Research ethics and data protection
Kristiania University College is subject to the Norwegian Research Ethics Act and associated regulations and adheres to national and European research ethics guidelines.
Kristiania University College has also drawn up dedicated research ethics guidelines based on the overarching regulations and a research ethics committee has also been established.
However, consideration for research ethics spans a much broader spectrum than just questions linked to permits/approvals pursuant to laws and regulations, and research group leaders must systematically ensure that the groups consider research ethics aspects.
- You must comply with both the rights and obligations set down in the Norwegian Act on Academic Freedom.
- You must be conscious of the fact that honesty is an absolute condition for scientific work.
- You must act in accordance with the ethical regulations applicable to your field of research.
- You must give recognition to colleagues and sources of information that are of significance to your own research.
- You must, provided it is possible, participate in a collegial community that communicates and analyses research methods and results.
- You must be able to explain how you manage the funds that have been made available to you.
- You must ensure that your scientific results are solid enough to support your conclusions and that raw data/source information for publications is available.
- You must follow the rules for scientific publishing for your field.
- You must allow for neutral dissemination of research: consequential thinking should include both possible benefits and possible ethical dilemmas.
- You must maintain and further develop your scientific qualifications.
- Each individual researcher is responsible for conducting research in accordance with laws and regulations, as well as recognised research ethics practices, and for complying with the ten commandments for proper research ethics.
- Teachers are responsible for training students in recognised research ethics practices where relevant.
- Supervisors are project managers for student assignments and are responsible for training their students:
- Recognised research ethics practices
- Data protection in research.
For supervisor and student responsibilities, please see: Ansvar og oppgaver > Veileder og student for et studentprosjekt on the Data protection in research web page.
- Research group leaders must ensure systematic consideration for research ethics and skills development (cf. applicable laws and regulations and recognised research ethics practices) in the research groups as part of quality follow-up.
- Heads of Department are responsible for supervising and ensuring that research in their own units is conducted in accordance with laws and regulations and recognised research ethics practices. They will also follow up on and ensure that any non-conformities are rectified.
- The institution of Kristiania University College has a general responsibility for ensuring that systems and frameworks have been put in place to ensure that research can be conducted in line with recognised research ethics practices and in compliance with laws and regulations. This includes a responsibility for ensuring that research employees have adequate research qualifications.
- The Research Ethics Committee(REC) at Kristiania University College has the overall supervisory responsibility and manages any matters relating to nonconformities (see below). The committee will also act as a driving force for research ethics considerations and skills development.
The Norwegian Research Ethics Act and regulations
Kristiania University College is subject to:
- The Norwegian Act on ethics and integrity in research (Research Ethics Act).
- Regulations on research ethics committees (Research Ethics Regulations).
Research Ethics Guidelines
Research at Kristiania University College must be conducted in accordance with:
- The general and field-specific research ethics guidelines that have been drawn up by The National Research Ethics Committees.
- The European Code of Conduct for Research Integrity drawn up by All European Academies.
The European Commission recognises this text as a reference for research integrity in EU-funded research projects and as a model for compliance for research institutions and researchers across Europe.
- Declaration of HelsinkiEthical principles regarding human experimentation. Developed by the World Medical Association. Last revised in October 2013.
- The Vancouver Convention:Recommendations for the Conduct, Reporting, Editing, and Publication of Scholarly work in Medical Journals (known as the Vancouver Convention or Vancouver recommendations), developed by the International Committee of Medical Journal Editors (ICMJE). The recommendations specify requirements that most medical journals use when publishing scientific articles. The recommendations provide both practical and ethical guidelines for authors. Read more about the Vancouver recommendations here.
Mandate and composition
The Research Ethics Committee will work to ensure that research at Kristiania University College takes place within the frameworks of research ethics and recognised research ethics practices and to promote consideration for research ethics.
The Research Ethics Committee will manage possible breaches of recognised research ethics standards as set out in the Norwegian Act on ethics and integrity in research (Research Ethics Act) and the Regulations on research ethics committees (Research Ethics Regulations).
The Committee will manage matters relating to scientific activities at Kristiania University College or that involve one or more parties with ties to the University College.
Scientific misconduct refers to falsification, fabrication, plagiarism and other serious violations of recognised research ethics standards that have been committed intentionally or grossly negligently during the planning, implementation or reporting of research . The committee will also play a preventive role in order to promote proper practice.
The Research Ethics Committee is appointed by and reports to the University College Board. The Board receives annual reports on the committee’s work .
 The Board has delegated the appointment of REC members to the Pro-Rector of R&D/AD.
- External chairperson
- Pro-Rector of R&D/AD
- Four members appointed by the Board
In addition to the permanent members, the committee may invite up to two other representatives, external or internal, as experts in each case. These must be experienced researchers with qualifications within the field to which the allegations of misconduct relate. When considering the case in question, these experts will be included as members of the committee.
The Integrity Committee will:
Consider allegations of deviations from proper scientific practice submitted to the committee and the committee shall, in line with Section 8 – Statements in cases of misconduct, provide a written statement and consider the following:
- a) Whether the researcher has committed scientific misconduct or not
- b) Whether there are any system errors at the institution and
- c) Whether the scientific work should be corrected or withdrawn.
Take the initiative for arranging lectures, seminars, meetings and other information sharing and training in accordance with Section 5 - Requirements relating to research institutions of the Norwegian Research Ethics Act.
Establish guidelines for the consideration of cases involving possible violations of recognised research ethics standards in accordance with Section 6 – Consideration of misconduct cases at research institutions of the Norwegian Research Ethics Act.
Report possible serious violations to the Investigative Committee ( Section 7 – Investigative Committee of the Norwegian Research Ethics Act).
Misconduct cases may be submitted to the committee by the Rector or Pro-Rectors or by a Head of Faculty, subject to the approval of the rectorate. The committee may also independently decide to consider a misconduct case. In cases that are submitted, the committee has a responsibility to ensure transparent case management in which all involved parties are heard.
Members of the Research Ethics Committee (2021-2023):
The members of the Research Ethics Committee were appointed on 28 March 2019 and were reappointed in 2021 for a further two years.
- Chairperson: Associate Professor Nicolai Nyland, University of South-East Norway
- Deputy chairperson: Professor Anne Bang Lyngdal University of South-East Norway
- Pro-Rector R&D/AD: Professor Trine Johansen Meza, Kristiania University College
- Member: Assistant Professor Helge Hiram Jensen, Kristiania University College
- Member: Assistant Professor Merete Kolberg Tennfjord, Kristiania University College
- Member: Assistant Professor Øyvind Aas, Kristiania University College
- Member: Head of Faculty for the Faculty of Performing Arts, Music and Studio Jørgen Langdalen, Kristiania University College.
- Secretariat: Marianne Grøn, Kristiania University College
Meetings and minutes
The committee will hold two meetings each semester (and may convene additional meetings as needed). The secretariat will convene meetings, prepare the agenda and take minutes. The Board receives annual reports on the committee’s work.
Reporting possible violations of integrity in research
- Guidelines for the consideration of cases involving possible violations of recognised research ethics standards at Kristiania University College
- Report form in the event of possible violations of recognised research ethics standards at Kristiania University College
Please send the report form to: email@example.com
Data protection in research
Various data protection considerations must be assessed and safeguarded in connection with all research projects.
Data protection in research
The researcher (project manager) is responsible for ensuring that all requirements relating to data protection are met in the research project.
For bachelor’s and master’s theses, the supervisor will have the project management responsibility and will train and follow up on the student.
Kristiania University College has the institutional responsibility for accommodating and ensuring that data protection requirements are met. In the event that there is a need for advice and guidance, the following contact persons are available via the administrative support system.
Questions relating to the duty to report to NSD and REC, requirements concerning informed consent and data processing agreements in research projects:
- Research Adviser/Lawyer Leiry Cornejo Chavez
Questions concerning the assessment of risk and privacy consequences (ROS, DPIA and prior discussions with the Norwegian Data Protection Authority), data management plan, secure storage of research data:
- Security Adviser Ivan Talwar
Questions relating to the personal data act (GDPR):
- Lawyer/Data Protection Officer Taisiia Demina
The General Data Protection Regulation (GDPR) for the EU/EEA area:
The Norwegian version of the GDPR is the Norwegian Personal Data Act.
Information that can directly or indirectly identify a person. Directly identifiable personal data is names, personal identification numbers, e-mail addresses, telephone numbers, IP addresses or other personal characteristics. Indirectly identifiable personal data is background information that may make it possible to trace the information back to an individual, e.g. municipality of residence or institutional affiliation combined with information about age, gender, occupation, nationality, etc.
Special categories of personal data
(previously known as “sensitive personal data”)
According to the GDPR, the processing of the following personal data is prohibited:
- information about racial or ethnic origin
- information about political opinions
- information about religious beliefs
- information about philosophical beliefs
- information about trade union membership
- genetic information
- biometric information for the purpose of unambiguously identifying anyone
- health information
- information about sexual relationships
- information about sexual orientation
However, there are exceptions to such prohibition.
The Data Controller is the institution/company/other legal person (represented by senior management) that determines the purpose of the processing of personal data and the aids that will be used. In a research project, the project manager must ensure that all external data processors in the project have sufficient levels of security (cf. the data protection impact assessment, DPIA).
A Data Processor is an individual or company outside of the Data Controller’s organisation that processes personal data on behalf of the Data Controller. Examples of data processors include external providers of questionnaires, transcription assistants or interpreters. Please refer to the data processing agreement templates here.
Processing of personal data
The processing of personal data refers to collecting, registering, storing and, if applicable, compiling and disclosing personal data. The data subject must have provided informed consent (cf. the information letter and consent).
Data management plan
A data management plan (DMP) sets out the project manager, project name, project period, which data will be collected, stored, processed and used, including how and who by, while a research project is ongoing, as well as the storage location, retention period and what happens to data after the conclusion of the project (whether the data will be destroyed/archived/published).
Kristiania University College plans to use the information in the data management plan to also keep an overview of the institution’s data registers. This is important in order to ensure compliance with the GDPR and requirements for secure data storage, as well as to ensure that the collection of data is coordinated between projects and that existing data is reused (cf. Open Science)
No research must be conducted on individuals or groups without these having explicitly given informed consent to participate in the research. Prior to the study, the research participants must have received a written information letter that explains the purpose of the research project, that participation is voluntary, what their participation would entail and that they can leave the study without providing any reason.
The information letter and declaration of consent must be worded using clear and simple language that can be understood by participants. The consent given by the research participant must subsequently be documentable, which, in most cases, would require a written signature on a declaration of consent. This has been set down in law in Article (part 11), Article 6 (part 1A) and Article 7 of the GDPR and Chapter 4 of the Norwegian Health Research Act.
The information letter must specify:
- The Data Controller’s institution.
- Contact details for the researcher (or student supervisor).
- The purpose of the project and what the data will be used for.
- That participation is voluntary and that participants may withdraw at any point during the study without providing any reason.
- How to withdraw consent. For example, the contact details for a specific person that the research participant can contact to withdraw their consent. This has been set down in law in Article 7, part 3 and Article 17 of the GDPR.
- The planned conclusion date for the project and an explanation of what will happen to personal data after conclusion of the project (deletion or continued storage).
The information should also include:
- An introduction that presents the purpose of the project and that asks if the recipient would like to participate.
- A description of the methods that will be used to collect data and what this means for the participant.
- Confirmation that the data will be treated confidentially.
- A list of who has access to personally identifiable data.
- Details of which agencies the project has been registered with or already approved by (e.g. NSD, REC, the Norwegian Data Protection Authority).
Competence to consent
The person who consents to participate in a research project must have competence to consent.
The following have competence to consent:
- Persons of legal age.
- Minors older than 15 years of age have competence to consent, unless otherwise set out in special legal provisions or determined by the nature of the research.
- For children under 15 years of age, parents should consent on behalf of the child, but the child should want to participate. If special categories of personal data will be collected, the young person must be 16 years of age or older in order to participate.
For medical and health research, there are special rules relating to competence to consent, as defined in Section 17 of the Norwegian Health Research Act and Section 4-3 of the Norwegian Patient and User Rights Act.
The following do not have competence to consent:
- Persons of legal age with physical or mental disorders and who are unable to understand what the consent encompasses and entails.
- Patients experiencing clinical emergencies.
- Minors between 16 and 18 years of age if the project relates to bodily intervention or pharmaceutical trials.
- Minors under the age of 15. Nevertheless, children between 12 and 16 years of age do have the right to demand that the data they provide as part of the project will not be disclosed to parents or others.
Declaration of consent
- Consent must be voluntary, explicit and documentable:
- Voluntary means that consent has been given without unreasonable influence.
- Explicit means that the consent must be an explicit action, such as signing a declaration or making a keystroke.
- Documentable means that it must be possible to retrospectively demonstrate the consent.
- The Project Manager has the overall responsibility for ensuring that consent is obtained correctly, but the task can be delegated. The person to which the task has been delegated must have the necessary and sufficient knowledge of the research project in question in order to fulfil the task.
- The declaration of consent must include a signature field and a date field, as well as a declaration such as: “I have received written information and I am willing to participate in the study.”
- The informant must have a copy of both the information letter and the signed declaration of consent.
- A new declaration of consent must be obtained in the event of significant changes to the research project that it is assumed will have an impact on the research participant’s consent. The REC may approve exceptions from this requirement.
Storage of the declaration of consent:
- The Project Manager is responsible for ensuring that all original, signed declarations of consent are properly stored while the research project is ongoing, i.e. the original paper copies must be securely locked away.
- In student projects, the supervisor is responsible for securely storing all original signed declarations of consent while the project is ongoing.
- All declarations of consent must be deleted when data has been anonymised or deleted.
Guides and templates
- The Norwegian Data Protection Authority’s guide to consent
- The NSD template for information letters and declarations of consent
- The REC template for information letters and declarations of consent
Legal basis for informed consent
- Article 4, 6, 7 and 17 of the General Data Protection Regulation.
- Sections 13-20 and 28 of the Norwegian Act on Medical and Health Research (the Health Research Act).
- Sections 1-3, 4-2, 4-3, 4-4 and 4-7 of the Norwegian Act on Patient and User Rights (the Patient and User Rights Act).
- Section 9 of the Regulations on the organisation of medical and health research.
Duty to notify the Norwegian Centre for Research Data (NSD)
Projects that will process personal data are subject to the GDPR and must be reported to NSD. Please note that the duty to notify applies even if you will not be publishing any personal data. The crucial factor in determining whether to submit a notification form to NSD for the project is how you will process personal data throughout the entire project, from the time of commencement of data collection until results are published. The legal basis for the above is set down in Article 2, part 1 of the GDPR.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Sentrale begreper > Behandling av personopplysninger
Take the “duty to notify” test
Take the NSD “duty to notify” test if you are unsure whether your project has a duty to notify.
Register your project
Reduce the assessment time
The assessment time will be shorter if you provide complete information about the project in the notification form and submit the required documentation. Assessment may take longer for complex projects. Read the NSD tips to reduce assessment time.
The NSD contact person
The NSD contact person at Kristiania University College is the person responsible for correct and proper compliance with the legal provisions relating to information security and internal control. The contact person must be employed by the data controller institution.
- In researcher-led projects (including PhD projects), the contact person will be the Project Manager.
- In student-led projects (bachelor’s or master’s), the supervisor (or assistant supervisor or subject coordinator at the place of study) will be the contact person. The student themself cannot be the contact person.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Sentrale begreper > Kontaktperson
The principle of data minimisation
As a research (and student researcher), you must only collect data that is relevant and necessary for the purpose of your research ( Article 5, part 1C of the GDPR). It is therefore important that you carefully consider whether it is necessary to collect personal data in order to conduct the project investigations. Could anonymous data, i.e. data that cannot be traced back to individuals either directly or indirectly, serve the purpose of the project just as well?
The data protection principle of limiting the collection of personal data to what is necessary for the purpose is called “data minimisation”. Data minimisation is defined as follows on the NSD web pages:
Data minimisation means that you should not collect more data about your sample selection than is necessary to fulfil the purpose of your research. If any of the personal data you wish to collect is not necessary to achieve the purpose, the data should not be collected. Data minimisation is one of the data protection principles set down in the GDPR.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Sentrale begreper > Dataminimering
Kristiania University College also recommends that project managers coordinate collection and facilitate the reuse of data.
What is anonymous data?
Anonymous data is data that cannot identify individuals in data material in any way;
- either directly through names or personal identification numbers
- or indirectly through background variables
- or through name lists/link keys or encryption formulas and codes
In other words, data material is not anonymous if only what is published in the final report, article, master’s thesis or similar is anonymised. Raw data must also be anonymised.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Sentrale begreper > Anonyme opplysninger
How can I implement a project without reporting it?
Projects that process anonymous data throughout the entire research process should not be reported to NSD. In order for data to be considered anonymous, it must not be possible to link the data to personal data using a code or link key. Here are some of the methods that may be used:
- Data is recorded only in the form of notes (no audio recordings) in connection with interviews and observations. Ensure that no names or other personally identifying background data are recorded in the data material.
- Questionnaires must be collected as paper copies, without names or any indirectly identifying data.
- In order for the use of online questionnaires not to be covered by the act, it is important to ensure that the IT solution is completely anonymous (including ensuring that the e-mail/IP address of the respondent cannot be linked to the questionnaire at any time) and that the questionnaire itself does not contain any questions about identifying data. NOTE: Anyone at Kristiania University College can use Nettskjema, which offers an anonymous solution.
- Register data and record data can be used without reporting as long as only anonymous data is retrieved. It must not be possible to trace the data back to any individuals in any way. There is a large amount of anonymous register data available online, including from Statistics Norway and NSD.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Hvordan kan jeg gjennomføre et prosjekt uten at det må meldes?
How do I anonymise data material?
Anonymisation involves processing the data in such a way that no individuals can be recognised from the remaining data material. You must therefore consider your data material and which information must be removed or changed.
Anonymisation normally involves:
- deleting directly identifying data (including link keys/name lists)
- deleting or reworking indirectly identifying data (for example by using general classification of variables such as age, place of residence, school, or similar)
- delete (or edit/censor) audio recordings, photos or video recordings
If you use a data processor, the data processor must also delete any identifying data.
You are generally permitted to store anonymous data material after the conclusion of the project, as the GDPR does not apply to anonymous data. Nevertheless, you must always ensure that you have reworked the data material sufficiently to ensure that no individuals can be recognised. However, there are still some cases in which you will be required to delete the full data material. This applies, for example, if you have promised the sample selection that the data material will be deleted or when data owners, such as Statistics Norway, require you to delete the complete data material upon completion of the project.
Please note that you are not required to delete personal data in publications/theses. Personal data can generally be published, provided you have a scientific justification and you have obtained consent from participants. Please also refer to the Norwegian Data Protection Authority’s guide to anonymisation.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Hvordan anonymiserer jeg datamaterialet?
Norwegian Centre for Research Data (NSD)
The Norwegian Centre for Research Data (NSD) has data materials comprising thousands of datasets, to which you can request access. Some of the datasets are also available online. Read more on the new NSD search portal “Vi er på vei”
Microdata.no is another web page subject to the NSD, which facilitates the use of register data for research.
Statistics Norway lends out microdata for research projects and holds data relating to individuals, organisations and companies. Read more on the Statistics Norway web pages.
Collection of personal data abroad
Researchers and students at institutions in Norway that collect personal data abroad must apply for permission from NSD in the same way as for data collection in Norway.
NSD > Personverntjenester > Få hjelp til å melde prosjekt > Jeg skal samle inn data i utlandet. Do I have to report the project in Norway?
Researchers/students that research information that has been made available online must report the project to NSD if they process personal data using a computer.
The processing of personal data may include storing documents from open or closed discussion forums that include the usernames of discussion participants. Another example would be to use direct quotes from web pages. Quotes are searchable and can therefore be linked back to identifiable persons.
Generally those who are being studied must consent to participating in the study, but exceptions may be granted in certain cases. There is more about online research on the NSD web pages.
Delete data and submit a final report to NSD when the project is completed
The Project Manager is responsible for ensuring that data is anonymised, deleted or securely stored in the long term in accordance with the permits granted to the project.
In student projects, the Project Manager (supervisor) must submit the final report to NSD when the project is completed. If this is not done, NSD will contact Kristiania University College, which in turn will contact the Project Manager to request submission of the final report.
Prior approval from the Regional Research Ethics Committees (REC).
All research projects that are subject to the Norwegian Health Research Act are required to obtain prior approval. REC approves applications pursuant to the Norwegian Research Ethics Act and the Norwegian Health Research Act. Please also refer to the section on permits and approvals.
Submission assessment: If you are unsure whether the project is required to obtain prior approval from REC, you can submit a submission assessment, which will provide REC with a basis for further guidance.
The following projects are subject to prior approval from the REC
- Project application: Application for prior approval of medical and health research projects
- General biobank: Application for the approval of a general biobank
- Exemption from duty of confidentiality relating to other research: Application for exemption relating to other research
Please provide your CRIStin ID when submitting an application to the REC
- Find your personal CRIStin ID and store it on your REC personal card. Your CRIStin ID must be registered on your personal card in the REC application portal before the application is submitted to the REC.
- When/if the project is approved by the REC, the project will be automatically created in CRIStin (via the SPREK portal, which is the REC register of REC-approved research projects). At the same time, the Project Manager will receive an e-mail containing a link to the project. No duplicates of REC-approved projects may be created in CRIStin.
- Changes to REC-approved projects must be registered in CRIStin so that REC has access to the changes.
Submit a final report to REC
When the project has been concluded, the Project Manager must submit a final report to REC using a separate form. Information about the form can be found in the REC case portal.
Health research and the duty to notify NSD
The GDPR stipulates that all processing of personal data must have a legal basis for processing set down in the GDPR. The fact that the project has been registered with REC does not preclude registration with NSD.
Clinical trials must be registered in ClinicalTrials
Clinical trials must be registered with clinicaltrials.gov prior to the study commencing. Late registrations will not be accepted. The purpose of registration includes providing an overview of and transparency in relation to ongoing clinical trials for patients, healthcare personnel, authorities and research communities. Most medical journals require such registration in order to publish the results of clinical trials. More about Clinical Trials from the ICMJI.
Public registration of clinical trials will contribute to a greater degree of transparency in relation to ongoing clinical trials and will thereby increase participation in clinical trials and provide opportunities for access to experimental treatment. Chapter 8, Section 39 of the Norwegian Health Research Act clarifies that the Research Manager and Project Manager are responsible for ensuring transparency in relation to the research.
Population-based health trials
The Regulations relating to population-based health trials govern the collection and processing of health data and human biological material in population-based health trials. Section 1-2 outlines the scope of application of the regulations.
Risk and vulnerability assessment (RVA)
Before the project can process personal data, a risk and vulnerability assessment (RVA) must be conducted in order to identify whether information security is appropriate and, if applicable, which measures must be taken in order to ensure appropriate information security. The RVA must also help prevent adverse events or shortcomings in the processing of personal data.
Key factors that are considered in an RVA are project scope, data sensitivity, the threat situation in relation to the environment in which the data is processed and stored and the duration of the project.
- no: MAL for risikovurdering av personopplysninger.docx (Template for the risk assessment of personal data)
Important: For projects that use external data processors, the data processors must enter into data processing agreements with the data controller institution. The data controller institution must then have conducted an RVA of the project prior to entering into a data processing agreement, as the data processing agreement would otherwise not be valid.
Data protection impact assessment (DPIA)
Article 35 of the GDPR requires data protection impact assessments to be conducted prior to projects of a particularly invasive nature. For example, projects in which special categories of personal data are processed on a large scale.
A data protection impact assessment must always be drawn up in partnership with the institution management, Data Protection Officer and Project Manager.
Prior discussion with the Norwegian Data Protection Authority
Article 36 of the GDPR requires a prior discussion to take place with the Norwegian Data Protection Authority in cases where a data protection impact assessment (DPIA) has been conducted but it is found that processing could entail a high risk to the rights and freedoms of data subjects.
Read more about prior discussions with the Norwegian Data Protection Authority.
The Project Manager of a research project
Some central factors relating to the responsibilities that must be managed by the Project Manager or a project employee to which the Project Manager has delegated the task are listed below. Not all factors may be relevant to all projects. The following must be considered on a case-by-case basis:
- the principle of data minimisation, the Project Manager must consider which data is adequate and relevant to the purpose of the project and limit the collection of data accordingly.
- The Project Manager must consider whether the research project can be implemented without personal data being collected and processed.
- The Project Manager must consider whether the research project is subject to the GDPR and is therefore subject to the duty to notify the Norwegian Centre for Research Data (NSD).
- If the research process will involve the processing of personal data, the Project Manager must notify NSD no later than 30 days before processing is scheduled to commence.
- The Project Manager must inform their Research Managerand the Department of Research Administration and Internationalisation before submitting an application to NSD or a notification to REC and must be able to present the application and notification form if requested by the Research Manager.
- The Project Manager is responsible for ensuring access control in the event that there is a need for confidentiality in connection with the processing of personal data in the project.
- The Project Manager must ensure that relevant and necessary documentation requirements are met in the project.
- If NSD recommends conducting a data protection impact assessment (DPIA) pursuant to Article 35 of the GDPR, the Project Manager will be responsible for involving Kristiania University College management and the Data Protection Officer to ensure that a DPIA is carried out prior to commencement of the project. NSD may also conduct a DPIA (please refer to the section concerning assistance from NSD), but this costs money and must therefore be approved by management.
- The Project Manager must create a data management plan for the processing of data in the project. Please use NSD’s digital data management plan
- The Project Manager must consider whether the research project is subject to the Norwegian Health Research Act and whether there is therefore a duty to notify the Regional Committee for Medical and Health Research Ethics (REC).
- If the project is subject to the Norwegian Health Research Act, the Project Manager must submit an application for prior approval to the Regional Committee for Medical and Health Research Ethics (REC).
- If the project includes clinical trials, the Project Manager must register the project with ClinicalTrials.
- The Project Manager must draw up a declaration of consent and information letter for the research project.
- The Project Manager must submit a final report to NSD when the project has been completed, if NSD has been notified of the project.
- The Project Manager must submit a final report to REC when the project has been completed, if REC has been notified of the project.
- The Project Manager must properly eliminate all data when the project has been completed.
Supervisors and students in student projects
Supervisors act as the Project Manager in student projects at bachelor’s/master’s level and will provide students with the necessary training in data protection, research ethics and information security before students start their student projects.
Some key factors relating to the responsibilities that must be fulfilled are listed below. Not all factors may be relevant to all student projects. The following must be considered on a case-by-case basis:
- the principle of data minimisation, the student, supervised by their supervisor, must consider which data is adequate and relevant to the purpose of the project and limit the collection of data accordingly.
- The student must, supervised by their supervisor, consider whether the student project can be implemented without personal data being processed.
- The student must, supervised by their supervisor, consider whether the student project can be implemented using data from SSB/NSD/no
- The student must, supervised by their supervisor, consider whether the student project is subject to the GDPR so that the duty to notify the NSD applies.
- If the student project includes the processing of personal data, the student, supervised by their supervisor, must submit a notification form to the Norwegian Centre for Research Data (NSD) no later than 30 days before processing is scheduled to commence.
- If the student will process personal data, the student, supervised by their supervisor, must carry out a risk assessment of the project information security. This is to prevent adverse events or shortcomings relating to the processing of personal data that could have consequences for research participants. The risk assessment must be documentable. Please use the RVA form from sikresiden.no: MAL for risikovurdering av personopplysninger.docx(Template for the risk assessment of personal data)
- The student will be subject to a duty of confidentiality relating to personal data processed in a student project:
- The National Research Ethics Committees’ general research ethics guidelines 5 Confidentiality
- The Norwegian Universities and University Colleges Act 4-6 The Student’s Duty of Confidentiality
The exception from this duty of confidentiality is cases where you identify matters for which you have a legal duty to avoid serious criminal offences. It is extremely unlikely that students will receive information of such a nature, but, in the event that it does happen, the student must immediately seek advice from their supervisor.
- Student projects should never be of such a nature that it is necessary to conduct a data protection impact assessment (DPIA) pursuant to Article 35 of the GDPR. The supervisor is responsible for providing the student with clear information about this.
- The supervisor has a duty to consider whether a proposed student project is subject to the Norwegian Health Research Act. If the project is subject to the Norwegian Health Research Act, the project cannot be implemented without being part of a larger research project.
- At Kristiania University College, student projects that require approval from REC will normally be part of a larger research project led by researchers at the University College or approved projects at other institutions. Clinical trials must be registered with ClinicalTrials.
- The student, supervised by their supervisor, must draw up a declaration of consent and an information letter for their student project.
- The student must submit a final report to NSD if NSD has been notified of the project.
- Under the direction of their supervisor, the student must properly eliminate all data that has been processed in connection with the project.