Register-based studies include processing of data from registries. Registries are an important source of data for many research projects. Researchers often collect registry data from Statistics Norway, Norwegian Institute of Public Health, The Norwegian directorate for Education and Training and the national health registries, among others.
What approvals do you need?
- To lawfully process personally identifiable data from registries, you need to get a recommendation/assessment from a Data Protection Official, or if it is required, a license from the Norwegian Data Protection Authority. Please note that if a separate code list which links the data to names or other personal data is created, this is regarded as processing of personally identifiable data, even when the researcher does not get access to the list. Research projects which are regulated by the Health Research Act need only an advance approval by the Regional Committees for Medical and Health Research Ethics (REC). If you want access to data from the Norwegian Information System for the Nursing and Care Sector (IPLOS), the Norwegian Prescription Database or the Registry of Pregnancy Termination, a license from the Data Protection Authority is required in addition to an approval by REC.
- If the personal data is under duty of confidentiality and you are not going to collect an informed consent from the data subjects, you must apply for an exemption from the duty of confidentiality from the relevant authority. It is usually the relevant ministry or directorate or REC that can give an exemption from the duty of confidentiality.
- You must also apply for access to data from the owner of the registry.
- Statistics Norway has the authority to give exemption from the duty of confidentiality to most data they provide for research. See Statistics Norway’s step by step guide for access to data.
Writing the applications
In the case that a license from the Data Protection Authority is required, we will assist you in the process of writing the application, and we will submit the application on your behalf. For a quicker process, we recommend that you send applications for exception from the duty of confidentiality simultaneously. In many cases, however, you will have to wait until a license is given before you can apply for access to data from the owner of the register.
In all applications, the following points are important:
- It is crucial that you describe the project in the same manner in the applications you write to different authorities and registers. This includes the purpose, the variables, the procedure for alignment of data and the degree to which the data will be personally identifiable. If the project is described differently in applications to different authorities, you risk having problems in getting access to data.
- The list of variables must be set up in a systematic way with understandable names/labels and categories, and which register they are from.
- We advise that you do not apply for more detailed variables than what is necessary for the data analysis and to fulfil the defined purpose of the study. The set of variables should contain only variables which are necessary, and the categories should not be more detailed than necessary.
- In a data set certain variables increase the chance of identifying individuals, for example date and year of birth, place of residence/work/birth/death, nationality and dates for administrative decisions or treatment in hospitals and institutions. If possible, these variables should be categorized broadly or grouped together to reduce the chance of identifying individuals. If detailed variables are necessary for the analysis, you should explain why they are necessary for the analysis and to fulfil the purpose of the project.
- Your application should be clear on the degree to which individuals can be identifiable in the data set. You must not state that the data will be anonymous or de-identified if the data will contain background information that can indirectly identify individuals.