What do I have to give information about?
The law does not set requirements as to whether information and consent are to be given in writing (including electronically) or orally. However, you must be able to demonstrate/document that you have given information and gained consent from project participants i.e. from the people whose personal data you will be processing (data subjects). As a rule, we recommend written information and written consent.
We strongly recommend that you use our template for the information letter.
The information given should at least include:
- an introduction including a request for participation
- the purpose of the project and what the collected personal data will be used for
- which methods will be used for collecting data, and what these methods will entail for the participant
- what types of information will be collected
- what the legal basis is for processing the personal data (e.g. consent)
- who will have access to personal data, e.g. the project group, student/supervisor, data processor etc.
- describe how confidentiality will be maintained, what secrity measures will be put in place to ensure that unauthorized persons cannot get acess to the collected data
- describe what form the collected data will be stored in; in a form where participants are directly identifiable, in a form where participants may be indirectly identified through a combination of their background information, or where collected data has been de-identified etc.
- that participation is voluntary and that the participants may withdraw their consent as long as their personal data is being processed, without giving a reason
- the date for project completion and information about what is going to happen with the collected data at that point; whether it will be erased, anonymised or stored for future use (follow-up studies, verification etc)
- the right to request access to, deletion/correction/limitation of one's personal data, as well as the right to data portability (only if consent-based) and the right to protest (only if non consent-based)
- the right to send a complaint to the Data Protection Officer or The Norwegian Data Protection Authority
- which institution is responsible for the project (the data controller)
- contact information for the project leader (or both the supervisor and student)
- contact information for the Data Protection Officer for the institution responsible for the project
It may also be relevant to provide the following information:
- that the project has been notified to The Data Protection Official for Research at NSD - Norwegian Centre for Research Data AS (firstname.lastname@example.org, +47 55 58 21 17)
- if an institution (hospital, school, NAV, etc.) has made contact with the sample on behalf of the project, this should be made explicit, and it should be emphasized that the researcher/student does not know the identity of the persons invited until they agree to participate
- for patients, clients and persons with impaired consent capacity it must be stated that if they decide not to participate in the project, or if they later decide to withdraw, this will not affect their relationship with their doctors/therapists or others
- if the information is obtained from sources other than the research participants themselves (registers, records, etc.), they must be informed about what information is collected and from where
- that parents/guardians have the right to see questionnaires/interview guides before they are handed to a minor
- if personal data is to be stored after the project is completed, you must indicate: the purpose of further storage (e.g. follow-up studies), for how long personal data will be stored, and the date for when the data will be anonymised or deleted
- that personal data will be accessed by/shared with other researchers at other institutions and with whom
- if personal data will be transfered to an external entity you must describe where and why. The legal basis for transfering the data must also be indicated.
- if personal data will be transferred outside the EU, you must explain where, why, and that the country may not have data protection laws that are considered satisfactory in the European context.
- that the project is receiving external funding and from whom