Processing personal data in student papers

When planning an empirical bachelor's or master's thesis, it is absolutely essential to consider what data should be collected, how the data collection should proceed, and how data should be stored. One of the most important decisions is whether to process personal data.

As a student, you can collect data material of three types. It is a requirement that you discuss with your supervisor whether the data material you have is to be considered green, yellow, or red.

Green, yellow, and red data

Green data

Green data: Information that does not contain personal data.

This includes all information where individuals cannot be identified, either directly or indirectly. If the informant has consented to it, non-sensitive personal data can be considered green data.

Storage: Green data do not require special protection. Provided that you adhere to general research ethical guidelines, you can handle these more or less "as you wish".

Yellow data

Yellow data: Information that contains personal data.

This refers to all information where a person can be identified directly or indirectly. Indirect identification can, for example, occur through the linking of background information, images, or voice.

Storage: For yellow data, the same rules apply as for red data, but they can additionally be stored on a personal computer provided that you adhere to the guidelines for processing yellow data on a private computer.

Red data

Red data: Information that contains particularly sensitive personal data.

This includes all information containing details about race, ethnic origin, political opinions, religion, philosophical beliefs, trade union membership, genetic and biometric data, health information, sexual relations and sexual orientation.

Information about criminal convictions and offenses should be treated as particularly sensitive personal data in research projects, even if it is not defined under Article 9 of the law.

Storage: Red data can only be stored in Nettskjema and in OneDrive. It is a prerequisite that you have so-called two-factor authentication activated. This means you have an extra layer of protection beyond your password. This is most often done through a code you receive on your mobile phone. You access your files by logging into office.com. The University takes a backup of data stored in OneDrive. Therefore, you do not need to back up the files you have there.

Further processing of personal data

Responsibilities and tasks

You can find an overview of responsibilities and tasks for parties involved in research activities at VUC here.

Student project startup

Implementation:

  • Sign a guidance contract with your supervisor, if applicable.
  • Develop a project outline that clearly states the purpose of the project.
  • In consultation with your supervisor, consider whether it is necessary to collect personal data. Personal data should not be recorded unnecessarily. Sikt (prev. NSD) has some tips on how to carry out a project without processing personal data.
  • If you do need to collect personal data, consider what personal data you must collect.
  • If you are unsure whether the project is reportable, take the reporting test or contact Sikt.
  • Establish a legal basis. All processing of personal data must have a legal basis. For most student projects, this will be consent.
  • Prepare information letters and, if necessary, consent forms.
  • Develop a plan for the secure processing of personal data. This includes collection through secure channels, registration, transfer, processing, storage along the way, and archiving or deletion after the project's completion. The supervisor should help the student classify the information handled in the project and choose approved technical solutions according to VUC's storage guide.
  • The project outline must be approved by the supervisor before the project starts.
  • Report the project with necessary attachments to Sikt at least 30 days before data collection is to begin. The student should share the reporting form with the supervisor. You can do this via "Share the project" at the top left of the reporting form, "Invite user". The supervisor is responsible for ensuring that the project is reported and assessed, but it is the student's responsibility to complete and submit the reporting form.
  • Sikt must have reviewed the project before the collection of research data can begin.
  • If changes are made during the project that could affect Sikt's assessment, the student must report the changes.
  • The Health Research Act covers research aimed at generating new knowledge about health and disease. If a project is to use patient or health information for this purpose, one must seek approval from REK (Regional Committees for Medical and Health Research Ethics).

Click here to read the complete routine for starting student projects at VUC.

Information letters and consent

Implementation:

  • All processing of personal data must have a legal basis. Based on the legal basis of the project, consider whether participants should consent to the processing of personal data or just to participation in the project. If you choose to process personal data on a basis other than consent, you must still obtain consent for participation in the research project.
  • Prepare information letters and consent forms. You can base these on Sikt's template. These should be attached to the Notification Form and sent to Sikt.
  • Consent must be voluntary, informed, unambiguous, given through an active action, documentable, and revocable. The information should be concise, with clear and understandable language. There is no requirement that this must be in writing, but it is recommended since the project leader/student must be able to document that consent has been given.
  • Sikt should assess the project before you start collecting consent.
  • In larger projects, it can be difficult to formulate a precise purpose at the time of collection. The law allows for consent to be obtained for each stage of the research project.
  • In medical and health-related research, data subjects can consent to the use of biological material and health information for broadly defined research purposes. Participants who have given broad consent have a right to updated information about the project along the way.
  • Nettskjema can be used to collect electronic consent. Nettskjema also offers solutions for consent with e-signature from Difi, but this is limited to research projects using Services for Sensitive Data (TSD).

Documentation: Consent declarations are stored in a secure storage location in accordance with VUC's storage guide.

The complete routine for information letters and consent can be found here.

Storing active research data

Implementation:

  • The project leader and student, in consultation with the supervisor, are responsible for assessing what type of information the project contains and classifying it according to HVO's Guidelines for the Classification of Data and Information. The classification is crucial for the degree of security imposed on the information.
  • The project leader must ensure that the processing and storage of information and data take place on approved technical solutions in accordance with HVO's Storage Guide.
  • If the project is to process large amounts of special categories of personal data or health research data, the data should be classified as "black/strictly confidential information". The project must then use Services for Sensitive Data (TSD) as a storage location. Contact IT for access to the service.
  • Do not retain directly identifiable data material longer than necessary. Data material can be pseudonymized, and the linkage key or other identifiable elements stored separately from the data material. Access to a possible linkage key should (usually) be limited to the project leader.
  • If the data material consists of audio recordings, consider anonymizing or pseudonymizing it if you choose to transcribe the data material. See Routine for conducting audio recordings.
  • The project leader is responsible for ensuring that no unauthorized persons have access to the registered personal data. If project collaborators or other cooperating parties are to have access to research data with personal data, this must be in accordance with what is outlined in the consent form and reporting form.
  • If the project has collaborators at other institutions, the project leader should enter into a collaboration agreement. If one of the parties is to process data without having processing responsibility, or the project uses an external data processor, the project leader must ensure that a valid data processing agreement is in place. Copies of all agreements entered into should be archived in VUC's archive system with a copy to the dean.

Please find the complete routine for the storage of active research data here.

Routine for the use of audio recordings in student and research projects can be found here.

Guidelines for processing yellow data on your personal computer

Yellow data can be stored on your personal computer under the following conditions:

  • It involves small amounts of yellow data (Data associated with a student assignment is almost always considered to be a small amount of data).
  • You should only keep data that you are working with.
  • Data that you are not working with should be deleted (including from the recycle bin).
  • Only data that you need should be stored locally on your machine. You must make this assessment yourself. VUC does not want data to go astray, and everyone must contribute to limiting the scope if it should happen.
  • Data should only be accessible by you. Other users of the computer should not have access to the data. Family and friends who borrow the machine should have their own accounts.
  • You should not automatically sync yellow data.
  • Your computer should be sufficiently secured:
    • Automatic updating of the operating system is turned on.
    • Automatic screen lock (3-5 min) is turned on.
    • Passwords on the machine should be "strong" (long, unique, and include numbers/symbols).
  • Your usage of the machine is secure:
    • Be cautious with links in emails and with unknown websites.
    • Do not use unknown wireless networks.
    • Make sure that folders with yellow data are not stored in the cloud with other providers such as Apple or Google, or other Microsoft accounts than the one you have at VUC.

Conclusion of student project

  • At the end of the project, personal information must be handled in accordance with the notification form, the respondents' consent, and any data management plan. For most student projects, this means that the student anonymizes or deletes the data material.
  • If personal information is to be stored after the end of the project, this must be done in accordance with relevant legislation and in consultation with the advisor. See the routine for archiving/long-term storage of research data.
  • The student must confirm to Sikt that the personal information has been deleted, anonymized, or archived in line with the data management outlined in the project's notification form. The advisor is responsible for ensuring that the student does this through their access to the notification form.

You can find the complete routine for concluding a student project under the Personal Data Act here.

Advice on the Sikt notification form

If you are going to collect data containing personal information, you must report the project to Sikt (formerly NSD - Norwegian Centre for Research Data). The notification form has good explanations on how to fill it out. There is an explanation behind each question marked with an icon.

Sikt Privacy Services has created a guide for completing the notification form, and a checklist for what you need to have ready. You can also get help from Privacy Services via phone or chat on weekdays.

Frequently asked questions:

During processing

If you are going to store data in OneDrive, Teams, or Nettskjema, you should check the box for "External service or network (data processor)".

When you have checked the box for Data Processor, you must also check that the "data processor has access to the information". You can find who the data processor is in the table with approved systems for data processing.

Report unwanted incidents (deviations)

Everyone is responsible for reporting unwanted incidents (deviations). Examples of such unwanted incidents may include:

    • Misdirected emails and attachments containing personal information
    • Incorrect disclosure or publication of personal information
    • Lost equipment (mobile phone, laptop, tablet, notes, etc.) containing personal information
    • Errors in access rights, equipment, or software that could weaken security
    • Routines for the processing of personal information that are missing, not functioning, or not followed

The seriousness of an unwanted incident can vary depending on whether it involves information about a few individuals or many, or whether it includes special categories (sensitive personal data) or not.

Reports of unwanted incidents must be sent to the IT manager or Data Protection Officer at VUC.