Information for participants in research projects

When you collect personal data for a research project, you generally have a duty to provide information to the people whose personal data you are collecting. On this side you will find everything you need to know on providing information in research projects.

The right to receive information about who is processing your personal data is a fundamental right in the General Data Protection Regulation (GDPR).

This right applies regardless of whether personal data is collected from the person themself, or whether personal data is obtained another way.

Concise and easily understandable information

The information you provide must be concise, easy to understand and written in an easily accessible form. This means that the language must be clear, understandable and tailored to the people who will be reading it. We generally recommend that you avoid academic and technical terms, and use everyday language instead.

As a general rule, the information must be given in writing. Oral information is only relevant in certain cases, or as a supplement to written information. You must be able to document the information you provide.

Template for information letter

The GDPR contains clear requirements for what the information must include.

Because there are different types of legal bases for processing, we have prepared templates that you can use as a starting point for some of the most common bases in research.

How to provide information

If possible, you must provide information directly to the person whose data is being processed, for example via letter, e-mail or providing the information in-person. In some instances this is not possible, for example if you are collecting personal data from other sources and it would be unreasonably time-consuming to contact each individual in the data set. In these situations it may be appropriate to make the information publicly available.

Examples of public information are notices in a newspaper or members' magazine, a statement in a comment field, or a notice in a place where you are carrying out observation.

When should you provide information?

As a general rule, you must provide information to the participants before you start collecting personal data.

If you are not in direct contact with the people whose personal data you are processing, for example during registry studies or when the personal data is provided by others, you must provide information to them within a reasonable amount of time.

Requirements for the information

If you do not want to use Sikt's template as a starting point, you can write your own letter.

At a minimum, the information must include:

  • The purpose of the project and what the personal data will be used for.
  • Which institution is responsible for processing personal data ("data controller"), i.e. the university, university college, hospital trust or research institute at which the research takes place.
  • The methods and data sources you will use to collect personal data, what these mean for the participant, and which personal data will be collected.
  • The legal basis for processing personal data, e.g. a task in the public interest or consent.
  • That participation is voluntary and that participants can withdraw or opt out as long as the study lasts, without having to give any reason for doing so.
  • The date when the project is scheduled to end, and what will happen to the personal data at that time (whether data will be deleted, anonymised or archived/stored for future research).
  • Whether the participants will be identifiable in publications or not, and what type of information may be published.
  • The rights of the participants, i.e. the right to request access, that personal data is corrected or deleteted, in addition to the right to data portability/copy (applicable only in consent-based projects) or object (applicable only in non-consent-based projects).
  • The right to lodge a complaint with the Norwegian Data Protection Authority.
  • Contact details for both the project leader and the institution's Data Protection Officer.

In addition, it may be relevant to provide information about:

  • That the information will be handled confidentially.
  • Who is contacting the sample/participants, for example if a hospital makes contact on your behalf, or you have received the contact information from a data registry.
  • That refusing to participate will not lead to negative consequences. This is particularly relevant if you are going to include patients, pupils or others who have a special relationship with or are dependent on the person who collects the information.
  • The types of sources information is to be collected from, if the information is to be obtained from sources other than the participant themselves, for example from registries or newspapers.
  • If the personal data is to be disclosed to external parties, information must be provided as to what information is to be disclosed, why and to whom. If information is to be transferred outside the EU/EEA, the legal basis for transfer must also be clearly stated.
  • Who is funding the project, if the project receives external funding.

Exemption from the duty to provide information

The most common exception is that it will be impossible or disproportionately difficult to provide information.

The following points are relevant for the assessment:

  • The size of the sample (a large number is several thousand people).
  • To what extent the sample can be identified.
  • Whether the project team has access to the contact details of the data subjects.
  • The risk to personal data, including the amount of personal data and how sensitive the data are. .
  • Ethical considerations.

If you claim an exception from the duty to provide information, it must be well-founded in the notification form for personal data.

Contact Sikt's Data Protection Services

Message: Log in to and contact your adviser by sending a message.

Chat: Open weekdays from 12 to 14. Closed on Wednesdays.

Phone: +47 73 98 40 40 weekdays from 10-12. Closed on Wednesdays.