I am a Researcher, Supervisor or PhD student

The researcher is responsible for ensuring that the project complies with the requirements in the data protection regulation. A researcher who is project manager is responsible for ensuring that everyone working on the project has sufficient knowledge of privacy and data protection. PhD students must comply with special rules.

Published Nov. 9, 2023 12:42 PM - Last modified Apr. 15, 2024 10:20 AM

PhD Students - Privacy

PhD students do not, by definition, have research competence. The supervisor thus has formal responsibility for the PhD student's research project.

PhD students have their own responsibility for familiarizing themselves with and following rules and routines for privacy and personal data protection in their research project.

PhD students can report their project to Sikt for assessment of the planned privacy and personal data protection in the project. The report to Sikt and any attachments, including any applications to REK and NIH's Ethics Committee, must be quality checked by the supervisor.

For practical reasons, PhD students can register their projects in Prosjektweb and assume the role of project manager in Prosjektweb. The supervisor and PhD student must together clarify who is responsible for archiving agreements and other archive-worthy project documents.

Supervisor's Responsibilities

The responsibilities/tasks listed here are limited to the area of privacy and information security and do not include all tasks related to the role of supervisor.

Responsibility Supervisor for Master Student

The Supervisor's responsibilities:

The Supervisor must ensure that the master student has sufficient knowledge of routines and rules. The Supervisor is responsible for ensuring that conditions for approvals are followed and must ensure that data is collected and stored in accordance with regulations.

Specification of tasks - the supervisor must:

  • Quality check messages/applications to Sikt, REK and NIH's Ethics Committee before they are submitted.
  • Check whether access to the master's thesis must be restricted for a shorter or longer period.
  • Store the link key safely and delete it in accordance with the conditions from Sikt. As a general rule, the link key cannot be deleted before the master exam is finished.
  • Inform Sikt when the link key has been deleted/all personal data has been anonymized.

The Supervisor must also ensure that the project is registered in Prosjektweb if the project includes personal data. The master student can possibly be added as a project member in Prosjektweb (the student's @student.nih.no email must be used for this).

Responsibility supervisor for PhD student

The Supervisor's responsibilities:

The Supervisor must ensure that the PhD student has sufficient knowledge of routines and rules. The supervisor is responsible for ensuring that conditions for approvals are followed and must ensure that data is collected and stored in accordance with regulations.

Specification of tasks - the supervisor must:

  • Quality check messages/applications to Sikt (NSD), REK and the Ethical Review Board before they are submitted.
  • Contact the data protection representative if this is relevant - for example if there is a need to prepare a Data Processing Impact Assessment (DPIA).

The Supervisor must also ensure that the project is registered in Prosjektweb if the project includes personal data. The Supervisor must clarify with the PhD student who is responsible for archiving project documents via Prosjektweb.

Approvals and assessments before start-up

NIH expects researchers to clarify with the head of department before the project starts and before other approvals are sought. For PhD students' and master students' projects, the supervisor must ensure such clarification.

Different kinds of research projects require different kinds of approvals. All research projects involving collection or processing of personal information must be notified to Sikt - personverntjenester (previously NSD). For projects that fall within the scope of the Health Research Act or will require the approval of NIH's Ethical committee, see links below.

For more information (in Norwegian) - see "Prosedyrer for oppstart av et prosjekt under Forskningsadministrative rutiner"

Sikt notification

All research projects that include personal data or research on human biological material must be reported to Sikt. Sikt gives its assessment of whether privacy is safeguarded in the project. The responsibility still lies with the researcher/NIH. Report the project via sikt.no/MinSide.

See additional information from Sikt regarding the notification form.

Important documents that must be attached for assessment by Sikt:

  • Questionnaire
  • Interview guide
  • Declaration of consent
  • Project description

If the notification form is submitted before other decisions have been made (for example, approval from REK or from NIH's Ethics Committee), a copy of these must be included.

Re application to REK or to NIH Ethical Review Board

Regional committee for medical and healthcare research ethics - REK homepage

Approval Ethical Review Board - see information about NIH Ethical Review Board

 

Registration Prosjektweb

All research projects carried out by NIH employees must be registered in Prosjektweb. Prosjektweb is available via Innersvingen. If personal data is collected, select project type "research on people externally funded" or "research on people internally funded". In Prosjektweb, the project manager and project members have access to checklists/remember lists for project administration. By uploading project documents such as agreements, budgets and reports, you also fulfill the archiving obligation (automatic transfer to P360). See guidelines at Innersvingen.

Prosjektweb is only available to staff and to students at NIH via @nih.no-mail.

Legal basis for processing

The project manager is responsible for ensuring that there is a legal basis for processing of personal data. The most important basis for research is the consent of the participants, but other grounds may be relevant. In the case of special categories of personal data ("sensitive data"), express consent is required, usually a signature.

Read more about the basis for processing on the page about routines.

Collection of data

Only when all approvals are available - including confirmation of consent from the participants/subjects - can the collection of data begin. The project manager is responsible for how data is collected and processed. Personal data shall not be stored longer than is necessary for the purpose for which it was collected.

Read more about collection on the routines page.

Storage - classification of data

The project manager is responsible for ensuring data protection during the process and must make an assessment of how to store the data material. The level of security will depend on the type of personal data that is processed. The strictest storage requirements are for data in categories black and red.

Information about how data is to be stored must be included in the notification to NSD and in the application to REK.

Read more about storage and classification.

Access, Transfer or Sharing

The project manager must also consider who should have access to active research data.

The institutions/researchers/students or employees who will have access to personal data must be specified in the report to NSD and in the application to REK. The research participants must also be informed about and have consented to such sharing of personal information.

Read more about access and sharing on the routines page

 

Follow-up participants' privacy

Anyone who has agreed to participate in a research project can, as a general rule, require access to and correction of incorrectly registered information. They can also withdraw from further participation without justification/revoke given consent. Requests from participants must be replied to within 30 days.

Amendment reports 

In the event of significant changes to the project, the researcher/project manager must send an amendment report to the same institutions that originally granted approval. It may also be necessary to obtain new consent from the participants.

Examples of project changes

  • Change in design and analysis
  • New knowledge about risk, disadvantage or benefit for the research participants
  • Change of project manager, research manager, research biobank or project employee.
  • Postponement or extension of the project period
  • Increase in the number of research participants
  • Change in recruitment procedure
  • Change in inclusion and exclusion criteria
  • Content-related change of information letter and request for participation
  • Change in given conditions for dispensation from confidentiality
  • Change in who has access to personally sensitive information
  • Change of storage and processing of health information or biological material.

The project leader fills in the form for changing the research project - see the websites of NSD/REK/Etisk Komité. Contact the relevant institution(s) if there is any doubt as to whether the changes in the project require an application/amendment.

Report issues re privacy and information security

In case of an undesired incident, inform sikkerhetsavvik@nih.no. Describe what has happened. You should also inform your direct leader - if possible.

Examples of undesired incidents include personal information distributed to the wrong persons (for instance included in an attachment or in "the tail" of an e-mail), a password made available due to "phishing", and information wrongly classified so that it is available to more people than intended.

NIH - at institutional level - must report breaches of the GDPR to Datatilsynet within 72 hours.

Closing, final announcements and archiving

In the closing phase, collected personal data must be deleted, anonymised or kept for further storage. NIH has decided that data from research projects must be stored for 5 years for possible inspection and control. For the same reason, data for master students' projects must be stored until approval of the exam.

Closing - personal information

Researcher must

  • ensure that all personal information about respondents or informants that is not to be kept after the end of the project is properly deleted;
  • ensure that personal data to be stored after the end of the project is anonymised, for example by destroying the connection key for de-identified data;
  • ensure that personal data to be kept un-anonymised after the project is properly stored.

Final announcements/reports

Researcher must

  • send a final report to Sikt and possibly to REK.
  • update Prosjektweb

 

Archiving of data

Archiving must not be confused with active storage of data that is in use during the project period.

NIH requires that data from research projects be kept for five years after the end of the project (for control and authentication). This requirement does not apply to master students' projects unless they are part of a larger research project. After the prescribed storage period, the project manager must ensure that personal data is anonymised or deleted.