Legal and ethical aspects

About this chapter

National legislation, institutional guidelines and international norms have implications for the handling of research data. Often there is a need to balance availability and openness with confidentially. Both researchers and research institutions are legally responsible for complying with legal and ethical requirements.

The research-performing institution(s)

The research institution has an overarching responsibility for following the applicable legislation and ensuring that research ethical norms are followed. In all research collaborations, it is important to define roles and responsibilities and document them in agreements or contracts.

Research institution commonly have policies or guidelines for data management, sometimes as part of Open Science guidelines. There may also be specific routines or processes to be followed. Identifying such policies, guidelines, or processes will help you recognize research data management requirements and routines to be aware of.

According to the Act relating to the processing of personal data (The Personal Data Act, Norwegian: Personvernloven) the host institution usually is the data controller. If responsibility is to be shared between institution, this must be contractually specified.

In projects that are regulated by the Health Research Act (Norwegian: Helseforskningsloven), the host institution acts as research-responsible entity (Norwegian: Forskningsansvarlig).

Research Ethical Guidelines and Codes of conduct

Ethical considerations may affect how data will be handled and shared, therefore knowledge of generic and subject-specific research ethical guidelines and codes of conduct is important. The Act on Ethics and Integrity in Research (Norwegian: Forskningsetikkloven) defines responsibilities of both research institutions and individual researchers. Furthermore, it defines an advisory role of National Research Ethics Committees that provide research area-specific guidance. Health research is handled by the Regional Ethics Committees (REK).

The National Research Ethics Committees (FEK):

• National Committee for Medical and Health Research Ethics (NEM)
• National Committee for Research Ethics in the Social Sciences and the Humanities (NESH)
• National Committee for Research Ethics in Science and Technology (NENT)
• National Commission for the Investigation of Research Misconduct (GRU)
• National Committee for Research Ethics on Human Remains, interdisciplinary (SKJ)

In addition, subject-specific ethical guidelines and codes of conduct commonly apply.

Further information:

• Ethical aspects (RDMkit): Which aspects of RDM might raise ethical issues?
• Protect (CESSDA DMEG): Ethics and data protection

Ethical approvals

For certain projects, an ethical pre-approval is needed to execute the project. The approval case numbers should be referred to in the DMP. It is the responsibility of the Researcher to make sure that the project and associated data is managed in agreement with current legislation and research ethical norms.

Research projects conducting medical and health research on human beings, human biological material or personal health data must be pre-approved by the Regional committees for medical and health research ethics (REK):

• Regional Committees for Medical and Health Research Ethics
• REK-portalen

Research projects conducting animal experiments must seek pre-approval from the Norwegian Food Safety Authority (Norwegian: Mattilsynet), which is handled through the FOTS application portal:

• Mattilsynet on experimental animals Norwegian only
• FOTS (Forsøksdyrforvaltningens tilsyns- og søknadssystem) application portal
• Animal use for scientific purposes Norwegian only

While institutional ethical committees are common in many countries, in Norway these have only have been established at selected institution and faculties. For most domains the researchers themselves will make an ethical assessment of the research project with reference to relevant guidelines and regulations. As part of this assessment, it is necessary to consider the potential harm and risk that may arise from the research. Here consequences of sharing research data should be considered according to the principle of “as open as possible, as closed as necessary”. For international projects it is advisable to consider research ethics issues before entering collaborations as perceptions and legislation may differ between countries.

Contact research advisors or research support staff about local routines.

Personal data and data privacy

As processing of personal data entails data management requirements, being specific about personal data is part of the DMP. It is the responsibility of the researcher to make sure that data processing is in agreement with the national legislation and institutional policies and routines. If personal data is to be FAIR, and available for future research or shared openly, considerations on how this can be done must be made prior to data collection.

Personal data is any information that can be linked to an identifiable person. This includes indirect identification. If data can identify a person directly or indirectly at any stage in the research process, the processing of personal data must be in accordance with The Personal Data Act (Norwegian: Personopplysningsloven), which incorporates the EU General Data Protection Regulation (GDPR) in Norway. Any processing of personal data requires a lawful basis.

Extra care must be taken when processing special categories of personal data (often called sensitive personal data). Special categories include information about: Race or ethnic background; Political, philosophical, or religious beliefs; Health information and health related conditions; Sexual orientation or behaviour; Membership in trade unions; Genetic and biometric information intended to identify a physical person.

The principle of data minimization entails limiting the amount of personal data collected and processed, to include only what is necessary to achieve the purpose of the data processing. This should be considered whenever collection of personal data is planned.

• The Personal Data Act (Norwegian: Lov om behandling av personopplysninger (personopplysningsloven)
• Forskrift om behandling av personopplysninger
• The Norwegian Data Protection Authority (Datatilsynet) on the Personal Data Act Norwegian only
• National Research Ethics Comittees: Q&A: New legislation on personal data - what does it mean for research? Norwegian only

If data is completely anonymous, it is not considered personal data. This means that data has been collected anonymously and not linked to a directly or indirectly person at any stage of the research process. As long as a link exists or can be re-created the data is only de-identified or pseudonymised and considered personal data. If data is anonymized during the course of the research project, the project is processing personal data.

It is a common misunderstanding that research ethics and privacy protection is the same thing. It is important to remember that complying with privacy legislation and conducting research ethical considerations are independent, although related, processes. Read more about the distinction between data protection and privacy by National Research Ethics Committees: The Personal Data Act - Research ethics - far more than privacy

Sensitive data

Sensitive data is data that must be protected against unwanted disclosure. Personal data is one of many reasons to take precautions when processing and storing data. The guiding principle in research data management and making data accessible is “as open as possible, as closed as necessary”.

Reasons for sensitivity (non-exhaustive):

• National security
  • National Security Act (Norwegian: Lov om nasjonal sikkerhet(sikkerhetsloven))
• Export control regulations
  • Export Control Act (Norwegian: Lov om kontroll med eksport av strategiske varer, tjenester og teknologi m.v.(eksportkontrollloven)
  • Report Guidelines and tools for responsible international knowledge cooperation (2023)
• Intellectual Property Rights (IPR), commercial issues, trade secrets or confidentiality issues
  • Copyright Act (Norwegian: Lov om opphavsrett til åndsverk mv. (åndsverkloven))
  • Patent Act (Norwegian: Lov om patenter (patentloven))
  • Archive Act (Norwegian: Lov om arkiv (arkivloven))
  • Act on Universities and Colleges Act (Norwegian: Lov om universiteter og høyskoler (universitets- og høyskoleloven))
• Research on endagered species
  • Biodiversity Act (Norwegian: Lov om forvaltning av naturens mangfold (naturmangfoldloven))
• Research on protected cultural heritage
  • Cultural Heritage Act (Norwegian: Lov om kulturminner (kulturminneloven))
• Indigenous Data Governance
  • United Nations Declaration on the Rights of Indigenous Peoples (Norwegian: FNs erklæring om urfolks rettigheter)

Further information:

• Report How should we share research data? (2021)

Question-specific guidance

Involved institution(s)/partner(s)

Specifying the host institution and possible collaboration partners is important as this defines legal responsibilities and implies which guidelines are to be followed.
Read more about The research-performing institution(s).

The questionnaire is integrated with the Research Organization Registry (ROR) to unambiguously identify institutions. In case the organisation is not registered, type the name and click outside of the text box and the string will be saved.

Please identify both the host institution (In multi-partner projects: coordinating institution) and possible collaboration partners or external parties/subcontractors contributing to the project. If your project has scientific collaborators or external partners, please indicate any relevant contracts or collaboration agreements for later reference. If documents to not have an unique identifier, refer e.g. to the document number in the institutional archival system.
Formalising collaboration in an agreement/contract is recommended. It can include who has access to and/or controls what data, assign responsibilities to project partners, and define under what license data and other projects results will be published.

We assume that the localization of the host institution (in multi-partner projects: coordinating institution) defines the applicable legislation. If this should not apply, make sure to indicate this as a relevant agreement related to the collaboration partner.

For help with contract-related questions contact legal advisors at your institution:

• NTNU: Kontraksmaler og signeringsfullmakt Norwegian only
• UiB: Contracts and legal counselling Norwegian only
• UiO: Collaboration agreements
• UiT: Agreements for research

Further information:

• The Research Council of Norway: Collaboration agreements

Indicate relevant policies and guidelines for research data management or Open Science

Specifying relevant guidelines, policies or processes will help you recognize research data management requirements and routines to be aware of.

Identify relevant policies, guidelines or processes applicable to your project. If your research unit has defined own guidelines, these should be consulted and referred to here. In addition to selecting from a list of common policies, you can manually add additional data management policies or guidelines to be followed.

You can select from the following list of common policies and guidelines:

• Institution: NTNU Policy for Open Science
• Institution: UiB Policy for Open Science
• Institution: UiO Policies and guidelines for research data management
• Institution: UiT Principles and guidelines for management for research data
• Funder: The Research Council of Norway Policy for Open Science
• Funder: The Research Council of Norway Policy for open access to research data
• Funder: Horizon Europe provisions on Open Science

Further information:

• RDM resources in Norway (RDMkit): Institutional policies on research data
• RDM resources in Norway (RDMkit): Funder policies on research data

Indicate applicable general research ethical guidelines

All researches are to follow general research ethical guidelines and ethical considerations may affect how data will be handled and shared.

Institutional resources on research ethics:

• Ethics at NTNU
• UiB Research Ethics
• Research ethics at UiO
• UiT Research Ethics

You can select from the following list of general research ethical guidelines, based on resources provided by the National Research Ethics Committees:

• a. The European Code of Conduct for Research Integrity
• b. National Research Ethics Committees (FEK) - General guidelines
• c. Guidelines for Research Ethics in the Social Sciences and the Humanities by the National Committee for Research Ethics in the Social Sciences and the Humanities (NESH)
• d. Guidelines for Research Ethics in Science and Technology by The Norwegian National Committee for Research Ethics in Science and Technology (NENT)
• e. Ethical Principles for Medical Research Involving Human Subjects (Declaration of Helsinki)
• f. Guidelines by The Norwegian National Research Ethics Committee for medical and health research (NEM)
• g. Guidelines for Ethical Research on Human Remains by The Human Remains Committee
• h. Convention on Human Rights and Biomedicine (Oviedo Convention)
• i. Ethical Guidelines for the Use of Animals in Research

Read more about Research Ethical Guidelines and Codes of conduct.

Are additional ethical guidelines or codes of conduct relevant?

Ethical considerations may affect how data will be handled and shared. Investigating if there is subject-specific research ethical guidelines and codes of conduct is therefore important.

Please indicate any additional ethical guidelines or codes of conducts relevant for the project. Examples (non-exhaustive):

• CARE Principles for Indigenous Data Governance
• The TRUST Code – Global Code of Conduct for Equitable Research Partnerships
• Guidelines for Internet Research Ethics
• Ethics Guidelines for Trustworthy AI
• Nagoya Protocol on Access to Genetic Resources and Benefit-Sharing
• Medical and health research in low- and middle-income countries by The National Committee for Medical and Health Research Ethics (NEM)
• Guidelines for the inclusion of adults with impaired or absent capacity to consent Norwegian only
• Payment to participants in medical or health research Norwegian only
• Guidelines for the use of genetic studies of humans Norwegian only
• Ethical guidelines for clinical trial of drugs Norwegian only

Further information:

• Ethical aspects (RDMkit): How can I identify regulations, guidelines and laws connected to ethics in my research context?
• RDM resources in Norway (RDMkit): Relevant ethical guidelines

Read more about Research Ethical Guidelines and Codes of conduct.

Does the project require ethical pre-approval?

Specific to projects with ethical/legal considerations
If the project involves health research, use of human biological material, testing on animals or similar, a pre-approval is likely needed to execute the project. The approval case numbers should be referred to in the DMP.

NB! Registrations of the legal basis of processing personal data are not the same as a research ethics assessment. This should therefore not be included here, but addressed in the next question.

Read more about Ethical approvals.

Will any personal data be collected/processed?

Specific to projects with ethical/legal considerations
If personal data are collected/processed, make sure to classify information security and choose storage and backup solutions accordingly.

Personal data is any information that can be linked to living person. This includes indirect identification. If data can identify a person directly or indirectly at any stage in the research process, the processing of personal data must be in accordance with The Personal Data Act (Norwegian: Personopplysningsloven), which incorporates the EU General Data Protection Regulation (GDPR) in Norway. The principle of data minimisation should be followed and the collection of personal information should be limited to what is directly relevant and necessary to accomplish a specified purpose.

Read more about Personal data and data privacy.

Institutional privacy policies:

• Norwegian University of Science and Technology (NTNU)
• University of Bergen (UiB)
• University of Oslo (UiO)
• UiT The Arctic University of Norway (UiT)

Which institutional privacy routines apply?

Privacy routines at research institutions may differ from each other, it is therefore important to make yourself familiar with the applicable policies and guidelines at your institution.

• Norwegian University of Science and Technology (NTNU)
  • Collection of personal data for research projects at NTNU
  • NTNU privacy policy
• University of Bergen (UiB)
  • Personvern i forskning ved UiB Norwegian only
  • Forskningsrutiner Norwegian only
  • Privacy policy for the University of Bergen
• University of Oslo (UiO)
  • Processing of personal data in research projects at UiO
  • Privacy and data protection at UiO
  • Privacy declarations for UiO
  • UiO Quality assurance system for health and medical research
• UiT The Arctic University of Norway (UiT)
  • Processing of personal data in research projects
  • Data protection/ Privacy at UiT

Privacy considerations

The routines regarding processing of personal data differ between institutions. It is the researchers responsibility to make oneself familiar with the requirements at their institution. If not listed in the previous question, look for similar guidance from your institution.

Processing of personal data affect choice of storage, and how open data can be archived or made available to others, these considerations are part of data management planning. If the data are to be used for future research this must be taken into account when legal basis for data processing is selected. Explicit information about archiving and future use should also be included in the information to study participants.

In this question you refer to the privacy assessment(s) conducted by selecting “Processing of personal data is registered in other system” and adding a reference number to the assessment. If you are not required by your institution to describe the compliance with personal data act in a separate system, you should choose “Privacy considerations step-by-step”.

Processing of personal data is registered in other system

If you already described the processing of personal data in detail in other systems including local registration of personal data processing, the Sikt notification form for personal data, or executing and registering a Data Protection Impact assessment (DPIA), you can refer to these registration(s). Specify the system where the respective registration system and identifier of the project registration. Questions regarding lawful processing of personal data and routines at your institution should be directed to the respective Data Protection Officer (DPO, Norwegian: Personvernombud).

• Institutional routines for privacy assessment:
  • RETTE at UiB
  • NTNU guidance for Data Protection Impact Assessment (DPIA)
  • UiO Quality assurance system for health and medical research
• Sikt notification form for personal data (‘Sikt Meldeskjema’)

Privacy considerations step-by-step

Be aware that you might have to register processing of personal data in additional systems as required by your institution and there is currently no information exchange between systems.

These questions will guide you through relevant considerations concerning collecting/processing personal data in accordance with privacy legislation.

How will you document participants information and/or consent?

Documenting permissions form study participants to share data is crucial to making research data available, and often difficult or impossible to obtain in retrospect. It is therefore essential to include information about planned data sharing in the participant information letter and/or consent forms.

Ideally, the permission should be requested in a granular way, with distinct permission to making data available. Unfortunately, guidance on this topic and examples of consent forms that are adapted to European legislation is not easily found, and the lines of what and when is possible is still being drawn up. Consult your institutional research data management support services if you are uncertain about formulations or need examples of how sharing and reuse of data including information about people can be possible.

Remember that the ethical requirement to obtain permission to data sharing from study participants is independent of the legal basis (Norwegian: behandlingsgrunnlag) for processing of personal data as required by GDPR. This difference will however not be evident for research participants and the term ‘consent’ (Norwegian: samtykke) is often used for both processes. However, the requirements for the two types of consent differ.

Research regulated by the Health Research Act

For medical and health research projects, the requirement for obtaining informed consent from subjects is described in chapter 4 of the Health Research Act Norwegian: Lov om medisinsk og helsefaglig forskning (helseforskningsloven).

Please note that the specific ‘consent’ under GDPR as a legal basis is not equivalent with ‘informed consent’ in the context of health research. For more information please consult the Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) of the European data protection board.

Research project using ‘public interest’ as legal basis

Applying public interest as legal basis for scientific research projects is advisable. For compliance with ethical guidelines, permission to archive the data for the purpose of future research, and possibly also educational purposes should be collected and documented.

Research project using ‘consent’ as legal basis

Consent is a possible legal basis for processing of personal data under GDPR. For processing of certain types of personal data, strict requirements apply and processing needs to be based on a condition in addition to the legal basis. Explicit consent is one such possible condition, which must be freely given, specific, informed and unambiguous (GDPR article 9, article 7, and recital 32).

If consent is used as legal basis for processing of personal data consider asking for permission to archive the data for the purpose of future research, and possibly also educational purposes as part of both the informed and specific consent. Consult the links below, to see if you can use standard consent clauses, which can be reflected with machine readable metadata.

Institutional resources on participant information and consent:

• NTNU - Samtykke for behandling av personopplysninger Norwegian only
• NTNU - Samtykke fra forskningsdeltakere i helseforskning Norwegian only
• UiB - Rutiner ved oppstart av forskningsprosjekter: informasjonsplikt og samtykke Norwegian only
• UiO - Open sharing: Research data and personal information

Further information:

• GA4GH ethical toolkit with examples of granular consent and machine readable metadata (for human genetic data)
• Informed Consent Ontology (ICO)
• W3 Data Privacy Vocabulary (DPV)
• National Research Ethics Committees: Consent
• Sikt guidance for Legal bases for personal data processing in research
• Sikt guidance on participant information in research projects

Will sensitive information (apart from special category personal data) be collected/processed?

Specific to projects with ethical/legal considerations
If sensitive data (apart from special category personal data) are collected/processed, make sure to classify information security and choose storage and backup solutions accordingly.

The guiding principle in research data management and making data accessible is “as open as possible, as closed as necessary”. There can be many reasons why data must be protected. Read more about Sensitive data and legal backgrounds for handling data as sensitive.

Reasons for sensitivity (non-exhaustive) and relevant resources:

• National security
• Export control regulations
  • Investigate routines at your department in addition to institutional guidelines
• Intellectual Property Rights (IPR), commercial issues, or confidentiality issues
  • If you have questions, consult with technology transfer offices or legal advisors at your institution
• Research on endangered species
• Research on protected cultural heritage
• Indigenous Data Governance

Resources on export control:

• Norwegian Directorate for Higher Education and Skills: Export control of knowledge transfer and international sanctions
• NTNU: Control of knowledge transfer
• UiB: Institusjonelle retningslinjer for eksportkontroll ved UiB Norwegian only
• UiO: Export control

Institutional IPR policies:

• Norwegian University of Science and Technology (NTNU)
• University of Bergen (UiB)
• University of Oslo (UiO)
• UiT The Arctic University of Norway (UiT)

Technology transfer and innovation contact points:

• NTNU Technology Transfer as
• UiB: VIS - Innovation and commercialization
• UiO: Inven2 as
• UiT: Norinnova

Resources on Indigenous Data Governance:

• GIDA-Sápmi - Sámi Research Data Governance

Further resources

Links to other resources

View as questionnaire: Legal and ethical aspects

Life science data management guidelines on: Sensitivity

Life science data management guidelines on: Ethical aspects

Life science data management guidelines on: Security

Life science data management guidelines on: GDPR compliance

Life science data management guidelines on: Human data

Social science data management guidelines on: Protect

Data science guidelines on: Ethical Research

Data science guidelines on: Sensitive Data Projects

Ingrid Heggland

Contributor

Norwegian University of Science and Technology (NTNU)

Jenny Ostrop

Lead

University of Bergen (UiB)

Live Kvale

Contributor

University of Oslo (UiO)