7. Store and release active research data

The general rule is that health research data must be stored in de-identified form, that is, research data and identifying elements (identifier) must be stored separately, and in such a way that the researchers only have access to research data. Active research data can be stored as long as approval from REK is in effect.

Arrangements have been made for secure electronic storage  that simultaneously enables work on research data during periods away from NTNU.

Storage of research data
The project manager is responsible for secure storage of active research data - personal data and human biological material - and any .

  • Paper-based research data that has not been anonymized must be stored in locked archives to which only staff subject to the instruction authority of the organization have access. If paper-based research data are stored in an office, the office must be locked when you leave it.
  • The identifier must normally be stored on paper and by a trusted third party, such as the person responsible for registration. If both data and the identifier are stored electronically, they must be stored in different areas, and the identifier must be stored especially securely.

How active data will be stored must be determined before data collection begins. Special regulations apply to the storage and safekeeping of human biological material.  

When NTNU's own system (link currently in norwegian) is used for the secure collection, safekeeping, processing and storage of personal data in medical and health research, a number of the requirements specified in the Act relating to Personal Data Filing Systems (Personregisterloven) and the Personal Health Data Filing System Act (Helseregisterloven) for conducting research projects will automatically be fulfilled through the technical data solutions and the security architecture that have been chosen.

If storage in any other way than the solution offered by NTNU is used, the project manager must conduct a risk assessment. The assessment and measures must be documented.

Project team members' access to the research data
The research data must only be available to authorized project team members until completion of the project. The project manager decides which project team members are to have access to de-identified research data and identifiers. The project manager must have a documentable list of who has access to the data. This list must be available to the person/entity responsible for research.

Project team members must normally not have access to the identifier. In cases where they have access to the identifier, the data are no longer regarded as de-identified, but as directly identifiable to the person, which involves more stringent requirements for proper handling and storage.

Release of data to external organizations
The project manager may release health data to an external organization if the individual has consented to participate in the project and REK's approval covers this. If an external organization is to process or operate with data on behalf of the project, an agreement must be signed. The external organization may not process data in any way other than what was agreed.

Release of biobank material follows the same rules, but with some additional provisions.

If the research project is not based on consent, REK must have granted an exemption from the duty of confidentiality, or other legal basis for this must exist.

Release of de-identified data (data files without an identifier file) on CD/DVD or USB flash drive must take place by registered post. If the identifier file is released, the data are not regarded as de-identified. In such cases, the dispatch must take place in two shipments; the identifier file and data are sent separately, preferably encrypted.

Disclosure of data to project participants
Participation in research projects is normally based on voluntariness. A person who has given consent may demand access to and correction of incorrect data; see sections 40-43 of the Health Research Act. The person in question may withdraw from further participation or withdraw his or her consent.

Requests for access to information should be in writing and should be dated and signed by the research participant or guardian. It is not necessary to provide reasons for the request.

The project manager must deal with the requests on an ongoing basis, and they must be answered within 30 days. Access to information may be restricted or refused for medical or other compelling reasons authorized by the Health Research Act. Reasons must be given for the refusal, and the legal basis for the refusal must be stated. An appeal against such refusal can be submitted to REK.


Only digital versions retrieved from this website are valid.

Version 1.0. Date: 1 January 2012