3.1 Data management plan

At start-up and before data is collected, analysed, and stored, a data management plan must be created. The project manager, possibly together with project team members or students, should describe how personal data will be processed in the project. A template for data management plans can be found on Sikt’s website.

3.2 Notification to Sikt

Sikt’s digital notification form for personal data on Sikt’s website must be filled out when personal data will be processed in a research project. The form should be sent in no later than 30 days before data collection will start. Processing of anonymous data should not be reported.

The notification form can be filled out by the person carrying out the project. Students must send a sharing link to the supervisor when registering. Sikt assesses whether the planned processing fulfills requirements for privacy. Data collection can begin when an assessment from Sikt is received.

Significant changes to the project must be reported in the notification form. See information on Sikt’s

website. Such changes cannot be implemented until an assessment from Sikt has been received.

If the project is believed to involve a high risk for the participants' privacy, Sikt must, in collaboration with the individual researcher or student, carry out a DPIA. A checklist for when a DPIA must be carried out can be found in the Framework for the processing of personal data at VID (in Norwegian). The DPIA must be approved by the Pro-Rector for Research and the Data Protection Officer at VID before data collection can begin.

Sikt’s Privacy handbook for research (in Norwegian) provides further information on requirements for privacy protection in research.

3.3 Application to REK

Health research must be pre-approved by REK before the project can begin. Health research is research on people, human biological material, or health information where the purpose is to acquire new knowledge about health and disease. For information on the boundaries between health research and other research that processes personal data, see REK’s website (in Norwegian).

Ethical pre-approval from REK must either be attached to the Sikt notification form on submission or added afterward.

Significant changes in the project must be submitted to REK. Changes cannot be implemented until REK has provided feedback.

3.4 Storage

Personal data must be processed in a way that provides sufficient security for the personal data and protects against unauthorized access and damage. See VID’s Data collection and storage guide.

Only people who are members of the project team are allowed to have access to personal data. To limit access to personal data further, pseudonymisation can be used. This means that directly identifying information is removed, so that the personal data can no longer be linked to a specific person without the use of additional information. Also assess whether personal data can be deleted during the project period.

3.5 Rights

The participants in the project must have the opportunity to exercise their rights in a simple way. Participants have the right to be informed, to access, to rectification, to erasure, to restrict processing, to object, and to data portability. All inquiries regarding rights must be addressed to and answered by the project manager within 30 days at the latest. The access form (innsynsskjema) can be found on VID's website.

3.6 Disclosure of personal data

Personal data must not be disclosed to individuals outside the project. Disclosure may still take place if consent has been obtained from the participants or if dispensation has been given by REK and Sikt has assessed the disclosure. In order to receive the personal data, the body to which the data is to be disclosed must have a valid basis for processing. All such disclosures must be approved by VID. Contact personvernombud@vid.no for more information.

4.9.1 Transfer of personal data to third countries

Transfer of personal data to third countries (outside the EU/EEA area) can be permitted according to EU’s Data Protection Regulation Article 46. The transfer must be described in the notification form to Sikt and, if applicable, the application to REK before it can take place. Contact personvernombud@vid.no if the project involves data transfer to countries outside the EU/EEA area.

1. Introduction

2. Roles and responsibilities

3. Requirements for the processing of personal data in the research project

4. Completion of the project

5. Archiving

6. Breaches

7. Relevant resources