Internal control system for processing personal data in research at UiB
The internal control system consists of:
- Governing part: overall framework and goals, management system for information security and privacy (SIP) and ICT regulations and overall guidelines for processing of personal data
- Implementing part: our routines for planning, implementation, completion and control of research projects constitute the implementing part of the internal control system for research.
  Read our guidelines for data processing in research
- Controlling part: routines for follow-up and control
Legal basis for processing personal data in research
All processing of personal data must have a legal basis in the EU General Data Protection Regulation (GDPR). A legal basis is the authority for the processing. The legal basis for processing personal data in connection with scientific research conducted by UiB will, as a general rule, be that the processing is necessary for the performance of a task carried out in the public interest (General Data Protection Regulation Article 6 no. 1 e). This provision requires reference to a supplementary legal basis in national provisions, cf. General Data Protection Regulation Article 6 no. 3.
Read the entire Personal Data Act on lovdata.no
The supplementary legal basis for processing personal data for purposes related to scientific research is the Personal Data Act § 8. According to the Personal Data Act § 8, personal data may be processed on the basis of the General Data Protection Regulation Article 6 no. 1 letter e) if it is necessary for purposes related to scientific research. The processing shall be covered by necessary guarantees in accordance with the General Data Protection Regulation Article 89 no. 1.
Duty to consult in scientific research processing special categories of personal data
Processing of special categories of (sensitive) personal data for purposes related to scientific research is subject to a duty to consult the data protection officer, cf. Personal Data Act §§ 9 and 10. Before the processing of personal data begins, the researcher shall consult with UiB's data protection officer or privacy advisor at Sikt.
During the consultation, it shall be assessed whether the processing will fulfill the requirements of the General Data Protection Regulation and other provisions established in or pursuant to the Personal Data Act. It is a condition that the processing of personal data for scientific research purposes is covered by necessary guarantees to ensure the rights and freedoms of the data subject, cf. General Data Protection Regulation Article 89 no. 1, including that technical and organisational measures have been implemented, in particular to ensure that the principle of data minimization is observed. The aforementioned measures may include pseudonymization, provided that the purpose of the research can be fulfilled in this way.
The consultation duty is considered fulfilled upon completed assessment by UiB's data protection officer or Sikt. Projects on which the institution's data protection officer is consulted are registered directly in RETTE. After completed assessment by Sikt, information about the project is transferred to RETTE.
It is a fundamental condition that the research is conducted in accordance with recognised research ethical norms. Assessment of whether the project is in line with research ethical norms and guidelines, including whether conditions for participation in the research are met, falls outside the assessment with the data protection officer or privacy advisor, as such assessment falls under the research responsible's duties according to the Research Ethics Act.
Exceptions from the duty to consult
- if a data protection impact assessment (DPIA) has already been carried out for the project, cf. Personal Data Act § 9, 2nd paragraph
- if a data protection impact assessment has been carried out covering several similar processing activities that involve corresponding risk, and the project is considered to be such a similar processing, cf. GDPR Article 35 (1). It must be documented in RETTE which data protection impact assessment the project is connected to.
- medical and health research that has approval from REC, cf. Health Research Act § 33, 3rd paragraph
If the researcher is to collect data in countries outside the EEA, the consultation duty applies in the same way as for data collection in Norway.