Information for participants in research projects

How to provide information

If possible, you must provide information directly to the person whose data is being processed, for example via letter, e-mail or providing the information in-person.

In some instances this is not possible, for example if you are collecting personal data from other sources and it would be unreasonably time-consuming to contact each individual in the data set. In these situations it may be appropriate to make the information publicly available.

Examples of public information are notices in a newspaper or members' magazine, a statement in a comment field, or a notice in a place where you are carrying out observation.

When should you provide information?

As a general rule, you must provide information to the participants before you start collecting personal data.

If you are not in direct contact with the people whose personal data you are processing, for example during registry studies or when the personal data is provided by others, you must provide information to them within a reasonable amount of time.

Requirements for the information

If you do not want to use Sikt's template as a starting point, you can write your own letter.

At a minimum, the information must include:

• The purpose of the project and what the personal data will be used for.
• Which institution is responsible for processing personal data ("data controller"), i.e. the university, university college, hospital trust or research institute at which the research takes place.
• The methods and data sources you will use to collect personal data, what these mean for the participant, and which personal data will be collected.
• The legal basis for processing personal data, e.g. a task in the public interest or consent.
• That participation is voluntary and that participants can withdraw or opt out as long as the study lasts, without having to give any reason for doing so.
• The date when the project is scheduled to end, and what will happen to the personal data at that time (whether data will be deleted, anonymised or archived/stored for future research).
• Whether the participants will be identifiable in publications or not, and what type of information may be published.
• The rights of the participants, i.e. the right to request access, that personal data is corrected or deleted, in addition to the right to data portability/copy (applicable only in consent-based projects) or object (applicable only in non-consent-based projects).
• The right to lodge a complaint with the Norwegian Data Protection Authority.
• Contact details for both the project leader and the institution's Data Protection Officer.

In addition, it may be relevant to provide information about:

• That the information will be handled confidentially.
• Who is contacting the sample/participants, for example if a hospital makes contact on your behalf, or you have received the contact information from a data registry.
• That refusing to participate will not lead to negative consequences. This is particularly relevant if you are going to include patients, pupils or others who have a special relationship with or are dependent on the person who collects the information.
• The types of sources information is to be collected from, if the information is to be obtained from sources other than the participant themselves, for example from registries or newspapers.
• If the personal data is to be disclosed to external parties, information must be provided as to what information is to be disclosed, why and to whom. If information is to be transferred outside the EU/EEA, the legal basis for transfer must also be clearly stated.
• Who is funding the project, if the project receives external funding.

Exemption from the duty to provide information

The most common exception is that it will be impossible or disproportionately difficult to provide information.

The following points are relevant for the assessment:

• The size of the sample (a large number is several thousand people).
• To what extent the sample can be identified.
• Whether the project team has access to the contact details of the data subjects.
• The risk to personal data, including the amount of personal data and how sensitive the data are. .
• Ethical considerations.

If you claim an exception from the duty to provide information, it must be well-founded in the notification form for personal data.