Privacy Protection and Research Papers
When writing a research paper (e.g. bachelor’s thesis, master’s thesis, etc.) in which you wish to include sensitive information, medical information, or other personal information from individuals, there are a number of requirements you must satisfy in addition to formally securing permission before you can begin work.
What types of research do these guidelines cover?
The requirements described here apply to all internally and externally funded research at UiO where personal information is used – whether in quantitative or qualitative form.
Limitation: These guidelines do not cover personal information used in medical and health studies research. See UiO’s web pages For Employees regarding routines and guidelines for handling of personal information in medical and health studies research.
What responsibility do student researchers have for research participants’ (respondents or informants) privacy protection?
The student researcher’s responsibilities include:
- Reviewing and understanding the rules that govern the use of personal information in research at UiO and routines for processing personal data in research projects.
- Following the rules for use of personal information in research at UiO.
- Seeking assistance from their advisor or coordinator for the work at their department if there is any doubt about what rules apply or how the rules should be interpreted or implemented.
- Not beginning collection or other use of personal information before the necessary permissions are in place.
What responsibility do you as a research paper author have for the personal information you gather and use in your work?
You are responsible for the privacy of the participants in your research project (respondents and informants) when you use their personal information.
Your responsibility covers all phases of the research project:
1. During the planning/start-up phase
The planning or start-up phase is the part of the research project that lasts from the conceptual development/application (for funds and/or permission) stage until the data collecting process begins.
During this phase, your responsibilities include:
- deciding on and documenting the types of personal information used in the research project.
- ensure and document that you have lawful basis for processing of personal data, such as consent (For Employees pages, in Norwegian).
- designing the document that will be distributed to respondents and informants informing them of their Personal Privacy Rights (as described on our For Employees pages, in Norwegian).
- registration of the research project with Norwegian Centre for Research Data (NSD) no later than 30 days before the data collection is to start via their registration form. Your advisor can help you with this.
- assuring that secure techniques for collection, storage, transfer, and analysis of the research data (personal information) provided by UiO are used for the project.
- carrying out a risk analysis of the information security (UiO’s For Employees pages, in Norwegian) of the research data (personal information) that is not processed with the technical solutions provided by UiO for secure collection, storage, transfer and analysis of such data.
2. During project implementation
The implementation phase is the part of the project that comprises data collection and analysis of the collected data (personal information).
Your responsibilities during this phase include:
- answering inquiries from respondents or informants regarding their personal privacy rights, as described on UiO’s For Employees pages in Norwegian.
- assuring responsible deletion (UiO’s For Employees pages in Norwegian) or anonymization of research data/personal information (UiO’s For Employees pages in Norwegian) in the event respondents or informants rescind their consent to participate in the project.
- verifying that personal information processed in the project is not used for entirely different purposes or in any other way than the respondents or informants have agreed to
- asking the respondents or informants for new/updated consent if the collected information is to be processed for other purposes or in other ways (e.g., stored longer or used in a new project) than they originally agreed to.
- verifying that terms in agreements with any external information providers, such as registry owners or partners at other institutions are followed.
- reporting irregularities that occur during the processing of information about respondents or informants in the project. See Rutine for melding av avvik (UiO’s For Employees pages in Norwegian).
3. At completion
The completion phase comprises the part of the research project when the data analysis is complete and the collected data (personal information) must be deleted, anonymized, or transferred to others for further retention.
During this phase, the project manager is responsible for the following tasks:
- Determine which personal information about respondents or informants shall be deleted and which information will be retained (archived) after the end of the project.
- Ensure that all personal information about respondents or informants which will not be retained after the end of the project is properly deleted (see UiO’s For Employee Pages in Norwegian).
- Ensure that personal data that will be retained after the end of the project is properly anonymized (see UiO’s For Employee Pages in Norwegian).
- Ensure that personal information that will be retained after the end of the project is properly stored.
- Ensure that the master's theses containing confidential information are properly categorized in DUO. It is also possible to postpone or deny electronic access to the material.
- Send a final report to NSD.