If you as a student are going to write a bachelor's or master's thesis and need to use personal information and/or health-related information as part of the work, you must be aware that several requirements and expectations must be met before you start.
The most important thing you need to do is consult with your supervisor (veileder) before planning and starting up the data collection. The student and supervisor must together ensure that research data is managed in a planned and documented manner at the start of the project. Personal data must always be processed in accordance with laws and regulations.
Student research projects that process personal data must be reported to NSD: Norwegian Center for Research Data. NSD provides privacy services for UiS. The project must be reported to NSD no later than 30 days before the data collection is to start. Medical and health-related research projects must also be reported to NSD; this can be done in parallel with the application for ethical prior approval with the Regional Committees for Medical and Health Research Ethics (REK). Do not start the project until you have received acceptance from NSD (and approval from REK for medical and health-related research projects).
Requirements for processing personal data in student projects
The requirements for processing personal data in student projects correspond to the requirements that apply to researchers / PhD candidates at UiS. In addition, the following applies to student projects:
- All students processing personal data in student assignments are obliged to read information about this on NSD's website, and to investigate whether the project must be reported to NSD.
- Bachelor students are recommended to carry out student projects without processing personal data, with the exception of joint registration of projects, or as part of a researcher-led project. It is recommended to use anonymous register data or journal data, or other anonymized data. If the student and supervisor wish to carry out student projects with the processing of personal data, NSD's guide "How to carry out a project without processing personal data?" must be reviewed before the final decision.
- The student can only submit a notification form to NSD in consultation with the supervisor, and share the form with the supervisor. All dialogue with NSD shall take place in consultation with the supervisor. The student is responsible for following up all feedback from NSD and shall not start processing personal data until there is permission from NSD.
- The student must send a message / feedback to NSD at the end of the project, and confirm that all data has been deleted / anonymized. All steps in the process are confirmed in writing to the supervisor.
If you have questions related to NSD's notification form, contact the supervisor or NSD: Telephone (10–12): +47 55 58 21 17 (press 1). E-mail: firstname.lastname@example.org.
Your responsibility for privacy covers all phases of a research project:
The planning or start-up phase is the part of the research project that extends from the preparation of the project sketch until the data collection process begins.
In this phase, you are responsible for the following tasks:
- In the initial phase, it is especially important to decide what type of data you are going to collect and carefully consider whether there is a need to collect personal information. This is done in consultation with your supervisor.
- If you are to collect and process personal information, you must make an overview of the types of personal information you are to collect, and together with the supervisor check whether the research project must be reported to NSD, and possibly REK if it concerns health information. You must allow plenty of time in advance because data collection cannot start until you have received an assessment from NSD, and a response from REK if applicable to your project.
- You should set up a Data Management Plan (DMP) that describes how data will be handled during the project period and after the project is completed. You can, together with the supervisor, assess whether it is necessary to use a Data Management Plan (DMP) tool for the project. It is highly recommended, as the Data Management Plan helps organize the process. UiS recommends using NSD's template for Data Management Plan.
- UiS has published a Classification- and Data Storage guide to facilitate defining what type of data you are handling and how this data can be securely stored.
- If the project is subject to notification, you must, together with your supervisor, submit the project to NSD. Your supervisor is responsible for the notification form, and the form must be shared with your supervisor on "my page" at NSD. As an appendix to the notification form, information letters to respondents / informants and consent forms must usually be prepared. Medical and health research projects can apply to NSD in parallel with an application for ethical prior approval with regional ethics committees (REK).
- You are responsible for securing your data and ensuring that technical solutions for the collection, storage, transfer and analysis of research data (personal data) are in line with the guidelines at UiS, see below under information security.
- You are responsible for safeguarding the privacy of participants in research projects (respondents and informants) when processing personal data about them.
The execution phase is the part of the project that includes data collection and analysis of collected data (personal data).
In this phase you are responsible for:
- responding to inquiries from respondents or informants in the project about how their privacy rights are safeguarded in the project.
- ensuring proper deletion of research data / personal data if respondents or informants withdraw their consent to participate in the project.
- checking that personal data processed in the project is not used for purposes other than those the respondents or informants have agreed to.
- checking that terms in agreements with any external information providers, such as register holders, or partners at other institutions are actually complied with.
- reporting deviations that occur when processing information about respondents or informants in the project, see notification of deviations below.
If changes are made to the project plan in relation to the information on which NSD's assessments are based, a separate change form must be submitted. You will then have to wait for a new assessment from NSD. Changes in the project may mean that a new information letter must be sent and new consent must be obtained from respondents / informants.
The closure phase includes the part of the research project where the data analysis has been completed and collected data (personal information) is to be deleted, anonymized, or possibly archived. This must always be done as you have described it in the message to NSD, and you must notify NSD that the project has been completed and data has been deleted / anonymized.
In this phase, you are responsible for the following tasks, in line with what you have reported to NSD:
- ensure that all personal information about respondents or informants that is not to be stored after the end of the project is properly deleted.
- ensure that personal information that is to be stored after the end of the project is anonymized, for example by destroying the connection key for deidentified information.
- ensure that personal data that is to be taken care of after the end of the project is properly stored (if an agreement has been made on secure storage and in consultation with the supervisor).
- report to NSD that the project has been completed and that the data has been handled in accordance with the registration.
Information security - storage and processing of personal data
The most important thing is that you store, process and share files and data correctly. It is the content and degree of sensitivity of the data that determines where the information can be processed and stored. This is information security. When writing an assignment that requires the processing of sensitive personal data, you must:
- Think carefully about the types of information, files and data you should store and process
- Find out which information classes apply to this information. Understand what is meant by green, yellow, red and black data. You do this by consulting the classification guide.
You should note in particular that red data is referred to as sensitive personal data and that such data has strict requirements for protection. Health research data and personally identifiable information should not be stored unsecured!
What kind of tools can I use?
After you have clarified which information class is applicable to your data, you should use UiS's guidelines for what equipment you can use when working with your data. You do this by consulting UiS's storage guide. This storage guide gives you an overview of the accepted places to store data. Here you should especially note that you are not allowed to work with anything other than green data on your private PC or Mac. UiS recommends that students and researchers use Nettskjema and Nettskjema-Dictaphone for the collection and processing of "yellow" and "red" data. Nettskjema can be used to create surveys, to make audio recordings of interviews and to process sensitive data. It is important to note that inactive information in Nettskjema is automatically deleted 6 months after the last data was collected.
In most cases, this will be an adequate and safe choice of tools for collecting and processing sensitive data.
If Nettskjema turns out not to be a sufficient solution for storage in connection with your task, you must ensure that the information is stored in other secure ways. Alternative storage areas are described in the storage guide and in Guidelines for processing and storage of research data with personal data in student projects at the University of Stavanger.
Deviations and incidents
If you discover discrepancies or incidents in connection with the protection of personal data, it is very important that you report this so that UiS can help assess, limit and repair the extent of the damage.
Deviations and incidents may be that you discover that someone has gained unauthorized access to a user account or PC, that you lose a memory stick with data, that you classify data incorrectly and store it in the wrong place, or that you discover breaches of confidentiality, errors in anonymization and deletion, and the like. In such cases, it is very important that you as a student and / or your supervisor report any deviations immediately.
Notification of breaches or possible breaches of privacy goes to the Privacy Representative at email@example.com
Notification of breaches or possible breaches of information security goes to firstname.lastname@example.org
NSD: Reference for privacy in research
NSD: How to carry out a project without processing personal data?
NSD: What is personal information?
UiS's guidelines for the processing of personal data in student assignments
Classification of information
Guidelines for using video for interviews for student assignments
UiS: IT regulations
VeraCrypt: Free encryption software for both PC and Mac, recommended by UiS-IT if you do not use Nettskjema.
All machines, including home and portable machines, to be used in the processing of personal data shall be protected by relevant security mechanisms, including antivirus software, firewall and system for regular updates of operating system and security mechanisms.