Research at UiO and the new data protection regulation
The mandate of UiO’s GDPR project is to account for the consequences the introduction of the General Data Protection Regulation has for the processing of personal data at UiO, and to ensure that the necessary procedures compliant with the regulation are implemented.
The project has received many questions regarding the consequences for research at UiO. This memo therefore seeks to inform you of the impact the new regulation will have for research at UiO.
Many of you have probably heard that NSD’s and REK’s privacy roles are changing, and that the new regulation is stricter than today’s. The project group is working on ensuring that the bigger changes are handled at the executive level, and that in practice, the impact on our researchers’ and research advisers’ existing procedures is minimal. In essence, all research involving use of personal data still needs to be reported to and assessed by REK or NSD. We are working on an overall quality system for research and a central register for all research at the university to make the administration of research simpler and clearer.
Below is an elaboration of the most pressing issues concerning research and the new regulation.
UiO’s privacy pages are continuously being updated, and will be fully updated and compliant with the new regulation in the course of summer 2018.
The GDPR project
Concessions, decisions and approvals from The Norwegian Data Protection Authority, REK and NSD, pursuant to the old regulation
The new regulation changes the legal significance, in privacy terms, of the concessions, decisions and approvals that The Norwegian Data Protection Authority, NSD and REK have until now granted the University of Oslo. This could potentially have major consequences for our research projects. In order to meet this challenge, UiO has adopted a decision to continue already granted prior authorisations as they stand, as this will ensure our research subjects’, students’ and employees’ privacy in a better way than if research and administration at the university come to a stop.
Requirement to have one Data Protection Officer
Supervisory authorities in Norway and Europe have interpreted the regulation so that it requires an entity to have only one superior Data Protection Officer (DPO) overseeing all processing of personal data. UiO has until now had an internal DPO for administrative processing of personal data and a DPO for research on personal data (NSD). These two roles have now been merged into one central DPO at UiO.
NSD and REK continue to assess research projects
The new regulation makes UiO responsible for assessing and approving research projects itself. Earlier, research projects were granted concessions by The Norwegian Data Protection Authority, ethical approvals for medical and health research from REK (which also meant a privacy approval, which GDPR no longer allows) and approvals from the Norwegian Centre for Research Data (NSD). To solve this issue, UiO is entering into an agreement with NSD so that they will still assess all projects in the same way as before, but then return with a recommendation on which UiO will largely base its decision.
REK will still make an ethical assessment of medical and health research. UiO must review REK's decisions and in addition make a privacy assessment. Our own assessment should be both seamless and effective.
Routines for researchers will therefore not change. Researchers at UiO will still apply to REK and NSD.
Overall quality system for research
For processing of personal data in research today, UiO has an internal quality system for medical and health research, while there is no such system for processing of personal data in other types of research. In order for UiO to have better and more comprehensive procedures concerning all types of research, we are working to expand the quality system for medical and health research to include all research, and with that establish a complete quality system for research.
Overview of all processing of personal data in research
The General Data Protection Regulation requires UiO to have a complete overview of all processing of personal data. For processing of personal data in medical and health research, UiO has such an internal overview in Forskpro (previously known as Helseforsk). For processing of personal data in other research, this overview lies externally in NSD’s research archive. In order for UiO to have a complete overview, and to implement better procedures for all research, we are expanding Forskpro to include all research.