Transferring research data to other organisations in Norway
When transferring research data to other organisations, you must make sure that the organisation in question has a satisfactory information security system before stipulating a data processing agreement.
The Personal Data Act’s provisions also apply upon transfer of research data to other organisations. You are therefore obliged to submit an application to REC/ the Data Inspectorate, or to send a notification to NSD when this is required.
The organisation represented by you; i.e. the University College/ faculty/ department, is the data controller when it comes to processing the personal data that is to be transferred. The data controller determines the purpose of the processing as well as which tools should be used.
In addition, you must do the following:
- make sure that the organisation you are transferring data to, for example a municipality, a private firm or another educational institution, has a satisfactory information security system in the form of policies, guidelines, procedures and the like.
- The Personal Data Act’s general requirements for the processing of personal data must be met. There must therefore be a legal basis, see PAD sections 8 and 9 (including for example the consent of the research participants / legal authorities), and the transfer must be in accordance with defined purposes and constitute the smallest possible intervention in privacy.
- Before initiating the processing of personal data, you must make sure that a risk assessment is undertaken, see guidelines about data security; What should be protected? Value and risk assessment, and the Personal Data Act's requirements.
- A data processing agreement describing responsibilities and authority relations must be signed with the ones that you (on behalf of the data controller) give the task of processing (data processor). See the Data Inspectorate's template (only in Norwegian). The agreement will often also contain provisions on purpose, disclosure to third parties and deletion. The organisation that 'lends' out/grants access to/discloses the data is responsible for the agreement. The organisation responsible for processing the information (data processor) cannot process the research data in other ways than as agreed upon in the data processing agreement.
Terms marked in bold are defined in the list of definitions and abbreviations.