Procedure 6: Storage and handling of research data (data quality and information security)

Version 5, approved by the University Director 01/02/2022

Medical and health research: Research activity carried out using scientific methodology to acquire new knowledge about health and diseases.

1. Purpose

The purpose of this procedure is to ensure that health research data is:

  • Collected
  • Registered
  • Managed
  • Processed
  • Stored

in such a way that the requirements and provisions of the Personal Data Act are fulfilled in research projects that are also covered by the Health Research Act and that intermediate storage and quality control of

  • Source data
  • Metadata
  • Result data

allow for the reconstruction of data and management.

2. Scope

This procedure applies to data from all research projects covered by the Health Research Act, including clinical trials of medicinal products and medical devices. The procedure doesn't apply to projects that were completed when previous versions of this procedure were implemented. If data from completed projects is retrieved for repeated use, the data will be covered by the requirements set down in this procedure.

If data is stored in agreement with the information provider, such as hospitals, health management and primary care, the procedures and systems for processing, storage and transfer must be described in an agreement for the specific project or in a separate data processing agreement.

If UiO research data is going to be stored/processed by a third party, an agreement on data processing must be entered into, see Appendix 6.4. The agreement must include requirements concerning quality control and a description of the methods used for processing.

3. Responsibilities

IT Director

  • is responsible for establishing and maintaining the internal control system for information
  • is the data handler officer
  • may, on behalf of research administrators, consider and decide on exemptions from the requirements of this procedure
  • is responsible for the maintenance and development of TSD

The person who in writing has been delegated responsibility for research or Sponsor Representative (Cf Procedure 1, 3, 4)

  • is responsible for ensuring that all projects have a plan for the proper collection, quality control, intermediate storage, processing/analysis, final storage and other data management
  • is responsible for ensuring that the department/unit has satisfactory systems in place for the secure storage of link keys from ongoing and completed projects
  • must ensure that the necessary software for statistical analysis and other processing is available in UiO systems

Individual Project Manager/Principal Investigator

is responsible for ensuring that the personal data included in a medical and health research project is processed properly (registered, managed, quality controlled and stored in accordance with applicable legislation and approvals) with the possibility of reconstructing the source data and for ensuring that the necessary agreements are in place and documented, cf. Appendix 6.1 Checklist for handling and storage of data in each project.

4. Description of tasks

UiO does not have a uniform system for processing and storage of research data. Data can be stored in different systems, in different formats and on different media. However, the following guidelines must be fulfilled:

4.1 Restrictions

The data which is handled and stored should be relevant and necessary for the purposes of the research project and for required reconstruction, as approved by REK and other relevant authorities, and recommended by Sikt (formerly NSD, Norwegian Centre for Research Data). Any changes in the collection and processing of data should not be implemented without a new application and approval/recommendation of the described changes from the same authority that gave the original approval/recommendation.

4.2 Storage and processing of research data

All processing and storage of research data should be conducted within the approved systems of UiO and in compliance with decisions from REK.

Research data should only be stored and processed in accordance with the Data Storage Guide of the UiO: https://www.uio.no/english/services/it/security/lsis/storage-guide.html

Research data should be classified in accordance with UiO’s procedure for the classification of data and information: https://www.uio.no/english/services/it/security/lsis/data-classes.html

Research data in medical or health research projects is classified as red or black data. Only Sensitive Data Services – TSD 2.0 is authorised for the storage and management of data in projects covered by the Health Research Act.

4.3 Personal identification

The degree of personal identification should not be higher than necessary to fulfill the purpose of the research (Ref. Veiledning til helseforskningsloven [Guide to the Health Research Act], sections 4.3 and 4.5).

4.4 Transfer of health data

Any transfer to or from a cooperating institution should not occur without an approval from REK and a signed data transfer agreement.

4.5 Personally identifiable health data

Health data that is directly identifiable must not be stored or processed in any UiO system other than TSD 2.0.

4.6 Disclosure of pseudonymized health data

Health data that is pseudonymized must not be disclosed to other institutions together with the subject identity list. Even if the recipient does not have access to the subject identity list, the data are not considered as anonymized as long as the subject identity list is intact.

When transferring any health data, the Principal Investigator must, in addition to submitting an application to REK, obtain written assurance regarding GDPR compliance from the data controller to which the data is transferred, see Attachment 6.3 Data transfer agreement.

When transferring health data to countries outside the EEA, the Principal Investigator shall, in addition to applying to REK, obtain a written confirmation that the data controller and/or the data processor in the receiving country can warrant the same level of protection as the GDPR requires, and also that the research participants have given their informed consent to and are informed about the transfer of information to countries outside the EEA. The Principal Investigator has to make certain that a valid transfer tool is available pursuant to Chapter 5 “Transfers of personal data to third countries or international organisations” of the GDPR.

4.7 The subject identity list

The subject identity list must be stored with limited and controlled access and be held separate from the health information, see Appendix 6.2 Form for the subject identity list. After completing the project, it must be ensured at department, institute or unit level that the subject identity list is securely stored. This may be done in the TSD system. The subject identity list should be classified in accordance with the Data Storage Guide of the UiO. The subject identity list shall be classified using the same colour as the research data.


5. Legal basis

  • LOV-2008-06-20 no 44 Act on medical and health research (Health Research Act)
  • FOR-2009-07-01-955 Regulations of the organization of medical and health research
  • ACT-2018-06-15-38 Act on the Processing of Personal Data

6. Appendices

Published July 19, 2022 7:34 PM - Last modified Feb. 7, 2023 5:39 AM