Privacy and research routines NIH

In 2018, the EU came up with a new regulation on personal protection called the General Data Protection Regulation (GDPR). The GDPR applies as Norwegian law and sets out rules on the handling of personal data and what rights you have when someone processes personal data. The rules in the GDPR are intended to give those who process personal data greater responsibility for the handling and to give those who have their data processed greater control over their data.

The GDPR only applies to the processing of personal data and not to other forms of data. The term personal data must be interpreted broadly. This means that very many types of information about people are protected under the GDPR.

Legal provisions in the GDPR are divided into different parts. Each piece is called an article. An article constitutes the same thing as a paragraph (§) in Norwegian legislative technique. This means that references to specific provisions in the law refer to a specific article

The CEO is responsible for research at the NIH. This includes responsibility for NIH having updated guidelines for data security and privacy in research, and responsibility for establishing IT solutions for secure processing of research data.

Responsible implementation of research projects is a line responsibility - the tasks are delegated to the various departments.

Personal data is information that makes it possible to identify a natural person. The identification can be done directly or indirectly. The information is owned by the individual. Assessments or information are considered personal data regardless of whether they are available as text, images, audio or video recordings.

The information is de-identified (pseudonymized) if the name, social security number or other personally identifiable characteristics have been replaced with a number, a code, fictitious names or the like, which refers to a separate list/link key with the direct personal data.

 In order for the data material to be considered de-identified, indirect personally identifying information must also be categorized into broad categories or removed completely. Broad categories mean, for example, parts of the country instead of specified municipalities or cities, age intervals (10-19 years, 20-29 years, etc.) instead of precise ages and the like. The only way to identify individuals in a de-identified data material shall be through the name list/link key.

The link key must always be stored separately from data. De-identified information is still considered personal data as long as a connection key exists.

Anonymization of data requires that the connection key be deleted.

Image and sound recordings must be transcribed to pseudonymise the personal data. Avoid using names or writing down information that can identify a person. For anonymization, audio recordings must be deleted.

Personal data cannot be collected or processed without a legal basis. The project manager is responsible for ensuring that this is the case. The most common basis for research is the consent of the participants, but there are also other bases.

NIH's routines relating to approvals and assessments before commencement are linked to whether you are a researcher or PhD student or whether you are a master student:

About approvals before commencement for researchers and PhD students

About approvals before starting for master students

All collection must be carried out on NIH-set up equipment and data must be transferred as quickly as possible to a controlled area or to the Safe Zone. Data containing personal data must not be stored on telephones, recorders or other types of mobile equipment but in NIH's Safe Zone for possible control and verifiability. 

«Strictly in confidence» is used if NIH, its partners, public interest, or individuals may be subject to considerable harm if the information is exposed to third parties.

Black research data should be stored in NIHs Secure zone.

«In confidence» is used if NIH, its partners, public interests, or individuals may be subject to harm if the information is exposed to third parties.

Red research data can be stored in NIHs Secure Zone, in crypted laptop set up by NIH or in a crypted memory stick. Researcher is responsible for safeguarding of equipment.

If in doubt whether research data belong to red or black category, you should consider the data as black.

The information must have a certain level of protection. Can be accessible to external and internal, with controlled access rights. May cause some damage to the institution if the information becomes known to unauthorized persons.

This class is used if it concerns research data that can or should be available to everyone without special access rights. This essentially means data that is anonymised/does not contain personal data.

The integrity of the data must be ensured by ensuring that only persons with the correct rights have access to change the information. Although the data may be open, it is not free to choose what is done with it.

The table below is an abbreviated version. See NIH 's storage guide and classification guide for additional information on what kind of information can be stored where.

It is a fundamental principle that human biological material in a research biobank must be stored and treated properly, and that this is done with respect for the donor. The regulations apply regardless of whether material can be linked to the donor by directly identifiable characteristics; by using a code key or without any kind of connection option.

REK must have pre-approved the establishment of general research biobanks.

Head of Department must have an updated register of the department's biobanks, which shows who is responsible, and the routine for storage, destruction by end date and internal control.

REK has tightened the requirements for applications for a general biobank and requires that a protocol describing the biobank be attached. The requirement does not apply to general biobanks that were already approved, but if you are to submit a change application for a general biobank, you will be asked to attach a (revised) protocol.

Archiving must not be confused with active storage of data that is in use during the project period.

NIH requires that data from research projects should be kept for five years after the end of the project (for control and verifiability). The requirement does not apply to master student's projects. After the prescribed storage periode, the project manager must ensure that personal data is anonymised or deleted.

The project manager can give project staff access to personal data stored in the Safe zone via Prosjektweb.

The same registration form is used to indicate external and internal project employees will be involved. For external researchers, a mobile phone number must be provided (for two-factor login).

Safe zone can also be used for sharing data with researchers from countries that do not have similar privacy legislation such as the EU/EEA/Canada/Australia.

If project staff not employed by NIH will have access to personal data, a separate agreement must be drawn up. See confidentiality statement for project employees.

If the cooperation will be with a public enterprise/institution,  a non-disclosure agreement is not necessary. Master students sign the confidentiality declaration in connection with the supervision agreement for their project.

If external employees are to have access to NIH's IT system, a separate access agreement must be drawn up.

The project manager can give external researchers access to research data that is stored in NIH's Secure Zone. In this case, no data processor agreement will be needed. See more about Safe Zone in the Storage Guide.

f identifiable personal data is to be transferred to or stored at a collaborating institution, an agreement must be entered into which sets out the responsibilities and tasks for each institution. For the agreement, it is important to know what role and what tasks each institution must have:

If NIH allows an external party to process personal information only for NIH's own purposes, NIH is the data controller and instructs the data processor on how data should be processed. The data processor cannot use this data for its own purposes. 

Joint processing responsibility arises when two or more separate data controllers decide on the purpose and the decisive means of processing. There is no requirement that the responsibility be equally distributed, but both parties must have a legal right to process the information.

See the Norwegian Data Protection Authority's pages/guidelines on Data processing agreements and what is included in the terms data controller and data processor.

Transfer of personal data to countries outside the EU/EEA area requires special assessments and agreements. See more at the Norwegian Data Protection Authority. 

The IT manager at NIH must sign data processing agreements, but the project manager is responsible for preparing proposals for the agreement. 

Agreements on the transfer of physical material ((Material Transfer Agreement /MTA) can in most cases be signed by the head of department. Relevant examples are agreements on blood samples and muscle tissue to be analyzed in other laboratories.

An undesired incident is referred to as a nonconformance in that the processing of personal data does not confirm with legislation or NIH's routines for processing personal data. 

As soon as you suspect that personal data have gone astray or been processed in breach of legislation or routines, you should report this to your immediate superior.

Your superior should send a notification to sikkerhetssavvik@nih.no. Describe the event/what happened.

The institution/NIH must assess the severity of the nonconformance and report the undesired incident to the Norwegian Data Protection Authority (Datatilsynet) within 72 hours.