Data protection in research
Research activities that involve the processing of personal data must comply with applicable regulations relating to data protection in research. Kristiania University College has the institutional responsibility for accommodating and ensuring that data protection requirements are met. There are several contact persons who can provide advice and guidance.
What is personal data?
Personal data is information that can directly or indirectly identify a person. Directly identifiable personal data is names, personal identification numbers, e-mail addresses, telephone numbers, IP addresses, photographs, voice recordings or other personal attributes. Indirectly identifiable personal data is background information that may make it possible to trace the information back to an individual, e.g. municipality of residence or institutional affiliation combined with information about age, gender, occupation, nationality, etc.
Research projects that will process personal data must be notified to SIKT – Norwegian Agency for Shared Services in Education and Research before the collection of personal data can commence.
What are special categories of personal data?
Special categories of personal data, also referred to as “sensitive personal data”, require additional protection pursuant to the act.
This includes information relating to:
- race or ethnic origin
- political opinions
- religion
- philosophical beliefs
- trade union membership
- genetic data
- biometrics (when the purpose of the processing is to unambiguously identify someone)
- health
- sexual relationships
- sexual orientation
Generally speaking, special categories of personal data must not be processed. Exceptions may be made in cases for which there is a special basis to process such information in addition to the basis for processing. Research projects that will process special categories of personal data must be notified to SIKT and, if applicable, require approval from the REC. Please contact the Department of Research Administration and Internationalisation for further guidance.
What are the relevant regulations relating to data protection in Norway?
In July 2018, the EU General Data Protection Regulation (GDPR) was incorporated into Norwegian law.
The Act relating to the processing of personal data (also known as the Personal Data Act) also includes provisions that adapt or supplement the GDPR in areas where Norway can establish national rules.
What does “processing” of personal data mean?
Processing of personal data refers to collecting, registering, storing and, if applicable, compiling and disclosing personal data. The data subject (informant or respondent) must have provided informed consent (cf. information letters and consent) before the processing of personal data can commence.
Who is the data controller?
The Data Controller is the institution/company/other legal person (represented by senior management) that determines the purpose of the processing of personal data and the means that will be used.
- Projects that process anonymous data throughout the entire research process do not need to be notified to SIKT. In order for data to be considered anonymous, it must not be possible to link the data to personal data using a code or link key.
When is data anonymous?
Anonymous data is data that cannot be used to identify individuals in any way,
- either directly through names or personal identification numbers
- or indirectly through background variables
- or through name lists/link keys or encryption formulas and codes
In other words, data material is not anonymous if only what is published in the final report, article, master’s thesis or similar is anonymised. Raw data must also be anonymous.
Here are some of the methods that may be used:
- Data is recorded only in the form of notes (no audio recordings) in connection with interviews and observations. Ensure that no names or other personally identifying background data are recorded in the data material.
- Questionnaires must be collected as paper copies, without names or any indirectly identifying data.
- In order for the use of online questionnaires not to be covered by the act, it is important to ensure that the IT solution is completely anonymous (including ensuring that the e-mail/IP address of the respondent cannot be linked to the questionnaire at any time) and that the questionnaire itself does not contain any questions about identifying data. NOTE: All employees and students at Kristiania University College can use Nettskjema, which offers an anonymous solution.
- Register data and record data can be used without notifying SIKT, as long as only anonymous data is retrieved. It must not be possible to trace the data back to any individuals in any way. There is a large amount of anonymous register data available online, including from Statistics Norway, SIKT and Microdata.
What does the principle of data minimisation mean?
Data minimisation is a legal personal data protection principle that limits the collection of personal data to only the data that is necessary for the purpose. As a researcher, you must only collect data that is relevant and necessary for the purposes of your research (Personal Data Act, Article 5, part 1C). It is therefore important that you carefully consider whether it is necessary to collect personal data in order to conduct the project investigations. Could anonymous data, i.e. data that cannot be traced back to individuals either directly or indirectly, serve the purpose of the project just as well?
Kristiania University College also recommends that project managers coordinate the collection and facilitate the reuse of data (Open Science).
Draw up a Data Management Plan
A Data Management Plan (DMP) specifies who the Project Manager is, the project name, project period and key information about the data. The plan will describe which data will be collected, stored, processed and used, including how and by whom, while a research project is ongoing, as well as the storage location, retention period and what happens to the data after the conclusion of the project (whether the data will be deleted/archived/published).
Kristiania University College plans to use the information in the data management plan to keep an overview of the institution’s data registers. This is important to ensure that data storage complies with the GDPR and to ensure that data can be made available and coordinated between projects, as well as for reusing existing data (cf. Open Science).
- The SIKT digital data management plan can be edited and shared digitally. Please contact the Department of Research Administration and Internationalisation for guidance.
- Projects funded by the EU must adhere to the instructions on data management in the Participant Portal H2020 Online Manual.
Do you plan to share collected data with partners outside of Kristiania University College? Please be aware that the sharing and processing of data are governed by law. Please contact the Department of Research Administration and Internationalisation for important advice.
Prepare information letters and declarations of consent
If you will be conducting interviews, distributing questionnaires or intend to use other methods to collect personal data for a research project, you will generally have to inform the informant (project participant) of the data collection in advance. This includes providing information about e.g. the purpose of the project, the methods that will be used, which information will be collected and the duration of the project. Read more about the content of information letters on the SIKT website.
If the processing of personal data is legally based on informed consent (GDPR Article 6(1)(a)), after informants have read the information letter, they must be able to freely decide whether or not they wish to participate in the research project. No research must be conducted on individuals or groups without these having explicitly given voluntary and informed consent to participate in the research. The information letter and declaration of consent must be worded using clear and simple language that can be understood by participants. The consent given by the research participant must subsequently be documentable, which, in most cases, would require a written signature on a declaration of consent.
If the processing of personal data is legally based on public interest (GDPR Article 6(1)(e)), you will still need to inform data subjects about the nature and purposes of the data processing and about their rights. Researchers are exempt from providing information letters to data subjects when the data has not been obtained from the data subject and such a notification will be impossible or involve a disproportionate effort (GDPR Article 14(5)(b)).
Use the Kristiania University College templates for information letters and declarations of consent.
Consider whether you need to conduct a DPIA or RVA analysis
Some research projects need to conduct a data protection impact analysis (DPIA) or risk and vulnerability analysis (RVA analysis).
The necessity of conducting such analyses will depend on the special characteristics of the research project.
As an example, a research project that will process special categories of personal data must conduct a DPIA (GDPR, Article 35).
It is also recommended that some research projects map the probability and consequences of adverse events through an RVA analysis. RVA analyses have a broader scope than data protection impact analyses, as RVA analyses may also consider matters such as infrastructure, budget, available databases, personal safety, etc.
For further information and guidance, please refer to the section on “Assessment of privacy consequences and risks”.
Reporting the processing of personal data to SIKT - Norwegian Agency for Shared Services in Education and Research
Projects that will process personal data must be notified to SIKT. Please note that the duty to report applies even if you will not be publishing any personal data. Processing is considered to occur from the time at which data collection commences until the results have been published. You can notify your project to SIKT here.
Tips:
- Take the SIKT “duty to notify” test if you are unsure whether your project has a duty to notify.
- Read the SIKT tips to reduce assessment time. Assessment may take longer for complex projects.
The SIKT contact person
The SIKT contact person at Kristiania University College is the person responsible for correct and proper compliance with the legal provisions relating to information security and internal control in the project. The contact person must be employed by the data controller institution.
- In researcher-led projects (including PhD projects), the contact person will be the Project Manager.
- In student-led projects (bachelor’s or master’s), the supervisor (or assistant supervisor or subject coordinator at the place of study) will be the contact person. The student cannot be the contact person.
Collection of personal data abroad
Researchers and students at institutions in Norway that collect personal data abroad must notify SIKT in the same way as for data collection in Norway.
Report any changes to SIKT
In the event of any changes relating to the processing of personal data in the research project after the project has been assessed by SIKT, you need to report those changes for a new assessment.
Further information about the changes that need to be reported can be found here.
Anonymisation of data
Anonymisation involves processing data in such a way that no individuals can be recognised in the data you are left with. This includes the researcher. In other words, you need to assess your data and decide which data needs to be removed or rewritten.
Anonymisation usually involves:
- deleting directly identifying data (including link keys/name lists)
- deleting indirectly identifying data (or reworking such data using general classification of variables such as age, place of residence, school, or similar)
- deleting (or editing/censoring) audio recordings, photos or video recordings.
If you use a data processor, the data processor must also delete any identifying data.
Personal data and health data must not be stored for longer than is necessary to complete the research project. When the project is finished, the Project Manager will be responsible for ensuring that research data is deleted or anonymised, unless long-term storage has been authorised by the REC/SIKT.
You are generally permitted to store anonymous data material after the conclusion of the project, as the GDPR does not apply to anonymous data. Nevertheless, you must always ensure that you have reworked the data material sufficiently to ensure that no individuals can be recognised. However, there are still some cases in which you will be required to delete the full data material. This applies, for example, if you have promised the sample selection that the data material will be deleted or when data owners, such as Statistics Norway, require you to delete the complete data material upon completion of the project.
Please note that you are not required to delete personal data in publications/theses. Personal data can generally be published, provided you have a scientific justification and you have obtained consent from participants. Please also refer to the Norwegian Data Protection Authority’s guide to anonymisation.
Anonymisation of data
The Project Manager must consider whether to anonymise personal data at the end of the project. The processing of anonymised data is not covered by the GDPR and the data can therefore be stored and retained for reuse (pursuant to the Open Science and FAIR principles).
Deletion of data
At the end of the project, the Project Manager must ensure that personal data is deleted unless there is a requirement for storage beyond the project period, e.g. prior approval from the REC, legal requirements or requirements from the external funder of the research.
The deletion requirement applies to all data in which the identity of the data subject is directly or indirectly available.
Final report to SIKT
The Project Manager must submit a final report to SIKT/REC when the project has finished and, if applicable, confirm that personal data has been anonymised or deleted. Upon completion of a student project, the final report must be submitted immediately after examination.