Routines for processing personal data in research?projects

Responsibility  

A research project that process personal data must have a researcher who is responsible for ensuring that the project meets the requirements of the privacy regulations.  

Project managers have an independent responsibility for the privacy of research projects. PhD students are considered project managers for their PhD project when it is not a medical and health research project. In medical and health research project, the responsibility is governed by procedure 2 "Project managers' responsibility" in the Quality System for Medical and Health Research.  

Student supervisors are responsible for the privacy of student research at the bachelor and master's level. However, students also have an independent responsibility for ensuring that privacy is safeguarded. 

Ethics assessment  

When planning a research project that processes personal data, you must consider whether the project is in line with the research ethics guidelines. If this is not the case, adjustments must be made so that the project is in line with these guidelines.  

Furthermore, in the planning of the research project, you must identify which approvals are necessary for your project, and consider what should be the project's legal basis for processing personal data. 

Processing of personal data in student or research projects  

Sikt conducts privacy assessments on behalf of UiO. If you will be processing personal data in your project, you must apply to Sikt.

This rule also applies to projects within medical and health research from 01.01.2020. For supplementary rules on medical and health research see the Quality System for medical and health research and information on transitional rules.

The project must apply to Sikt at least 30 days before data collection starts. To reduce the assessment time at Sikt, we recommend that you read Tips to reduce the assessment time (Sikt). If changes are made to the project plan after Sikt has completed their assessment, a separate change form must be submitted.

Medical and health research projects can apply for Sikt in parallel with the application for ethical pre-approval by regional ethics committees (REK). 

Anonymous data 

If you process fully anonymous data in your project, you do not need to apply to Sikt. Anonymous data is data that cannot in anyway identify individuals - either directly through name or birth number, indirectly through background variables, or through the name/link key, encryption formula and code. If you are unsure whether the research project is processing personal data, please contact Sikt. 

How to report a research project? 

Sikt has compiled a form to be used for reporting research and student projects. It is important that all projects that process personal data are reported and that you provide as much details as possible about your project. 

Sikt also has a chat feature you can use if you have questions while filling out the form. The person who will carry out the project must completed the form.

In medical and health research projects the project manager must complete the form, according to procedure 2 "Project managers' responsibility" in the Quality System for Medical and Health Research. 

What should be attached to the form? 

A copy of the questionnaire, interview guide, registration form, information letter, statement of consent, application / recommendation from the Regional Committee for Medicine and Health Research Ethics (if applicable), decision on exemption from the duty of confidentiality, etc. must be attached to the form. If the form is submitted before other decisions are made, a copy of these decisions must be later forwarded. 

If you select "private device storage" when completing Sikt`s message form, you will be prompted to upload private storage policies, or UiO approval. You will find storage guidelines in UiO's Data storage guide. Where you can store different types of data depends on the type of information in your research project. You can read about the different categories of data (green, yellow, red, black) in UiO's data classification. Only green data can be stored freely on a private device. Yellow data can be stored on a private device under certain conditions that you can read about here. You are responsible for following the storage routines. 

Administrative procedures 

When you report your project to Sikt, they will make an assessment of the project's privacy impact. If the project is not considered to result in a high risk to the data subjects` privacy, Sikt will give you feedback that you can start the project and the data collection. If the project is assumed to pose a high risk to the data subjects' privacy, Sikt will conduct an in-depth privacy impact assessment where risks and measures to mitigate the risks are mapped. This is called a DPIA. Sikt's final assessment will then be submitted to the data handling officers at UiO, who will evaluate and approve Sikt's overall assessment. UiO evaluation and decision  is sent back to Sikt. Sikt will  then contact you with the result. All communication, in connection with the project, will be between you and NSD.  

When a student or research project is approved by Sikt, it will be registered in Sikt's project archive. The project archive is constantly updated, and contains all information about your project. 

Sharing personal data 

If you are going to share personal data with other people, institutions, organizations or businesses outside UiO, you must clarify whether you are allowed to share said data.  

If others are to process personal data on your behalf, a data processing agreement is required. You can read more about data processing agreements here (Norwegian only).

Ensure safe storage 

Personal data must be processed in a manner that provides adequate security and protection against unauthorized access and damage. At UiO, recommendations have been made for storing data based on a classification that safeguards these considerations.  

Read more about UiO's storage guide for personal data and information. 

Access to information should be limited  to only those persons who are participating in the research project have access to personal data. A pseudonym  can be used to further restrict access to sensitive information. This means that directly identifying information has been removed so that personal data can no longer be associated with a specific person without the use of additional information. 

Archiving project data 

Personal data shall not be stored for longer than is necessary to achieve the purposes for which the personal data is collected. When the research project is completed, the data shall either be deleted or anonymized. In some cases, the data may be archival-worthy and can then be transferred to an archive for further storage. NSD can recommend how to handle personal data at the end of the project. 

Upon completion of the project, Sikt will contact the project manager with an offer to archive project data. 

Deviation 

Any deviations from these routines, or privacy regulations in connection with the processing of personal data in the research project, is to  be reported to UiO-CERT.  

Read more about deviations and how to report deviations here. 

Forskpro 

Forskpro (formerly Helsforsk) is a system used for keeping track of medical and health research projects at UiO. The purpose of the system is to contribute to compliance with the Health Research Act's requirements for continuous review and follow-ups. All medical and health research projects must be registered in Forskpro. Additionally, some institutes at UiO require that all research projects at the institute  are also registered in Forskpro. This applies regardless of whether it is a medical and health research project or not. Ask your research advisor about the routine of your institute.   

Transitional rules for the new routine for medical and health research 

• Ongoing medical and health research projects that have previously received an assessment/approval of the project`s privacy risks do not, in principle, need to apply to Sikt. 

• Ongoing medical and health research projects that implement project changes approved by REK after 01.01.2020 must also apply to Sikt if the changes in the project have altered consequences for the privacy of the research participants. If you are in doubt whether the changes will have any privacy related consequences, please contact behandlingsansvarlig@uio.no. 

• Medical and health research projects that have applied to REK before 20.12.2019 can still obtain an internal approval of privacy if the data handling officers are notified of this at behandlingsansvarlig@uio.no. 

Questions? 

If you have any questions related to the completion of the Sikt form, Sikt can be contacted on tel: 555 82 117, e-mail: personverntjenester@sikt.no, or by chat. At UiO, questions can be addressed to behandlingsansvarlig@uio.no. 

On Sikt's website you can also check if you have to report your project.