I am a Master Student

Master's students do not have project manager responsibility, but are responsible for the privacy of the participants in their research project

    The supervisor is responsible for the research project, but as a master's student you are responsible for various tasks related to the implementation.

    The responsibilities and tasks specified here are limited to privacy and data protection and do not cover all aspects of the master's thesis/master's study.

    Master students - privacy

    Master's students do not have formal research competence and must, according to the supervision agreement:

    Master's students must also:

    Approvals and assessments before start-up

    NIH expects the project to be clarified with the head of department before the project starts and before other approvals are sought. The supervisor must ensure such clarification for the master students' project.

    Research protocol

    For most research projects, a project description or possibly a research protocol will be the basis for applying for approvals/assessments. The supervisor must approve the project description before it is sent to other parties.

    Requirements research protocol

    The research protocol must contain:

    • Information about the research supervisor and project manager
    • Information on responsibilities and division of labor for the project manager and project participants
    • A description of the project given in a generally comprehensible way and a scientifically designed project plan with the project's purpose, justification, material, methods, probability that the chosen study design can answer the research question and estimated timeframes for the project.
    • Information on which criteria the project uses as a basis for selecting research participants and how these are recruited
    • Information about information to the research participants, privacy and consent, how consent should be obtained, possibly justification for why consent should not be obtained. 
    • Assessment of research ethical challenges in the project, particularly the benefit-risk aspect for research participants
    • Assessment of measures to ensure data quality
    • Data management plan. This must describe how data will be handled during the project period and after the project has ended. The purpose is to assess various aspects of handling research data, from collection/generation, processing, analyses, documentation, to storage and future sharing of data. 
    • How health information is to be processed, from which sources health information is to be obtained and whether the information is to be disclosed to others or transferred to countries outside the EU/EEA area.
    • From which sources human biological material is to be taken and whether such material is handed over to others or transferred abroad
    • Funding sources, interests and dependencies, researchers and research participants' possible financial conditions related to the research project in question 
    • Plan for publication of results and information on possible extended use, including commercial use, of research results, data or biological material. 

    Master student - notification to NSD

    All research projects that include personal data or research on human biological material must be reported to Norwegian Center for Research Data (NSD). NSD give their assessment of whether privacy is safeguarded in the project. The responsibility for compliance still lies with the researcher/NIH.

    As a student, after clarification with your supervisor, you can register the project with NSD ("MySide"). Project description and other documents must be quality checked by the supervisor before they are submitted. Remember to share the registration form with your supervisor at NIH. You can ask questions to NSD via a chat function.

    Re notification form NSD

    See additional information from NSD regarding the notification form.

    Important documents that must be attached for assessment by NSD:

    • Questionnaire
    • Interview guide
    • Declaration of consent
    • Project description

    If the notificatioin form is submitted before other decisions have been made (for example, approval from REK or from NIH's Ethics committee), a copy of these must be included.

    Health research - REK

    All research projects that fall within the scope of the Health Research Act must be sent to the Regional Committee for Medical and Health Research Ethics (REK) for prior approval. 

    Go to REK's website for more information on which projects to apply for and how. 

    The supervisor must have quality-checked the application to REK before it is sent.

    For drug testing or clinical testing of medical equipment, you must apply to  the Norwegian Medicines Agency  and  the Directorate of Health.

    Ethical considerations

    The ethics committee at NIH assesses whether research projects on humans are planned in accordance with research ethics norms.

    See additional information about the Ethics Committee at NIH. 

    The supervisor must quality check the application to the Ethics Committee before it is submitted.

    See also the national research ethics committees' research ethics guidelines for various fields.

    Registration in Project web

    All research projects carried out by NIH employees must be registered in Prosjektweb. For a master's project, the supervisor must register and give the student access. The student's @nih email must be used for this.

    In Prosjektweb, you get access to checklists/remember lists for project administration. By uploading project documents such as agreements, budgets and reports, the filing obligation is fulfilled (automatic transfer to P360). 

    Legal basis for processing

    You must be sure that there is a legal basis for processing of personal data. The most common basis for research is the consent of the participants, but other grounds may be relevant.

    In the case of special categories of personal data ("sensitive data"), express consent is required, usually a signature. 

    Read more about the basis of treatment on the page about routines.



    Only when all approvals are available - including confirmations from the participants - can the collection itself begin. Although the supervisor is responsible for the personal data, the master's student is responsible for following rules and routines.

    Read more about collection on the routines page.

    Storage - classification of data

    The project manager is responsible for ensuring that data material is properly secured during the process and must assess how it is stored. Master students must follow regulations and instructions.

    Information and research data are categorized in a privacy context into different levels (colours) - according to how much damage it can cause to individuals or institutions if data goes astray. The strictest requirements are made for data of type black or red.

    Specification of how data is to be stored must be included in the notification to NSD and possibly in the application to REK.

    Read more about storage and classification on the routines page.

    Access, Transfer or Sharing

    The supervisor is responsible for assessing who should have access to active research data. Master students must follow regulations and instructions. 

    The institutions/researchers/students or employees who are to have access to personal data must be specified in the notificatioin to NSD and in the application to REK. The research participants must also be informed about and have consented to such sharing of personal information.

    Read more about access, transfer or sharing on the routines page.

    Follow-up privacy participants

    Anyone who has agreed to participate in a research project can, as a general rule, require access to and correction of incorrectly registered information. They may also withdraw from further participation without justification/revoke their given consent. Requests for access from participants must be answered within 30 days.

    Examples follow-up of participants

    • Respond to inquiries from research participants 
    • Ensure proper deletion or anonymisation of research data if informants withdraw their consent
    • Ask respondents for new consent if collected information is to be processed for other purposes or in other ways, for example stored longer than what they originally consented to. 
    • Check that personal data processed in the project are not used for purposes other than those to which the participants have consented.
    • Check that agreements with business partners are complied with


    Amendment reports

    In the event of significant changes to the project, you must send an amendment report to the same institutions that originally granted approval. The supervisor must quality check amendment notifications to REK and the Ethics Committee.

    Examples changes to project

    • Change in design and analysis
    • New knowledge about risk, disadvantage or benefit for the research participants
    • Change of project manager, research manager, research biobank or project employee.
    • Postponement or extension of the project period
    • Increase in the number of research participants
    • Change in recruitment procedure
    • Change in inclusion and exclusion criteria
    • Content-related change of information letter and request for participation
    • Change in given conditions for dispensation from confidentiality
    • Change in who has access to personally sensitive information
    • Change of storage and processing of health information or biological material.

    The project leader fills in the form for changing the research project - see the websites of NSD/REK/Etisk Komte. Contact the relevant institution(s) if there is any doubt as to whether the changes in the project require an application.

    Breach of privacy

    Report undesired incidents

    An undesired incident is referred to as a nonconformance in that the processing of personal data does not confirm with legislation or NIH's routines for processing personal data. 

    As soon as you suspect that personal data have gone astray or been processed in breach of legislation or routines, you should report this to your immediate superior.

    Your superior should send a notification to sikkerhetssavvik@nih.no. Describe the event/what happened.

    The institution/NIH must assess the severity of the nonconformance and report the undesired incident to the Norwegian Data Protection Authority (Datatilsynet) within 72 hours.

    Examples undesired incidents

    • personal information, passwords or the like fall into the wrong hands as a result of "phishing" or fake networks.   
    • incorrectly sent e-mails and attachments, especially where there is personal data 
    • collection of data in forms that make the information searchable on the internet, or in form tools where NIH does not have a data processing agreement  
    • wrong disclosure or wrong publication of information
    • errors in access, equipment or software which mean that the availability of the information is impaired, and which in turn may impair security 
    • procedures that are missing, do not work, or are not followed 
    • information with a classification level that requires access control is open and accessible to unauthorized persons
    • lack of grounds or assessment of grounds for processing personal data 
    • national identity number that has been sent unencrypted by e-mail to external parties

    Closing, final announcements and archiving

    In the closing phase, collected personal data must be deleted, anonymised or stored for further storage. NIH has decided that data from research projects must be stored for 5 years for possible inspection and control. For master students' projects, data must be stored until final exam.

    End of project - privacy

    Master's students must work in collaboration with their supervisor

    • ensure that all personal information about respondents or informants that is not to be kept after the end of the project is properly deleted.
    • ensure that personal data to be stored after the end of the project is anonymised, for example by destroying the connection key for de-identified data
    • ensure that personal data that must be taken care of after the end of the project is properly stored.

    Closing messages

    At the end of a research project, a notification must be sent to NSD and possibly to REK.

    Access to NSD's message portal requires access to the @student.nih.no e-mail.

    In accordance with the guidance agreement, the connection key must not, as a general rule, be deleted before censorship has taken place. The supervisor must send a termination notice to NSD when the connection key has been deleted.

    Archiving of data

    Archiving must not be confused with active storage of data that is in use during the project period.

    NIH requires that data from research projects should be kept for five years after the end of the project (for control and verifiability). The requirement does not apply to master student's projects. After the prescribed storage periode, the project manager must ensure that personal data is anonymised or deleted.