Data privacy and secure storage in bachelor's and master's theses at UiS

What is personal data?

Personal data includes:

• name, address, age, phone number, email address and social security number.
• Information about habits and behaviour (shopping habits, online searches, where you physically move throughout the day).
• Images, audio and video recordings where individuals can be recognized.

Information is considered personal data regardless of whether they are text, images, audio or video recordings.

What are sensitive (special categories) of personal data?

These categories are regarded as sensitive (special categories):

• health information, genetic information and health-related conditions.
• biometric information for the purpose of identifying someone.
• ethnic origin. political, philosophical or religious beliefs.
• sexual orientation or sexual relations.
• that a person has been suspected, accused, charged or convicted of a criminal offense.
• union membership.

Examples of sensitive data:

• information about students' illness or diagnosis.
• information about cheating or attempts to cheat.
• need for accommodations for exams due to health reasons.
• information about attitudes towards various religious or political issues provided by participants in a survey.

Processing of personal data:

All personal data must be stored securely and in a secure location. Special categories of personal data must be particularly well protected (see more information about secure storage further down on the page).

Processing of personal data must follow current guidelines and regulations (both at UiS and nationally). All processing of personal data must be reported to SIKT Reporting to SIKT should always be done in consultation with your supervisor.

How to conduct a project anonymously?

This is how to process data anonymously:

• For nterviews and observation, you must only take notes (no audio recordings).
• Do not record names or background information that can identify anyone.
• Online surveys must use anonymous solutions (that do not collect email or IP-address linked to the survey). The survey must be without information that can identify the responder.
  • NOTE! Most online surveys record email / IP address. The project must be reported to SIKT, even if only the survey provider has access to the information. It is possible to use Nettskjema for anonymous surveys (NOR).
• Register data can be used without reporting to Sikt when anonymous datasets are used: There are a number of anonymous register data providers available online, for example SSB.
• Write your thesis based on a literature review.

Data must not be traceable back to individual people, either directly, indirectly, or through email/IP address or a connection key (a list or dataset that identifies respondents based on a pseudonym or a code).

Contact your supervisor if you have any questions about anonymization or wish to discuss anonymous data collection in your project.

Information security and data storage

For most students, the tools Nettskjema, UiS OneDrive account, and Microsoft 365 programs (with your UiS account) will be sufficient tools during their studies.

• Use Nettskjema for data collection and audio recording (including red data).
• Use the Microsoft 365 package i.e. Word, Excel (with your UiS account) for data processing.
• Use your OneDrive with your UiS account for data storage - this also gives you backup in the cloud.

Here is more information on how to classify your data correctly (i.e. determine how sensitive the information is).

If you want to use other tools such as SPSS or Nvivo, you can find more information in the UiS storage guide.

If you collect red data (such as health information) in Nettskjema, either through audio recordings or surveys, it is important that you de-identify the data when you export or transcribe from Nettskjema. The same goes for if your audio recording contains red data that you do not need for your research - you should not export such data out of Nettskjema itself.

Find more information on de-identification below, under "definitions, questions and answers."

Tools and equipment

Mobile phones/tablets cannot be used to make audio recordings directly, but it is possible to use the "Nettskjema-Diktafon" app for audio recording. Both video and audio recordings are considered personal data.

If it is not possible to conduct an interview in person, it is possible to use Teams, but remember to apply the right security settings.

Approved use

All computers that are to be used in the processing of personal data should be secured as well as possible (with relevant security mechanisms). This means that you should have:

• Installed antivirus program
• Enabled firewall
• Enabled security updates
• Strong passwords for both devices and systems used

You are responsible for evaluating the need for a backup of your data and ensuring that the backup is stored in accordance with the UiS classification and storage guidelines.

When you process the data, you must also keep outsiders from physically seeing what is on your screen.

When using a laptop and external storage devices (memory sticks, external hard drives, audio recorders, cameras, etc.), storage and transport of the equipment should be done in a way that minimizes the risk of theft and damage.

You should use your UiS email address for communications and correspondence in the project. Your private email address should not be used.

Where can you get more information?

Information security:

• Read the information linked in the fields above or Contact IT-help.

Privacy:

• Contact your supervisor after reading through this site. Ask when in doubt!
• Sikt answers questions about registration forms for processing of personal data.
• Supervisors and researchers at UiS who have questions can contact the privacy contact at their faculty or unit (intranet).
• UiS data protection officer (DPO) Rolf Jegervatn.

Medical and healthcare research projects

This information primarily applies to master's students. But it also applies to bachelor students who send individual message forms.

The Health Research Act (NOR) applies to medical and healthcare research on people, human biological material or health information (including pilot studies and experimental treatment).

Medical and healthcare research projects must be approved in advance by REK (Regional Committees for Medical and Healthcare Research Ethics).

You can find more information about the types of research projects that may need to be pre-approved by REK here (NOR). To get an assessment of whether your project needs approval, you can submit a preliminary assessment form (REK makes a preliminary assessment of whether they have to process the project).

If REK determines that a project requires full application processing and approval, a project application must be submitted to REK. The project application should be submitted by an applicant with a doctoral degree, preferably an employee at UiS. For clarification on who should submit the project application, please contact your supervisor. It’s important to note that students are not authorized to submit project applications to REK; they can only submit preliminary assessments.

NOTE! It can take up to three months before REK pre-approves the project. Authorization must be in place before you can start collecting information.

Definitions, questions and answers

Definitions

De-identified (pseudonymised) personal data

Information is de-identified if the name, social security number or other personal characteristics have been replaced with a number, a code, fictitious names or the like, which refers to a separate list with the direct personal information (connection key).

Indirect personally identifying information must also be categorized into broad categories or removed for the data material to be considered de-identified. Broad categories mean, for example, parts of the country instead of specified municipalities or cities, age intervals (10-19 years, 20-29 years, etc.) rather than precise ages and the like. The only way to identify individuals in a de-identified data material is through a name list or a connection key.

Please note that de-identified information is considered personal data regardless of who stores the name list/connection key and how it is stored.

Connection key​

A connection key is a list of names or file that makes it possible to identify individuals in a data set. Creating a connection key involves replacing a name, social security number, e-mail address or other personally identifiable characteristics in a data set with a code, a number, a fictitious name or the like, which refers to a separate list where each code refers to a name. The link key must be kept separately from the data material itself to ensure that outsiders do not gain access to the link between name and code.

Questions and answers (Q&A)

Guidelines for the Processing of Personal Data in Regular Teaching Subjects at UiS (Exception Clause)

Main Rule

As a main rule, students are not allowed to collect and process personal data as part of or in regular teaching subjects (such as assignments, term papers, exam tasks, etc.).

Exception, only with a written digitally signed agreement between the course instructor and relevant students:

Exceptionally, students may be allowed to collect and process personal data as part of or in regular teaching subjects when it has been explicitly clarified with the course instructor beforehand. The collection and processing of personal data must be academically strictly necessary. The exception applies up to and including yellow data, i.e., only ordinary personal data, (see EU General Data Protection Regulation (GDPR), Chapter 1, Article 4 for definitions). A separate agreement must be signed between the course instructor and relevant students associated with each individual project in the respective course before the collection of personal data commences. The collection must be in accordance with the Personal Data Act and GDPR.

If personal data is to be collected and processed in teaching projects, the course instructor must ensure that the agreement includes a description of why it is necessary to collect personal data, a description of the legal basis for processing, purpose, specification of which personal data will be collected, the information provided to the data subject, how personal data will be secured (storage, access control, anonymization), as well as information about deletion afterwards, etc. The course instructor is responsible for ensuring that all fields in the agreement are correctly filled out, that the agreement is digitally signed, and that it is sent to the faculty for archiving. Please contact the course instructor if you have questions related to this.

No exception is granted for, or permission given to collect or process red or black data (sensitive/special categories of personal data) as part of teaching in regular teaching subjects (according to GDPR, Article 9).