Are you wondering how to store data and your thesis safely? Are you a bachelor's student considering processing personal data in your thesis? Or are you a master's student wondering about rules for processing personal data? Did you know that there are good alternatives, such as collecting and treating information anonymously? These are the UiS guidelines for processing personal data in student projects.
What are personal data?
Personal data is any type of information and assessment that can be linked to an identified or identifiable physical person.
Personal data includes:
- name, address, age, phone number, email address and social security number.
- Information about habits and behaviour (shopping habits, online searches, where you physically move throughout the day).
- Images, audio and video recordings where individuals can be recognized.
Information are considered personal data regardless of whether they are text, images, audio or video recordings.
What are sensitive (special categories) of personal data?
These categories are regarded as sensitive (special categories):
- health information, genetic information and health-related conditions.
- biometric information for the purpose of identifying someone.
- ethnic origin. political, philosophical or religious beliefs.
- sexual orientation or sexual relations.
- that a person has been suspected, accused, charged or convicted of a criminal offense.
- union membership.
Examples of sensitive data:
- information about students' illness or diagnosis.
- information about cheating or attempts to cheat.
- need for accommodations for exams due to health reasons.
- information about attitudes towards various religious or political issues provided by participants in a survey.
Processing of personal data:
Collection, registration, storage, compilation, use, transfer, publication and deletion.
All personal data must be stored securely and in a secure location. Special categories of personal data must be particularly well protected (see more information about secure storage further down on the page).
Processing of personal data must follow current guidelines and regulations (both at UiS and nationally). All processing of personal data must be reported to NSD (now part of Sikt). Reporting to NSD should always be done in consultation with your supervisor.
How to conduct a project anonymously?
There are many ways to process personal data in order to conduct a project anonymously. If so, you do not need to consider rules that apply to the processing of personal data.
This is how to process data anonymously:
- Interview and observation - take notes only (no audio recordings).
- Do not record names or background information that can identify anyone.
- Online surveys must use anonymous solutions (without email /IP address linked to the survey). The survey must be without information that can identify anyone.
- NOTE! Most online surveys record email / IP address. In that case, the project must be reported to SIKT, even if only the survey provider has access to the information. It is possible to use Nettskjema for anonymous surveys (NOR).
- Register data can be used without reporting to NSD/Sikt when only anonymous data is used: There are a number of anonymous register data available online, for example at SSB.
- Write your thesis based on a literature review.
Data must not be traceable back to individual people, either directly, indirectly, or through email/IP address or linking key.
Contact your supervisor if you have any questions about anonymization or wish to conduct your project with anonymous information.
Information security and secure data storage
What type of data will you be handling? How can they be stored securely?
For most students, tools such as Nettskjema, UiS OneDrive account, and the Office suite (with UiS account) will be sufficient tools during their studies:
- Use Nettskjema for data collection and audio recording (including red data)
- Use the Office package (with your UiS account) for data processing
- Use OneDrive UiS account for storage - this gives you cloud backup
Here is more information on how to classify your data correctly (how sensitive the information is).
If you want to use other tools such as SPSS or Nvivo, you can find more information in the UiS storage guide.
If you collect red data (such as health information) in Nettskjema, either through audio recordings or surveys, it is important that you de-identify the data when you export or transcribe from Nettskjema. The same goes for if your audio recording contains red data that you do not need for your research - you should not export such data out of Nettskjema.
Find more information on de-identification below, under "definitions, questions and answers.
Tools and equipment
Mobile phones/tablets cannot be used to make audio recordings directly, but it is possible to use the "Nettskjema-Diktafon" app for audio recording. Both video and audio recordings are considered personal data.
If it is not possible to conduct an interview in person, it is possible to use Zoom (remember the security settings).
Approved use
All computers that will be used in the processing of personal information should be protected as best as possible (with relevant security mechanisms).
- Antivirus program
- Enabled firewall
- Enabled security updates
- Use strong passwords for both devices and systems used
You are responsible for evaluating the need for a backup of your data and ensuring that the backup is stored in accordance with the UiS classification and storage guidelines.
When you process the data, you must also be aware to keep outsiders from physically seeing what is on your screen.
When using a laptop and external storage devices (memory sticks, external hard drives, audio recorders, cameras, etc.), storage and transport of the equipment should be done in a way that minimizes the risk of theft and damage.
You should use your UiS email address for communication/correspondence in the student and research project (private email address should not be used).
Where and how can you get more information?
Do you have any more questions about data storage and secure storage, or about the use of personal information in your assignment?
Information security:
- Read the information linked in the fields above or Contact IT-help.
Privacy:
- Contact your supervisor after reading through this site. Have a dialogue - ask when in doubt!
- Sikt (of which NSD is a part of) answers questions about registration forms for processing of personal data.
- Supervisors and researchers at UiS who have questions can contact the privacy contact at their faculty.
- UiS data protection officer (DPO) Rolf Jegervatn.
We recommend that bachelor students write their thesis without processing personal data.
The exception is when the thesis is written as part of "Joint assessment of bachelor's project".
Contact your supervisor for more information.
Remember!
Your supervisor is always the project manager for student projects at a lower level than a doctorate.
When projects are part of a "Joint assessment of bachelor's project", the one responsible for the joint form (course coordinator etc.) is the project manager.
Have there been deviations or errors in the processing of research data or personal data? The student and/or your supervisor are responsible for reporting any deviations immediately. As a student, you should also notify your supervisor.
Deviations can be reported here:
Data privacy deviations
Information security deviations
Additional information and guidelines
This information applies to everyone who will process personal data in their student project.
The information primarily applies to master's students, but it also applies to bachelor's students who send an individual registration form to NSD/Sikt for processing personal data.
If you are going to process personal data in the student thesis, it is important to follow these guidelines and remember that:
- The supervisor is always the project manager for student projects at a lower level than a doctorate. Processing of personal data in student projects must always take place in consultation with your supervisor.
- The project must be reported to NSD/Sikt if you are to collect or process personal data at any point in the project, even if the data is de-identified (pseudonymized) or anonymized in the assignment.
- You must be out in good time! You cannot start processing personal data until there is a final response from NSD. It can take around 30 days before NSD gives you feedback.
- Reporting to NSD must only be done in agreement with the supervisor, and the form you fill out must always be shared with the supervisor.
- You must use your UiS student e-mail address in the message form to NSD, and in all communication in your project (also with informants and respondents). It is not allowed to use a private email address for this.
- When reporting to NSD, you get an assessment that the project is in line with the legislation. In the worst case, lack of registration can lead to the data material having to be deleted. The supervisor is responsible for ensuring that students are made familiar with UiS' routines, guidelines and overall regulations in information security and the processing of personal data.
- You are responsible for safeguarding the privacy of participants in research projects (respondents/informants) when personal data about them is processed, and answering inquiries from respondents or informants in the project about how their privacy rights are safeguarded in the project.
- Remember to obtain consent. There are separate rules for collecting personal data from children and young people, see rules for this on the Norwegian Data Protection Authority's website (NOR).
Also, be aware that:
- All feedback from NSD/Sikt must be followed up - personal data cannot be processed until there is a final feedback/clear signal from NSD. This will be confirmed in writing to your supervisor.
- Send a message/feedback to NSD/Sikt at the end of the project/handing in the assignment, with confirmation that all data has been deleted/anonymized. This must be done before submitting the finished assignment, and confirmed in writing to your supervisor.
- If there is a connection key that connects data and name/other identifying information, this is personal data, even if the student/research group does not have access to the connection key.
- UiS is required by law to document all processing of personal data. This is fulfilled through registration.
- All students who are going to process personal data must read information about this on NSD's websites.
Medical and healthcare research projects
Is your project going to acquire new knowledge about health and disease? Such projects are considered health research. In that case, both the Personal Data Protection Act and the Health Research Act apply.
This information primarily applies to master's students. But it also applies to bachelor students who send individual message forms.
The Health Research Act (NOR) applies to medical and healthcare research on people, human biological material or health information (including pilot studies and experimental treatment).
Medical and healthcare research projects must also be approved in advance by REK (Regional Committees for Medical and Healthcare Research Ethics).
You can find more information about the types of research projects that may need to be pre-approved by REK here (NOR). To get an assessment of whether your project needs approval, you can submit a preliminary assessment form (REK makes a preliminary assessment of whether they have to process the project).
If REK determines that a project requires full application processing and approval, a project application must be submitted to REK. The project application should be submitted by an applicant with a doctoral degree, preferably an employee at UiS. For clarification on who should submit the project application, please contact your supervisor. It’s important to note that students are not authorized to submit project applications to REK; they can only submit preliminary assessments.
NOTE! It can take up to three months before REK pre-approves the project. Authorization must be in place before you can start collecting information.
Definitions, questions and answers
Here you will find some definitions, and common questions and answers.
Definitions
De-identified (pseudonymised) personal data
Information is de-identified if the name, social security number or other personal characteristics have been replaced with a number, a code, fictitious names or the like, which refers to a separate list with the direct personal information (connection key).
Indirect personally identifying information must also be categorized into broad categories or removed for the data material to be considered de-identified. Broad categories mean, for example, parts of the country instead of specified municipalities or cities, age intervals (10-19 years, 20-29 years, etc.) rather than precise ages and the like. The only way to identify individuals in a de-identified data material is through a name list or a connection key.
Please note that de-identified information is considered personal data regardless of who stores the name list/connection key and how it is stored.
Connection key
A connection key is a list of names or file that makes it possible to identify individuals in a data set. Creating a connection key involves replacing a name, social security number, e-mail address or other personally identifiable characteristics in a data set with a code, a number, a fictitious name or the like, which refers to a separate list where each code refers to a name. The link key must be kept separately from the data material itself to ensure that outsiders do not gain access to the link between name and code.
Questions and answers (Q&A)
| NSD requests guidelines from UiS for the processing of personal data in student projects. What should I send? | Share the link to this page. |
| Who is the data protection officer (DPO) at UiS? | DPO at UiS is Rolf Jegervatn |
| Can I use a digital voice recorder or record an interview on my mobile phone? | No, use Nettskjema's dictaphone app - then you better safeguard the informant's safety. |
| Can iCloud be a data processor in the project? | No, UiS does not have a data processing agreement with iCloud. |
| Can I use SurveyMonkey or Google Forms to conduct a survey? | No, use Nettskjema or find an approved tool in the UiS storage guide |
Guidelines for the Processing of Personal Data in Regular Teaching Subjects at UiS (Exception Clause)
Main Rule
As a main rule, students are not allowed to collect and process personal data as part of or in regular teaching subjects (such as assignments, term papers, exam tasks, etc.).
Exception, only with a written digitally signed agreement between the course instructor and relevant students:
Exceptionally, students may be allowed to collect and process personal data as part of or in regular teaching subjects when it has been explicitly clarified with the course instructor beforehand. The collection and processing of personal data must be academically strictly necessary. The exception applies up to and including yellow data, i.e., only ordinary personal data, (see EU General Data Protection Regulation (GDPR), Chapter 1, Article 4 for definitions). A separate agreement must be signed between the course instructor and relevant students associated with each individual project in the respective course before the collection of personal data commences. The collection must be in accordance with the Personal Data Act and GDPR.
If personal data is to be collected and processed in teaching projects, the course instructor must ensure that the agreement includes a description of why it is necessary to collect personal data, a description of the legal basis for processing, purpose, specification of which personal data will be collected, the information provided to the data subject, how personal data will be secured (storage, access control, anonymization), as well as information about deletion afterwards, etc. The course instructor is responsible for ensuring that all fields in the agreement are correctly filled out, that the agreement is digitally signed, and that it is sent to the faculty for archiving. Please contact the course instructor if you have questions related to this.
No exception is granted for, or permission given to collect or process red or black data (sensitive/special categories of personal data) as part of teaching in regular teaching subjects (according to GDPR, Article 9).
Guidance at NSD (website):
Notification Form for personal data (sikt.no)
Information about filling in the registration form (e-course at NSD/Sikt):
Is there something you are missing, or that you think could be improved, on our information security and privacy pages? Click here to provide feedback
NB! Remember to attach a link to which page this applies to.
