Data protection and the use of personal data in research

Personal data are all information that is connected to a person, for example, personal identification number, name, email address/IP address. A voice recording is also considered personal data. A combination of collected information can also potentially be indirectly identifiable.

All student- and research projects that intend to gather personal information must be assessed by the Norwegian Centre for Research Data (NSD) before the data collection commences. If the project at any time involves personal data, it needs to be assessed, even if the intention is to anonymise personal data in the project or publication. One example of this is the voice recording of an interview for the purpose of transcribing it, regardless of the collection of additional personal data.

Fully anonymous data does not require an assessment by NSD. Anonymous data is information that in no way can identify a participant, neither through name, email or IP address, indirectly through demographic information, nor through a code or an encryption key.

Categories of particular (sensitive) personal data should only be obtained when it is necessary for conducting the research project. According to regulations, the following information is considered as sensitive personal data: data about race or ethnicity, political orientation, religion, philosophical beliefs, union membership, genetic information, biometric information with the purpose of uniquely identify an individual, health information, sexuality, sexual orientation, legal- convictions and offences. If your research data contains this kind of information, the project must be assessed. Additionally, it is required to store sensitive personal data on HVL’s research server.

NSD provides a form that should be filled out for the assessment of student- and research projects. All projects that process personal data must be assessed, and as many details as possible should be provided.

• NSD’s notification form can be found here. 

On NSD’s web page, you will find helpful information and answers to frequently asked questions. NSD also have a chat function that can be used for any questions you might have while completing the notification form.
The notification form to NSD should be submitted by the person who will conduct the research project. When this is a student, the form should be shared with the supervisor.

A copy of the questionnaire, interview guide, registration form, information to participants, consent, project description and other relevant documents should be included when submitting the notification form to NSD.

Projects that have been pre-approved by REK are required to attach a copy of the evaluation. If the NSD notification form is submitted before a REK evaluation is conducted, these documents need to be forwarded later.

If the research data will be stored on a private unit, HVL’s guidelines for storing data needs to be attached to the notification form. The guidelines can be found here (NB! in Norwegian).

You will find a template for information letter to participants and consent on NSD’s web page.

NSD will assess the research project in terms of data protection and privacy. If they consider the project to not be of particularly high risk, NSD will give you the feedback that you may start your data collection. However, if the project is considered a high risk for the privacy of the participants, NSD will report back to HVL and ask for an additional evaluation of the data protection and privacy, which includes mapping the risks and precautionary measures. This evaluation is called a DPIA and will be conducted in collaboration between the project manager and the Research Integrity Officer at HVL. The DPIA must be approved by the Vice Dean for Research at HVL.

If your research project falls under the Norwegian law of health research, it needs to be pre-approved by Regional committees for medical- and health ethic (REK).

The application form to REK is available at rekportalen.no.

For student projects, it is the supervisor, and not the student, who applies for pre-approval from REK.

Please note that REK has specific deadlines for applications for pre-approval.

Additionally, the research project must be assessed by NSD in terms of data protection and privacy concerns.

To share personal data
Sharing personal data with other researchers, institutions or organisations outside of HVL requires permission. The institution, organisation or researchers that you will share personal data with must be described in the notification form to NSD and, if applicable, in the application to REK. Sharing of personal data also requires a contract describing such collaboration.

Contract for shared responsibility
In some research projects a collaboration with other researchers, institutions or organisations outside of HVL will involve a shared responsibility for processing personal data. Shared responsibility for processing personal data requires a contract.

Data processor contract
If someone outside of HVL will process the research data on your behalf, you are required to have a data processor contract.

• Template: Data processor agreement.

Personal data must be treated in a manner that provides adequate safety and that prevents unauthorised access and damage. At HVL, we have a classification of research data that dictates the way in which they should be stored.

• HVL’s research server
• Private units (students)
• OneDrive with two-factor-login (employees)

HVL’s research server
Sensitive personal data is to be stored on HVL’s research server by students and researchers.

The project must be registered to gain access to the research server at HVL. Registration of new projects are done by the project manager after the project has been assessed by NSD/REK has received positive feedback/approval.

As part of the registration, the project manager authorises co-workers that need access to the research data. For external co-workers that need access to the research server, an agreement needs to be signed.

All sensitive data should immediately be transferred to the research server and deleted from other units. Sensitive data should only be processed on HVL’s research server. If the data is to be processed on other units, the data must be used in such a way that personal data and data that could be indirectly identifiable are omitted.

• The registration form for a new project on HVL’s research server.

Storing research data on private units (students)
Students may store data that does not contain sensitive information on their private units. This includes audio and video recordings.
If the research project contains personal data and needs an assessment from NSD, you will need to attach HVL’s guidelines (NB! in Norwegian) to the assessment form. 

Storing research data on OneDrive (employees)
Researchers can store their data on OneDrive using a two-factor-login or on HVL’s research server. Access to OneDrive with two-factor login is obtained by contacting the Research Integrity Officer.
Please note that sensitive data always should always be stored on HVL’s research server.

Students and researchers may use Zoom to conduct and record interviews, with or without including visuals, in those situations where the interviews do not contain sensitive information. Please make use of HVL-account and end-to-end encryption when using Zoom for this purpose. Thus far, you need a permit from the Vice Dean for Research and the Research Integrity Officer to use Teams.

HVL request that dictaphone or Zoom is used for recording audio. Students may use smartphone for recording audio, as long as such use complies with HVL’s guidelines.

Projects that are financed by the Research Council of Norway (NFR) or the EU are often required to archive the research data in a way that is accessible to others after the project is ended. The research data should be as open as possible and closed as necessary, which generally means that it is anonymised data that is made accessible through archiving.

Information about archiving reserach data at HVL.

When a student or researcher at HVL collect data in other countries, they need to adhere to routines at HVL, Norwegian law and the General Guidelines for Research Ethics (Nasjonale forskningsetiske retningslinjer). The student or researcher must, additionally, comply with local guidelines and laws.

Projects that are financed by the Research Council of Norway (NFR) or the EU are required to have a data management plan (DMP). A DMP is a tool that helps you plan the processing of research data in a project from start to finish.

We recommend the use of NSD’s template for creating a data management plan.

Contact forskningsetikk@hvl.no if you require assistance.

If you discover breaches or discrepancies from routines or regulations in the processing of personal data in a research project, you are obliged to inform your supervisor or leader. You can also contact forskningsetikk@hvl.no, use 'sei ifrå', or send an email to personvernombod@hvl.no.

We offer courses and training for researchers, students and administrative staff. Do you need a course in privacy, use of personal data or research ethics? Please contact us: forskningsetikk@hvl.no