I am a researcher

The requirements described here apply to all internally and externally financed research at UiO where personal data is processed, in the form of either quantitative or qualitative data. The researcher also follow routines for processing personal data in research projects.

Limitations: Personal data that is processed in medical and health research is not covered by the instructions in this guideline. This type of research has its own routines and guidelines for the processing of personal data.

What privacy responsibilities do deans and heads of departments have when personal data is processed in research projects?

Deans and heads of departments have privacy responsibility for all processing of personal data related to research projects carried out at their units.

This responsibility includes the following tasks:

• ensuring the establishment of routines and guidelines for processing personal data in research projects (if these do not already exist)
• ensuring adequate resources for training project managers and project staff in the routines and guidelines that apply to the processing of personal data in research projects
• controlling that adapted routines and guidelines that apply to the processing of personal data in research projects are followed by project managers and project staff
• assisting in an annual internal control (audit) and local controls performed by the University Director via employees in the IT director's staff; see guidelines for performing annual internal control (in Norwegian).

What privacy responsibilities do project managers have for research participants (informants or respondents)?

Project managers are responsible for the privacy of the participants when personal data about them is processed.

The responsibility of the project managers includes all phases in a research project:

1. When planning/starting up

The planning or start-up phase is the part of the research project that extends from the preparation of the project outline/application until the data collection process begins.

During this phase, the project manager is responsible for the following tasks:

• determine and maintain an overview of what types of personal data shall be processed in the research project
• prepare a consent form to be presented to and signed by respondents or informants
• prepare information to respondents or informants about their privacy rights
• register your research project with SIKT, i.e. the Norwegian Centre for Research Data. 
• enter into agreements with any external information providers, such as registry owners or partners at other institutions about how responsibility for personal data is to be distributed and safeguarded. See UiO¡¯s template for data processor agreements.
• ensure that secure technical solutions for the collection, storage, transmission and analysis of research data (personal data) available at UiO are used in the project.
• ensure there is a risk assessment of data security of research data (personal data) not processed using UiO¡¯s technical solutions for the secure collection, storage, transmission and analysis of such data.
• ensure that project staff have satisfactory expertise in the secure processing of research data (personal data)

2. When implementing

The implementation phase is the part of the research project that includes data collection and analysis of the data collected (personal data).

During this phase, the project manager is responsible for the following tasks:

• ensure satisfactory securing of link keys when processing de-identified personal data
• reply to enquiries from respondents or informants in the project about how to safeguard their privacy rights
• ensure proper erasure  or anonymising of research data (personal data) if respondents or informants withdraw their consent to participate in the project
• control that personal data processed in the project is not used for any other purpose or in any way other than the respondents or informants have consented to
• ask respondents or informants for new consent if information collected is to be processed for other purposes or in other ways, for example stored longer or used in a new project, than what they have originally consented to
• control that terms in agreements with any external information providers, such as registry owners, or partners at other institutions are actually being complied with
• report any discrepancy  that occurs when processing information about respondents or informants in the project. See routine for reporting discrepancies here.
• assist in an annual internal control (audit) and local controls performed by the data controller via employees in the IT director's staff. See guidelines for performing annual internal control (Norwegian).

3. When concluding

The concluding phase includes the part of the research project where the data analysis is completed and collected data (personal data) shall be erased, anonymised or transferred to others for further storage.

During this phase, the project manager is responsible for the following tasks:

• determine what personal data about respondents or informants shall be erased  and what shall be kept after the project ends (archived)
• ensure that all personal data about respondents or informants that is not to be kept after the project ends is properly erased
• ensure that personal data to be retained after the project ends is anonymised, for example by destroying the link key for de-identified data
• ensure that personal data that is to be kept after the project ends will be properly stored

Contact us if you have any questions.

Checklist

• Checklist for processing personal data as a researcher (word) (Norwegian)

Guidelines for processing of personal data in:

• Medical and health research
• Bachelor and master thesis

Useful links

• Notification Form for projects processing personal data SIKT
• Data management plan
• Research support
• Research data management
• E-learning course at HF
• E-learning course at SV