Behandling av personopplysninger i studieoppgaver - Student

Web Content Display

Data privacy in bachelor’s and master’s theses

Are you going to do an interview or send a survey in connection with your bachelor’s or master’s thesis? Then you are probably working with personal information from your informants. Read more to find out how you handle personal information.

Handling personal data in the context of assignments must be done in certain ways. Here you will find an overview of important things to do and links to relevant guidelines.

  • What is my responsibility? 

    When conducting a survey, it is important that someone takes responsibility for the survey being carried out and that it is carried out in a responsible manner. For this, you must have a “project manager” for the survey. You as a student cannot be responsible for this project management, therefore you must have someone with you who can take this responsibility – normally this is your supervisor. 

    The supervisor shall, together with you, in quality assurance, assess, among other things, whether it is necessary to collect personal information, what personal information it is necessary to collect based on the purpose of the project/student assignment, which electronic solutions should be used and whether the project/student assignment should be reported to Data Protection Services (Sikt) ( 

    Although supervisors are always responsible for data privacy in student research at bachelor’s and master’s level, you as a student still carry an independent responsibility for ensuring that data privacy is taken care of. 

  • Training

    At the website you can take short e-learning sessions about Privacy (GDPR) and ethics in research. It takes 3-5 minutes per lesson. The 7 lessons in data privacy in research are also adapted to OsloMet, see links in the box OsloMet. 

    OsloMet offers the Privacy Game 2021 (Personvernspillet 2021) on to all employees and students who will be writing an assignment, because most of us process personal information through research, teaching or administration. 

  • Planning

    Assess whether it is necessary to use personal information, see website about anonymous, anonymised or deidentified data ( and clarify roles and whether it is necessary with Data Protection Services (Sikt)’s assessment ( 

    Notification to Privacy Protection Services (Sikt) and possibly REK (Regionale komiteer for medisinsk og helsefaglig forskningsetikk, eng. REC, Regional committees for Medical and Health Research Ethics) 

  • The supervisor's role and responsibility 

    The role of the supervisor 

    The supervisor specified in the registration form automatically receives an invitation to the project when the registration form is submitted. The supervisor must respond to the invitation by clicking on the link and logging in. If the supervisor has not responded to the information within 5 days, Data Protection Services (Sikt) will send out a reminder. 

    The supervisor acquires administrative rights to the project, i.e., access to edit and send the registration form, write in the message dialog, create new registration forms and data management plans, share the project and more.  

    Everyone with whom a project is shared (project members) receives an e-mail notification when someone in the project sends messages, or when Data Protection Services (Sikt)’s advisers send messages or assess the registration forms. 

    Anyone who has access to manage or edit a project can write and read the message dialog for associated message forms. 

    The responsibilities of the supervisor 

    When conducting a survey, it is important that someone takes responsibility for the survey being carried out in a responsible manner. You cannot take all this responsibility yourself and stand as “project manager”. The supervisor has this responsibility and must be the “project manager” for the survey. 

    The supervisor is responsible for ensuring that you as a student who processes personal data on behalf of OsloMet are provided with information, training and access to the necessary infrastructure – in order to be able to carry out the processing of personal data in a secure manner. 

    The supervisor shall, together with you as a student, when quality assuring, assess, whether it is necessary to collect personal information, what personal information it is necessary to collect based on the purpose of the project/student assignment and whether the project/student assignment is to be assessed by Data Protection Services (Sikt). 

  • Planning storage 

    Look up in the classification guide ( and decide whether your data should be categorized as open (green), limited (yellow) or confidential (red). Note that red data is referred to as sensitive personal information ( and has strict requirements for protection. 

    Once you have clarified the information class for your data, you must check OsloMet’s guidelines for the type of equipment you can work on with this data. This can be found in the storage guide ( for OsloMet. 

    The storage guide applies when you work with data that is not owned by you, but which is owned by OsloMet or for which OsloMet is responsible. Examples of such data can be work on a bachelor’s thesis or master’s projects that process personal data. 

    If there is something you are wondering about or have problems with when it comes to the type of personal information and which electronic solutions are secure enough, contact the supervisor and privacy adviser at your faculty as early as possible. If you need further assistance to answer your questions, contact FoU-IT by contacting with a supervisor and privacy adviser on a copy. Mark the inquiry with what it concerns, for example: 

    • Questions for FoU-IT regarding classification 
    • Wish assessment of FoU-IT of project 

    More about storage and computing 

  • Implementation

    How to process your data?

    Where should the data be analysed? Is it safe enough? See the storage guide (

    In case of changes in the project/student assignment: 


    Report any problems and deviations ( that arise when processing personal information about research participants or informants in the project/student assignment. 

  • Conclusion


    Personal information must normally be deleted or anonymised at the end of the project ( See also e-learning prepared by, "When you are done" (3-5 minutes length). 

    An example of anonymization is that the connection key for de-identified/pseudonymised personal information is destroyed. 

    You must, together with the supervisor, decide which personal information about research participants or informants is to be deleted and which is to be stored after the end of the project. 

    Requirements/information about storage may follow from: 

    • Consent 
    • Information letter to research participant/informant 
    • The assessment of REC or 
    • The assessment of NSD 

    If you have had your student project evaluated by REC, then you have to submit a final report to REC at the end of the project (no)(rekportal no).

    If you have had your student project evaluated by Data Protection Services (Sikt), you have to notify data Protection Services (Sikt) once the project has been completed and anonymized (

    Long-term storage? 

    Together with the supervisor, you must ensure that the personal information is properly stored (

  • More about privacy concerns and data protection for students