Data protection in research

A separate guide has been made for student assignments that process personal data. Additional conditions apply regarding medical and health research.

The researcher’s responsibility in research projects:

• Planning and startupCopy linkCopied

  This phase starts with the work on the project outline and continues until the collection of data (personal data) begins.

  A research ethics assessment must be made if applicable.

  During planning and start-up, the project manager is responsible for the following:

  • Determining and keeping track of the types of personal data to be processed in the project. According to Nord University’s guidelines for research data management, all research projects must be equipped with a data management plan (DMP).
    
    
  • Preparing consent forms. Respondents and informants must be presented with this and give their consent. Read more about consent at the Norwegian Data Protection Authority and at forskningsetikk.no.
    
    
  • Preparing information letters for respondents or informants about their data protection rights during and after the implementation of the project (Nord University has its own data protection policy for research participants​, in which the most important rights are stated.)
    
    
  • Registering the project at the Norwegian Agency for Shared Services in Education and Research (SIKT) no later than 30 days before data collection is due to start. SIKT conducts data protection assessments on behalf of Nord University. The project must be reported if you process personal data at some point in the project, even if you are anonymising all persons in the final product. The duty to notify also applies to health research projects.
    
    Example of a notification form
    Guide to the SIKT notification archive
    
    

  • Applying for approval from REK if the research project ‘is carried out using scientific methodology to obtain new knowledge about health and disease’, also called health research, see Section 4a of the Health Research Act.
    
    
  • Preparing a Data Protection Impact Assessment (DPIA) if necessary. If the processing of personal data in the project entails high risk regarding the informants’ data protection, SIKT will give you feedback that a DPIA must be carried out. SIKT will then prepare this together with you and Nord University’s Data Protection Officer. The DPIA must be approved by the dean.
    
    
  • Entering into agreements with any external information providers, such as registry owners.
    
    
  • Entering into agreements with any external partners or data processors who will have access to personal data, e.g. transcribers, translators, or collaborating research institutions. The agreements must clarify how the responsibility for personal data is to be distributed and safeguarded. Data processing agreements must be quality assured by a lawyer before signing.
    
    Information about and template for data processing agreements (in Norwegian)
    
    ​​If data is to be shared with partners in countries outside the EU/EEA, it must first be clarified whether there is a legal basis for transfer. You can read more about this on the Norwegian Data Protection Authority’s website (in Norwegian). Contact a lawyer or data protection officer for assistance.
• ImplementationCopy linkCopied

  From data collection to analysis of collected data (personal data). 

  During implementation, the project manager must:

  • Respond to inquiries from informants in the project about how they can safeguard their data protection rights.
    
    
  • Ensure the proper deletion or anonymisation of personal data if informants withdraw their consent to participate in the project.
    
  • Check that personal data that is processed in the project is not used for other purposes or in other ways than those to which informants have consented.
    
    
  • Ask informants for new consent if collected information is to be processed for other purposes or in other ways, for example stored for longer periods or used in a new project, than those to which they originally consented.
    
    
  • Submit a notification of change to SIKT and/or REK if one must make changes during the course of the project. This applies, for example, if you need to conduct interviews via Teams instead of a physical interview, or if you need to collect more/other information than what was originally reported.
    
    
  • Verify that the terms and conditions of agreements with any external information providers, such as registry owners or partners at other institutions, are actually complied with.
    
    
  • Ensure that crypto-​keys are adequately secured when processing de-identified personal data.
    
    
  • Report non-conformities in personal data security if any discrepancies occur when processing the personal data of project informants. 
• Final phaseCopy linkCopied

  The final phase deals with the part of the project in which the data analysis has been completed and the collected data (personal data) are to be deleted, anonymised or transferred to others for further storage/archiving.

  In the final phase, the project manager must:

  • Decide which personal data about respondents and informants are to be deleted and which will be stored/archived after the project has ended. The assessment must be conducted in accordance with Nord University’s guidelines on the management of research data.
    
    
  • Ensure that all personal data about respondents and informants that is not to be stored after the project has ended is properly deleted. 
    
    
  • Ensure that personal data that are to be stored after the project has ended are anonymised, for example by destroying the crypto-key for de-identified information.
    
    
  • Ensure that personal data that are to be retained after the project has ended are securely stored.

• What is personal data?Copy linkCopied

  Personal data is any information that can be linked to a person. For example, personal data may include your national identity number, name, address, e-mail address or IP address.

  A photo is considered personal data if people can be recognised, and audio-recorded voices are always considered personal data even if no name is mentioned in the recording.

  It is also possible that a body of compiled information can be linked to a person. For example, if the person’s exact age, place of residence and field of study are registered, and there is only one person out of 37 from Verdal who studies nature management.

  The extent to which background information can enable identification of a person depends on the variables/registered data, but it also depends on the context, topic and criteria of the sample.

  Since pseudonymous personal data may be linked to a particular person using additional information/a crypto-key, these are considered personal data.

  Anonymous information is not personal data, but be sure to check if the information is actually entirely anonymous.

• Important to remember when processing personal dataCopy linkCopied

  When processing personal data, the following principles of the General Data Protection Regulation (GDPR) must always be followed:

  You must have permission

  • You must have a legal basis for processing personal data, either in the form of consent or other grounds.
    
    
  • Personal data cannot be reused for purposes incompatible with its original purpose. If you wish to reuse the information for other purposes, you must have an independent/new legal basis.

  You must have a good reason

  • Personal data must only be processed for specific, expressly stated, and legitimate purposes. This means that the purpose of processing personal data must be precisely identified and described. All purposes must be explained such that all concerned have the same understanding of what the personal data will be used for. Having a legitimate purpose entails, in addition to having a legal basis, that the purpose must be in accordance with other ethical and legal societal norms.

  You must not process more personal data than necessary nor longer than necessary

  • The principle of data minimisation involves limiting the amount of personal data collected to what is necessary to achieve the purpose of the data collection. If personal data is not necessary to achieve the purpose, it must not be collected.
    
    
  • Personal data must be deleted or anonymised when no longer necessary for the purpose for which the data were collected.

  You must ensure proper security

  • Personal data must be processed in a way that ensures adequate security of the personal data. This includes ensuring that the data are protected from access by unauthorised persons.

  You must show respect for the informants and their rights

  • Processing must be done with respect for the informants' interests and reasonable expectations. The processing must be made clearly understandable to the informants and not be conducted in secretive or manipulative ways.
    
    
  • The use of personal data must be clear and predictable for the informants. Transparency helps to create trust and it enables the informants to exercise their rights and safeguard their interests.
    
    
  • Processed personal data must be correct and must be updated if necessary. This means that you must make sure you immediately delete or rectify personal data that is incorrect.
    
    
  • You must ensure that the informants have the opportunity to exercise their rights.
• Duty of confidentialityCopy linkCopied

  You have a duty of confidentiality relating to information you have obtained as a researcher, cf. Section 13e of the Norwegian Public Administration Act.

  The information may only be used for purposes necessary for the research itself and in accordance with the terms and conditions stipulated. Breach of the duty of confidentiality or of terms and conditions is punishable pursuant to Section 209 of the Norwegian Penal Code.

• How to collect and safely store data? Copy linkCopied

  How to assess the storage area and equipment that can be used?

  Nord University has guidelines for the classification of information. Information must be classified either as green/openly accessible, yellow/protected, red/confidential or black/strictly confidential data. 

  • Before you collect data, classify all information based its need to be protected. Use Nord University’s guidelines for classification of data and the guidelines for storing research data at Nord University. You can request assistance from the data protection officer if you are unsure what classification your data should have. 
    
    
  • After clarifying the classification of your data, check which storage areas and equipment you can use to process this data. An overview of this can be found in the Nord University Storage Guide. Among other things, it explains the requirements for storage areas and equipment that must be used for yellow, red and black data. Please note that black data can only be stored in TSD ( Sensitive Data Services). TSD is a storage service operated by the University of Oslo which Nord University uses through an agreement.
    
    Information on how to store data in TSD

  How to collect information in a digital questionnaire – Nettskjema?

  If you are collecting information through a questionnaire, you must use Nettskjema.

  You must log in using your FEIDE account when accessing Nettskjema. Data should only be stored in Nettskjema, and you must be careful not to download data to your own computer or other insecure storage areas. If there is a need to transfer the data to another storage area, you must use OneDrive, see ‘Secure Storage’ below.  

  You can create anonymous questionnaires. If you create anonymous questionnaires, it is important that questions are only used with radio buttons/checkboxes or drop-down lists, and that no questions are asked that can indirectly identify individuals.  

  If you want to collect information that will enable identification of the informants in the questionnaire, the form must contain explanatory information and a compulsory checkbox for consent. 

  Template for information letter including consent (in Norwegian)

  Nettskjema can be used to obtain consent from informants. This is required if, for example, you are going to interview someone. This is done by creating a form where you enter the text from SIKT's template for information to participants (in Norwegian). You must also enter information specific to your project.

  When creating the form, you must choose that informants log in via the ID-portal so that you have an overview of those who have filled out the form and that no one responds more than once. You must not download/retrieve the consent forms from Nettskjema, as it is most secure that these are stored in Nettskjema. The form in Nettskjema is normally deleted 6 months after the last submitted form. If the form must be stored for a longer period of time, you must enter a fictitious form before 6 months have passed.

  The form in Nettskjema must be deleted when the project has ended. 

  How to conduct a digital interview?

  You can use Zoom or Teams to conduct an interview. You must then ensure that the meeting link is given only to the person being interviewed and that no third parties attend the meeting.

  If you need to make audio recordings, the Nettskjema Dictaphone must be used. You can do this by placing your mobile phone w/ Nettskjema Dictaphone app next to your PC speaker during the interview.  

  How to make audio recordings of interviews?

  A person's voice is to be regarded as personal data in itself, so all audio recordings of persons must be processed in accordance with data protection regulations.  Audio recordings must be made using the Nettskjema Dictaphone app - University of Oslo (uio.no). This app is downloaded to your mobile phone. The audio recording is not saved on the mobile, but is sent directly to Nettskjema. To listen to the recording, you must log in to Nettskjema using your Nord University FEIDE account. Tips and information can be found on UiO's website pertaining to Nettskjema.  

  If poor internet access prevents you from using Nettskjema Dictaphone, an audio recorder without internet access may be used. Audio recorders can be borrowed from some departments at the University Library. Some faculties/research projects may also have audio recorders available. Audio recorders, cassettes, memory sticks, etc. containing audio recordings must be stored securely and should be encrypted if possible. Once data has been transcribed or transferred to secure storage, the recordings must be deleted. It is important to check that all recordings have been deleted before returning a borrowed audio recorder. 

  Can video recordings be made of the informants?

  If it is necessary to make video recordings, the project manager must clarify how this can be carried out in a secure manner and in accordance with applicable guidelines. The Data Protection Officer at Nord University can assist in the assessment.
  If you are conducting a research interview via a Zoom meeting, the following additional requirements apply to recording. Read more about planning and preparing for video recordings in Zoom (in Norwegian).

  Where can data be stored?

  OneDrive​

  All employees at Nord University have access to the OneDrive cloud service in Office 365. Here you can store information classified as green, yellow, or red data. AIl employees at Nord University have access to the cloud service.

  Before you save data to OneDrive, it is important that you check the following: 

  • Make sure files/folders are not shared with others
  • Make sure OneDrive doesn’t automatically synchronise with your private PC/Mac
  • Provide additional protection (encryption) if you need to store red data 

  How to secure red data in OneDrive?

  If you are processing red data, storage in OneDrive should be additionally protected by encrypting it. This will be especially relevant if you are processing sensitive personal data or other confidential information. You can contact IT Help for assistance. 

  How to prevent synchronisation with OneDrive?

  If you have already installed Office 365 (the applications), all data in your OneDrive may be automatically synchronised to your machine. Settings exist that easily ensure that certain folders in OneDrive are only available in the cloud solution. To prevent certain types of data from being stored on a private PC, follow these steps: 

  1. Find the blue OneDrive symbol in the tools menu in the lower-right corner of your PC. 
  2. Click Help & Settings, and then click Settings. 
  3. A small window with the OneDrive account information should pop up (Account). This shows the locations (accounts) that are synchronised. Click ‘choose folders’. De-select the folders that are not to be synchronised.

  Sensitive Data Services (TSD)

  Black data must be stored in TSD. TSD is operated by UiO and is a platform for collecting, storing, analysing and sharing sensitive data in accordance with Norwegian data protection legislation. 

  To register a new project in TSD, you must attach a research ethics approval from either REK, SIKT or the Norwegian Data Protection Authority.
  
  See frequently asked questions about TSD

  Where should the crypto-key be stored?

  The crypto-key must be encrypted and must always be stored separately from the rest of the data. If you store pseudonymised/de-identified data in OneDrive, the crypto-key must be stored in a different secure location, such as at SIKT or an encrypted USB flash drive that is kept under lock and key.  

  Physical material 

  Flash drives and other portable media containing yellow or red data must be encrypted. Printouts, audio recorders, USB flash drives, etc. must be kept under lock and key so that others cannot access them.

• Terms and definitionsCopy linkCopied

  Anonymous information
  Anonymous information is information that can in no way identify individuals in a body of data, either directly through name or national ID number, indirectly through background variables, or through name list/crypto-key or encryption formula and code.

  Processing 
  Any operation performed using personal data, e.g. collection, registration, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of disclosure, compilation or coordination, restriction, deletion or destruction.

  Data controller
  The person who determines the purpose of the processing of personal data and the aids that are to be used. Nord University is the data-controller institution for personal data that is processed in research and student assignments at the university. The day-to-day/administrative responsibility for data control has been delegated to the faculties c/o the dean.  

  Basis for processing
  Legal basis for processing personal data. For example, this may include consent from persons about whom information is being processed.

  Breach of personal data security 
  A breach of security that results in accidental or unlawful destruction, loss, alteration, dissemination of or access to personal data that has been transferred, stored or otherwise processed.

  Data minimisation
  Data minimisation means that you must not collect more information about your sample than is necessary to fulfil your research purpose. If any of the personal data you wish to collect is not necessary to fulfil the purpose, do not collect it. Data minimisation is one of the data protection principles of the GDPR.

  GDPR 
  Abbreviation of The General Data Protection Regulation,  (EU)

  Indirectly identifiable personal data
  A person will be indirectly identifiable if it is possible to identify them through background information such as municipality of residence or institutional affiliation combined with information about age, gender, occupation, diagnosis, etc.

  Informant
  An individual from whom you collect personal data and to whom the information may be linked. Often called a research participant, respondent or the data subject.

  Information security
  Securing information by adherence to the principles of confidentiality, integrity and availability.

  Integrity 
  The principle that personal data must be protected against accidental or unauthorised alteration or deletion.

  Crypto-key
  A crypto-key is a list of names or a file that enables individuals in a dataset to be identified. Creating a crypto key involves replacing a name, national ID number, e-mail address, or other person-specific characteristics in a dataset with a code, number, fictitious name or the like, that refers to a separate list in which each code refers to names. The crypto-key must be kept separate from the data material itself to ensure that unauthorised persons cannot access the links between names and codes.
  For information security reasons, a crypto-key should be used for most projects in which personal data is processed, and especially in projects where sensitive personal data is processed.

  Confidentiality
  The principle that personal data must be safeguarded against unauthorised access to it.

  Encryption
  Method of making data (such as text) unreadable to others using a mathematical function (encryption technique/algorithm) and a predetermined key.

  NSD
  Abbreviation of Norwegian Centre for Research Data. Nord University has an agreement with NSD that involves them assessing data protection in student and research projects where personal data is processed. 

  Personal data
  Information or assessment that can be linked to an individual. This may include a name, address, phone number, email address, voice, vehicle registration number, photos or date of birth.

  Data Protection Officer
  A person appointed by the data controller. Toril Irene Kringen is the data protection officer at Nord University. The task of the Data Protection Officer is to help Nord University comply with the data protection regulations, and is an ombudsperson for the persons about whom Nord University processes personal data. 

  Project
  The term project is used for research projects. In this guide, R&D, candidate, bachelor’s and master’s theses are referred to as ‘projects’.

  Project manager
  In NSD’s notification form, the student will be asked to identify the project manager. If the supervisor is employed at Nord University, this person is the project manager for R&D, candidate, bachelor’s and master’s theses. If the supervisor is not employed at Nord University, the course coordinator is the project manager. 

  Pseudonymisation
  The information is pseudonymised if the name, national ID number or other person-specific characteristics have been replaced with a number, code, fictitious names or the like, referring to a separate list of directly identifiable personal data (crypto-key). Please note that indirectly identifiable personal data must also be categorised into broad categories or removed in order that the data material can be considered pseudonymised. Broad categories means, for example, a region instead of specified municipalities or cities, age intervals (10–19 years, 20–29 years, etc.) rather than precise ages etc. The only way to identify individuals in a pseudonymised dataset must be via the name list/crypto-key. Please note that pseudonymised information is considered personal data regardless of who keeps the list of names, or of where and how it is stored.

  REK – Regional Committee for Medical and Health Research Ethics
  All research projects that are pursuant to the Health Research Act must be receive preliminary approval from REK. REK also processes applications for exemptions from the duty of confidentiality.

  Consent 
  A voluntary, specific, informed, unequivocal and active declaration from the data subjects that they agree to the processing of information about themselves.

  Cloud service
  A collective term for data services provided over the internet that are set up to work with other data services.

  Sensitive personal data/special categories of personal data
  This is information that requires extra protection. In the Act, ‘special categories of personal data’ are defined as personal data of racial or ethnic origin, political conviction, religion, philosophical beliefs or trade union membership, as well as the processing of genetic and biometric information for the purpose of unambiguously identifying a natural person, health information or information about a natural person’s sexual traits or sexual orientation.

  Transcribe audio recordings
  To make a transcript of an audio recording.

  Third party
  An individual who is not included as an informant/research participant/respondent, but to whom information can be linked. If, for example, an informant provides information about their mother, and the information you process can be linked to the mother, the mother will be the third person about whom you process personal data.