Guidelines for research data at INN University

1. Purpose

The purpose of INN University’s guidelines for research data is to clarify responsibilities, obligations and tasks for safeguarding research data generated at INN University, as well as ownership and sharing of research data.

Research data means registrations, records, reports, etc. that are generated or occur during the research process. For example, this may include numbers, texts, images, sound, etc. generated through new analysis, compilation of existing data, or data generated through new data collection.
The guidelines do not apply to artistic research.

2. Relationship with other steering documents

INN University’s principles and guidelines for the management of research data must be in accordance at all times with other, more general steering documents. In addition, data management requirements in connection with acquisition, primarily EU-Horizon 2020 and the Research Council of Norway, must be included as a premise.

• The Norwegian Ministry of Education and Research: ‘Strategy for digital transformation in the higher education sector 2021-25’ (revision of strategy for 2017-2020)
• The Norwegian Ministry of Education and Research: National strategy on access to and sharing of research data, published in December 2017.
• Policy and Regulations for Intellectual Property Rights (IPR) – approved by the University Board Nov. 2019.

3. Division of responsibility

3.1 Inland Norway University of Applied Sciences - top organisational level

• Responsible for all research carried out at the institution.
• Responsible for processing personal data in research at the institution. 
• Responsible for information security.

3.2 Research administration and library

• Responsible for the development of secure, relevant and user-friendly research support services and infrastructure as a basis for research activities, in close collaboration with the IT service.  
• Contribute to ensuring that updated research support systems are included in the actual development of methods in research.
• Ensure that services and infrastructure are developed in accordance with research data cycles.
• Develop and maintain an internal control system regarding the processing of personal data in research and to advise students and researchers accordingly. 

3.3 IT service

Contributes to development, implementation and support related to

• Storage resources: Data storage and archiving infrastructure
• Software resources: Collection and analysis of data.
• Guidance resources: Technical staff operating networks, computers, and storage resources. General user support, including courses/training. Advanced internal or external user support for the development of software etc. for calculations of specific scientific problems.

3.4 Independent responsibility of researchers

INN University employees must follow international FAIR principles to facilitate the further use of research data.
Researchers, including PhD candidates, are obligated to use the IT infrastructure that INN University has established and maintains for the processing of personal data and other classified information.

3.5 Project manager’s responsibilities 

The project manager is responsible for the data that the project collects and uses, and that necessary permissions/permits have been obtained and that a data management plan has been established and is maintained.  The project manager must have access to all research data covered by the project.  The project manager assigns access rights and keeps track of who has access to the data. The project manager is also responsible for the management of active research data, for de-identification of data at the end of the project and for transfer to appropriate archives. The project manager can delegate the responsibility to a qualified employee (data curator). 

3.6 Supervisor and student responsibilities

The supervisor is formally the project manager in student projects, while the student is the one who carries out the tasks agreed with the supervisor. This does not apply to doctoral candidates (PhD), they have an independent responsibility based on necessary training from the supervisor in particular and INN University in general.

Students can participate in research projects at INN University provided that necessary agreements have been entered into in advance (e.g. confidentiality agreements, restrictions on use and ownership of data, etc.).

4. Ownership of research data

Reference is made to Section 2 of INN University’s policy on copyright/intellectual property rights (IPR). Beneficial rights.

4.1 Active research data

Employed researchers

Active research data is owned by INN University as the data controller.  As a general rule, employees who leave or discontinue their employment at INN University must transfer their active data to the research group they are part of.
Independent research work, independent of a research group, may not be transferred to a new place of work or kept in private care without an agreement with the institution (INN University) c/o the dean and in consultation with the central R&D administration. 
As a general rule, processing and/or ownership of research data cannot be transferred to an external partner or external data processor without a data processing agreement.  For research based on personal data, this is an explicit requirement without exception.
In commissioned research, active research data must be in INN University’s care until the end of the project, and transfer or duplication after the conclusion of the project may take place if this is agreed upon with the client.

Students

Students own their own de-identified data when a project is concluded, unless otherwise agreed in joint projects. In student projects that process personal data, the active data must be in INN University’s care until the project concludes, and then anonymised before the student has full rights of use.
Students cannot use an external data processor when processing personal data.

4.2 Open access publishing

All researchers must comply with the national strategy stating that research data resulting from publicly funded research must be available and shareable at the end of the project (Ministry of Education, 2017).
Data that form the basis for scientific articles should preferably be made available at the time of publication. Other data that may be of interest to other research should be made available within a reasonable amount of time and never later than three years after the project has ended. Researchers may be given an embargo (postponed open publication) for the content, and may refrain from publishing data if it is not possible to remove personally identifiable or other confidential information from the material.
If the researcher publishes the data openly via a publisher, the publisher must also grant INN University the right to publish this material openly.
With regard to commissioned research, the client owns the data unless otherwise agreed.
Questions of rights and ownership must be clarified and agreed upon in cases where data is used for commercialisation and patenting purposes. Agreements may also be required in situations where INN University’s own researchers make use of external data.

5. Data management plan

Research data management is described as a research data lifecycle with a number of measures that will vary from different projects and academic orientation.

A data management plan (DMP) helps the researcher to maintain an overview and structure throughout the cycle.

Researchers/research groups are obligated to assess the need for preparation of a data management plan, and are obligated, without exception, to prepare a data management plan for projects funded by the Research Council of Norway and the EU.

In consultation with their academic supervisor, students should prepare a data management plan. Likewise, programmes of study should expect master’s students to prepare a plan and also include it as part of the teaching of methods.
INN University will contribute infrastructure, expertise and supervisory resources to support researchers/research groups in designing, revising and complying with a data management plan for a given project, including for master’s theses.

Information and recommended data management templates can be found on the University’s website.

6. Processing of personal data in research

When planning and implementing researcher and student projects, one is obligated to comply with the following

1. All processing of personal data in student and research projects triggers a duty to report to NSD’s Data Protection Service. An approved notification is documentation of lawful processing of personal data in accordance with the Personal Data Act (GDPR). 
2. All medical and health-related research projects must also receive prior ethical approval from the Regional Committees for Medical and Health Research Ethics (REK). 
3. A project cannot begin until approval has been obtained from NSD Data Protection Service and possibly from REK. 
4. Included research participants (informants) have the right to control their own information and can, among other things, request access, correction and deletion (Article 5 of GDPR).
5. When researchers/students process personal data, it is only permitted to use the data services with which INN University has a data processing agreement. These are characterised by the fact that they require FEIDE login as a minimum. 
6. Private cloud services or file folders may not be used to collect and store research data containing personal data.
7. Private devices (PC, desktop computer, smartphone, tablet, etc.) can be used as a medium for FEIDE login in INN University’s data services for research.  
8. The researcher/project manager/student assigns access rights to the storage area (OneDrive, Feide or TSD). Researchers/students with access rights can log in to the data. Active research data containing personal data may not be shared with others via email or other sharing services. 
9. Projects involving sensitive/special categories of personal data or classified information must use the ‘Services for sensitive data’ (TSD) for collection, processing and storage. 

Specifically for bachelor’s and master’s theses

Students must have completed the necessary training in information security and data protection and fulfilled the duty to report to the NSD Data Protection Officer before the processing of personal data in a student project can take place. 
Together with their supervisor, students must, as a first alternative, consider completing bachelor’s and master’s theses without collecting personal data. If personal data is collected, it must be done with the lowest possible detriment to data protection.