Personal data shall be processed only when necessary and shall be processed within the framework of the data protection regulations. Students should generally avoid processing personal data, but may process personal data when necessary to achieve the learning outcomes.
Here you will find information about how information can be collected anonymously, and the rules that apply when students need to process personal data in their work as students.
This guidance applies to all types of student work for which the students process personal data, including practical training reports, work requirements and major projects such as bachelor's and master's theses.
Personal data is any information that can be linked with a person. For example, personal data may include your national identity number, name, address, e-mail address or IP address.
A photo or video recording is considered personal data if people can be recognised, and audio-recorded voices are always considered personal data even if no name is mentioned in the recording.
It is also possible that a body of compiled information can be linked to a person. This may be the case, for example, if the person’s exact age, place of residence and field of study are registered, and there is only one person out of 37 from Verdal who studies nature management.
The extent to which background information can enable identification of a person depends on the variables/registered data but it also depends on the context, topic and criteria of the sample.
Since pseudonymous personal data may be linked to a particular person using additional information/a crypto-key, it is considered personal data.
Anonymous information is not personal data, but be sure to check if the information is actually entirely anonymous.
A data management plan is a recommended tool for anyone writing student assignments. It helps you gain an overview of what to collect, how to collect it, how to describe the data, where to store data, how to work with data, which other people will have access to your data, what to do when you finish using the data, and more.
NSD has a template that you can use. This is a tool that is useful in the planning phase to indicate the security requirements for your data. Creating a data management plan will ensure that you have reviewed and thought about all relevant questions that apply to, among other things, personal privacy.
Personal data shall be processed only when necessary, and all processing is subject to strict regulations. Students can often avoid processing personal data in their student work, but sometimes it is necessary to process personal data in order for students to achieve the learning outcomes.
You must always consider whether it is necessary to process personal data. Personal data are not to be processed beyond the extent necessary to achieve the defined purpose. If you can achieve the learning outcomes or purpose of your student project by processing only anonymous information, you must do so.
- Can you collect the information anonymously? You can do this, for example, by writing an interview report but without providing information in the report that directly or indirectly identifies persons.
- Can you use anonymous datasets that have already been collected by others? On Find Data | NSD you can find a large number of datasets within various topics.
Here are some good tips:
- How to carry out a project without processing personal data | NSD (in Norwegian)
- How to anonymise personal data | Norwegian Data Protection Authority
If strictly anonymous processing is impossible, data should be pseudonymised (de-identified) and the crypto-key/list of codes must be stored in a secure location other than where the data is located.
When processing personal data, the following principles of the General Data Protection Regulation (GDPR) shall always be followed:
You must have permission
- You must have a legal basis for processing personal data, either in the form of consent or other grounds.
- Personal data cannot be reused for purposes incompatible with its original purpose. If you wish to reuse the information for other purposes, you must have an independent/new legal basis.
- You must apply for the necessary permits where required; see more about this in section 10.
You must have a good reason
- Personal data shall be processed only for specific, expressly stated, and legitimate purposes. This means that the purpose of processing personal data must be precisely identified and described. All purposes shall be explained such that all concerned have the same understanding of what the personal data will be used for. Having a legitimate purpose entails, in addition to having a legal basis, that the purpose must be in accordance with other ethical and legal societal norms.
You must not process more personal data than necessary nor longer than necessary
- The principle of data minimization involves limiting the amount of personal data collected to what is necessary to achieve the purpose of the data collection. If personal data is not necessary to achieve the purpose, it must not be collected.
- Personal data shall be deleted or anonymized when no longer necessary for the purpose for which the data were collected.
You must ensure proper security
- Personal data shall be processed in a way that ensures adequate security of the personal data. This includes that you must see to it that the data are protected from access by unauthorized persons.
You must show respect for the informants and their rights
- Processing shall be done with respect for the informants' interests and reasonable expectations. The processing must be made clearly understandable to the informants and not be conducted in secret or manipulative ways.
- The use of personal data must be clearly transparent and predictable for the informants. Transparency helps to create trust and it enables the informants to exercise their rights and safeguard their interests.
- Processed personal data must be correct and must be updated if necessary. This means that you must make sure you immediately delete or rectify personal data that is incorrect.
- You must ensure that the informants have the opportunity to exercise their rights. You can read more about the informants' rights here: Your rights | Norwegian Data Protection Authority
You must notify us if you discover any discrepancies
- Report any discrepancies in personal data security that occur in your processing of personal data.
Practical training reports, reflection notes, work requirements and other minor student assignments shall in principle contain only anonymous information.
In a few cases, you may still need to process personal data. This may be relevant, for example, when describing situations you experience in your practical training, and background information makes it completely impossible to anonymize all persons.
If you believe that you will need to process personal data in order to achieve the learning outcomes, you must inform your course coordinator about this before you start collecting information. Together, you must assess whether processing of personal data is really necessary, and consider what measures need to be taken to safeguard personal data.
- Assess whether it is necessary to process personal data. If you are able to collect the information anonymously instead, you must do so.
- Remember that you cannot use confidential information in your thesis/practical training report!
- Follow the basic principles for the processing of personal data. Among other things, it is important to remember that you must always have a legal basis (e.g. consent) to process personal data.
- Make an assessment of any ethical research issues that may apply. This may be relevant, for example, if you are going to collect information at your own workplace.
- Classify the data in accordance with Nord University's guidelines for data classification, and ensure that the information is safeguarded according to its need for protection.
- Ensure that personal data is always securely safeguarded and that no unauthorized person is able to access it. You should use only technical solutions approved by Nord. Read more about this here
- Make sure that all information that can be linked to individuals is deleted when you have finished the processing/thesis.
- If you are going to submit a practical training report or other student work that contains personal data, you must ask the course coordinator to assess the need to restrict access to it.
- Report all discrepancies, if any, that occur during the processing of personal data.
- Ask for help if you are unsure about what rules apply.
By the term major student assignments we mean R&D, study programme graduate's, bachelor's or master's theses. In this type of written assignment, the supervisor or course coordinator is the project manager.
Even though the project manager is formally responsible for ensuring that guidelines and routines are complied with in the project, you as a student still have an independent responsibility to ensure privacy protection in the project. In addition, you will be responsible for the practical implementation in accordance with the project manager's instructions and guidance.
- Assess whether it is necessary to process personal data in the project. Can you instead collect the information anonymously or use anonymous datasets available, for example, from Norwegian Social Science Data Services or Statistics Norway?
- Follow applicable guidelines and procedures and the basic principles for processing personal data.
- In collaboration with your supervisor, make an assessment of any ethical research issues that may apply. This may be relevant, for example, if you are going to collect information at your own workplace.
- Do not begin to collect or otherwise process personal data until you have received permission from the Norwegian Centre for Research Data (NSD).
- Ask for assistance from your supervisor if you are unsure about what to do.
Some students participate in major research projects and write their thesis in connection with this. In these cases, the student must comply with the guidelines and permits that apply to the project in question.
Students who write a thesis during an exchange stay must normally follow the guidelines and instructions currently applicable at the host institution.
During the planning/start-up phase, you should plan how you will carry out data collection and ensure that the necessary permits etc. have been obtained.
During this phase, the student is responsible for the following:
- determining and having an overall list of the types of personal data to be processed in the thesis. Next, you will need to create an interview guide if you are conducting an interview, an observation guide if you are going to carry out observation, or a questionnaire if you are conducting a survey. It is recommended that you set up a data management plan.
- making sure that you have a basis for processing the data. In most cases, you must obtain consent from your informants. Here you can read more about consent and other bases for processing.
- If you are collecting personal data at your own workplace or practical training site, you must have permission from the management at the workplace/practical training site.
- If you wish to use personal data from patient records, health registries, etc., you must request permission from the institution in question, and apply for exemption from the duty of confidentiality to the Regional Committee for Medical and Health Research Ethics (REK).
- designing information for informants about their privacy rights. You will need to use NSD's template for information to the participants. The informational letter also serves as a consent form; see tips below on using a digital questionnaire to obtain consent.
- reporting the project to the Norwegian Centre for Research Data (NSD) no later than 30 days before data collection is due to start. You must report the project here. What you write in the notification form lays the foundation for what you are allowed to do with the personal data that you collect from the informants.
- sharing the notification form in NSD with the project manager.
- sharing the notification form in NSD with your private email account. This ensures that you receive necessary emails from NSD concerning the end of the project when you have finished your studies.
- If your project deals with health research, you must apply for approval from the Regional Committee for Medical and Health Research Ethics in the REK portal.
- classifying the data in accordance with Nord University's guidelines for data classification. This classification provides an indication of the level of restriction that is needed to protect the information.
Taking the examination
The implementation phase is the part of the project that includes data collection and analyses of collected data.
During this phase, the student is responsible for:
- ensuring that the personal data is always securely safeguarded throughout the phases of collection, storage, transfer and analysis etc. You are responsible for ensuring that no unauthorized person has access to the personal data. You should use only technical solutions approved by Nord. Read more about this here
- responding to inquiries from informants in the project about how they can safeguard their privacy rights
- ensuring proper deletion or anonymization of personal data if informants withdraw their consent to participate in the project
- checking to ensure that personal data processed in the project is not used for other purposes or in other ways than those to which informants have consented
- asking informants for new consent if collected information is to be processed for other purposes or in other ways, for example stored longer or used in a new project, than those to which they originally consented
- submitting a notification of change to NSD if you have to make changes during the course of the project. This applies, for example, if you need to do interviews over Teams instead of a physical interview, or if you need to collect more/other information than you reported in beforehand
- reporting all discrepancies, if any, that occur during the processing of personal data in your project.
The final phase is the part of the project in which the data analysis has been completed and the collected data (personal data) are to be deleted, anonymized or transferred to others for further storage.
During this phase, the project manager is responsible for the following tasks:
- deciding which data are to be deleted and which will be stored/archived after the end of the project. The assessment must be conducted in accordance with Nord's guidelines for research data management.
- ensuring that all personal data that is not to be stored after the end of the project is properly deleted.
- ensuring that personal data that are to be kept after the end of the project are anonymized, for example by destroying the crypto-key for pseudonymized/de-identified information.
- ensuring that personal data that are to be retained after the end of the project are securely stored.
- ensuring that texts containing confidential information have restricted-access status. Consider whether to postpone or deny electronic disclosure of the thesis.
- sending the final report to NSD and, if applicable, to REK.
During this phase, the student is responsible for assisting the project manager in the practical implementation. This includes the student's obligation to transfer, anonymize and/or delete information in accordance with the deadline set out in the notification form to NSD, and the project manager's instructions.
All R&D, study programme graduate's, bachelor's and master's theses involving the processing of personal data must be reported to NSD. The project manager is responsible for ensuring that the student project is reported, but it is usually the student who does the actual reporting.
The project must be reported to NSD if you process personal data at some point, even if you are going to anonymize all persons later in the process or in the written assignment itself. For example, if you make an audio recording of an interview that you later transcribe into anonymous text, the project must be reported to NSD.
You will be asked to submit an end date for the project. If you are going to keep data containing personal information until the assignment has been evaluated and graded, you must set the date to sometime after the deadline for grading.
How should the project be reported?
You must report the project here: Data protection services | NSD
Here you can view an example of the notification form
Here you will find information about filling out the notification form.
NSD can provide guidance on how to fill out the form. You may also request assistance from your supervisor or the data protection officer at Nord.
How to follow up the report to NSD?
It is important that you follow up on questions and tasks that you get from NSD.
The sooner you answer any questions about the scheduled processing, the faster NSD can give you approval to start collecting data.
In some cases, NSD may notify you to upload guidelines or an authorization showing that the personal data may be processed as described. This is often because NSD cannot approve the processing of personal data as you have described it in the submitted notification. This may occur, for example, if you have stated that you are going to use a private PC or mobile phone when collecting or storing data. If you receive such a notification, you must consider changing the plan for processing personal data in the project so that it falls within Nord's prescribed guidelines. If you and your supervisor believe that there are special reasons why you need to process personal data in some way that does not conform to Nord's guidelines, you must contact the faculty for written approval.
When you have finished the thesis and all the personal data have been deleted or anonymized, you must send a final report to NSD.
REK processes applications for medical and health-related research that aims to acquire new knowledge about health and disease. REK also processes applications for exemption from the duty of confidentiality in other research.
Students will rarely need to report their projects to REK. Contact your supervisor if you believe that your project should be reported to REK, or if you are unsure as to whether your project is subject to the REK grant application requirement.
Students' duty of confidentiality
Students who, in a study context, acquire knowledge about someone's personal circumstances have a duty of confidentiality in accordance with the rules applicable to practising professionals in the occupational areas concerned. This means, among other things, that you cannot use confidential information in a practical training report, etc.
You have a duty of confidentiality relating to information you have obtained as a researcher, cf. Section 13e of the Norwegian Public Administration Act.
Can student assignments containing personal data be published?
As a point of departure, a student assignment should not contain personal data. Exceptions can be made if there is a scientific reason for publishing a paper containing personal data. You must consider this along with your supervisor. In addition, you need to ensure that the following criteria are met:
- The informants must consent to your publishing information about them. The informational letter must contain clear information about how the personal data will be published.
- The informants must have an opportunity to read through the parts of the thesis that disclose information about them before the thesis is published.
- Even if you have the consent of the informants that personal data can be published, an ethical assessment must be made as to whether the information should be published.
Can students collect personal data at their own workplace?
Collecting personal data in your own workplace may entail ethical challenges. It is important to be aware of these challenges and to assess them along with your supervisor. Here are some topics to consider before you start collecting personal data at your workplace:
- You must have permission from the employer (data controller) before collecting personal data in your workplace.
- What challenges might arise out of having a dual role as employee/researcher?
- Do you have a duty of confidentiality by virtue of your position in the workplace?
- You have a duty of confidentiality as a researcher, and in your role as an employee, you may not use/share personal data that informants have shared with you as a researcher. How will you distinguish between information you receive as an employee and information you receive as a researcher?
- Will the informants feel that their consent is voluntary if you have a relationship in which you are in a position of power? This may be relevant, for example, in a situation where the informants are your patients or pupils/pupils' parents.
How to assess the storage area and equipment that can be used?
Nord has a guideline for classifying information. This also applies to students who process data in connection with their written work as students. Information must be classified as green/open, yellow/protected or red/confidential. Students shall not process data that is so sensitive that it is classified as black/strictly confidential data.
- Before you collect data, classify all information based on its need to be protected. Use Nord University's guidelines for data classification. You can request assistance from your supervisor or data protection officer if you are unsure what classification your data should have.
- After you clarify the classification of your data, check which storage areas, tools and equipment you can use to process this data. An overview of this can be found in the Nord University Storage Guide. Among other things, it explains the current requirements for storage areas and equipment that will be used for yellow and red data.
Can students use private devices?
As a starting point, yellow or red data cannot be processed on private devices. This means, among other things, that you can never make audio recordings by mobile phone.
Using a private PC/Mac to log into Nord's OneDrive cloud storage is not considered use of a private device provided the data is not downloaded to the private PC/Mac. This requires that data in your OneDrive cannot be synced to your PC/Mac. Therefore, check the settings in your OneDrive before storing yellow or red data in OneDrive.
If, for special reasons, you need to process data on a private device, you must obtain written approval from your faculty. Private devices must then be encrypted in accordance with the requirements set by Nord.
How to obtain information in a digital questionnaire – Web form?
If you are collecting information through a questionnaire, you must use Nettskjema - Nord Help.
You need to log in with your FEIDE user to access Nettskjema. You are not permitted to download data from Nettskjema to your own machine or any other unsafe storage areas. If there is a need to transfer the data to another storage area, you must follow the provisions of Nord's storage guide.
If you want to obtain information that will enable identification of the informants in the questionnaire, the form must contain explanatory information and a mandatory checkbox for consent. When creating the form, you must choose that informants log in via the ID-portal so that you have an overview of those who have filled out the form.
You can create anonymous questionnaires. If you do so, it is important that you use only questions with radio buttons/checkboxes or drop-down lists, and that no questions are asked that can indirectly identify individuals.
The form in Nettskjema must be deleted when the project is over.
How to make audio recordings of interviews?
A person's voice is to be regarded as personal data in itself, so all audio recordings of persons shall be processed in accordance with the data protection regulations.
Audio recordings must be made using the Nettskjema Dictaphone app (University of Oslo). This app is downloaded to your mobile phone. The audio recording is not saved on the mobile, but is sent directly to Nettskjema. To listen to the recording, you must log in to Nettskjema using your Nord FEIDE account. Tips and information can be found on UiO's website pertaining to Nettskjema.
If poor Internet access prevents you from using Nettskjema Dictaphone, an audio recorder without internet access may be used. Audio recorders can be borrowed from some departments at the University Library. Some faculties/research projects may also have audio recorders available. Audio recorder, cassettes, memory sticks, etc. containing audio recordings should be stored securely and should be encrypted if possible. Once data has been transcribed or transferred to secure storage, the recordings should be deleted. It is important to check that all recordings have been deleted before returning a borrowed audio recorder.
How to conduct a digital interview?
You can use Zoom or Teams to conduct an interview. To do this, you must ensure that the meeting link is given only to the person to be interviewed and that no outsiders attend the meeting.
It is not permitted to video-record the conversation. If you need to make audio recordings, Nettskjema Dictaphone must be used. You can do this by placing your mobile phone with the Nettskjema Dictaphone app next to your PC speaker during the interview.
Can students make video recordings of the informants?
Students are not allowed to make video recordings of informants in Teams or Zoom.
If special circumstances indicate that it is necessary to make video recordings, the student, together with the project manager, must clarify how this can be carried out in a secure manner, and apply to the Faculty for approval. The Data Protection Officer at Nord can assist in the assessment.
Where can data be stored?
On Nord's website under "Student" you will find the tab Office 365 (can be downloaded for free by our students). It takes you to a page that has Microsoft's OneDrive cloud solution. Here you can store information classified as green, yellow, or red data.
Before you save data to OneDrive, it's important that you check the following:
- Make sure files/folders are not shared with others
- Make sure OneDrive doesn't sync to your private PC/Mac automatically
- Provide additional protection (encryption) if you need to store red data
How to prevent syncing in OneDrive?
If you've already installed the Office 365 applications, all data in your OneDrive may sync to your machine automatically. To prevent certain types of data from being stored on a private PC, follow these steps:
- Find the blue OneDrive symbol in the tools menu in the lower-right corner of your PC.
- Tap Help & Settings. Continue on to Settings.
- A small window with the OneDrive account information should come up (Account). This shows the location (accounts) that are synchronized. Click "choose folders"/"select folders". De-select the folders that are not to be synchronized.
How to safeguard red data in OneDrive?
If you are processing red data, storage in OneDrive should be additionally protected by encrypting it. This will be especially relevant if you are processing sensitive personal data or other confidential information. You can contact IT Help for assistance.
How should the crypto-key be stored?
The crypto-key should be encrypted and should always be stored separately from the rest of the data. If you store pseudonymized/de-identified data in OneDrive, the crypto-key must be stored in a different secure location, such as an encrypted USB flash drive that is kept under lock and key.
Flash drives and other portable media/devices containing yellow or red data should be encrypted.
Printouts, audio recorders, USB flash drives, etc. should be kept locked up so that others cannot access them.
Anonymous information is information that can in no way identify individuals in a body of data, either directly through name or national ID number, indirectly through background variables, or through name list/crypto-key or encryption formula and code.
Any operation performed with personal data, e.g. collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of disclosure, compilation or coordination, restriction, deletion, or destruction.
The person who determines the purpose of the processing of personal data and the aids that are to be used. Nord University is the data-controller institution for personal data that is processed in research and student assignments at the university. The day-to-day/administrative responsibility for data control has been delegated to the faculties by the dean.
Basis for processing personal data
Legal basis for processing personal data. This may include, for example, consent from persons about whom information is being processed.
Breach of personal data security
A breach of security that results in accidental or unlawful destruction, loss, alteration, dissemination of, or access to personal data that has been transferred, stored or otherwise processed.
Data minimization means that you should not collect more information about your sample than is necessary to fulfill your research purpose. If any of the personal data you wish to collect is not necessary to fulfill the purpose, do not collect it. Data minimization is one of the privacy principles of the GDPR.
Abbreviation for The General Data Protection Regulation, EU Data Protection Regulation. Also called the GDPR.
Indirectly personally identifiable information
A person will be indirectly identifiable if it is possible to identify them through background information such as the municipality of residence or institutional affiliation combined with information about age, gender, occupation, diagnosis, etc.
The individual from whom you collect personal data and to whom the information may be linked. Often also called a research participant, respondent, or the data subject.
Securing information by adherence to the principles of confidentiality, integrity, and availability.
The principle that personal data shall be protected against accidental or unauthorized alteration or deletion.
A crypto-key is a list of names or a file that enables individuals in a dataset to be identified. Creating a crypto key involves replacing a name, national ID number, e-mail address, or other person-specific characteristic in a dataset with a code, number, fictitious name or the like, referring to a separate list in which each code refers to names. The crypto-key must be kept separate from the data material itself to ensure that unauthorized persons cannot access the links between names and codes.
For information protection reasons, a crypto-key should be used for most projects in which personal data is processed, and especially in projects where sensitive personal data is processed.
The principle that personal data must be safeguarded against unauthorized access to it.
Method of making data (such as text) unreadable to others using a mathematical function (encryption technique/algorithm) and a predetermined key.
Abbreviation for "Norwegian Centre for Research Data". Nord has an agreement with NSD so that they assess privacy protection in student and research projects for which personal data is processed.
Information or assessment that can be linked to an individual. This may include a name, address, phone number, email address, voice, vehicle registration number, photos or date of birth.
Data Protection Officer
A person appointed by the data controller. Toril Irene Kringen is data protection officer at Nord University. The task of the Data Protection Officer is to help Nord University comply with the data protection regulations, and she is an ombudsman for the persons about whom Nord University processes personal data.
The term project is used for research projects. In this guide, R&D, study programme graduate's, bachelor's and master's theses are referred to as "projects".
In NSD's notification form, the student will be asked to identify the project manager. If the supervisor is employed at Nord, this is the project manager for R&D, study programme graduate's, bachelor's and master's theses. If the supervisor is not employed at Nord, the course coordinator is the project manager.
The information is pseudonymised if the name, national ID number or other person-specific characteristics have been replaced with a number, code, fictitious names or the like, referring to a separate list of direct personal data (crypto-key).
Please note that indirect person-identifiable information must also be categorized into broad categories or removed in order that the data material can be considered pseudonymised. Broad categories mean, for example, a region instead of specified municipalities or cities, age intervals (10–19 years, 20–29 years, etc.) rather than precise ages and the like. The only way to identify individuals in a pseudonymized dataset must be via the name list/crypto-key.
Please note that pseudonymized information is considered personal data regardless of who keeps the list of names, or of where and how it is stored.
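The pseudonymisation steps described above (codes replacing names, a separate crypto-key, and broad categories for background variables) can be sketched in code. This is an added illustration, not part of Nord University's guidance; the records, the municipality-to-region mapping and all function names are constructed for the example.

```python
import secrets
from collections import Counter

# Constructed sample records (fictitious people).
RECORDS = [
    {"name": "Kari Nordmann", "email": "kari@example.org", "age": 37,
     "municipality": "Verdal", "field": "Nature management"},
    {"name": "Ola Hansen", "email": "ola@example.org", "age": 34,
     "municipality": "Levanger", "field": "Nature management"},
    {"name": "Ingrid Berg", "email": "ingrid@example.org", "age": 31,
     "municipality": "Steinkjer", "field": "Nature management"},
    {"name": "Per Olsen", "email": "per@example.org", "age": 23,
     "municipality": "Bodø", "field": "Nursing"},
    {"name": "Anne Lie", "email": "anne@example.org", "age": 27,
     "municipality": "Fauske", "field": "Nursing"},
    {"name": "Jon Dahl", "email": "jon@example.org", "age": 25,
     "municipality": "Bodø", "field": "Nursing"},
]

# Assumed broad category for each municipality (region instead of municipality).
REGION = {"Verdal": "Trøndelag", "Levanger": "Trøndelag",
          "Steinkjer": "Trøndelag", "Bodø": "Nordland", "Fauske": "Nordland"}

DIRECT = ("name", "email")                 # directly identifying fields
QUASI = ("age", "municipality", "field")   # background variables as collected
QUASI_BROAD = ("age", "region", "field")   # background variables after broadening


def age_band(age):
    """Replace an exact age with a ten-year interval such as '20-29'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def smallest_group(rows, columns):
    """Size of the smallest group sharing the same background variables.

    A result of 1 means at least one person is unique on these columns
    and therefore indirectly identifiable.
    """
    groups = Counter(tuple(row[c] for c in columns) for row in rows)
    return min(groups.values())


def pseudonymise(records):
    """Return (dataset, crypto_key) as two separate objects.

    The dataset holds a random code and broad categories only. The
    crypto-key maps each code to the direct identifiers and must be
    stored encrypted, in a different location from the dataset.
    """
    dataset, crypto_key = [], {}
    for rec in records:
        # Random codes cannot be recomputed from the name, unlike a hash.
        code = "P-" + secrets.token_hex(4)
        while code in crypto_key:
            code = "P-" + secrets.token_hex(4)
        crypto_key[code] = {field: rec[field] for field in DIRECT}
        dataset.append({
            "code": code,
            "age": age_band(rec["age"]),
            # Raises KeyError for an unmapped municipality rather than
            # silently keeping the precise value.
            "region": REGION[rec["municipality"]],
            "field": rec["field"],
        })
    return dataset, crypto_key


def reidentify(code, crypto_key):
    """Look up a person via the crypto-key; None once the key is destroyed."""
    return crypto_key.get(code)


if __name__ == "__main__":
    print("smallest group, exact values:", smallest_group(RECORDS, QUASI))
    data, key = pseudonymise(RECORDS)
    print("smallest group, broad categories:", smallest_group(data, QUASI_BROAD))
    key.clear()  # destroying the crypto-key removes the link back to the names
    print("lookup after key destroyed:", reidentify(data[0]["code"], key))
```

With exact ages and municipalities every constructed record is unique on its background variables; after broadening, no record is. Whether the result is actually anonymous once the key is destroyed still depends on the context and sample, as the guidance notes.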
REK – Regional Committee for Medical and Health Research Ethics
All research projects covered by the Norwegian Health Research Act must be pre-approved by REK. REK also processes applications for exemptions from the duty of confidentiality.
A voluntary, specific, informed, unequivocal and active declaration from the data subjects that they agree to the processing of information about themselves.
Collective term for data services provided over the internet that are set up to work with other data services.
Sensitive personal data/special categories of personal information
This is information that requires additional protection. In the Act, "special categories of personal data" are defined as personal data of racial or ethnic origin, political conviction, religion, philosophical beliefs or trade union membership, as well as the processing of genetic and biometric information for the purpose of unambiguously identifying a natural person, health information or information about a natural person's sexual traits or sexual orientation.
Transcription of sound recordings
To make a transcript of an audio recording.
An individual who is not included as an informant/research participant/respondent, but to whom information can be linked. If, for example, an informant provides information about their mother, and the information you process can be linked to the mother, the mother will be the third person about whom you process personal data.