I am a researcher or a PhD student

The researcher is responsible for ensuring that the project complies with the requirements in the data protection regulation. A researcher who is project manager is responsible for ensuring that everyone working on the project has sufficient knowledge of privacy and data protection. PhD students must comply with special rules.

    The researcher/project manager is responsible for ensuring that all parts of personal data processing are carried out according to rules and regulations. Different types of personal information must be stored in different ways. The kind of personal data that is planned to be collected also determines which approvals must be obtained before the project starts.

    PhD Students - privacy

    PhD students do not, by definition, have research competence. The supervisor thus has formal responsibility for the PhD student's research project.

    PhD students have their own responsibility for familiarizing themselves with and following rules and routines for privacy and personal data protection in their research project.

    PhD students can report their project to NSD for assessment of planned privacy and personal data protection in the project. The report to NSD and any attachments, including any applications to REK and NIH's Ethics Committee, must be quality checked by the supervisor.

    For practical reasons, PhD students can register their projects in Prosjektweb directly/assume the role of project manager in Prosjektweb. The supervisor and PhD student must together clarify who is responsible for the archiving of agreements and other archive-worthy project documents.


    Approvals and assessments before start-up

    NIH expects researchers to clarify with the head of department before the project starts and before other approvals are sought. For PhD students' and master students' projects, the supervisor must ensure such clarification.

    Research protocol

    For most research projects, a project description or, alternatively, a research protocol will be the basis for applying for approvals/assessments.

    Requirements research protocol

    The research protocol must contain:

    • Information about the research supervisor and project manager
    • Information on responsibilities and division of labor for the project manager and project participants
    • A description of the project given in a generally comprehensible way and a scientifically designed project plan with the project's purpose, justification, material, methods, probability that the chosen study design can answer the research question and estimated timeframes for the project.
    • Information on which criteria the project uses as a basis for selecting research participants and how these are recruited
    • Information about what is communicated to the research participants, privacy and consent, how consent should be obtained and, where applicable, justification for why consent should not be obtained.
    • Assessment of research ethical challenges in the project, particularly the benefit-risk aspect for research participants
    • Assessment of measures to ensure data quality
    • Data management plan. This must describe how data will be handled during the project period and after the project has ended. The purpose is to assess various aspects of handling research data, from collection/generation, processing, analyses, documentation, to storage and future sharing of data. 
    • How health information is to be processed, from which sources health information is to be obtained and whether the information is to be disclosed to others or transferred to countries outside the EU/EEA area.
    • From which sources human biological material is to be taken and whether such material is handed over to others or transferred abroad
    • Funding sources, interests and dependencies, researchers and research participants' possible financial conditions related to the research project in question 
    • Plan for publication of results and information on possible extended use, including commercial use, of research results, data or biological material. 

    NSD notification

    All research projects that include personal data or research on human biological material must be reported to NSD. NSD gives its assessment of whether privacy is safeguarded in the project. The responsibility still lies with the researcher/NIH. Report the project via nsd.no/MinSide.

    Re notification form NSD

    See additional information from NSD regarding the notification form.

    Important documents that must be attached for assessment by NSD:

    • Questionnaire
    • Interview guide
    • Declaration of consent
    • Project description

    If the notification form is submitted before other decisions have been made (for example, approval from REK or from NIH's Ethics committee), a copy of these must be included.

    Health research - REK

    All research projects that fall within the scope of the Health Research Act must be sent to the Regional Committee for Medical and Health Research Ethics (REK) for prior approval. 

    This includes research on human biological material, creation of a health register linked to a research project and collection of health information when the purpose is to gain new knowledge about health and disease. 

    Go to REK's website for more information on which projects to apply for and how. Researchers who have doubts about whether a project needs prior approval from REK can submit a so-called submission assessment to clarify whether the project is accepted for assessment.

    For drug testing or clinical testing of medical equipment, you must apply to the Norwegian Medicines Agency and the Directorate of Health.

    Ethical considerations

    The ethics committee at NIH assesses the soundness of research projects and whether research projects on humans are planned in accordance with research ethics norms. 

    Criteria Ethical committee NIH

    Research projects must have approval from NIH's ethics committee if the research project:

    • Involves people directly in the form of interventions (psychological and/or physical);
    • Has significant potential for injury and strain beyond what can be considered normal risk and strain for the participant;
    • Is not required to be submitted to REK - falls outside the scope of the Health Research Act.

    Research projects involving vulnerable groups, including children and young people under the age of 16, must always be approved by NIH's ethics committee - unless they are covered by the scope of the Health Research Act.

    The same restriction applies to research projects with the collection of human biological material. 

    See additional information about the Ethics Committee at NIH.

    In addition to privacy assessments, the researcher must assess whether the project is in line with the research ethics guidelines that apply to the research area. See the National Research Ethics Committees' research ethics guidelines for various disciplines.

    Registration Prosjektweb

    All research projects carried out by NIH employees must be registered in Prosjektweb. Prosjektweb is available via Innersvingen. If personal data is collected, select project type "research on people externally funded" or "research on people internally funded". In Prosjektweb, the project manager and project members have access to checklists/remember lists for project administration. By uploading project documents such as agreements, budgets and reports, you also fulfill the archiving obligation (automatic transfer to P360). See guidelines at Innersvingen.

    Prosjektweb is only available to staff and to students at NIH via @nih.no-mail.


    Legal basis for processing

    The project manager is responsible for ensuring that there is a legal basis for processing of personal data. The most important basis for research is the consent of the participants, but other grounds may be relevant. In the case of special categories of personal data ("sensitive data"), express consent is required, usually a signature.

    Read more about the legal basis for processing on the page about routines.


    Collection of data 

    Only when all approvals are available - including confirmation of consent from the participants/subjects - can the collection of data begin. The project manager is responsible for how data is collected and processed. Personal data shall not be stored longer than is necessary for the purpose for which it was collected.

    Read more about collection on the routines page.

    Storage - classification of data

    The project manager is responsible for ensuring data protection during the process and must make an assessment of how to store the data material. The level of security will depend on the type of personal data that is processed. The strictest storage requirements are for data in categories black and red.

    Information about how data is to be stored must be included in the notification to NSD and in the application to REK.

    Read more about storage and classification on the routines page

    Access, Transfer or Sharing

    The project manager must also consider who should have access to active research data.

    The institutions/researchers/students or employees who will have access to personal data must be specified in the report to NSD and in the application to REK. The research participants must also be informed about and have consented to such sharing of personal information.

    Read more about access and sharing on the routines page


    Follow-up participants' privacy

    Anyone who has agreed to participate in a research project can, as a general rule, require access to and correction of incorrectly registered information. They can also withdraw from further participation without justification/revoke given consent. Requests from participants must be replied to within 30 days.


    Amendment reports 

    In the event of significant changes to the project, the researcher/project manager must send an amendment report to the same institutions that originally granted approval. It may also be necessary to obtain new consent from the participants.

    Examples project change

    • Change in design and analysis
    • New knowledge about risk, disadvantage or benefit for the research participants
    • Change of project manager, research manager, research biobank or project employee.
    • Postponement or extension of the project period
    • Increase in the number of research participants
    • Change in recruitment procedure
    • Change in inclusion and exclusion criteria
    • Content-related change of information letter and request for participation
    • Change in given conditions for dispensation from confidentiality
    • Change in who has access to personally sensitive information
    • Change of storage and processing of health information or biological material.

    The project leader fills in the form for changing the research project - see the websites of NSD/REK/Etisk Komité. Contact the relevant institution(s) if there is any doubt as to whether the changes in the project require an application.


    Breach of privacy

    Report undesired incidents

    An undesired incident is referred to as a nonconformance in that the processing of personal data does not conform with legislation or NIH's routines for processing personal data.

    As soon as you suspect that personal data have gone astray or been processed in breach of legislation or routines, you should report this to your immediate superior.

    Your superior should send a notification to sikkerhetssavvik@nih.no. Describe the event/what happened.

    The institution/NIH must assess the severity of the nonconformance and report the undesired incident to the Norwegian Data Protection Authority (Datatilsynet) within 72 hours.

    Examples undesired incidents

    • personal information, passwords or the like fall into the wrong hands as a result of "phishing" or fake networks.   
    • incorrectly sent e-mails and attachments, especially where there is personal data 
    • collection of data in forms that make the information searchable on the internet, or in form tools where NIH does not have a data processing agreement  
    • wrong disclosure or wrong publication of information
    • errors in access, equipment or software which mean that the availability of the information is impaired, and which in turn may impair security 
    • procedures that are missing, do not work, or are not followed 
    • information with a classification level that requires access control is open and accessible to unauthorized persons
    • lack of grounds or assessment of grounds for processing personal data 
    • national identity number that has been sent unencrypted by e-mail to external parties


    Closing, final announcements and archiving

    In the closing phase, collected personal data must be deleted, anonymised or kept for further storage. NIH has decided that data from research projects must be stored for 5 years for possible inspection and control. For the same reason, data for master students' projects must be stored until approval of exam.

    Closing - personal information

    Researcher must

    • ensure that all personal information about respondents or informants that is not to be kept after the end of the project is properly deleted.
    • ensure that personal data to be stored after the end of the project is anonymised, for example by destroying the connection key for de-identified data
    • ensure that personal data that must be taken care of after the end of the project is properly stored.

    Final announcements

    Researcher must

    • send a final report to NSD and possibly to REK.
    • update Prosjektweb

    Archiving of data

    Archiving must not be confused with active storage of data that is in use during the project period.

    NIH requires that data from research projects should be kept for five years after the end of the project (for control and verifiability). The requirement does not apply to master students' projects. After the prescribed storage period, the project manager must ensure that personal data is anonymised or deleted.