Are you wondering how you can store your data and thesis safely? Are you a bachelor's or master's student considering processing personal data? Did you know that there are good alternatives, such as collecting and treating information anonymously? These are UiS' guidelines for processing personal data in student projects.
What is personal data?
Personal data is any type of information and assessment that can be linked to an identified or identifiable physical person.
Personal data includes:
- name, address, age, phone number, email address and social security number.
- Information about habits and behaviour (shopping habits, online searches, where you physically move throughout the day).
- Images, audio and video recordings where individuals can be recognized.
Information is considered personal data regardless of whether they are text, images, audio or video recordings.
What are sensitive (special categories) of personal data?
These categories are regarded as sensitive (special categories):
- health information, genetic information and health-related conditions.
- biometric information for the purpose of identifying someone.
- ethnic origin. political, philosophical or religious beliefs.
- sexual orientation or sexual relations.
- that a person has been suspected, accused, charged or convicted of a criminal offense.
- union membership.
Examples of sensitive data:
- information about students' illness or diagnosis.
- information about cheating or attempts to cheat.
- need for accommodations for exams due to health reasons.
- information about attitudes towards various religious or political issues provided by participants in a survey.
Processing of personal data:
All personal data must be stored securely and in a secure location. Special categories of personal data must be particularly well protected (see more information about secure storage further down on the page).
Processing of personal data must follow current guidelines and regulations (both at UiS and nationally). All processing of personal data must be reported to SIKT Reporting to SIKT should always be done in consultation with your supervisor.
How to conduct a project anonymously?
There are many ways to process personal data in order to conduct a project anonymously. Anonymous projects avoid the strict rules that apply to processing of personal data.
This is how to process data anonymously:
- For nterviews and observation, you must only take notes (no audio recordings).
- Do not record names or background information that can identify anyone.
- Online surveys must use anonymous solutions (that do not collect email or IP-address linked to the survey). The survey must be without information that can identify the responder.
- NOTE! Most online surveys record email / IP address. The project must be reported to SIKT, even if only the survey provider has access to the information. It is possible to use Nettskjema for anonymous surveys (NOR).
- Register data can be used without reporting to Sikt when anonymous datasets are used: There are a number of anonymous register data providers available online, for example SSB.
- Write your thesis based on a literature review.
Data must not be traceable back to individual people, either directly, indirectly, or through email/IP address or a connection key (a list or dataset that identifies respondents based on a pseudonym or a code).
Contact your supervisor if you have any questions about anonymization or wish to discuss anonymous data collection in your project.
Information security and data storage
What type of data will you be handling, and how can it be collected and stored securely?
For most students, the tools Nettskjema, UiS OneDrive account, and Microsoft 365 programs (with your UiS account) will be sufficient tools during their studies.
- Use Nettskjema for data collection and audio recording (including red data).
- Use the Microsoft 365 package i.e. Word, Excel (with your UiS account) for data processing.
- Use your OneDrive with your UiS account for data storage - this also gives you backup in the cloud.
Here is more information on how to classify your data correctly (i.e. determine how sensitive the information is).
If you want to use other tools such as SPSS or Nvivo, you can find more information in the UiS storage guide.
If you collect red data (such as health information) in Nettskjema, either through audio recordings or surveys, it is important that you de-identify the data when you export or transcribe from Nettskjema. The same goes for if your audio recording contains red data that you do not need for your research - you should not export such data out of Nettskjema itself.
Find more information on de-identification below, under "definitions, questions and answers."
Tools and equipment
Mobile phones/tablets cannot be used to make audio recordings directly, but it is possible to use the "Nettskjema-Diktafon" app for audio recording. Both video and audio recordings are considered personal data.
If it is not possible to conduct an interview in person, it is possible to use Zoom, but remember to apply the right security settings.
Approved use
All computers that are to be used in the processing of personal data should be secured as well as possible (with relevant security mechanisms). This means that you should have:
- Installed antivirus program
- Enabled firewall
- Enabled security updates
- Strong passwords for both devices and systems used
You are responsible for evaluating the need for a backup of your data and ensuring that the backup is stored in accordance with the UiS classification and storage guidelines.
When you process the data, you must also keep outsiders from physically seeing what is on your screen.
When using a laptop and external storage devices (memory sticks, external hard drives, audio recorders, cameras, etc.), storage and transport of the equipment should be done in a way that minimizes the risk of theft and damage.
You should use your UiS email address for communications and correspondence in the project. Your private email address should not be used.
Where can you get more information?
Do you have more questions about data security, or about the use of personal information in your assignment?
Information security:
- Read the information linked in the fields above or Contact IT-help.
Privacy:
- Contact your supervisor after reading through this site. Ask when in doubt!
- Sikt answers questions about registration forms for processing of personal data.
- Supervisors and researchers at UiS who have questions can contact the privacy contact at their faculty or unit (intranet).
- UiS data protection officer (DPO) Rolf Jegervatn.
We recommend that bachelor students write their thesis without processing personal data.
The exception is when the thesis is written as part of "Joint assessment of bachelor's project".
Contact your supervisor for more information.
Remember!
Your supervisor is always regarded as project manager for student projects at a lower level than a doctorate.
When projects are part of a "Joint assessment of bachelor's project", the one responsible for the joint form (course coordinator etc.) is the project manager.
Have there been deviations or errors in the processing of research data or personal data? The student and/or his supervisor are responsible for reporting any deviations immediately. As a student, you should also notify your supervisor.
Deviations can be reported here:
Data privacy deviations
Information security deviations
Additional information and guidelines
This information applies to everyone who will process personal data in their student project.
The information primarily applies to master's students, but it also applies to bachelor's students who send an individual registration form to NSD/Sikt for processing personal data.
If you are going to process personal data in your student thesis, it is important to follow these guidelines and remember that:
- Your supervisor is always the project manager for student projects at a lower level than a doctorate. Processing of personal data in student projects must always happen in consultation with your supervisor.
- The project must be reported to NSD/Sikt if you are to collect or process personal data at any point in the project, even if the data is de-identified (pseudonymized) or anonymized later in the assignment.
- You must be out in good time! You cannot start processing personal data until you get a final response from SIKT. It can take around 30 days before SIKT gives you feedback.
- Reporting to SIKT must only be done in agreement with the supervisor, and the form you fill out must always be shared with your supervisor.
- You must use your UiS student e-mail address in the message form to SIKT, and in all communication in your project (also with informants and respondents). It is not allowed to use a private email address for this.
- When reporting to SIKT, you get an assessment that the project is in line with the regulations. Lack of registration can lead to the data material having to be deleted. Your supervisor is responsible for ensuring that students are made familiar with UiS' routines, guidelines and overall regulations in information security and the processing of personal data.
- You are responsible for safeguarding the privacy of participants in research projects (respondents/informants) when personal data about them is processed, and answering inquiries from respondents or informants in the project about how their privacy rights are safeguarded in the project.
- Remember to obtain consent. There are separate rules for collecting personal data from children and young people, see rules for this on the Norwegian Data Protection Authority's website (NOR).
Also, be aware that:
- All feedback from Sikt must be followed - personal data cannot be processed until there is a final feedback from SIKT. This will be confirmed, in writing, to your supervisor.
- Send a message/feedback to Sikt at the end of the project when you hand in your assignment, with confirmation that all data has been deleted/anonymized. This must be done before submitting the finished assignment, and confirmed in writing to your supervisor.
- If there is a connection key that connects data and name/other identifying information, this is regarded as personal data, even if the student/research group does not have access to the connection key.
- UiS is required by law to document all processing of personal data. This is fulfilled through registration to SIKT.
- All students who are going to process personal data must read information about this on SIKT's websites.
Medical and healthcare research projects
Is your project going to acquire new knowledge about health and disease? Such projects are considered health research. In that case, both the Personal Data Protection Act and the Health Research Act apply.
This information primarily applies to master's students. But it also applies to bachelor students who send individual message forms.
The Health Research Act (NOR) applies to medical and healthcare research on people, human biological material or health information (including pilot studies and experimental treatment).
Medical and healthcare research projects must be approved in advance by REK (Regional Committees for Medical and Healthcare Research Ethics).
You can find more information about the types of research projects that may need to be pre-approved by REK here (NOR). To get an assessment of whether your project needs approval, you can submit a preliminary assessment form (REK makes a preliminary assessment of whether they have to process the project).
If REK determines that a project requires full application processing and approval, a project application must be submitted to REK. The project application should be submitted by an applicant with a doctoral degree, preferably an employee at UiS. For clarification on who should submit the project application, please contact your supervisor. It’s important to note that students are not authorized to submit project applications to REK; they can only submit preliminary assessments.
NOTE! It can take up to three months before REK pre-approves the project. Authorization must be in place before you can start collecting information.
Definitions, questions and answers
Here you will find some definitions, and common questions and answers.
Definitions
De-identified (pseudonymised) personal data
Information is de-identified if the name, social security number or other personal characteristics have been replaced with a number, a code, fictitious names or the like, which refers to a separate list with the direct personal information (connection key).
Indirect personally identifying information must also be categorized into broad categories or removed for the data material to be considered de-identified. Broad categories mean, for example, parts of the country instead of specified municipalities or cities, age intervals (10-19 years, 20-29 years, etc.) rather than precise ages and the like. The only way to identify individuals in a de-identified data material is through a name list or a connection key.
Please note that de-identified information is considered personal data regardless of who stores the name list/connection key and how it is stored.
Connection key
A connection key is a list of names or file that makes it possible to identify individuals in a data set. Creating a connection key involves replacing a name, social security number, e-mail address or other personally identifiable characteristics in a data set with a code, a number, a fictitious name or the like, which refers to a separate list where each code refers to a name. The link key must be kept separately from the data material itself to ensure that outsiders do not gain access to the link between name and code.
Questions and answers (Q&A)
SIKT requests guidelines from UiS for the processing of personal data in student projects. What should I send? | Share the link to this page. |
Who is the data protection officer (DPO) at UiS? | DPO at UiS is Rolf Jegervatn |
Can I use a digital voice recorder or record an interview on my mobile phone? | No, use Nettskjema's dictaphone app - then you better safeguard the informant's safety. |
Can iCloud be a data processor in the project? | No, UiS does not have a data processing agreement with iCloud. |
Can I use SurveyMonkey or Google Forms to conduct a survey? | No, use Nettskjema or find an approved tool in the UiS storage guide |
Guidelines for the Processing of Personal Data in Regular Teaching Subjects at UiS (Exception Clause)
Main Rule
As a main rule, students are not allowed to collect and process personal data as part of or in regular teaching subjects (such as assignments, term papers, exam tasks, etc.).
Exception, only with a written digitally signed agreement between the course instructor and relevant students:
Exceptionally, students may be allowed to collect and process personal data as part of or in regular teaching subjects when it has been explicitly clarified with the course instructor beforehand. The collection and processing of personal data must be academically strictly necessary. The exception applies up to and including yellow data, i.e., only ordinary personal data, (see EU General Data Protection Regulation (GDPR), Chapter 1, Article 4 for definitions). A separate agreement must be signed between the course instructor and relevant students associated with each individual project in the respective course before the collection of personal data commences. The collection must be in accordance with the Personal Data Act and GDPR.
If personal data is to be collected and processed in teaching projects, the course instructor must ensure that the agreement includes a description of why it is necessary to collect personal data, a description of the legal basis for processing, purpose, specification of which personal data will be collected, the information provided to the data subject, how personal data will be secured (storage, access control, anonymization), as well as information about deletion afterwards, etc. The course instructor is responsible for ensuring that all fields in the agreement are correctly filled out, that the agreement is digitally signed, and that it is sent to the faculty for archiving. Please contact the course instructor if you have questions related to this.
No exception is granted for, or permission given to collect or process red or black data (sensitive/special categories of personal data) as part of teaching in regular teaching subjects (according to GDPR, Article 9).
Guidance at NSD (website):
Notification Form for personal data (sikt.no)
Information about filling in the registration form (e-course at Sikt):
Is there something you are missing, or that you think could be improved, on our information security and privacy pages? Click here to provide feedback
NB! Remember to attach a link to which page this applies to.