Protection of personal data in research

When personal data are used in research, they must be handled responsibly to ensure the legitimacy and quality of the research.

What does protection of personal data in research mean?

Information that can identify an individual, either on its own or when combined with other data, is classified as personal data. Protection of personal data is a fundamental human right and a key principle in protecting individuals' integrity.

If you intend to process personal data for research purposes, you must be fully aware of the legal obligations this entails. You must have a lawful basis for processing personal data, and the personal data may only be processed for the specific purposes for which permission has been granted. It is therefore essential that you familiarize yourself with HVL’s guidelines for processing personal data and health data in research. This ensures compliance with applicable regulations and that all requirements for the use of personal data in research at HVL are met.

This page also provides additional information relevant for the use of personal data in research. This includes an overview of the services offered by Sikt, where you will also find HVL’s template for the information letter for research projects. In addition, you will find information about HVL SILAF, health research, and information particularly relevant for projects carried out in collaboration with external partners. For those seeking further insight into data protection, the page additionally contains links to various training and educational resources.  

Useful resources and information

Sikt notification

 
If you intend to process personal data in your research, you must submit a notification form to Sikt. Sikt is HVL’s data protection adviser for research. Sikt’s data protection services will assess whether the planned processing complies with the requirements of data protection regulations.  

 

Instructions for Filling Out the Notification Form

It is important that the information in the notification form is correct. The selections you make in the notification form influence how Sikt assesses it. All notification forms where the information provided indicates a low level of data protection risk will only receive an automatic assessment from Sikt. This means that no adviser reviews the form or provides guidance. For this reason, it is particularly important that any information suggesting a higher data protection risk is clearly stated in the form. Notification forms that indicate a higher level of data protection risk will be reviewed manually by an adviser, who can provide support and guidance to the project leader.

 

Indicators of higher data protection risk, which will therefore be subject to a manual assessment:

  • Special Categories of Personal Data (high‑risk data requiring enhanced protection). Special categories of personal data are particularly sensitive and therefore require additional safeguards. Such data must be stored with increased protection on HVL’s secure research server, HVL SILAF. Storage space on SILAF is created automatically when special categories of personal data are selected in the notification form. The following types of personal data are considered special categories under GDPR (Articles 9 and 10):
    - Data revealing racial or ethnic origin
    - Political opinions
    - Religious or philosophical beliefs
    - Trade union membership
    - Genetic data
    - Biometric data used for the purpose of uniquely identifying an individual
    - Health data
    - Data concerning a natural person’s sex life
    - Data concerning a natural person’s sexual orientation
    - Criminal convictions and offences
  • Health data: GDPR adopts a broad interpretation of what is considered health data. This means that information which may seem marginally sensitive on its own can still qualify as health data if it — alone or in combination with other information — can reveal anything about the health status of an identifiable individual. Examples of less sensitive health data include height, weight, pollen allergies, and farsightedness. Examples of more sensitive health data include information about physical or mental diagnoses, reproductive health, or substance dependence.
  • Personal Data Concerning Third persons: This refers to situations where information is collected about individuals who are not direct participants in the research, but whose personal data are provided by another participant. Examples include information about family members, friends, or colleagues.
  • Description of the Study Sample: In this section of the notification form, you must describe some characteristics of the individuals whose personal data will be processed, which will be important for the assessment of data protection risk. Age must be specified, as it is essential to distinguish whether the processing concerns adults or children. The notification form also requires you to indicate whether any of the following groups are included in the study population:
    - Patients, disabled people, or sick people
    - Vulnerable groups 
    - Persons residing in countries outside the EU/EEA
    - Adults (18 years +) who are not able to give consent
  • The sample will not receive information about the processing of personal data: This is also a question under “sample” in the notification form. When the answer to this question is “no”, it will indicate a higher level of data protection risk for the planned processing of personal data.
  • Personal data will be stored temporarily or permanently after the project ends: If the plan is that the personal data may be used for similar research projects in the future, or for other purposes, you must provide this information in the notification form under “end of project”.

 

 Further points to be aware of:

  • Purpose: You must specify all purposes for which the personal data will be used. If you plan to use personal data for more than one purpose — for example, both for research and for educational purposes — each purpose must be explicitly stated.
  • Legal basis: HVL recommends selecting public interest as the legal basis for all research projects. If the personal data are intended to be used for future projects, consent as the legal basis may create challenges.

 

Participant information letter

When submitting the notification form to Sikt, you must upload the participant information letter that will be used to inform data subjects about the planned processing of personal data.

HVL has developed its own templates for research projects and student projects. It is recommended that you use these templates. You can find the templates here:

Template information letter for researchers

Template information letter for students


Data protection impact assessment (DPIA)

When you submit your project to Sikt, they will assess the project’s potential data protection impacts. If the project is considered likely to pose a high risk to the rights and freedoms of the participants, Sikt will notify HVL that a Data protection impact assessment (DPIA) must be carried out. This assessment identifies the relevant risks and the measures required to reduce them.

Examples of processing activities that may require a DPIA

  • Large‑scale processing of special categories of personal data
  • Use of new or innovative technologies
  • Processing that involves vulnerable groups
  • Processing where the data subjects (the individuals whose personal data are being processed) do not receive information about the processing


A DPIA will be carried out in collaboration between the project leader, an adviser at Sikt, and an adviser at AFII. HVL’s Data Protection Officer (DPO) must always be consulted when a DPIA is conducted. The completed DPIA must be approved by the Pro‑Rector for Research.

 

When a notification to Sikt is not required

If you will not be processing personal data, the study is considered anonymous and does not need to be reported to Sikt. The study is not anonymous if you can answer “yes” to any of the questions below:

  • Will you use audio recordings?
  • Will you collect background information in a survey that could enable the identification of individuals?
  • Can the survey responses be linked to an IP address?
  • Can the responses be linked to participants’ identities through a name list or a key file?
  • Does the dataset contain any other characteristics that make individuals identifiable or traceable?

Health data and pre-approval from REK

If your research project falls under the Norwegian law on health research, it needs to be pre-approved by the Regional committees for medical and health ethics (REK).

The application form to REK is available at rekportalen.no.

For student projects, it is the supervisor, and not the student, who applies for pre-approval from REK.

Please note that REK has specific deadlines for applications for pre-approval.

Additionally, the research project must be assessed by NSD in terms of data protection and privacy concerns.

Co-operation with others

To share personal data
Sharing personal data with other researchers, institutions or organisations outside of HVL requires permission. The institution, organisation or researchers that you will share personal data with must be described in the notification form to NSD and, if applicable, in the application to REK. Sharing of personal data also requires a contract describing such collaboration.

Contract for shared responsibility
In some research projects a collaboration with other researchers, institutions or organisations outside of HVL will involve a shared responsibility for processing personal data. Shared responsibility for processing personal data requires a contract.

Data processor contract
If someone outside of HVL will process the research data on your behalf, you are required to have a data processor contract.

Safe storage

Personal data must be treated in a manner that provides adequate safety and that prevents unauthorised access and damage. At HVL, we have a classification of research data that dictates the way in which they should be stored.

  • HVL’s research server
  • Private units (students)
  • OneDrive with two-factor-login (employees)

HVL’s research server
Sensitive personal data is to be stored on HVL’s research server by students and researchers.

The project must be registered to gain access to the research server at HVL. Registration of new projects is done by the project manager after the project has been assessed by NSD/REK and has received positive feedback/approval.

As part of the registration, the project manager authorises co-workers that need access to the research data. For external co-workers that need access to the research server, an agreement needs to be signed.

All sensitive data should immediately be transferred to the research server and deleted from other units. Sensitive data should only be processed on HVL’s research server. If the data is to be processed on other units, the data must be used in such a way that personal data and data that could be indirectly identifiable are omitted.

Storing research data on private units (students)
Students may store data that does not contain sensitive information on their private units. This includes audio and video recordings.
If the research project contains personal data and needs an assessment from NSD, you will need to attach HVL’s guidelines (NB! in Norwegian) to the assessment form. 

Storing research data on OneDrive (employees)
Researchers can store their data on OneDrive using a two-factor-login or on HVL’s research server. Access to OneDrive with two-factor login is obtained by contacting the Research Integrity Officer.
Please note that sensitive data should always be stored on HVL’s research server.

Use of recording equipment, Zoom and Teams

Students and researchers may use Zoom to conduct and record interviews, with or without video, in situations where the interviews do not contain sensitive information. Please use your HVL account and end-to-end encryption when using Zoom for this purpose. Thus far, you need a permit from the Vice Dean for Research and the Research Integrity Officer to use Teams.

HVL requests that a dictaphone or Zoom is used for recording audio. Students may use a smartphone for recording audio, as long as such use complies with HVL’s guidelines.

Collecting data outside of Norway

When a student or researcher at HVL collects data in other countries, they need to adhere to routines at HVL, Norwegian law and the General Guidelines for Research Ethics (Nasjonale forskningsetiske retningslinjer). The student or researcher must, additionally, comply with local guidelines and laws.

Handling breaches or discrepancies

If you discover breaches or discrepancies from routines or regulations in the processing of personal data in a research project, you are obliged to inform your supervisor or leader. You can also contact forskningsetikk@hvl.no, use 'sei ifrå', or send an email to personvernombod@hvl.no.

Templates

Agreement to access HVL’s research server (non-employees)
Template for a non-disclosure agreement
Template for a data processor agreement
Template for a data management plan (DMP)
Template for a contract describing collaboration
Template for a contract describing shared responsibility

Do you want to know more?

External resources

Relevant law and regulations

 

Do you have questions about protection of personal data in research? 

Contact us at personvern-afii@hvl.no.