Privacy in research
On this page you will find extracts from the guidelines and other relevant information for projects that will process personal data. The guidelines can be read in their entirety by clicking on the link below. The guidelines must be seen in the context of the Framework for the processing of personal data in VID (in Norwegian).
Roles and responsibilities
The project manager is responsible for ensuring that privacy is safeguarded in each individual project. In student theses, the appointed supervisor is the project manager.
Project team members and students have a duty of confidentiality, must safeguard the privacy of participants, and must carry out the project in accordance with the assessment from Sikt and, if applicable, the approval from REK. Project team members and students must complete the necessary training in privacy and information security before processing personal data in the project.
The project manager's responsibilities
If it is necessary to process personal data:
- Ensure that the project is sent to Sikt’s Data Protection Services (previously NSD).
- Ensure that health research is approved by REK (Regional Committees for Medical and Health Research Ethics).
- Ensure that an information letter is prepared for the participants (use Sikt’s template).
- Ensure that a consent form is prepared for the participants (use Sikt’s template).
- Ensure that a data management plan is created.
- Consult the Data Protection Officer if there is a requirement for a Data Protection Impact Assessment (DPIA) according to EU’s Data Protection Regulation Article 35.
- Secure personal data. Grant access to the data and keep track of who has access.
- Handle inquiries from participants about rights.
- Ensure that personal data is deleted, anonymised, or archived at the end of the project and that a project completion notification is sent to Sikt and, if applicable, a final report to REK.
Requirements for the processing of personal data in the research project
All research and student projects that process personal data must be notified to Sikt at least 30 days before planned data collection. Click on the boxes below to read more about the requirements for projects that process personal data.
Data management plan
At start-up and before data is collected, analysed, and stored, a data management plan must be created. The project manager, possibly together with project team members or students, should describe how personal data will be processed in the project. Read more about data management plans and different templates.
Notification to Sikt
Sikt’s digital notification form for personal data must be filled out when personal data will be processed in a research project. The form should be sent in no later than 30 days before data collection will start. Processing of anonymous data should not be reported. The notification form can be filled out by the person carrying out the project. Students must send a sharing link to the supervisor when registering. Sikt assesses whether the planned processing fulfills requirements for privacy. Data collection can begin when an assessment from Sikt is received.
Application to REK
Health research must be pre-approved by REK before the project can begin. Health research is research on people, human biological material, or health information where the purpose is to acquire new knowledge about health and disease. For information on the boundaries between health research and other research that processes personal data, see REK's website (in Norwegian).
Storage
Personal data must be processed in a way that provides sufficient security for the personal data and protects against unauthorized access and damage. Here you can find information about recommended storage solutions in research projects at VID.
Rights
The participants in the project must have the opportunity to exercise their rights in a simple way. Participants have the right to be informed, to access, to rectification, to erasure, to restrict processing, to object, and to data portability. All inquiries regarding rights must be addressed to and answered by the project manager within 30 days at the latest. The access form (innsynsskjema) can be found here (in Norwegian).
Disclosure of personal data
Personal data must not be disclosed to individuals outside the project. Disclosure may still take place if consent has been obtained from the participants or if dispensation has been given by REK and Sikt has assessed the disclosure. In order to receive the personal data, the body to which the data is to be disclosed must have a valid basis for processing. All such disclosures must be approved by VID. Contact personvernombud@vid.no for more information.
Completion of the project
Personal data must not be stored longer than necessary to achieve the purpose of the project.
At the completion of the project, the project manager must ensure that:
- The personal data is anonymised or deleted unless there is a requirement for storage beyond the project period (see section 6 on archiving).
- If data are de-identified, anonymisation is usually accomplished by deleting the scrambling key.
- A project completion notification to Sikt and, if applicable, REK confirms that personal data has been deleted or anonymized.
- Copies of data have been managed in the same way.
- A copy of fully anonymised data can be retained.
- When students or project team members leave the project, ensure that any research material that they have obtained or had access to is securely stored or deleted.
- Source data or other research data and documents are not deleted if the Norwegian Data Protection Authority (Datatilsynet) has open cases connected to the research project or if the project manager or project team members are being investigated by the National Commission for the Investigation of Research Misconduct (Granskingsutvalget).
Anonymizing
“Data is anonymous if it is no longer possible, with the tools that can reasonably be expected to be used, to identify individuals in a data set...When personal data are anonymised, they are no longer deemed to constitute personal data. The processing of such data therefore falls outside the scope of the Data Processing Act.” (Datatilsynet) Anonymizing data and avoiding the risk of reidentification can be challenging. The Data Protection Authority has created a guide to help those attempting to anonymize personal data. Once data is anonymized, remember to send a project completion notification to Sikt to confirm that you are no longer handling personal data.
Archiving
If personal data will be stored after the end of the project, information must be given to the participants, in the notification form to Sikt, and, if applicable, in the application to REK. The project manager must explain the purpose of further storage, which societal interests can be safeguarded, and any disadvantages for the participants. The data must be stored in accordance with VID’s guidelines. Assessment from Sikt or REK will normally specify how long data can be saved.
Breaches
Anyone who discovers a discrepancy must immediately notify their immediate manager. The person who discovers the discrepancy, or the immediate manager, must report to the Pro-Rector for Research and the Data Protection Officer. The Data Protection Officer assesses whether the deviation should be reported to the Norwegian Data Protection Authority. See handling of breaches in the Framework for the processing of personal data at VID (in Norwegian) and the guidelines for handling breaches (in Norwegian).
Agreement templates for research projects
Here you will find relevant templates for your research project and information about the different templates.
Agreement templates
Data processor agreement
The template can be used if you outsource parts of the processing to a business/institution outside VID.
- Template for data processor agreement (Norwegian)
- Template for data processor agreements (English)
- Template for data processor agreements (French)
Joint Data Controller Agreement
The template can be used in cases where VID and an external institution must be considered to have a joint data controller responsibility and there must be a transfer of personal data between the businesses/institutions.
Declaration of confidentiality
The template can be used by external staff or students who are not employed by VID in a research project.
Do you need help?
Do you have questions about privacy in research, do you need help with a data processing agreement, or are you wondering where you can store your research data? Contact us at forskningsdatahandtering@vid.no. VID's data protection officer can be contacted at: personvernombud@vid.no.
Useful resources
- The National Research Ethics Committees | Forskningsetikk: advises researchers and authorities on research ethics issues and works to make research ethics principles known.
- Research ethics: information and routines for research ethics at VID.
- Research Data Management: guidance and information on important aspects of research data management.
- Data collection for master's theses: information to students who collect personal data in their projects.
- Project support: support for all types of externally funded projects.
- Research support: information about services and tools that support academic staff and PhD students during the research process.