Remarks on section 7-27

The starting point for this provision is that a notification obligation rather than a licensing obligation has been established. The former section 7-27 established criteria for how the initial contact should be established, consent, time of project conclusion, anonymisation or deletion at the end of the project, and a ban on electronic alignment of personal data records. The privacy protection elements that these criteria safeguarded are also protected in the present legislation. How the initial contact is established is largely a research ethics issue, albeit such that certain procedures are less problematic from a privacy perspective than others. The Data Protection Authority is confident that the Research Ethics Committee (REK) and Data Protection Officers will safeguard this aspect. That consent is the clear general rule for processing of personal data follows directly from sections 8 and 9 of the Personal Data Act. In so far as the Data Protection Officers can accept deviations from the general rule, it is expected that the researcher has justified his or her need for this in a satisfactory manner. The justification will be a key element in the Data Protection Authority's subsequent review. Additionally, there is the assumption that for a consent to be valid, information must be given about how long the personal data will be stored, cf. section 2 no. 7. This requirement also follows from the information obligation under section 19 and the following sections. Anonymisation or deletion should normally take place at project end. When it comes to electronic alignment, this is not intrinsically problematic from a privacy perspective.

The numbers included, the variables, and whether the material is anonymised (disidentified) immediately after the comparison is made, are all more important considerations. It is a condition for an exemption to apply that the project has been recommended by a Data Protection Officer. It is a further condition for the project that it must be recommended by a Regional Committee on Medical Research Ethics (Research Ethics Committee, REK) if the project includes medical and healthcare research. Thus, this change represents a more limited licensing duty, but an expanded notification duty for researchers at institutions associated with a Data Protection Officer. For institutions not associated with a Data Protection Officer, however, it means an extension of the licensing obligation.

For projects that are not deemed to be medical or healthcare research, it is sufficient to have the support of the Data Protection Officer. Since there is presently only a requirement for referral [to a higher authority] for medical and healthcare research, this assumes researchers in other areas of society must exercise special care. At the same time, it also assumes that the Data Protection Officer is familiar with research ethics and will, on his/her own initiative, refer projects which are deemed ethically dubious to a committee. The Data Protection Officers should also refer cases for which recommendation seems problematic, to the Data Protection Authority, or advise the Data Protection Authority to undertake a prequalification process.

In the second paragraph of the provision, a distinction is made concerning research projects of a large scale and long duration, and research into large data sets that have not been pseudonymised or disidentified in some other secure manner. This also covers the establishment of large collections (records) of personal data intended as the basis for other separate projects. The scope here must be related both to the number of people involved as research subjects and the amount of information recorded for each individual. The exemption from the licensing obligation will not apply to registers of this kind.

When it comes to the point that the exemption does not include research projects of large scale, it is assumed that projects covering 5000 research subjects will qualify as a large scale project. The reason for the figure 5000 is that a large majority of projects comprise a much lower number of participants, at the same time as the large population health studies are always subject to prequalification. Given the duration requirement, this number seems reasonable from a privacy point of view.

As for duration, it is assumed that a typical doctoral thesis will take 3-6 years, and that projects lasting longer than that can be termed "long term". Even so, the assumption here is that only projects with a duration of more than 15 years are considered long term. This time scale implies that if a project which was not initially expected to last more than 15 years, in fact exceeds this duration, then the requirement for prequalification (a licence) will apply.

Research into large data sets is nonetheless exempted from the licensing obligation if the material held by the researcher is pseudonymised or disidentified in some other secure manner. The requirement for pseudonymisation or disidentification in some other secure manner means that the researcher, or the institution for which the researcher works, cannot store the connection key. Also implicit in this is that the number and type of parameters cannot by nature be such that it is possible to re-identify the members of the set.

The large population studies performed by the Norwegian Institute of Public Health (FHI), the JANUS data bank and the so-called twins register/heredity register at the University of Oslo are typical examples of registers that are not exempt from the licensing duty. These are extensive registers, both in terms of duration, number of data subjects (respondents), and volume of information recorded. It is not a deciding factor for whether or not a study is subject to a licensing requirement that it deals with biological material. Public health surveys which also collect biological material are unlikely to be covered by the exemption. However, this will be on the basis that the studies are of a long-term nature and form the basis for separate projects and studies.

Processing of information in individual projects based on a licensed register must be considered on the merits of the project under the licensing terms and this provision. The licensing duty will not apply on a general basis for access to data in the large licensed registers regulated by law.

In distinguishing projects exempted from the licensing duty and other projects, it is the individual researcher who, jointly with the Data Protection Officer, is best able to assess the concerns that indicate prequalification of the individual project. This may be because of the number of people involved, the sensitivity of the information, or the duration of the project.

Different types of projects are often involved, at the same time as it is not solely the quantitative factors that will be decisive, but the scope of the personal data to be collected and analysed.

In the second paragraph, it is also pointed out that the exemption does not cover so-called "absentee analyses" unless these are based on consent. Absentee analyses means analyses of the distribution of education, income and benefits and so on, among attending and non-attending people, to determine the importance of the non-attendance. From a privacy perspective, non-consensual absentee analyses have not been granted a special status, and must therefore be subjected to prequalification by the Data Protection Authority. The reason that such analyses entail special privacy issues is that persons who have decided not to take part in a study are still included. The Data Protection Authority understands that in some contexts there may be a need to assess the composition of the selected group, but when these analyses are based on collection of a relatively large number of details about people who have refused to take part, and who presumably expect the researcher to respect their decision, there will be a need for a special assessment if we are to accept inclusion of such non-respondents against their will.

The processing of health data in connection with medical research is often a matter that comes under the scope of the Health Registers Act (Personal Health Data Filing System Act). The provisions in the Personal Data Act and the Personal Data Regulations regarding notification duty will, however, also apply to projects under the scope of the Health Registers Act. It follows from section 5 of the Health Registers Act that health data may only be processed electronically when permitted under section 9 and section 33 of the Personal Data Act, or when it follows from the Act and processing is not prohibited on some other legal ground. Section 33 of the Personal Data Act addresses the licensing obligation. It further follows from section 36 of the Health Registers Act, in so far as no other rule follows from that Act, that the Personal Data Act and the Personal Data Regulations will provide further rules.

The amendment does not affect the licensing or notification duty for studies that have already commenced. The amendment should however be invoked if the nature of the study changes in a manner making it necessary to submit a notice of the change or apply for a change in the licence.

