Responsibility for privacy protection in student projects
Supervisors have the responsibility to ensure and verify the integrity of privacy protection in student projects on the master level, but you as a student also have an independent responsibility to maintain the privacy of participants or informants in your research project. The contract between you and your supervisor clarifies the responsibility to ensure privacy protection and the use of personal data in your project.
At IKOS, it is mandatory for both master students and supervisors to complete a course on privacy protection in Canvas (external supervisors are required to obtain necessary information, which may be done by completing an open course). For master students, the privacy protection course is an obligatory component of one of your master's courses, and you will be informed about the privacy protection course when you take the master's course in question.
You may read more about your duties and responsibilities to maintain privacy protection on UiO's webpages.
Privacy Protection and Research Papers
What is personal information?
Personal information includes all kinds of information that may be connected to a person, either directly or indirectly.
Examples of personal information include names, social security numbers, e-mail addresses, photos, sound and video recordings, health data, behaviour data and numerous other details of a person.
It is important to consider whether you can complete the project without gathering personal data. For help, please see the guidelines from SIKT (previously NSD).
For more information, see UiO's general guidelines on privacy.
Anonymous data
Anonymous data is information which in no way can identify private persons in a data set, either directly through name or social security number, or indirectly through periphery information. Indirect identification can happen as a result of data that can be connected to names through other registers and such. Examples include telephone numbers, addresses or combinations of data such as gender, age, address and number of siblings.
Anonymous data is not personal data since they cannot be connected to identifiable persons. In the case that you only use anonymous data in your project, you are not obligated to report your project to the Privacy Protection Service at SIKT (formerly NSD).
Use of personal data
If you plan on using personal data in your project, it is important to ensure that the data are treated well and safely. You are obligated to follow UiO rules and routines for research using personal data. You must also consider whether your project adheres to the Guidelines for Research Ethics.
At UiO, all research project which will use personal data must be registered with the Privacy Protection Service at Sikt for assessment of the protection of privacy in the project. You may not initiate data collection before your project has been approved by Sikt. If you are to gather data abroad (outside of EU/EEA), you must be aware of not just the ordinary rules, guidelines and regulations for data collection, but also potentially of local rules, guidelines and regulations. Ask your supervisor about this.
Before you can register your project with Sikt, you have to clarify a few things, and it may be helpful to consult the Notification form for personal data. Processing time at the Privacy Protection Service at Sikt may vary from a few days to a month depending on the project's complexity. You should therefore register the project at least 30 days ahead of data collection.
Please contact your supervisor if you have questions regarding the use of personal data in your master thesis project.
Consider the following if you are going to use personal data in your project
What are you researching and whom will you gather data about?
Define as precisely as possible what you are researching, from whom you need to gather personal data, and which personal data you need to answer your thesis question.
What sorts of personal data are you using?
Together with your supervisor, you must classify the personal data you will be using in your project in accordance with UiO's Data Classification Guide. Are the data green, yellow or red? The classification of personal data will impact their use. Certain categories of personal data are classified as red data and shall be treated as sensitive and in need of extra protection.
How will you gather data?
The data must be collected within secure environments and using approved equipment. Your data gathering methods must be planned and cleared with you supervisor.
You must ensure that the data can be stored securely and be deleted from temporary storage units.
You may use UiO-Nettskjema for data collection. Nettskjema also has a dictaphone-app.
Where and how do you store your data?
When you have classified your data, you must verify that they are stored using approved methods in accordance with UiO's data storage guidelines. It should be stored in a way where no irrelevant persons may access information which may compromise the identity of your research subjects.
Ensure that all temporary storages are deleted. Ensure also that the main data and, if relevant, back-up are stored in a secure way.
Storage of red data in UiO's data storage guidelines
If you plan on gathering red data for your project, you are obligated to store the data in a personal folder specifically created for you. The department has routines for this, and you will be provided a link from the IT-section of the Faculty when the folder has been created. This e-mail is not a clearance to initiate data collection, as the project must be approved by Sikt first. The folder is only a technical solution to ensure the secure storage of red data, if relevant, and is automatically created for all students in relevant fields.
How to obtain consent?
When you gather personal data, you must be able to document that you have provided information and obtained the consent of the subject whose personal data you will be using, unless you are using aggregated data (i.e. data from a census). The information you provide your subjects with should be concise, comprehensible and easily accessible. Please see the checklist from Sikt on what you should inform your subjects about.
The Privacy Protection Service at Sikt recommends written information and written consent as a rule of thumb, and has prepared a template for information letters and consent forms which you may use in your project. It is also possible to use Nettskjema to gain consent.
When you have clarified the points above, you are ready to submit your project to the Privacy Protection Service at Sikt for assessment.
Submitting your project to the Privacy Protection Service at Sikt
You submit your project to the Privacy Protection Service at Sikt using a notification form. It is you as a student who will submit the project, but your supervisor may help you. The Privacy Protection Service at Sikr also has a chat function you may use if you have any questions while filling out the form.
When you submit your project, you will be asked to designate a project supervisor. Fill in your Master's supervisor here.
Submit your project at the Privacy Protection Service's homepage.
Remember to fill in your private e-mail and cellphone number in the notification form so that the Privacy Protection Service may contact you when the project nears termination.
If you must make changes in your project after the notification form has been submitted and the changes may impact the use of personal data, you must report these changes to the Privacy Protection Service and await a reassessment. You will find more information about changing the contents of your notification form here.
Do you have any questions or are in need of guidance or technical equipment?
Contact your supervisor if you have questions about privacy protection.
Your supervisor can if needed reach out to the privacy protection advisors at the departments.
The Faculty IT service provides technical guidance regarding data storage and borrowing of equipment.
You as a student may also directly contact the Privacy Protection Services at Sikt.
Would you like to know more about protection of privacy?
You will find lots of useful information on the homepage of the Privacy Protection Service at Sikt.