Legal bases for personal data processing in research

All processing of personal data must have a legal basis, also called a basis for processing. The most common practice in research is to obtain consent, but there are also other legal bases.

The conditions set in the legislation for lawful processing of personal data are defined in the Personal Data Act. Here we go through some of the bases for processing that are most commonly used in research.

Consent as a legal basis

In research, the most common basis for processing is consent. For a consent to be valid, it must meet certain requirements.

The consent must be:

Voluntary

Participation in research must be voluntary. Consent is not valid if the participant feels pressured to consent, or if not consenting has adverse consequences.

The power relationship between the person who asks the questions and the person who participates should not be disproportionate. For example, it may be difficult for a student to refuse to participate in their own teacher's research.

Specific and informed

What participants agree to must be clear and specific. This means that participants must consent to a clear and precisely formulated purpose. If someone has consented to a purpose, their personal data can only be used for this purpose.

If a project has several purposes, consent must be separately requested for each purpose. It is possible to request consent for broad purposes in research projects.

When asking for consent, you must be concise and use clear, simple language that the target audience understands.

We recommend that you use our information letter template to ensure that the participants are sufficiently informed.

Unambiguous and given through an active action

A person who will participate in the research must take an active action for the consent to be valid. An action can be clicking on a button, signing a consent form, or ticking a box.

Inactivity or non-response does not constitute a valid consent.

Documentable

Consent is only valid if it can be documented. The law does not state how it should be done, but it can e.g. be given via signature, verbally on an audio recording, ticking a form or via e-mail.

For example, if you are to collect information via an online questionnaire, it may be sufficient for your sample to press a button that confirms consent. You must not collect signatures.

Tick boxes should be set up so that the participant can choose to consent to some parts of the study without participating in everything (for example questionnaire, but not interview).

Tick boxes are also relevant if you are going to store data with personal information for further research or if it is to be used for several purposes.

Equally easy to opt-in as to opt-out

It should be as easy to withdraw consent as it is to give it. If someone withdraws consent, you must usually delete this person's personal data from the collected data.

Reference in the Personal Data Act

In the legislation, you will find the provisions on consent as a basis for processing here:

  • General personal data: Art. 6 (1a)
  • Special categories of personal data: Art. 9 (2a)

Can a consent expire?

When you obtain consent, you must provide information to your sample about how long you will process their personal data. You can keep the sample's information as long as they have consented to it.

There is no given time period for how long a consent is valid, but if the project is long-term, you must provide the sample with supplementary information at regular intervals.

Supplementary information reminds the sample that they are participants in the research and that they can utilise their rights. If the research project changes, it may be necessary to obtain a new consent.

How long should I keep a consent?

You must be able to document that you have obtained valid consent as long as you process personal data in your research.

When you no longer process personal data, you must usually also delete the consent.

If you need to keep the consent for a limited period after the end of the project, due to grading or peer review, you may do so. Remember to plan for this in advance, and that you must inform the sample about saving consent for this purpose.

Things to be aware of when gathering consent

Competence to give consent

The person who consents to participation in a research project must have the competence to give consent. This means that the person must have certain basic personal characteristics.

The person cannot be physically or mentally impaired in such a way that the person concerned no longer has sufficient ability to make a rational decision.

It can be difficult to determine when a person's capacity is so diminished that they no longer have the competence to consent. The threshold is a sliding one that depends on how extensive the research project is.

Specialists must make the decision whether or not persons have the competence to consent.

Parents' responsibility for consent from children

Children and young people can themselves consent to participation in research when they are 15 years of age. If special categories of personal data are to be collected, the young person must be 16 years of age to consent.

For children under 15, parents should consent on behalf of the child. When parents must give consent for their child, it can be challenging to know with certainty that the person giving consent is actually the one with parental responsibility.

In projects with a low privacy disadvantage or low risk, it may be sufficient for parents to consent via e-mail, but if the risk of the processing is greater, it may be appropriate to request additional proof of parental responsibility.

Explicit consent

Explicit consent for special categories

An explicit consent means a consent that is given in an abundantly clear manner.

If the research project is to process special categories (sensitive personal data), there is a requirement that the consent must be explicit - also often called express.

An example of explicit consent is a signature on a declaration of consent or an audio recording of consent.

Explicit consent when you are not in physical contact with the sample

If you are not in physical contact with your sample, you can e.g. obtain explicit consent by:

  • Participants press a button/tick a box that confirms their consent.
  • You receive a scanned signature by e-mail.
  • Electronic signature, for example with BankID. 
  • Two-step verification: The researcher sends an e-mail with good information about the study where consent is requested from the participant. The participant replies by e-mail: "I consent to participate". Once the participant has sent this by e-mail, they receive the actual questionnaire. 

In questionnaires that only process general categories of personal data, consent can be registered by the participants answering the survey.

Public interest as a basis for processing

In some cases it may be difficult to obtain valid consent from the sample, or consent involves a disproportionate collection of personal data.

In such cases, we would recommend that you use "public interest" as the legal basis. You can choose this as an option in the notification form.

You must state why your research is in the public interest and argue for the social benefit of your project.

Registry research is an example of a research method where public interest often becomes a suitable legal basis for the processing.

Information to the sample

Even if the basis for processing is public interest, you must still initially inform the sample about the study.

If it is not possible to provide individual information, you should try to provide collective information by making the information publicly available on a separate website about the project or similar means.

If it is difficult to provide information to the data subjects in accordance with the duty to provide information pursuant to Article 14, exceptions must be made to this obligation.

You yourself must argue why it is difficult to provide information.

Reference in the Personal Data Act

In the legislation, you will find the provision on public interest as a legal basis here:

  • General personal data: Art. 6 (1e), cf. Art. 6 (3b), cf. Section 8 of the Personal Data Act.
  • Special categories of personal data: Art. 9 (2j), cf. Section 9 of the Personal Data Act.

Conditions for public interest as a legal basis

The processing must be necessary for the performance of a task carried out in the public interest or necessary for a purpose related to scientific or historical research.

This means that an assessment of the necessity of the processing operations must be carried out.

Necessary is a strong term and implies strict requirements.

This does not mean that the processing of information will be impossible without using public interest as a basis. But the concept of necessity assumes that it must be very difficult to achieve the research purpose without using public interest as a basis.

Supplementary legal basis

The processing of both general and special categories of personal data must also be authorised by law or regulation, so-called supplementary legal basis.

This means that the basis for processing must be established in a law to which the data controller is subject. In Norway, Sections 8 and 9 of the Personal Data Act lay down detailed rules for public interest as a basis for processing in research, but there may also be other laws that can constitute such a supplementary legal basis.

Section 9 of the Personal Data Act has some stricter conditions than Section 8, as Section 9 applies to special categories of personal data.

Balance of interests

The provision only applies if "society's interest in the processing operation taking place clearly exceeds the disadvantages for the individual", and consequently expresses that a balancing of interests must be carried out in the research project. 

This means that a balance of interests must be made between society's interests in the research and the disadvantages the processing entails for the individual, and further that it must clearly favour the general interest in order to be able to apply the provision in a research project.

When processing special categories, there is also a requirement that the data controller must consult with the data protection officer or another entity, such as Sikt's data protection services. 

Personal data about criminal convictions and offences

Some research projects require processing of information about criminal convictions and offences. Article 10 of the GDPR contains conditions for processing such information. Firstly, the provision states that all processing of such information must have a legal basis in Article 6 (1).

This means that there must be a legal basis for processing information about criminal convictions and offences.

Need for national provisions

If the legal basis is public interest, there will also be a requirement for a supplementary legal basis in national law, such as Section 8 of the Personal Data Act for research.

In principle, information about criminal convictions and offences can only be processed by public authorities.

If they are to be processed by other parties, such as in research, national provisions must be adopted that safeguard the rights and freedoms of the data subjects.

Section 11 of the Personal Data Act is such a national provision, and the provision therefore supplements Article 10 of the General Data Protection Regulation.

Conditions for processing information about criminal convictions and offences

The data controller can only process information about criminal convictions and offences if the processing:

  • Is based on consent
  • Is necessary to protect the vital interests of the person concerned
  • Is carried out by certain non-profit organisations
  • Concerns information that the data subject has made public
  • Is necessary to establish, enforce or defend a legal claim

Legal obligation and preventive or occupational medicine as a basis for processing in quality assurance projects

Quality assurance projects in higher education or in the health sector are examples of projects where this is a suitable basis for processing.

Quality assurance in the health sector is about evaluating a service (procedure, medication, operation), treatment carried out by a unit (team, department, hospital), or treatment linked to a specific diagnosis.

Quality assurance in the education sector involves systematic quality work to ensure the quality of study programmes.

Reference in the Personal Data Act

In the legislation, you will find the provision on legal obligation as a legal basis here:

  • General personal data: Art. 6 (1c), Legal obligation
  • Special categories of personal data for quality assurance in health projects: Art. 9 (2h), Preventive or occupational medicine

Information that the data subject has manifestly made public

Pursuant to Article 9 (2e), a data controller may lawfully process special categories of personal data if it is manifest that the data subject has made them public.

The condition that the information has been made public means that the data subject has made the information openly available to an indefinite number of people.

This could, for example, be information about their state of health, their political opinions or the like that a person has published in an authorised biography, in a newspaper, online or in other media that are not reserved for a specific number or group of people.

Processing of information about active party politicians or persons who publicly confirm their religious affiliation may take place on the basis of this provision, provided that there is a legal basis pursuant to Article 6.

Processing of information that others make public, and which the data subject later confirms, may also be covered by the basis for processing in Art. 9 (2e).
