These procedures apply to all research projects and student projects at the University of Agder which involve the collection, processing and storage of personal data. The procedures apply to both electronically and manually collected data. All researchers, supervisors and students have an obligation to understand the meaning of the term ‘personal data’.
Researchers, supervisors and students must familiarize themselves with the responsibility they have for secure processing of personal data in the project (see Part 2 on Responsibility).
In addition, the following questions should be considered prior to starting a project which involves collecting personal data:
If the project involves collecting personal data, you are obliged to notify NSD (the Norwegian Centre for Research Data). Be aware that the obligation to notify applies even though all output of your research is subsequently made anonymous. The obligation to notify relates to the data you collect.
There is a statutory obligation to notify processing of personal data. The University has appointed NSD to handle all reports.
It is the responsibility of the project manager to submit the notification to the NSD no later than 30 days prior to the start of the data collection phase. Data collection must not take place before the NSD assessment has been received/returned. The task of filling in the form may be delegated to a project participant or a student, but the project manager must take part in the assessment of whether the project should be notified or not.
Any subsequent changes to the project plan must be notified to the NSD and feedback from the NSD must be received before any changes are implemented.
If the project comprises medical research or health research, formal approval from the Regional Research Ethical Committee (REK) must be obtained. It is the purpose of the project which decides if processing of personal data falls within the jurisdiction of ACT 2008-06-20 no. 44: Act on medical and health research (the Health Research Act). ‘Medical research and health research’ is defined as ‘activity conducted using scientific methods to generate new knowledge about health and disease’ (see Health Research Act, §4).
UiA is under the authority of REK South-East.
If the research project or student project is to be conducted in cooperation with another institution, the cooperating partners need to decide who has formal processing responsibility. The cooperation must be formalized through a written agreement which specifies the distribution of responsibility, the structure of responsibility, (who is) the initiator of the project, data use and possible ownership issues.
Main rule: consent must be obtained from the registered person if personal data relating to this individual will be collected for research purposes. This applies even if the data are collected from other sources. Personal data that are made public on the Internet and that may identify an individual may trigger an obligation to report, and the main rule on consent applies also in this case (see item 2 in NESH’s ethical guidelines for internet research and NSD’s webpage on internet research). One needs to be careful, therefore, when doing research on data found on the internet, and students, supervisors and/or researchers should study the information in the links above.
Consent must be given voluntarily, explicitly and based on adequate and secure information (Personal Data Act, article 4). Consent may be withdrawn at any time during the project and participants need not give reasons for their withdrawal of consent. Note that consent must be based on specific information about a concrete research project. An information letter must be formulated which includes a declaration of consent to be signed by the participant (see NSD's guideline template for the information/consent letter).
Exemptions: if the research project is not to be based on consent from registered persons, the notification form to NSD must include an explanation as to why it is necessary to undertake the project without consent.
Students, supervisors and/or researchers who process personal data are bound by a duty of confidentiality (see Public Administration Act, §13). Any publication or sharing with others of personal data must be based on the consent of the registered person.
The recording of sounds or videos in which individuals can be identified is only permitted on devices which do not have internet connections. The use of mobile telephones etc. is not allowed. Recordings shall, as soon as possible, be transferred to UiA’s own OneDrive area, or TSD 2.0, in accordance with the paragraphs below, and must then be deleted from the external device in question. UiA’s University Library has dictaphones for students to borrow. Please note that you need to provide your NSD acceptance before you can receive a dictaphone.
Saving personal data is detailed in the Personal Data Act section 5. The general requirement is that personal data shall not be stored longer than is necessary for carrying out the objective of the process in question. During work with the project, the individual responsible must ensure that the data containing personal data has been saved in accordance with the management system for information security at UiA.
In both research and student assignments, all documents or files containing personal data shall be secured in the sense that they are only saved on UiA’s own password-protected servers (Office 365 – OneDrive) or with a third party that UiA has a sufficiently suitable data handling agreement with. PCs must have user and password limited access, and access to these documents shall be limited to those who have a need for this information only.
If it is necessary to send documents containing personal data, the documents must be encrypted before sending.
When handling sensitive research data, the service TSD 2.0 from UiO shall be utilised. Alternatively, a local, dedicated computer without access to the internet can be used. Contact the IT department (email@example.com) for more information and advice about the handling of sensitive data.
Physical material, such as sound recordings, pictures, films and the like shall be saved in locked cupboards inside locked offices or other locked rooms.
If personal data is to be saved after a project has been completed, information pertaining to this shall be provided when the project is reported to NSD. The project leader is responsible for explaining the purpose of continued storage, and what potential disadvantages this might lead to for the individual registered. The data shall be saved in accordance with UiA’s guidelines and the applicable assessments/authorisations.
All requests for access to and inspection of the kind of processing of personal data that has been undertaken in the research or student project must be handled by the project manager or supervisor in accordance with Personal Data Act article 15.
Requests for access must be answered without undue delay, and at the latest within 30 days.
Personal data in research and student projects must not be disclosed to outsiders/third parties. Disclosure may still be allowed if the registered persons give their consent, if the NSD has examined the case for disclosure and if the receiver of the information has been formally accepted prior to project start (i.e. been included in the notification to NSD). Disclosure of personal data must also be approved by the University of Agder.
If an external person or an agency is to process personal data on behalf of the university (e.g. collecting/processing of electronic questionnaires, transcription etc.), the task is to be formalized by entering into a data processing agreement.
When a project is completed, all personal data must be anonymized or deleted in accordance with the original notification to NSD. NSD contacts the researcher or student after the end of the project and requests feedback on the status of the processing of personal data. The student/researcher has an obligation to respond to this request and a failure to reply will be reported to the university. Please note that there is a distinction between de-identification and anonymization, and that at the end of the project anonymization or deletion is required.
Responsibilities of the project manager/researcher: the project manager of each individual research project, including PhD candidates, is responsible for ensuring that project activities take place in accordance with procedures and regulations. In the case of student projects, the appointed supervisor is responsible. The area of responsibility includes, among other things, assessment of the obligation to notify, notification to NSD (Norwegian Centre of Research Data), securing information and consent, securing personal data and processing of requests for access. Deletion/anonymization of personal data at the end of a project is also the responsibility of the project manager. In student projects, it is the responsibility of the supervisor to ensure that the student has deleted/anonymized data in accordance with the notification to NSD.
Responsibilities of the student: the student has a duty of discretion and has a responsibility to follow the procedures adopted by UiA for securing personal data, as well as a responsibility to complete the project as it is notified to NSD.
Responsibilities of the Faculty: The Faculty Director must ensure that all researchers or supervisors have been informed about UiA procedures for processing of personal data in research. In cases of deviation from standard procedures the faculty is to report the deviation by using the webpage ‘Si fra’, thus minimizing the damage caused by the deviation. See deviation procedures for more information.
Overall responsibility for data processing at UiA, including processing of personal data both administrative and research-related, lies with the University Director.
Day-to-day responsibility regarding personal data issues lies with the Division of Research Management (FAA). FAA answers questions concerning privacy protection and deals with situations involving deviations in cooperation with the IT office and the Faculties. FAA is responsible for internal control procedures for processing of personal data in research.
If registered personal data turn out to contain errors, it is the person responsible for everyday running of the project (usually the project manager) who is to ensure that the necessary corrections are made as soon as possible. If there has been a failure to obtain the necessary permission to process personal data, the person responsible for everyday running of the project must ensure that the situation is corrected and that the immediate supervisor is informed. The immediate supervisor is to report the deviation on the webpage ‘si ifra’: http://www.uia.no/om-uia/si-ifra.
Anyone who is involved in processing personal data on behalf of the University of Agder, must, as soon as there is suspicion that personal data has been misplaced, notify his/her immediate supervisor. For students, this is their academic supervisor. The immediate supervisor is responsible for notifying the ICT Department and the Division of Research Management. The notification is registered on the webpage ‘si ifra’: http://www.uia.no/om-uia/si-ifra
The ICT Department will ensure that damage-limiting measures are implemented and will, in cooperation with the current Faculty, ensure that the standard procedure for dealing with misplaced personal data is followed. The Division of Research Management will assess the incident and, if needed, contact the NSD or The Norwegian Data Protection Authority.
Standard procedure regarding incidents involving misplaced personal data:
This procedure applies to everyone who is processing personal data on behalf of the University of Agder. When a deviation has been revealed, the follow-up is to be logged consecutively and the case dealt with according to the procedure described below. Responsibilities are indicated in parenthesis:
With its function as data protection official for UiA, it is the responsibility of NSD to ensure that projects are completed as set out in the submitted notification. If NSD does not receive a notification from the project manager confirming that the project is completed, NSD leaves the responsibility for further follow-up to UiA. Follow-up should be conducted as follows:
According to the Personal Data Act, section 14, the University Director should establish and maintain planned and systematic measures with the purpose of fulfilling the requirements of the act. These measures must be documented. The University Director is responsible for internal control at UiA. The Division of Research Management will, on behalf of the University Director, ensure that internal control of processing of personal data is implemented at the institution. The Faculty Directors are responsible for implementing internal control at their own faculties. The internal control must be based on annual risk assessments and will be changed according to needs.
Responsible for this page: firstname.lastname@example.org
Personal data is information and assessments that may be linked to individuals: