2. The start-up of student- or research project

Chapter 2 describes the routines for the start-up of student and research projects.

Part 2.a describes the projects that come under the Personal Data Act, while part 2.b deals with projects within health research. In both parts, the routines for student and research projects are described separately.

2.a Projects under the Personal Data Act


The purpose of the routine is to ensure that the start of the student and research project safeguards privacy following the Personal Data Processing Act (the Personal Data Act implemented the Privacy Regulation (EU) 2016/679) and general research ethics considerations in line with the Research Ethics Work Act (Research Ethics Act). All projects that process personal data must be pre-assessed by NSD. Some projects also require pre-approval from a research ethics committee (REK or other).

Research projects (including PhD)

  • The project manager prepares a project description and a data management plan when this is a requirement. All projects that receive funding from NFR or the EU must prepare a data management plan.
  • The project manager informs the faculty about the project. The faculty is informed when R&D time has been allocated to the project, or the rector has in other ways approved the project.
  • The project manager must ensure that he/she, and the project's other employees, are familiar with privacy and research ethics guidelines.
  • If the project collects personal information, the project manager sends a notification form with project description and attachments to NSD, which is HVL's privacy adviser for research. The notification must be sent no later than 30 days before collecting personal information is to start.
  • The project manager awaits an assessment from NSD before initiating the data collection.
  • Data containing special categories of personal data [1] shall be stored on HVL's research server. Before start-up, the project manager must order storage space on HVL's research server (guideline 4.a Storage of active research data) and register which type (s) of personal data is processed.
  • The project manager must ensure a valid data processor agreement if external data processors are used.
  • The project manager registers the project in the CRIStin project database.
  • The project can start processing personal data, including collection, registration, analysis, extradition, and storage, when this is in place.
  • If the project has members not employed at HVL, all parties must sign a Cooperation Agreement. The vice-rector must also sign an Agreement with a non-employee to grant access to the HVL research server.
  • In projects that collaborate with others, there will often be joint responsibility for processing the data according to privacy regulations [2]. This occurs when the parties jointly determine the purpose and means. Joint processing responsibilities can take different forms and divide responsibility in different ways. It is not a requirement that the responsibility is evenly distributed.
  • If this is relevant for the project, an agreement on joint responsibility must be signed.

Student projects (master)

  • Project description must be prepared and approved by the supervisor before start-up.
  • The supervisor and student assess the necessity of processing personal data in the project.
  • The supervisor must have completed basic training in research ethics. The supervisor is responsible for the student complying with the necessary research ethics guidelines and norms.
  • It is the student him/herself who reports the project to NSD, but the supervisor is responsible for the notification form and project description being sent to NSD. The notification must be sent no later than 30 days before collecting personal information is to start.
  • The supervisor must ensure a valid data processor agreement if external data processors are used.
  • The student awaits an assessment from NSD before initiating the data collection.
  • The supervisor must ensure secure storage and order storage space on HVL's research server if the student collects special categories of personal information (guideline 4.a Storage of active research data). When applying for storage space, the type (s) of processed personal data is also registered.
  • Once the above points have been completed, the processing of personal data, including collection, registration, compilation, analysis, extradition and storage on the research server, can begin.

2.b The start-up of projects under the Health Research Act

The purpose of the routine is to ensure that the start-up of the research project is ethically sound following the Health Research Act, safeguards privacy following the privacy regulations and is carried out in line with recognized ethical norms for research. All health research projects must be pre-approved by the Regional Ethics Committees (REK) and NSD.

Research projects (including PhD)

  • The project manager prepares a project description and a data management plan when this is a requirement. All projects that receive funding from NFR or the EU must prepare a data management plan.
  • The project manager informs the faculty about the project. The faculty is informed when R&D time has been allocated to the project or the dean has approved the project in other ways.
  • The project manager must check and ensure that he/she, and the project's other employees, are familiar with the guidelines for privacy and research ethics.
  • The project manager assesses whether the project processes personal data and is covered by the Health Research Act. REK must approve health research projects. In addition, the project manager must notify the project to NSD to have the project assessed following the privacy regulations and fulfil HVL's requirement for a protocol for the processing of personal data. HVL has an agreement with NSD that the project manager can have parallel application processes with REK and NSD.
  • The project manager fills in and sends the application form with the project description and attachments to REK and NSD. Please note that REK has application deadlines. If the project manager is unsure whether the project needs to be pre-approved by REK, a presentation assessment can be requested, REK's secretariat or a research adviser at HVL can be contacted.
  • The project manager awaits pre-approval from REK and assessment from NSD before data collection is initiated.
  • The project manager must ensure a valid data processor agreement if external data processors are used.
  • The project manager orders storage space on HVL's research server (guideline 4.a Storage of active research data) and registers through this the type (s) of personal and health information that is processed.
  • The project manager registers the project in the CRIStin project database.
  • Once the above points have been completed, the processing of personal data and health research data, including collection, registration, compilation, analysis, extradition and storage on the research server, can begin.
  • If the project has members who are not employed at HVL, a Cooperation Agreement must be signed. For access to data on the research server, an Agreement with a non-employee must be signed.
  • In collaboration with others, there will often be shared processing responsibility according to the privacy regulations [2]. This occurs when the companies jointly determine the purpose and means. Joint processing responsibilities can have different forms and different divisions of responsibilities. It is not a requirement that the responsibility is evenly distributed
  • If this is relevant for the project, an agreement on shared processing responsibility must be signed.

Student projects

  • Project description must be prepared and approved by the supervisor in advance.
  • The supervisor must have completed basic training in research ethics. The supervisor is responsible for the student complying with the necessary research ethics guidelines and norms.
  • The supervisor and student assess the necessity of processing personal- and health research data in the project.
  • When health information is collected in the project, the supervisor is responsible for sending an application with project description and attachments to REK [3]. Please note that REK has application deadlines. If there is any doubt about whether the project should be approved in advance by REK, a presentation assessment can be requested, contact REK's secretariat or a research adviser.
  • In addition, the student must report the project to NSD to have the project assessed following the privacy regulations and fulfil HVL's requirement for a protocol for the processing of personal data. HVL has an agreement with NSD that projects can have parallel application processes with REK and NSD
  • The supervisor must ensure a valid data processor agreement if external data processors are used.
  • The student awaits prior approval from REK and assessment from NSD before data collection is initiated.
  • The supervisor must ensure that special categories of personal data are stored on HVL's research server (guideline 4.a Storage of active research data). When applying for storage space, the type (s) of personal data and health research data that are processed are also registered.
  • Once the above points have been completed, personal and health research data processing, including collection, registration, compilation, analysis, extradition and storage on the research server, can begin.
    When students or researchers at HVL participate in projects where other institutions are responsible for processing, they must ensure that the same considerations are taken care of at the institution responsible for the processing.

[1] According to regulations, the following information is considered as sensitive personal data: data about race or ethnicity, political orientation, religion, philosophical beliefs, union membership, genetic information, biometric information with the purpose of uniquely identify an individual, health information, sexuality, sexual orientation, legal- convictions and offences. (article 9 and 10 in GDPR).


[2] GDPR, article 26


[3] When applying for pre-approval from REK, it is required that the applicant must hold a PhD or equal.