Checklist for processing personal data in research

There are some necessary “checkpoints” for a researcher or student when processing personal data in research. You must, among other things, remember to report the project to SIKT (Norwegian Agency for Shared Services in Education and Research, No. Kunnskapssektorens tjenesteleverandør) to get their assessment of the privacy issues.

Before you start planning a research project or a student thesis, try the following:

  • Responsibility

    Each research and student project that processes personal data must have a researcher/supervisor in the role of project manager. The project manager is responsible for ensuring that the project meets the requirements of the privacy regulations.

    The project manager has an independent responsibility for privacy in research and student projects, see project manager's responsibility. PhD students can be considered project managers for their PhD projects. You must check this with your faculty.

    Student supervisors are always responsible for privacy in student research at bachelor's and master's level. Students still have an independent responsibility for ensuring that privacy is safeguarded.

    See also: The role and tasks of research leaders.

  • Research ethics assessment

    When planning a research project that processes personal data, you must assess whether the project is in line with the research ethics guidelines. If this is not the case, adjustments must be made so that the project is in line with these guidelines.

    Furthermore, in the planning of the research project, you must map out which approvals and assessments are necessary for your project and assess what should be the project's legal basis. If the legal basis is consent, check out the consent and information letter website.

    Other legal grounds can be found on the data inspectorate's (No. Datatilsynet) website. In research, it is most relevant to use "in the public interest" (datatilsynet.no, in Norwegian).

    Regardless of the legal basis, the participants (the sample) must be given information about the project and their rights, such as access, correction, restriction, possible deletion, appeal possibilities, contact person, etc.

  • Processing personal data in student and research projects

    The Norwegian Agency for Shared Services in Education and Research (SIKT), formerly NSD, is OsloMet's privacy advisor in research. Student and research projects that process personal data must be reported to SIKT.

    This also applies to projects in medical and health research, for which you must also consider whether it is mandatory to submit them to REC.

    See the website about student projects (student.oslomet.no) if you are going to supervise students.

    The project must be reported to SIKT no later than 30 days before the data collection is to start. To reduce the case processing time at SIKT, we recommend that you read about what you must have ready beforehand to reduce the assessment time (sikt.no).

    If changes are made to the project plan regarding the information on which SIKT's assessments are based, a separate change form must be submitted (sikt.no).

    Medical and health research projects can apply to SIKT in parallel with an application for ethical pre-assessment (due diligence assessment) at regional ethics committees (REC).

  • Anonymous information

    If you process fully anonymous information in your project, you do not need to report the project to SIKT. Anonymous information is information that can in no way identify individuals: neither directly through name or national ID number, nor indirectly through background variables, nor through name list/scrambling key, encryption formula and code.

    On SIKT's website, you can also check if you need to register your project (sikt.no, in Norwegian).

    If you are still in doubt about whether the research project processes personal data, you can contact SIKT or the research privacy contact at your faculty/centre.

    See also the webpage about anonymous, anonymized or deidentified data.

  • How to submit a notification for a research project?

    SIKT has prepared a form to be used when notifying research and student projects. It is important that they are notified about all projects processing personal data, and that you provide as many details as possible about your project.

    The notification form is posted on SIKT's website (sikt.no). Here you will find useful guidance and answers to frequently asked questions. SIKT also has a chat function that you can use if you have questions while filling out the form.

    The notification form must be filled in by the person who is to carry out the project.

    What should be attached to the notification form?

    Attach a copy of the questionnaire, interview guide, registration form, information letter, consent form, application/recommendation from the Regional Committee for Medical and Health Research Ethics (if applicable) and decision on exemption from the duty of confidentiality. If the notification form is submitted before other decisions are available, a copy of the decision must be sent.

  • Case processing at SIKT

    When you notify SIKT, they will assess the project's privacy consequences. If the project is not considered to carry high risks in terms of privacy, SIKT will give you feedback that you can start the project and the data collection. If the project is considered to carry a high risk to the data subjects' privacy, SIKT will carry out an in-depth data protection impact assessment in which risks and measures to reduce the risks are mapped. This is also called a DPIA.

    SIKT's final assessment is then sent to the data controller officer for comments and assessment. The DPIA with the data controller officer's assessment is then sent back to SIKT with a signed approval letter. The person responsible for processing, normally the head of department or department director, approves SIKT's assessment in general by signing a letter of approval. You will be continuously informed about the case process. Communication in connection with the project should preferably take place between you and SIKT.

    When a student or research project is approved by SIKT, it will be registered in SIKT's notification archive. The notification archive is continuously updated and contains all information about your project.

  • Sharing personal data

    If you want to share personal data with other persons, institutions, organizations or companies outside OsloMet, you must clarify whether you are allowed to share the personal information.

    Check out websites about

    If you are going to transfer data to countries outside the EU/EEA, you must also check out the website about transferring personal data abroad.

  • Ensure safe storage

    Personal data shall be processed in a manner that provides adequate security and protection against unauthorized access and damage. At OsloMet, recommendations have been made for storing data based on classification that addresses these considerations. Read more about the choice of electronic tools in OsloMet's storage guide and on the storage of research data website.

    Restricted access

    Access to personal information shall be limited to research staff in the research project. To further restrict access to sensitive personal information, pseudonymization can be used. This means that directly identifying information is removed so that the personal information can no longer be linked to a specific person without the use of additional information.

    Make sure that research staff have signed the necessary duty of confidentiality.

    For questions in the notification form about storage

    If you select "storage on a private device" when filling in SIKT's notification form, you will be asked to upload guidelines for storage on a private device, or approval from OsloMet. This may be relevant in student projects, see website on the processing of personal data in student assignments on the use of a private PC. Guidelines for storage can be found in OsloMet's storage guide. See also website for Storing research data. Where you can store different types of data depends on the type of information you are including in your research. You can read about the different categories of data (green, yellow, red, black) in OsloMet's guidelines for classification. Only green data can be stored freely on private devices. You are responsible for following the storage procedures.

  • Perform risk assessment

    At the start of the project, and before you start collecting, analyzing and storing data, you must carry out a risk assessment and establish routines for how the personal data is to be processed. The risk assessment is archived in P360 as soon as it has been completed.

  • Long-term storage of project data

    The personal data shall not be stored longer than necessary for achieving the purposes of the processing. When the research project is completed, the data must either be deleted or anonymized. In some cases, it may be desirable/required that the data be stored longer than until the end of the project period. In those cases they can be transferred to an archive for further storage. NSD can give a recommendation on handling data at the end of the project. Read more about long-term storage.

    At the end of the project, NSD will contact the project manager with an offer to archive project data.

  • Deviations

    If you discover a discrepancy from these routines or the privacy regulations in connection with the processing of personal data in the research project, you must fill in a form for notification of discrepancies and send it to sikkerhet@oslomet.no.

  • The research database

    The research database is an internal database where you must register meta-information about the research. In this way, the research becomes searchable and accessible to other employees at OsloMet, and it becomes easier to find out about relevant research projects. The research database is considered a protocol for personal data in research in accordance with the privacy ordinance (No. Personvernforordningen), and the information is used for statutory internal control.

    The first version of the Research Database was launched in June 2020.

    You can read more about the research database in the guide for the research database, which projects are to be registered there, what is to be registered and how.

  • Medical and health research

    • Ongoing medical and health professional projects that were started before 2018 and which have previously received an assessment/approval of privacy, will typically not need to apply to SIKT.
    • Ongoing medical and health projects that get project changes approved by REC after July 2018 must also apply to SIKT if the changes in the project entail changed consequences for the privacy of the research participants, see SIKT's website for change notifications (sikt.no). If you are still in doubt as to whether these changes will have consequences for privacy or are of such a nature that a change notification should be sent to SIKT, contact SIKT on telephone 47 55 58 21 17 (press 1), email personverntjenester@sikt.no or via chat.
    • Please consider sending a change notification to REC.
    • Remember to report to TSD if the change entails an extension of the project period, so that data is not deleted on the originally approved date. New assessment/recommendation from SIKT must be attached to the notification to TSD.

  • Questions

    If you have questions related to filling in the notification form, SIKT can be contacted on telephone: 47 55 58 21 17 (press 1), email: personverntjenester@sikt.no or via chat. At OsloMet, questions can be directed to the privacy contact for R&D at your faculty or center.