection Agency’s permits for the disclosure of sensitive personal data for the purpose of publication in recognised academic journals are published on its website (in Danish only).