Data management at ISS

Information is available here about how you can manage data during your Master’s project.

General information

GDPR (General Data Protection Regulation) is a privacy regulation which has been adopted by the EU and enacted in Norway under an annex to the EEA Agreement. GDPR is a regulation "relating to the protection of natural persons in connection with the processing of personal data and the free exchange of such information." (Lovdata).

The provisions contained in these regulation affect all research projects that process personal data.

The UiO/Faculty of Educational Sciences/Department have overall responsibility for ensuring that the current rules on handling research data are made known and complied with. Supervisors are responsible for ensuring that students comply with their responsibilities and that they maintain the privacy of respondents or informants engaged in student research at Bachelor’s and Master’s levels. Students are responsible for their projects, and for the privacy of anyone participating in research projects (respondents and informants) when any personal data about them is processed.

Students must familiarise themselves with and comply with the data processing guidelines. This should take place in consultation with their supervisors.

Please see the UiO’s page about privacy protection for students and supervisors.

What is personal data and sensitive personal information

Personal data is all data or assessments that can be linked to an individual, either directly or indirectly. For example, this applies to names, addresses, phone numbers, e-mail addresses, IP addresses, dates of birth, photos, audio recordings, video recordings and biometric information. Furthermore, various types of data relating to behaviour could be regarded as being personal data, e.g. shopping habits or online activities. When several data sources are linked, then data which is not in itself personally identifiable data could be regarded as being personal data.

Sensitive personal information is information which can only be collected for specific purposes, e.g. scientific research. This applies to information about racial or ethnic origins, political views, religious or philosophical beliefs, trade union membership, genetic information, biometric information, information about health, sexual relations or sexual persuasion, information about convictions or violations of the law.

Data classification

When you collect and process data, that data will be classified in various ways, depending on what it relates to. The UiO has drawn up a general classification list which identifies four categories: Green – open, Yellow – restricted, Red – confidential, and Black – highly confidential.  These classifications also apply to researchers and students at the ISS.

It is you, as a master's student, who is the project leader for your project. That means you are responsible for the data in the project. In consultation with your supervisor, you should have an overview of the data, assess that they are correctly classified, and ensure that you collect, process, and store data in a regulatory manner. SIKT will also be able to provide some recommendations on classification in their response letter, but ultimately, you have the final responsibility.

Data Management Plan

A Data Management Plan (DMP) is a document that describes how to handle the research data in a project: from start to finish, and after the project has been completed. A DMP is a document that will follow a research project and clarify what data will be generated, how that data shall be described, where it shall be stored and whether or not and how it can be shared. For students like you it is important that the Plan attempts to answer the following points:

1.    What sort of data you are going to collect
2.    Define how the data will be analysed and/or coded
3.    Explain how the data will be reproduced in your paper
4.    What you will do to ensure that all your data is good quality data
5.    Where and how you will store and archive the data
6.    When, how and what shall be made available to the public

You shall create your own data management plan for your project. Training on and working with your data management plan will be part of the tuition component associated with the Master’s thesis for your programme. You should consult your supervisor about this work.

Reporting projects to SIKT (previously NSD)

Projects involving the processing of personal data must be reported to the Norwegian Center for Research Data (SIKT).

SIKT's guidelines for research and whether you have an obligation to report you research.

As the formal project leader for the Master's thesis, the supervisor shall ensure that the reporting obligations are complied with where applicable. The practice at ISS is that you discuss this with your supervisor before reporting the project to SIKT.

In cases where you have two supervisors, the internal supervisor (employee at ISS) shall be listed as the project leader in the reporting form to SIKT.

Research Projects at ISS

All Master's projects at ISS that are reported to SIKT will automatically be reported in Forskpro. Forskpro is UiO's own tool for keeping track of ongoing and completed research projects. Forskpro is not publicly available online and is accessible to the research administration.

Report to SIKT about completed project

If you have processed/collected personal data that are subject to reporting to SIKT, it is important that you report when the project is completed upon submission of the Master's thesis, and what should happen to the personal data.

Data storage, deletion and archiving.

When you collect and process data, it is important that this takes place within a safe framework and that you use technical devices that are secure. This limits the chances of such data becoming lost, or prevents unauthorized persons from gaining access to it.
 
Once you have classified the data in your project, you can see what you will need to do in order to process it securely. There are various solutions available, depending on the type of classification which applies to the data in your project.

Please see the ISS’s storage guide for identifying the best solution for your project.

Processing, de-identifying and anonymising data

When you process data, you shall ensure that all personal data is de-identified or anonymised before it is removed from its storage location in the form of transcriptions and written data extracts, etc. After transcription it is common practice to delete raw data, but there are some exceptions (cf. under “Project Completion”).

■    De-identification: personally identifiable information is removed, but indirect personally identifiable information exists, e.g. in the form of scrambling keys.
■    Anonymisation: all personally identifiable information is deleted (including scrambling keys). NB: it will then no longer be possible for informants to withdraw from the survey in question.

Project completion – archiving/deletion

When a project has been completed the data should usually be deleted or anonymised.

If data is to be archived for further use, it will be necessary to obtain consent in advance. For further information about future use, please see the SIKT's documentation guide on archiving research data (PDF).

Consent form

When you collect data, you must be able to provide documentary proof to show that you have provided information and obtained consent from the people whose data you have registered, unless you use aggression level data (e.g. registry data). As a general rule the SIKT recommends the provision of written information and written consent.
You must prepare an information circular requesting participation and providing information about the study. The information you provide shall be brief, easy to understand and in an easily accessible form. SIKT has drawn up a template for information circulars and declarations of consent which you can use for your project. Both English and Norwegian versions of the template are available at the SIKT website.

Audio recordings and using Nettskjema dictaphones

Audio recordings will always be classified as being red data, since a person’s voice is personally sensitive and recognisable. This generates a certain amount of guidance on how you can make audio recordings and process them securely.
A secure solution based on Nettskjema has been developed, and you have your own recording app on your mobile phone. You should use this solution for all audio recordings in connection with your Master’s thesis, and avoid using dictaphones and other recording solutions.
Separate guidelines have been drawn up on setting up and using Nettskjema dictaphones, please see the guidelines.

Transcription

We would like to highlight two different tools for transcribing interviews that are available for you as a UiO student.

  • F4 transcript (in Norwegian). Manual transcription tool, with a lot of useful functionality. Can also be used to improve auto-generated transcriptions.
  • Autotext (in Norwegian). Autotext is a UiO-developed program that relies on OpenAI technology and is an automatic transcription program.

It is important to note that both solutions must be used through UiO Desktop, and files containing personal information should not be stored outside of suitable storage media (e.g. storage hotels).

Other matters relating to GDPR

Data Protection Impact Assessments (DPIA) will apply to highly sensitive projects. SIKT shall be notified if such are to be carried out. If you are notified that your project requires a DPIA, please contact the Data Management Section at the ISS.
A collective duty to provide information will apply if your project does not obtain specific consent from the study participants. SIKT shall be notified if this is necessary. If you are notified that your project is subject to a collective obligation to provide information, please contact
the Data Management Section at the ISS.

If you have any questions which have not been answered here, please contact the Data Management Section at the ISS.

GDPR and Master’s theses – a crash-course for ISS students

With effect from the spring of 2020, the ISS will be organising an information meeting – a lightening course – about GDPR and Master’s theses. This is an offer available for ALL Master’s students at the ISS: Master’s in Sociology, Master’s in Human Geography and the OLA Programme.

Information about courses will be given through your relevant master project course and Canvas.

This course will provide general information about GDPR and its implications for planning and implementing your Master’s thesis. The course is not compulsory, but  we would encourage all students who are in the initial stages of their Master’s projects to attend.

Presentations from previous courses

 

"How do I proceed with GDPR?"

This is a chronological checklist which you can use when you are about to start your Master’s thesis.

  1. Design and submit a draft for your Master’s thesis
  2. Design and submit a Data Management Plan.
  3. Report your project to the SIKT. You may be asked to enclose the following:
    1. Draft interview guide, if you wish to use qualitative interviews
    2. Draft info circular (information about your project for potential informants)
    3. Draft consent form
  4. When collecting data, ensure that your informants provide you with good information and give their consent, where relevant.
  5. If relevant, conduct interviews with a secure recording solution using Nettskjema’s dictaphone.
  6. Store all data securely throughout your project.
  7. During the project, use your Data Management Plan and revise it if necessary.
  8. When processing data, de-identify data which is obtained from your area in the UiO’s storage hotel. Please see the ISS’s storage guide for more information about storage hotels.
  9. Upon completion of your project, delete, anonymise and archive data in accordance with any agreements entered into.
  10. Report your project as having been completed to the SIKT.
  11. Send your completed Data Management Plan to your supervisor.

The UiO’s “Checklist for processing personal information in a Bachelor’s or Master’s thesis" (word) may also be useful. It will enable you to easily keep tabs on and cross off the privacy items which apply at the start of your project, while writing your thesis and when you have submitted your thesis.

 

Published Dec. 17, 2019 12:46 PM - Last modified Mar. 25, 2024 3:09 PM