Go to main content
ENG

Consent or Public Interest as Legal Basis

You must have a legal basis to process personal data. The most common legal bases in research are consent and public interest.

You must establish a legal basis before you begin processing personal data.

There has been a tradition in Norway for using consent as the legal basis when processing personal data in research. However, even if you are in direct contact with participants and ask whether they want to take part, consent is not always the most suitable legal basis.

In many projects, public interest will be a more appropriate basis for processing. Research, as a general rule, is considered to be in the public interest.

Here you can read more about which legal basis you should choose and the specific conditions that apply.

Which legal basis should you choose?

Public interest as an appropriate legal basis

Here are some examples of projects where public interest is typically an appropriate legal basis: 

Large and complex projects may find it challenging to predict all future processing activities. If changes are made to the project then it may be difficult to obtain new consent from all research participants.

If the only reason you are collecting directly identifiable data, such as names, is to document consent, then it may be more appropriate to use a legal basis other than consent.

This typically applies to surveys and observation. You should not process more personal data than is necessary to achieve the purpose of the project.

If the individuals you are researching are in a vulnerable situation, such as asylum seekers or people experiencing a life crisis, some of the requirements for using consent as a legal basis may be difficult to meet.

By documenting the societal benefit of the research and implementing measures to increase data protection, the processing may still be lawful.

If there is an imbalance of power between you as a researcher and your participants, the perceived voluntariness of participation may be compromised.

This applies if you are associated with an institution that participants are dependent on, such as when research is conducted by a hospital, employer, or the Norwegian Labour and Welfare Administration (NAV).

If consent is the legal basis, it must be documented, for instance, through a signature or on a sound recording. In some situations, this may not be practical, feasible or appropriate.

There may be several reasons why participants do not want their consent to be documented, or why this is inappropriate in the cultural context. It could also be logistically challenging to obtain documented consent.

In registry studies, internet studies, and document analyses, you as a researcher will often not be in direct contact with the individuals whose personal data you are processing. Public interest may be an appropriate legal basis in such cases.

The processing must also meet certain conditions depending on the basis you choose.

If you choose public interest as the legal basis, you must demonstrate why the processing is in the public interest and what measures you are taking to reduce the risk to personal data privacy.

What to consider when using public interest as a legal basis

Consent as an appropriate legal basis

Here are some examples of research projects where consent is a suitable legal basis:

Consent can be a good basis if you are conducting interviews with research participants, and the collected personal data will only be used for a specific, limited research purpose.

Student projects are often limited in duration, scope and purpose, and data often collected directly from participants, making consent a suitable basis.

Depending on the basis you choose, certain conditions must be met for the processing to be lawful.

If you choose consent, the law sets clear requirements for how consent must be given in order to be valid. It also specifies who can provide consent and how long it must be retained.

Requirements when using consent as a legal basis

Participants Have the Right to Information

Irrespective of which legal basis you choose, there are certain obligations in data protection legislation that you must meet when processing personal data.

For example, as a general rule, you must provide information to the individuals whose personal data you will be processing.

See Sikt's templates for information letter

The Requirements for Each Legal Basis

Public Interest: What to be Aware of

When public interest is the legal basis, the processing is lawful because it is necessary to perform a task in the public interest. Research, as a general rule, is considered to be in the public interest.

Research in the Public Interest

When you are processing personal data on the basis of research purposes in the public interest, you must demonstrate that the personal data you intend to process is necessary to achieve the research purposes.

The higher the level of risk when processing personal data, the more important it is that the personal data are strictly necessary to meet these purposes, and that the research purposes are clearly defined and legitimate.

Implement Measures to Reduce Risks

Data protection legislation refers to risk to the rights and freedoms of data subjects, such as the right to have personal data protected and to have control over one’s own personal data.

Processing of personal data for research purposes must be subject to necessary safeguards, which reduce the level of risk to these rights and freedoms. This means that you must describe the measures you are taking to reduce the risk for participants whose personal data you will be processing.

Risk reducing measures might include:

  • providing clear and comprehensive information about what processing involves,
  • making it easy for participants to exercise rights over their personal data,
  • minimising the personal data collected (amount of data, how sensitive and identifiable the data are),
  • storing the data securely with limited access, and
  • anonymising data when possible.

For special categories of data and information about criminal offenses, you must additionally justify why the societal benefit of the research outweighs the level of risk for the participants whose personal data you are processing. This applies if you process data such as health information, political opinions, or religious beliefs.  

Consent as a Legal Basis: What to be Aware of

For consent to be used as a legal basis, it must be voluntary, specific and informed, unambiguous and given by a statement or clear affirmative action, documented, and as easy to withdraw as to give.

Participation in research and sharing personal data must be voluntary. Consent is not valid if the participant feels pressured to consent or if there are negative consequences for not consenting.

It is important that there is no power imbalance between the person (and/or institution) asking for consent and the participant. For example, it may be difficult for pupils to decline participation in research conducted by their own teachers.

Consent must be given for something clear and specific. This means the participant must consent to the processing of their personal data for a clearly defined purpose. If someone consents to a specific purpose, their personal data can only be used for that purpose.

If a project has multiple purposes, consent must be obtained for each purpose separately (each purpose must have a legal basis). It is possible to gain consent for broad purposes in research projects.

Before requesting consent, you must provide information in clear, simple, and understandable language that the target audience can understand. The law specifies what information must be provided.

We recommend that you use our templates for the information letter.

The participant must actively confirm their consent for it to be a valid legal basis. Passiveness or lack of response does not constitute valid consent for processing personal data.

If you are going to process special categories of personal data, such as health data, then consent must be explicit. This means that you must inform participants that this type of data will be collected and they must give clear confirmation of consent.

Consent is only valid as a legal basis if it can be documented. The law does not specify how this should be done, but examples of documentation are written consent in the form of a signature or via email, or verbal consent on an audio recording.

It must be clear what the consent applies to. Therefore, it may be helpful to use checkboxes if participants can choose to consent to certain parts of the study without participating in everything (e.g. completing a questionnaire but not participating in an interview or data storage for future use).

It must be just as easy to give consent as it is to withdraw it.

If someone withdraws consent, you must, as a general rule, delete that person's personal data from the dataset.

Other Considerations When Using Consent

There are additional factors to be aware of when using consent as a legal basis.

Duration of Consent

When obtaining consent, you must inform your participants about how long their personal data will be processed. In principle, you can retain their data as long as they have consented to it.

In long-term projects, it may be necessary to provide supplementary information at regular intervals. It might also be necessary to obtain new consent in the event of significant changes.

In extensive research projects, a different legal basis, such as public interest, may be more appropriate than consent.

Storage of Documented Consent

When you use consent as a legal basis you must be able to document that you have obtained valid consent for as long as you are processing personal data in your research.

When you are no longer processing personal data, you should generally delete or destroy documentation of consent.

Capacity to Consent

The person providing consent to participate in a research project must have the capacity to consent. The person cannot be physically or mentally impaired in a way that prevents them from sufficiently understanding what participation entails and making a rational decision.

It can be challenging to determine when a person’s capacity is too limited to provide valid consent to having their personal data processed. Professionals or someone who knows the person well must decide whether the individual has the capacity to consent.

Consent from Children and Adolescents

The general rule is that one must be 18 years old to give consent. However, in some cases, children and adolescents can decide for themselves whether to share their personal data for research. If the data includes special categories (e.g., health data), the individual must usually be at least 16 years old to give consent independently. This age limit is the same as in the Health Research Act.

The Norwegian Data Protection Authority (Datatilsynet) emphasises that age limits must be evaluated based on an overall assessment. A child’s maturity plays a crucial role, and the information provided must be adapted to the child’s age and ability to understand what they are consenting to. It must also be considered whether parents should be informed so they can help the child safeguard their privacy rights.

A general rule of thumb is that the greater the privacy implications of the data processing, the higher the threshold should be for allowing a minor to consent independently without parental involvement.

You can read more about this topic (in Norwegian) on the Norwegian Data Protection Authority's website.

Contact Sikt's Data Protection Services

Message: Log in to minforskning.sikt.no and contact your adviser by sending a message.

Phone: +47 73 98 40 40 Mondays, Tuesdays and Thursdays from 10-12.

Related information about data protection

Information to the participants

When you collect information about people, you have a duty to notify them. See the requirements, and use our templates for the information letter.

Notify changes in the project

Sometimes you will need to make changes to the project after the notification form has been completed and assessed. See which changes you must notify Sikt of.

Guide to processing personal data in research

Get an overview of our information and guidance to the Personal Data Act. Some pages is in English, some will be in Norwegian.