Privacy and research routines NIH

Privacy means that individuals should be left in peace and should have influence over how information about them is used and disseminated. Strict requirements are therefore placed on researchers' use of personal information. NIH has guidelines and routines to ensure that our research complies with the regulations in this area.

    Brief information about GDPR

    In 2018, the EU came up with a new regulation on personal protection called the General Data Protection Regulation (GDPR). The GDPR applies as Norwegian law and sets out rules on the handling of personal data and what rights you have when someone processes personal data. The rules in the GDPR are intended to give those who process personal data greater responsibility for the handling and to give those who have their data processed greater control over their data.

    The GDPR only applies to the processing of personal data and not to other forms of data. The term personal data must be interpreted broadly. This means that very many types of information about people are protected under the GDPR.

    The legal provisions in the GDPR are divided into parts, each called an article. An article corresponds to a paragraph (§) in Norwegian legislative technique. This means that references to specific provisions in the law refer to a specific article.

    Responsibility for privacy in research

    The CEO is responsible for research at the NIH. This includes responsibility for NIH having updated guidelines for privacy and data protection in research, and responsibility for establishing IT solutions for secure processing of research data.

    Responsible implementation of research projects is a line responsibility - the tasks are delegated to the various departments.

    Responsibility for privacy at department level

    The Head of department is delegated responsibility by the managing director for the follow-up of projects. Heads of department are responsible for ensuring that employees, as well as external researchers working at the department, are familiar with the routines presented here.

    Department heads are also responsible for following up and checking that employees, external researchers and students comply with NIH's guidelines for privacy and data protection.

    On leave/termination of employment, the Head of department must ensure that all research data is stored in accordance with the guidelines and that all necessary amendment reports are sent to external partners, including NSD and REK.

    Responsibility for privacy at project level

    The project manager is responsible for ensuring that research ethics norms and privacy rules are followed in the project. The supervisor has project management responsibility for projects carried out by PhD or master students.

    Supervisors are responsible for ensuring that PhD, master and bachelor students are familiar with these routines.

    On leave/termination of study/work, the supervisor must ensure that all research data is stored in accordance with guidelines and that all necessary amendment reports have been sent to external partners including NSD and REK.

    Each individual research worker and student has an independent responsibility for familiarizing themselves with and following the routines presented here.

    What is personal information

    Personal data is information that makes it possible to identify a natural person. The identification can be done directly or indirectly. The information is owned by the individual. Assessments or information are considered personal data regardless of whether they are available as text, images, audio or video recordings.

    Regular personal data

    Regular personal data refers to all types of assessments and information that may be associated with a particular individual (an identified or identifiable person), but which the General Data Protection Regulation (GDPR) does not define as a special category of personal data (sensitive personal data).

    Note that a national identity number is not considered to be sensitive personal data. However, because the national identity number is often used to identify individuals, the Personal Data Act contains special conditions for processing this type of information. The conditions in the Act are that the national identity number can only be used when:

    • there is an objective need for secure identification of individuals
    • secure identification cannot be achieved in other ways, for example by use of employee or student numbers.

    Read more about the rules regarding national identity numbers at Datatilsynet.no

    Special categories of personal data

    Special categories of personal data, often called sensitive personal data, refers to all types of assessments and information that can be linked to specific individuals and relate to:

    • health information and health related conditions
    • genetic or biometric information which can be used to identify a physical person
    • ethnic or racial origin
    • political, philosophical or religious perceptions and beliefs
    • sexual orientation or sexual relationships
    • trade-union membership

    Examples of sensitive personal data may include:

    • information on students' illness or diagnoses
    • health information registered in connection with an employee’s sickness absence
    • information about cheating or attempted cheating in exams
    • need for a facilitated examination due to health reasons
    • information about an employee’s alcohol or substance abuse
    • information about trade-union activity
    • information on attitudes to various religious or political issues that respondents in questionnaires are asked to provide

    Sensitive personal data shall be especially well secured against breach of privacy and data protection.

    Pseudonymization and anonymization

    The information is de-identified (pseudonymized) if the name, social security number or other personally identifiable characteristics have been replaced with a number, a code, fictitious names or the like, which refers to a separate list/link key with the direct personal data.

     In order for the data material to be considered de-identified, indirect personally identifying information must also be categorized into broad categories or removed completely. Broad categories mean, for example, parts of the country instead of specified municipalities or cities, age intervals (10-19 years, 20-29 years, etc.) instead of precise ages and the like. The only way to identify individuals in a de-identified data material shall be through the name list/link key.

    The link key must always be stored separately from data. De-identified information is still considered personal data as long as a connection key exists.

    Anonymization of data requires that the connection key be deleted.

    Image and sound recordings must be transcribed to pseudonymise the personal data. Avoid using names or writing down information that can identify a person. For anonymization, audio recordings must be deleted.
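    The de-identification steps described above (replace direct identifiers with a code held in a separate link key, coarsen indirect identifiers into broad categories, and anonymise by deleting the key) can be made concrete in code. The following is an added example, not part of NIH's routines or tooling; the sample participants, the field names and the municipality-to-region mapping are constructed for the illustration.

```python
import csv
import secrets
from io import StringIO

# Constructed sample dataset with fictitious people, as it might arrive from a survey export.
SAMPLE_CSV = """name,national_id,age,municipality,vo2max
Kari Nordmann,01019012345,23,Bergen,52.1
Ola Hansen,15058798765,47,Oslo,41.3
Per Olsen,30127654321,31,Stavanger,48.0
"""

# Direct identifiers that must leave the data set and go into the link key only.
DIRECT_IDENTIFIERS = ("name", "national_id")

# Hypothetical municipality -> region mapping used to coarsen an indirect identifier.
REGION_OF = {"Bergen": "Vestlandet", "Oslo": "Østlandet", "Stavanger": "Vestlandet"}


def parse_rows(csv_text):
    """Parse CSV text into a list of dicts, one per participant."""
    return list(csv.DictReader(StringIO(csv_text)))


def age_band(age, width=10):
    """Generalize an exact age into a fixed-width interval such as '20-29 years'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1} years"


def pseudonymize(rows):
    """Replace direct identifiers with a random code and coarsen indirect ones.

    Returns (pseudonymized_rows, link_key). The link key maps code -> direct
    identifiers and is the only route back to a person, so it must be stored
    separately from the pseudonymized data.
    """
    link_key = {}
    pseudonymized = []
    for row in rows:
        code = secrets.token_hex(4)
        while code in link_key:  # guard against the (unlikely) code collision
            code = secrets.token_hex(4)
        link_key[code] = {field: row[field] for field in DIRECT_IDENTIFIERS}
        pseudonymized.append({
            "code": code,
            "age_band": age_band(int(row["age"])),
            "region": REGION_OF.get(row["municipality"], "unknown"),
            "vo2max": row["vo2max"],
        })
    return pseudonymized, link_key


def reidentify(code, link_key):
    """Look a participant up via the link key; only possible while the key exists."""
    return link_key.get(code)


def anonymize(link_key):
    """Delete the link key. Without it the pseudonymized rows are no longer personal data."""
    link_key.clear()


def contains_direct_identifiers(pseudonymized, rows):
    """Check that no direct-identifier value from the raw data survives in the output."""
    raw_values = {row[f] for row in rows for f in DIRECT_IDENTIFIERS}
    return any(str(v) in raw_values for r in pseudonymized for v in r.values())


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    data, key = pseudonymize(rows)
    print(data)
    print("direct identifiers leaked:", contains_direct_identifiers(data, rows))
    anonymize(key)
    print("lookup after anonymization:", reidentify(data[0]["code"], key))
```

    The coarsening step is what makes the difference between merely removing names and actual de-identification: an exact age plus a small municipality can single out a person on its own. As the section notes for projects with few participants, deleting the key does not by itself guarantee anonymity when the researcher still knows who the participants are.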


    Legal basis

    Re legal basis

    Personal data cannot be collected or processed without a legal basis. The project manager is responsible for ensuring that this is the case. The most common basis for research is the consent of the participants, but there are also other bases.

    Details - Consent as legal basis

    The consent of the participants must be informed and voluntary. The project manager is responsible for ensuring that the individual participant understands what they agree to participate in. It may be necessary to create separate information documents for different groups of participants. For example - one document for parents and another for the children.

    If the research project is to process special categories of (sensitive) personal data, the consent of the participants must be express - often by a signature.

    See NSD regarding requirements for consent and templates for information letters.

    Broad consent

    In some cases, it is possible to obtain broad consent where the participants consent to several different research projects. The participant must be informed about what it means to give broad consent. This assumes that they fall under the same defined research objective. REK can set conditions for the use of broad consent. 

    Persons without consent competence

    Research that includes minors and people without consent capacity can only take place if:

    • Any risk or inconvenience to the person is negligible
    • The person does not oppose participating.
    • There is reason to assume that the results of the research may be of benefit to the person in question or to other people with the same age-specific disorder, disease, injury or condition.

    For minors, it is required that similar research cannot be carried out on persons who are not minors.

    As a general rule, children and young people can themselves consent to participation in research when they are 15 years old. For children under this age, parents should consent on behalf of the child. If special categories of personal data are to be collected, the young person must be 16 years of age to consent.

    Parents or others with parental responsibility must consent if the research participant is under 16 years of age. The same applies if the participant is between 16 and 18 years of age and the research involves physical intervention or drug testing. Age-appropriate information letters must take into account the minor's maturity and experience. The same goes for information letters to the person who consents on behalf of the participant.

    Participation in research must always be voluntary, regardless of who has the competence to consent.

    For medical and healthcare research, there is a separate regulation which determines that children between the ages of 12 and 16 can themselves consent to the processing of personal data for certain types of research - see reference.

    See more about consent from minors at the Norwegian Data Protection Authority (Datatilsynet) and at NSD.

    For persons without the competence to consent due to health conditions, mental retardation or incapacitation, it is required that there is no reason to believe that the person concerned would object to participation in research projects if the person concerned had the competence to consent, and that similar research cannot be carried out on persons with the competence to consent. Special rules apply to who must give consent, see § 17 and 18 of the Health Research Act.

    Right to withdraw consent

    The data subject/participant must have the opportunity to withdraw their consent as easily as it was given. The data subject does not need to state any reason for withdrawing.

    Withdrawing consent means, firstly, that research participants no longer wish to take part in the project. Secondly, this means that we no longer have a legal basis for the processing. The personal data we hold about the person in question must therefore be deleted.

    The right to withdraw consent is valid as long as it is possible to identify the person concerned in the data material. In projects with many participants, this means until the information is deleted or anonymised. For projects with few participants, it will technically be possible to withdraw consent and have information deleted even after anonymisation because the researcher knows the identity of the few participants.

    When we publish research results, these will normally not include identifying information. The fact that a research participant withdraws his or her consent after publication does not mean that  a published article must be withdrawn.

    Other legal bases

    Other relevant legal grounds for research may be

    • Legitimate interest
    • The public interest
    • Legal authority

    Legitimate interest: Sometimes the business' or a third party's interest may be greater than the privacy disadvantage for the data subject. An example could be sending out registration for a seminar or streaming 

    Public interest: In some cases, for various reasons, it may be difficult to obtain valid consent from the committee, or consent involves a disproportionate collection of personal data. In such cases, the legal basis may be public interest. There must be a balancing of interests between society's interest in the research and the disadvantages the processing entails for the individual.

    The processing must be necessary - to perform a task or for a purpose. It must therefore be very difficult to achieve the purpose without using the public interest as a basis. 

    In addition to public interest, there must be a basis in law or regulation. Often this will be Section 8 of the Personal Data Act for processing ordinary personal data and Section 9 for special categories of personal data. In the latter case, society's interest in the processing taking place must clearly outweigh the disadvantages for the individual.

    The project manager must ensure documentation of the assessments that have been made/the balance between the privacy disadvantage for the individual and the institution's or the public's interest in the research.

    Examples - legal basis different processing objective

    Sending non-anonymous surveys - the basis varies depending on the processing carried out during the process:

    • Sending out a survey to a wide selection (which has not been asked in advance) - the institution has a legitimate interest and the privacy disadvantage for the individual is low 
    • Obtaining answers - the participant gives their consent by answering 
    • Obtaining information about health (e.g. mapping of Covid-19) - public interest 

    Other examples of legal basis for processing personal data (not research):

    • Obtaining health information in an emergency situation - protection of life and health 
    • Salary payment - agreement/contract

    Approvals and assessments

    Re approvals and assessments before start-up

    NIH's routines relating to approvals and assessments before commencement are linked to whether you are a researcher or PhD student or whether you are a master student:

    About approvals before commencement for researchers and PhD students

    About approvals before starting for master students


    Collection of data

    Re collection of data

    All collection must be carried out on equipment set up by NIH, and data must be transferred as quickly as possible to a controlled area or to the Safe Zone. Data containing personal data must not be stored on telephones, recorders or other types of mobile equipment, but in NIH's Safe Zone for possible control and verifiability.

    See specific routines for master students.

    Classification and storage

    Information and research data are classified in different color-coded categories - according to how much damage it may cause to individuals or institutions if data goes astray. The strictest requirements are made for data in the categories black and red.

    Category black - strictly in confidence

    «Strictly in confidence» is used if NIH, its partners, public interest, or individuals may be subject to considerable harm if the information is exposed to third parties.

    Black research data should be stored in NIH's Secure Zone.

    Category red - in confidence

    «In confidence» is used if NIH, its partners, public interests, or individuals may be subject to harm if the information is exposed to third parties.

    Red research data can be stored in NIH's Secure Zone, on an encrypted laptop set up by NIH or on an encrypted memory stick. The researcher is responsible for safeguarding the equipment.

    If in doubt whether research data belong to red or black category, you should consider the data as black.

    Category yellow - limited

    The information must have a certain level of protection. It can be accessible to external and internal users, with controlled access rights. Exposure to unauthorized persons may cause some damage to the institution.

    Category green - open

    This class is used if it concerns research data that can or should be available to everyone without special access rights. This essentially means data that is anonymised/does not contain personal data.

    The integrity of the data must be ensured by ensuring that only persons with the correct rights have access to change the information. Although the data may be open, it is not free to choose what is done with it.

    Overview storage

    The table below is an abbreviated version. See NIH 's storage guide and classification guide for additional information on what kind of information can be stored where.

    Category / Where            Black   Red   Yellow   Green
    NIH operated laptop         No      Yes   Yes      Yes
    Private laptop              No      No    Yes      Yes
    Memory stick - encrypted    No      Yes   Yes      Yes
    Private memory stick        No      No    No       Yes
    OneDrive                    No      No    Yes      Yes
    File server                 No      Yes   Yes      Yes
    Safe zone                   Yes     Yes   Yes      Yes

    Storage of biological material

    It is a fundamental principle that human biological material in a research biobank must be stored and treated properly, and that this is done with respect for the donor. The regulations apply regardless of whether material can be linked to the donor by directly identifiable characteristics; by using a code key or without any kind of connection option.

    REK must have pre-approved the establishment of general research biobanks.

    Head of Department must have an updated register of the department's biobanks, which shows who is responsible, and the routine for storage, destruction by end date and internal control.

    REK has tightened the requirements for applications for a general biobank and requires that a protocol describing the biobank be attached. The requirement does not apply to general biobanks that were already approved, but if you are to submit a change application for a general biobank, you will be asked to attach a (revised) protocol.

    Archiving of data

    Archiving must not be confused with active storage of data that is in use during the project period.

    NIH requires that data from research projects be kept for five years after the end of the project (for control and verifiability). The requirement does not apply to master students' projects. After the prescribed storage period, the project manager must ensure that personal data is anonymised or deleted.


    Access to, sharing and transfer of data

    The institutions/researchers/students or employees who will have access to personal data must be mentioned in the report to NSD and possibly in the application to REK. The research participants must also be informed about and have consented to such sharing of personal information.

    Access Safe zone via Prosjektweb

    The project manager can give project staff access to personal data stored in the Safe zone via Prosjektweb.

    The same registration form is used to indicate which external and internal project employees will be involved. For external researchers, a mobile phone number must be provided (for two-factor login).

    Safe zone can also be used for sharing data with researchers from countries that do not have privacy legislation similar to that of the EU/EEA/Canada/Australia.

    Access non-employees

    If project staff not employed by NIH will have access to personal data, a separate agreement must be drawn up. See confidentiality statement for project employees.

    If the cooperation is with a public enterprise/institution, a non-disclosure agreement is not necessary. Master students sign the confidentiality declaration in connection with the supervision agreement for their project.

    If external employees are to have access to NIH's IT system, a separate access agreement must be drawn up.

    The project manager can give external researchers access to research data that is stored in NIH's Secure Zone. In this case, no data processor agreement will be needed. See more about Safe Zone in the Storage Guide.

    Transfer - sharing with other institutions

    If identifiable personal data is to be transferred to or stored at a collaborating institution, an agreement must be entered into which sets out the responsibilities and tasks for each institution. For the agreement, it is important to know what role and what tasks each institution must have:

    If NIH allows an external party to process personal information only for NIH's own purposes, NIH is the data controller and instructs the data processor on how data should be processed. The data processor cannot use this data for its own purposes. 

    Joint processing responsibility arises when two or more separate data controllers decide on the purpose and the decisive means of processing. There is no requirement that the responsibility be equally distributed, but both parties must have a legal right to process the information.

    See the Norwegian Data Protection Authority's pages/guidelines on Data processing agreements and what is included in the terms data controller and data processor.

    Transfer of personal data to countries outside the EU/EEA area requires special assessments and agreements. See more at the Norwegian Data Protection Authority. 

    The IT manager at NIH must sign data processing agreements, but the project manager is responsible for preparing proposals for the agreement. 

    Agreements on the transfer of physical material (Material Transfer Agreement, MTA) can in most cases be signed by the head of department. Relevant examples are agreements on blood samples and muscle tissue to be analyzed in other laboratories.


    Report undesired incidents

    An undesired incident is referred to as a nonconformance: the processing of personal data does not conform to legislation or to NIH's routines for processing personal data.

    As soon as you suspect that personal data have gone astray or been processed in breach of legislation or routines, you should report this to your immediate superior.

    Your superior should send a notification to sikkerhetssavvik@nih.no. Describe the event/what happened.

    The institution/NIH must assess the severity of the nonconformance and report the undesired incident to the Norwegian Data Protection Authority (Datatilsynet) within 72 hours.

    Examples undesired incidents

    • personal information, passwords or the like fall into the wrong hands as a result of "phishing" or fake networks.   
    • incorrectly sent e-mails and attachments, especially where there is personal data 
    • collection of data in forms that make the information searchable on the internet, or in form tools where NIH does not have a data processing agreement  
    • wrong disclosure or wrong publication of information
    • errors in access, equipment or software which mean that the availability of the information is impaired, and which in turn may impair security 
    • procedures that are missing, do not work, or are not followed 
    • information with a classification level that requires access control is open and accessible to unauthorized persons
    • lack of grounds or assessment of grounds for processing personal data 
    • national identity number that has been sent unencrypted by e-mail to external parties