Guidelines for the processing of personal data in research and student theses at VID Specialized University

Adopted by the Research Committee 23.01.2023.

1. Introduction

These guidelines apply to researchers, supervisors, and students who will process personal data in research projects and student theses at VID. The guidelines ensure that the privacy of research participants (participants) is safeguarded. These guidelines also replace the previous routine for processing personal data in health research.

These guidelines are to be used in connection with Framework for the processing of personal data at VID (in Norwegian).

2. Roles and responsibilities

2.1 Project manager

The project manager is responsible for ensuring that privacy is safeguarded in each individual project. In student theses, the appointed supervisor is the project manager. The project manager's responsibilities are, among other things, to:

  • Determine the purpose of the project and assess whether it is necessary to process personal data to achieve the purpose.

If it is necessary to process personal data:

  • Ensure that the project is sent to Sikt’s Data Protection Services (previously NSD).
  • Ensure that health research is approved by REK (Regional Committees for Medical and Health Research Ethics).
  • Ensure that an information letter is prepared for the participants (use Sikt’s template).
  • Ensure that a consent form is prepared for the participants (use Sikt’s template).
  • Ensure that a data management plan is created.
  • Consult the Data Protection Officer if there is a requirement for a Data Protection Impact Assessment (DPIA) according to EU’s Data Protection Regulation Article 35.
  • Secure personal data. Give access to and keep track of who has access to data.
  • Handle inquiries from participants about rights.
  • Ensure that personal data is deleted, anonymised, or archived at the end of the project and that a project completion notification is sent to Sikt and, if applicable, a final report to REK.

2.2 Project team members and students

Project team members and students have a duty of confidentiality, must safeguard the privacy of participants, and must carry out the project in accordance with the assessment from Sikt and, if applicable, the approval from REK.

Project team members and students must complete the necessary training in privacy and information security before processing personal data in the project.

3. Requirements for the processing of personal data in the research project

3.1 Data management plan

At start-up and before data is collected, analysed, and stored, a data management plan must be created. The project manager, possibly together with project team members or students, should describe how personal data will be processed in the project. A template for data management plans can be found on Sikt’s website.

3.2 Notification to Sikt

Sikt’s digital notification form for personal data on Sikt’s website must be filled out when personal data will be processed in a research project. The form should be sent in no later than 30 days before data collection will start. Processing of anonymous data should not be reported.

The notification form can be filled out by the person carrying out the project. Students must send a sharing link to the supervisor when registering. Sikt assesses whether the planned processing fulfills requirements for privacy. Data collection can begin when an assessment from Sikt is received.

Significant changes to the project must be reported in the notification form. See information on Sikt’s website. Such changes cannot be implemented until an assessment from Sikt has been received.

If the project is believed to involve a high risk for the participants' privacy, Sikt must, in collaboration with the individual researcher or student, carry out a DPIA. A checklist for when a DPIA must be carried out can be found in the Framework for the processing of personal data at VID (in Norwegian). The DPIA must be approved by the Pro-Rector for Research and the Data Protection Officer at VID before data collection can begin.

Sikt’s Privacy handbook for research (in Norwegian) provides further information on requirements for privacy protection in research.

3.3 Application to REK

Health research must be pre-approved by REK before the project can begin. Health research is research on people, human biological material, or health information where the purpose is to acquire new knowledge about health and disease. For information on the boundaries between health research and other research that processes personal data, see REK’s website (in Norwegian).

Ethical pre-approval from REK must either be attached to the Sikt notification form on submission or added afterward.

Significant changes in the project must be submitted to REK. Changes cannot be implemented until REK has provided feedback.

3.4 Storage

Personal data must be processed in a way that provides sufficient security for the personal data and protects against unauthorized access and damage. See VID’s Data collection and storage guide.

Only people who are members of the project team are allowed to have access to personal data. To limit access to personal data further, pseudonymisation can be used. This means that directly identifying information is removed, so that the personal data can no longer be linked to a specific person without the use of additional information. Also assess whether personal data can be deleted during the project period.

3.5 Rights

The participants in the project must have the opportunity to exercise their rights in a simple way. Participants have the right to be informed, to access, to rectification, to erasure, to restrict processing, to object, and to data portability. All inquiries regarding rights must be addressed to and answered by the project manager within 30 days at the latest. The access form (innsynsskjema) can be found on VID's website.

3.6 Disclosure of personal data

Personal data must not be disclosed to individuals outside the project. Disclosure may still take place if consent has been obtained from the participants or if dispensation has been given by REK and Sikt has assessed the disclosure. In order to receive the personal data, the body to which the data is to be disclosed must have a valid basis for processing. All such disclosures must be approved by VID. Contact personvernombud@vid.no for more information.

4.9.1 Transfer of personal data to third countries

Transfer of personal data to third countries (outside the EU/EEA area) can be permitted according to EU’s Data Protection Regulation Article 46. The transfer must be described in the notification form to Sikt and, if applicable, the application to REK before it can take place. Contact personvernombud@vid.no if the project involves data transfer to countries outside the EU/EEA area.

4. Completion of the project

Personal data must not be stored longer than necessary to achieve the purpose of the project. At the completion of the project, the project manager must ensure that:

  • The personal data is anonymised or deleted unless there is a requirement for storage beyond the project period (see section 6 on archiving).
  • If data are de-identified, anonymisation is usually accomplished by deleting the scrambling key.
  • A project completion notification to Sikt and, if applicable, REK confirms that personal data has been deleted or anonymised.
  • Copies of data have been managed in the same way.
  • A copy of fully anonymised data can be retained.
  • When students or project team members leave the project, ensure that any research material that they have obtained or had access to is securely stored or deleted.
  • Source data or other research data and documents are not deleted if the Norwegian Data Protection Authority (Datatilsynet) has open cases connected to the research project or if the project manager or project team members are being investigated by the National Commission for the Investigation of Research Misconduct (Granskingsutvalget).

5. Archiving

If personal data will be stored after the end of the project, information must be given to the participants, in the notification form to Sikt, and, if applicable, in the application to REK. The project manager must explain the purpose of further storage, which societal interests can be safeguarded, and any disadvantages for the participants. The data must be stored in accordance with VID’s guidelines.

Assessment from Sikt or REK will normally specify how long data can be saved.

  • REK can decide that documents that are necessary for project follow-up must be stored for five years after the final report is sent (cf. Health Research Act § 38).
  • Sikt and REK can assess whether personal data can be archived for follow-up studies or related research questions based on the same data selection and basis.
  • If personal data will be used for a purpose other than research (e.g., for instruction), VID’s privacy contact or Data Protection Officer must be contacted.
  • If processing of personal data requires consent and data must be stored longer than entitled by the original consent:
    • New consent must be obtained from the participant, or
    • An application must be sent for dispensation from the duty of confidentiality for further storage without consent (REK)

6. Breaches

Anyone who discovers a discrepancy must immediately notify their immediate manager. The person who discovers the discrepancy, or the immediate manager, must report to the Pro-Rector for Research and the Data Protection Officer. The Data Protection Officer assesses whether the deviation should be reported to the Norwegian Data Protection Authority.

See handling of breaches in the Framework for the processing of personal data at VID (in Norwegian) and the breach form (avviksskjema) on VID’s website.

7. Relevant resources