Privacy for student assignments

This information is for students working on their bachelor’s or master’s assignment. The following information is based on Kristiania’s Internal guidelines for data collection in student assignments (decided by the rectorate on 22.11.2021).

The main rule is that students must not process personal data in student assignments. There is one exception for master's degree students who are involved in a research project.

What Does “Processing Personal Data” Mean?

Personal data are information that can directly or indirectly identify a person. Directly identifiable information includes names, personal numbers, email addresses, phone numbers, IP addresses, images, voice recordings, or other personal characteristics. Indirectly identifiable information includes background details that can trace back to an individual, such as residence municipality or institutional affiliation combined with age, gender, occupation, nationality, etc.

Special categories of personal data include information about racial or ethnic origin, political opinions, religion, philosophical beliefs, trade union membership, genetics, biometrics (when used for unique identification), health, sexual relationships, and sexual orientation.

Processing means collecting, recording, storing, and possibly compiling and disclosing personal data. All processing of personal data must have a legal basis to be lawful.

Students should not process personal data, including special categories of personal data.

What Types of Data Can Students Process?

Students can process anonymous data if necessary for their assignments. Assignments where only anonymous data are processed do not need to be reported to SIKT.

Even when processing anonymous data, students must inform, if possible, project participants and anonymous informants about the content and purpose of the project. This can be done via, for example, a website or an information letter.

When Are Data Anonymous?

Data are anonymous when they cannot be used to identify individuals in any way, either:

  • Directly through names or personal numbers
  • Indirectly through background variables
  • Or through a name list/linking key or encryption formula and code

Data are not anonymous if only the published report, article, thesis, or similar is anonymized. Raw data must also be anonymous.

How to Ensure No Personal Data Are Processed?

Students must ensure the following during data processing:

  • No names or personally identifiable background information should be recorded in the data.
  • Do not take audio recordings during interviews. Students can record data only in the form of notes. The voice is personal data.
  • Conduct interviews by phone or Zoom without recording the conversation, or note personal data.
  • It is possible to use web forms with anonymous settings. NB! All employees and students at Kristiania University College can use Nettskjema, which offers an anonymous solution.
  • Students can consider using anonymous data available from existing databases (such as SSB, SIKT, etc.)

Students should never collect identifiable health information or other special categories of personal data. This also applies if the material and information are later to be anonymized.

What Principles Are Relevant for Data Processing in Student Assignments?

Students should – under the guidance of their supervisor – follow the FAIR principles, which state that research data should be findable, accessible, and reusable.

Students should only collect information that is relevant and necessary for the student assignment (principle of data minimization). Therefore, think carefully about whether it is necessary to collect personal data to carry out the project’s investigations. Can anonymous data, i.e., information that can neither directly nor indirectly be traced back to individuals, serve the project’s purpose just as well?

Kristiania recommends that project leaders coordinate data collection and facilitate data reuse (Open Science).

When Can a Master’s Student Exceptionally Process Personal Data?

A master’s student can process personal data only when the master’s thesis is a sub-project in a larger research project.

This exception requires the following:

  1. The project leader for the larger research project must also be the supervisor for the master’s thesis.
  2. The supervisor must approve the exception. The approval must be documented.
  3. The student should only process personal data that are adequate and relevant for the purpose of the master’s thesis (principle of data minimization).
  4. The student should never process special categories of personal data. Therefore, it should not be necessary to conduct a data protection impact assessment (DPIA) or report the project to REK.
  5. The student should – under the guidance of their supervisor – prepare a data management plan and conduct a risk assessment of the project’s information security.
  6. The student should – under the guidance of their supervisor – consider and possibly prepare a consent form and an information letter for their master’s thesis. The consent form must be documented (e.g., via web form or on paper. See more information about this here)
  7. The student has a duty of confidentiality regarding personal data processed in a master’s thesis. See the general ethical guidelines of the national research ethics committees and the University and College Act § 12-7 Student’s duty of confidentiality (not available in english).
  8. The exception to this duty of confidentiality applies if one comes across situations where there is a legal obligation to prevent serious criminal acts.
  9. The student should – under the guidance of their supervisor – consider whether the personal data should be anonymized or deleted if there is no requirement for retention beyond the project period.
  10. The supervisor should be “responsible” for reporting the project to SIKT.

This means that:

  • The student should – under the guidance of their supervisor – prepare a notification to the Knowledge Sector Service Provider (SIKT) at least 30 days before the processing is to start. The supervisor approves the notification to SIKT and is registered as “responsible.”
  • The supervisor is responsible for ensuring that the notification is sent correctly.
  • The supervisor is responsible for following up on case processing with SIKT.
  • When the master’s thesis is completed, the supervisor is responsible for sending a final report to SIKT.

More information about privacy in research projects is available here.

What Applies to Practical Student Assignments with a Journalistic or Artistic Component?

In cases where student assignments involve creating a journalistic or artistic work, these are not considered research projects and are therefore not reportable to SIKT.

The Personal Data Act §3 provides exceptions for the processing of personal data for journalistic, artistic, or literary purposes. However, it is mandatory to take some precautions. Contact your supervisor to see if this applies to you.