The public right of access to research data – an ethical dilemma?

In several countries, research data can be accessed via open repositories, direct researcher contact or through public agency records under Freedom of Information (FOI) laws, which aim to promote transparency and accountability (Corti et al., 2014; Charlesworth, 2012; Dutoit, 2022; Jubb, 2012; Kriesberg and Acker, 2022; Lucchi, 2017; Luscombe and Walby, 2017; Resnik, 2006; Shelby, 2000; Taylor and Whitton, 2020; Walterscheid, 1989; Wyburn, 2018). FOI legislation frequently covers research materials stored within universities and research institutions, meaning that researchers should be aware that materials stored on institutional premises may fall under FOI legislation. However, studies indicate that many researchers remain unaware of this possibility (Jubb, 2012). While FOI principles facilitate democratic oversight, they also raise concerns about protecting research participants’ privacy and preserving researchers’ control over their data. Notably, research on FOI-based data requests is limited despite its potential implications, especially in contexts such as Sweden, where regulatory frameworks prioritise openness and mandate that research data be archived as public records (RA-FS, 1999:1; Rosengren, 2017).

This article aims to critically compare two distinct cases in order to elucidate the implications of public access principles in the investigation of research misconduct. The first case involves a researcher and a paediatrician who requested access to research data to investigate misconduct, igniting media debate and calls for legal reform. In the second case, misconduct was exposed by whistle-blowers using hospital records, as institutional suppression precluded any discussion of FOI-based data access. These cases illuminate the tension between the democratic benefits of transparency and the challenges of safeguarding privacy.

The research questions guiding this study are:

Sweden represents a particularly intriguing case, as it possesses the world’s oldest FOI legislation, dating back to 1766. Since then, other nations have developed FOI laws that extend to research data. For example, the United Kingdom’s legislation explicitly classifies universities and publicly funded research institutions as public authorities, requiring the disclosure of requested information unless compelling reasons for nondisclosure exist (Jubb, 2012). Research data requests are not limited to Sweden and the UK In one notable instance, Vietnam War veterans sought access to research on the effects of Agent Orange, although the material was only released after significant media and congressional pressure. However, in the United States, data are typically disclosed only when the research is of substantial public interest or implicated in suspected fraud (Shelby, 2000). Additionally, there are cases in which US researchers have chosen to face legal sanctions rather than disclose their data. While these researchers received support from scholars and students, some research subjects expressed frustration that nondisclosure delayed court proceedings (Brajuha and Hallowell, 1986; Scarce, 1994, 1995, 1999).

In Sweden, provisions on confidentiality are exceptions to the constitutionally protected freedom of expression and of information. This means that public records can only be classified as secret if there is a legal basis for it. Secrecy provisions are designed to protect, among other things, national security and the personal or financial circumstances of individuals. There are circumstances when information can be disclosed despite confidentiality protection. For example, authorities can sometimes make an omission with reservations where the individual is imposed an obligation of secrecy and the authority will conduct a so-called test of harm (Österdahl, 2015).

Decisions regarding the disclosure of records are made by the official responsible for the safekeeping of the record (Chapter 6, 3§ of Offentlighets- och sekretesslag, 2009). It means that the researcher should conduct the test of harm. If a request is denied, the applicant has the right to have the matter reviewed by the authority, and the authority’s decision may be appealed (Chapter 6, §7, OSL). Notably, the secrecy designed to protect an individual does not extend to the individual themselves, meaning that each person is entitled to access information pertaining to themselves (Chapter 12, 1§, OSL). Unauthorised access to medical records is regulated in the Swedish Patient Data Act (2008:355) and the Penal Code (1962:700).

Sweden’s prioritisation of openness can be compared to that of its neighbouring country, Denmark. A Danish university was criticised by a newspaper because the university did not want to release unpublished research results. The university stressed the importance of academic freedom and that other records about the relevant research had been disclosed. The head of the department emphasised that they were more than willing to release the data after the research results had been published. According to the Legal Adviser to the Danish Government, the university’s decision is supported by Ombudsman practice (Aarhus University, 2021). A similar perspective to disclosure is illustrated in an Australian case where a draft research report was not released as it was believed that early-stage research should remain confidential while undergoing peer review, as a disclosure could be used to discredit the final research results (Wyburn, 2018).

This can be compared to Sweden, where ongoing research seems to have weaker protection. So-called “intermediate products” are not considered public records in Sweden. But according to Bohlin, who specialises in the right-of-access principle in Sweden, research should not be seen as handling a case, which is important from an administrative law point of view, as it means that research material can become public records before the research project is finished and can thus be requested (Bohlin, 1997). It is important to emphasise that the Swedish principle of public access only guarantees reactive disclosure, meaning authorities are obligated to release information upon request but are not required to proactively publish it (Jonason, 2017).

Previous research has typically focused on how researchers search, generate or interact with various types of data (e.g. Late et al., 2024) or with different research environments (e.g. Rousi et al., 2024), often emphasising the academic library’s role in research data management (e.g. Hackett and Kim, 2024). The empirical literature on the management and extent of FOI requests in research remains sparse, resulting in significant knowledge gaps. Much of the research on FOI lacks empirical data and is based on reflective assumptions. In contrast, there is a rich and expanding discourse on open data. Previous investigations into FOI legislation have examined its application and its role as a methodological tool in research. Proponents of FOI argue that increased public access to research data enhances transparency, enables verification of results and holds researchers accountable, thereby fostering collaboration and potentially accelerating innovation and discovery (Resnik, 2006). Yet, challenges persist. McMillan et al. (2006) illustrate the dilemma faced by industry-funded research, where the imperative to protect commercial interests through secrecy often conflicts with the public good achieved through open dissemination. To mitigate this conflict, they propose that industrial researchers and their companies engage in self-assessment to ensure that research findings are not unduly withheld and are disseminated within reasonable timeframes. As both Hansson and Björkman (2006) and Luscombe and Walby (2017) observe, the restriction of FOI laws to public actors reinforces existing asymmetries between public and private sectors.

Other studies have provided evidence that private companies may have incentives to withhold data that could expose methodological weaknesses or adversely affect profit margins, for instance, when medical products are discovered to have harmful side effects or addictive properties (Jasanoff, 2006; McMillan et al., 2006; Resnik, 2006). Such incidents have contributed to the open data movement, prompting the EU, governmental bodies, and academic journals to mandate or encourage the public accessibility of data generated through publicly funded research (Office of Science and Technology Policy, 2022; Directive 2019/1024, 2019, Article 10). Similar to FOI requests, these initiatives are believed to enhance transparency and expose unethical practices, thereby strengthening the credibility of research outcomes and driving innovation (Martin et al., 2015; Mullainathan and Obermeyer, 2022; Piwowar, 2011; Rani and Buckley, 2012; Resnik, 2006; Roche et al., 2015). Nonetheless, Resnik (2006) contends that such measures do not address situations in which pharmaceutical companies opt not to publish their research, nor do they ensure the release of clinical trial results from private entities.

Edquist (2021) highlights the paradoxical nature of records, arguing that while increased access can expose wrongdoing and enhance accountability, it also risks intruding on individual privacy. This dual nature renders records simultaneously oppressive and emancipatory, reflecting a complex interplay between knowledge and power. He further discusses the concept of ethical destruction, wherein some researchers oppose the requirement for archiving by deleting personal data at the conclusion of a research project.

These issues are exacerbated when data involving minority groups are processed without adequate involvement or when methodologically weak data are reused, potentially leading to misleading results (Pasquetto et al., 2024). Moreover, studies have shown that opposition to openness is not confined to private companies. Both Luscombe and Walby (2017) and Schmidt (2024) demonstrate how authorities circumvent FOI legislation by creating various barriers, such as imposing high fees, enforcing time delays, requiring requesters to narrow their inquiries and even directly questioning the intended use of the requested material in order to impede researchers’ access to governmental information. These measures disproportionately affect researchers with limited resources or temporary appointments and transform FOI legislation into a political instrument that undermines transparency and democratic ideals (Luscombe and Walby, 2017; Schmidt, 2024). Additionally, FOI Commissioners and Ombudspersons are frequently understaffed and lack the mandate necessary to hold non-compliant authorities accountable (Luscombe and Walby, 2017).

Other research has discussed the disadvantages of permitting research materials to be requested under FOI legislation. Jubb (2012) observes that the administrative complexity of FOI applications varies considerably by disciplinary context, with some fields facing substantial hurdles in terms of cost and complexity. Researchers may also resist disclosure due to concerns over losing competitive advantages if others publish their findings first, while administrative burdens associated with FOI requests can ultimately deter industry collaboration with academic institutions. Furthermore, secrecy can serve important protective roles, such as shielding researchers from harassment (Resnik, 2006).

Historical perspectives reveal that juxtaposing openness and secrecy is not new. Resnik (2006) traces the evolution of these dynamics from ancient Greece to the present, while Edquist (2021) and Wellerstein (2021) illustrate how historical instances of data misuse and controlled information flows have shaped contemporary debates regarding transparency and national security. Scholars such as Jasanoff (2006) and Resnik (2006) argue that restrictions on openness are sometimes necessary to protect national and international security, corporate secrets and the welfare of research subjects. For instance, effective pseudonymisation of research participants remains challenging, particularly when multiple datasets are integrated or when study populations are small, thus increasing the risk of re-identification (Jubb, 2012; Lupia and Alter, 2014; Resnik, 2006). Research on biobank data further underscores the delicate balance required to safeguard personal information while promoting scientific advancement (Lind, 2015).

Confidence in data confidentiality is also critical for encouraging public participation in research and healthcare services (Jubb, 2012; Nissenbaum, 2004). Hansson and Björkman (2006) stress that research legislation must account for the potential use of medical data beyond research, clarify the legal status of ethical review decisions, and caution researchers against making unfeasible promises to participants. Similarly, Charlesworth (2012) highlights the importance of proper metadata to avoid accidental disclosure. Inadequate data management practices, particularly when researchers change institutions, risk data loss and complicate FOI processes (Jubb, 2012). In response, universities, funding bodies and academic journals increasingly require data management plans and transparent statements on data availability (Jubb, 2012).

Finally, perspectives on data archiving reveal a nuanced interplay between researchers’ assumptions and participants’ views. While some medical researchers support the right-of-access principle for gaining access to public records and health data registers, they are simultaneously apprehensive about their own data being subjected to similar requests (Rynning, 2005). Conversely, research subjects often view the archiving of their information as a beneficial contribution to the advancement of knowledge (Kuula, 2011). This divergence underscores the necessity for a more refined understanding of how data policies and practices affect various stakeholders within the research ecosystem.

Collectively, the literature provides an overview of the opportunities and challenges associated with FOI legislation and open data practices. At the same time, research on FOI requests and secrecy does not demonstrate when disclosures are justified or not, nor does it provide guidance on how institutions should manage this delicate balance. To illustrate this complexity, two Swedish cases will be analysed, each exemplifying, respectively, the disadvantages and advantages of research materials being subject to FOI requests in medical research.

This article examines the tension between the protection of individual privacy and the promotion of research subjects’ well-being through the disclosure of information under FOI legislation. To explore this tension, the study draws primarily on Helen Nissenbaum’s theory of contextual integrity, complemented by elements from Laufer and Wolfe’s multidimensional privacy model (1977), Daniel Solove’s taxonomy of privacy harms (2006) and the principle of proportionality within data protection law. Together, these frameworks offer a means for nuanced conceptualisation of how privacy is shaped, interpreted and potentially compromised in institutional, legal and research contexts.

Nissenbaum’s (2004, 2010) theory of contextual integrity provides a systematic framework for evaluating whether information flows align with the social norms of a given context. It distinguishes between norms of appropriateness (what kind of information is suitable to share) and norms of distribution (how that information should be shared). A breach of contextual integrity occurs when these norms are violated. Instead of defining privacy as mere confidentiality, Nissenbaum sees it as the proper flow of information within context-specific expectations, shaped by the roles of information subjects, senders, recipients and transmission principles governing access and use. This theory is especially relevant when research data are reused or shared beyond the scope of original consent. As Dahabiyeh and Taha (2024) point out, open data practices frequently challenge contextual integrity due to the limited scope of consent regarding third-party use. Nissenbaum’s structured inquiry into actors, contexts and governing norms offers a way to access not only whether a violation has occurred, but also whether such a breach can be ethically and politically justified.

Extending Nissenbaum’s relational and norm-based view of privacy, Laufer and Wolfe (1977) conceptualise privacy as a multidimensional construct of environmental, interpersonal and self-ego dimensions. This study focuses particularly on the environmental and interpersonal aspects, along with the concept of the privacy calculus. The environmental dimension recognises that cultural norms, physical settings and life cycle stages influence how individuals perceive privacy intrusions. The interpersonal dimension concerns an individual’s ability to manage boundaries in social relationships, with violations occurring when that control is undermined. Additionally, the calculus of behaviour, where individuals weigh perceived benefits against risks when disclosing information, helps explain why people may consent to data sharing, despite potential harms. Later refinements (e.g. Kehr et al., 2013) acknowledge that these decisions are not purely rational but shaped by emotional and situational factors.

Solove (2006, p. 497) adds a legal-theoretical perspective by arguing that the law’s reliance on the “secrecy paradigm” (defining privacy solely as confidentiality) obscures many forms of privacy harms. In response, he developed a taxonomy that classifies privacy violations into four categories: information collection, processing, dissemination and invasion. Though not prescriptive, the taxonomy serves as a tool for identifying institutional practices that may conflict with legal or normative expectations. In this study, particular attention is paid to subcategories as secondary use (using data for purposes beyond the original intent), exclusion (denying individuals insight into or control over how their data is used), identification (linking data to identifiable individuals, often circumvented through anonymisation or pseudonymisation), breach of confidentiality (violating trust by revealing information promised to be kept private), disclosure (sharing truthful but potentially damaging information) and intrusion (unwarranted access to private aspects of one’s life). Secondary use and exclusion are especially pertinent as the former challenges the principle of purpose limitation, while the latter highlights power asymmetries when individuals are denied insight or control over their information. Solove argues that breaches of confidentiality are particularly harmful, as they involve both disclosure and a betrayal of trust, which amplifies their ethical severity.

In this study, the theoretical perspectives of Nissenbaum, Solove, Laufer and Wolfe are complemented by a legal-theoretical lens derived from the balancing of interests and proportionality principles in Swedish and European data protection law. These legal frameworks allow personal data to be processed under certain conditions, such as with the data subject’s consent or under other statutory grounds, such as “legitimate interest.” Disclosure is only lawful if the public benefit outweighs the intrusion into personal privacy (Jonason, 2017). Swedish law does not provide an exact definition of privacy; instead, violations are assessed based on context, purpose, dissemination and consequences (Jonason, 2017). Government Bill 2005/06:173 underscores the need to balance privacy with freedom of expression and information. It states that data must not be collected or processed excessively or for improper purposes, that it must be accurate and corrected when necessary, and that confidentiality and professional secrecy must be upheld (Regeringskansliet, 2006). Jonason (2017) summarises this by stating that the balancing of interests is between the authorities’ demands for transparency and informing citizens about their activities, and the citizens’ need for access to information to monitor state actions and participate in public debate.

By integrating privacy theory with legal principles of proportionality, this study develops an analytical framework for evaluating when public disclosure is ethically and legally justified. While the theories of Nissenbaum, Solove and Laufer and Wolfe illuminate how privacy is shaped, contextualised and potentially violated within institutional and informational practices, the legal dimension introduces a normative tool for determining when such intrusions may be justified. This study proposes a combination of these theories, termed the Public–Privacy balancing Framework, which treats privacy not as a fixed right to secrecy, but as the contextually appropriate flow of information. This integrated approach enables a nuanced analysis of whether transparency genuinely advances democratic goals such as accountability and participation, or whether it results in disproportionate harm to individual integrity.

The study employs document analysis as outlined by Bowen (2009) in a comparative case study of two high-profile Swedish research misconduct cases. The analysis involves a systematic, iterative process of reading, coding and interpreting documents to uncover patterns, institutional priorities and normative tensions. Particular attention is given to how institutional actors justify or resist data disclosure, how privacy is positioned in relation to legal obligations and how competing values are balanced in official reasoning. The records are examined with regard to their origin, purpose and intended audience, enabling contextual interpretation of their content (Bowen, 2009).

The Gillberg case and Macchiarini affair were selected for their public visibility, accessibility and direct relevance to issues of research ethics, privacy and transparency. In Swedish legal practice and scholarship, the Gillberg case remains the most influential legal precedent concerning the public status of research records, representing a fundamental conflict between openness and data protection (Gornall, 2007; Hansson and Björkman, 2006; Reichel, 2013; Rynning, 2005). The Macchiarini affair is Sweden’s most prominent case of alleged research misconduct and highlights critical questions about institutional accountability, ethical oversight and privacy (Boeckstyns et al., 2020; da Silva, 2017; Vogel, 2016).

The dataset comprises over 1,000 pages of public records, including court rulings (see the  Appendix: G3–G4; G7–G13; G15–G16; M5–M6), reports from oversight bodies (G5; G14; M3; M7–M8) and university records (G1–G2; M1–M2; M4). To broaden the analytical perspective, supplementary materials have been included to capture public discourse and media framing. These include opinion pieces (Adolfsson et al., 2003), correspondence and debate articles attached to court rulings (see G12) as well as literature (Beckman, 2007; Kärvfe, 2000; Vågerö and Kärfve, 2006), Asplund’s investigation and relevant documentaries. For a complete list of primary sources, see references marked G1–G16 and M1–M9 in the  Appendix. Selection was guided by institutional referencing and verified for completeness and relevance. Ethical approval was granted by the Swedish Ethical Review Authority (2024-00533-01).

Despite the prominence and depth of the selected cases, the findings are not generalisable. Rather, the study offers conceptual insights into the tensions between privacy and transparency. Particularly as they emerge in widely published and contested cases. It also provides a foundation for future empirical research, including interviews with researchers, university leadership and ethics board representatives.

A longitudinal research study was started at the University of Gothenburg (GU) in 1977 concerning children with hyperactivity disorders, followed by four follow-up studies. Participation was voluntary and the research subjects were promised confidentiality. Professor and neuropsychiatrist Gillberg, after whom the case is known in the news, did not initiate the study but came to take over responsibility for it. The material contained privacy-sensitive information about both the children and the parents (G12).

In 2002, paediatrician Elinder and sociologist Kärfve, both critical of the medical research group’s findings, questioned the validity of the treatment recommendations for hyperactive children. Elinder, who had implemented these protocols, became increasingly sceptical about their effectiveness (Gornall, 2007), while Kärfve, noting variability in incidence figures and unusually low dropout rates in follow-up studies, suspected that the discrepancies might stem from research misconduct (Beckman, 2007, p. 73; Hansson and Björkman, 2006; Kärfve, 2000; Rynning, 2005; Vågerös and Kärfve, 2006). Consequently, they requested that GU investigate these concerns. Although the university ultimately found no evidence of misconduct, attributing the issues instead to epistemological differences, Elinder and Kärfve later exercised their right under FOI legislation to obtain the research data (Gornall, 2007; Hansson and Björkman, 2006). GU denied their request, citing potential harm to research participants due to re-identification risks (G1; G2). This decision was subsequently challenged in the Administrative Court of Appeal, which re-referred the case to GU for a review of the possibility of releasing a redacted version of the data. However, GU considered that de-identification would be very time-consuming as the material covered over 100,000 pages and required that the sociologist’s project obtain ethical approval and secure informed consent from research participants. Given that approximately 80 study participants had objected to the release of their data, such stipulations would have precluded access to a substantial part of the material. Consequently, the paediatrician and the sociologist appealed and in February 2003, the court ruled that the records should be released with reservations (G3; G4). The rulings were appealed without effect (G7).

The Parliamentary Ombudsman (JO) criticised GU’s long turnaround time in June 2003 (G5; G6). GU introduced additional access restrictions and required research participants to consent to the disclosure of the material. However, the Court of Appeal overturned these conditions, and subsequent requests for review to revoke the ruling were denied (G8; G9; G10). Eventually, GU decided that the research group should disclose the material in August 2003 (G11). But the research data were not disclosed after all, as the research group refused to give access to the premises where the material was stored. Three colleagues of Gillberg destroyed the records in May 2004, and these employees were sentenced in 2006 for suppressing records (G14). In 2005, Gillberg and the vice-chancellor were convicted of misuse of office, while the chairman of the university board was acquitted. Because Gillberg had premeditation, he was sentenced to a fine and a suspended sentence, while the vice-chancellor only received a fine (G11). The judgment was confirmed by the Court of Appeal for Western Sweden in 2006. The court found, among other things, that Gillberg’s confidentiality pledge went beyond what the Official Secrets Act allows and that there is no legal possibility to provide more extensive confidentiality than what the law allows. Furthermore, confidentiality determinations can only be made after a FOI request has been submitted, meaning his promise does not override a court’s interpretation of the legal rules (G12). The judicial decision was appealed to the Supreme Administrative Court, which did not take up the matter, and thus the Court of Appeal’s judgment won legal force (G13).

Gillberg then chose to take the case to the European Court of Human Rights, which examined Sweden’s compliance with the European Convention on Articles 8 and 10. The first deals with the right to protection of private and family life, and the second with freedom of expression. Gillberg claimed that the Court of Appeal misunderstood that the material belonged to GU. It was an unfinished longitudinal study with material that had not been archived. The chamber did not agree but acquitted Sweden in 2010. Five out of seven judges considered that the public has a clear interest in research results to be scrutinised, and if it is to be assumed that records cannot be disclosed if someone has given a promise of secrecy, courts would never be able to obtain “confidential” records even when other important interests were at stake. Two judges disagreed as they considered that the promise of confidentiality is vital for research subjects daring to be truthful (G15).

Given the fact that Kärfve did not conduct a research project linked to the material she wanted to investigate, the judges considered that the verdict against Gillberg was disproportionate, as he only wanted to protect the privacy of the research subjects. The case then went to the grand chamber, where 17 international judges tried the case in 2012, and it was announced that Sweden had not violated the European Convention. The Great Chamber did not consider that Gillberg’s interests could be compared to those of a journalist who wishes to protect his sources, because he opposed the principle of publicity, which should work for freedom of expression, and because the material belonged to GU. He was also not the research subjects’ doctor. Hence it was not a case of doctor-patient confidentiality. He was a researcher working as a public official exercising public authority at the university. Gillberg was never asked to testify about the research subjects and would not have received any other reprisals if he disclosed the material. Gillberg felt that the state put him in an impossible situation: he was required to give a confidentiality promise to the research subjects in order to conduct research and then forced to either break the promise or to be convicted of misconduct. However, the Grand Chamber agreed with previous courts that Gillberg had not succeeded in proving that the ethics board had forced him to give such a promise of confidentiality (G16).

The Gillberg case attracted a lot of media attention and divided the research community (G12; Beckman, 2007, p. 109). While medical researchers generally supported Gillberg’s position, social scientists tended to side with the sociologist. Some emphasised that it was a mistake to make promises that cannot be kept, namely that no one outside the research group will ever have access to the material. Others believed that the researcher’s main task should be to protect the privacy of the respondents. Several of the patients and parents agreed and organised demonstrations in favour of Gillberg (Hansson and Björkman, 2006). Both Gillberg and the ones requesting the material felt exposed to a campaign of calumniation (Beckman, 2007, p. 109). Gillberg stated that he did not object to external scrutiny, but simply did not want to break his promise of confidentiality (Gornall, 2007; Hansson, 2015).

Some believed that the release of records undermines clinical research and that the Freedom of the Press Act (TF) is not intended to be used to investigate research fraud. They believe that misconduct must be tried according to the established regulations, where the complainant cannot also be the judge (Adolfsson et al., 2003). The Press Ombudsman, for its part, assessed that TF can be used to request research material (Hansson and Björkman, 2006). Interestingly, the court lifted the provision that if a researcher requests access to research data, they must have an ethics approval. This brings us to the next case, where significant emphasis was placed on the absence of ethical permission and informed consent.

Moving on to a parallel case, we proceed to analyse the so-called Macchiarini affair. This case also attracted extensive media coverage, ranging from a Swedish documentary series that made the surgeon notorious among the Swedish public (Dokument inifrån: Experimenten, 2016) to a Netflix documentary that portrays him as a narcissistic mythomaniac (Bad Surgeon: Love Under the Knife, 2023) and the Peacock documentary from the same year (Dr Death: Cutthroat Conman).

In October 2010, the Karolinska Institute (KI), the largest medical university in Scandinavia, hired Macchiarini as a visiting professor in clinical regenerative surgery. The employment contract included that he would also work as a chief surgeon at the Karolinska University Hospital (KS). There were plans to establish a new centre for advanced airway surgery. In 2011, Macchiarini performed the world’s first transplant with a “synthetic” trachea. Before that, the operation had not been carried out on humans or animals. The trachea was prepared with the patient’s bone marrow cells and three growth preparations. Of the latter, only two were approved for medical use in Sweden. The same year, another patient was operated. Macchiarini applied for ethical review of animal experiments after surgeries had already been carried out on two patients. In August 2012, a third patient received a synthetic trachea, which was replaced with a new one the following summer. The first two patients were seriously ill with tracheal cancer, while the third had the trachea damaged during an operation (M5).

After the transplants, all patients suffered from severe complications such as fistulas, clots, inflammation and bleeding. One patient’s synthetic trachea had dislodged and another had to have his oesophagus removed due to fistula formation and the patient also suffered kidney damage (M5; M6). Patient 1 died in January 2014 and Patient 2 in 2012. Patient 3 was sent to the United States in 2016 to receive new organs from a deceased donor and passed away in 2017 (M5). Macchiarini had performed more transplantations outside of Sweden, where the patients likewise suffered complications (Asplund, 2016; M5).

In November 2013, Macchiarini’s employment at KS was terminated, while it was extended at KI. In June 2014, the first allegation of research misconduct was filed (M1), followed by more claims (M2). It was alleged that six articles falsely reported that patients were free of complications and that surgeries were successful. He was acquitted in April 2015 by KI for the first report of misconduct, and the same month, he was reported to the police by the Medical Products Agency. In May, the external review based on the other misconduct cases concluded that Macchiarini was guilty of research fraud. Despite this, he was acquitted by KI’s ethics committee (M2). In June 2015, the Swedish Health and Social Care Inspectorate pressed charges for violating the law on ethical review of research involving human subjects (M6).

In January 2016, the Swedish public service television company (SVT) showed a documentary about the cases that made Macchiarini known to a wider public. Media interest grew, as did criticism of both the operations and the research. Macchiarini was dismissed from KI in March of the same year. In 2016, the new vice-chancellor of KI opened the misconduct cases, and Macchiarini was convicted along with other researchers for research misconduct in studies published in six scientific articles (M4). A few years later, the Swedish National Board for Assessment of Research Misconduct convicted him for research published in two more articles (M7; M8).

In December 2017, the university faced criticism from JO for the prolonged turnaround time in disclosing records related to Macchiarini’s research. The request concerned data on the trials, analyses, and results of an article published in The Lancet. KI attributed the delay to the surge in record requests following the scandal and the broad, imprecise nature of the request. The disclosure process was further complicated by the disbandment of Macchiarini’s research group, which led to some research data not being archived. Additionally, certain lab books were missing, possibly lost when equipment and materials disappeared from the research group’s premises in the summer of 2016. KI reported the missing items to the police, but no preliminary investigation was initiated. It later appeared that a researcher from another department possessed data for one of the figures in the article. However, the researcher initially questioned whether he was obligated to disclose the data. KI requested him to do so, and he eventually complied. Despite this, JO deemed the university’s response time unacceptable (M3).

In 2022, Macchiarini was sentenced by the Solna District Court for causing bodily injury. The penalty was a suspended sentence (M5). That sentence was then changed by the Court of Appeal in 2023 to three counts of aggravated assault, where the penalty was imprisonment for 2 years and 6 months. The prosecutor argued that the transplants were done for research purposes without ethics approval, while Macchiarini held that the operations were done for care purposes. Both courts considered that the operations were not performed in accordance with good scientific conduct and proven experience, and therefore, the Court of Appeal considered that the operations could not be seen as medical care. This court also stressed that Macchiarini wrote in The Lancet that his team had ethical approval, which must have meant that Macchiarini himself regarded it as research. The court stated that Macchiarini was the driving force in the operations being carried out. He described the patients’ condition as worse than it was and the methods as more proven than they were to justify their use. For example, he allegedly had a patient give his consent to the surgery by claiming that the procedure had been tested on pigs, that there were no side effects, and that it was the patient’s only chance to see his children grow up (M5). The Supreme Court did not grant leave to appeal that confirming the Court of Appeal’s judgment.

The scandal was revealed by whistle-blowers who claimed to have experienced ostracism, been subjected to malevolent rumours and had their research grants reduced (M9; Nordin, 2023). As co-authors on the publications, these individuals were implicated in allegations of research fraud, a charge they view as retaliatory, prompting an appeal to the European Court (M9; Cederberg, 2024). They assert that patient confidentiality prevented them from knowing the first patient’s health status. To retain ongoing access to project materials for internal scrutiny, they accepted co-authorship. Subsequently, an ethics application was submitted to access patients’ medical records. The whistle-blowers also received permission from the relatives of patients 1 and 3 to access the medical records. The ethical review was approved, allowing them to compile a report for KI’s management that was ultimately met with silence. Parts of the medical records were published on the website Retraction Watch. In 2014, KS initiated legal proceedings based on log extracts documenting who accessed the records; however, the investigation was discontinued because the individual responsible for leaking the information to the website could not be identified. In retrospect, it was established that the hospital focused much of its attention on the illegal medical record intrusion instead of whether or not Macchiarini was conducting research fraud. Even before the whistle-blowers, one more researcher had tried to draw the management’s attention to flaws in Macchiarini’s articles, similarly without success (Asplund, 2016; Kindbom, 2018).

While the Gillberg case demonstrates how publicly requested research data can compromise the integrity of both researchers and subjects, the Macchiarini affair exemplifies the risks of inadequate archival practices, where overtly unethical research was revealed only by cross-referencing published articles with patients’ case files, hypothetically acquired by unlawful disposal.

The results show that in the Gillberg case, a paediatrician and researcher requested access to sensitive research data from an ongoing project. Although the university refused disclosure, a court later mandated its release, leading the research group to erase the material to uphold confidentiality. In contrast, the Macchiarini affair involved the treatment of patients with an unvalidated method, with published results that misrepresented ethical approval and patient consent. The whistle-blowers may have unlawfully accessed medical records to verify claims, thereby breaching the Swedish Patient Data Act.

These cases, which share the underlying theme of researchers verifying colleagues’ findings, will now serve as the basis for the discussion. First, I will analyse the Gillberg case and the Macchiarini affair using Nissenbaum’s theory of contextual integrity, situating each within this framework. The analysis of this is summarised in Table 1. Subsequently, I will examine the cases from the perspective of balancing of interests to explore whether violations of contextual integrity may, in certain circumstances, be justified.

The findings in Table 1 highlight that while Nissenbaum’s framework provides critical insights, it alone is insufficient to resolve the complex conflict between public access to information and the protection of privacy. A paradox arises where the disclosure of data violates the individual’s privacy while potentially saving the person’s life or health through increased scrutiny and accountability. In the Macchiarini case, transparency, despite intrusions into individual privacy, can enable scrutiny, liability and correction of errors that may save future patients. The role of transparency is to ensure the legitimacy of healthcare and research institutions and to protect individuals’ lives and health. At the same time, individuals’ expectations regarding how their data is used must be respected. Moreover, privacy, as Nissenbaum and Jubb suggest and as Gillberg and the European court stated, may be more important than transparency because it can encourage individuals to seek healthcare and participate as research subjects. The question is therefore whether the disclosure of research data without individuals’ consent can be considered proportionate and ethically defensible in relation to its potential benefit.

In the cases in question, the objective was not to publish data openly for the general public, but rather to share it with a selected group of researchers and physicians bound by confidentiality. According to the rulings in the Gillberg case, the data should have been pseudonymised, and it is likely that the same restrictions would have applied had the whistle-blowers requested Maccharini’s research material. Such measures would have aligned with the protective provisions of data legislation, thereby limiting the intrusion into the privacy of research participants, since it is unlikely that the researchers or physicians would have exploited the information for extortion. The potential benefit of disclosing the data (despite the intrusion into individuals’ privacy) is the possibility of uncovering research misconduct. This could lead to actions aimed at preventing further harm and ensuring that affected individuals receive corrective treatment. When the violation is minimised through using strategies such as pseudonymisation and strictly controlled access, the balance between saving lives and improving health is more effectively achieved, supporting the view that the disclosure of data in these cases is both proportionate and justified.

This article critically compares two distinct cases to elucidate the implications of public access principles in the investigation of research misconduct. It explores how the tension between protecting individual privacy and ensuring transparency can lead to complex ethical dilemmas and practical challenges.

The disclosure of research data constitutes a privacy violation according to both Nissenbaum’s concept of contextual integrity and Solove’s privacy taxonomy. From the viewpoint of Nissenbaum’s framework (2004; 2010), the forced disclosure of research data emerges as a violation of contextual integrity of the research setting, where participants expect strict confidentiality based on established norms of academic research and medical ethics. According to Solove (2006), disclosing data for purposes other than those for which it was originally collected constitutes secondary use and therefore violates privacy.

Similarly to how Solove theorised (2006), both the courts in the Gillberg case and the hospital administration in the Macchiarini affair framed the issue primarily as a matter of legal confidentiality, without adequately considering the perspectives of research participants. While the Gillberg case centred on the principle of public access, the Macchiarini affair involved concerns about unlawful intrusion into medical records. In the Gillberg case, the court determined that exceptions to confidentiality existed and permitted the disclosure of records under specific conditions. This arguably constituted exclusion, as participants were denied any influence over how their data would be used. Both Gillberg and the university considered the act a breach of confidentiality. Similarly, in the Macchiarini affair, patient data were leaked on Retraction Watch, further complicating the ethical status of the disclosure.

Laufer and Wolfe (1977) emphasise that privacy is not a fixed or universal construct but is shaped by cultural expectations, social norms and psychological factors that evolve over time. Perceptions of what constitutes privacy can shift depending on an individual’s life stage and the broader socio-cultural environment in which information is shared. In both the Gillberg and Macchiarini cases, participants’ willingness to share sensitive information with researchers appears to have been influenced by the prevailing cultural assumption that physicians and researchers act in the best interests of patients. This perceived alignment of values fostered a sense of trust and security in disclosing personal data.

A plausible interpretation is that participants in both cases weighed the risks of participation against the potential benefits, concluding that access to care or support outweighed any foreseeable risks. However, the Gillberg case illustrates how changing circumstances, such as the involvement of external actors who questioned the legitimacy of participants’ diagnoses, altered the context in which the original consent was given. What had initially been perceived as a secure, purpose-bound information flow transformed into an intrusive and contested exposure of personal data. As the balance between benefit and risk shifted, participants effectively lost control of how their information was used, highlighting the relational, evolving and context-sensitive nature of privacy. Although in light of the privacy theories, both cases unfold as privacy violations, the legal principle of proportionality suggests that such intrusions may be justified when they serve to protect lives or prevent harm. Importantly, it is only in retrospect that we now know Macchiarini committed misconduct while Gillberg was exonerated. This outcome underscores an ethical dilemma in which the FOIA may simultaneously serve as an intrusion into privacy and as a safeguard for the individual whose privacy is at risk. Previous research, such as Linds’s study on biobanks (2015), also illustrates the inherent difficulty of balancing individual privacy against the demands for transparency.

Even though the disclosure of research data may be considered legitimate if adequate security measures are implemented, several ethical and practical challenges remain. As Edquist (2021) has shown, archiving is not without risk, since archived materials can be requested and potentially used in unintended ways. This opens the possibility for FOI requests to be misused, as stated by Resnik (2006), for example, researchers might obtain emails or other data to undermine colleagues or to gain a competitive advantage. Moreover, the time-consuming nature and urgency of such requests may divert valuable time and resources from ongoing research activities.

The “records paradox” described by Edquist (2021) is evident in both cases under review. In the Gillberg case, data originally collected with the aim of developing treatments for children (which initially had an emancipatory function) later became a source of oppression when its risk of disclosure led to parental accusations and blame. Similarly, in the Macchiarini affair, whistle-blowers were accused of unlawfully intruding into patient records, yet their actions ultimately revealed evidence of substandard care. These examples illustrate how the same records can both protect and harm, depending on the context and the manner in which they are used.

The Gillberg case exemplifies ethical destruction for ideological reasons, where records are discarded due to perceived inadequacies in existing confidentiality regulations (Edquist, 2021). The Gillberg case is partially consistent with Schmidt’s (2024) findings, as GU deliberately delayed disclosure and implemented various barriers both to avoid releasing material initially and, subsequently, to limit the scope of disclosure.

In the Macchiarini case, parts of the research material were never archived. Conversely, in the Gillberg case, the concern was not with the collection or secure storage of data per se, but with its potential disclosure and review by an external researcher, which diverges from Kuula’s (2011) findings, in which research participants considered external review to be beneficial. It is possible that the research context and the type of data collection in question affect the research participants’ attitudes towards external review. This underscores the importance of managing informed consent appropriately, as emphasised by Charlesworth (2012), Hansson and Björkman (2006). Despite the complexities of attaining genuine informed consent, researchers must clearly communicate how participants’ data will be managed under archival law, ensuring that they understand the possibility of future access beyond the immediate research team. It is challenging to secure truly informed consent for future research, as participants cannot foresee societal changes that might affect how their data are used. Moreover, this study demonstrates that consent does not inherently prevent unethical research, since it relies heavily on trust and participants are often unaware of how future developments may alter the use and interpretation of their information.

The outcomes of both cases further reveal that not only research participants but also the involved researchers, may suffer from breaches of privacy, as underscored by Resnik (2006). In the Gillberg case, both the data requesters and Gillberg himself reported feeling subjected to a campaign of defamation and personal attacks, mirroring the experiences of the whistle-blowers in the Macchiarini affair. This observation suggests that an FOI request can simultaneously infringe upon the privacy of both research subjects and researchers. In situations where a researcher is wrongly accused of misconduct and subsequent review exonerates them, the intrusion into the researcher’s privacy might serve as a means of obtaining redress.

Given these complexities, it is imperative that researchers receive guidance at the onset of a project regarding the organisation and storage of research material. Such support would help avoid allegations of data concealment and ensure that informed consents are written in a manner that complies with both legal requirements and ethical norms, thereby safeguarding the privacy of research participants while facilitating future investigations. Some researchers, as observed during the Gillberg trial, argued that certain types of research cannot proceed if there is a risk of data being requested and disclosed. Although existing confidentiality measures, such as data masking and informed consent (Lupa and Alter, 2014), are intended to protect research participants, these were deemed insufficient in both the Gillberg and Macchiarini cases. The identifiability of individuals constitutes a privacy violation within the framework of Solove’s taxonomy (2006).

This discussion underscores the need to delineate clearly under which circumstances data should not be disclosed, and to establish who should be responsible for reviewing research material in cases of suspected misconduct. It also highlights the necessity for additional control mechanisms. For instance, mandatory controls for clinical trials where ethical approvals are verified by an independent third party before treatments are administered could serve as a model. Lawmakers have, following the Macchiarini incident, enacted a new law on research misconduct (2019:504), which admittedly does not prevent research fraud but is only applied after incidents have occurred. However, its punitive nature suggests that further preventive measures are needed, particularly with respect to independently verifying informed consent.

An alternative solution might involve restricting FOI access to research data so that requests can only be made by designated authorities rather than private individuals. GU opposed the request by Elinder and Kärfve on the grounds that they acted as private individuals. Kärfve maintained that she made the request as a researcher at another public university; however, GU argued that she lacked the required ethical approval, a requirement the court ultimately rejected. These differing interpretations of the secrecy act and the criteria for requesting data raise questions about equal treatment. As Hansson, Björkman (2006), Luscombe and Walby (2017) discuss, it is problematic that research data can only be requested from research institutions under government auspices (which, admittedly, constitute the vast majority in Sweden) but not from private ones. This creates a disparity between public and private cases, in contrast to other legal contexts such as public procurement and workplace regulations, where equal treatment is rigorously enforced.

Future research could interview ethics committees and researchers to determine reasonable safeguards that enable independent review in cases of suspected misconduct while ensuring that sensitive information is not disclosed without the consent of the research subjects. Furthermore, studies could investigate how confidentiality assessments are conducted at universities and the frequency of FOI requests for research data. One potential compromise is to archive data that researchers wish to preserve, but not publish openly, under clearly defined user terms, and to tighten the criteria for when research data can be requested under FOI legislation. Such measures would restrict Sweden’s principle of public access at public universities, yet if applied equally to private research institutions, they could help ensure that the review of research is not contingent upon the institutional affiliation of the researcher.

The cases highlight the need for clear guidelines, robust oversight mechanisms, and equitable application of legal principles across both public and private research institutions to ensure that the pursuit of transparency does not come at the unjust expense of individual privacy.

In several countries, FOI legislation can be used as a basis to request research data. However, this can be an intrusion into the research participants’ privacy. The question is in which cases such an intrusion is justified. The article has examined two well-known cases in Sweden that have shown that contextual integrity was violated when research data was requested as public records and also disclosed without the consent of the research participants. However, after weighing the competing interests, in these cases, the interest in openness outweighs the need to protect individual privacy. The dilemma highlights that, in addition to more control mechanisms within healthcare and research, researchers need to be clearer in the informed consent process that they can never promise research participants absolute confidentiality or that no one other than the research team will ever have access to the data.

To navigate this tension, the theoretical framework Public-Privacy Balancing, developed and applied in this study, offers a way to reconcile the principle of public access to official records (vital for accountability) with Nissenbaum’s contextual integrity. It does so by recognising life and health as overriding rights in exceptional cases, thus enabling ethically and legally sound decisions. Both theoretical reflection and practical measures are needed to determine how to strike a fair balance between transparency and privacy in research. The integrity of research participants must be protected, yet research must also be subject to scrutiny in order to prevent misconduct. The two analysed cases show that conventional safeguards, such as masking, pseudonymisation, and informed consent, are not sufficient. It is striking that if Macchiarini or Gillberg had worked at a private university, the outcomes of these cases could have been entirely different. According to the principle of equality before the law, all individuals should be treated equally; however, under current Swedish legislation, researchers are de facto treated differently depending on how their research is conducted. This discrepancy raises fundamental questions about fairness and justice in the governance of research ethics and transparency.

The author would like to thank Prof Isto Huvila and Dr Olle Sköld for their valuable feedback on the manuscript, and the anonymous reviewers for their helpful comments.

• G1: Gothenburg University, statement 2002-08-30, case no. H5 1493/02

• G2: Gothenburg University, statement 2002-09-10 & 2004-03-17, case no. H5 901/02

• G3: The Gothenburg Administrative Court of Appeal, verdict 2003-02-06, case no. 5741-2002

• G4: The Gothenburg Administrative Court of Appeal, verdict 2003-02-06, case no. 6208-2002

• G5: Parliamentary Ombudsman (Justieombudsmannen, JO) decision, 2003-06-10, case no. 3591-2002

• G6: JO-decision, 2003-06-11, no. 3781-2002

• G7: Swedish Supreme Administrative Court, decision 2003-07-22, case no. 3963-2003

• G8: The Gothenburg Administrative Court of Appeal, verdict 2003-08-11, case no. 3395-03

• G9: The Gothenburg Administrative Court of Appeal, verdict 2003-08-11, case no. 3396-03

• G10: Swedish Supreme Administrative Court, decision 2003-11-05, case no. 4691-4692-2003

• G11: Gothenburg District Court, verdict 2005-06-27, case no. B 2894-04

• G12: The Court of Appeal of Gothenburg, verdict 2006-02-08 and appendices of case no. B 3339/05. The appendices comprise, inter alia, opinion pieces, email correspondence from Gillberg, statements from GU and minutes from board meetings.

• G13: The Supreme Court of Sweden, Record of Leave to Appeal Decision, 2006-04-25, case no. B 1049-06

• G14: JO-decision, 2006-06-26, case no. 1568-2003, 1606-2003

• G15: European Court of Human Rights (ECtHR), judgment 2010-11-02, case no. 41723/06

• G16: ECtHR, judgment 2012-04-03, case no. 41723/06

• M1: KI, Vice-chancellor’s decision 2015-04-07, case no. 2-2167/2014

• M2: KI, Vice-chancellor’s decision 2015-08-28, case no. 2-2184/2014

• M3: JO-decision, 2017-12-20, case no. 6418-2016

• M4: KI, Vice-chancellor’s decision 2018-06-25, case no. 2-723/2016

• M5: Solna District Court, verdict 2022-06-16, case no. B 10553-18

• M6: Svea Court of Appeal, verdict 2023-06-21, case no. B 9036-22 and file appendix I and II

• M7: Swedish National Board for Assessment of Research Misconduct (Npof), decision, 2023-09-20, case no. 3.2-22/0092

• M8: Npof, Decision 2023-10-05, case no. 3.2-22/0078

• M9: ECtHR, application no. 37988/21

• Netflix, Bad Surgeon: Love Under the Knife, 2023.

• Peacock documentary, Dr Death: Cutthroat Conman, 2023.

• Sweden’s Television Stock Company (SVT), Dokument inifrån: Experimenten, 2016.