Privacy and data protection

Research activities that process personal data must comply with current regulations for privacy protection in research.

Content on this page:

↳ 1. Introduction to privacy in research

↳ 3. When you will start collecting data

↳ 5. When the research project is completed

Responsible: Dept. of Research Administration and Internationalisation; Published: 30.11.2024 Last updated: 13.12.2024

1. Introduction to privacy in research

In this section:

↳ 1.1 Guidance on privacy

↳ 1.2 What is personal data

↳ 1.3 What are special categories of personal data?

↳ 1.4 Relevant privacy legislation in Norway

↳ 1.5 What does "processing" of personal data mean?

↳ 1.6 Who is the data controller?

1.1 Guidance on privacy

When processing personal data in your research, you must comply with applicable regulations on privacy. Kristiania has an institutional responsibility to facilitate and ensure that privacy requirements are upheld.

For questions about data protection related to a research project or research application, contact your research advisor or send an email to forskadm@kristiania.no

For general questions about data protection in and outside research, send an email to personvernombud@kristiania.no

1.2 What is personal data?

Personal data are information that directly or indirectly identifies a person. Directly identifiable personal data includes names, personal ID numbers, email addresses, phone numbers, IP addresses, images, voice recordings, or other personal characteristics. Indirectly identifiable personal data includes background information that could potentially trace data back to an individual, such as the municipality of residence or institutional affiliation combined with information about age, gender, profession, nationality, etc.

Research projects involving the processing of personal data must be reported to SIKT – The Norwegian Agency for Shared Services in Education and Research. This must be done before the collection of personal data begins.

1.3 What are special categories of personal data?

Special categories of personal data, formerly referred to as "sensitive personal data," require additional protection under the law. These include:

Racial or ethnic origin
Political opinions
Religion
Philosophical beliefs
Trade union membership
Genetic data
Biometric data (when the purpose is to uniquely identify someone)
Health data
Sexual relationships
Sexual orientation

As a general rule, processing special categories of personal data is prohibited. Exceptions may be made when there is a specific legal basis, in addition to the lawful basis required for processing such data.

Research projects involving special categories of personal data must be reported to SIKT and may also require approval from REK (Regional Committees for Medical and Health Research Ethics). For further assistance, contact your research advisor at https://www.kristiania.no/forskning/forskningsstotte/.

1.4 Relevant privacy legislation in Norway

As of July 2018, the EU General Data Protection Regulation (only in Norwegian) (GDPR) has been implemented as Norwegian law.

In addition, the Personal Data Act (Personopplysningsloven) contains provisions that adapt or supplement the GDPR in areas where Norway can establish national regulations.

1.5 What does "processing" of personal data mean?

Processing refers to collecting, recording, storing, and potentially compiling or disclosing personal data. All processing of personal data must have a legal basis to be lawful. In research projects, the most common legal bases are consent and/or public interest.

Without a legal basis, the use of personal data is illegal.

1.6 Who is the data controller?

The data controller is the institution, company, or other legal entity (represented by top management) that determines the purpose of the processing of personal data and the means used. Kristiania is the data controller for all research projects conducted under its auspices.

2. Before you start collecting data

In this section:

↳ 2.1 When are data anonymous?

↳ 2.2 How can you collect anonymous data

↳ 2.3 Avoid unnecessary collection of personal data in research projects

↳ 2.4 Consider conducting a risk assessment (ROS) for data security

2.1 When are data anonymous?

Privacy legislation does not apply to anonymous data. Projects that process anonymous data throughout the research process do not need to be reported to SIKT. For data to be considered anonymous, they must not be traceable to personal information via a code or linkage key.

Data are anonymous when it is impossible to associate them with an identifiable individual. This must hold even if all reasonably available tools, such as background variables, linkage keys, or encryption codes, are used by either the data controller or any other party.

Note: Data are not anonymous if only the published material (e.g., the final report, article, or thesis) is anonymized. All raw data must also be anonymous.

2.2 How can you collect anonymous data?

There are several methods for collecting anonymous data:

Interviews and observations: Record data only in the form of notes (not audio recordings). Ensure no names or personally identifiable background information are registered.
Surveys: They should be paper-based. Collect responses without names or indirectly identifiable information.
Online surveys: To ensure compliance with privacy laws, use an IT solution that guarantees complete anonymity (e.g., no email/IP address linked to the survey). The survey itself must not include questions that reveal identity. Note: Kristiania staff and students can use Nettskjema, which offers an anonymous survey solution.
Registry data and journal data: These can be used without reporting to SIKT, provided only anonymous data are extracted. The data must not be traceable to individuals. Numerous anonymous registry datasets are available online, such as from SSB (Statistics Norway) and SIKT.
Internet or social media data collection: This requires special considerations; see the section below.

In health research, some projects may be based on anonymous data and, therefore, do not require prior approval from REK. Examples include:

Quality assurance and evaluation of health services. That is projects, examinations and evaluations that assess whether diagnostics and treatments meet expected results. See REK's guidelines on quality assurance versus projects requiring submission (only in Norwegian).
De-identified and/or anonymous data from central or legally mandated health registries may be used anonymously (exceptions may exist in registry-specific regulations).
Use of other anonymous data and assessments regarding health conditions (where the registry owner is responsible for anonymization).
Technical and methodological development that use human biological material without any associated personal information.

2.3 Avoid unnecessary collection of personal data in research projects

Data minimization is a legal privacy principle that limits the collection of personal data to what is necessary for the purpose.

As a researcher, you should only collect information that is relevant and essential to your research objectives (Article 5, 1c of the Norwegian Personal Data Act, only in Norwegian). Carefully consider whether collecting personal data is truly necessary for your study. Could anonymous data achieve the same goals, that is data that cannot be directly or indirectly traced back to individuals?

Kristiania also encourages project leaders to coordinate data collection and facilitate data reuse, in line with Open Science principles.

2.4 Consider conducting a risk assessment (ROS) for data security

Some research projects require an evaluation of the likelihood of adverse events and their potential consequences—a so-called Risk and Vulnerability Analysis (ROS analysis). This may be necessary even if personal data are not involved. This will be necessary, for instance, when the research data are highly sensitive, the project is particularly extensive or long-term, or there is a threat related to the environment handling and storing the research data. The ROS assessment may cover infrastructure, budgets, available databases, personal safety, etc.

Use Kristiania’s ROS assessment template (only in Norwegian) and archive it in the project folder. It is recommended to conduct the ROS assessment while preparing the Data Management Plan (DMP).

Contact Kristiania’s IT support for questions regarding ROS assessments. The Kristiania IT policy is available here.

Important: For projects involving external data processors, Kristiania must enter into a data processing agreement with the data controller institution. For the agreement to be valid, the external data controller must have conducted a ROS analysis of the project before Kristiania signs the agreement. Contact your research advisor for assistance.

3. When you will start collecting data

In this section:

↳ 3.1 Create a data management plan (DMP)

↳ 3.2 Conduct a risk assessment for data security (ROS), including personal data

↳ 3.3 Report the processing of personal data to SIKT

↳ 3.4 Who is responsible for reporting?

↳ 3.5 Will the project collect personal data abroad?

↳ 3.6 Assess privacy impact (DPIA) for high-risk research projects

↳ 3.7 Take special precautions for internet research

↳ 3.8 Prepare an information letter

↳ 3.9 Create a consent declaration

↳ 3.10 Seek REK approval for your health research project

↳ 3.11 Register clinical trials (Health Research)

3.1 Create a data management plan (DMP)

A Data Management Plan (DMP) describes details such as the project leader, project name, project duration, and essential information about the data. It outlines how and which data will be collected, stored, processed, and used, as well as by whom, during the research project. Additionally, it explains what will happen to the data after the project concludes (e.g., storage location, storage duration, and whether the data will be anonymized, deleted, archived, or made accessible).

Kristiania aims to use the information in the DMP to maintain an overview of the institution’s data registries. This is essential to ensure that data storage complies with GDPR. Additionally, efforts are made to make existing data available for reuse and to coordinate data collection across projects (cf. Open Science).

Available guidance and templates for a DMP:

SIKT’s digital Data Management Plan can be edited and shared online.
Projects funded by the EU must follow the data management guidelines outlined in the Participant Portal H2020 Online Manual.

Are you planning to share collected data with partners outside Kristiania? Please note that sharing and jointly processing data are regulated by law and require specific agreements. Contact your research advisor for further support.

3.2 Conduct a risk assessment for data security (ROS), including personal data

All research projects must prevent unwanted incidents and ensure compliance with data security and privacy requirements when collecting personal data.

Research projects involving a security risk must assess the likelihood of unwanted incidents and their potential consequences through a Risk and Vulnerability Assessment (ROS analysis). See here [LENKE til avsnitt over] for link to forms and contact persons). This is conducted in conjunction with the development of the DMP. A ROS analysis is also required when entering into an agreement with an external data processor.

Preventive measures must be implemented to ensure sufficient information security.

In research projects that include personal data, the ROS analysis should also help prevent incidents or issues with data processing.

When collecting personal data, ensure secure data storage and access control. Contact Kristiania's Data Security Officer for guidance.

3.3 Report the processing of personal data to SIKT

Research projects involving personal data must be reported to SIKT, the service provider for the knowledge sector. This reporting is mandatory and must occur at least 30 days before data processing begins, even if the personal data will not be published. The processing of personal data starts when data collection begins and continues until the results are published. Report your project to SIKT here.

Tips:

Take SIKT’s self-test to determine whether your project requires reporting.
Read SIKT’s advice on reducing assessment time. For complex projects, the review may take longer.

3.4 Who is responsible for reporting?

The project leader is responsible for reporting research projects to SIKT. The Pro-Dean for Research & Artistic Development Work and the research administration must be informed beforehand.

For Ph.D. projects, the Ph.D. candidate is responsible for reporting the project unless the Ph.D. project is already included in a larger research project reported to SIKT.

The person responsible for reporting the research project to SIKT is also responsible for ensuring compliance with the legal requirements for information security and internal control within the project. Project leaders must ensure that all documentation requirements are met during the project.

In exceptional cases, when personal data is processed in master’s theses, the supervisor (or a co-supervisor or course coordinator) is responsible for reporting the thesis to SIKT. The student cannot take responsibility for this.

3.5 Will the project collect personal data abroad?

Researchers and students at a Norwegian institution collecting personal data abroad must report their research projects to SIKT just as they would for data collection in Norway.

3.6 Assess privacy impact (DPIA) for high-risk research projects

Research projects of a particularly intrusive nature may involve processing of, for instance, special categories of personal data see here [LENKE til eget avsnitt øverst, s.9), or of health data for research purposes without consent. For such projects, Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) before data collection begins.

Read more about when a DPIA is required. SIKT may recommend conducting a DPIA.

The project leader must involve the Pro-Dean for Research and Artistic Development Work, the research administration, and Kristiania's Data Protection Officer and conduct a DPIA before the project starts. Note that a ROS analysis cannot replace a DPIA.

In cases where the project leader decides not to conduct a DPIA, a justification must be documented in the project folder.

To perform a DPIA or pre-DPIA, all academic staff at Kristiania can use DRAFTIT’s digital solution at no cost. If you lack access to the DPIA module in Draftit, email personvernombud@kristiania.no. Draftit’s video training on DPIA is available in the "GDPR" folder on Kristiania’s intranet under "Viktige verktøy."

Contact Kristiania’s data protection officer for support at personvernombud@kristiania.no

If a DPIA shows that the research project poses a high risk to the rights and freedoms of participants, the project leader must contact the Norwegian Data Protection Authority (Datatilsynet) for prior consultation (cf. GDPR Article 36, only in Norwegian).

3.7 Take special precautions for internet research

Data from the internet or social media may be accessible but not necessarily public. Research projects involving personal data must be reported to SIKT. Examples include:

Storing screenshots/documents from open or closed forums containing participants' usernames.
Using direct quotes from websites, as these can lead to identifiable individuals.

Internet research provides access to large datasets, so it is crucial to limit data collection. Researchers should consider:

Which data are unnecessary for the project but likely to be collected inadvertently?
How can the collection of such data be minimized?
What type of forums are the data sourced from, and how public do users perceive them to be?
How sensitive or private are the collected data?
Are internet users considered a vulnerable group?

Research projects involving personal data require:

Informing participants about the project.
Determining the legal basis for processing personal data.
Obtaining consent, with exceptions granted in specific cases (e.g., based on the public interest).

Internet research also involves ethical challenges. For more information, refer to NESH’s Research Ethics Guide for Internet Research.

3.8 Prepare an information letter

When including participants in your research, you must inform them about the project beforehand. The information should outline the project’s purpose, methods, type of data, and duration. The letter must be written in clear, simple language that participants can understand.

Information letters should also be used when processing anonymous data.

After reading the letter, participants should decide freely whether they wish to participate in the research project.

Read more about the content of information letters and find templates on SIKT’s website.

3.9 Create a consent declaration

Consent is a legal basis for processing personal data in research. If this is your chosen basis, obtain a signed consent declaration from participants.

A consent declaration is a document that demonstrates that the project participants have explicitly given their voluntary and informed consent to participate in the research project.

The consent declaration must clearly and simply explain the project. The declaration must be documentable for future reference, often requiring a written signature.

Use Kristiania’s consent form templates.

In health research involving health data or biological material, consent must usually be obtained, whether data are collected directly from individuals or sourced from patient records, registries, or biobanks.

Granted exceptions to confidentiality are necessary in case of research involving existing health data or biological material without consent. Exemption applications must be assessed by REK, in the case of medical and health related research (Norwegian Act on Health Research, §§ 15, 28 og 35) and for other types of research.

See more information on exceptions to consent here.

3.10 Seek REK approval for your health research project

All health research under the Norwegian Health Research Act must be pre-approved by REK. REK approves applications based on the Norwegian Research Ethics and the Norwegian Health Research Acts. This includes:

Medical and health-related research.
General research biobanks.
Exceptions to confidentiality under the Public Administration Act (§13d) or the Health Personnel Act (§29), for other type of research.

Examples of health research projects that do not require approval from REK are described here [LENKE til avsnitt over om hvordan du kan innhente anonyme data, s.11].

If you are unsure whether REK approval is required, submit a preliminary review for guidance.

Here you can find more information about REK's approvals (only in Norwegian).

Before submitting an application to REK for prior approval of a health research project, you must inform the Pro-Dean of Research and Development & Artistic Development Work, and the research administration. To apply to REK, you must also do the following:

Access REK's application portal and register your NVA ID on your REK personal profile.
Register and submit your application.
When/if the project is approved by REK, the project will automatically be created in NVA (via the SPREK portal, which is REK's register of REK-approved research projects). The project leader will simultaneously receive an email with a link to the project. Duplicate entries of REK-approved projects must not be created in NVA.

3.11 Register clinical trials (Health Research)

Clinical trials must be registered on the European portal for clinical trials clinicaltrials.gov before the study begins. It is not possible to register the trial after they have started. Most medical journals require registration for publishing results coming from clinical trials. More about Clinical Trials at ICMJI.

The purpose of the registry is to increase transparency and accessibility of ongoing clinical trials, benefiting patients, healthcare professionals, authorities, and researchers. This is intended to lead to increased participation and accessibility of experimental treatments for patients.

The project leader is responsible for ensuring transparency, as outlined in Chapter 8, §39 of the Health Research Act.

4. When you have collected data

In this section:

↳ 4.1 Consider anonymizing the data material during the project

↳ 4.2 Update the Data Management Plan (DMP) and risk assessments if changes occur

↳ 4.3 Report changes to SIKT

↳ 4.4 Report changes in REK-approved health research projects

4.1 Consider anonymizing the data material during the project

Privacy concerns can be mitigated by anonymizing data. Anonymization ensures that no individuals can be identified in the data you retain, not even by the researcher.

During the research project, you must evaluate your data and decide which information needs to be removed or altered. Anonymization typically involves deleting:

Directly identifiable information (including linking keys/name lists)
Indirectly identifiable information (which can be restructured, for example, by categorizing variables such as age, location, school, etc.)
Audio recordings, images, and videos (which may need editing or blurring)

If you are using a data processor, they must also delete identifying information.

4.2 Update the Data Management Plan (DMP) and risk assessments if changes occur

If changes occur during the project, such as modifications to the project design, data processing, or threat landscape, the project leader must update the project's Data Management Plan (DMP). A new risk assessment for data security (ROS) and, if applicable, for data protection impacts (DPIA) must also be conducted.

4.3 Report changes to SIKT

When changes occur in the processing of personal data in a research project after SIKT has reviewed it, it is necessary to notify SIKT and obtain a new review.

Here you can find information on which changes must be reported and which do not.

4.4 Report changes in REK-approved health research projects

Changes in a health research project must be reviewed by REK if they affect the conditions for approval. Changes to the REK-approved project must also be registered in NVA to ensure REK has access to them. This is how you edit a health research project in NVA (only in Norwegian).

Examples of project changes that must be reviewed again by REK:

Changes in design and analysis
New knowledge about risks, disadvantages, and/or benefits for participants or others
Changes in project leader, responsible organisation, research biobank manager, or project staff
Postponement or extension of the project period
Increase in the number of project participants
Changes in recruitment procedures
Changes in inclusion and/or exclusion criteria
Substantive changes to the request for participation (information sheet)
Changes in granted conditions for exemptions from confidentiality (e.g., who has access to personally identifiable information)
Changes in the storage and processing of health data or biological material

Examples of project changes that do NOT require a new review by REK:

Study materials (participant cards, diaries, medication bags, etc.)
Number of participants per center, provided the total number of participants remains unchanged
Lead investigator abroad
Contract Research Organization (CRO)
Pharmaceutical, chemical, or biological quality of the test preparations

5. When the research project is completed

In this section:

↳ 5.1 Consider anonymizing data

↳ 5.2 Ensure the deletion of data

↳ 5.3 Submit a final report for the research project to SIKT

↳ 5.4 Submit a final report for the health research project to REK

5.1 Consider anonymizing data

The project leader must evaluate whether personal data should be anonymized upon project completion. See here [Link to the section above, p.11] or refer to Norwegian Data Protection Authority's guide on anonymization.

The processing of anonymized data is not subject to GDPR, and anonymous data can therefore be stored and preserved for reuse (in line with Open Science and the FAIR principles).

5.2 Ensure the deletion of data

At the conclusion of the project, the project leader must ensure that personal data (including health information) is securely deleted. The requirement for deletion applies to all information that directly or indirectly reveals the identity of the research participant.

This does not apply if there are requirements for retention beyond the project period, such as prior approval from REK, legal obligations, or requirements from an external research funder.

Even for anonymous data, there are cases where you must delete the entire dataset—for example, if this was promised to the participants/informants. Data owners, such as Statistics Norway (SSB), may also require you to delete the entire dataset upon project completion.

Note that you are not required to delete personal data contained in publications or theses. If you have a scientific justification for retaining such data and a legal basis for processing it, personal data can generally be published. See also the Norwegian Data Protection Authority's guide on anonymization.

5.3 Submit a final report for the research project to SIKT

The project leader must submit a final report to SIKT/REK when the research project is completed, confirming whether personal data has been anonymized or deleted.

5.4 Submit a final report for the health research project to REK

When a health research project is completed, the project leader must submit a final report to REK using the designated form. Information about the form can be found in REK's portal..