Roles and requirements
Roles
The data controller is the institution that determines the purposes for which and the means by which personal data is processed. If two or more data controllers jointly determine the purposes and means of data processing, they will be joint data controllers and must enter into a joint data controller agreement.
The project manager is responsible for ensuring that privacy is safeguarded in each individual project. PhD students are project managers for their own projects. In student theses, the appointed supervisor is the project manager. The project manager’s responsibility is to determine the purpose of the project and determine whether it is necessary to process personal data to achieve this purpose.
Project team members and students have a duty of confidentiality, must safeguard the privacy of participants, and must carry out the project in accordance with the assessment from Sikt and, if applicable, the approval from REK. Project team members and students must complete the necessary training in privacy and information security before processing personal data in the project.
Approvals, assessments, and agreements
The project management must determine whether certain approvals, assessments and agreements are necessary before the project begins:
- Processing personal data: If personal data will be processed, the project must be submitted to Sikt for assessment. See the page about the Sikt notification form.
- Health research: Health research must be preapproved by REK before the project can start. Health research is research on people, human biological material or health information where the purpose of the project is to acquire new knowledge about health and disease. For information about the distinction between health research and other types of research that handle personal data, see REK’s website. Ethical preapproval from REK should be included in the Sikt notification form. Read more about REK procedures.
- High risk: If it is likely that the project will involve a high risk for the participants' privacy, a Data Protection Impact Assessment (DPIA) must be carried out.
- Data processor agreement: If you outsource parts of the processing to a business/institution outside VID.
- Joint data controller agreement: When VID and an external institution must be considered to have joint data controller responsibility and there must be a transfer of personal data between the businesses/institutions.
- Data transfer agreement: When transferring personal data between two data controllers in relation to a specific project.
- Transcription agreement: For research projects where an individual will transcribe interviews. In addition, a declaration of confidentiality must be signed. If a company/business will be used for transcriptions, a data controller agreement should be used instead.
- Declaration of confidentiality: When external staff or students who are not employed by VID take part in a research project.
- Master’s project that is part of a larger research project: An agreement must be made to clarify expectations regarding the student's participation in a larger project.
Templates for these agreements are available on the Privacy in Research page.