Collection of personal data for research projects - Kunnskapsbasen
Collection of personal data for research projects
If your research- or student project involves personal data, you need to check whether you must notify NSD/Sikt. This also applies to student projects at Bachelor and Master level.
The General Data Protection Regulation (GDPR) applies as a law in Norway from 20 July 2018. This entails some changes in the rules for the processing of personal data, but research projects processing personal data electronically must still notify NSD.
NSD must also be notified for health research projects led by other faculties at NTNU than the Faculty of Medicine and Health Sciences (MH) for assessment of the privacy aspects of the project.
Norsk versjon - Behandle personopplysninger i student- og forskningsprosjekt
- What is personal data?
- Risk assessment
- Which projects should send in notification to NSD?
- Medical and health research
- Collection of data outside Norway
- Internet Research
- Changes to the research project
- The research participants' right to access
- Roles and responsibilities
- Storage of research data
- Reporting Personal Data Breach
- See also
What is personal data?
Personal data is information that directly or indirectly can identify a person. Information that can directly identify a person includes names, personal ID numbers, voice or other personal characteristics. Information that can indirectly identify a person includes background information that can be traced back to an individual, e.g. place of residence or institutional affiliations combined with information about age, sex, occupation, nationality, and so forth.
Before processing personal data, you must perform a risk assessment in order to prevent undesirable incidents or deficiencies. Key factors in the risk assessment are the scope of the project, the sensitivity of the information, the threats to the environment in which the data is processed and stored, and the duration of the project.
A specific template has been prepared for risk assessments of research projects at NTNU.
The following are described as examples of acceptable risk levels in connection with health research (in Norwegian only). This is also relevant in a risk assessment for other projects processing special categories of personal data (“sensitive data”).
Which projects should send in notification to NSD?
- Health research projects where faculties other than MH are responsible for research
- Other research projects that process personal data electronically
- Student projects that process personal data electronically (applies to both bachelor and master degrees)
The notification requirement applies regardless of whether the personal data contains substitutions designed to hide identities, such as numbers, codes, fictional names or something similar, but that nevertheless is linked to a separate list containing the personal data. Use of video and audio recordings of persons must also be reported if:
- the recording is processed or stored by electronic means (on a computer as an audio or image file)
- transcriptions contain personal data and are processed electronically (computer)
- transcriptions contain personal data and are systematized in a manual register
Even if all project publications are anonymized, NSD must still be notified if personal data is processed during the project.
The same applies if you are manually processing personal data to be entered into a register.
The Project Manager or supervisor of a student project is responsible for reporting the project to NSD. The project must be reported 30 days before the collection of data is initiated, at the latest. NSD also offers archiving for project data when the project is finished.
Medical and health research
Medical and health research led by the Faculty of Medicine and Health Sciences (MH) must be approved by the Regional Committee for Medical and Health Research Ethics (REK) before the project is initiated. These projects should not be reported to NSD. NTNU has created its own portal for medical and health research with administrative procedures and guidelines to ensure that medical or health research is carried out in a safe way and according to the law.
Health research projects led by other faculties must be reported to NSD as well as to REK.
Medical or health research is defined as research on humans, human biological material or health information, where the objective is to obtain new knowledge about health and disease. The same applies to research that contains pilot studies and experimental treatments. The health research portal contains more information about the distinctions between medical and health research and other research containing personal data.
Collection of data outside Norway
If you are a student/researcher at an institution in Norway and you are going to collect data in countries outside Norway, you need to comply with the requirements in the same way as for data collection in Norway.
Will you be conducting research on information found on the Internet? In that case, your project will be subject to notification if you process personally identifiable information on a computer. Examples of such processing may be saving documents from open or closed discussion forums, containing "nicknames" or names of participants. Furthermore, direct quotations can be searchable, and thus might be considered personally identifiable information.
As a general rule, one should provide information to participants and they should give their consent to the processing of personal data in connection with research projects. However, there may be exceptions from these requirements for information. See more about Internet research on NSD 's website (Norwegian only).
Changes to the research project
If significant changes are made to the project, NSD must be notified. Projects with REK approval must notify REK. The changes cannot be implemented until REK/NSD has provided feedback.
Participation in research projects should as a general rule be based on documented informed consent from the participants.Research participants cannot be included in a research project until a declaration of consent.If the processing of personal data is to take place based on another legal basis than consent, the reason for this must be documented before the data collection starts.
- Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis.
- The consent must be based on specific information about a specific research project. Research participants may give consent to certain areas when this complies with recognized ethical standards for scientific research. The research participants should be able to give their consent only to certain research areas or parts of the research project to the extent permitted by the intended purpose.
- Research participants may give consent to certain areas of scientific research when this is in alignment with recognized ethical standards for scientific research. The research participants should be able to give their consent only to certain research areas or parts of the research project to the extent permitted by the intended purpose.
- Broad consent can be given in health research if the requirements under the Health Research Act are met.
- Research participants must be able to withdraw their consent. This must be stated in the consent form.
- The information letter shall contain information that the researchers are subject to a duty of confidentiality and that data is treated confidentially. The project manager must consider whether it should be stated in the information letter that the duty of confidentiality is not absolute. This may be relevant in projects where the research participants might provide information that a serious criminal offense may be committed. The project manager will then have a responsibility according to Section 196 of the Penal Code to seek to avert such action.
- Information about the person who does not wish to participate in the project cannot be used in the research. This also applies to churn analyses.
- The research participant may withdraw their consent to participate in the research.
For more information, see NSD's web pages about information and consent.
Competence to consent
- The consent of persons of legal age may be unethical due to physical or mental disturbances that make them unable to understand what the consent encompasses.
- Persons under legal guardianship shall to the fullest extent be given the opportunity to consent. If this is not possible, the guardian shall consent.
- Health Research: Minors between the ages of 16 and 18 may consent unless otherwise provided by special legal provisions or the nature of the measure. Parental/guardian consent is required if the research involves bodily intervention or drug testing. Section 17 of the Health Research Act contains further provisions on competence to consent.
- Other research: Depending on the nature and scope of the project, common practice is a 15-year age limit for when children can consent themselves to participate in research. For sensitive personal data, the age limit is 16-18 years. If minors (under the age of 18) are to be able to give valid consent to the processing of personal data, this requires that they understand the consequences. The possibility of understanding depends on factors such as age, nature, and scope of personal data, as well as the purpose of the collection. It must always be informed of the age limit that applies when it is up to minors to provide personal data.
- When including minors, age-appropriate requests must be prepared that take into account the minor's maturity and experience background.
- If the research takes place without consent, the project manager is obliged to inform the participants unless there are exceptions to the duty of disclosure.
The research participants' right to access
The research participants have the right to access their data.
- Research participants who wish to gain access to their given data can be accessed, following NTNU's routine: Access to your personal data.
- The project manager / the student's supervisor shall ensure that the research participant is given access.
Roles and responsibilities
If you are a project manager for research projects
- The project manager must submit a notification to the Norwegian Centre for Research Data (NSD) and/or an application to the Regional Committee for Medical and Health Research Ethics (REK) and ensure that agreements required to safeguard information security and privacy are entered into by the person who has the authority to enter into such agreements.
- The project manager must involve the research manager in advance of the application to REK or notification to NSD and submit an application and notification form if requested by the research manager.
- The project manager must carry out a risk assessment and consult with NTNU's Data Protection Officer if an Data Protection Impact Assesment (DPIA) is to be carried out based on Article 35 of the EU General Data Protection Regulation (GDPR).
- The project manager prepares the consent form and associated information letter.
- The project manager must create a data management plan.
- The project manager shall ensure access control if there is a need for confidentiality when processing personal data in the project.
- The project manager shall ensure that relevant and necessary documentation requirements are met in the project.
If you are a student or supervisor for a student project
- The supervisor functions as a project manager in student projects. Student assignments are defined as assignments that are carried out in connection with the bachelor/master/master's thesis at NTNU. PhD projects are defined as ordinary research projects.
- The supervisor shall assess whether the student project is covered by the Health Research Act.
- The supervisor shall assess whether the planned processing will comply with the basic principles of general data protection according to the EU General Data Protection Regulation, including that there is a legal basis (statutory provision) for the processing or shall be obtained consent from the participants in the project.
- The supervisor shall assess whether the student project can be carried out without notification to NSD, i.e., that no personal data is processed electronically in the student project. This only applies if everything throughout the process is anonymous. Online forms must then be completely anonymous, i.e. so that the respondent's e-mail / IP address cannot at any time be linked to the questionnaire. In the case of interviews and observations, data must be recorded only in the form of notes by hand. No recordings of calls or filming of people can be made.
- The supervisor, together with the student, shall carry out a risk assessment that will help prevent undesirable incidents or deficiencies in the processing of personal data that may have consequences for the research participants. The risk assessment must be documented.
- The supervisor shall consult with the Data Protection Officer if there is a requirement for a Data Protection Impact Assessment according to Article 35 of the EU General Data Protection Regulation.
- The student shall, in consultation with the supervisor, write a data management plan.
- The supervisor, or student whose supervisor has approved this, must notify the Norwegian Centre for Research Data (NSD) no later than 30 days before the start of processing. The supervisor or student fills out the notification form to NSD, as well as prepares the associated attachments. If the project is health research, the project manager must apply for prior approval to the Regional Committee for Medical and Health Research Ethics (REK). In addition, the health research project must be reported to NSD unless MH is responsible for the research.
- The supervisor shall ensure that an agreement is entered into with students who do not have an appointment relationship at NTNU if they are to have access to NTNU's systems.
- The student must in some instances sign a non-disclosure agreement. See Taushetserklæring studenter for more information (in Norwegian only).
- The student should have completed the necessary training in information security and privacy before processing personal data in student projects.
Storage of research data
The project manager is responsible for the data that the project collects and uses and should have access to all research data included in the project. The project manager assigns access rights and keeps records of who has access to the data. The project manager is also responsible for the management of active research data and for deletion/storage of data in a satisfactory way at the end of the project. See NTNU Data Storage Guide for more information about storage options.
NTNU IT has signed an agreement on behalf of NTNU with the University of Oslo (UiO) for use of the TSD 2.0 services used for secure storage of sensitive personal data, including health data. The solution includes 1 TB of storage, as well as access to computer power and tools according to the description. If you need more storage or other capacity than the basic package includes, the project must buy this from UiO.
Storage of active research data
- Storage and processing of personally identifiable or pseudonymous data shall take place in NTNU's systems or in systems where there is a data processing agreement with NTNU. On the Data Processing Agreement page, you will find NTNU's data processing agreement template.
- Do not use private equipment (personal laptop/computer) for storage of personal data.
- If e-mail is to be used for transfer of personal data, the content must be encrypted.
- Data should not be stored on portable media such as a USB flash drive, laptop, or the like, without the information being encrypted. Note that encryption is not the same as pseudonymization. Encryption should be at least at the level of 256 bits AES or equivalent.
- Health or other sensitive personal data that is directly identifiable may only be stored in encrypted form or areas with a high degree of security, e.g. TSD at UiO, HUNT data center, or in other infrastructure approved for storing sensitive personal data.
- As a general rule, health information and other special categories of personal data should be kept pseudonymized, i.e., research data should be stored separately from the list of identifying elements (link key/scrambling key) and the researchers should only have access to the pseudonymized research data.
- Paper-based research data that are not anonymized should be stored in locked cabinets or archives where only personnel subject to the organization's instructional authority have access. If paper-based research data is stored in an office, the office must be locked when leaving.
- The link key must be stored by a trusted third party, such as the registration officer. If both data and link keys are stored electronically, they are required to be stored in different sites, and the link key/scrambling key must be specially secured.
- The storage of active data must be clarified before data collection is initiated.
- Active research data may be retained during the project period. Notification to NSD or application to REK shall contain information on how personal data is planned to be collected, processed, and stored - with an assessment of the protection needs of the information concerning the storage medium planned to be used and the safeguards taken to prevent unauthorized access to the information.
Upon completion of the project
- At the end of the project, the project manager shall ensure that the personal data is anonymized, deleted or archived according to approvals and consent.
- The project manager must send a final report to NSD/REK when the project has been completed and, if necessary, confirm that the personal data has been anonymized or deleted. Upon completion of a student project, this must be done immediately after grading.
- If the processing has not been done with de-identified data, all direct and indirect personally identifiable information must be removed from the research data for it to become anonymous.
- The requirement for deletion/anonymization applies to all information where the research participant's identity directly or indirectly appears.
- The project manager shall ensure that copies of the data are handled in the same way.
- A copy of fully anonymized data can be retained. If the data is de-identified, anonymization usually takes place by deleting the link key/scrambling key.
- When students or project staff leave, the project manager must ensure that research material they have collected or accessed is securely stored or deleted if there is no longer a need for storage.
- If the data is to be stored beyond the end of the project, the project manager in cooperation with the research manager (normally the department) must decide how this storage should be carried out.
- Source data or other research data and documents shall not be deleted if the supervisory authorities have open cases related to the research project, or if the project manager or employees are investigated by The National commission for the investigation of research misconduct.
Reporting Personal Data Breach
Students and researchers must report breaches of information security and privacy. The purpose is to make it possible to restore the condition, remove the cause of the discrepancy, reduce negative consequences, and to prevent future security breaches and privacy violations.
Examples of personal data breaches
- emails with sensitive personal data are sent to the wrong person
- National identity number is sent unencrypted by e-mail or made available openly online
- lost equipment (mobile, laptop, tablet, notes, and the like)
- wrongful disclosure or publication of personal data
- technical errors or flaws that may compromise security concerning access control, equipment, or software
- guidelines that are missing, not functioning, or that are not being followed
- personal data being stored openly or without proper access control
- NTNU Data Collection guide
- NTNU Data Storage Guide
- Norwegian Centre for Research Data (NSD). Provides guidance for researchers and students concerning data collection, data analysis, methods, privacy, and research ethics. Here you will also find the notification form.
- NTNU's health research portal. How to plan, carry out and end research projects.
- Guidelines for the processing of personal data at NTNU (Norwegian only)
- General information about privacy and GDPR at NTNU (EU General Data Protection Regulation)
- Tools for surveys on "Innsida" (Norwegian only).
- DPIA at NTNU
If you have questions relating to NSD notification requirements or preliminary approval of medical and health projects, please contact:
- Anne Marie Snekvik
- Gjøvik: Stein Runar Olsen
- AD-Faculty: Sunita Prugsamatz Ofstad
- HF-Faculty: Hanne Siri Sund | Marte Lintoft
- IE-Faculty: Harald Lenschow
- IV-Faculty: Astrid Vigtil
- NV-Faculty: Marianne Bjordal Havnes
- SU-Faculty: Rune Dahl
- ØK-Faculty: Gunnar Bendheim
Research Data @NTNU provides general support, advice and guidance related to research data management.