Standard Terms and Data Processing Responsibilities

Here you will find information on the standard terms for using PraksisNett, as well as clarification of roles and responsibilities related to the processing of personal data in research projects.

1. Purpose and roles

These terms describe how personal data shall be processed when a General Practitioner practice (“GP Practice”) carries out an assignment in a research project facilitated through PraksisNett.

Commissioning Institution (data controller):
The institution responsible for and conducting the research project (e.g. a university, hospital trust, or research institution).

GP Practice (data processor):
The GP Practice that carries out the specific assignment under agreement with the Commissioning Institution.

PraksisNett:
Facilitates contact between the Commissioning Institution and the GP Practice.
PraksisNett is neither the data controller nor the data processor in the project.

The GP Practice accepts these terms upon accepting an assignment in a project.

2. Nature of the assignment

The GP Practice processes personal data only to the extent necessary to carry out the assignment, which may include:

  • identifying patients who may be eligible participants
  • communicating project information to patients
  • obtaining participant consent where required
  • carrying out simple registrations or completing forms as described in the assignment

The assignment does not involve the GP Practice storing, analysing, structuring, or maintaining research data beyond the limited processing described above.

3. Obligations of the Commissioning Institution

The Commissioning Institution shall:

  1. ensure that all processing is lawful, including having a legal basis and necessary approvals
  2. provide the GP Practice with clear, written instructions on which data to process and how
  3. provide necessary information to participants, including information sheets and consent requirements
  4. give the GP Practice access to necessary systems, forms, or procedures if the project requires registration in specific tools
  5. ensure information security in its own systems, including tools for data collection
  6. receive and handle requests from participants regarding access, rectification, erasure, etc.
  7. receive incident reports from the GP Practice and carry out necessary follow‑up
  8. be responsible for deletion or anonymisation in its own systems at the end of the project

The Commissioning Institution shall not require the GP Practice to carry out processing beyond ordinary clinical activities or the scope of the assignment.

4. Obligations of the GP Practice

The GP Practice shall:

  • process personal data only in accordance with the Commissioning Institution’s documented instructions
  • ensure that only authorised staff have access
  • comply with applicable requirements under the Norwegian Health Personnel Act, the Norwegian Patient Records Act, applicable ICT and information security regulations, and the Code of Conduct for Information Security and Data Protection in the Health Care Sector (“Normen”)
  • not enter research data into the medical record unless necessary for healthcare
  • not store research data locally beyond what is necessary to carry out the assignment
  • not use sub‑processors
  • notify the Commissioning Institution of incidents, errors, irregularities or personal data breaches
  • forward participant inquiries to the Commissioning Institution

5. Systems and use of internal GP Practice solutions

The GP Practice uses its own medical record systems and internal procedures to identify and contact patients, but:

  • research data must not be stored in the medical record system unless necessary for healthcare
  • research data must only be registered in the tools specified by the Commissioning Institution
  • the GP Practice must not retain copies of research data after the assignment is completed

6. Personal data breaches, incidents and participant inquiries

The GP Practice must notify the Commissioning Institution without undue delay if any of the following occurs:

  • a personal data breach or suspected personal data breach
  • errors, incidents or irregularities in the processing
  • inquiries from participants regarding their rights under the data protection regulations

The Commissioning Institution is responsible for further handling in relation to participants and the Norwegian Data Protection Authority (Datatilsynet).

7. Deletion upon completion

When the assignment is completed, the GP Practice shall:

  • delete temporary notes and any locally stored personal data related to the project
  • not retain research data
  • confirm deletion if requested by the Commissioning Institution

The Commissioning Institution is responsible for deletion or anonymisation within its own systems and research tools.

8. Allocation of responsibilities

The Commissioning Institution has overall responsibility for ensuring that personal data processing complies with applicable legislation.
The GP Practice is responsible for secure and proper processing of data in accordance with these terms and the Commissioning Institution’s instructions.
PraksisNett only facilitates contact and is not a party to the data processing relationship.

9. Acceptance of terms

By using PraksisNett to establish and carry out a research assignment, the Commissioning Institution and the GP Practice are deemed to have accepted, and are legally bound by, these data processing terms for the personal data processing carried out as part of the assignment.

 

Last updated: 29.06.2026