Privacy considerations are central to research ethics and are recognized as a fundamental human right. In today's digital society, upholding privacy in all research activities is essential to ensure that individual rights and freedoms are protected.
Read the European Commission’s Guide on Ethics and Data Protection (external link)
In all research projects, privacy protection requires that researchers inform participants about how their personal data will be processed. Institutions handling personal data must also ensure adequate protection of the data, avoid unnecessary data collection and limit retention periods. This means you should only collect what you need to achieve the purpose of your project, and that you should not keep the data longer than necessary.
Extra caution is required when research involves special categories of personal data, also called sensitive data, profiling and automated decision-making, big data analysis, and artificial intelligence. Such processing may pose higher risks to individual rights and freedoms. These concerns are reflected in the EU’s General Data Protection Regulation (GDPR), which provides a legal framework for handling personal data in the context of emerging technologies.
GDPR
Legal basis for processing personal data in research
General personal data
All processing of personal data requires a legal basis under the General Data Protection Regulation Article 6. This also applies to medical and health research. The requirement for a legal basis means that at least one of the conditions under the General Data Protection Regulation Article 6 no. 1 must be met.
Processing of personal data in connection with scientific research or educational purposes is considered a task in the public interest. The legal basis in Article 6 will therefore, as a general rule, be Article 6 no. 1 letter e):
- "processing is necessary for the performance of a task carried out in the public interest".
For processing of personal data in the public interest, a supplementary legal basis is also required in national legislation (law, regulation or a decision made pursuant to law or regulation). The supplementary legal basis is:
- The Personal Data Act § 8, which stipulates that general personal data may be processed on the basis of the General Data Protection Regulation Article 6 no. 1 letter e) if it is necessary for purposes related to scientific research, and provided that the processing is covered by necessary guarantees in accordance with the General Data Protection Regulation Article 89 no. 1.
Special categories of personal data
For processing of special categories of personal data, one of the conditions in Article 9 no. 2 must also be fulfilled. Special categories of personal data include health information, information on ethnic origin, sexual relations or other sensitive personal data.
For scientific research purposes, the legal basis will, as a general rule, be Article 9 no. 2 letter j):
- "processing is necessary for scientific or historical research purposes or statistical purposes"
The processing must be in accordance with Article 89 no. 1 and in accordance with national legislation:
- According to the Personal Data Act § 9, special personal data may be processed without the consent of the data subject, if the processing is necessary for scientific research purposes and society's interest in the processing taking place clearly outweighs the disadvantages for the data subject. The processing shall be covered by necessary guarantees in accordance with Article 89 no. 1. Before the processing takes place, the controller has a duty to consult with the data protection officer. During the consultation, it shall be assessed whether the processing fulfils the requirements of the General Data Protection Regulation and other provisions established in the Personal Data Act or pursuant to the Personal Data Act. The specific consultation duty in the Personal Data Act § 9 does not apply if a data protection impact assessment (DPIA) has already been carried out.
- According to the Personal Data Act § 10, a similar consultation duty with the data protection officer applies when special personal data are processed for research purposes on the basis of the data subject's consent.
- There is an exception from the consultation duty for medical and health research, cf. the Health Research Act § 33 third paragraph. However, there is still a duty to involve and consult with the data protection officer if the research is covered by the requirement for a data protection impact assessment (DPIA).
Supplementary legal basis for non-consent-based processing of information covered by statutory confidentiality
Health legislation provides the necessary supplementary legal basis for non-consent-based processing of health information in research. The Regional Committee for Medical and Health Research Ethics' (REC) decision on dispensation from healthcare professionals' confidentiality will constitute the supplementary legal basis according to GDPR Article 6 and Article 9.
Personal data on criminal convictions and offences
According to the Personal Data Act § 11, a similar consultation duty with the data protection officer applies under the Personal Data Act § 9 when personal data on criminal convictions and offences are to be processed for research purposes.
If the processing is to take place without consent, the same applies as for special categories of personal data, i.e., that society's interest in the processing taking place clearly outweighs the disadvantages for the individual. In this balancing of interests, it shall be emphasised that the processing takes place without the data subject's consent. The assessment must be documented.
The significance of consent
According to the research ethical principles, consent is the main rule for research on information that can be linked to individuals. According to point 33 in the preamble to the General Data Protection Regulation, research participants should be able to give consent to certain areas within scientific research when this is in accordance with recognised ethical standards for scientific research. Research participants should have the opportunity to give their consent only to certain research areas or parts of the research project to the extent that the intended purpose allows it. See further about information to research participants and consent in the Routine for obtaining consent and information to research participants.
That the research is based on voluntary participation is a guarantee that the research takes place in accordance with research ethical principles, and constitutes such a necessary guarantee as mentioned in GDPR Article 89 no. 1.
The researcher has a duty to ensure that the consent is informed, voluntarily given and revocable, in accordance with the research ethical guidelines.
Consent to participation, however, is not the same as consent constituting the legal basis for processing personal data, when the processing is necessary to carry out a task in the public interest.
Medical and health research – requirements of ethical pre-approval
Medical and health research must have ethical pre-approval from Regional committees for medical and health research ethics (REK).
Exception from consultation duty with data protection officer for medical and health research
Medical and health research is exempt from the consultation duty in the Personal Data Act § 10, cf. the Health Research Act § 33 third paragraph, but may be covered by the requirement for DPIA which applies to non-consent-based processing of personal data in research.
Data protection impact assessment (DPIA) in research
When planning any processing of personal data for research purposes, it should be assessed whether there is a requirement to carry out a data protection impact assessment, in accordance with the requirements in GDPR Article 35. A data protection impact assessment shall be carried out when it is likely that the processing will result in a high risk to the rights and freedoms of the data subjects, particularly when using new technology, and taking into account the nature, scope, purpose and context in which it is carried out. An assessment may cover several similar processing activities that involve correspondingly high risks.
The Norwegian Data Protection Authority has the power to determine that certain processing activities shall be covered by the requirement for DPIA, and has determined that there is a requirement to carry out a data protection impact assessment for non-consent-based processing of special categories of personal data for purposes related to scientific research.
Data protection impact assessment may be necessary for individual projects and for processing that has general research purposes, for example the establishment of registers for research purposes.
If the research project is covered by the requirement for DPIA, it should be clarified with the institution's data protection officer whether a data protection impact assessment should be carried out. The data protection officer shall be involved and can, among other things, assist in assessing whether privacy concerns are adequately addressed. Where Sikt assists with the data protection impact assessment, Sikt can likewise help assess whether privacy concerns are adequately addressed. It is always the controller who is responsible for carrying out the data protection impact assessment.
In the case of continued high risk, the Data Protection Authority shall be contacted for prior assessment. Before prior assessment begins, controllers shall first consider whether additional measures can be implemented to reduce the privacy risk for the data subjects.