Privacy NIH - Resources

Reference to templates and forms, overview of important institutions and internal systems.

    Project support - internal systems and external partners

    General - Prosjektweb

    All research projects carried out by NIH employees must be registered in Prosjektweb. Prosjekweb is avilable via Innersvingen.

    For master students' projects, the supervisor must register the project and then add the student as a project member (

    PhD students and supervisor can agree on who will classify as project manager in Prosjektweb. This does not alter the supervisor's responsibility for the research project.

    In Prosjektweb, you get access to checklists for project administration. By uploading project documents such as agreements, budgets and reports, you also fulfill the filing obligation - documents are transferred directly to P360. See tutors at Innersvingen.

    Norwegian Centre for Research Data (NSD)

    All research projects at NIH that include personal data must be reported to NSD for assessment of privacy and data protection before initiation. Researchers register the project themselves via NSD's notification portal. For master student projects, the student must give the supervisor access to the project/registration form. The supervisor has formal project management responsibility and must have approved the project/project documents before the notification is submitted. 

    Via the notification portal, researchers and students also get access to templates for information letters to project participants and letters of consent. Any amendments to the project - including delays, extensions, new project staff - must be reported to NSD.

    Although NSD assesses privacy risks for NIH, it is still the NIH/project manager who is responsible for ensuring that the project implementation complies with laws and regulations in the area of ​​privacy.

    In projects with special privacy challenges, an extended assessment (Data Protection Impact Assessment - DPIA) may have to be carried out. NSD can carry out DPIA in consultation with the researcher and the privacy officer at NIH. 

    See more about routines for reporting to NSD/NSD's services here.

    General - REK

    REK assesses ethical aspects of research projects that fall under the purpose clause of the Health Research Act. Such projects must have prior approval from REK .

    This includes research on human biological material, creation of a health register linked to a research project and collection of health information when the purpose is to gain new knowledge about health and disease.

    Researchers who are in doubt as to whether a project should be submitted to REK can submit a so-called submission assessment to clarify whether the project is accepted for assessment by REK or not.  

    See more about the Health Research Act and routine for applications to REK here.

    Gen Ethical committee

    NIH's Ethics Committee assesses the soundness of research projects. Projects that include research on humans - and which either involve a not insignificant risk for the research participants and/or research on vulnerable groups and/or collection of biological material must have an assessment and prior approval from NIH's ethics committee .  Exceptions apply to projects that must be approved by REK.

    Criteria applications Ethical Committee

    Research projects must have approval from NIH's Ethics committee if the research project:

    • Involves people directly in the form of interventions (psychological and/or physical);
    • Has significant potential for injury and strain beyond what can be considered normal risk and strain for the participant;
    • Not required to submit to REK - falls outside the scope of the Health Research Act.

    Research projects involving vulnerable groups, including children and young people under the age of 16, must always be approved by NIH's ethics committee - unless it is covered by the scope of the Health Research Act.

    The same applies to research projects with the collection of human biological material. 

    See supplementary presentation about NIH's Ethics Committee is created by and for Norwegian universities, colleges and research organisations. On, preventive training and advice on what to do in a crisis situation is provided. You must always assess for yourself what is best to do in a specific situation.

    See Information about privacy at

    See also the Information about information security at

    Resources - templates and forms

    PDF-documents - in Norwegian only

    NIH as data controller

    NIH privacy obligations

    In its role as data controller, NIH has a number of privacy obligations. The duties mainly follow from the provisions of the Personal Data Protection Ordinance and the Personal Data Act.

    NIH must ensure that:

    • electronic and manual processing of personal data takes place in a legal and responsible manner in line with the privacy principles
    • the individual is ensured co-determination over and control over how NIH processes his/her personal data
    • NIH has established internal routines, guidelines and implements suitable technical and organizational measures that safeguard the privacy obligations imposed on NIH.

    Read more about the personal data protection regulation (

    Safeguarding the privacy right of individuals

    As data controller, NIH is obliged to safeguard the privacy rights of those to whom the information relates, i.e. employees, students, guest researchers, guests or respondents and informants in research projects.

    The individual's privacy rights apply to all electronic processing of general and special categories of personal data that takes place in research, teaching, administration and dissemination at NIH. The rights also apply to the processing of personal data that is included (or is intended to be included) in manual personal registers.

    The purpose of the privacy rights is that those to whom the information relates must have a say in and control over how NIH processes their personal information.

    To ensure that those registered have a say in and control over how NIH processes their personal data, the individual has, under certain conditions, the following rights:

    • right to information about the controller, the purpose of the processing of personal data and any other recipients of the personal data
    • right of access
    • right to rectification/correction
    • right to deletion
    • right to restriction of treatment
    • right to data portability
    • right to protest

    Electronic aids - use and rules

    The Personal Data Protection Regulation covers all processing of personal data, including where electronic aids are used.

    By electronic aids is meant, for example:

    • computers
    • software
    • computer network
    • portable computing devices (mobile phones, tablets, PCs, etc.)
    • electronic access control
    • camera surveillance systems

    Electronic aids also include computer systems used at NIH, for example FS, SAP / DFØ, P360 or Canvas.

    In addition, online resources, such as websites, cloud services or educational online services, are considered electronic aids.

    What rules apply to the introduction and operation of electronic control measures?

    Electronic control measures may, among other things, have the purpose of protecting NIH's buildings and assets against vandalism, destruction or theft. Such measures include, for example, the use of camera surveillance and systems for access control where passage data about students or employees is recorded and stored.

    Electronic control measures also include, under certain conditions, access to employees' or students' e-mails, personal storage areas, private computer equipment and internet use.

    When introducing electronic control measures at NIH, the rules in the Working Environment Act Chapter 9 apply. The rules in the Working Environment Act include the following:

    • Control measures must not be introduced unless there is a factual reason for it.
    • Control measures must only be introduced if the benefit of the measure clearly exceeds the privacy disadvantage it entails for employees, students, visiting researchers and guests.
    • Control measures must be discussed with representatives of staff and students before the measures are introduced.
    • Information must be given to employees and students about how the introduced control measures are designed and function.
    • Introduced control measures must be regularly evaluated and the need to maintain the measures assessed.

    Read more about the rules in the Working Environment Act that apply when control measures are introduced (

    The Working Environment Act has special rules on access to employees' e-mail, personal storage areas, private computer equipment and internet logs ( Access to students' e-mail, personal storage areas, private computer equipment and internet logs is regulated by the Personal Data Protection Ordinance.

    System or service owners have been appointed for all electronic control measures introduced at NIH. The system or service owners are delegated responsibility for ensuring that the rules on privacy and processing of personal data are followed.

    In addition to complying with the special rules in the Working Environment Act and the Personal Protection Ordinance on the introduction and operation of electronic control measures, the system or service owners for electronic control measures have the same obligations as other system or service owners at NIH.

    External data processors

    Data processors are external actors (often commercial companies or other universities/colleges) who have been commissioned to operate an electronic system or service on behalf of NIH.

    External actors become data processors for NIH when the operation of electronic systems or services means that they gain access to personal data for which NIH is responsible for processing.

    As data controller, NIH is obliged to ensure that only data processors are used that provide sufficient guarantees that they will implement suitable technical and organizational measures that ensure that the processing meets the requirements of the Personal Data Protection Regulation when they process information about employees, students, guest researchers, guests or respondents /informants in research projects.

    This must first be done by carrying out risk assessments of the information security in the external systems or services that NIH is considering using. If the risk assessment shows that information security is satisfactory, written agreements (data processor agreements) must be entered into with the data processors. 

    Relevant Laws

    The Health Research Act

    The Personal Information Act

    Regulations on the processing of personal data

    Regulations on the organization of medical and healthcare research

    Regulations on clinical trials of medicinal products for humans

    Guide to regulations on clinical trials of medicinal products for humans