There are national special rules for scientific research. Researchers and research institutions must therefore comply with both the GDPR (main rules) and the Personal Data Act (special rules) when processing personal data.
The Norwegian Data Protection Authority is an advisory and supervisory authority on the privacy regulations. All research institutions must appoint a Data Protection Officer. Some research projects must obtain a recommendation from the Data Protection Officer or from a data protection advisor. The GDPR has no general notification or pre-approval requirements. However, many Norwegian research institutions have voluntarily chosen to report relevant projects to, and seek pre-approval from, the Norwegian Center for Research Data (NSD).
The Norwegian National Research Ethics Committees (FEK) do not provide guidance on the processing of personal data. If you need guidance, please contact the Data Protection Officer at your institution, the NSD or the Norwegian Data Protection Agency.
Research ethics – far more than privacy
It is a common misunderstanding that research ethics and data protection are the same thing, and that having a legal basis to process personal data in a research project is equivalent to a research ethics assessment. Research ethics is about conducting ethically sound and responsible research. This includes far more than data protection, such as good scientific practice, social responsibility, and dissemination practice, in addition to human dignity / protection of individuals and groups.
The distinction between data protection and research ethics can be exemplified by looking at the concept of consent: a consent to process personal data is not the same as a consent to participate in research. Researchers must ensure that research participants consent to both, and researchers are responsible for clarifying what the consents entail.