In many of the research projects we handle, personal data is utilized. All handling of personal data must always comply with the Personal Data Act (Personopplysningsloven). The act lists the requirements on how personal data must be handled.
The following procedures constitute the framework for Møreforsking's internal control system for handling personal data:
1. Any project that involves personal information must be reported to the Norwegian Social Science Data Services - NSD (both qualitative and quantitative research).
2. The message must be sent at least 30 days before data collection begins. This means that:
- Once a researcher has a project, we need to start thinking about a message to the NSD.
- The Principal must be informed of this when we get / are about to get a project with a short deadline.
- The project will not commence until we have received a reply from NSD.
3. The electronic notification form is located on NSD's website.
4. A license from the Data Protection Authority is required to process sensitive data. If sensitive data is included, this must be reported to the NSD.
5. Consent for participation needs to be given.
6. For all quantitative studies, a letter should be prepared that provides information on what the respondent consents to. The letter must contain information about the following:
- Purpose of processing
- Who is responsible
- That it is voluntary
- How data is stored (time and access)
- The participant's rights regarding rectification and deletion of data
Read more about the information letter and download example here.
7. Only necessary personal data may be collected.
8. Personal data must not be made available to anyone beyond what is necessary for the purpose of the collection.
9. All data must be deleted when it is no longer necessary to retain it for the project. It should not be used for any purpose other than that specified in the message to NSD without sending a notification of change. In some cases it will be necessary to inform the respondents of changes.
10. If an external party processes the data on behalf of Møreforsking, the standard data processing agreement will be used. This requires that the cooperating party operates under equally strict requirements for treatment of personal data as Møreforsking.