Collection of personal data for research projects
Please note that this page has not yet been updated after the introduction of the new General Data Protection Regulation in July 2018.
If your research or student project involves the collection of personal data, you need to check whether you have to notify the Data Protection Official for Research. This also applies to student projects at Bachelor and Master level.
Norsk versjon - Behandle personopplysninger i student- og forskningsprosjekt
Which projects should be reported? #
If you are processing personal data electronically and it is not related to medical or health research, you need to report your project to the Norwegian Centre for Research Data (NSD). This applies to both research and student projects. The same applies if you are manually processing personal data to be entered into a personal data register.
The Project Manager or supervisor of a student project is responsible for reporting the project to NSD. The project must be reported 30 days before the collection of data is initiated, at the latest. NSD also offers archiving for project data (in Norwegian) when the project is concluded.
Medical and health research #
Medical and health research must be approved by the Regional Committee for Medical and Health Research Ethics (REK) before the project is initiated. These projects should not be reported to NSD. NTNU has created its own portal for medical and health research with administrative procedures and guidelines to ensure that medical or health research is carried out in a safe way and according to the law .
Medical or health research is defined as research on humans, human biological material or health information, where the objective is to obtain new knowledge about health and disease. The same applies to research that contains pilot studies and experimental treatments. The health research portal contains more information about the lines drawn between medical and health research and other research containing personal data.
What is personal data? #
Personal data is information that directly or indirectly can identify a person. Information that can directly identify a person includes names, personal ID numbers or other personal identification. Information that can indirectly identify a person includes background information that can be traced back to an individual, e.g. place of residence or institutional affiliations combined with information about age, sex, occupation, nationality, and so forth.
The notification requirement applies regardless of whether the personal data contains substitutions designed to hide identities, such as numbers, codes, fictional names or something similar, but that nevertheless is linked to a separate list containing the personal data. Use of video and audio recordings of persons must also be reported if:
- the recording is processed or stored by electronic means (on a computer as an audio or image file)
- transcriptions contain personal data and are processed electronically (computer)
- transcriptions contain sensitive personal data and are systematized in a manual register
Even if all project reports are anonymous, the project may still be notifiable if personal data is processed during work on the project.
If the project contains processing of sensitive personal data (e.g. data on health conditions, sexual conditions, social conditions that affects one's health), NSD will consider whether a licence is necessary and give a recommendation to the Data Inspectorate, which decides whether the licence is given.
Storage of research data #
The project manager is responsible for the data that the project collects and uses, and must have access to all research data included in the project. The project manager assigns access rights and keeps records of who has access to the data. The project manager is also responsible for the management of active research data and for deletion/storage of data in a satisfactory way at the end of the project.
Measures must be taken in connection with the research data in proportion to the actual risk based on a risk assessment. Key factors in the risk assessment are the scope of the project, the sensitivity of the information, the threat profile related to the environment in which the information is processed and stored, and the duration of the project.
In the context of health research, the following examples of an acceptable risk level have been described (in Norwegian).
These examples are also relevant in a risk assessment in which sensitive personal data are involved in research outside the field of health research.
NTNU IT has signed an agreement on behalf of NTNU with the University of Oslo (UiO) for use of the TSD 2.0 services used for secure storage of sensitive personal data, including health data. So far, NTNU has purchased space for 60 projects. The solution includes 1 TB of storage, as well as access to computer power and tools according to the description. If you need more storage or other capacity than the basic package includes, the project must buy this from UiO.
- To order, sign the supplement to the data processor agreement (databehandleravtalen) that NTNU has signed with UiO.
- Questions about the agreement can be sent to Hans Bækken Kulstad (Senior Engineer, IT Division).
Collection of data outside Norway #
If you are a student/researcher at an institution in Norway and you are going to collect data in countries outside Norway, you need to comply with the requirement to notify the Data Protection Officer in connection with recording personal data in the same way as for data collection in Norway.
Data controller institution outside Norway #
If the data controller institution responsible for processing of personal data is established in a EEA country, it is adequate to report the project to the regulatory authorities in that country. If the data controller institution responsible for processing of personal data is in a country outside the EEA, the project must be reported in Norway by a Norwegian institution that undertakes to act as the representative of the data controller.
Internet Research #
Will you be conducting research on information found on the Internet? In that case, your project will be subject to notification if you process personally identifiable information on a computer. Examples of such processing may be saving documents from open or closed discussion forums, containing "nicknames" or names of participants. Furthermore, direct quotations can be searchable, and thus might be considered personally identifiable information.
As a general rule, one should provide information to participants and they should give their consent to the processing of personal data in connection with research projects. However, there may be exceptions from these requirements for information. See more about Internet research on NSD 's website.
See also #
- The Data Protection Official for Research. Here you can find detailed information about video, audio, images etc. NTNU has appointed NSD as their data protection official for research.
- NTNU Health Research Portal (in Norwegian). How to plan, carry out and conclude a research project.
- Norwegian Centre for Research Data (NSD). Instructs researchers and students in collecting and analyzing data, method, protection of privacy and research ethics
- List of projects reported to NSD (in Norwegian)
- Project search (in Norwegian)
- SelectSurvey (in Norwegian)
If you have questions relating to NSD notification requirements or preliminary approval of medical and health projects, please contact:
- Anne Marie Snekvik
- Gjøvik: Stein Runar Olsen
- AD-Faculty: Håvard Wibe
- HF-Faculty: John Kamsvåg
- IE-Faculty: Harald Lenschow
- IV-Faculty: Astrid Vigtil
- MH-Faculty: Randi Kallar Devold
- NV-Faculty: Lars E. Onsøyen
- SU-Faculty: Rune Dahl | Kyrre Svarva
NSD: Phone: 55 58 21 17 or email: firstname.lastname@example.org
REK: Phone: 73 59 75 06 or email: email@example.com