Routines for processing personal data in research projects
All research projects that process personal data must apply to the Norwegian Center for Research Data (NSD) for an assessment of privacy. In some cases, it is also necessary to do a data protection impact assessment (DPIA).
A research project that processes personal data must have a researcher who is responsible for ensuring that the project meets the requirements of the privacy regulations.
Project managers have an independent responsibility for the privacy of research projects. PhD students are considered project managers for their PhD project when it is not a medical and health research project. In medical and health research projects, the responsibility is governed by procedure 2 "Project managers' responsibility" in the Quality System for Medical and Health Research.
Student supervisors are responsible for the privacy of student research at the bachelor and master's level. However, students also have an independent responsibility for ensuring that privacy is safeguarded.
When planning a research project that processes personal data, you must consider whether the project is in line with the research ethics guidelines. If this is not the case, adjustments must be made so that the project is in line with these guidelines.
Furthermore, in the planning of the research project, you must identify which approvals are necessary for your project, and consider what should be the project's legal basis for processing personal data.
Processing of personal data in student or research projects
NSD conducts privacy assessments on behalf of UiO. If you will be processing personal data in your project, you must apply to NSD.
This rule also applies to projects within medical and health research from 01.01.2020. For supplementary rules on medical and health research see the Quality System for medical and health research and information on transitional rules.
The project must apply to NSD at least 30 days before data collection starts. To reduce the assessment time at NSD, we recommend that you read Tips to reduce the assessment time (NSD). If changes are made to the project plan after NSD has completed their assessment, a separate change form must be submitted.
Medical and health research projects can apply to NSD in parallel with the application for ethical pre-approval by regional ethics committees (REK).
If you process fully anonymous data in your project, you do not need to apply to NSD. Anonymous data is data that cannot in any way identify individuals - either directly through name or birth number, indirectly through background variables, or through the name/link key, encryption formula and code. If you are unsure whether the research project is processing personal data, please contact NSD.
How to report a research project?
NSD has compiled a form to be used for reporting research and student projects. It is important that all projects that process personal data are reported and that you provide as much detail as possible about your project.
The form is available on NSD's website. Here you will find useful guidance and answers to frequently asked questions. NSD also has a chat feature you can use if you have questions while filling out the form. The person who will carry out the project must complete the form.
What should be attached to the form?
A copy of the questionnaire, interview guide, registration form, information letter, statement of consent, application / recommendation from the Regional Committee for Medicine and Health Research Ethics (if applicable), decision on exemption from the duty of confidentiality, etc. must be attached to the form. If the form is submitted before other decisions are made, a copy of these decisions must be forwarded later.
If you select "private device storage" when completing NSD's message form, you will be prompted to upload private storage policies, or UiO approval. You will find storage guidelines in UiO's Data storage guide. Where you can store different types of data depends on the type of information in your research project. You can read about the different categories of data (green, yellow, red, black) in UiO's data classification. Only green data can be stored freely on a private device. Yellow data can be stored on a private device under certain conditions that you can read about here. You are responsible for following the storage routines.
When you report your project to NSD, they will make an assessment of the project's privacy impact. If the project is not considered to result in a high risk to the data subjects' privacy, NSD will give you feedback that you can start the project and the data collection. If the project is assumed to pose a high risk to the data subjects' privacy, NSD will conduct an in-depth privacy impact assessment where risks and measures to mitigate the risks are mapped. This is called a DPIA. NSD's final assessment will then be submitted to the data handling officers at UiO, who will evaluate and approve NSD's overall assessment. UiO's evaluation and decision are sent back to NSD. NSD will then contact you with the result. All communication in connection with the project will be between you and NSD.
When a student or research project is approved by NSD, it will be registered in NSD's project archive. The project archive is constantly updated, and contains all information about your project.
Sharing personal data
If you are going to share personal data with other people, institutions, organizations or businesses outside UiO, you must clarify whether you are allowed to share said data.
If others are to process personal data on your behalf, a data processing agreement is required. You can read more about data processing agreements here (Norwegian only).
Ensure safe storage
Personal data must be processed in a manner that provides adequate security and protection against unauthorized access and damage. At UiO, recommendations have been made for storing data based on a classification that safeguards these considerations.
Access should be limited so that only those persons who are participating in the research project have access to personal data. A pseudonym can be used to further restrict access to sensitive information. This means that directly identifying information has been removed so that personal data can no longer be associated with a specific person without the use of additional information.
Archiving project data
Personal data shall not be stored for longer than is necessary to achieve the purposes for which the personal data is collected. When the research project is completed, the data shall either be deleted or anonymized. In some cases, the data may be archival-worthy and can then be transferred to an archive for further storage. NSD can recommend how to handle personal data at the end of the project.
Upon completion of the project, NSD will contact the project manager with an offer to archive project data.
Any deviations from these routines, or from privacy regulations in connection with the processing of personal data in the research project, are to be reported to UiO-CERT.
Forskpro (formerly Helsforsk) is a system used for keeping track of medical and health research projects at UiO. The purpose of the system is to contribute to compliance with the Health Research Act's requirements for continuous review and follow-ups. All medical and health research projects must be registered in Forskpro. Additionally, some institutes at UiO require that all research projects at the institute are also registered in Forskpro. This applies regardless of whether it is a medical and health research project or not. Ask your research advisor about the routine of your institute.
Transitional rules for the new routine for medical and health research
Ongoing medical and health research projects that have previously received an assessment/approval of the project's privacy risks do not, in principle, need to apply to NSD.
Ongoing medical and health research projects that implement project changes approved by REK after 01.01.2020 must also apply to NSD if the changes in the project have altered consequences for the privacy of the research participants. If you are in doubt whether the changes will have any privacy related consequences, please contact firstname.lastname@example.org.
Medical and health research projects that have applied to REK before 20.12.2019 can still obtain an internal approval of privacy if the data handling officers are notified of this at email@example.com.
If you have any questions related to the completion of the NSD form, NSD can be contacted on tel: 555 82 117, e-mail: firstname.lastname@example.org, or by chat. At UiO, questions can be addressed to email@example.com.
On NSD's website you can also check if you have to report your project.