Procedures for research that processes personal data at UiB

The project manager has to assess the purpose of the project, and decide which procedures apply based on the decided purpose. 

The project leader must assess whether the project involves medical and health research and falls under the Health Research Act. Research on humans and health data aimed at generating new knowledge about health and disease requires ethical pre-approval from REK. If you are unsure whether your project falls under the Health Research Act, you can request an assessment from REK.

Read more about pre-approval from REK on rekportalen.no

The project manager needs to know about the current research ethics guidelines that apply to the subject area of the project. 

Read the guidelines on forskningsetikk.no

The general rule is that research involving humans must be based on free, informed, and revocable consent to participation. The project manager must assess whether the project's purpose may require an exception to the general rule of consent. If specific consent from participants cannot or should not be obtained, this must be justified based on the research purpose and scientific methods.

• If an exception to the consent requirement involves access to health data, an exemption from healthcare professionals' duty of confidentiality must be applied for, in accordance with the Health Personnel Act § 29.
• If an exception to the consent requirement involves other information covered by administrative confidentiality, permission must be sought from the relevant administrative authority to access the data.

The project manager must ensure that the fundamental principles for processing personal data are upheld. This includes ensuring that the processing has a legal basis under the GDPR and is conducted with transparency and fairness toward research participants.

The legal basis for processing personal data necessary for scientific research purposes is usually of the GDPR. A supplementary legal basis in national legislation is Section 8 of the Norwegian Personal Data Act, which allows processing for scientific research purposes.

The processing of special categories of (sensitive) personal data must meet one of the conditions in Article 9 of the GDPR. For scientific research, this is typically Article 9(2)(j).

Additionally, the project manager must ensure that the research project includes necessary safeguards to protect participants' integrity and well-being, as outlined in Article 89(1) of the GDPR. This includes ensuring that:

• The project is conducted in accordance with recognized research ethics norms and guidelines, with participation generally based on voluntary consent.
• Technical and organizational measures are in place, particularly to uphold the principle of data minimization, including pseudonymization where applicable.
• Information security is maintained, ensuring the secure handling, storage, and sharing of personal data.

The project manager needs to register the research project in RETTE and make sure that the information is updated and correct at all times. 

Register your project in RETTE

Research and student projects where general personal data is processed, health research projects, and projects where a Data Protection Impact Assessment (DPIA) has already been carried out, are registered directly in RETTE.

Officer Processing of special categories of personal data for purposes related to scientific research, has a duty to consult with the Data Protection Officer. The duty to consult also applies when processing information about criminal convictions and offenses. The duty to consult can be fulfilled by the researcher contacting Sikt to seek advice on the processing of personal data.

The privacy services from Sikt do not include assessment of research ethical issues, including methodology, soundness, basis for participation in the research, including information letters and consent forms, as this falls under the university's responsibility according to the Research Ethics Act.

Exempt from the specific duty to consult for scientific research are also research projects carried out as a result of statutory tasks, including quality assurance and quality development projects. Nevertheless, it may be appropriate to conduct a Data Protection Impact Assessment for this type of project and involve the institution's Data Protection Officer in the assessment.

The project manager shall assess whether a project that processes ordinary personal data in connection with scientific research, and is exempt from the duty to consult, should nevertheless consult with the Data Protection Officer, or whether a Data Protection Impact Assessment (DPIA) should be conducted. This may be particularly relevant where the project processes information about vulnerable groups, such as children and other persons with reduced competence to consent to participation.

As a part of planning the research project, the project manager needs to assess if a Data Protection Impact Assessment (DPIA) is required. In this assessment, the project manager shall seek advice from the Data Protection Officer of their department at the university. The Data Protection Officer should also take part in the DPIA. 

We use Draftit as a solution for conducting DPIAs at UiB. You will receive an e-mail with information about how you can log in. 

The project manager needs to assess the need for different agreements with collaborating researchers or institutions, for example:

• agreement with project collaborators without employment at UiB, if they need access to university systems or software
• agreements about data sharing in the project
• agreements about data transfer to other countries

• The supervisor must always be the project manager for student assignments.
• The student must clarify the content and purpose of their project with their supervisor regarding choice of methodology, research ethics, and protection of participants' integrity.
• Students shall follow the project manager's guidance and instructions, sign any confidentiality agreement, and complete necessary training in information security.
• Student assignments where personal data is processed must be registered in the institution's overview of student and research projects, RETTE. In RETTE, the student has the role of project owner and the supervisor who is employed at UiB has the role of project manager.
• For student assignments carried out in collaboration with another institution, e.g., health services or the school system, the student's tasks must be clarified with the project manager and collaborating organization.
• Student projects defined as quality assurance projects in healthcare follow the cooperating institution's provisions for implementing quality assurance projects.
• The project manager shall ensure that general procedures for initiating and implementing research projects are followed as appropriate.

The project manager has many responsibilities in the start of research projects processing personal data. 

The project manager needs to assess which permits the project needs before the processing of personal data can begin.

Take the survey in RETTE to see which permits your project needs

The project leader must independently assess the feasibility of the project in accordance with recognized research ethics norms and guidelines.

Read the recognized research ethics guidelines at forskningsetikk.no.

The project manager must ensure that fundamental principles for research involving humans and personal data are upheld, including:

• Legality
• Duty to inform
• Consent to participation

The project manager must assess whether a Data Protection Impact Assessment (DPIA) is necessary.

Read more about Data Protection Impact Assessments.

The project leader must fulfill any consultation requirements with the Data Protection Officer. For projects requiring consultation, UiB’s Data Protection Officer can assist in the assessment. Use UiBhjelp for inquiries. Health research projects are exempt from the consultation requirement unless they require a DPIA.

Read more about the consultation requirement with the Data Protection Officer.

The project manager must keep the data controller informed about the project by registering it in RETTE and ensuring that the information is up-to-date and accurate. Research projects that do not require consultation are registered directly in RETTE. Research and student projects approved by REK are imported directly into RETTE.

The project manager must ensure that necessary agreements with collaborators are established, regulating researchers’ rights, duties, and responsibilities toward research participants.

In health research projects, the project manager has some tasks in addition to the general guidelines. The project manager's tasks in health research projects also include:

The project leader shall ensure necessary pre-approval from REK (Regional Committees for Medical and Health Research Ethics).

Read more about pre-approval from REK at rekportalen.no

The project manager shall prepare a research protocol and attach necessary documentation, including cooperation agreements and information to research participants.

Read more about privacy in medical and health research

For genetic research projects that have diagnostic or treatment consequences for the participant or where information about the individual can be traced back to the person, the project manager must ensure that there is approval for the disease to be investigated.

The project manager shall keep the research responsible informed about the processing of personal data in the project by completing registration of the project in RETTE and keeping the information updated and correct.

Read more about project registration in RETTE

Research on health information (registry studies)

For research on health information (registry studies), the data controller must be asked for access to the data and, if necessary, exemption from confidentiality.

Clinical studies

For clinical trials of medicines, approval must be sought from the Directorate for Medical Products (DMP). DMP is the supervisory authority for clinical trials of medical equipment. This can be done in parallel with the application to REK.

Read more about application for clinical trials of medicines at the Directorate for Medical Products

Research collaboration with other organizations

If the project is to be carried out in collaboration with other organizations, the project leader shall ensure that necessary agreements are in place. Cooperation agreements must be signed by a representative of the research responsible organization with the authority to commit the organization.

For collaborative projects between UiB and Helse Bergen, the project leader shall:

• clarify responsibilities and tasks in the collaborative project, including which institution has the role of project owner and which are partners
• familiarize themselves with the organizations' procedures for starting research projects, including the processing of research data

Multicenter studies according to the Health Research Act

• There should only be one project manager in multicenter studies. Local project coordinators shall be appointed who have the coordinating responsibility in relation to the project leader, as well as local follow-up of the research responsible's duties.
• The project manager shall ensure that necessary agreement on multicenter study is in place.
• The project manager shall coordinate the activities in the research project and obtain pre-approval from REK and other relevant public authorities. The application should clearly state that the study is a multicenter study and which other research responsible organizations are participating in the study.
• The project manager shall inform the other research responsible organizations about the project and ensure that they have access to information necessary to fulfill their tasks in the project.
• In international multicenter studies, there shall be one Norwegian project leader for the parts that take place in Norway.

The project manager has a duty to inform project participants about how the project will collect, process and store their personal data. 

Projects based on voluntary participation

Participation in research projects, including health research projects, where personal data cannot be processed anonymously, shall as a main rule be based on consent from the participants.

The project manager shall ensure that consent is obtained and documented before data collection begins. Consent to participation must be informed, voluntary, active, explicit, and documented.

The project manager shall prepare an information letter and consent form which shall at minimum include:

• Name, address, and logo of the research responsible organization and its representative, if any
• The purpose of the research project
• That participation in the research project is voluntary
• Possible advantages and disadvantages of participating in the study (health research projects)
• Where the information is obtained from
• How the information will be handled in the study
• Whether the information will be disclosed, and who is the recipient
• Date and version number of the consent and information letter
• Other information that enables the research participant to exercise their rights, e.g., the right to request access, correction, and deletion of information

The project manager shall ensure that any conditions set by REK or other approval authorities such as Norwegian Medical Products Agency (NOMA), regarding the design and content of the information letter and consent form are met before recruitment can begin.

The project manager shall ensure that the information is adapted to the target group and that participants have the competence to consent to participate. The possibility of understanding depends on factors such as age, nature and extent of personal data, and the purpose of collection. For those under guardianship, the guardian must consent.

For research on minors under 18 years, the researcher shall, as a main rule, obtain consent from both guardians and the child themselves. In some cases, children can consent alone. In health research projects, the health-related age of majority is followed.

When including minors, age-appropriate requests must be prepared that take into account the minor's maturity and background experience When including minors in health research, under 16 years or under 18 years for physical interventions or drug trials, age-appropriate requests must be prepared that take into account the minor's maturity and background experience

The project manager shall ensure that research participants are not included in the research project before consent is documented.

Find and download REK's templates for information letters and consent at rekportalen.no

Broad consent 

In certain contexts, it is permissible to obtain broad consent, where participants consent to several different research projects provided they fall within the same defined research purpose.

Exceptions to the consent requirement

If it is impossible or disproportionately difficult to obtain research ethical consent for participation, it may still be ethically justifiable to conduct research on humans and/or personal data without specific consent from each participant. The project manager must nevertheless fulfill the responsibility to inform about the purpose of the project. The Regional Committee for Medical and Health Research Ethics (REK) approves the use of health information and human biological material in research without consent. REK determines how such information can be provided.

If exemption from confidentiality has been granted and REK has determined that information should be given to research participants, this must be done before data collection can begin.

Special forms of consent:

• In research in clinical emergency situations, consent can be obtained afterwards
• In research that cannot be carried out on persons with consent competence

Information obligation 

The project leader has a general duty to ensure that research participants are informed about the processing of their personal data. The information obligation also applies in projects where data collection takes place in a group (e.g., participant observation) and no directly identifiable personal data is collected. If and to the extent it is impossible or disproportionately difficult to provide information directly to research participants, the project leader shall ensure that information about the project is made publicly available, e.g., on a website."

The project manager needs to:

• make sure that personal data and human biological materials are treated responsibly and according to university guidelines
• make sure that the data are only available for the people working on the research project
• make sure that the data are only processed in the timeframe provided in the research protocol and during the time of the approval from REK. Keeping and processing data for longer than this, requires approval.

The processing of personal data in a research project is temporary. When finishing a research project, the personal data needs to be anonymised or deleted, unless the data needs to be kept for control or future research purposes. 

Different situations or incidents kan cause a discrepancy in a research project. Violations of The Personal Data Act, breaches in the research protocol and lack of ethical pre-approval are all examples of situations that might constitute a discrepancy.

The person who discovers the discrepancy, needs to report it. 

Discrepancies need to be reported as soon as possible after discovery. 

Report discrepancies in UiBhjelp. 

When you log in for the first time, the language might be set to Norwegian. To change the language to English, follow these steps:

1. Click the arrow next to your initials in the top right corner
2. Select "personlig profil" from the drowdown menu
3. Find the tab that says "språk" and click it
4. Use the dropdown menu to find and select English as your preferred language
5. Click "lagre endringer" to save
6. Refresh the page to apply the language settings

In UiBhjelp, select Register breach and then select Register breaches of data protection and information security and follow the steps from there.