Skip to content Skip to footer

Legal and ethical requirements, codes of conduct

(If legal/ethical aspects are relevant, make sure data security is sufficiently addressed under 3 - Storage and backup)

4a - If personal data are processed, how will compliance with legislation on personal data and on data security be ensured?

Science Europe DMP Guidance License: CC BY 4.0 - annotated

Personal privacy is here addressed purely from a legal perspective, if working with personal data this should also be addressed under 4c ethical issues. Processing of personal data and or health data affects the need for data security in the project, make sure this is appropriately addressed under 3b - How will data security and protection of sensitive data be taken care of during the research?.

For the legal details in Norway, please consult:

If conducting health research, consult the Health Research Act and the Health Registry Act.

In this context also the following laws and regulations might be relevant:

4a.1
Ensure that when dealing with personal data data protection laws (for example GDPR) are complied with:

According to GDPR there are two options for legal bases for processing of personal data in research, consent and p interest in research purposes, if the later is used consent is collected for compliance with ethical guidelines.

4a.2

  • Gain informed consent for preservation and/or sharing of personal data.

Please note that the specific ‘consent’ under GDPR as a legal basis is not equivalent with ‘informed consent’ in the context of health research. For more information please consult the Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) of the European data protection board.

If consent is used as legal basis for processing of personal data consider asking for permission to archive the data for the purpose of future research, and possibly also educational purposes as part of both the informed and specific consent. It is advisable to use standard consent clauses, which can be reflected with machine readable metadata (See e.g. the GA4GH ethical toolkit as an example for human genetic data)

4a.3

  • Consider anonymisation of personal data for preservation and/or sharing (truly anonymous data are no longer considered personal data).

The relevance of anonymisation will depend on the data type and other available information.

4a.4

  • Consider pseudonymisation of personal data (the main difference with anonymisation is that pseudonymisation is reversible).

Pseudonymisation is removal of names and other directly identifiable information, and follows the principle of data minimisation which is removing or not collecting more personal information than strictly necessary for the purpose. This includes the storage of information for re-identifaction in a separate system, which is not accessible for the researchers.

4a.5

  • Consider encryption which is seen as a special case of pseudonymisation (the encryption key must be stored separately from the data, for instance by a trusted third party).

Ignore this, encryption should be addressed under 3 - Storage and backup.

4a.6

  • Explain whether there is a managed access procedure in place for authorised users of personal data.

Make sure this is addressed under 3 - Storage and backup, in addition consider who should have and manage access at and archiving stage.

If the data should be available for future research contact the archive you wish to deposit the data in and make sure that you collect the correct consents at data collection, so that the data can be archived and used for future research when the project period is over. If data should be archived later under controlled access, the data access committee should be defined as early as possible and should be independent from the researcher.

Science Europe DMP Evaluation Rubric: sufficiently addressed

  • Clearly indicates if personal data will be collected/used as part of the project, and, if applicable, how compliance with applicable legislation will be ensured (for example by gaining informed consent, considering encryption, anonymisation, or pseudonymisation).
  • Describes the procedure to manage access to only authorised users.

Coverage in RDA Common Standard for maDMP License: Unlicense

[Properties in dmp]

[Properties in dataset]

[Properties in security and privacy]

Missing:

  • Description of legal issues
  • Identification of ethical/legal issues at dmp level

Other DMP guidance

Guidance from NFR

  • How are GDPR and the Personal Data Act complied with when handling/ processing personal data?
  • Is informed consent for long-term preservation and possibly sharing of personal data used?
  • Is anonymization, pseudonymization or encryption of personal data being considered for long-term preservation and/or sharing?
  • Should a managed procedure be used for authorized access to personal data? (Rights and legal requirements and codes of conduct)

Horizon Europe DMP Template

[6. Ethics]

  • Are there, or could there be, any ethics or legal issues that can have an impact on data sharing? These can also be discussed in the context of the ethics review. If relevant, include references to ethics deliverables and ethics chapter in the Description of the Action (DoA).
  • Will informed consent for data sharing and long term preservation be included in questionnaires dealing with personal data?

FAIRsFAIR FAIR-Aware Additional Guidance License: CC BY 4.0

Knowledge for support staff

  • NB! encryption is problematic for long-term preservation (e.g. NFR guidance)
  • What is personal data & special category personal data, which laws & guidelines apply, responsibilities (e.g. DPO)
  • If personal data is processed, which legal bases for data processing is used (usually relevant: public intrest or consent)?
  • If research is legal basis for data processing, then consent is is part of 4c below.
  • Use data minimisation as a strategy to avoid unwanted privacy breaches.
  • Explain whether there is a managed access procedure in place for authorised users of personal data. Ensure that this aspect is covered under storage 3b - How will data security and protection of sensitive data be taken care of during the research?.

Institutional privacy policies

National regulations of potential relevance

Data privacy
Health research data
Other laws of potential relevance

Data Minimization

Data Anonymization

Knowledge for users

  • National regulations
  • Personal data, special categories of personal data
  • GDPR legal basis (behandlingsgrunnlag)
  • Data minimization principle
  • Informed consent, granular consent
  • Health data
  • De-identification - pseudonymisation
  • Anonymization

Existing sources that can be reused

NTNU - DMP Guidance

If your project includes personal data (any information relating to an identified or identifiable person), consider using the NSD DMP tool. To ensure compliance with GDPR, all projects with personal data are required to send a notification form describing all relevant elements of the planned data processing to Norwegian Centre for Research Data (NSD)/SIKT for an assessment. (The only exception: health research projects at the Faculty of Medicine and Health Sciences.)

All projects with personal data must perform a risk assessment before data collection begins. Relevant documents: Collection of personal data for research projects (NTNU)

UiT - DMP guidance

Which data will be preserved, and which will be destroyed at the end of the project?

Will (a selection of) the data be long-term preserved, and how is this decided? (According to section 4.2 in the UiT guidelines, researchers have to assess the long-term value of their data, and describe how they will be managed.)

Will the data be made openly available? If only a selection of the data will be openly available, specify which data. (According to section 1 in the UiT guidelines, research data shall be made openly available, unless considerations regarding security, personal privacy, commercial or legal issues demand limitation of access.)

Does the material contain confidential information (e.g. personal data and data with security classification) that requires special treatment and/or limits the access to the material during/after the project?] Why is this important? If the material contains confidential information, you must guarantee that it’s protected from unauthorised access. Contact your organization’s IT security office to make sure that data are handled correctly for their information classification level (see the paragraph above).

SIKT DMP License: CC BY 4.0

Each research institution must ensure that research at their institution is in accordance with recognised research ethical norms. It is therefore important that researchers are familiar with, and comply with, relevant and recognised research ethical guidelines. Note that in interdisciplinary projects it may be relevant to refer to guidelines for several subject areas. For more information about the ethical responsibilities of research and research institutions, see the Research Ethics Act.

EasyDMP License: CC0-1.0

Legal and ethical requirements, codes of conduct – covers the steps that you will take to ensure the legal and ethical requirements for your data are followed.

If your project uses personal data, describe how you will ensure compliance with legislation on personal data and security - you should include how you plan to obtain consent, how you will manage the data (e.g. anonymisation of the data, access, transfer - if applicable, and destruction). You should include documentation on approved procedures that you plan to adopt.

SND - Checklist DMP License: CC BY 4.0

Does the material contain confidential information (e.g. personal data and data with security classification) that requires special treatment and/or limits the access to the material during/after the project? Why is this important? If the material contains confidential information, you must guarantee that it’s protected from unauthorised access. Contact your organisation’s IT security office to make sure that data are handled correctly for their information classification level (see the paragraph above).

If the research project will include processing of personal data, the research subjects need to receive thorough and transparent information about the data processing. The legal basis for processing personal data for research purposes is, for the most part, public interest. This means that the researcher can process personal data, but that a data controller is required to supply thorough information about how the data are processed. Why is this important? The General Data Protection Regulation (GDPR) regulates on which legal grounds personal data can be lawfully processed. One requirement is that the research subjects receive thorough information about which personal data will be processed and how they will be processed in the project. This means that the research subjects are informed about for what purpose and on what legal grounds the processing will be made. By giving the research subjects information about the personal data processing, they gain insight into and control over what information about them is processed.

How will the research subjects’ identities be protected? Why is this important? Protecting the personal integrity of research subjects (see the General Data Protection Regulation, GDPR) is a fundamental principle in research and an important ethical responsibility to the participants in a research project. During the project, data that contain personal information need to be securely stored, in compliance with the guidelines at your university/organization. Research material may also contain special category personal data that need to be classified to protect the integrity of research subjects. Therefore, it’s important to have routines for how to handle requests to access personal data in accordance with the principle of public access to information. When the project is finished and the data material shall be made accessible, it’s also important to guarantee that the individuals in the study cannot be re-identified (i.e. identified through indirect identifiers in the data material). This can be done by de-identification measures or pseudonymisation of the data, such as coding or encryption.

Has the personal data processing been reported to the data protection officer, in compliance with the research principal’s policies? Why is this important? Research material that will contain personal data has to be reported to the data protection officer. The research principal is legally obligated (GDPR, Article 30) to keep a record of all projects where personal data are processed.

10 steps towards privacy compliance in research License: CC BY 4.0

  1. Keep the GDPR in mind when designing your research: Do you need to collect personal data, why, and how much?
  2. Make sure you have a legal basis to use personal data, e.g., public interest or consent
  3. Document privacy risks and privacy-related decisions, e.g., in a Data Management Plan, privacy scan, or Data Protection Impact Assessment
  4. Arrange ethics review. Ethics review makes sure that you have also taken ethical implications into account
  5. Inform participants properly, e.g., in an information letter, oral script, privacy statement
  6. Protect your data with organisational measures, e.g., access control, agreements with external parties, data protection policies, researcher training
  7. Protect your data with technical measures, e.g., anonymise, pseudonymise, encrypt your data, use safe storage
  8. Enable participants to exercise their rights, e.g., right to data access, correction, objection, erasure
  9. FAIR data: balance risks and Open Science principles, e.g., share under restricted access, or only share metadata and materials
  10. Ask for help when you need it! Contact your privacy officer or data steward for support

4b - How will other legal issues, such as intellectual property rights and ownership, be managed? What legislation is applicable?

Science Europe Guidance License: CC BY 4.0 - annotated

If relevant also export control, protection of cultural heritage (Kulturminneloven), commercial interests. etc. should be discussed here.

4b.1
Explain who will be the owner of the data, meaning who will have the rights to control access:

The data owner will differe depending on how the data are assembled. For data generated or collected as part of the reseach, the data owner is ususally the researcher(s). For data from different sources the data owner with be the custodian holding the rights to and providing you with access to the data. If personal data involved: owner of the data is “data controller” as defined in GDPR. Awareness of who have the rights to controll access is essential to plan for futhre sharing of data.

4b.2

  • Explain what access conditions will apply to the data? Will the data be openly accessible, or will there be access restrictions? In the latter case, which? Consider the use of data access and re-use licenses.

Applies to both access control in the active phase and restricted access after data publication. Re-use can be limited by licenses or other reuse terms (e.g. data use ontology, informed consent ontology, data privacy vocabulary, Data Tags Suite)

4b.3

  • Make sure to cover these matters of rights to control access to data for multi-partner projects and multiple data owners, in the consortium agreement.

Important to cover this in collaborative agreements. Legal requirements for data processor and joint data controller agreements.

4b.4
Indicate whether intellectual property rights (for example Database Directive, sui generis rights) are affected. If so, explain which and how will they be dealt with.

Much research data can be protected as databases. Inform yourself about to what extent copyright applies to the data you create or collect, agreements you have with your employer regarding ownership. Intellectual property might affect how open the data can be shared with others.

Consult:

  • Funders requirements regarding licencing.
  • National recommendations for licencing of research data; How should we share research data?
  • Institutional policies for intellectual property (IPR).
  • Institutional recommendations for licensing.

4b.5
Indicate whether there are any restrictions on the re-use of third-party data?

Is there restrictionst to re-use in the active phase of the project? Is there restrictions to sharing project results? Data from external parties, can have restrictions on sharing. Some research data will be covered by copyright, this is relevant for reuse of copyrighted material for research purposes.

Science Europe DMP Evaluation Rubric: sufficiently addressed

Clearly explains, if applicable:

  • Who will have the rights to control access to which part of the data.
  • What access conditions and re-use licenses will apply to the data.
  • Clearly explains, if applicable, how intellectual property rights will be managed.
  • Explains for multi-partner projects and multiple data owners how these matters are addressed in the consortium agreement.
  • Alternatively, there is a clear statement that there are no such restrictions on the data.
  • Indicates, if applicable, whether there are any restrictions on the re-use of thirdparty data.

Coverage in RDA Common Standard for maDMP License: Unlicense

[Properties in dataset]

Missing:

  • legal issues such as IPR are hardly covered?

Other DMP guidance

Guidance from NFR

  • Which legal entities have rights to and/or rights to determine the use of the research data?
  • Will the data be openly accessible or with access restrictions, if so, what access restrictions? One example is that access to data is only granted via an authentication service.
  • Will there be any purpose restrictions, such as that the data can only be used for non-commercial purposes, and if so, why?
  • Which dedications to public domain or licenses should be applied to the research data?
  • Where the project involves several partners and/or several legal or natural persons with rights to research data; How should rights to control data access be managed in the project?
  • Where the research data falls under copyright or database protection under the Copyright Act; What rights apply and how will this be managed in the project? When using data from a third party; What access and purpose restrictions, if any, apply to this data? (Rights and legal requirements and codes of conduct)

Horizon Europe DMP Template

  • not covered

FAIRsFAIR FAIR-Aware Additional Guidance License: CC BY 4.0

Knowledge for support staff

Relevant legislation and documents

Institutional IPR policies:

Knowledge for users

  • legislation, legal challenges (e.g. different legislations)
  • possible restrictions, where to find information
  • ethics resources at their institutions (list with links)
  • IPR at their institutions (list with links)
  • commercial interests, patent applications and implications
  • licensing

Existing sources that can be reused

NTNU - DMP guidance

Consider who will have ownership and/or rights to the data (including copyright), meaning who will have the rights or responsibility to control access, and later decide publishing. In general, if the research project is conducted by NTNU employees, NTNU will have ownership to results and IPR (see the IPR policy, part 4.3), The Policy for Open Science at NTNU states that results from research at NTNU should made publicly available if possible (for Licensing principles see part 3.1 in Guidelines for Open Science). Therefore, consider what data (and other results, like code, models, simulations etc) be openly accessible after the project is finalized, or will there be access restrictions? In the latter case, what restrictions and why?

If there are external partners, how will this affect ownership and sharing of data and other intellectual property rights (IPR)? Make sure to cover these matters of rights to control access to data for multi-partner projects and multiple data owners, in the consortium agreement. See wiki for more information on templates and agreements.

Note that in some cases, export control regulations will apply to the project results. See Control of knowledge transfer at Innsida for more information.

UiT - DMP guidance

Who has ownership of the data? (Normally UiT, unless ownership has been agreed on differently e.g. with external collaborators.)

How will the data be licensed for reuse? (According to section 4.5 in the UiT guidelines, research data shall be equipped with licenses for access, reuse, and dissemination. These licenses should be internationally recognised and set as few limitations on the data as possible. The researcher must ensure that licenses and applicable conditions for the use or sharing of third party data are complied with.)

SIKT DMP License: CC BY 4.0

Generally, the rights to project results should be transferred from the researchers (and possibly others who have helped create such results) to the institution(s) where the researchers are employed. This is in accordance with the Employees’ Inventions Act, and in accordance with the objectives of the Act relating to universities and university colleges (see in particular §1-5, Academic freedom and responsibility). See also the Norwegian Research Council’s Policy on Intellectual Property Rights.

EasyDMP License: CC0-1.0

Describe how you plan to address other legal issues such as intellectual property rights and ownership - you should describe who will own the data (who has access rights) and intellectual property rights and what license you will apply to the data. You should consider an internationally recognised license to maximise data reuse. If you are reusing data, you should describe any restrictions imposed by this data.

SND - Checklist DMP License: CC BY 4.0

[Refer to the information security guidelines and policies in your university/organization and define what implications they have. What information classification level does the data material have and what security measures are needed to protect the material? Who should have access to the project data during the project and how do you plan to protect the data from unauthorised access?]

Why is this important? Access to the data material must be restricted so that authorised people can access it, but it is protected from unauthorised access. Secure work and storage environments can include access restriction (e.g. passwords), encryption, and virus and access protection. You may need to contact your organization’s IT security office to make sure that you have addressed all questions regarding information security before the data collection begins.

[Are there any copyright and/or intellectual property rights to consider? Do you need permission to collect the material that is going to be used?] Why is this important? Copyright is protected in the Swedish constitution (Chapter 2, Article 19) and regulated in the Act (SFS 1960:729) on Copyright in Literary and Artistic Works. Copyright sets out a number of rights for the creator (author) of a work, and a number of limitations for the user. The Swedish Copyright Act regulates when and how the author’s work can be used. Permission to use copyright-protected material includes consent, agreements, licenses, and the permission to use material after the duration of copyright has passed (>70 years).

4c - How will possible ethical issues be taken into account, and codes of conduct followed?

Science Europe Guidance License: CC BY 4.0 - annotated

4c.1
Consider whether ethical issues can affect how data are stored and transferred, who can see or use them, and how long they are kept.

Make sure this is appropriately addressed under 3b - How will data security and protection of sensitive data be taken care of during the research?.

4c.2
Demonstrate awareness of these aspects and respective planning. Follow the national and international codes of conducts and institutional ethical guidelines, and check if ethical review (for example by an ethics committee) is required for data collection in the research project.

Ministry of Education and Research - Research Ethics provides and overview on relevant comittees and commissions.

The National Research Ethics Committees (De nasjonale forskningsetiske komiteene, FEK) are the most important professional bodies for research ethics in Norway. They are adapted to the different areas of research and academically independent:

Ethical review is required for medical and health research and conducted by the different Regional Committees for Medical and Health Research Ethics (Regionale komiteer for medisinsk og helsefaglig forskningsetikk, REK).

It is less common that the institutions have ethics committees.

The guide to institutions responsibility for research ethics, in Norwegian only, Veileder institusjonenens ansvar forskingsetikk

EU/H2020’s guidelines on How to complete your ethics self-assessment.

Be aware of international codes of conduct including but not limited to:

Also reflect on and consulting communities and general Responsible Research and Innovation (RRI) guidelines.

Science Europe DMP Evaluation Rubric: sufficiently addressed

  • Provides details of what ethical issues have been considered that may affect data storage, transfer, use, sharing and/ or preservation, and demonstrates that adequate measures are in place to manage ethical requirements.
  • Mentions, if applicable, whether ethical review is being pursued. If ethical approval has been obtained, refers to the relevant committee and documents.
  • Refers to relevant ethical guidelines and/or codes of conduct or alternatively provides a clear statement that explains why ethical issues have not been considered.

Coverage in RDA Common Standard for maDMP License: Unlicense

[Properties in dmp]

[Properties in dataset]

Missing:

  • ethical approvals
  • references to ethical guidelines

Other DMP guidance

Guidance from NFR

[Rights and legal requirements and codes of conduct]

  • What ethical issues can affect how data is stored and transferred, who has data access to view or use the data, and how long it should be kept?
  • Which institutional, national and/or international guidelines for research ethics apply to the project? Examples may be approval from regional committees for medical and health research ethics (REK) or the Norwegian Food Safety Authority.

Horizon Europe DMP Template

  • not covered

FAIRsFAIR FAIR-Aware Additional Guidance License: CC BY 4.0

Knowledge for support staff

Institutional resources on research ethics:

Knowledge for users

  • Awareness of ethical issues and implications, relevant documents
  • Local ethical resources and boards

Existing sources that can be reused

NTNU - DMP Guidance

Is an ethical review (for example by an ethics committee/REK or approval of use of experimental animals) required for data collection in the research project?

UiT - DMP guidance

Are you going to collect informed consent to store and share the data? If so, how? How are you going to secure confidentiality and identity protection?

SIKT DMP License: CC BY 4.0

Add any comments on issues related to for example: research on human embryos and fetuses, and/or human cells and tissues; collection of personal data and obtaining consent; animal research; research in non-EU countries; unintended effects on the environment, health and safety; and the potential misuse of research results. See also EU/H2020’s guidelines on How to complete your ethics self-assessment.

SND - Checklist DMP License: CC BY 4.0

[Does the project need ethical approval or has it been approved? Enter the reference number here.]

Why is this important? Research that falls under the scope of the Act (2003:460) concerning the Ethical Review of Research Involving Humans (the Ethical Review Act, updated 2020-01-01) can only be carried out after ethical approval, which is applied for by the research principal. Without ethical approval, the research is illegal and subject to legal consequences. Ethical approval is also needed for research that involves animal testing.

DMP Tuuli License: CC BY 4.0

How will you manage the rights of the data you use, produce and share? (2.2) Describe how you will agree upon the rights of use related to your research data – including the collected, produced and (re)used data of your project. Here, you can employ your categorisation in the first question. Each of these categories involves different rights and licenses. Describe the transfer of rights procedures relevant to your project. Describe confidentiality issues if applicable in your project. License your data!

Tips for best practices

  • Agreements on rights of use should be made as early as possible in the project life cycle.
  • Have you gained consent for data preservation and sharing? • Follow the funder’s or publisher’s policies.
  • It is recommended to make all of the research data, code and software created within a research project available for reuse, e.g., under a Creative Commons, GNU or MIT license, or under another relevant license.
Contributors
Jenny Ostrop Lead

University of Bergen (UiB)

Korbinian Bösl Contributor

University of Bergen (UiB), ELIXIR Norway

Live Kvale Contributor

University of Oslo (UiO)