I am a researcher or a PhD student

The researcher is responsible for ensuring that the project complies with the requirements in the data protection regulation. A researcher who is project manager is responsible for ensuring that everyone working on the project has sufficient knowledge of privacy and data protection. PhD students must comply with special rules.

    The researcher/project manager is responsible for ensuring that all parts of personal data processing are carried out according to rules and regulations. Different types of personal information must be stored in different ways. The kind of personal data to be collected also determines which approvals must be obtained before the project starts.

    PhD Students - privacy

    PhD students do not, by definition, have research competence. The supervisor thus has formal responsibility for the PhD student's research project.

    PhD students have their own responsibility for familiarizing themselves with and following rules and routines for privacy and personal data protection in their research project.

    PhD students can report their project to NSD for assessment of planned privacy and personal data protection in the project. The report to NSD and any attachments, including any applications to REK and NIH's Ethics Committee, must be quality checked by the supervisor.

    For practical reasons, the PhD students can register their projects in Prosjektweb directly/assume the role as project manager in Prosjektweb. The supervisor and PhD student must together clarify who is responsible for the archiving of agreements and other archive-worthy project documents.

    Responsibility supervisor master student

    Supervisor's responsibilities:

    The supervisor must ensure that the master student has sufficient knowledge of routines and rules. The supervisor is responsible for ensuring that conditions for approvals are followed and must ensure that data is collected and stored in accordance with regulations.

    Specification of tasks - supervisor must:

    • Quality check messages/applications to NSD, REK and NIH's Ethics Committee before they are submitted.
    • Check whether access to the master's thesis must be restricted for a shorter or longer period.
    • Store the link key and delete it in accordance with the conditions from NSD. As a general rule, the link key cannot be deleted before the master exam is finished.
    • Inform NSD when the link key has been deleted/all personal data has been anonymized.

    Supervisor must also ensure that the project is registered in Prosjektweb if the project includes personal data. The master student can possibly be added as a project member in Prosjektweb (the student's @student.nih.no email must be used for this).

    Responsibility supervisor PhD student

    Supervisor's responsibilities:

    The supervisor must ensure that the PhD student has sufficient knowledge of routines and rules. The supervisor is responsible for ensuring that conditions for approvals are followed and must ensure that data is collected and stored in accordance with regulations.

    Specification of tasks - supervisor must:

    • Quality check messages/applications to NSD, REK and Ethics Committee before they are submitted.
    • Contact the data protection representative if this is relevant - for example if there is a need to prepare a Data Protection Impact Assessment (DPIA).

    Supervisor must also ensure that the project is registered in Prosjektweb if the project includes personal data. The supervisor must clarify with the PhD student who is responsible for archiving project documents via Prosjektweb.

    Approvals and assessments before start-up

    NIH expects researchers to clarify with the head of department before the project starts and before other approvals are sought. For PhD students' and master students' projects, the supervisor must ensure such clarification.

    Different kinds of research projects require different kinds of approvals. All research projects involving collection of/treatment of personal information must be notified to Sikt - personverntjenester (previously NSD). For projects that fall within the scope of the Health Research Act or will require the approval of NIH's Ethics Committee, see links below.

    NSD notification

    All research projects that include personal data or research on human biological material must be reported to NSD. NSD gives its assessment of whether privacy is safeguarded in the project. The responsibility still lies with the researcher/NIH. Report the project via nsd.no/MinSide.

    Re notification form NSD

    See additional information from NSD regarding the notification form.

    Important documents that must be attached for assessment by NSD:

    • Questionnaire
    • Interview guide
    • Declaration of consent
    • Project description

    If the notification form is submitted before other decisions have been made (for example, approval from REK or from NIH's Ethics Committee), a copy of these must be included.

    Registration Prosjektweb

    All research projects carried out by NIH employees must be registered in Prosjektweb. Prosjektweb is available via Innersvingen. If personal data is collected, select project type "research on people externally funded" or "research on people internally funded". In Prosjektweb, the project manager and project members have access to checklists/remember lists for project administration. By uploading project documents such as agreements, budgets and reports, you also fulfill the archiving obligation (automatic transfer to P360). See guidelines at Innersvingen.

    Prosjektweb is only available to staff and to students at NIH via @nih.no-mail.

    REK approval

    NIH's Ethics Committee

    Legal basis for processing

    The project manager is responsible for ensuring that there is a legal basis for processing of personal data. The most important basis for research is the consent of the participants, but other grounds may be relevant. In the case of special categories of personal data ("sensitive data"), express consent is required, usually a signature.

    Read more about the basis for processing on the routines page.

    Collection of data 

    Only when all approvals are available - including confirmation of consent from the participants/subjects - can the collection of data begin. The project manager is responsible for how data is collected and processed. Personal data shall not be stored longer than is necessary for the purpose for which it was collected.

    Read more about collection on the routines page.

    Storage - classification of data

    The project manager is responsible for ensuring data protection during the process and must make an assessment of how to store the data material. The level of security will depend on the type of personal data that is processed. The strictest storage requirements are for data in categories black and red.

    Information about how data is to be stored must be included in the notification to NSD and in the application to REK.

    Read more about storage and classification on the routines page

    Access, Transfer or Sharing

    The project manager must also consider who should have access to active research data.

    The institutions/researchers/students or employees who will have access to personal data must be specified in the report to NSD and in the application to REK. The research participants must also be informed about and have consented to such sharing of personal information.

    Read more about access and sharing on the routines page

    Follow-up participants' privacy

    Anyone who has agreed to participate in a research project can, as a general rule, require access to and correction of incorrectly registered information. They can also withdraw from further participation without justification/revoke given consent. Requests from participants must be replied to within 30 days.

    Amendment reports 

    In the event of significant changes to the project, the researcher/project manager must send an amendment report to the same institutions that originally granted approval. It may also be necessary to obtain new consent from the participants.

    Examples of project changes

    • Change in design and analysis
    • New knowledge about risk, disadvantage or benefit for the research participants
    • Change of project manager, research manager, research biobank or project employee.
    • Postponement or extension of the project period
    • Increase in the number of research participants
    • Change in recruitment procedure
    • Change in inclusion and exclusion criteria
    • Content-related change of information letter and request for participation
    • Change in given conditions for dispensation from confidentiality
    • Change in who has access to personally sensitive information
    • Change of storage and processing of health information or biological material.

    The project leader fills in the form for changing the research project - see the websites of NSD/REK/NIH's Ethics Committee. Contact the relevant institution(s) if there is any doubt as to whether the changes in the project require an application.

    Breach of privacy

    Report undesired incidents

    An undesired incident is a nonconformance: the processing of personal data does not conform with legislation or NIH's routines for processing personal data.

    As soon as you suspect that personal data have gone astray or been processed in breach of legislation or routines, you should report this to your immediate superior.

    Your superior should send a notification to sikkerhetssavvik@nih.no. Describe the event/what happened.

    The institution/NIH must assess the severity of the nonconformance and report the undesired incident to the Norwegian Data Protection Authority (Datatilsynet) within 72 hours.

    Examples of undesired incidents

    • personal information, passwords or the like fall into the wrong hands as a result of "phishing" or fake networks.   
    • incorrectly sent e-mails and attachments, especially where there is personal data 
    • collection of data in forms that make the information searchable on the internet, or in form tools where NIH does not have a data processing agreement  
    • wrong disclosure or wrong publication of information
    • errors in access, equipment or software which mean that the availability of the information is impaired, and which in turn may impair security 
    • procedures that are missing, do not work, or are not followed 
    • information with a classification level that requires access control is open and accessible to unauthorized persons
    • lack of grounds or assessment of grounds for processing personal data 
    • national identity number that has been sent unencrypted by e-mail to external parties

    Closing, final announcements and archiving

    In the closing phase, collected personal data must be deleted, anonymised or retained for further storage. NIH has decided that data from research projects must be stored for 5 years for possible inspection and control. For the same reason, data for master students' projects must be stored until approval of exam.

    Closing - personal information

    Researcher must

    • ensure that all personal information about respondents or informants that is not to be kept after the end of the project is properly deleted.
    • ensure that personal data to be stored after the end of the project is anonymised, for example by destroying the connection key for de-identified data.
    • ensure that personal data that must be taken care of after the end of the project is properly stored.

    Final announcements

    Researcher must

    • send a final report to NSD and possibly to REK.
    • update Prosjektweb.

    Archiving of data

    Archiving must not be confused with active storage of data that is in use during the project period.

    NIH requires that data from research projects should be kept for five years after the end of the project (for control and verifiability). The requirement does not apply to master students' projects. After the prescribed storage period, the project manager must ensure that personal data is anonymised or deleted.