Responsability privacy research
The CEO is responsible for research at the NIH. This includes responsibility for NIH having updated guidelines for data security and privacy in research, and responsibility for establishing IT solutions for secure processing of research data.
Responsible implementation of research projects is a line responsibility - the tasks are delegated to the various departments.
Responsability privacy at Dept. level
The head of department is delegated responsibility by the managing director for the follow-up of projects. Department managers are responsible for ensuring that employees, as well as external researchers working at the department, are made aware of this document.
Department heads are also responsible for following up and checking that employees, external researchers and students comply with NIH's guidelines for data security and privacy.
On leave/termination of employment, the head of department must ensure that all research data is stored in accordance with the guidelines and that all necessary change notices are sent to external partners.
Responsability privacy project level
The project manager is responsible for ensuring that research ethics norms and privacy rules are followed in the project. The supervisor has project management responsibility for projects carried out by research fellows or master's students.
Supervisors are responsible for ensuring that PhD, Master's and Bachelor's students are made aware of this document.
On leave/termination of study/work, the supervisor must ensure that all research data is stored in accordance with guidelines and that all necessary change notifications have been sent to external partners.
Each individual research worker and student has an independent responsibility for familiarizing themselves with and following the routines described in this document.
What is personal information
Personal data is information that makes it possible to identify a natural person. The identification can be done directly or indirectly. The information is owned by the individual. Assessments or information are considered personal data regardless of whether they are available as text, images, audio or video recordings.
Eksempler personopplysninger
General personal data
General personal data refers to all types of assessments and information that may be associated with a particular individual, an identified or identifiable person, but which the General Data Protection Regulations (GDPR) does not define as special category of personal data (sensitive personal data).
Note that a national identity number is not considered to be sensitive personal data, but because the national identity number is often used to identify individuals, The Personal Data Act contains special conditions for processing this type of information.
The conditions in the Act are that the national identity number can only be used when:
- there is an objective need for secure identification of individuals
- secure identification cannot be achieved in other ways, for example by use of employee or student numbers.
Read more about rules regarding national identy number at Datatilsynet.no
Special categories of personal data
Special categories of personal data, often called sensitive personal data, refers to all types of assessments and information that can be linked to specific individuals and that relate to:
- health information and health related conditions
- genetic or biometric information which can be used to identify a physical person
- ethnic or racial origin
- political, philosophical or religious perceptions and beliefs
- sexual orientation or sexual relationships
- trade-union membership
Examples of sensitive personal data may include:
- information on students' illness or diagnoses
- health information registered in connection with an employee’s sickness absence
- information about cheating or attempted cheating in exams
- need for a facilitated examination due to health reasons
- information about an employee’s alcohol or substance abuse
- information about trade-union activity
- information on attitudes to various religious or political issues that respondents in questionnaires are asked to provide
Sensitive personal data shall be especially well secured against breach of data security.
Direkte og indirekte
Tredjepersoner
Deidentifying and anonymization
The information is de-identified (pseudonymized) if the name, social security number or other personally identifiable characteristics have been replaced with a number, a code, fictitious names or the like, which refers to a separate list/link key with the direct personal data.
In order for the data material to be considered de-identified, indirect personally identifying information must also be categorized into broad categories or removed completely. Broad categories mean, for example, parts of the country instead of specified municipalities or cities, age intervals (10-19 years, 20-29 years, etc.) instead of precise ages and the like. The only way to identify individuals in a de-identified data material shall be through the name list/link key.
The link key must always be stored separately from data. De-identified information is still considered personal data as long as a connection key exists.
Anonymization of data requires that the connection key be deleted.
Image and sound recordings must be transcribed to pseudonymise the personal data. Avoid using names or writing down information that can identify a person. For anonymization, audio recordings must be deleted.
Legal basis
Details - Consent as legal basis
The consent of the participants must be informed and voluntary. The project manager is responsible for ensuring that the individual participant understands what they agree to participate in. It may be necessary to create separate information letters for different participant groups.
If the research project is to process special categories of (sensitive) personal data, the consent must be express.
See NSD regarding requirements for consent and templates for information letters.
Broad consent
In some cases, it is possible to obtain broad consent where the participants consent to several different research projects. The participant must be informed about what it means to give broad consent. This assumes that they fall under the same defined research objective. REK can set conditions for the use of broad consent.
Persons without consent competence
Research that includes minors and people without consent can only take place if:
- Any risk or inconvenience to the person is negligible
- The person himself does not oppose it.
- There is reason to assume that the results of the research may be of benefit to the person in question or to other people with the same age-specific disorder, disease, injury or condition.
For minors, it is required that similar research cannot be carried out on persons who are not minors.
As a general rule, children and young people can themselves consent to participation in research when they are 15 years old. For children under this age, parents should consent on behalf of the child. If special categories of personal data are to be collected, the young person must be 16 years of age to consent.
Parents or others with parental responsibility must consent if the research participant is under 16 years of age. The same applies if the participant is between 16 and 18 years of age and the research involves physical intervention or drug testing. Age-appropriate information letters must be drawn up that take into account the minor's maturity and experience and information letters to the person who consents on behalf of the participant.
Participation in research must always be voluntary, regardless of who has the competence to consent.
For medical and healthcare research, there is a separate regulation which determines that children between the ages of 12 and 16 can themselves consent to the processing of personal data for certain types of research - see reference.
See more about consent from minors at the Norwegian Data Protection Authority and at NSD.
For persons without the competence to consent due to health conditions, mental retardation or incapacitation, it is required that there is no reason to believe that the person concerned would object to participation in research projects if the person concerned had the competence to consent, and that similar research cannot be carried out on persons with the competence to consent. Special rules apply to who must give consent, see § 17 and 18 of the Health Research Act.
Exceptions for consent
Deviations from consent must be particularly well justified. See more for the prerequisites:
- Exceptions for projects covered by the Health Research Act. Exceptions for projects that process personal data.
Other legal basis
Other relevant legal grounds for research may be
- Legitimate interest
- The public interest
- Legal authority
Legitimate interest: Sometimes the business' or a third party's interest may be greater than the privacy disadvantage for the data subject. An example could be sending out registration for a seminar or streaming.
Public interest: In some cases, for various reasons, it may be difficult to obtain valid consent from the committee, or consent involves a disproportionate collection of personal data. In such cases, the legal basis may be public interest. There must be a balancing of interests between society's interests in the research and the disadvantages the treatment entails for the individual.
The processing must be necessary - to perform a task or for a purpose. It must therefore be very difficult to achieve the purpose without using the public interest as a basis.
In addition to public interest, there must be a basis in law or regulation. Often this will be Section 8 of the Personal Data Act for processing ordinary personal data and Section 9 for special categories of personal data. In the latter case, society's interest in the treatment taking place must clearly outweigh the disadvantages for the individual.
Here are some examples of different legal grounds when sending a non-anonymous survey - the grounds vary depending on the processing carried out during the process:
- Sending out a survey to a wide selection (not asked in advance) - the institution has a legitimate interest
- Obtaining answers - the participant gives their consent by answering
- Obtaining information about health (e.g. mapping of Covid-19) - public interest
Other examples of legal basis for processing personal data:
- Obtaining health information in an emergency situation - protection of life and health
- Salary payment - agreement/contract
Collection of data
Mer om innsamling
Classification and storage
Information and research data are classified in different categories (colours) - according to how much damage it may cause to individuals or institutions if data goes astray. The strictest requirements are made for data in the categories black and red.
Category black - strictly in confidence
«Strictly in confidence» is used if NIH, its partners, public interest, or individuals may be subject to considerable harm if the information is exposed to third parties.
Black research data should be stored in NIHs Secure zone.
Category red - in confidence
«In confidence» is used if NIH, its partners, public interests, or individuals may be subject to harm if the information is exposed to third parties.
Red research data can be stored in NIHs Secure Zone, in crypted laptop set up by NIH or in a crypted memory stick. Researcher is responsible for safeguarding of equipment.
If in doubt whether research data belong to red or black category, you should consider the data as black.
Category yellow - limited
The information must have a certain level of protection. Can be accessible to external and internal, with controlled access rights. May cause some damage to the institution if the information becomes known to unauthorized persons.
Category green - open
This class is used if it concerns research data that can or should be available to everyone without special access rights. This essentially means data that is anonymised/does not contain personal data.
The integrity of the data must be ensured by ensuring that only persons with the correct rights have access to change the information. Although the data may be open, it is not free to choose what is done with it.
Oversikt lagringsmuligheter
Storage of biological material
It is a fundamental principle that human biological material in a research biobank must be stored and treated properly, and that this is done with respect for the donor. The regulations apply regardless of whether material can be linked to the donor by directly identifiable characteristics; by using a code key or without any kind of connection option.
REK must have pre-approved the establishment of general research biobanks.
Head of Department must have an updated register of the department's biobanks, which shows who is responsible, and the routine for storage, destruction by end date and internal control.
REK has tightened the requirements for applications for a general biobank and requires that a protocol describing the biobank be attached. The requirement does not apply to general biobanks that were already approved, but if you are to submit a change application for a general biobank, you will be asked to attach a (revised) protocol.
Archiving of data
Archiving must not be confused with active storage of data that is in use during the project period.
NIH requires that data from research projects should be kept for five years after the end of the project (for control and verifiability). The requirement does not apply to master student's projects. After the prescribed storage periode, the project manager must ensure that personal data is anonymised or deleted.
Access to, sharing and transfer of data
The business/researchers/students or employees who are to have access to personal data must be mentioned in the notification form to NSD and possibly in the application to REK. The research participants must also be informed about and have consented to such sharing of personal information.
Tilgang Sikker sone via Prosjektweb
Avtaler for tilgang ikke-ansatte
Overføring eller deling av data
Report violations
Gen - Varsle informasjonssikkerhet