This guide is an overview of tools available at NTNU for collection of data, focused on collection of personal data, sound and video recordings. The overview will help you make correct choices for managing data in your research or student project.

This data collection guide is an updated overview, showing the digital tools for data collection that are approved by NTNU, for what purposes these can be used, and information on how to start using them. Additionally, this data collection guide and the storage guide have information that is relevant for setting up a data management plan for your project.

Norsk versjon: Datainnsamling

Information security and classification

NTNU has guidelines for the classification of information. All information you process and share has different needs for security and shielding, based on its value. To determine the value of the information and which security measures are necessary, the data must be classified according to its level of information security. As the one collecting and managing data, you are responsible for familiarizing yourself with and deciding on the information security level of the data. Read more about NTNU's guidelines.

Read more about:

• Policy for Classification of Information Assests
• Classification of files and documents
• Collection of personal data for research projects

Classification of personal data

Research data is usually classified as internal (yellow) or confidential (red), and this also applies to research data containing personal data. Personal data is information and assessments that can be related to individual persons, either directly or indirectly. Examples include names, ID-numbers, e-mail, IP-addresses, photos, videos, interview recordings and transcribed interviews (this also applies if the interviews are de-identified and/or contain only indirectly identifying information).

Some types of personal information are known as special categories of personal data (often called sensitive data). These types of data require additional protection and will usually fall in the confidential category. These require special protection, and will usually end up in the confidential category. Special categories of personal data include information about racial or ethnic origin, political opinion, religion, belief or trade union membership, processing of genetic information and biometric information for the purpose of uniquely identifying a natural person, health information or information about a natural person's sexual relationship or sexual orientation . Other examples of confidential data are information about criminal convictions and offences, or information about people from vulnerable groups or in vulnerable situations.

Some personal data in research will fall into the strictly confidential (black) category. Strictly confidential is only used in cases where significant damage could be caused to public interests, the institution, individual or partner if the information becomes known to unauthorized parties. An example of such information could be information about persons who need special protection (code 7).

How to collect personal data digitally

To ensure that you collect data in a safe and responsible way, we recommend that you follow the steps described below.

Step 1 – Assess the level of information security and approvals

When you collect and process personal data several things must be in place before you can start the collection. All the following bullet points must be addressed before the collection starts!

• Reuse: Do I really need to collect new data, or could I reuse existing data collected by someone else? Read more about searching for data.
• Data minimization: What data do I actually need to conduct the project? Do I need to record sound and/or images? Remember the principle of data minimization. Read more (Norwegian).
• Classification: You have to be confident whether the data you are collecting are public, internal or confidential data.
  NB! If you consider that you might be processing highly confidential data, this should not be done digitally without a special review. Contact Digital Security (NTNU SOC) for further guidance.
• Notification: Should Sikt be notified about the project? Most likely: Yes. Read more and notify here.
• Notification about changes: For projects where Sikt has already been notified, but the data collection method will be changed, you must notify Sikt about the alterations. Use the message dialogue in the existing project on Sikt's webpage.

Step 2 – Choice of tools for collecting personal data

Students and employees have access to different tools, and you should follow the recommendations below to choose the appropriate tool for you projects and method of collecting data. As a rule, private equipment should not be used to collect and store personal data. There are however specific exceptions, like installation of the Nettskjema-Dictaphone app on your private mobile phone, or use of an external dictaphone with routines for transfer and deletion of files.

NTNU recommends that you should only use the tools listed in the tables below. Tools like Facetime, Google hangout, Skype (private), Messenger, Snapchat or similar must not be used to collect data in affiliation with NTNU. NTNU does not have a data processor agreement with Google, and this means that researchers and students at NTNU cannot use software and tools from Google when collecting personal data.

See the comments below the tables for additional information.

Interview with recording of sound and/or video

(X) UiO has previously reported technical instability related to storage of the recordings. We therefore recommend that you make a test recording first, and check after each recording to make sure that is is saved.

(1) You can use the integrated record function, but you have to make sure that the recorded file is stored and processed according to the relevant guidelines. See also the Data Storage Guide.

(2) The Dictaphone app has to be set up to collect and store data directly in TSD (Services for sensitive data).

(3) Requires good procedures for transfer of recordings to secure storage and deletion of files from the dictaphone.

(4) A complete classification of information security has not been carried out, contact the Digital Security Section.

Survey tools

For the collection of data with digital surveys for research and student projects, Nettskjema is recommended. For the collection of confidential (data), Nettskjema must be set up to collect and store data directly in TSD. UiO provides user guides for Nettskjema, and Research Data @NTNU can also offer advice, guidance and help.

Additional information

• Sound recordings with confidential information (red data): You can conduct an interview by telephone, Teams, Zoom or Skype and record the conversation with an external recorder/dictaphone. The file has to be transferred to secure storage for further processing. Alternatively you can use the Nettskjema-dictaphone app with transfer and storage directly in TSD.
• Video recordings with confidential information (red data): At the moment NTNU does not offer any digital tools that fulfil the requirements for information security when recording videos that contains confidential information. Digital security is currently reviewing which tools and procedures can be used and these will be announced when ready.

Step 3 – Protect and transfer data to storage location for further use

After you have collected your data, you have to make sure that you store and protect them. You can use the Storage guide to find the correct storage solution for your data. Remember:

• Can you collect data directly to the storage location you are using? If data has to be transferred from one storage location to another, this has to be done in a safe and secure manner, see more information on the Norwegian page Sikker sending og mottak av filer og dokumenter. Confidential data must be encrypted prior to transfer. Read more about encryption.
• Delete copies of collected data located on unsecured storage spaces and devices. Here's how to delete information from external devices such as memory cards and memory sticks:
  
  • Windows: Connect an external storage medium to the PC, find the medium, right-click and select Format. Select NTFS file system, make sure that "Quick format" is not ticked and click Start. NB: It is important to use full formatting to prevent the information from being recovered.
  • MacOS: Connect to external storage medium. Open Disk Utility, select device under External, click Erase and select the desired format from the menu. (Use MS-DOS (FAT) for 32GB and less, and ExFat for cards over 32GB unless you have a good reason to choose other formats.) Click Security Options and move the switch all the way to the right before clicking Erase.
• If you use the storage solutions provided by NTNU, these in general have automatic backup, and you do not need to make your own copies. The Storage guide has updated information about backup services.

Step 4 – Completing the processing of personal data

When you are done with the processing, personal data should be deleted. It may be appropriate to anonymize data, and to archive or publish it, and there are separate guidelines for how this is done. See Research Data Repository wiki for more information.

See also

• Research Data@NTNU - Support service for Research Data at NTNU
• Data storage and collaboration guide
• Processing of information with private ICT-equipment

Contact

Contact research-data@ntnu.no if you have questions regarding the data collection guide or suggestions for how the guide could be further improved.