Handling data from health research - Kunnskapsbasen
Handling data from health research
Norsk versjon: Håndtering av forskningsdata fra helseforskning
- Storage and processing of personally identifiable or de-identified data must take place via NTNU’s systems or in systems where there is a data processor agreement with NTNU.
- Personal equipment (home PCs) must not be used.
- Email must not be used for data transfer unless the content has been encrypted.
- Data must not be stored on portable media such as a USB flash drive or laptop unless the information is encrypted.
- Note that encryption is not the same as de-identification. Encryption should be at least at the level of 256-bit AES or equivalent.
- Health data that is directly identifiable can only be stored in encrypted form or in areas with a high level of security (such as TSD at UiO, the HUNT Data Center or other infrastructure after approval).
The main rule is that health research data must be stored in de-identified form, that is, research data and identifying elements (identifier) must be stored separately, and in such a way that the researchers only have access to research data.
Active research data can be stored as long as approval from the REC is in effect. The application to the REC must include information about the plans for collecting, processing and storing personal data - with an assessment of the need for protection of the personal data in relation to the planned storage medium and the security measures taken to prevent unauthorized access to the data.
The project manager must carry out a risk assessment of the project, so that measures can be taken on this basis. All assessments and measures must be documented.
Storage of research data
The project manager is responsible for secure storage of active research data - personal data and human biological material - and any identifier key is appropriately stored. NTNU recommends creating a data management plan.
The project manager must keep track of everyone who has access to the research data in the individual project and decide who should have access to de-identified research data and the identifier key. The research data must only be available to authorized project team members until completion of the project. Information must always be available to the person/body responsible for research.
Paper-based research data that has not been anonymized must be stored in locked archives, with access restricted to staff who are subject to the organization’s power of instruction. If paper-based research data are stored in an office, the office must be locked when you leave it.
As a general rule, the identifier key must be stored on paper. If both data and the identifier are stored electronically, they must be stored in different areas, and the identifier must be stored especially securely. Project team members must normally not have access to the identifier. In cases where they have access to the identifier, the data are no longer regarded as de-identified, but as directly identifiable to the person, which involves more stringent requirements for proper handling and storage.
How active data will be stored must be determined before data collection begins.
There are special regulations for the storage and safekeeping of human biological material.
Long-term storage after completion of the project
When the project is completed, the project manager must ensure that the research data are anonymized or deleted, unless the regional committee for medical and health research ethics (REC) has approved continued storage. The project manager must ensure that copies of the data are handled in the same way.
A copy of the complete anonymized data may be kept. Anonymization is usually achieved by deleting the identifier. If this is not done, all information that could directly or indirectly identify a specific person must be removed from the research data.
Access to archived data (“passive data”) must be tightly restricted.
To enable audit and supervision, in some cases there may be an obligation to store the research data.
- The REC may decide that the research data must be stored for up to 5 years after the project is completed.
- For clinical trials of medicines with human subjects, all source data must be available at each trial site for at least 15 years after the final report is available.
- Contractual provisions may also specify storage for longer periods. Retention of certain health data may be necessary under the regulations for health records or the Public Archives Act (arkivloven).
- When students or project team members leave the project, the project manager must ensure that the research material they have collected or have had access to is securely stored.
Source data or other research data and documents must not be deleted if supervisory authorities have open issues associated with the research project, or if the project manager or project team members are under investigation by the committee for misconduct in research (Uredelighetsutvalget for forskning).
Reuse of data
It may be desirable to archive research data in person-identifiable form to enable follow-up studies or study of related research questions based on the same data sample. In this case, the project manager must write a new research protocol and application to the REC for approval. If the objective of an approved project is changed substantially, notification of changes or a new application must also be submitted to the REC.
Depersonalizing and anonymizing data
Information that can related to individuals is regarded as personal data.
- De-identification is a process that makes it difficult to identify individuals, for example by replacing the name and national identity number with a code, but it will still be possible to trace the information back to individuals. The information is still regarded as personal data regulated by law.
- Anonymization means that it is not possible to link information to individuals.
Information is only regarded as anonymized when it cannot be linked with a group of fewer than 3-5 people. For example, for people who have a very rare diagnosis, or live in a small place, it may be possible to trace the information back to such a group.
Anonymized information is not personal data and is not regulated by data protection legislation.
Transfer of personal data
If you plan to transfer personal data to partners in Norway or abroad, this must be regulated in an agreement. The agreement must be signed by the Head of Department. Templates for agreements and more information can be found here: