Privacy in Research
Here we present which privacy considerations must be taken into account in research projects.
Who is in charge?
The researchers themselves holds the main responsibility for complying with all requirements in research projects. However, should you need assistance, you are welcome to seek advice from the administrative support system.
Advice on notification obligation to NSD and REK, informed consent and data processing agreements in research projects;
Advice on assessment of privacy consequences (ROS, DPIA and advance discussions with the Data Protection Authority), data management plan, secure storage of research data;
The General Data Protection Regulation (GDPR);
- Legal Advisor/ Privacy Ombudsman Knut Erik Gaustad
Students writing a bachelor's or master's thesis are followed up by their supervisor.
On the 25th of May 2018, the European Union and the EEA received a new European privacy regulation called The General Data Protection Regulation (GDPR).
The Norwegian version of the GDPR is the Act on the Processing of Personal Data (also called the Privacy Regulation or the Personal Data Act).
The new Privacy Regulation entered into force as Norwegian law on the 20th of July 2018, and then replaced the Personal Data Act of 2000 (with regulations).
The Act on the Processing of Personal Data (only in Norwegian) defines personal data in Article 4, part 1. The Data Protection Authority reproduces this on its website, but in a slightly simpler language:
Personal data is information that can directly or indirectly identify a person. Directly identifiable personal data is a name, social security number, e-mail address, telephone number, IP address or other personal characteristics. Indirectly identifiable personal data is background information that can make it possible to trace the information back to an individual, for example, the municipality of residence or the association of the institution combined with information on age, gender, occupation, nationality, etc.
"Special categories of personal data" overlap mainly with what was previously known as "sensitive personal data".
The processing of personal data about racial or ethnic origin, political beliefs, religion, philosophical beliefs or trade union membership, as well as processing of genetic and biometric information for the purpose of uniquely identifying a natural person, health information or information about a physical person's sexual relationship or sexual orientation, is prohibited.
The processing of special categories of personal data is thus prohibited in principle. However, Part 2 of Article 9 states that the prohibition shall not apply if one of the following conditions are fulfilled; read the terms that allow processing of specific categories of personal data in Article 9, part 2 of the Act.
The data controller is the institution / company / other legal person who decides the purpose of the processing of personal data and which tools to use. The person responsible for processing can, for example, be the university, the university college, the health enterprise or the research institute at the top level of the management.
To be the data controller signifies a formal position and entails requirements for compliance with a number of obligations in the law. In a research project, the institution responsible for data processing - represented by the principal investigator - will be obliged to ensure that all external data processors in the project have an adequate level of security. This is done through a risk and vulnerability analysis.
The duty of the controller is statutory in Article 24 of the Privacy Regulation.
NSD > Privacy Services > Data Protection Services > Get help notifying your project > Vocabulary > data controller
Processing personal data is to collect, record, store and possibly compile and disclose personal data.
NSD > Privacy Services > Data Protection Services > Get help notifying your project > Vocabulary > Processing personal data
In accordance with Article 6, Part 1A of the Privacy Regulation, it is only legal to process personal data for which the data subject has given his/her informed consent. See separate section on information sheet and consent form below.
A data processor is a person or business outside the organization of the controller, who processes personal data on behalf of the controller. Examples of data processors may be an external questionnaire provider, transcription assistant, or interpreter.
NSD > Privacy Services > Data Protection Services > Get help notifying your project > Vocabulary > Data processor
The Privacy Regulation, Article 28, Part 3 requires that the relationship between the responsible institution and the external data processor is regulated in a data processor agreement. The external data processor shall process personal data in accordance with the agreement.
- Unit’s Template for data processing agreement
- The Data Protection Authority’s Guide on data processing agreement (only in Norwegian)
Remember that before a data processor agreement is signed, a risk and vulnerability analysis (ROS-assessment) must be performed. Otherwise, the data processor agreement will not be valid.
A data management plan (DMP) describes how data will be collected, stored, processed and applied during a research project in progress, and what will happen to the data after the project is completed (whether the data will be destroyed / archived / made available).
Research should not be performed on individuals or groups without these having explicitly given their informed consent for the research to take place. Prior to the study, the research participants should have received a written information letter explaining the purpose of the research project, that participation is voluntary and what it will imply for them to participate.
The written information sheet and the declaration of consent must be formulated in a clear and simple language adapted to the recipients. The consent of the informant must be documented for posterity, which in most cases means that the informant signs a written consent declaration. The legal basis for this is found in Article 4 (Part 11), Article 6 (Part 1A) and Article 7 of the Privacy Regulation, and Chapter 4 of the Health Research Act.
Information letters must state:
- The institution responsible for treatment.
- Contact information to the researcher (possibly student / supervisor).
- The purpose of the project and what the information will be used for.
- That it is voluntary to participate, and that one can withdraw without giving any reason as long as the study is still ongoing.
- How consent can be withdrawn. For example, contact information may be provided to a specific person whom the research participant may contact to withdraw their consent. The legal basis for this is found in Article 7, Part 3 and Article 17 of the Privacy Regulation.
- The scheduled time for completion of the project and an explanation of what will happen to the personal data after project completion (deletion or further storage).
In addition, the information letter should contain:
- An introduction that presents the purpose of the project and which invites the recipient to participate.
- A description of the methods which will be used to obtain information and what this means for the participant.
- A confirmation that the information will be treated confidentially.
- A list of who has access to the personally identifiable data.
- Which bodies the project has been reported to, or already approved by (i.e. NSD, REK, the Norwegian Data Protection Authority).
Who has consent capacity:
- People of legal age
- Minors after the age of 16 have consent capacity, unless otherwise stipulated by special statutory provisions or by the nature of the research.
Who does not have consent capacity:
- Persons with impaired consent capacity, i.e. with physical or mental disorders who therefore are unable to understand what the consent implies.
- Patients in clinical emergencies.
- Minors between the ages of 16 and 18 if the project concerns an intervention or drug testing.
- Minors under 16 years. However, children between the ages of 12 and 16 have the right to demand that the information they provide in the project should not be made known to parents or others.
- A consent must be voluntary, indisputable and documentable:
- Voluntary implies that the consent must be given without undue influence.
- Indisputable implies that the consent must be an explicit act, such as signing a statement or making a keystroke.
- Documentable implies that the consent must be recorded for posterity.
- The principal investigator holds the overall responsibility for properly obtaining consents, but the task can be delegated. The delegate must have the necessary and sufficient competence for the research project in question, in order to be able to fulfil the task.
- The consent declaration must have a signature and date field, and a statement such as: "I have received written information and am willing to participate in the study."
- The informant must have a copy of both the information written and the signed declaration of consent.
- Significant changes in the research project, which is believed to be important for the research participant's consent, requires that a new consent is obtained. REK may approve exceptions to this requirement.
Storage of consent declarations:
- The principal investigator is responsible for ensuring that all original, signed consent declarations are kept properly while the research project is ongoing, meaning in original paper format and locked down.
- In student projects, the student, under the guidance of the supervisor, is responsible for keeping all original, signed consent declarations properly while the project is in progress.
- All statements of consent must be deleted when data is anonymized or deleted.
Guides and templates
- The Data Protection Authority’s Guide on consent (only in Norwegian)
- NSDs template for information sheet and consent declaration (only in Norwegian)
- REKs template for information sheet and consent declaration
The legal basis for informed consent
- The act on the processing of personal data (The Privacy Regulation) artikkel 4, 6, 7 og 17.
- The act on medical and health research (The Health Research Act) § 13 – 20 og § 28.
- The patient and user rights law (The Patient and User Rights Act) § 1-3, 4-2, 4-3, 4-4 og 4-7.
- Regulations on the organization of medical and health research § 9.
Privacy in research and student projects
NSD > Privacy Services > Data Protection Services > Get help notifying your project > Vocabulary > Processing personal data
Take NSDs test to check whether your project should be notified to NSD.
Submit the notification form
Reduce the assessment time
The assessment time will be shorter if you provide complete information about the project in the message form and submit the necessary documentation. Complex projects may take longer to assess. NSDs top tips on how you may contribute to a faster process.
NSDs contactperson at Kristiania University College bears the day-to-day responsibility for a proper and just compliance with the law's provisions on information security and internal control. The contact person must be employed at the institution responsible for treatment.
- In research projects (including PhD projects), the contact person is the principal investigator/researcher him/herself.
- In student projects (bachelor or master), the supervisor (or a person with academic responsibility at the place of study) should be a contact person. The student himself cannot be a contact person.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Sentrale begreper > Kontaktperson ("contact person" is only defined in the Norwegian vocabulary at NSD)
The principle of data minimisation
As a researcher (and student researcher), you should only obtain information that is relevant and necessary for your research purpose (Article 5 of the Personal Data Act, Part 1C). Hence, think carefully about whether it is necessary to collect personal data to carry out the project's investigations. Can anonymous data, i.e. information which cannot be directly or indirectly traced back to individuals, serve the project's purpose equally well?
The privacy principle of limiting the collection of personal data to what is necessary for the purpose is called "data minimisation". Data minimisation is defined as follows on NSD's websites:
Data minimisation means that you should not collect more information about your sample than is necessary to realize your research purpose. If any of the personal data you wish to collect is not necessary for the purpose, do not collect it. Data minimisation is one of the privacy principles of the Privacy Regulation.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Sentrale begreper > Dataminimering (only in Norwegian)
What is anonymous data?
Anonymous data is information that cannot in any way identify individuals in a data material;
- neither directly by name or social security number
- indirectly through background variables
- or through a name list / link key or encryption formula and code
A data material is thus not anonymous if only what is published in the finished report, article, master's thesis or the like is anonymized. The raw data must also be anonymized.
NSD > Personverntjenester > Data Protection Services > Get help notifying your project > Vocabulary > Anonymous data
How can I complete a project without having to notify NSD?
Projects which process anonymous data throughout the research process should not be notified to NSD. For data to be processed anonymously, the data cannot be linked to personal data via code or scrambling key. Here are some methods that can be used:
- When interviewing and observing, data must be recorded only in the form of notes (not audio recordings). Ensure that no name or person identifiable background information is recorded in the data material.
- Questionnaires must be obtained in paper form, without names and indirectly identifiable information.
- In order for online surveys not to be covered by the law, you must ensure that the ICT solution is completely anonymous (i.e. that the respondent's email /IP address is not linked to a questionnaire at any time) and that the questionnaire itself does not contain questions about identifiable information. NB! Most online surveys involve registering an email /IP address, and the processing will then have to be reported, even if only the service provider has access to this information.
- Registry-based studies and journal data can be used without notification as long as only anonymous data is retrieved. The information must not be transferable to individuals in any way. There are a number of anonymous registry data available on the Internet. In example at Statistics Norway and NSD.
NSD > Personverntjenester > Data Protection Services > Get help notifying your project > Frequently asked questions > How can a project be carried out without being subject to notification?
How do I anonymize the data?
Anonymization means processing the data so that no individual can be recognized in the data material you are left with. You must then review your data and decide what information to remove or rewrite.
Usually, anonymization involves:
- To delete directly identifiable information (including link key / name list)
- To delete or rework indirectly identifiable information (for example, by roughly categorizing variables such as age, place of residence, school, etc.)
- To delete (or edit / delete) audio recordings, images, and video recordings
If you use a data processor, the data processor must also delete identifying information.
You are usually allowed to keep anonymous data after the end of the project, since the Privacy regulation does not apply to anonymous data. However, you must make sure that you have reworked the data sufficiently so that no individuals can be recognized. There are cases where you still have to delete the entire data material. This applies, for example, if you yourself have promised the informants to delete the data material, or when data owners, such as Statistics Norway, instruct you to delete the entire data material at the end of the project.
Please note that you are not required to delete personal data in the publication / thesis. If you have a scientific justification for it, and you have obtained consent from the participants, personal data can usually be published. Please refer to the Data Protection Authority's guide to anonymisation.
NSD > Personverntjenester > Data Protection Services > Get help notifying your project > Frequently asked questions > How do I anonymise my data material?
Norwegian Data Protection Services (NSD)
The Norwegian Data Protection Services (NSD) has a database of thousands of data sets that you can request access to. Some datasets are also available online. Read more on NSD's new search portal "We're on the way" (only in Norwegian).
Microdata.no is another site subject to NSD that facilitates the use of registry-based data for research.
Statistics Norway (SSB)
Statistics Norway (SSB) lends microdata to research projects, and has data related to people, businesses and enterprises. Read more on Statistics Norway's website.
Researchers and students at an institution in Norway that collects personal data abroad must apply for permits from NSD in the same way as for data collection in Norway.
NSD > Personverntjenester > Data Protection Services > Get help notifying your project > Frequently asked questions > I will collect data abroad. Will my project be subject to notification in Norway?
Researchers / students doing research on information made available on the Internet must report the project to NSD if they process personal data using a computer.
For example, the processing of personal data may imply to store documents from open or closed discussion forums containing the user names of the discussion participants. Another example is using direct quotes from websites. Quotes are browsable and will in this way point back to identifiable individuals.
As a general rule those studied must consent to being included in the study, but exceptions may be granted in certain cases. More about internet research on NSD's websites.
The principle investigator for the project is responsible for ensuring that the data is anonymised, deleted or if relevant properly long-term stored in accordance with the permissions the project has received.
In student projects, it is the student who must submit a final message to NSD when the project is completed. If this is not done, then NSD will contact Kristiania University College who will contact the student and supervisor and request that a final notification be submitted.
These projects must be approved by REK in advance
- Medical and health research projects
- General research biobanks
- Exemption from confidentiality for other types of research
Enter your Cristin ID when applying to REK
- Find your Cristin person ID and store it on your personal card in REK (only in Norwegian). Your Cristin ID must be registered on your personal card in REK's application portal before the application is submitted to REK.
- When / if the project is approved by REK, it will be automatically transferred to Cristin (via SPREK). The project manager also receives an e-mail with a link to the project.
- Always edit on the project that REK has created in Cristin, because this is the project that REK monitors. Do not create a duplicate in Cristin, as this will allow information about project participants, results and other things to be registered on the duplicate.
- How to edit a health project from REK in Cristin (only in Norwegian).
Application to REK
- REK's upcoming application deadlines
- Create a user account with REK
- Electronic forms for project application to REK
Submit final message to REK
When the project is completed, submit a final message to REK on a separate form. Information about the form can be found in REK’s case portal.
Previously, it was sufficient that research projects subject to Helseforskningsloven (the Health Research Act) applied for approval from REK, but with the introduction of the Privacy Regulation (GDPR) 20.07.2018, it is now required by law that all processing of personal data is pursuant to the Privacy Regulation.
The institution responsible for a research project shall ensure that the conditions set out in Article 6 (a-f) and Article 9 (a-j) of the Privacy Regulation are met, and be able to document it's processing of personal data:
- In the day-to-day running of a research project, the Principal Investigator is responsible for conducting research in compliance with the Privacy Regulation. More about this under the section Who is in Charge? at the top of this page, and the Responsibilities and tasks section at the bottom of this page.
- NSD's message form and message archive serve as a document archive of treatments for Kristiania University College.
Clinical trials should prior to the study be registered at clinicaltrials.gov. Subsequent registration is not accepted. Most medical journals require such registration to publish results from clinical trials.
This practice came into being in 2005, when The International Committee of Medical Journal Editors (ICMJI) introduced this requirement to publish clinical trial results in its journal.
The practice was later followed by most medical journals. More about Clinical Trials at ICMJI.
Registration of clinical trials is also supported by the Health Research Act Chapter 8, section 39, where it is stated that the research manager and project manager are responsible for ensuring transparency around the research.
Assesment of privacy consequences and advance discussions
Before the project processes personal data, a risk and vulnerability analysis (ROS assessment) must be carried out, in order to determine whether the information security is sound and, if necessary, what measures must be taken for information security to be sound. The ROS assessment will also help prevent unwanted incidents or deficiencies in the processing of personal data.
Key factors considered in a risk and vulnerability analysis are the scope of the project, the sensitivity of the information, the threat image surrounding the environment in which the data is processed and stored in, and the duration of the project.
- sikresiden.no: Template for risk assessment of personal data.docx (only in Norwegian)
Important: In projects that make use of external data processors, these must enter into a data processing agreement with the institution responsible for treatment. The responsible institution must then perform a risk and vulnerability analysis of the project before the data processor agreements are signed - otherwise the data processor agreements will not be valid.
The Privacy Regulation, Article 35, requires that a data protection impact assessment (DPIA) is carried out in advance of projects of a particularly intervening character. I.e. projects where special categories of personal data are processed on a large scale.
A DPIA must always be prepared in collaboration with the institution's management, the privacy ombudsman and the principal investigator.
The Privacy Regulation, Article 36 requires that an advance discussion be made with the Data Protection Authority in cases where a data protection impact assessment (DPiA) has been carried out, but one still believes that the processing can pose a high risk to the rights and freedoms of the data subjects.
Read more about advance discussions with the Data Protection Authority (only in Norwegian).
Responsibilities and tasks
Below are some key points about which responsibilities must be fulfilled by the principle investigator, or a project employee to whom the principle investigator delegates the task. All points may not be relevant in all projects. This must be considered in each case:
- In accordance with the principle of data minimization, the principal investigator must assess which data is adequate and relevant to the project's purpose and limit the data collection to these data.
- The principal investigator shall consider whether the research project can be carried out without collecting and processing personal data.
- The principal investigator shall assess whether the research project is subject to the Privacy Regulation and therefore obliged to notify the Norwegian Data Protection Services (NSD).
- If the research project is to process personal data, the principal investigator must send a message to NSD at least 30 days before the treatment is to start.
- The principal investigator must inform his or her research manager before applying to NSD or REK and be able to display the application and report form if requested by the research manager.
- The principal investigator shall ensure access control if there is a need for confidentiality when processing personal data in the project.
- The principal investigator must ensure that relevant and necessary documentation requirements are met in the project.
- If the research project wants to process personal data, then the principal investigator must conduct a ROS assessment of the project's information security. This is to prevent undesirable incidents or deficiencies in the processing of personal data which may have consequences for the research participants. The ROS assessment must be documentable. Use the ROS form from sikresiden.no: Template for risk assessment of personal data.docx (only in Norwegian)
- If NSD recommends conducting a Privacy Impact Assessment (DPIA) pursuant to Article 35 of the Privacy Regulation, then the principal investigator is responsible for involving the management and privacy ombudsman at Kristiania University College, and ensuring that a DPIA is conducted prior to the project start-up. NSD can also carry out a DPIA (only in Norwegian. See the section NSD assists), but it costs money and must therefore be approved by the management.
- The principal investigator shall create a data management plan for the data processing in the project. Use NSD's digital data management plan.
- The principal investigator shall assess whether the research project is covered by the Health Research Act so that it is obliged to report to the Regional Committee for Medical and Health Research Ethics (REK).
- If the project is covered by the Health Research Act, then the principal investigator must submit an application for advance approval to the Regional Committee for Medical and Health Research Ethics (REK).
- If the project involves clinical trials - then the principal investigator must register it in ClinicalTrials.
- The principal investigator shall prepare a consent declaration and information letter for the research project.
- The principal investigator must send a final message to NSD when the project is completed - if the project has been filed there.
- The principal investigator must send a final message to REK when the project is completed - if the project has been filed there.
- The principal investigator must properly eliminate all data when the project is completed.
The supervisor acts as the principal investigator in student projects at the bachelor / master level, and will provide students with training in privacy, research ethics and information security prior to the student’s project start up.
Below are some key points about which responsibilities must be met. All points may not be relevant in all student projects. This must be considered in each case:
- In accordance with the principle of data minimization, the student must - under the guidance of his / her supervisor - consider which data is adequate and relevant to the project's purpose and limit the data collection to this data.
- The student must - under the guidance of his / her supervisor - consider whether the student project can be completed without processing personal data.
- The student must - under the guidance of his / her supervisor - consider whether the student project can use data from Statistics Norway/NSD/microdata.no.
- The student must - under the guidance of his / her supervisor - consider whether the student project is covered by the Privacy Regulation so that it is obliged to notify NSD.
- If the student project is to process personal data, the student, under the guidance of his supervisor, must send a message to the Norwegian Center for Research Data (NSD) at least 30 days before the treatment is to start.
- If the student is to process personal data, the student must - under the guidance of his supervisor - make a risk assessment of the project's information security. This is to prevent undesirable incidents or deficiencies in the processing of personal data which may have consequences for the research participants. The risk assessment must be documentable. Use the ROS form from sikresiden.no: Template for risk assessment of personal data.docx (only in Norwegian)
- The student has a duty of confidentiality regarding personal data processed in a student project:
- The National Research Ethics Committees; The general research ethics guidelines, section 5 Confidentiality (only in Norwegian)
- The Higher Education Act; 4-6 The student's duty of confidentiality (only in Norwegian)
The exception to this duty of confidentiality is if you come across circumstances where you have a legal duty to avert serious criminal offenses. It is very unlikely that students will receive information of this kind, but should it happen, the student should immediately seek advice from their supervisor.
- Student projects should never be of such a nature that it is necessary to conduct a Privacy Impact Assessment (DPIA) in accordance with Article 35. of the Privacy Regulation. The supervisor is responsible for providing the student with clear information on this.
- The supervisor is obliged to consider whether a proposed student project is covered by the Health Research Act. If the project is covered by the Health Research Act, this will not be possible to accomplish without the student being part of a larger research project.
- At Kristiania University College, student projects that require the approval of REK will normally be part of a larger research project led by researchers at the college or an approved project at another institution. Clinical trials should be registered with ClinicalTrials.
- The student must - under the guidance of his / her supervisor - prepare a consent declaration and information letter for his / her student project.
- The student must send a final message to NSD - if the project has been filed there.
- The student must, under the guidance of his / her supervisor, properly eliminate all data that has been processed in connection with the project.