The organisation that owns the research data decides how the information should be handled by researchers.
It is also this organisation that is responsible for obtaining all approvals for processing of personal data.
The manager of a research project should nevertheless check that these are in place before disclosing data to HiOA.
How to check for approvals
When collecting data from other organisations that have a data protection official, for example a health trust or regional health authority, check with the data protection official. Enquiries to, for example, a municipality (the party from which you need to 'borrow' research data) should be accompanied by an information letter to the data controller stating how the data will be used.
See also NSD's website: What is your area of research? Here you will find an updated and quality assured overview of procedures for collecting data for various areas such as kindergartens, schools, internet, workplaces, prisons, through web forms, observations and vulnerable groups.
Statistics Norway grants microdata to research projects and has data relating to persons, businesses and enterprises.
Data processing agreement
It is normally necessary to enter into agreements with the organisations giving you access to/disclosing the data. These organisations can be municipal authorities, health trusts, regional health authorities and research institutions.
The R&D terms for use in contracts are marked in bold font and defined in the list with definitions and abbreviations.
The organisation 'lending' out the research data that you wish to use in your research project is the data controller of this information. The data controller decides the purpose of the personal data processing and which tools should be used.
The person in charge of the day-to-day management of the organisation managed by the data controller must be authorised to make decisions and be able to attend to the processing responsibilities pursuant to the Personal Data Act including its regulations.
The condition for 'lending' out personal data to you as a project manager is that the organisation you are affiliated with has a satisfactory information security system. HiOA uses the research platform TSD, which satisfies the legal requirements for the processing and storing of sensitive research data.
Services for sensitive data (TSD 2.0)
Services for sensitive data (TSD 2.0), prepared under the auspices of UiO, is used by several Norwegian public research institutions, including HiOA.
TSD is developed and operated by USIT at UiO, and is included in NorStore, the national infrastructure for processing and storing research data.
When describing how you intend to process/store the personal data, you can refer to TSD in order to prove that the processing/storing is secure. See website about TSD and how to proceed in order to gain access.
Preparing the data processing agreement
It is usually the data controller, e.g. a municipality, that should formulate the data processing agreement. The organisation that 'lends' out/grants access to/discloses the data is responsible for the agreement. As the data processor, you are not entitled to process research data in any way other than as agreed upon in the data processing agreement.
The agreement must include a description of responsibilities and authorities. It will often also contain provisions on purpose, disclosure to third parties and deletion.
Agreement templates and resources
- Data Protection Authority's template
- Routine in Public 360 (in Norwegian only)
- Access to confidential material
Lecture about OUS's collaboration with other organisations - Privacy and data protection in practice.
If you have questions, contact the R&D advisor Ingrid S. Jacobsen.