9. Internal control and handling of breaches or discrepancies from legal obligations, regulations, and research ethics
As the data processor, HVL is obliged to carry out internal control in the form of planned and systematic measures necessary to ensure that the processing of personal and health information in research complies with the privacy regulations, the Health Research Act, research ethics norms and HVL's guidelines. If breaches or discrepancies occur, appropriate technical and organizational measures must be implemented.
9.a Internal control of research projects
The research administration carries out internal control. The control includes:
- Regular sampling of projects registered on the research server.
- Annual inspection of a random sample of research projects. The controlled projects must include all types of projects from all faculties, including researcher and student projects, projects with different forms of funding, and must represent different project phases (start-up, under implementation and completed).
- Based on the protocol/project description, a conversation with the project manager and any registration form for the research server, the research administration considers in particular:
  - Whether the project processes personal and health information, and whether this has been assessed and recommended by NSD / REK before start-up.
  - Whether the processing and storage of personal and health information are in line with HVL's guidelines, and whether the registered information corresponds to the information actually stored.
  - Whether projects with personal information and health research data have been completed correctly and the data stored in line with any agreements on long-term storage at the end of the project, see 4.c Long-term storage of research data.
- If the internal control reveals discrepancies, the research administration shall immediately implement appropriate technical and organizational measures to ensure that personal and health information is processed in accordance with the regulations, see also 9.b Handling breaches and discrepancies in data protection.
9.b Handling breaches and discrepancies in data protection
- Anyone who discovers or is made aware of breaches or discrepancies regarding the security of personal data, whether through participation in the project, internal control or otherwise, must immediately report this to HVL through the vice-rector for research. Breaches or discrepancies include missing permits, permits that do not cover the processing, processing of personal data after a permit has expired, poor information security and, in the worst case, unauthorized persons or companies gaining access to personally identifiable research data.
- The research administration and HVL's management immediately follow up and limit the consequences of the breach by implementing the necessary immediate measures.
- The research administration investigates the incident, assesses whether the parties involved should be notified, and introduces measures to limit and repair the damage. If necessary, the project manager, NSD / REK, the IT department, the Norwegian Data Protection Authority, the Norwegian Board of Health and possibly the police will be notified.
- As soon as HVL becomes aware that a breach of personal data security has occurred, the breach shall be reported to the supervisory authority without undue delay and, where possible, within 72 hours of becoming aware of it, unless HVL can demonstrate, in accordance with the accountability principle, that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification cannot be given within 72 hours, the reason for the delay must be stated in the notification, and the information may be provided in phases without further undue delay.
- The notification to the Norwegian Data Protection Authority is preferably given by the vice-rector for research, the Privacy Ombudsman or the management at AFII.
- To prevent a recurrence, the research administration, together with HVL's management and the Privacy Ombudsman, carries out a thorough analysis of why the breach occurred and assesses the risk of recurrence. If necessary, existing guidelines shall be revised and new ones developed. It must also be considered whether further training of project managers, project staff, partners or data processors is necessary.
- The breach is documented and closed.