
Privacy and Research Routines NIH

Privacy means that individuals have the right to have their private life left in peace and to have influence over the use and dissemination of information about themselves. Strict requirements are therefore placed on researchers' use of personal information. NIH has guidelines and routines to ensure that our research complies with the regulations in this area.

Published Nov. 9, 2023 12:43 PM - Last modified Apr. 12, 2024 2:16 PM

Responsibility Privacy in Research

The CEO is responsible for research at the NIH. This includes responsibility for NIH having updated guidelines for privacy and data protection in research, and responsibility for establishing IT solutions for secure processing of research data.

Responsible implementation of research projects is a line responsibility - the tasks are delegated to the various departments.

Responsibility Privacy at Department level

The Head of department is delegated responsibility by the managing director for the follow-up of projects. Heads of department are responsible for ensuring that employees, as well as external researchers working at the department, are familiar with the routines presented here.

Department heads are also responsible for following up and checking that employees, external researchers and students comply with NIH's guidelines for privacy and data protection.

On leave/termination of employment, the Head of department must ensure that all research data is stored in accordance with the guidelines and that all necessary amendment reports are sent to external partners - including Sikt and REK.

Responsibility Privacy at Project Level

The Project Manager is responsible for ensuring that research ethics norms and privacy rules are followed in the project. The Supervisor has project management responsibility for projects carried out by PhD or master students.

Supervisors are responsible for ensuring that PhD, master and bachelor students are familiar with these routines.

On leave/termination of study/work, the Supervisor must ensure that all research data is stored in accordance with guidelines and that all necessary amendment reports have been sent to external partners including Sikt and REK.

Each individual research worker and student has an independent responsibility for familiarizing themselves with and following the routines presented here.

What is personal data?

Personal data is information that makes it possible to identify a natural person. The identification can be done directly or indirectly. The information is owned by the individual. Assessments or information are considered personal data regardless of whether they are available as text, images, audio or video recordings.

Read more about personal data at Sikt (Norwegian Agency for Shared Services in Education and Research)

Regular personal data

Regular personal data refers to all types of assessments and information that may be associated with a particular individual, an identified or identifiable person, but which the General Data Protection Regulation (GDPR) does not define as a special category of personal data ("sensitive personal data").

Note that a national identity number is not considered to be sensitive personal data. However, because the national identity number is often used to identify individuals, the Personal Data Act contains special conditions for processing this type of information. The conditions in the Act are that the national identity number can only be used when:

  • there is an objective need for secure identification of individuals
  • secure identification cannot be achieved in other ways, for example by use of employee or student numbers.

Read more about rules regarding the national identity number at Datatilsynet.no

Special Categories of Personal Data

Special categories of personal data, often called sensitive personal data, refers to all types of assessments and information that can be linked to specific individuals and relate to:

  • health information and health related conditions
  • genetic or biometric information which can be used to identify a physical person
  • ethnic or racial origin
  • political, philosophical or religious perceptions and beliefs
  • sexual orientation or sexual relationships
  • trade-union membership

Examples of sensitive personal data may include:

  • information on students' illness or diagnoses
  • health information registered in connection with an employee’s sickness absence
  • information about cheating or attempted cheating in exams
  • need for a facilitated examination due to health reasons
  • information about an employee’s alcohol or substance abuse
  • information about trade-union activity
  • information on attitudes to various religious or political issues that respondents in questionnaires are asked to provide

Sensitive personal data shall be especially well secured against breach of privacy and data protection.

Direct and Indirect Personal Data - Anonymous Data

A person will be directly identifiable via name, birth/personal identification number or other personal characteristics.

Personal Data regarding Third Party

Personally identifiable information about people other than the participants/correspondents themselves is considered third-party information.

Pseudonymisation and Anonymisation

The information is de-identified (pseudonymised) if the name, social security number or other personally identifiable characteristics have been replaced with a number, a code, fictitious names or the like, which refers to a separate list/link key with the direct personal data.

In order for the data material to be considered de-identified, indirect personally identifying information must also be grouped into broad categories or removed completely. Broad categories mean, for example, parts of the country instead of specified municipalities or cities, age intervals (10-19 years, 20-29 years, etc.) instead of precise ages and the like. The only way to identify individuals in a de-identified data material shall be through the name list/link key.

The link key must always be stored separately from the data. De-identified information is still considered personal data as long as a link key exists.

Anonymisation of data requires that the link key be deleted. Anonymised data is no longer personal data and is therefore not covered by GDPR.

Image and sound recordings must be transcribed to pseudonymise the personal data. Avoid using names or writing down information that can identify a person. For anonymisation, audio recordings must be deleted.
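The pseudonymisation procedure described in this section, as an added example (not NIH's own code): direct identifiers move to a separate link key, indirect identifiers are generalised into broad categories, and deleting the link key anonymises the data. The sample records, the region mapping and all function names are constructed for illustration; the check for participants who remain unique on indirect identifiers, and dropping the codes on anonymisation, go slightly beyond the text.

```python
import secrets
from collections import Counter

# Constructed sample records; names and identity numbers are fictitious.
RECORDS = [
    {"name": "Kari Nordmann", "national_id": "00000000001", "age": 23, "municipality": "Oslo", "vo2max": 52.1},
    {"name": "Ola Hansen", "national_id": "00000000002", "age": 27, "municipality": "Drammen", "vo2max": 48.7},
    {"name": "Per Olsen", "national_id": "00000000003", "age": 34, "municipality": "Bergen", "vo2max": 45.0},
    {"name": "Anne Lie", "national_id": "00000000004", "age": 29, "municipality": "Oslo", "vo2max": 50.3},
]

# Assumed mapping from municipality to part of the country (broad category).
REGION = {"Oslo": "Eastern Norway", "Drammen": "Eastern Norway", "Bergen": "Western Norway"}

DIRECT = ("name", "national_id")      # direct identifiers: kept in the link key only
PRECISE = ("age", "municipality")     # precise indirect identifiers: generalised
INDIRECT = ("age_band", "region")     # what remains in the data set


def age_band(age):
    """Replace a precise age with a 10-year interval such as '20-29'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymise(records):
    """Return (data, link_key); the two must be stored in separate locations."""
    data, link_key = [], {}
    for rec in records:
        # Random code rather than a hash of the identity number: a hash of an
        # 11-digit number can be reversed by trying every candidate value.
        code = secrets.token_hex(4)
        while code in link_key:
            code = secrets.token_hex(4)
        link_key[code] = {field: rec[field] for field in DIRECT}
        row = {k: v for k, v in rec.items() if k not in DIRECT + PRECISE}
        row.update(code=code, age_band=age_band(rec["age"]),
                   region=REGION[rec["municipality"]])
        data.append(row)
    return data, link_key


def singled_out(data):
    """Codes whose combination of indirect identifiers is unique in the data."""
    def combo(row):
        return tuple(row[field] for field in INDIRECT)
    counts = Counter(combo(row) for row in data)
    return [row["code"] for row in data if counts[combo(row)] == 1]


def reidentify(code, link_key):
    """Look a participant up, e.g. to delete their rows when consent is withdrawn."""
    return link_key.get(code)


def anonymise(data, link_key):
    """Delete the link key; the codes are dropped too (an extra step chosen here)."""
    link_key.clear()
    return [{k: v for k, v in row.items() if k != "code"} for row in data]


if __name__ == "__main__":
    data, key = pseudonymise(RECORDS)
    print(data)
    print("unique on indirect identifiers:", singled_out(data))
    print(anonymise(data, key), key)
```

A code returned by `singled_out` marks a participant who could be recognised without the link key, so the categories for that data set need to be made broader before it counts as de-identified.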

Legal Basis for Processing of Personal Data

Personal data cannot be collected or processed without a legal basis. The project manager is responsible for ensuring that this is the case. The most common basis for research is the consent of the participants, but there are also other bases.

Consent as Legal Basis - Details

The consent of the participants must be informed and voluntary. The project manager is responsible for ensuring that the individual participant understands what they agree to participate in. It may be necessary to create separate information documents for different groups of participants. For example - one document for parents and another for the children.

If the research project is to process special categories of (sensitive) personal data, the consent of the participants must be express - often by a signature.

See Sikt regarding requirements for consent and templates for information letters.

Broad Consent - Details

In some cases, it is possible to obtain broad consent where the participants consent to several different research projects. This assumes that the projects fall under the same defined research objective. The participant must be informed about what it means to give broad consent. REK can set conditions for the use of broad consent.

Persons without Consent Competence - Details

Research that includes minors and people without consent capacity can only take place if:

  • Any risk or inconvenience to the person is negligible
  • The person does not oppose participating.
  • There is reason to assume that the results of the research may be of benefit to the person in question or to other people with the same age-specific disorder, disease, injury or condition.

For minors, it is required that similar research cannot be carried out on persons who are not minors.

As a general rule, children and young people can themselves consent to participation in research when they are 15 years old. For children under this age, parents should consent on behalf of the child. If special categories of personal data are to be collected, the young person must be 16 years of age to consent.

Parents or others with parental responsibility must consent if the research participant is under 16 years of age. The same applies if the participant is between 16 and 18 years of age and the research involves physical intervention or drug testing. Age-appropriate information letters must take into account the minor's maturity and experience. The same goes for information letters to the person who consents on behalf of the participant.

Participation in research must always be voluntary, regardless of who has the competence to consent.

For medical and healthcare research, there is a separate regulation which determines that children between the ages of 12 and 16 can themselves consent to the processing of personal data for certain types of research - see reference.

See more about consent from minors at the Norwegian Data Protection Authority (Datatilsynet) and at Sikt.

For persons without the competence to consent due to health conditions, mental retardation or incapacitation, it is required that there is no reason to believe that the person concerned would object to participation in research projects if the person concerned had the competence to consent, and that similar research cannot be carried out on persons with the competence to consent. Special rules apply to who must give consent, see § 17 and 18 of the Health Research Act.

Right to withdraw consent

The data subject/participant must have the opportunity to withdraw their consent as easily as it was given. The data subject does not need to state any reason for withdrawing.

Withdrawing consent means, firstly, that research participants no longer wish to take part in the project. Secondly, this means that we no longer have a legal basis for the processing. The personal data we hold about the person in question must therefore be deleted.

The right to withdraw consent is valid as long as it is possible to identify the person concerned in the data material. In projects with many participants, this means until the information is deleted or anonymised. For projects with few participants, it will technically be possible to withdraw consent and have information deleted even after anonymisation because the researcher knows the identity of the few participants.

When we publish research results, these will normally not include identifying information. The fact that a research participant withdraws his or her consent after publication does not mean that a published article must be withdrawn.

Examples - Legal Basis for Different Processing Objectives

Sending non-anonymous surveys - the basis varies depending on the processing carried out during the process:

  • Sending out a survey to a wide selection (which has not been asked in advance) - the institution has a legitimate interest and the privacy disadvantage for the individual is low 
  • Obtaining answers - the participant gives their consent by answering 
  • Obtaining information about health (e.g. mapping of Covid-19) - public interest 

Other examples of legal basis for processing personal data (not research):

  • Obtaining health information in an emergency situation - protection of life and health 
  • Salary payment - agreement/contract

Approvals and assessments

Regarding approvals and assessments before the project starts:

See "Research administration - procedures for starting a project" (page in Norwegian)

Collection of Data

Electronic surveys/interviews - Nettskjema

Students and staff at NIH can use Nettskjema for collection of data/electronic surveys. Nettskjema can also be used for interviews via an app.

See page about Nettskjema.

Zoom may be used for interviews - with or without photos - as long as the interviews/photos do not contain special categories of personal data. Zoom cannot be used for collection of data outside NIH.

Biological material

See procedure for collection, storage and use of human biological material - see pages about Project administration (to be updated).

Privacy in Master Students' Projects - Specific Regulations

Master Students who plan to process personal data in their master project must confirm in writing that they have followed routines and procedures for privacy and information security. This must be confirmed when reporting the project to Sikt before project start and also when submitting the thesis. See forms for confirmation on page regarding Exams.

Securing and Follow-up of Rights of Project Participants

Anyone who has agreed to participate in a research project can, as a rule, claim the right to access the information about themselves, to have incorrect information corrected, and to withdraw from further participation without any explanation (withdraw their consent). A request from participants should be answered within 30 days.

Tasks related to Follow-up of Project Participants

  • Respond to requests from participants
  • Delete or anonymise relevant research data if participants choose to withdraw from the project.
  • Make sure that personal information in a project is not used for other purposes than the participants have consented to.
  • Request participants for a new consent if the collected data will be used for other purposes than originally planned or for longer periods than originally intended.
  • Make sure agreements with cooperation partners are upheld.

Classification and storage

Information and research data are classified in different color-coded categories - according to how much damage it may cause to individuals or institutions if data goes astray. The strictest requirements are made for data in the categories black and red.

See separate page about classification of data.

See separate page about storage of data at NIH.

Category black - strictly in confidence

«Strictly in confidence» is used if NIH, its partners, public interest, or individuals may be subject to considerable harm if the information is exposed to third parties.

Black research data should be stored in NIH's Secure Zone.

Category red - in confidence

«In confidence» is used if NIH, its partners, public interests, or individuals may be subject to harm if the information is exposed to third parties.

Red research data can be stored in NIH's Secure Zone, on an encrypted laptop set up by NIH or on an encrypted memory stick. The researcher is responsible for safeguarding the equipment.

If in doubt whether research data belong to red or black category, you should consider the data as black.

Category yellow - limited

The information must have a certain level of protection. Can be accessible to external and internal, with controlled access rights. May cause some damage to the institution if the information becomes known to unauthorized persons.

Category green - open

This class is used if it concerns research data that can or should be available to everyone without special access rights. This essentially means data that is anonymised/does not contain personal data.

The integrity of the data must be ensured by ensuring that only persons with the correct rights have access to change the information. Although the data may be open, it is not free to choose what is done with it.

The table below is an abbreviated version. See NIH's storage guide and classification guide for additional information on what kind of information can be stored where.

Category/Where           | Black | Red | Yellow | Green
NIH operated laptop      | No    | Yes | Yes    | Yes
Private laptop           | No    | No  | Yes    | Yes
Memory stick - encrypted | No    | Yes | Yes    | Yes
Private memory stick     | No    | No  | No     | Yes
OneDrive                 | No    | No  | Yes    | Yes
File server              | No    | Yes | Yes    | Yes
Safe zone                | Yes   | Yes | Yes    | Yes

Storage of biological material

It is a fundamental principle that human biological material in a research biobank must be stored and treated properly, and that this is done with respect for the donor. The regulations apply regardless of whether material can be linked to the donor by directly identifiable characteristics, by using a code key, or without any kind of connection option.

REK must have pre-approved the establishment of general research biobanks.

Head of Department must have an updated register of the department's biobanks, which shows who is responsible, and the routine for storage, destruction by end date and internal control.

REK has tightened the requirements for applications for a general biobank and requires that a protocol describing the biobank be attached. The requirement does not apply to general biobanks that were already approved, but if you are to submit a change application for a general biobank, you will be asked to attach a (revised) protocol.

Archiving of data

Archiving must not be confused with active storage of data that is in use during the project period.

NIH requires that data from research projects be kept for five years after the end of the project (for control and authentication). This requirement does not apply to master students' projects unless they are part of a larger research project. After the prescribed storage period, the project manager must ensure that personal data is anonymised or deleted.

Access to, sharing and transfer of data

The institutions/researchers/students or employees who will have access to personal data must be mentioned in the report to Sikt and possibly in the application to REK. The research participants must also be informed about and have consented to such sharing of personal information.

Access Safe zone via Prosjektweb

The project manager can give project staff access to personal data stored in the Safe zone via Prosjektweb.

The same registration form is used to indicate which external and internal project employees will be involved. For external researchers, a mobile phone number must be provided (for two-factor login).

Safe zone can also be used for sharing data with researchers from countries that do not have privacy legislation similar to that of the EU/EEA/Canada/Australia.

Access non-employees

If project staff not employed by NIH will have access to personal data, a separate agreement must be drawn up. See confidentiality statement for project employees.

If the cooperation will be with a public enterprise/institution, a non-disclosure agreement is not necessary. Master students sign the confidentiality declaration in connection with the supervision agreement for their project.

If external employees are to have access to NIH's IT system, a separate access agreement must be drawn up.

The project manager can give external researchers access to research data that is stored in NIH's Secure Zone. In this case, no data processor agreement will be needed. See more about Safe Zone in the Storage Guide.

 

Transfer - sharing with other institutions

If identifiable personal data is to be transferred to or stored at a collaborating institution, an agreement must be entered into which sets out the responsibilities and tasks for each institution. For the agreement, it is important to know what role and what tasks each institution must have:

If NIH allows an external party to process personal information only for NIH's own purposes, NIH is the data controller and instructs the data processor on how data should be processed. The data processor cannot use this data for its own purposes. 

Joint processing responsibility arises when two or more separate data controllers decide on the purpose and the decisive means of processing. There is no requirement that the responsibility be equally distributed, but both parties must have a legal right to process the information.

See the Norwegian Data Protection Authority's pages/guidelines (In Norwegian only) on Data processing agreements and what is included in the terms data controller and data processor.

Transfer of personal data to countries outside the EU/EEA area requires special assessments and agreements. See more at the Norwegian Data Protection Authority. 

The IT manager at NIH must sign data processing agreements, but the project manager is responsible for preparing proposals for the agreement. 

Agreements on the transfer of physical material (Material Transfer Agreement/MTA) can in most cases be signed by the head of department. Relevant examples are agreements on blood samples and muscle tissue to be analyzed in other laboratories.

Report Issues Regarding Privacy and Information Security

In case of an undesired incident, inform sikkerhetsavvik@nih.no. Describe what has happened. You should also inform your direct leader - if possible.

Examples of undesired incidents include personal information distributed to the wrong persons (for instance in an attachment or in "the tail" of an e-mail), a password made available due to "phishing", and information wrongly classified and therefore available to more people than intended.

NIH - at institutional level - must report a breach of GDPR to Datatilsynet within 72 hours.

General Privacy Advice

Protect the Privacy of Others

  • Make sure not to leave printouts in the printer (use secure printing) or on your desk when you are not present. Printouts should be stored in lockable cabinets and should not be taken outside the office/work site.
  • Do not send sensitive personal information such as bank account numbers, social security numbers, etc. by email, instead use access-regulated areas.
  • Use employee numbers rather than social security numbers where possible.
  • Remember that information from the payroll and personnel system and financial systems should only be used internally at NIH. External persons who want access to data from our systems must contact the system owner.
  • Do not store reports on personal home directories or unencrypted memory sticks. If you are going to store a report, this should be done in a common area where as few others as possible have access.
  • Your user account in the systems is personal and should never be shared with others or otherwise misused. It is important that you protect your passwords so that they do not go astray.
  • Always remember to lock (Windows key + L) or log off your PC when you leave your seat, even if it's just for a minute or two.
  • Be aware that you have access to information that could harm your co-workers'/colleagues' privacy if it goes astray.

Assess the Need to Print or Save a Report

You should carefully consider before saving or printing the results of a report. Do you really need this information later? Or is it perhaps enough to see the result on the screen there and then? Try not to save or print the results of a report unless really necessary.

Clean Up After Yourself

If you have chosen to save or print a report from the systems, it is important that you delete/shred this as soon as the purpose is fulfilled. Be sure to incorporate a good routine for regularly cleaning and deleting documents.

Be Aware of Your Responsibilities

Set a good example and help your co-workers and colleagues adopt your good habits and attitudes towards the use of personal data.