The supervisor is responsible for the research project, but as a master's student you are responsible for various tasks related to the implementation.
The responsibilities and tasks specified here are limited to privacy and data protection and do not cover all aspects of the master's thesis/master's study.
Master students - privacy
Master's students do not have formal research competence and must, according to the supervision agreement:
- fill in and confirm that you will comply with the guidelines for the processing of personal data in the master's project (form in Norwegian only)
- familiarize yourself with and follow guidelines for privacy in research at NIH
- seek assistance from a supervisor if doubts arise about which guidelines apply or how they should be understood/practiced.
- ensure that the supervisor quality checks notification to NSD/applications to REK and the Ethical Review Board before these are sent.
- share registration form with supervisor
- follow conditions from NSD, REK and Ethical Review Board.
- de-identify collected personal data as quickly as possible and deliver the connection key to the supervisor.
To learn about the researcher/supervisor's responsabilities, see more information on the pages "I am a researcher or a PhD student" and on "Privacy and Research Routines"
Closing, termination notifications and archiving
In the closing phase, collected personal data must be deleted, anonymised or stored for further storage. NIH has decided that data from research projects must be stored for 5 years for possible inspection and control. For master students' projects, data must be stored until final exam.
End of project - privacy
Master students must work in collaboration with their Supervisor to
- delete or anonymise all personal data regarding participants or informants that should not be kept for control and inspection.
- ensure safe storage of personal data regarding participants or informants that should be kept for control and inspection.
Submit thesis/Termination notification
When you submit your thesis, you must include a confirmation that you have complied with the rules for handling of personal information (form in Norwegian)
At the end of a research project, a notification must be sent Sikt and, if relevant, also to REK.
Access to Sikt's message portal requires access to the @student.nih.no e-mail.
In accordance with the guidance agreement, the link key must not, as a general rule, be deleted before censorship has taken place. The supervisor must notify Sikt when the link key is deleted.
- ensure that all personal information about respondents or informants that is not to be kept after the end of the project is properly deleted;
- ensure that personal data to be stored after the end of the project is anonymised, for example by destroying the link key for de-identified data
Report issues re privacy and information security
In case of an undesired incident, inform sikkerhetsavvik@nih.no. Describe what has happened. You should also inform your direct leader - if possible.
Examples of undesired incidents include personal information distributed to wrong persons (maybe included in an attachment or in "the tail" of an e-mail), password made available due to "phishing", information wrongly classified so available to more people than intended.
NIH - at institutional level - must report breach of GDPR to Datatilsynet within 72 hours.
General Privacy Advice
Protect the Privacy of Others
- Make sure not to leave prints in the printer (use secure printing) or on your desk when you are not present. Printouts should be stored in lockable cabinets and should not be taken outside the office/work site.
- Do not send sensitive personal information such as bank account numbers, social security numbers, etc. by email, instead use access-regulated areas.
- Use employee numbers rather than social security numbers where possible.
- Remember that information from the payroll and personnel system and financial systems should only be used internally at NIH. External persons who want access to data from our systems must contact the system owner.
- Do not store reports on personal home directories or unencrypted memory sticks. If you are going to store a report, this should be done in a common area where as few others as possible have access.
- Your user account in the systems is personal and should never be shared with others or otherwise misused. It is important that you protect your passwords so that they do not go astray.
- Always remember to lock (Windows key + L) or log off your PC when you leave your seat, even if it's just for a minute or two.
- Be aware that you have access to information that could harm your co-workers'/colleagues' privacy if it goes astray.
Assess the Need to Print or Save a Report
You should carefully consider before saving or printing the results of a report. Do you really need this information later? Or is it perhaps enough to see the result on the screen there and then? Try not to save or print the results of a report unless really necessary.
Clean Up After Yourself
If you have chosen to save or print a report from the systems, it is important that you delete/shred this as soon as the purpose is fulfilled. Be sure to incorporate a good routine for regularly cleaning and deleting documents.
Be Aware of Your Responsibilities
Set a good example and help your co-workers and colleagues adopt your good habits and attitudes towards the use of personal data.