What is personal data and what does it mean to process personal data? How does GDPR apply research projects at HINN? When and in what way must a project be notified to SIKT Personal Protection Services?
Step-by-step guidance on data classification and data protection
Step 1: Determine what data you need to collect and whether permission is required
Categories of data that may be collected for your research project. The list is not exhaustive.
Permissions
You will be subject to the notification requirement to the Data Protection Services at Sikt (previous name: NSD) if you collect personal data. You need to read all of the information available on this page. Make sure to set plenty of time aside! The processing time at Sikt is ca 30 days and you cannot start before you have received a decision. Notifications to the Personal Data Services at Sikt are required for research projects and bachelor’s and master’s theses are considered to fall under this. Other student assignments that involve the collection of personal data, as well as non-anonymous evaluations and student surveys, must be authorised by the local INN University Data Protection Officer.
If you will be collecting personal data among groups belonging to an institution, for example interviews or surveys issued to employees at a healthcare institution, school or police station, you generally need to obtain permission from the institution management. The same applies if you will be collecting data from students and employees at INN University. The notification requirement for Sikt Personal Data Services has exceptions for anonymous surveys, see step 3.
You will be solely responsible for considering the need for any other permissions for data collection and need to discuss this with your academic supervisor. You also need to be careful not to come into conflict with the copyrights of others.
Non-disclosure agreement
If bachelor’s or master’s project is part of a larger research project at INN University (or elsewhere), the student will most likely gain access to more confidential information than that which relates to the student's project alone. The student must sign a non-disclosure agreement.
Step 2: Understanding what personal data is. What can you collect?
Personal data is divided into three categories: anonymous, general and sensitive data. Legally speaking, anonymous data is not considered personal data and is therefore not covered by the General Data Protection Regulation (GDPR). However, it is a good idea to consider all three categories as a whole in order to understand the context.
The GDPR refers to all forms of collection and processing of data as “processing of personal data”. It is possible to process data relating to people even if you do not actively use the data for anything.
INN University is defined as the data controller for personal data in research and student projects and is obliged to provide students and academic supervisors with guidelines and information, ensure secure data solutions and keep an overview/control.
Personal data is information or assessments that can be linked to an individual. Such information could, for example, be linked to an individual via their national identity number, name, e-mail address, IP address or reference number referencing a list of names or registry, a compilation of background data (indirect identity), biometrics, etc. Voice data is also considered personal data and interview recordings therefore constitute processing of personal data.
Sensitive personal data, also labeled special category, refers to information about your informants that relates to racial or ethnic origin, political opinion, religion, philosophical beliefs or trade union membership, as well as the processing of genetic data and biometric data for the purpose of unambiguously identifying a natural person, health data or data relating to the sexual relationships or sexual orientation of a natural person (Article 9 of the GDPR). Criminal convictions are also considered sensitive/special personal data in this context.
Health data refers to information about an individual’s physical or mental health in a broad sense, including use of health services or social circumstances.
When collecting data from children and other vulnerable groups, such data collection may be classified as sensitive personal data.
Generally speaking, no-one is permitted to process sensitive personal data. In order to allow for the processing of sensitive personal data, there must be a well-justified purpose and data collection must be in the best interests of society. Informants must also provide explicit consent for such processing (Article 9-2 of the GDPR).
The general rule at INN University is that all students should avoid processing personal data and that such processing can only be justified in situations in which there are no good alternatives available.
The rules relating to the processing of personal data for bachelor’s and master’s theses respectively:
| Category/Student | Bachelor's | Master's |
| Anonymous | YES | YES |
| General | Preferably not | Yes |
| Special category (sensitive) | NO | Preferably not |
Carefully consider whether you can reduce the personal data burden/disadvantages in your project, do you even need to process personal data? And if you find that you do need to, remember to restrain yourself in order to limit data collection. Only request information that clearly serves the purpose of your research.
Step 3: Establish whether you can avoid collecting personal data
As mentioned in step 2, any enterprise, including the INN University, must aim to process as little personal data as possible. This is also an individual responsibility you need to take on. You can choose to base your project on information that does not directly relate to people (see step 1). You can collect anonymous data.
Step 4: For supervisor and student: Clarify the allocation of responsibilities
The academic supervisor will be the project manager for a bachelor’s or master’s thesis. Nevertheless, the student has an independent responsibility to familiarise and comply with any requirements that apply if the student chooses to process personal data. Together, you need to start by considering whether the student project can be completed without processing personal data. If this is not possible, the student needs to notify the project to SIKT Data Protection Services (see step 8). During the registration process, the student needs to list you as the academic supervisor as the project manager and the student must share the notification form with you.
Sensitive personal data cannot be collected as part of bachelor’s projects and should be avoided to the extent possible in master’s projects and must always be subject to discussion between the student and academic supervisor.
The academic supervisor and student need to set aside sufficient time to discuss information letters and consent forms.
Use this checklist to ensure that your duties are/will be fulfilled.
In consultation with the academic supervisor, students should draw up a data management plan (see final section).
Step 5: Understanding the GDPR and the requirements that must be met
The General Data Protection Regulation (GDPR) entered into force in 2018 with the main purpose of strengthening data protection in EU/EEA member states. The private sector, public sector and research sector are all subject to the GDPR. If you need to process personal data as part of your bachelor’s or master’s thesis, the GDPR will also apply to you and below you can find some of the most relevant aspects:
- Research data must be collected only for specific, explicitly stated and legitimate purposes and cannot be processed further in a manner that is incompatible with these purposes.
- The researcher/student can only process data that is necessary for the research purpose.
- The processing of personal data can be accepted if there are no good alternatives and the processing has a justified purpose and (some) benefit to society.
- The processing of personal data may only take place after obtaining documented consent from persons who are capable of giving consent.
- It must be possible to withdraw consent and all data relating to the individual must be deleted immediately if consent is withdrawn.
- Personal data must be stored securely and not for longer than is necessary for the purpose.
You need to ensure that you can fulfil the rights of your informants (research subjects). This means that, as long as an individual can be identified through data, the individual shall be entitled to:
- withdraw their consent without justification at any time,
- access the personal data recorded about them,
- request correction of their personal data if anything is incorrect or incomplete,
- request the erasure of their personal data,
- request a copy of their personal data and
- lodge a complaint with the Data Protection Officer or the Norwegian Data Protection Authority (Datatilsynet) concerning the processing of their personal data.
You need to provide information about rights in the information letter and consent letter you will draw up before recruiting informants. No-one can be included in your bachelor’s or master’s project until a declaration of consent has been signed. Read more about consent in step 7.
The right to complain
If any informants/research subjects believe that the processing of personal data has not taken place in a correct and lawful manner in your student project or they believe that you/the academic supervisor and/or INN University have failed or refused to fulfil their rights, they will have the opportunity to complain to the INN Data Protection Officer about the processing.
If INN University does not take the complaint into account, the informant/research subject will have the opportunity to lodge the complaint with the Norwegian Data Protection Authority.
The Norwegian Data Protection Authority is responsible for ensuring that Norwegian enterprises comply with the provisions set out in the Personal Data Act/GDPR when processing personal data.
Step 6: Choosing data solutions for secure collection and storage
Information security is important regardless of whether or not your student thesis is based on personal data. It would be bad if the data you have collected was lost or manipulated!
Guide to the collection and storage of data in your project.
First you need to read about the principles for secure data management below:
INN University has the main responsibility for information security by preventing, detecting and managing three situations that may arise:
- Unauthorised parties gaining access to confidential data (=confidentiality).
- Information and systems being modified, damaged or deleted in unauthorised or unintended ways. (=integrity).
- Information and systems being lost or unavailable when needed (=availability).
The student will be responsible for:
- Adhering to the guidelines for student projects (this website).
- Always using the University’s data solutions based on Feide logins when processing personal data or other data that should be protected.
- Never using private cloud services or private file folders for the collection and storage of project data. This applies to Google Drive, iCloud, Dropbox, personal Office 365 services, Filr, Slack and more. This means that data ends up outside of the ownership and protection of INN University and constitutes an information security breach.
- Do not exchange data via e-mail, Messenger, SMS or memory devices.
- Researchers and students are permitted to: Use their personal equipment/devices, such as PCs, Macs, smartphones or tablets. The ownership of the device is irrelevant. The important aspect is what cloud service account you log into, you always need to log in using Feide-login as a minimum.
Why you can only use INN University data services
- The data services that INN University and/or the University sector have entered into data processing agreements with, are all based on Feide logins as a minimum to ensure that you can get started correctly. These services have been developed with privacy by design, greatly reducing the likelihood of security breaches.
- INN University owns the data and will be the data controller for personal data while your student project is ongoing. If data is released to personal cloud service accounts, INN University will lose ownership and can no longer act as the data controller.
Your data must be in one place! You must not duplicate data via e-mail attachments, copies in personal folders, memory sticks, external hard drives, etc. If you want to share data with others, you must assign access to the INN University One Drive folders (or the Educloud folders). This is necessary in order to comply with the data protection principles set out in the GDPR (see step 5) concerning data security, access, correction and erasure. For example, if one of your informants exercises their right to control of their own data and wishes to correct or erase data, this would not be possible if data is spread across multiple locations and several partners.
Step 7: Create an information letter with a consent form and assess capacity to consent
Informed consent is the communication and information that allows each participant, regardless of age and mental capacity, to make a qualified decision to participate in your student project. In order for consent to be called informed consent, you need to take your time to draw up information about your project. Test the text on people you know that may be similar to the informant group you will recruit from. Any doubts about the wording or any missing information must be taken into account and revised. Please be prepared to provide verbal information as well.
It must be clear to each individual what they are consenting to. This means that they need to be able to consent to a clear and precisely formulated purpose. Personal data can only be used for the purpose for which consent has been given. Further details about consent and information letters.
Sikt Data Protection Services has a guidance template for information letters. You do not need to follow the template to the letter but you need to ensure that all mandatory topics highlighted in the template are addressed in your letter and preferably using customised language. The Sik-template is formalistic and can be difficult to read and understand without adjustments. You should therefore adapt/simplify the text for your target group, feel free to include images as well. You can also create an informational video to provide together with written information.
At the end of the letter, you need to include contact details for the local Data Protection Officer at INN University, you can find up-to-date details here.
Information and template for designing information and consent letters.
Capacity to consent
As a student, you need to be extremely aware of “reduced or lack of capacity to consent”. This means that your informant(s) may be unable to understand what the consent entails. This could relate to “vulnerable groups”, such as people with vintellectually disabled, children and people with dementia. Or it could relate to asking for consent from informants in “vulnerable situations” such as stress, accidents, acute illness, etc.
To the extent possible, incapacitated persons should provide independent consent. The person’s guardian must provide consent if this is not possible.
Age limits
Depending on the nature and scope of the project, an age limit of 15 years is usually applied for children to consent to their own participation in research. The age limit is 16-18 years if it involves sensitive personal data. For anyone younger, parents/guardians must consent on behalf of the child.
Health research: Minors between the age of 16 and 18 can consent unless otherwise set out by special legal provision or the nature of the initiative. Consent from parents/guardians will be required if the research involves bodily intervention or pharmaceutical trials.
Section 17 of the Health Research Act contains further provisions on the capacity to consent.
Step 8: Fulfil the notification requirement at Sikt Data Protection Services
Will you be processing electronic data relating to individuals as part of your research or student project? You will need documentation from Sikt Data Protection Services showing that your project processes personal data in a lawful manner. The notification requirement applies regardless of whether the project is a research, master’s or bachelor’s project.
Sikt is aThe service provider for the knowledge sector”, which provides common infrastructure to universities and university colleges.
The notification requirement applies regardless of the collection method you have chosen, including interviews. Anonymous data collection is not subject to the notification requirement, but you need to be entirely certain that the data collection is anonymous, see step 3.
What will Sikt Data Protection Services consider?
When considering the notification form, NSD Data Protection Services will conduct a comprehensive assessment of how the notifier plans to process personal data by looking at:
- whether the personal data that will be collected is relevant to the purpose of the project.
- how the information will be collected, registered, stored and, if applicable, compiled or disclosed
- whether the sample selection needs to be informed and consent obtained
- whether information letters and declarations of consent comply with legal requirements
- how long personal data will be stored for and whether the data will be anonymised or stored further after the completion of the project
How do Data Protection Services at Sikt (NSD) consider notification forms?
- When a notification form has been submitted for pre-assessment, the form will be reviewed by a Data Protection Officer.
- The notification form will be returned to the notifier if it has been incorrectly completed or any attachments are missing.
- If the notification form is returned to the notifier, the notifier will be able to find the comments from the Data Protection Officer on My Page. The notifier will then need to make any necessary changes to the notification form and resubmit the form.
- The notifier must complete the notification and provide argumentation as to what is correct for the project. Sikt’s Data Protection Officers cannot change or update the notification form on behalf of the notifier.
When the notification form has been considered, it will act as documentation that the project processes personal data in a lawful manner.
Supplementary information: Under the ‘Processing’ section of the notification form, you will be asked to upload guidelines/permissions to process data on personal devices (PCs). Here, it will be sufficient for you to reference this website (copy and paste the URL) and step 6.
Step 9: In the event of changes during the project.
If you make any changes during your project that could have consequences on the assessment of whether the project meets the requirements set out in data protection legislation, you need to notify the Data Protection Services at Sikt (NSD) of the changes.
Click here to read more about changes that must be reported and how to submit change notifications.
Step 10: Final notification, erasure and archiving after the thesis has been submitted.
The Sikt Data Protection Services at Sikt will follow up on the scheduled completion date (the date you have entered as the project end date) to clarify whether the processing of personal data has concluded. You will be notified if you are required to provide a response. The same message will also be sent to your academic supervisor. If you realise on the notification date that the end date needs to be postponed, please follow the instructions set out in step 9.
Erasure of personal data upon project completion
Be aware of the following:
- Personal data must be erased or anonymised upon project completion. Exceptions may be made in rare cases if you have agreed with your informants and your academic supervisor in advance that personal data can be retained.
- Anonymisation means that the link key is deleted, as well as direct personal data such as names and/or national identification numbers being erased. In addition, indirect personal data (identifying compilations of background data such as occupation, age, gender) must also be removed or assigned to broad categories so that no individuals can be recognised from the materials. However, the dataset must be erased if you are unable to remove indirect personal data.
- In addition to deleting the link key itself, you also need to remember to delete any address lists and other contact details.
- Data anonymisation is considered equal to erasure and an anonymised version of the dataset can be retained.
- If anyone has set out requirements concerning erasure, such as REC (health/medicine) or the enterprise you have collected research data from or if information about this has been issued in connection with obtaining consent, you need to ensure that the erasure of research data is carried out in an appropriate, complete and secure manner. Please contact the IT department in the event of any doubts.
- Hard copies containing personal data must be shredded.
- Consent forms/declarations must be deleted (digital) or shredded (paper).
- Audio recordings must be deleted while transcripts can be retained, provided that all direct and indirect personal data has been removed completely.
- For the erasure or editing/censoring of images or film/video recordings, you should obtain advice from your academic supervisor, the IT department and/or NSD.
Human biological materials must also be destroyed at the expiration of the storage period. Discuss this with your academic supervisor!!
Special information relating to medical and health research
Some master’s projects at INN University may fall under the category of medical and health research projects. No bachelor’s projects are relevant here, as bachelor’s students do not have any opportunity to collect sensitive personal data. Medical and health research projects involve health data by definition, which therefore constitutes sensitive personal data.
Together with your academic supervisor, you need to submit an application for prior approval to the Regional Committee for Medical and Health Research Ethics. Carefully adhere to the information available via the REC portal and the Guidelines relating to health research at INN University.
If you and your academic supervisor are unsure about whether the project requires prior approval from the REC, you can submit an assessment proposal (Find the form under “New application”). This will provide the REC with grounds to provide further guidance. Master’s students also have the opportunity to present their project to the local ethics committee for research at INN University if the project relates to health-related research in people or human biological materials but falls (just) outside the REC mandate. This is something you need to raise with your academic supervisor and together you can read the information about local ethics assessments at INN University.
The notification requirement relating to NSD Data Protection Services (see step 8) must also be taken into account in health research projects. Ethics assessments conducted by the regional committee or local comittee do not include any auditing of data protection or data security.
If you envisage the opportunity to publish an academic article based on your master’s thesis, you should consider registering your project in the international ClinicalTrials.gov database prior to starting. A number of journals require studies to be registered here in order to be published.
Data management plan
The data management plan is a recommended tool for anyone working on a thesis. It helps you obtain an overview of what you need to collect, how to collect it, how to describe data, where to store data, how to work with data, whether anyone else requires access to your data, what you need to do when you have finished using the data, etc.