Personal Data Management Guidelines for Research and Academic Work at MF
The guidelines laid out here apply to all research projects and academic work at MF that involve the processing of personal data. Typical examples would be projects that utilize interviews, questionnaires and the like. The processing of personal data is regulated by law and it is necessary to have grounds for processing that can be referred to. These guidelines give an overview of what this entails:
Privacy and Personal Data
Data protection is about the right to privacy and the right to decide overe one's own personal data. These rights are enshrined in the regulations for data protection, which also impose a number of demands on those who process personal data. The guidelines below have been developed in line with the Norwegian Personal Data Act and EU's General Data Protection Regulation (GDPR).
Privacy rights have their basis in the dignity of human beings and respect for personal integrity. Attentiveness to people is thus an essential portion of research ethics. Privacy regulations therefore will not by themselves answer the challenges we meet when we are dealing with personal data during research. It is also necessary to make research-ethical assessments. The following guidelines are therefore to be read together with and in light of the general research-ethical guidelines for social sciences, humanities, law and theology. The websites belonging to the Norwegian National Research Ethics Committees also contain a collection of questions and comprehensive answers about personal data and research.
Processing Personal Data in Research Projects
1. Personal data is any information that can be related to you as an individual, cf. GDPR art. 4 nr. 1. Examples of such data are name, address, telephone number, e-mail address and identification number, pictures and recordings are also considered personal data.
Sensitive data is under stricter protection than personal data in general. The term sensitive data refers to the special categories of personal data found in GDPR art. 9, in addition to the processing of personal information relating to criminal convictions and offences, cf. GDPR art. 10.
A good description of information considered to be personal data and sensitive data can be found at the Norwegian Data Protection Authority website.
2. The expression processing of personal data refers to any operation which is performed on personal data, such as collection, registration, alignment, storage, use, disclosure and erasure. More examples of what is covered by this expression can be found in GDPR art. 4 nr. 2.
3. GDPR lays out in art. 5 a number of principles for the processing of personal data. Personal data is to be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, and
- processed in a manner that ensures appropriate security of the personal data
4. Processing personal data is only allowed where there are grounds for processing, cf. GDPR art. 6. For most research projects, the grounds for processing will be consent from the data subjects. This consent must be:
- freely given
- specific and informed
- given by a clear affirmative act
For sensitive data, there is an addition requirement that the consent shall be "explicit". The one giving consent must have the capacity to consent, and special conditions apply to consent from children. Project participants have the right to withdraw consent at any time.
5. The data subject (research participant) has certain rights under the GDPR. These include the right to
- access the personal data concerning him or her that is being processed
- have the personal data concerning him- or herself rectified
- have the personal data concerning him- or herself erased
- receive the personal data concerning him or her (data portability)
- lodge a complaint with MF or the Norwegian Data Protection Authority regarding the processing of personal data
6. The research participant is to be informed of the above rights. At the website of the Norwegian Centre for Research Data (NSD), information can be found on what research participants should be notified of. At the same website, a suggested template for an information letter and consent form can be downloaded.
Responsibility and Task Division
Pro-Rector and Advisor for Research Administration
The Rector, via the Pro-Rector, has overall responsibility for all use of personal data in research and academic work at MF. The Pro-Rector has responsibility for ensuring that all researchers, advisors and students are informed of MF's procedures for the use of personal data in research and academic work. The advisor for research administration is NSD's contact at MF and has responsibility for developing procedures and for internal inspection of the use of personal data in these types of projects.
Project Leader and Researchers
Project leaders and researchers are responsible for ensuring that applicable laws, regulations and procedures are followed. A project leader is to be appointed for all research projects with more than one participating academic employee. In PhD projects, the PhD student is the project leader and thus has this responsibility.
In ph.d. projects at MF, the ph.d. student him-/herself is normally the project leader, and therefore has this responsibility. Exception is made for ph.d. projects considered to be medical or health-related research. In such cases, the main advisor must be the project leader (cf. the Health Research Act § 4).
For academic work below the PhD level, the student's main advisor is the project leader and therefore responsible for ensuring that applicable laws, regulations and procedures are followed.
Project Associates and Students
Project associates and students are obliged to comply with applicable laws, regulations and procedures, in addition to the plan for project completion as this has been agreed upon with the project leader and reported to the NSD and possibly a Regional Committee for Medical and Health Research Ethics (REC).
Privacy Contact Person at MF
MF is not obligated to have a data protection officer, but rather has a personal data contact person. The personal data contact person's task is to help the data controller (i.e. the institution MF) follow privacy regulations.
The contact person for personal data management at MF is Berit Widerøe Hillestad. Please use the address: email@example.com.
The project leader is to (in cooperation with any project associates / students)
- carry out a Securiy and Risk Analysis (SRA) for the project
- determine whether the project must be reported to NSD and/or needs pre-approval from a REC.
- make a data management plan for the project (for details, see Standard Procedures for the Storage of Research Data (Storage Guide). Students may use a simplified data management plan.
- ensure that other project associates receive necessary instruction on the use of research data.
Those who collect the data are to
- document the purpose of using personal data.
- compile a complete list of which personal data is to be collected and analyzed.
- determine whether the project must be reported to NSD and/or needs pre-approval from a REC.
- give written information to the informants on their rights (information and consent).
- ensure that they have a legal basis for the processing, i.e. consent from the informant
- conduct a Security and Risk Analysis (SRA) of the external services that are used for storing, transmitting and analyzing data, and make sure that necessary security measures are put into place so that the project can be done with acceptable risk.
Please also consult the Standard Procedures for the Storage of Research Data (Storage Guide).
The term personal data is defined in GDPR article 4 nr. 1. If your data material is going to contain personal data, you are to conduct a security and risk analysis (SRA) and notify the Norwegian Centre for Research Data (NSD), and possibly a Regional Committee for Medical and Health Research Ethics (REC), of your project. If, in the course of your research, you do not process personal data as it is understood by law, you do not have to do this.
Before you process personal data, you must conduct a risk assessment, which means an evaluation of the consequences for personal privacy. If helpful, use MF's tool for security and risk analysis. For the assessment, you state the scope and duration of the project and how sensitive the data you will be processing is. You describe what you see as the risks involved in you processing personal data and what you intend to do in order to reduce risk.
Central concepts of SRA are:
- Confidentiality: preventing unauthorized parties from gaining access to the data
- Integrity: no unintentional or unauthorized processing of data
- Availability: data cannot be lost and is available when access is necessary (for authorized parties)
Both intentional (hacking, virus etc.) and static incidents (techincal and human error) must be included in the RSA.
If laws, regulations or agreements indicate that the person doing the research must limit access to the data, extra protection will be required: Contact the IT office if you have questions about RSA and computer security, or about the storage of research data.
When there is a large amount of sensitive data, such as health data, or information that could cause serious damage, the researcher must go through the RSA with the IT office and prorector. Together you are to determine the proper processing and storage of the information. In projects that are considered particularly invasive, an extended data protection impact assessment (DPIA) will be required.
All student and research projects that deal with personal data are to be reported to the Norwegian Centre for Research Data (NSD). For a definition of what is meant by anonymity in the context of research, see the website of the Norwegian Data Protection Authority.
If you are processing completely anonymous data in your project, you do not need to notify NSD of your project. Collected data is nonetheless to be processed in line with MF's guidelines and Standard Procedures for the Storage of Research Data (Storage Guide).
MF has an Agreement concerning Privacy Services in Research (Avtale om personverntjeneste i forskning) with the NSD. The agreement regulates rights and duties between the two parties: MF is the institution responsible for the use of data when it comes to all research projects, which means that we have a responsibility for complying to all statutory requirements.
Project leaders and researches are required to make themselves acquainted with the content of the agreement with NSD, which is published on MF's internal network (in Norwegian only).
If the goal of the research project is to acquire new knowledge concerning sickness and health, preapproval is to be sought from a Regional Committee for Medical and Health Research Ethics (REC), cf. the Health Research Act. Very few projects at MF have such a goal, but it is possible. In certain cases you will have to apply for a release from the confidentiality obligation for other research. If you are uncertain whether this applies to your research project, contact Hege C. Finholt or MF's research support.
The processing of research data is to be described in a data management plan.
Some research projects employ interpreters,, transcribers etc. who are not formally employed at MF. In order for them to be allowed to handle personal data, they need to sing a non-diclosure argeement for the project.
Whenever a subcontractor handles personal data on behalf of researchers at MF, an Agreement for data management must be signed.
Please use the following MF templates:
The agreement shall ensure that personal data is not used illegally or unlawfully, and that the processing of personal data does not lead to unauthorised access, alteration, deletion, damage, loss or inaccessibility.
The agreement regulates the data processor’s management of personal data on behalf of the data controller, including collection, registration, compilation, storage, disclosure or combinations thereof, in connection with the research project in question.
The project leader is to
- ensure that personal data is properly stored and no longer than necessary, preferably in a de-identified form.
- ensure that an overview of the utilized storage media is kept.
- conduct a running risk evaluation of the consequences the project has for personal privacy and take further measures to meet them when necessary.
The project leader is to
- in cooperation with NSD, delete stored personal data and/or ensure that the data/material is de-identified/anonymized.
- notify NSD that the project is completed.