Data management at ISS
Information is available here about how you can manage data during your Master’s project.
GDPR (General Data Protection Regulation) is a privacy regulation which has been adopted by the EU and enacted in Norway under an annex to the EEA Agreement. GDPR is a regulation "relating to the protection of natural persons in connection with the processing of personal data and the free exchange of such information." (Lovdata).
The provisions contained in these regulation affect all research projects that process personal data.
The UiO/Faculty of Educational Sciences/Department have overall responsibility for ensuring that the current rules on handling research data are made known and complied with. Supervisors are responsible for ensuring that students comply with their responsibilities and that they maintain the privacy of respondents or informants engaged in student research at Bachelor’s and Master’s levels. Students are responsible for their projects, and for the privacy of anyone participating in research projects (respondents and informants) when any personal data about them is processed.
Students must familiarise themselves with and comply with the data processing guidelines. This should take place in consultation with their supervisors.
What is personal data and sensitive personal information
Personal data is all data or assessments that can be linked to an individual, either directly or indirectly. For example, this applies to names, addresses, phone numbers, e-mail addresses, IP addresses, dates of birth, photos, audio recordings, video recordings and biometric information. Furthermore, various types of data relating to behaviour could be regarded as being personal data, e.g. shopping habits or online activities. When several data sources are linked, then data which is not in itself personally identifiable data could be regarded as being personal data.
Sensitive personal information is information which can only be collected for specific purposes, e.g. scientific research. This applies to information about racial or ethnic origins, political views, religious or philosophical beliefs, trade union membership, genetic information, biometric information, information about health, sexual relations or sexual persuasion, information about convictions or violations of the law.
When you collect and process data, that data will be classified in various ways, depending on what it relates to. The UiO has drawn up a general classification list which identifies four categories: Green – open, Yellow – restricted, Red – confidential, and Black – highly confidential. These classifications also apply to researchers and students at the ISS.
Data Management Plan
A Data Management Plan (DMP) is a document that describes how to handle the research data in a project: from start to finish, and after the project has been completed. A DMP is a document that will follow a research project and clarify what data will be generated, how that data shall be described, where it shall be stored and whether or not and how it can be shared. For students like you it is important that the Plan attempts to answer the following points:
1. What sort of data you are going to collect
2. Define how the data will be analysed and/or coded
3. Explain how the data will be reproduced in your paper
4. What you will do to ensure that all your data is good quality data
5. Where and how you will store and archive the data
6. When, how and what shall be made available to the public
You shall create your own data management plan for your project. Training on and working with your data management plan will be part of the tuition component associated with the Master’s thesis for your programme. You should consult your supervisor about this work.
Simple Data Management Plan (Word, English)
Enkel datahåndteringsplan (Word, norsk)
Reporting projects to NSD
Projects that involve the processing of personal data must be reported to the Norwegian Centre for Research Data (NSD)
As the formal project manager for your Master's thesis, your supervisor must ensure that this obligation to report projects is complied with when relevant. The practice at the ISS is for you to discuss this with your supervisor before you report your project to the NSD.
Reporting completed projects to the NSD
If you have processed/obtained personal data which needs to be reported to the NSD, it is important that you report that the project in question has been completed once your Master’s thesis has been handed in, and report what will happen to the personal data in question.
Data storage, deletion and archiving.
When you collect and process data, it is important that this takes place within a safe framework and that you use technical devices that are secure. This limits the chances of such data becoming lost, or prevents unauthorised persons from gaining access to it.
Once you have classified the data in your project, you can see what you will need to do in order to process it securely. There are various solutions available, depending on the type of classification which applies to the data in your project. Please see the ISS’s storage guide (Norwegian). You can also see the UiO’s general storage guide, which covers all platforms. UiO’s storage guide.
Processing, de-identifying and anonymising data
When you process data, you shall ensure that all personal data is de-identified or anonymised before it is removed from its storage location in the form of transcriptions and written data extracts, etc. After transcription it is common practice to delete raw data, but there are some exceptions (cf. under “Project Completion”).
■ De-identification: personally identifiable information is removed, but indirect personally identifiable information exists, e.g. in the form of scrambling keys.
■ Anonymisation: all personally identifiable information is deleted (including scrambling keys). NB: it will then no longer be possible for informants to withdraw from the survey in question.
Project completion – archiving/deletion
When a project has been completed the data should usually be deleted or anonymised.
If data is to be archived for further use, it will be necessary to obtain consent in advance. For further information about future use, please see the NSD’s documentation guide on archiving research data (PDF).
When you collect data, you must be able to provide documentary proof to show that you have provided information and obtained consent from the people whose data you have registered, unless you use aggression level data (e.g. registry data). As a general rule the NSD recommends the provision of written information and written consent.
You must prepare an information circular requesting participation and providing information about the study. The information you provide shall be brief, easy to understand and in an easily accessible form. The NSD has drawn up a template for information circulars and declarations of consent which you can use for your project. Both English and Norwegian versions of the template are available at the NSD website.
Audio recordings and using Nettskjema dictaphones
Audio recordings will always be classified as being red data, since a person’s voice is personally sensitive and recognisable. This generates a certain amount of guidance on how you can make audio recordings and process them securely.
A secure solution based on Nettskjema has been developed, and you have your own recording app on your mobile phone. You should use this solution for all audio recordings in connection with your Master’s thesis, and avoid using dictaphones and other recording solutions.
Separate guidelines have been drawn up on setting up and using Nettskjema dictaphones, please see the guidelines (also available in Norwegian).
Other matters relating to GDPR
Data Protection Impact Assessments (DPIA) will apply to highly sensitive projects. The NSD shall be notified if such are to be carried out. If you are notified that your project requires a DPIA, please contact the Data Management Section at the ISS.
A collective duty to provide information will apply if your project does not obtain specific consent from the study participants. The NSD shall be notified if this is necessary. If you are notified that your project is subject to a collective obligation to provide information, please contact
the Data Management Section at the ISS.
If you have any questions which have not been answered here, please contact the Data Management Section at the ISS.
GDPR and Master’s theses – a crash-course for ISS students
With effect from the spring of 2020, the ISS will be organising an information meeting – a lightening course – about GDPR and Master’s theses. This is an offer available for ALL Master’s students at the ISS: Master’s in Sociology, Master’s in Human Geography and the OLA Programme.
Next course: Wednesday 27.1.2021 10:00-12:00. The course will be held in Zoom. Link to follow.
This course will provide general information about GDPR and its implications for planning and implementing your Master’s thesis. The course is not compulsory, but we would encourage all students who are in the initial stages of their Master’s projects to attend.
Powerpoint from course
Here you can view slides from the first course, held in January 2020, held by Anne Bergsaker and Annika Rockenberger. PDF
"How do I proceed with GDPR?"
This is a chronological checklist which you can use when you are about to start your Master’s thesis.
- Design and submit a draft for your Master’s thesis
- Design and submit a Data Management Plan.
- Report your project to the NSD. You may be asked to enclose the following:
- Draft interview guide, if you wish to use qualitative interviews
- Draft info circular (information about your project for potential informants)
- Draft consent form
- When collecting data, ensure that your informants provide you with good information and give their consent, where relevant.
- If relevant, conduct interviews with a secure recording solution using Nettskjema’s dictaphone.
- Store all data securely throughout your project.
- During the project, use your Data Management Plan and revise it if necessary.
- When processing data, de-identify data which is obtained from your area in the UiO’s storage hotel. Please see the ISS’s storage guide for more information about storage hotels.
- Upon completion of your project, delete, anonymise and archive data in accordance with any agreements entered into.
- Report your project as having been completed to the NSD.
- Send your completed Data Management Plan to your supervisor.
The UiO’s “Checklist for processing personal information in a Bachelor’s or Master’s thesis" (word) may also be useful. It will enable you to easily keep tabs on and cross off the privacy items which apply at the start of your project, while writing your thesis and when you have submitted your thesis.