GDPR: Personal data in research

If your research involves human beings as research subjects, for example through collecting and/or processing personal data (interviews, surveys, participant observation, discourse analysis), it is essential that you know your professional and ethical responsibilities related to data management.

Research ethics

The Norwegian National Research Ethics Committee (NESH) is an impartial advisory body providing guidance and advice on research ethics. The Guidelines for Research Ethics in the Social Sciences, Humanities, Law and Theology are important tools for promoting good scientific practice in the Norwegian research system, and should be well known to all of ARENA's researchers. Please read the guidelines when planning your research design and preparing your data collection. 

The University of Oslo has created a work support page with one section targeting researchers: Privacy and data protection - for researchers. Since you are a UiO employee, the university owns 'your' data and is responsible for any breach of data protection laws.

See also the European Commission's guidelines Ethics and data protection (14 November 2018).

The Norwegian Centre for Research Data (NSD) has a very detailed and useful website, which provides you with much of the information needed in planning your data collection, privacy protection and data management: https://nsd.no/nsd/english/index.html

Their FAQ: https://nsd.no/personvernombud/en/help/faq.html

What is personal data?

Personal data means any information, private or professional, which relates to an identified or identifiable natural person. See the full definition in GDPR Art. 4(1).

Personal data is anything that discloses someone's identity, that is unique to this person, such as name, birth date, photo, e-mail address, social media posts, or workplace.

For an overview of the different types of personal data, see what is personal data?

Notify NSD before data collection

If you will be processing personal data in your project, you must submit a Notification Form to the Norwegian Centre for Research Data (NSD) at least 30 days prior to commencing data collection. You must await their assessment before you start collecting data.

GDPR

The full GDPR is available as a neatly arranged website at gdpr-info.eu

Principles of data protection law

The key principles related to the processing of personal data are listed and further described in GDPR Art. 5:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

If you understand them and know them, you have understood the essence of the GDPR and of data protection law.

Of particular relevance for you as researchers is GDPR Art. 13: Information to be provided where personal data are collected from the data subject (to be addressed in the participant information sheet and consent form).


Processing personal data in research

In line with the GDPR, you need a legal basis for processing personal data, which you may be collecting e.g. through surveys, questionnaires, focus groups and/or interviews, or retrieving from public and/or restricted secondary sources (surveys, media debates, official documents, legal documents, speeches, etc.).

The GDPR introduces two alternative legal bases for processing personal data, which are relevant for ARENA's staff: (1) Informed consent; (2) research in the public interest.

Legal basis 1: Informed consent

'The data subject has given consent to the processing of his or her personal data for one or more specific purposes' (Art. 6(1)(a)).

An ARENA template of a participant information sheet and consent form has been created to assist researchers in complying with the GDPR. Each researcher must adapt the template to suit the audience and nature of the research. The document must be written in plain language using simplified terms to comply with the GDPR. Signed consent forms must be kept on file with the researcher.

More on consent, and the NSD consent form template: https://nsd.no/personvernombud/en/help/information_consent/

GDPR requires that research participants are duly informed and provide their explicit consent.

Legal basis 2: Public interest

'Processing is necessary for the performance of a task carried out in the public interest' (Art. 6(1)(e)).

However, you are still required to inform the data subjects of the nature of the processing activities and their rights (Art. 12(1)). When data is retrieved from a publicly available source, a researcher may be exempt from the notice requirement if informing the data subjects 'would involve a disproportionate effort' or would be 'likely to render impossible or seriously impair the achievement of the [research] objectives' (Art. 14(5)(b), see also Recital 62).

Moreover, Art. 5(1)(b) states, 'further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes'. Art. 89 sets out the safeguards that controllers must implement in order to further process personal data for research.

Example

You are collecting statements by a number of Norwegian politicians in parliamentary debates, public speeches, media interviews etc. in a defined time period. By referring to the public interest of the research you are not required to obtain consent from the research subjects to process the data.

Depending, for example, on the number of politicians studied (5 or 50?) and the time aspect (how far back in time, are they hard to track down, have people retired?), and thus on whether informing them would constitute a 'disproportionate effort' or not, you may also be exempt from the notice requirement.


Not applicable to anonymous data

By rendering data pseudonymous, i.e. making it impossible or impractical to connect personal data to an identifiable person, you can benefit from new, relaxed standards under the GDPR.

If you are anonymising data, you will only have to inform about how the data is handled before anonymisation. Once the data is anonymised, it is not covered by the GDPR.

Pseudonymisation

Pseudonymisation, or de-identification, is 'the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information' (Art. 4(5)).

GDPR only partially applies to pseudonymous data. For instance, GDPR Art. 6(4)(e) permits the processing of pseudonymised data for uses beyond the purpose for which the data was originally collected. Also, data subjects' rights to data access, rectification, or erasure no longer apply if it is not possible to identify individuals in the data set. Participants must be informed that such rights will be annulled upon pseudonymisation.  

Anonymisation

Data is anonymous if it is no longer possible, with the tools that can reasonably be expected to be used, to identify individuals in a data set, even by the party responsible for the anonymisation. Note that determining whether data is anonymous is a fact-specific inquiry, and must undergo quality control.

If you are anonymising data, you will still have to inform about how the data is handled before anonymisation.


References and further guidelines

By Marit Eldholm
Published Mar. 1, 2019 2:43 PM - Last modified July 10, 2020 1:22 PM