Research and GDPR
All student and research projects that process personal data need to be registered and has to apply for the necessary approvals. In some cases, a data protection impact assessment (DPIA) must also be made.
Prior to starting a research project that processes personal data you have to, in addition to a lawful basis for processing, have the necessary approval that applies to your project. Where to apply for approval depends on what personal data you are going to process.
The Norwegian Centre for Research Data (NSD) provides privacy services for UiO. Student and research projects that process personal data, and that do not have purposes in medical or health research, must be notified to NSD.
When do you have to notify your project to NSD?
All student and research projects that process personal data must be notified to NSD. If you only process fully anonymous data in your project, you do not need to notify NSD. Fully anonymous data is information that can not in any way identify an individual – either directly through name or national identity number, indirectly through background variables, or through a name list / scrambling key, encryption formula and code. If you are unsure, contact NSD for more information.
The project must be notified to NSD no later than 30 days before data collection begins.
If you want to make changes in your project that differ from the information NSD's assessment is based on, a separate change request form must be submitted to NSD.
How to notify a research project
NSD has prepared a notification form that is to be used when notifying (new) research and student projects. It is important that all projects that process personal data are notified to NSD, and that you provide as many details as possible about your project in the form.
You can find the notification form on NSD's website. Here you will also find useful guidance and answers to frequently asked questions. NSD also has a chat feature you can use if you have questions while filling out the form.
The notification form is to be filled out by the person who is conducting the research project.
What should you include in the notification form?
Depending on the project; a copy of the questionnaire, interview guide, registration form, information letter, consent statement, advanced approval from The Regional Committees for Medical and Health Research Ethics for medical and health research projects or dispensation from professional secrecy requirements for other types of research (if applicable), etc. If you submit the notification form before the advanced approval is available, a copy of the approval must be submitted when available.
Saving personal data on a private device
In NSD's notification form, there is an option to save the personal data you have processed on your private device. If you choose this option, you will be asked to upload guidelines for saving processed personal data on a private device or an approval to do so by UiO.
Where you can save different types of data depends on the type of information you are researching. You can read about the different data categories (green, yellow, red, black) in UiO's data classification matrix. Only green data can be freely saved on a private device. Yellow data can be saved on a private device under certain conditions you can read about here. You are responsible for complying with UiO's procedures for saving processed personal data.
When you notify your project to NSD, they will assess its data protection and privacy impact. If the project is considered to likely not result in high risk to the privacy of natural persons, NSD will get back to you and give you clearance to start the project and data collection. If the project is assessed to likely result in a high risk to the privacy of natural persons, NSD will conduct an in-depth data protection impact assessment (DPIA). In the DPIA, NSD will map out the project's privacy risks and mitigating measures to those risks. NSD's final assessment, based on the DPIA, will then be forwarded to UiO, where the university's executive data controllers – by virtue of being responsible for the project – will evaluate and approve or reject NSD's assessment. UiO will then send its approval or rejection of the project back to NSD, who in turn will contact you with the result. All communication related to the project will take place between you and NSD.
When a student or research project is approved, it will be registered in NSD's project archive. The project archive is updated continuously and contains all information about your project.
Archiving project data
At the end of the project, NSD will contact the project manager, offering to archive project data.
If you have questions related to filling out the notification form, NSD can be contacted on 555 82 117 or e-mail: firstname.lastname@example.org. At UiO, questions can be addressed to email@example.com.
On the NSD website you can also check whether your project should be notified or not.
Medical and health research projects
All medical and health research with the purpose of obtaining new knowledge about health and disease, is subject to the Health Research Act, and must apply for advanced approval from the Regional Committee for Medical and Health Research Ethics (REC). REC is also responsible for providing advance approval for general and thematic research biobanks and dispensation from professional secrecy requirements for other types of research. REC’s assessments only address the research ethical aspects of a project, while the project’s privacy impact is assessed by UiO.
When do you need to apply for advance approval from REC?
REC shall provide advance approval for:
- medical and health research projects
- general and thematic research biobanks
- dispensation from professional secrecy requirements for other types of research
REC will reject your application if your research project falls outside their scope and mandate. Rejection from REC is not an approval, and you will need to contact NSD or UiO to ensure that your research projects receives other necessary approvals.
Medical and health research
For medical and health research projects on humans, human biological material or data concerning health, advanced approval of the project is required. According to the Health Research Act, applications for advance approval are to be sent to the Regional Committee for Medical and Health Research Ethics (REC).
The purpose of the research project is decisive regarding whether the project is to apply for advance approval from REC pursuant to the Health Research Act, or if it is to be notified to NSD pursuant to the Personal Data Act and the General Data Protection Regulation. For some projects, an application or notification to other agencies must be sent in addition to the REC application. This applies to clinical trials of pharmaceuticals on humans, clinical trials of medical equipment and research projects that are subject to the Biotechnology Act.
Research on patients and data concerning health for purposes other than obtaining new knowledge about health and diseases, for instance for purposes of social science, is regulated by the Personal Data Act and the General Data Protection Regulation (GDPR) and must be notified to NSD.
If you want to use previously collected data in research, this may require new approvals. Contact REC for clarification.
REC assesses whether the research project is ethically acceptable; the project’s benefits and risks are weighed against each other.
Read more about ethics and research ethics on REC’s website.
Data protection impact assessment (DPIA)
Because REC’s assessments only include the research ethical aspects of a project, it is UiO’s responsibility to assess a project’s privacy and data protection impact. Most medical and health research projects will meet the criteria that trigger a need for a data protection impact assessment (DPIA). This is an in-depth assessment of the project’s privacy and data protection risks and identification of mitigating measures to those risks. This assessment is conducted at UiO, where the executive data controllers and the data protection officer – based on the information from REC’s advanced approval – determine whether the project can start or not, or on what conditions the project can start up.
If you have received advanced approval from REC, it is important to remember that you can not start the project until you have received final approval from UiO.
If you have questions, contact firstname.lastname@example.org.
Quality assurance system for medical and health research
The quality assurance system for medical and health research is a guideline at UiO which aims to ensure that medical and health research, including clinical trials of pharmaceuticals and medical equipment, is planned, implemented and reported in such a way that ethical, medical, scientific and privacy matters are safeguarded. It also aims to ensure that the research holds a professional and satisfactory standard.
Forskpro is a system for keeping record of all medical and health research projects at UiO. The purpose of the system is to ensure compliance with the Health Research Act in keeping continuous record and overview of all projects. All medical and health research projects must be registered in Forskpro (information in Norwegian). Some institutes at UiO also require that all research at that institute be registered in Forskpro. This applies regardless of whether the purpose of the project is in medical and health research or not. Ask your research advisor about the guidelines at your department/institute.