4. Storage of active research data
As the data controller, HVL is responsible for keeping records of processing activities that include personal data so that data is processed and stored properly and is only available for the period necessary for the purpose. NSD's application form is a protocol for research and student purposes.
- 4.a Storage of active research data for research projects
- 4.b Storage of active research data on private devices for students (master/bachelor)
- 4.c Long-term storage, publication, and reuse of research data
4.a Storage of active research data for research projects
- If the project has received external funding from the EU or NFR, it is a requirement that the project manager provides a data management plan (DMP) where the data processing in the project is described. The plan must describe how the obligation for "open data" and FAIR principles will be met. HVL recommend using the NSD template for the DMP.
- For projects that process Special categories of personal information, the project manager must create a storage area on HVL's research server after processing personal data has been pre-assessed by NSD /pre-approved by REK. See the storage guide for further information about the categorisation of data.
- For student projects that do not have special categories of personal information and have a low privacy risk, private devices can be used (see section 4.b).
- The data material shall, as far as possible, be stored and processed deidentified on HVL's research server or following the storage guide. This means that research data and personally identifiable elements (link key) are stored separately.
- Through the registration on HVL's research server, the project manager authorises project members who will have access to research data through the research server. The project manager is responsible for ensuring that this is done following consent, notification to NSD / REK and any data handling plan.
- If an external research member is to have access to the research data, an agreement must be signed with a non-employee (template can be found in Vestibylen).
- Access to the link key should normally be restricted to the project manager. Exceptions can be made in special situations where it is crucial for the implementation of the project.
- The project manager must ensure that temporary storage and transport of personal data (between companies or for storage in the research server) via mobile storage media securely takes place:
- Paper-based research data is stored in locked archives. Scanning and storing documents on the research server is recommended whenever possible.
- Audio and video recordings are temporarily stored on a password-protected device. Audio and video files must be stored on the research server or following the storage guide as soon as possible and immediately deleted from the external device.
- USB sticks should only be used for temporary storage, such as when transferring data from one device to another or when handing over data to another company. The files are encrypted and password protected. When the data is transferred to the research server, the data should be deleted from the memory stick.
- Personal information can be temporarily stored in OneDrive or Box, according to the storage guide.
- The project manager is responsible for ensuring a data processor agreement with external companies that process personal data in the project when HVL does not already have a data processor agreement with the company.
- For storage of data after the end of the project, see 4.c. Long-term storage of research data.
4.b Storage of active research data on private devices for students (master/bachelor)
Private devices can be used in student assignments if the conditions below are met. Prerequisite for the use of private devices in student assignments:
- The use of private devices must be clarified with a supervisor or subject teacher. The supervisor or subject teacher must know the prerequisites below and be able to guide the individual points.
- Private devices may only be used by student projects with a low privacy risk where no special categories of information [1] are obtained.
- Student projects cannot start until there is an assessment from NSD and possibly REK.
- The student must ensure that information security is maintained during the period when personal data is processed. Measures must be implemented to safeguard confidentiality, i.e., prevent personal data from going astray through, for example, encryption.
- The student must ensure that the project participant's integrity is ensured and that no unauthorised persons have access to the processed personal data.
- The student must ensure that the devices are never left without password protection.
- The student must ensure that personal information is not stored in cloud solutions where it is impossible to ensure who has access to the data and control where servers are located geographically or otherwise spread this information without control.
- The student must ensure security around the use of private sound recorders. Audio recordings must be encrypted after recording and not retained longer than necessary for transcription. Audio recordings are deleted at the latest at the end of the project.
- The student must ensure that personal information collected for processing in master's theses is deleted or anonymised when the thesis has been submitted and found approved. This also applies to audio recordings, videos, and photos. This applies if there is no legal basis for further storage
- The student must report to NSD that deletion/anonymisation has been performed at the end of the project. This applies to all originals and any copies of personal information. The supervisor is responsible for checking that the student notifies about deletion/anonymisation to NSD at the end of the project.
4.c Long-term storage, publication, and reuse of research data
Personal data shall be stored in a way in which it is impossible to identify the research participants for longer periods than necessary for the project. Long-term storage is particularly relevant for anonymous data so that these can be shared and utilised further in scientific research or in a personally identifiable form where there is a duty to keep or a desire for follow-up studies.
- The project manager must ensure that storage after the end of the project follows the information and consent letter, data handling plan, contract with the client and an agreement on shared processing responsibility where applicable.
- The project manager must ensure that the data is prepared, anonymised, or otherwise processed for long-term storage in good time before the project ends.
- Data material that contains personal information can also be published/archived for reuse when there is a valid basis for processing [2].
- Researchers at HVL can publish / archive research data in our institutional research data archive, HVL Open Research Data. Contact the library for guidance on how to process research data for archiving.
- Projects funded by the Research Council of Norway (NFR) must archive their research data in an approved research data archive [3].
- Some personal information may be subject to storage following the Journal Regulations and/or the Archives Act. Continued storage according to this criterion requires that the information is only stored in the patient record system and/or the university college's research server, respectively.
- The project manager shall not delete source data or other research data and documents if the supervisory authorities have open cases related to the research project or if the project participant (s) are suspected of dishonesty in research.
[1] According to regulations, the following information is considered as sensitive personal data: data about race or ethnicity, political orientation, religion, philosophical beliefs, union membership, genetic information, biometric information with the purpose of uniquely identify an individual, health information, sexuality, sexual orientation, legal- convictions and offences. (article 9 and 10 in GDPR).
[2] NSD and/or HVL's data controller may, in consultation with the Data Protection Officer, assess whether there is a valid basis for processing data in the General Data Protection Regulation for the publication of personal data for archival purposes.
[3] Examples of approved archive-solutions are Dataverse, NSD and CLARINO.