Data management at ISV

General information

GDPR (General Data Protection Regulation) is a privacy regulation which has been adopted by the EU and enacted in Norway under an annex to the EEA Agreement. GDPR is a regulation "relating to the protection of natural persons in connection with the processing of personal data and the free exchange of such information." (Lovdata).

The provisions contained in this regulation affect all research projects that process personal data.

The UiO/Faculty of Social Sciences/Department have overall responsibility for ensuring that the current rules on handling research data are made known and complied with. Supervisors are responsible for ensuring that students comply with their responsibilities and that they maintain the privacy of respondents or informants engaged in student research at Bachelor’s and Master’s levels. Students are responsible for their projects, and for the privacy of anyone participating in research projects (respondents and informants) when any personal data about them is processed.

Students must familiarise themselves with and comply with the data processing guidelines. This should take place in consultation with their supervisors.

Please see the UiO’s page about privacy protection for students and supervisors.

What is personal data and sensitive personal information?

Personal data is all data or assessments that can be linked to an individual, either directly or indirectly. For example, this applies to names, addresses, phone numbers, e-mail addresses, IP addresses, dates of birth, photos, audio recordings, video recordings and biometric information. Furthermore, various types of data relating to behaviour could be regarded as being personal data, e.g. shopping habits or online activities. When several data sources are linked, then data which is not in itself personally identifiable data could be regarded as being personal data.

Sensitive personal information is information which can only be collected for specific purposes, e.g. scientific research. This applies to information about ethnic origins, political views, religious or philosophical beliefs, trade union membership, genetic information, biometric information, information about health, sexual relations or sexual persuasion, information about convictions or violations of the law.

Data classification 

When you collect and process data, that data will be classified in various ways, depending on what it relates to. The UiO has drawn up a general classification list which identifies four categories: Green – open, Yellow – restricted, Red – confidential, and Black – highly confidential.  These classifications also apply to researchers and students at the ISS.

It is you as a master's student who are the project manager for your master's project. This means you are responsible for the data you collect for your project. In cooperation with your supervisor, you are obligated to have an overview of your data, ensure that they are klassified correctly, and that they are collected, processed and stored in accordance with the regulations for data protection. Sikt will also be able to say something about classification, but these are recommendations and the student has the overall responsibility. 

Data Management Plan

A Data Management Plan (DMP) is a document that describes how to handle the research data in a project: from start to finish, and after the project has been completed. A DMP is a document that will follow a research project and clarify what data will be generated, how that data shall be described, where it shall be stored and whether or not and how it can be shared. For students like you it is important that the plan attempts to answer the following points:

1.    What sort of data you are going to collect?
2.    Define how the data will be analysed and/or coded
3.    Explain how the data will be reproduced in your paper
4.    What you will do to ensure that all your data is good quality data?
5.    Where and how you will store and archive the data?
6.    When, how and what shall be made available to the public?

You shall create your own data management plan for your project. Training on and working with your data management plan will be part of the tuition component associated with the Master’s thesis for your programme. You should consult your supervisor about this work.

Simple Data Management Plan (Word, English)

Enkel datahåndteringsplan (Word, norsk)

Reporting projects to Sikt - Norwegian Agency for Shared Services in Education and Research
 

Projects that involve the processing of personal data must be reported to Sikt 
 

Notification Form for personal data

■    Please see the SIKT’s guidelines for research and whether or not you have an obligation to report projects

Sikt ask that you register your supervisor as the formal project manager. The formal project manager must be an employee at the University of Oslo. If your supervisor is not an employee at UiO you can send an email to post@stv.uio.no.

Reporting completed projects to the Sikt

If you have processed/obtained personal data which needs to be reported to the Sikt, it is important that you report that the project in question has been completed once your Master’s thesis has been handed in, and report what will happen to the personal data in question.

Data storage, deletion and archiving

When you collect and process data, it is important that this takes place within a safe framework and that you use technical devices that are secure. This limits the chances of such data becoming lost, or prevents unauthorised persons from gaining access to it.
 
Once you have classified the data in your project, you can see what you will need to do in order to process it securely. There are various solutions available, depending on the type of classification which applies to the data in your project. Please see the UiO’s general storage guide, which covers all platforms. UiO’s storage guide.

Storage hotel for red data

Send an email to post@stv.uio.no if you have the need for access to storage hotel. 

Storing yellow data on your own PC

You are allowed to store yellow data on your own PC, but it is very important that you follow the rules for storing yellow data on your own computer before you collect and store data. 

Processing, de-identifying and anonymising data

When you process data, you shall ensure that all personal data is de-identified or anonymised before it is removed from its storage location in the form of transcriptions and written data extracts, etc. After transcription it is common practice to delete raw data, but there are some exceptions (cf. under “Project Completion”).

■    De-identification: personally identifiable information is removed, but indirect personally identifiable information exists, e.g. in the form of scrambling keys.
■    Anonymisation: all personally identifiable information is deleted (including scrambling keys). NB: it will then no longer be possible for informants to withdraw from the survey in question.

Project completion – archiving/deletion

When a project has been completed the data should usually be deleted or anonymised.

If data is to be archived for further use, it will be necessary to obtain consent in advance. For further information about future use, please see the Sikt’s documentation guide on archiving research data.

Consent form

When you collect data, you must be able to provide documentary proof to show that you have provided information and obtained consent from the people whose data you have registered, unless you use aggression level data (e.g. registry data). As a general rule the Sikt recommends the provision of written information and written consent.
You must prepare an information circular requesting participation and providing information about the study. The information you provide shall be brief, easy to understand and in an easily accessible form. Sikt has drawn up a template for information circulars and declarations of consent which you can use for your projection. Both English and Norwegian versions of the template are available at the Sikt website.

Audio recordings - Nettskjema Dictaphones and Zoom

It is possible to use Nettskjema Dictaphone for audio recordings. Audio recordings will always be classified as being red data, since a person’s voice is personally sensitive and recognizable. This generates a certain amount of guidance on how you can make audio recordings and process them securely. A secure solution based on Nettskjema has been developed, and you have your own recording app on your mobile phone. You should use this solution for all audio recordings in connection with your Master’s thesis, and avoid using dictaphones and other recording solutions.

Other matters relating to GDPR 

Contact point for GDPR at ISV is post@stv.uio.no

Data Protection Impact Assessments (DPIA) will apply to highly sensitive projects. Sikt shall be notified if such are to be carried out. If you are notified that your project requires a DPIA, please contact ISV. 
A collective duty to provide information will apply if your project does not obtain specific consent from the study participants. Sikt shall be notified if this is necessary. If you are notified that your project is subject to a collective obligation to provide information, please contact ISV.

If you have any questions which have not been answered here, please contact ISV.

GDPR and Master’s theses – a crash-course for ISV students

Starting fall 2023 students will get guidance in data management through STV4911 - Master's Thesis - Research Design and Project Management 

"How do I proceed with GDPR?"

This is a chronological checklist which you can use when you are about to start your Master’s thesis.

1. Design and submit a draft for your Master’s thesis
2. Design and submit a Data Management Plan.
3. Report your project to the Sikt. You may be asked to enclose the following:
   1. Draft interview guide, if you wish to use qualitative interviews
   2. Draft info circular (information about your project for potential informants)
   3. Draft consent form
4. When collecting data, ensure that your informants provide you with good information and give their consent, where relevant.
5. If relevant, conduct interviews with a secure recording solution using Nettskjema’s dictaphone.
6. Store all data securely throughout your project.
7. During the project, use your Data Management Plan and revise it if necessary.
8. When processing data, de-identify data which is obtained from your area in the UiO’s storage hotel. Please contact post@stv.uio.no. 
9. Upon completion of your project, delete, anonymise and archive data in accordance with any agreements entered into.
10. Report your project as having been completed to the Sikt.
11. Send your completed Data Management Plan to your supervisor.

The UiO’s “Checklist for processing personal information in a Bachelor’s or Master’s thesis" (word) may also be useful. It will enable you to easily keep tabs on and cross off the privacy items which apply at the start of your project, while writing your thesis and when you have submitted your thesis.

Services for sensitive data

Read more about services for sensitive data (TSD) here

Collecting sensitive data in Nettskjema

Guidelines for creating a Nettskjema for collecting sensitive data