EL3: Swedish legislation

Laws and regulation

Literature

Examination

The Swedish legal system will only be examined during the seminar ES1 (not in the DISA exam). You are allowed to use the sources during the seminar (no need to memorize individual laws and paragraphs by names and numbers). Nevertheless, read the literature before the seminar!

Background to Swedish law

  • Fundamental laws (“grundlagar”) decided by the parliament but stable over time
    • A sort of codified constitution distributed in four parts
    • The Freedom of the Press Act (Tryckfrihetsförordningen) of relevance
  • Ordinary laws (parliament)
    • New ones all the time (previously twice a year)
    • New laws to update existing laws
  • Published in Svensk författningssamling, SFS
    • Digitally since 2018-04-01 (previously printed)
    • The “big blue book” is only a smaller collection of important laws
  • Ordinances (“förordning”) from the government to implement laws
  • Regulations (“föreskrifter”) from authorities to implement laws and ordinances

Two main branches of law

  • Civil and criminal law:
    • State what you cannot do (everything else is “legal”)
    • Handled by ordinary courts
    • E.g., the Swedish Penal Code (Brottsbalken), Chapter 20, on offences relating to public office (tjänstefel m.m.)
  • Public law: relationship between individuals and the state etc.
    • States what the public authorities must and can do (everything else is “illegal”)
    • Handled by administrative courts
    • What we mostly care about here

The principle of freedom vs. the principle of legality

Private actors are generally free unless restricted by law, while public authorities require explicit legal authority to act.

Fundamental law

The Freedom of the Press Act (TF)

(🇸🇪: Tryckfrihetsförordningen)

  • World’s oldest freedom of the press law (since 1766)
  • Chapter 2: Public access to official documents
  • Applies to public authorities and institutions
    • Including health care registers and medical records held by public authorities

In order to promote a free exchange of opinion, comprehensive and pluralistic information, and free artistic creation, everyone shall have the right of access to official documents. [TF 2.1]

But there are exceptions (TF 2.2):

  • e.g., if disclosure would violate privacy or national security
  • if so, the government has the right to provide ordinary laws that restrict access (which they do!)

Confidentiality

The Public Access to Information and Secrecy Act (OSL)

(🇸🇪: Offentlighets- och sekretesslagen)

  • Law that regulates public access to official documents and confidentiality
  • Applies to public authorities and institutions
  • Defines what information is considered confidential and under what circumstances

OSL Chapter 21

Confidentiality for private individuals’ personal circumstances no matter the context

  • E.g., health data, economic circumstances, family relations

OSL 21.1: Secrecy applies to information concerning an individual’s health or sexual life, such as information about illnesses, substance abuse, sexual orientation, gender reassignment, sexual offenses, or other similar information, if it can be assumed that disclosure of the information would cause significant harm to the individual or to someone closely related to them.

OSL Chapter 24

Secrecy for the protection of individuals in research and statistics.

  • A few special research databases etc
  • Some regulations for research ethics boards

OSL Chapter 25

Secrecy for the protection of individuals in activities relating to health and medical care etc.

OSL 25.1: Within the health and medical care services, secrecy applies to information concerning an individual’s state of health or other personal circumstances, unless it is clear that the information may be disclosed without causing harm to the individual or to someone closely related to them. The same applies to other medical activities, such as forensic medical and forensic psychiatric examinations, insemination, in vitro fertilization, abortion, sterilization, circumcision, and measures to prevent communicable diseases.

  • Exceptions exist, for example:
    • to submit medical patient data to quality registers
    • to share data between public organizations for research purposes or statistics (OSL 25.11 p. 5).

OSL Chapter 10

Provisions on disclosure overriding secrecy and provisions on exemptions from secrecy

OSL 10.28: Secrecy does not prevent information from being disclosed to another authority where a duty to provide information follows from an act or an ordinance.

  • This would apply to data sharing for research purposes when there is a legal basis for that

Health care data

The Patient Data Act (PDL)

(🇸🇪: Patientdatalagen)

  • Regulates the processing of personal data within health and medical care in Sweden.
  • Applies to healthcare providers (public and private).
  • Main objectives:
    • Protect patient privacy
    • Ensure safe and effective healthcare
    • Enable secondary use of health data under strict conditions

Chapter 7 PDL

National and regional quality registers

Opt-out for patients (everyone is included by default until they opt out)

PDL 7.4: Personal data in national and regional quality registers may be processed for the purpose of systematically and continuously developing and ensuring the quality of healthcare.

PDL 7.5: Personal data processed for the purposes set out in Section 4 may also be processed for the purposes of

  • the production of statistics,
  • estimating numbers for the planning of clinical research,
  • research within health and medical care,
  • disclosure to a party that will use the data for purposes referred to in Sections 1 and 3 or in Section 4, and

The Health Data Registers Act

(🇸🇪: Lag om hälsodataregister [SFS 1998:543])

This law regulates health data registers outside the health and medical care system. A new law is being proposed to replace this one.

§ 1: A central administrative authority within the health care sector may carry out automated processing of personal data in health data registers. The central administrative authority that carries out the processing of personal data is the controller.

§ 3: Personal data in a health data register may be processed for the following purposes:

  • the production of statistics,
  • follow-up, evaluation and quality assurance of health and medical care, and
  • research and epidemiological studies

Specific registers

| Register (Swedish) | Register (English) | Governing act / ordinance |
| --- | --- | --- |
| Folkbokföringen | Population Register | Population Registration Act (1991:481); Population Registration Ordinance (1991:749) |
| Totalbefolkningsregistret (RTB) | Total Population Register | Official Statistics Act (2001:99); Official Statistics Ordinance (2001:100) |
| Nationella patientregistret | National Patient Register | Health Data Act (1998:543); Ordinance on the National Patient Register (2001:707) |
| Cancerregistret | Swedish Cancer Register | Health Data Act (1998:543); Cancer Register Ordinance (2001:709) |
| Dödsorsaksregistret | Cause of Death Register | Health Data Act (1998:543); Cause of Death Register Ordinance (2001:709) |
| Läkemedelsregistret | Prescribed Drug Register | Act on the Prescribed Drug Register (2005:258); Ordinance (2005:363) |
| Medicinska födelseregistret | Medical Birth Register | Health Data Act (1998:543); Medical Birth Register Ordinance (2001:708) |
| Tandhälsoregistret | Dental Health Register | Health Data Act (1998:543); Dental Health Register Ordinance (2008:194) |

Other legislation

The Archives Data Act (ADL)

(🇸🇪: Arkivdatalagen)

  • Regulates the management of public records and archives
  • Applies to public authorities and institutions
  • Different authorities then have different rules for how long data must be kept
    • For example research data is often required to be kept for at least 10 (or 25) years

GDPR and Swedish law

  • GDPR is directly applicable in Sweden
  • There are references to GDPR in Swedish laws such as PDL and OSL
  • Swedish laws may provide additional regulations and requirements beyond GDPR
  • Data protection authorities in Sweden: Integritetsskyddsmyndigheten (IMY)
  • Should be easy to collaborate across EU borders due to GDPR, but more difficult with non-EU countries

Statistics and research?

  • A statistical purpose refers to the production of aggregated information describing groups or populations (e.g. summary tables or prevalence estimates), and does not include analyses or decisions concerning identifiable individuals (e.g. individual predictions or case assessments).

    • Does not require particular statistical methods etc
  • Research refers to systematic activities aimed at generating new, generalisable knowledge, and excludes activities focused on individual decisions, control, or routine administration.

The Ethical Review Act (EPL)

(🇸🇪: Etikprövningslagen)

  • Regulates ethical review of research involving humans (including their data!)
    • Has received some criticism and might be revised
  • Applies to research conducted in Sweden
  • Requires ethical review and approval by the Swedish Ethical Review Authority
  • Aims to protect the rights, safety, and well-being of research participants
  • Based on the Declaration of Helsinki and other international ethical guidelines
  • One application for each new research project
    • Amendments for changes in already approved projects
  • Application fees apply

Access to data

Public, non-sensitive individual information

  • Certain individual data are public by default (e.g. declared income, address).
  • Such information may be accessed upon request from authorities like the Swedish Tax Agency, unless specific secrecy provisions apply.
  • Might still not be used for research without ethical review

Aggregated data (including health data)

  • Aggregated information that cannot be linked to identifiable individuals may often be disclosed.
  • Aggregated health statistics produced through “automated processes” might be disclosed upon request.

Individual-level health data for statistical purposes

  • Access to identifiable health data is possible within authorities conducting statistical activities.
  • This typically requires that the data are used solely for statistical purposes,

Individual-level data via register-holding authorities

  • Identifiable data may be accessed by staff or contractors working on behalf of the authority responsible for the register.

Individual-level data for research

  • Access to identifiable personal or health data for research purposes generally requires:
    • approval under the Ethical Review Act,
    • a lawful basis under GDPR,
    • and a disclosure decision under OSL by the data-holding authority.
  • Data are typically provided under strict conditions (e.g. pseudonymisation, secure environments).

Görman, Ulf. 2024. “Guide to the Ethical Review of Research on Humans.” Uppsala. https://etikprovningsmyndigheten.se/wp-content/uploads/2024/05/Guide-to-the-ethical-review_webb.pdf.

“Public Access and Secrecy | Swedish National Data Service.” 2025. https://snd.se/en/research-data-support/introduction-legal-aspects-research/public-access-and-secrecy.