Data protection for student assignments

For students who will be conducting a student project (bachelor’s or master’s degree level)

Student projects (at both bachelor’s and master’s level) must adhere to the principles that apply to research projects.

Some key points relating to the responsibilities of students have been listed below and are based on the internal guidelines for the collection of data in student projects (adopted by the Rector Office on 22/11/2021). The student must consider the cases in which these principles will apply.

  1. The student will not collect personal data in connection with student projects, thereby avoiding the duty to notify SIKT.
  2. The student will, subject to supervision from their academic supervisor, learn to collect anonymous data. This means that the student will:
    - Not take audio recordings during interviews. A voice is considered personal data.
    - Be able to conduct interviews by phone or Zoom without recording the conversation or making records of personal data. - Use online forms with anonymous settings.
    - Consider using anonymous data that is available through existing databases (such as Statistics Norway, SIKT, etc.)
  3. Students will never collect health information or other special categories of personal data that require e.g. REC approval and the use of the Service for Storage of Sensitive Data (TSD). This also applies if the materials and data will be subsequently anonymised.
  4. The student will, subject to supervision from their academic supervisor, adhere to the FAIR principles, which state that research data must be findable, accessible and reusable.
  5. The student will, together with their academic supervisor, consider whether the student project can be included as a sub-project in larger research projects that include personal data or health information.

    In exceptional cases, personal data may be collected in connection with master’s theses. Such exceptions must be authorised by the academic supervisor. The following applies in these cases:

    1. The student, supervised by their academic supervisor, must consider which data is adequate and relevant to the purpose of the project and limit the collection of data accordingly (principle on data minimisation).
    2. The student, supervised by their academic supervisor, must prepare a data management plan and conduct a risk assessment on the project’s information security.
    3. The student, supervised by their academic supervisor, must draw up a declaration of consent and an information letter for their student project.
    4. The student, supervised by their academic supervisor, must submit a notification form to SIKTno later than 30 days before processing is scheduled to commence. The student must list their academic supervisor as the point of contact with SIKT.
    5. The student must never process special categories of personal data. It should therefore not be necessary to conduct a data protection impact assessment (DPIA) or report the project to the REC.
    6. The student will be subject to a duty of confidentiality relating to personal data processed in a student project: Please see Section 5 the National Research Ethics Committees’ general research ethics guidelines and Section 4-6 of the University College Act concerning the Student’s Duty of Confidentiality.
      The exception from this duty of confidentiality is cases where you identify matters for which you have a legal duty to avoid serious criminal offences.
    7. When the student project is finished, the student must ask the academic supervisor, who acts as the point of contact with SIKT, to submit a final report if the student project was registered with SIKT.
    8. The student, supervised by their academic supervisor, will consider whether personal data will be anonymised or deleted if there are no requirements for retention beyond the project period.