Use of personal data in your degree thesis
Are you a student who intends to use personal data in your bachelor's or master's thesis? In such cases, personal data must be processed in accordance with the privacy regulations. On this page you will find guidance on how this should be done. The guidance applies to all students at NMBU.
What is personal data?
The rule of thumb is that all information that can in one way or another be linked to a specific person is personal data. Personal data may, for example, be a national identity number, name, e-mail address/IP address, health information, or a picture in which a person can be recognized. Voice on audio recordings is also considered personal data. Whether a piece of information is personal data may depend on whether it can be linked to an individual in the context in question.
Some types of personal data are considered sensitive (so-called special categories of personal data). Stricter requirements then apply, among other things to information security.
Read more about what personal data is, what is considered sensitive personal data and what it means to process personal data, on this page: What is personal data (sikt.no).
Anonymous data is information that cannot in any way be traced back to identify individuals. If you are not going to process personal data or only process anonymous data, you are not covered by this guide. See information on how to carry out a project without processing personal data: Carrying out a project without processing personal data (sikt.no).
An explanation of various terms can be found here: Privacy dictionary (sikt.no) (Unfortunately this page is not translated to English).
When writing a degree thesis, you may need to process personal data because you will be using information about, or from, one or more persons, as a basis for your thesis. For example, you may collect personal data by interviewing or by sending a questionnaire to a group of people. This also applies where the personal data itself is not the subject of the survey or interview.
Who is responsible for the processing of personal data in a degree thesis?
When personal data is processed in a degree thesis at NMBU, one person will have the role of project manager. For degree theses at bachelor's and master's level, the student's supervisor is the project manager. The Project Manager is responsible for ensuring that the processing of personal data in the work on the thesis complies with the privacy regulations and NMBU's routines. This responsibility encompasses all phases of the project.
The supervisor is also responsible for ensuring that you receive the information and training you need and that you follow the privacy regulations and NMBU's routines, and for guiding you in the process.
You also have an independent responsibility to familiarize yourself with the requirements for processing personal data and follow these through the phases of your degree thesis, as well as follow the instructions from your supervisor.
NMBU has overall responsibility for all processing of personal data for research purposes at the university (this includes degree theses). NMBU shall provide good routines and guidance to students and employees.
Where can you get guidance and training?
We hope this page helps you a long way with the information you need to process personal data correctly in your degree thesis. Be sure to confer with your supervisor about the details.
Sikt (formerly NSD) is NMBU's advisor for privacy in research. They are experts on the subject, and you can contact them directly if there is something regarding personal data protection you and your supervisor can't figure out.
For questions about NMBU's own guidelines for privacy in research and handling of research data (which also applies to degree theses), please contact the Research Support Office. For questions about IT tools, please contact your IT department.
Contact information for Sikt: Please use the chat function, open every day from 12:00-14:00, or contact Sikt via the contact form: https://meldeskjema.sikt.no/test
Contact persons at NMBU:
Research Department:
IT Department
Every semester, a 1-day course in data management and privacy in research aimed at students and staff is held. Feel free to ask your supervisor if the course is relevant for you.
NMBU has a data protection officer who advises NMBU on its obligations under the privacy legislation. Employees, students or external participants in research projects can contact the data protection officer to find out if and why NMBU processes personal data about them, and about their rights under the privacy regulations. You can find more details on a separate page about NMBU's Data Protection Officer (Unfortunately, this page is not translated to English).
How to ensure that personal data is processed in accordance with the regulations?
Sikt is NMBU's advisor on personal data protection in research and assists NMBU in ensuring that research at the university can be carried out in line with the Personal Data Act.
Researchers or students who will process personal data in a research project or degree thesis need to fill in a notification form and submit it to Sikt. If you are uncertain whether your project falls under the mandate of Sikt, you can ask them directly (see contact information above).
The notification form must be submitted no later than 30 days before the data collection or processing starts. Sikt will then assess whether the planned processing of personal data is in line with privacy legislation. If your project has a low privacy risk and is automatically assessed by Sikt, you can get an answer from Sikt within a day. For projects that are assessed manually, Sikt must provide feedback within 30 days.
Many student assignments at NMBU process personal data in a way that poses a relatively low privacy risk. Low privacy risk is often related to factors such as: the project does not process sensitive personal data; informed consent is obtained and participants receive individual information; the duration is limited in time; few people will have access to the personal data and data security is satisfactory; the number of people from whom information is processed is not very high; and the persons are over 15 years of age. With a few, but necessary, steps, you will be able to meet the requirements of the regulations.
For some research projects, however, there will be greater privacy risks, and Sikt will in some cases recommend that a data protection impact assessment (DPIA) be carried out. The supervisor must then take responsibility for following up. DPIAs must be approved by the management at NMBU and assessed by the data protection officer and follow a specific approval procedure at NMBU.
What do you need to keep in mind during the planning/start-up phase of your degree thesis?
When you prepare the notification form for Sikt and plan your degree thesis, you must, in cooperation with your supervisor, do the following:
- Think through what personal data you need to answer your research question.
- Think through which factors contribute to privacy disadvantage in your project, and whether/what measures you can take to reduce the disadvantage.
- Make a complete overview of what personal data will be used in your degree thesis.
- Prepare an information letter for the participants (unless the collection is to be exempt from the duty of disclosure). More information and template can be found via the link further down the page.
- Clarify the basis for processing. Processing of personal data must have a legal basis, and the most common practice in research is that obtaining consent from the research participants provides the legal basis. The consent form is preferably entered in the information letter. There are also other legal grounds for processing.
- Design an interview guide, questionnaire, variable list, etc. depending on what is relevant for your project.
- Plan how you will ensure secure handling of personal data throughout the project, from collection, storage and processing of the data, to archiving, possible deletion or anonymization. You must design a data management plan and comply with NMBU's guidelines for handling research data (Link coming).
You will find more detailed information about the points and concepts above, as well as templates, on Sikt's and NMBU's websites:
- Information for participants in research projects (sikt.no)
- Legal bases for personal data processing in research
Ready to complete the notification form?
Here you will find the actual notification form: https://meldeskjema.sikt.no/test. Log in with your Feide user. For degree theses, it is usually the student who fills out the notification form. However, you will need to share the form with your supervisor, who must review it before submitting it. When you share the form, the supervisor gets a link that must be activated within 7 days.
What do you need to keep in mind during the implementation phase of your degree thesis?
At the implementation stage, you need to do the following:
- Carry out the processing of personal data as planned and reported to Sikt in the notification form.
- Notify Sikt if there are changes in how the personal data in the project is processed. For example, if you are considering using your personal data for a new purpose, you must have a legal basis for this. Report changes in the notification form: Notify changes in the project (sikt.no).
- Respond to inquiries from project participants if they have questions about privacy regarding their participation.
- Report any discrepancies: Notification of breaches of information security or privacy at NMBU (Unfortunately, this page is not translated to English yet).
- Delete or anonymize personal data about participants who withdraw their consent to participate in the project.
What do you need to keep in mind during the final stages of your degree thesis?
In the closing stage, you need to do the following:
- Make sure that personal data is deleted or archived, possibly anonymized, as planned.
- If the project concludes with your thesis, you must send a final report to Sikt. If the project lasts longer, the responsibility for the final notification must be taken by your supervisor. Clarify this with your supervisor.
Classification of personal data and information security
It is very important that research data in bachelor's and master's theses that contains personal data is handled securely during collection, storage, archiving and deletion.
Information on how to ensure good information security for the personal data you handle in the project can be found on the page: Research data (Currently only in Norwegian, English translation will be prepared).