Wikier

Collection of personal data for research projects

This wiki describes how to process personal data in student (i.e. bachelor or master) and research projects at NTNU.

Norsk versjon - Behandle personopplysninger i student- og forskningsprosjekt

Are you going to process personal data in your research or student project? NTNU has an agreement with Sikt (previously called NSD) for data protection services, hence all research projects and student projects that process personal data must notify Sikt, at least 30 days before data collection is due to start. Health research projects led by the Faculty of Medicine and Health Sciences (MH) are the only exception to this rule, and should instead be pre-approved by the Regional Committees for Medical and Health Research (REK). Health research projects where a faculty other than MH is responsible for the research must be both pre-approved by REK and notified to Sikt.

Wikipages related to GDPR

What is personal data?

Personal data is information that can be linked to an individual - either directly or indirectly - and make it possible to identify that person. Typical examples of directly identifying personal data include a person's name, social security number, e-mail address, telephone number and other personal characteristics. IP addresses are also considered personal data, and the same applies to images and audio recordings if a person can be recognised. An individual's voice is also personal information, thus audio recordings are considered personally identifiable even if no names are mentioned. Biometric characteristics such as fingerprints, iris patterns and head shape, are also considered personal data. The same applies to behavioral patterns; it can, for example, be easy to identify an individual based on where that person has been during the day.

Indirectly identifying personal information refers to background information that can be used to trace the information back to an individual, such as place of residence or institutional affiliation combined with information about age, gender, occupation, nationality etc

When do data protection laws apply?

The Norwegian Personal Data Act, including the EU's General Data Protection Regulation (GDPR), applies to all processing of personal data carried out by students and employees at NTNU, including when the processing takes place outside of Norway. This data protection legislation does not apply to the processing of anonymous information, i.e. information that cannot be linked in any way to a single individual. It also does not apply to information about the deceased; however, there are other laws that can limit the processing of such data. Examples of these are the Health Register Act, the Health Research Act, the Health Personnel Act and the Patient Records Act. In addition, information about the deceased can occasionally reveal something about living relatives, and hence will then be covered by data protection regulations. For more information, see Sikt's pages on research on the deceased (in Norwegian only).

Special categories of personal data (sensitive)

Some types of personal data have stricter requirements for processing grounds and information security than so-called general personal data.

The following are special categories of personal data:

  • information about racial or ethnic origin
  • information about political opinion, religion and philosophical beliefs
  • information about trade union membership
  • genetic information
  • biometric information for the purpose of uniquely identifying someone
  • health information
  • information about sexual relationships
  • information about sexual orientation

In addition, these requirements apply to personal information about criminal convictions and offences.

Information about people in vulnerable situations must also be treated as a special category of personal data. Children also have special protection which means that information about children must be treated with particular care. In some cases, a data protection impact assessment (DPIA) must also be carried out when processing special categories of personal data or information about vulnerable groups.

Classification of personal data

All information must be classified to determine the level of security required during collection, storage and processing. At NTNU, four confidentiality classes are used for research data and other information.

Colors of confidentiality categories

  • Open (green) - The information is available to everyone without logging in. Research data with personal data rarely end up in this category.
  • Internal (yellow) - The information is available to selected internal and external users, but requires logging in.
  • Confidential (red) - The information requires strict access control. The classification is used if publication would harm public interests, the institution or individual(s).
  • Strictly confidential (black) - The information requires very strict access control. The classification is used if publication will cause significant damage to public interests, the institution or individuals.

General personal data is often classified as internal (yellow), while the special categories of personal data require special protection, and will usually end up in the confidential (red) category. Other examples of personal data that should be classified as confidential are information about criminal convictions and offences, or information about people from vulnerable groups or in vulnerable situations. Strictly confidential is only when there is a possibility for causing significant damage to the public interests, the institution, an individual or a cooperation partner, if the information becomes known to unauthorized persons.

De-identified/pseudoanonymised personal data

De-identified, or pseudonymised personal data, is used for data material where directly personally identifying characteristics have been replaced with, for example, a number, a code or fictitious names. Indirect personally identifying information must be categorized into broad categories or removed for the data material to be considered de-identified. The only way to identify individuals in de-identified data material must be through a re-identification key, and as long as the key exists, the data must be considered personal data (i.e. not anonymous). This applies regardless of where and how the key is stored.

Carry out your project anonymously

As a general rule, as little personal data as possible must be processed to achieve the research purpose (data minimization principle). In some cases, it is possible to carry out a project without collecting personal data at all. If the data collection is to be carried out anonymously, the interview and observation must be recorded in the form of notes without any directly or indirectly identifying information, and online questionnaires must not be linked to the respondent's e-mail or IP address. For more information about anonymous questionnaires, see Ensuring anonymity in Nettskjema (in Norwegian only).

Remember that background information can identify people even if the survey itself is anonymous. An example is if an anonymous survey is carried out in a small workplace and the participants have stated their age and gender. Therefore, take into account that even anonymous questionnaires can make it possible to identify individuals.

For more information, se Sikt's page on Carrying out a project without processing personal data.

If the entire data collection takes place anonymously, the project does not need to be notified to Sikt. Note that carrying out a project anonymously is different from anonymising. If personal data is collected which is then anonymised, this is processing of personal data which must be notified to Sikt in the usual way.

Remember that if a survey is conducted anonymously, from a research ethics perspective you must still ensure that the participants are informed and have consented to participate. However, consent is not required as a legal basis for processing, as no personal data is processed. Thus, the information for participants should not say anything about access, correction or the right to withdraw consent. Instead, it can, for example, be stated that the data collection is anonymous, and that by completing the survey, one is considered to have consented. There must NOT be any signature or similar that can identify the participant. It should also not be stated that the data material will be treated confidentially if this is not the case. If the data material is to be shared or published afterwards, for example in an open data archive, you must nevertheless draw attention to this.

Risk assessment

Before processing personal data, you must perform a risk assessment in order to prevent undesirable incidents or discrepancies in the processing of personal data. The aim of a risk assessment is to uncover the current level of risk and identify measures that can help reduce the risk. Central factors in the risk assessment are the scope of the project, the sensitivity of the information, potential threats/security issues linked to the environment in which the information is processed and stored, and the duration of the project.

The risk assessment must be approved by the project manager (or the student's project supervisor), and an approved and signed version must be available on request (can be scanned and stored digitally). The assessment should be reviewed at regular intervals and adapted to any changes in the project.

A separate wiki for risk assessment of research projects at NTNU has been created (including a template you can use for risk assessment). There is also a simplified template for student projects.

Data Protection Impact Assessment

If it is likely that a type of processing will entail a high risk for the rights and freedoms of individuals, an assessment must be made of what consequences the planned processing will have for privacy. This also applies to research. This assessment is called a data protection impact assessment (DPIA) and is a more comprehensive review of the processing of personal data.

For projects that are notified to Sikt, Sikt will assess whether a DPIA is necessary and assist NTNU's data protection officer in carrying out the assessment.

Which projects should be notified to Sikt?

Research and student projects that process personal data, as well as health research where a faculty other than MH is responsible for the research, must be notified to Sikt.

Sikt has an advisory role and must assess whether the project meets the requirements of the EU's data protection regulation. The processing of personal data cannot start until Sikt has given feedback to the project manager that the planned processing is in accordance with the EU's data protection regulation, and that the necessary prerequisites and recommended measures and assessments are carried out.

The project manager or supervisor of a student project is responsible for sending the notification to Sikt. Sikt must be notified at least 30 days before the data collection is due to start.

 Notify Sikt

Collection of data outside Norway

If you are a student/researcher at an institution in Norway and you are going to collect data abroad, you need to comply with the requirements in the same way as for data collection in Norway (i.e. an application must be sent to REK and/or the project must be reported to Sikt, depending on the nature of the research and the responsible faculty).

Changes to the research project

If significant changes are made to the project, Sikt must be notified. Projects with REK approval must notify REK. The changes cannot be implemented until REK or Sikt has provided feedback.

Medical and health research

Medical and health research must be pre-approved by the Regional Committees for Medical and Health Research (REK) before the project starts. REK carries out an ethical assessment of the project. NTNU has created a portal for medical and health research with administrative procedures and guidelines to ensure that medical or health research is carried out in a safe way and according to the law. Health research projects led by another faculty besides the MH faculty must both pre-approved by REK and notified to Sikt.

Medical or health research is defined as research on humans, human biological material or health information with the purpose of acquiring new knowledge about health and disease. The same applies to research that contains pilot studies and experimental treatments. The health research portal contains more information about the distinctions between medical and health research and other research involving personal data.

Internet Research

Will you be conducting research on information found on the Internet? In that case, your project will be subject to notification if you process personally identifiable information on a computer. Examples of such processing may be saving documents from open or closed discussion forums, containing "nicknames" or names of participants. Furthermore, direct quotations can be searchable, and thus might be considered personally identifiable information.

As a general rule, one should provide information to participants and they should give their consent to the processing of personal data in connection with research projects. However, there may be exceptions from these requirements for information. See more about Internet research on Sikt 's website (Norwegian only).

Lawful basis

A legal basis is required for the processing of personal data for research purposes. Traditionally, consent has been the main legal basis for processing personal data in research (although other legal bases do exist). If consent from the research participant is the basis for processing, it must be given explicitly. Participants must be informed that personal data will be collected and informed about what is the purpose of its collection.

A valid consent must be:

  • Freely given
  • Specific and informed
  • Unambiguous
  • Explicit
  • Documentable
  • Just as easy to withdraw as to give

This means that it must be clearly stated what participation in the research project entails, who is responsible for the data processing, what data is collected and what it will be used for (see Sikt's pages on Information for participants in research projects). Furthermore, consent must be explicit and affirmed in a clear statement. This means that they must actively sign, tick or fill in something if they agree. Verbal consent is also possible, but all forms of consent must be documented. Participants must also be informed of the right to withdraw consent, and in the event of withdrawal, the data material about the person concerned must be deleted (or possibly anonymised).

When consent is obtained, the participants must be informed of how long the information will be processed. In long-term projects, it may be necessary to provide supplementary information at regular intervals. It may also be necessary to obtain new consent in case of major changes.

Competence to consent

  • Certain persons of legal age may be unable to give informed consent because they may be physically or mentally impaired in such a way that they cannot understand what the consent encompasses.
  • Adult persons under legal guardianship must, to the fullest extent, be given the opportunity to consent. If this is not possible, consent must be obtained from their legal guardian/representative.
  • Health Research: minors between the ages of 16 and 18 may consent unless otherwise provided by special legal provisions. Consent from their parents/legal guardian(s) is required if the research involves physical interventions or drug testing. Section 17 of the Health Research Act contains further provisions on competence to consent.
  • Other research: Children and young people can themselves consent to participation in research when they are 15 years of age (although this depends on the nature and scope of the project). If special categories of personal data are to be collected, the minimum age is 16-18 years. To be able to give informed consent, minors (i.e. those under 18 years of age) must be able understand the consequences of the processing of their personal data. Their capacity to understand depends on factors such as age, the nature and scope of the personal data, as well as the purpose of its collection.
  • If minors are included, all information provided to them must be prepared in a way that take into account their level of maturity and experience.
  • If the research takes place without consent, the project manager must inform the participants unless there are exceptions to the duty to inform.

Public interest

In certain cases, the processing of personal data can take place without having obtained explicit consent if it is necessary to carry out a task in the public's interest. For general categories of personal data, the condition of public interest is met if it can be shown why the processing is necessary to achieve the purpose of the research. For special categories of personal data and information about criminal convictions and offences, it must also be described how the benefit to society exceeds any potential harm to the data subjects.

It must also be described what measures are introduced that reduce the risk for the data subjects, for example de-identification of the material where possible.

For more information on consent and the public interest, see Sikt's page on Legal bases for personal data processing in research.

The research participants' right to access

The research participants have the right to access their data.

  • Research participants who wish to gain access to personal data can do so according to NTNU's routine: Access to your personal data.
  • The project manager/the student's supervisor must ensure that the research participant is given access.

Roles and responsibilities

For the responsibilities described below, student projects/assignments are defined as those that are carried out in connection with a bachelor/master degree at NTNU. The student's supervisor acts as the project manager in student projects. Doctoral theses are defined as ordinary research projects. A doctoral candidate can be considered the project manager of their research project (although for health research conducted at the MH faculty, special regulations apply). If there is only one researcher involved in the project, they are considered the project manager.

The project manager for a research project:

  • must carry out a risk assessment to assess the data protection risks in the project in question.
  • must ensure that appropriate measures - in relation to the level of risk determined - are taken to mitigate/reduce the risk.
  • is responsible for the data that the project collects and uses and must have access to all research data that the project includes.
  • assigns access rights and keeps track of who has access to the data.
  • must follow up inquiries about access etc. from the research participants and is responsible for ensuring that the obligation to inform towards them is followed up.
  • has operational responsibility and internal control for the project and must ensure compliance with relevant legislation, guidelines on research ethics and internal procedures for information security and data protection.
  • must notify Sikt and/or apply for pre-approval from the Regional Committees for Medical and Health Research (REK) and ensure that all information provided is in accordance with how the project is to be carried out in practice.
  • must involve the person or body responsible for the research at their unit before notifying Sikt or submitting an application to REK and be able to provide the notification/application if demanded.
  • shall develop a data management plan.
  • must ensure that agreements that are required for the safeguarding of information security and data protection are entered into (for the establishment of data processor agreements, see the wiki Data processor agreement).
  • must assess whether the personal data can be de-identified.
  • must report serious, undesirable and unexpected medical events to the person or body responsible for the research at their unit and the Norwegian Health Authority. The research participants must also be informed immediately if they have been harmed or if complications have arisen as a result of the research project.
  • Must ensure that the personal data is anonymised or deleted at the end of the research project if, according to the approvals that have been granted or requirements from the funder, there is no need for the data to be stored. They must also ensure that the necessary confirmations are sent to REK and Sikt.

The supervisor for a student project:

  • must assess whether the student project is covered by the Health Research Act or whether it concerns other research that processes personal data.
  • must assess whether the planned processing will be in accordance with the basic data protection principles of the EU's GDPR, including whether there is a legal basis (statutory provision) for the processing and whether consent must be obtained from the participants in the project.
  • must assess whether the student project can be carried out without having to notify Sikt, i.e. that no personal data is processed electronically in the project. This is only possible if everything throughout the process is anonymous. Online forms must then be completely anonymous, i.e. so that the respondent's e-mail / IP address cannot at any time be linked to questionnaires. In the case of interviews and observations, data must be recorded only in the form of handwritten notes. It is not possible to record conversations or film people.
  • must, together with the student, carry out a risk assessment that will help prevent undesirable incidents or shortcomings in the processing of personal data that may have consequences for the research participants. The risk assessment must be documented.
  • must consult with the Data Protection Officer if there is a requirement for a Data Protection Impact Assessment (DPIA) according to Article 35 of the EU General Data Protection Regulation.
  • must notify Sikt at least 30 days before the data collection is due to start (this task can be delegated to the student, with the supervisor's approval). The supervisor or student fills out the notification form for Sikt, and prepares the corresponding attachments. If the project concerns health research, the supervisor must send an application for prior approval to the Regional Committee for Medical and Health Research (REK) (i.e. this task cannot be delegated to the student). In addition, Sikt must be notified unless the MH faculty is responsible for the health research project.
  • must ensure that an agreement is entered into with students who are not enrolled at NTNU, if they are to have access to NTNU's systems.
  • must ensure that the student signs a non-disclosure agreement where required. See Taushetserklæring studenter for more information (in Norwegian only).
  • must ensure that the student has completed the necessary training in information security and data protection before the student processes personal data in their project.

The student:

  • must, together with the supervisor, carry out a risk assessment that will help to prevent unwanted incidents or discrepancies in the processing of personal data that may have consequences for the research participants. The risk assessment must be documented.
  • must, in consultation with the supervisor, write a data management plan.
  • shall (if approved by the supervisor) notify Sikt at least 30 days before data collection is due to start. The supervisor or student fills out the notification form for Sikt, and prepares the corresponding attachments. If the project concerns health research, the supervisor must send an application for prior approval to the Regional Committee for Medical and Health Research (REK) (i.e. this task cannot be delegated to the student). In addition, Sikt must be notified unless the MH faculty is responsible for the health research project.
  • shall sign a non-disclosure agreement where required.
  • must have completed the necessary training in information security and data protection before they process personal data in their student project.
  • must be familiar with the routines on the processing of information with private ICT-equipment, if an NTNU-administered PC is not available.

Sikt Data Protection Services:

  • shall give advice on how NTNU, as data controller, can best safeguard privacy and ensure data protection in research projects.
  • shall receive notifications about processing of personal data in research projects and keep a protocol/overview of such processing in a separate notification archive

Data Protection Officer at NTNU:

  • must provide NTNU's management and employees with information and advice about NTNU's obligations under the EU's data protection regulation and other relevant legislation on data protection.
  • must, on request, give advice on data protection impact assessments (DPIA) and control their implementation
  • must check compliance with the EU's personal data protection regulation and other relevant legislation data protection and internal guidelines.
  • must stay informed about and follow up on discrepancies that may arise in the event of a breach of privacy.
  • shall cooperate with and be the point of contact for the Norwegian Data Protection Authority and other competent authorities.

Research Data@NTNU:

  • shall provide advice and guidance related to the processing of personal data in research projects.
  • shall cooperate with and be the point of contact for Sikt for the follow-up of certain projects.

Collection, storage of and use of active research data

NTNU's guide to data collection lists the approved methods for collection personal data. Personal data must not be stored longer than is necessary for the purpose for which it was collected, unless otherwise determined by law or e.g. because of requirements from the research funder. Personally identifiable or de-identified data must be stored and processed in NTNU's systems, or in systems that have a data processor agreement with NTNU. See the data storage guide for an overview of available solutions at NTNU. NTNU's template for a data processor agreement can be found on the Data processor agreement page.

As a general rule, private equipment (e.g. a home PC) must not be used for the storage and use of personal data. If there is no other option but to use private ICT equipment for the processing of personal data, this must be done in accordance with the guidance described on the page Processing of information with private ICT equipment. Students who only have access on a private PC can look at the outlined data flows for various data types.

Access

During project implementation, the research data must only be available to approved project staff. The project manager decides who should have access to de-identified personal data and the re-identification key. The project manager must have a documentable overview of who has access to data. The overview must be available to the person or body responsible for the research at the unit.

Project staff should not normally have access to the re-identification key. In those cases where they have access to the re-identification key, the data is no longer regarded de-identified, but directly personally identifiable, which tightens the requirements for proper processing and storage.

Upon completion of the project

  • At the end of the project, the project manager shall ensure that the personal data is anonymized, deleted or archived according to approvals and consent.
  • The project manager must send a final report to Sikt or REK when the project has been completed and, if necessary, confirm that the personal data has been anonymized or deleted. Upon completion of a student project, this must be done immediately after grading.
  • The requirement for deletion/anonymization applies to all information where the research participant's identity directly or indirectly appears.
  • The project manager shall ensure that copies of the data are handled in the same way.
  • A copy of fully anonymized data can be retained. If the data is de-identified, anonymization usually takes place by deleting the link key/scrambling key.
  • When students or project staff leave, the project manager must ensure that research material they have collected or accessed is securely stored or deleted if there is no longer a need for storage.
  • If the data is to be stored beyond the end of the project, the project manager in cooperation with the research manager (normally the department) must decide how this storage should be carried out.
  • Source data or other research data and documents shall not be deleted if the supervisory authorities have open cases related to the research project, or if the project manager or employees are investigated by The National commission for the investigation of research misconduct.

Reporting discrepancies in the processing of personal data

Students and researchers must report discrepancies in information security and privacy. This is to ensure that the discrepancy, or even a potential breach of personal data, can be dealt with, its negative consequences reduced, and that future security incidents and privacy violations can be prevented.

Examples of discrepancies in processing or personal data breaches

  • emails with sensitive personal data are sent to the wrong person
  • National identity number is sent unencrypted by e-mail or made available openly online
  • lost equipment (mobile, laptop, tablet, notes, and the like)
  • wrongful disclosure or publication of personal data
  • technical errors or flaws that may compromise security concerning access control, equipment, or software
  • guidelines that are missing, not functioning, or that are not being followed
  • personal data being stored openly or without proper access control

Online course on personal data in research projects

The online course Introduction to personal data in research projects has been created especially for NTNU. The course takes 45 minutes to complete and gives you a good insight into how we process personal data in research projects. If you are processing personal data in your student or research project, we encourage you to complete in the course.

Further guidance:

Contact

If you have questions about notification to Sikt or pre-approval of health research projects, please contact: