
Legal and ethical aspects

About this chapter

National legislation, institutional guidelines and international norms have implications for the handling of research data. Often there is a need to balance availability and openness with confidentiality. Both researchers and research institutions are legally responsible for complying with legal and ethical requirements.

The research-performing organisation(s)

The research institution has an overarching responsibility for following the applicable legislation and ensuring that research ethical norms are followed. In all research collaborations, it is important to define responsibilities and document them in agreements or contracts.

Research organisations commonly have policies or guidelines for data management, sometimes as part of Open Science guidelines. There may also be specific routines or processes to be followed. Identifying such policies, guidelines, or processes will help you recognize research data management requirements and routines to be aware of.

According to the Act relating to the processing of personal data (The Personal Data Act, Norwegian: Personvernloven), the host organisation is usually the data controller. If responsibility is to be shared between organisations, this must be contractually specified.

In projects that are regulated by the Health Research Act (Norwegian: Helseforskningsloven), the host organisation acts as research-responsible entity (Norwegian: Forskningsansvarlig).

Research Ethical Guidelines and Codes of conduct

The Act on Ethics and Integrity in Research (Norwegian: Forskningsetikkloven) defines responsibilities of both research institutions and individual researchers. Furthermore, it defines an advisory role of National Research Ethics Committees that provide research area-specific guidance. Health research is handled by Regional Ethics Committees.

The National Research Ethics Committees (FEK):

In addition, subject-specific ethical guidelines and codes of conduct commonly apply.

Ethical considerations may affect how data will be handled and shared; knowledge of generic and subject-specific research ethical guidelines and codes of conduct is therefore important.

Further information:

Institutional resources on research ethics:

Ethical approvals

For certain projects, an ethical pre-approval is needed to execute the project. The approval case numbers should be referred to in the DMP. It is the responsibility of the researcher to make sure that the project and associated data are in agreement with current legislation.

Research projects conducting medical and health research on human beings, human biological material or personal health data must be pre-approved by the Regional committees for medical and health research ethics (REK):

Research projects conducting animal experiments must seek pre-approval from the Norwegian Food Safety Authority (Norwegian: Mattilsynet), which is handled through the FOTS application portal:

While more common in other countries, institutional ethical committees have currently been established only at selected organisations and faculties in Norway. Contact research advisors or research support staff about local routines.

Personal data and data privacy

As processing of personal data is followed by data management requirements, being specific about personal data is part of the DMP. It is the responsibility of the researcher to make sure that data processing is in agreement with the national legislation and institutional policies and routines.

Personal data is any information that can be linked to an identifiable person. This includes indirect identification. If data can identify a person directly or indirectly at any stage in the research process, the processing of personal data must be in accordance with The Personal Data Act (Norwegian: Lov om behandling av personopplysninger (personopplysningsloven)), which incorporates the EU General Data Protection Regulation (GDPR) in Norway. Any processing of personal data requires a lawful basis. Special precautions must be taken for special categories of personal data (often called personal sensitive data) containing information about racial or ethnic origin, political beliefs, religion, philosophical beliefs, trade union memberships, genetic and biometric information, health information, or sexual information.

It is a common misunderstanding that research ethics and privacy protection are the same thing. It is important to remember that complying with privacy legislation and making research ethical considerations are independent processes. Read more about the distinction between data protection and privacy by National Research Ethics Committees: The Personal Data Act - Research ethics - far more than privacy

Institutional privacy policies:

Sensitive data

Personal data is only one of many reasons to take precautions when processing and storing data. The guiding principle in research data management and making data accessible is “as open as possible, as closed as necessary”.

Reasons for sensitivity (non-exhaustive):

Further information:

Institutional IPR policies:

Question-specific guidance

Involved organisation(s)

Specifying the host institution and possible collaboration partners is important as this defines legal responsibilities and implies which guidelines are to be followed.
Read more about The research-performing organisation(s).

We use an integration with the Research Organization Registry (ROR) to unambiguously identify institutions. In case the organisation is not registered, type the name and click outside of the text box and the string will be saved.

Please identify both the host institution (in multi-partner projects: coordinating institution) and possible collaboration partners or external parties/subcontractors contributing to the project. If your project has scientific collaborators or external partners, please indicate any relevant contracts or collaboration agreements for later reference.

We assume that the localization of the host organisation (in multi-partner projects: coordinating organisation) defines the applicable legislation. If this should not apply, make sure to indicate this as a relevant agreement related to the collaboration partner.

For help with contract-related questions contact legal advisors at your institution:

Further information:

Indicate relevant policies and guidelines for research data management or Open Science

Specifying relevant guidelines, policies or processes will help you recognize research data management requirements and routines to be aware of.

Identify relevant policies, guidelines or processes applicable to your project. In addition to selecting from a list of common policies, you can manually add (additional) references. Investigate, for example, whether your research unit has defined its own guidelines.

You can select from the following list of common policies and guidelines:

Further information:

Indicate applicable general research ethical guidelines

All researchers are to follow general research ethical guidelines, and ethical considerations may affect how data will be handled and shared.

You can select from the following list of general research ethical guidelines, based on resources provided by the National Research Ethics Committees:

Read more about Research Ethical Guidelines and Codes of conduct.

Are additional ethical guidelines or codes of conduct relevant?

Being aware of research ethical guidelines and codes of conduct is important as ethical considerations may affect how data will be handled and shared.

Please indicate any additional ethical guidelines or codes of conduct relevant for the project. Examples (non-exhaustive):

Further information:

Read more about Research Ethical Guidelines and Codes of conduct.

Does the project require ethical pre-approval?

If the project involves health research, use of human biological material, testing on animals or similar, a pre-approval is likely needed to execute the project. The approval case numbers should be referred to in the DMP.

NB! Registrations of the legal basis of processing personal data are not the same as a research ethics assessment and should therefore not be included here, but addressed in the next question.

Read more about Ethical approvals.

Will any data connected to a person (“personal data”) be collected/processed?

Personal data is any information that can be linked to a living person. This includes indirect identification. If data can identify a person directly or indirectly at any stage in the research process, the processing of personal data must be in accordance with The Personal Data Act (Norwegian: Personopplysningsloven), which incorporates the EU General Data Protection Regulation (GDPR) in Norway.

All processing of personal data must be in accordance with The Personal Data Act (Norwegian: Personopplysningsloven), which incorporates the EU General Data Protection Regulation (GDPR) in Norway. The principle of data minimisation should be followed and the collection of personal information should be limited to what is directly relevant and necessary to accomplish a specified purpose.

If personal data are collected/processed, make sure to classify information security and choose storage and backup solutions accordingly. This should be described in the chapter ‘Storage and backup’ and wherever relevant.

Even if data should be truly anonymous and is therefore not considered personal data, i.e. data collected anonymously and not linked, directly or indirectly, to a person at any stage of the research process, it is worthwhile to document research ethical considerations connected to data collection and participant information and how anonymity of the data is ensured. If data is anonymized during the course of the research project, it is considered processing of personal data.

Read more about Personal data and data privacy.

Which institutional privacy routines apply?

Privacy routines at research organisations may differ from each other; it is therefore important to familiarise yourself with the applicable policies and guidelines at your institution.

Norwegian University of Science and Technology (NTNU)
University of Bergen (UiB)
University of Oslo (UiO)
UiT The Arctic University of Norway (UiT)

GDPR considerations

As data controller, the research-performing organisation is required to maintain a record of processing activities under its responsibility (GDPR article 30). The respective routines differ between institutions and it is the researcher's responsibility to become familiar with the requirements at their organisation. Some of the information will overlap with the data management plan, but unfortunately an automatic information exchange between the systems is currently not possible.

In accordance with GDPR article 35, the necessity of conducting a Data Protection Impact Assessment (DPIA) must be assessed for each project. Again, routines differ between institutions.

GDPR considerations are registered in another system

In case you already described the processing of personal data in detail in other systems, you can refer to these registration(s). Specify the respective registration system and the identifier of the project registration. Questions regarding lawful processing of personal data and routines at your organisation should be directed to the respective Data Protection Officer (DPO, Norwegian: Personvernombud).

GDPR considerations step-by-step

These questions will guide you through relevant considerations concerning collecting/processing personal data in accordance with GDPR. Be aware that you may have to register processing of personal data in additional systems as required by your organisation.

Lack of documented permission of study participants to share data is a major obstacle to making research data available, and such permission is often impossible to obtain in retrospect. It is therefore crucial to include information about planned data sharing in the participant information or consent forms. Ideally, the permission should be requested in a granular way, with a distinct permission for making data available. Unfortunately, finding good guidance on this topic and examples of consent forms that are adapted to European legislation is not always easy.

It is important to remember that the ethical requirement to obtain permission for data sharing from study participants is independent of the legal basis (Norwegian: behandlingsgrunnlag) for processing of personal data as required by GDPR. This difference will however not be evident for research participants.

Research regulated by the Health Research Act

For medical and health research projects, the requirement for obtaining informed consent from subjects is described in chapter 4 of the Health Research Act (Norwegian: Lov om medisinsk og helsefaglig forskning (helseforskningsloven)).

Please note that the specific ‘consent’ under GDPR as a legal basis is not equivalent to ‘informed consent’ in the context of health research. For more information please consult the Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) of the European Data Protection Board.

Consent is a possible legal basis for processing of personal data under GDPR. For processing of certain types of personal data, stricter requirements apply and processing needs to be based on a condition in addition to the legal basis. Explicit consent is one such possible condition, which must be freely given, specific, informed and unambiguous (GDPR article 9, article 7, and recital 32).

If consent is used as legal basis for processing of personal data, consider asking for permission to archive the data for the purpose of future research, and possibly also educational purposes, as part of both the informed and specific consent. It is advisable to use standard consent clauses, which can be reflected with machine-readable metadata.

Applying public interest as legal basis for scientific research projects is advisable. For compliance with ethical guidelines, permission to archive the data for the purpose of future research, and possibly also educational purposes, should be collected and documented.

Further information:

Institutional resources on participant information and consent:

Will sensitive information (apart from special category personal data) be collected/processed?

Read more about Sensitive data.

Further resources

Contributors