Faculty of Medicine

Target and strategy document

General framework for health research and the use of personal information in research at the University of Bergen

The general framework for health research and treatment of personal data in research at the University of Bergen was adopted by the University Board on 09/27/2012.

In Norwegian: Here you can read the document.




Internal control system for health research and the use of personal information at the UiB.


Activities which are conducted using scientific methodology in order to obtain new knowledge about health and disease.

Medical and professional health research should be planned, implemented and reported in order to ensure compliance with ethical, medical, professional health, scientific and personal protection circumstances, as well as proper professional standards.

The use of personal information by researchers, students and others engaged in research. Personal information is defined by Section 2 no. 1 of the Norwegian Data Protection Act. Personal information means information and assessments which can be linked either directly or indirectly to an individual.

The use of personal information conducted during research activities should only take place as an essential part of research, presentation or teaching.

The university shall not use personal information in research over and above the dictates of research ethics. As regards individual students and society in general, university use of personal information shall constitute the least possible practical, technical and financial encroachment on the personal protection interests of individuals.

University employees and students shall comply with the following guidelines in respect of all their research activities:

Authorities and Regulations
The university's research activities shall comply with current legislation and guidelines. The university shall do its best to ensure that any principals, subcontractors and joint venture partners similarly comply with current regulations. Any applications and other documents sent to the Personal Protection Ombudsman at the NSD (the Norwegian Social Sciences Data Services), the REK (the Regional Committee for Medical and Health Research Ethics) and other authorities shall be complete and shall have been thoroughly prepared in accordance with the requirements and standards specified in the regulations.

Confidentiality and security
Documents and other information associated with research projects shall be secured against access by unauthorised persons. Documents which are no longer required for project documentation purposes shall be destroyed and/or deleted. All original documents shall be locked away. Access control shall be considered by each individual unit. Any electronic systems and premises used for research activities shall satisfy the requirements which apply to the storage of personally identifiable information as specified in the Norwegian Data Protection Act and its appurtenant regulations. Research data shall not be retrieved from such systems without a written agreement permitting such.

The university's project workers shall possess adequate training and experience for the research work for which they are responsible, and they shall receive continuous guidance and follow-up. Limited experience can be compensated for by the provision of extended guidance and follow-up. The university's researchers are encouraged to participate in professional fora, interest groups and associations where the university's research can be promoted and presented, and simultaneously be subjected to assessment and criticism. The university's management undertakes to provide its researchers with continuous updates and further education.

Working environment
The university's management shall develop and maintain a good working environment with open communications.

Agreements with joint venture partners
When collaborating on research with other institutions a written agreement between the university and its joint venture partner(s) is required. For projects of a longer duration, such agreements should be reviewed on an annual basis with a view to making any necessary amendments or additions.

- relates to working systematically in order to ensure that the university complies with the legislation and regulations which apply to its activities.
- is the tool necessary for ensuring the proper implementation of health research and for complying with the requirements contained in the Norwegian Data Protection Act.

Internal control
The university shall have a quality system designed to ensure compliance with the legislation which is relevant to the UiB's health research, including data protection legislation. This quality system shall be kept up to date and be reviewed once every third year as a matter of routine. The university's employees shall be trained to use the quality system when required, and when any amendments are made. The university shall have a system and a plan for undertaking internal quality reviews of its own systems and of research projects which are conducted under the auspices of the university or in cooperation with other institutions or organisations.

The university's current information about health research projects is handled by SPREK (the REK portal) and is recorded when the various regional committees send the university copies of applications received and decisions adopted by the REK (Regional Committee for Medical and Health Research Ethics). Copies of decisions and applications are placed in the university's administrative processing system, ePhorte, or in another suitable system.

The university has entered into an agreement with the NSD (Norwegian Social Sciences Data Services) in its capacity as the UiB's personal protection ombudsman. The university's current information about the use of personal information in research is dealt with by the NSD's internal portal. The university can follow a project from start to finish, via changes, expansions and extensions, including what happens to data at the end of the project in question. Information can also be retrieved about how personal information is being used, what personal information is being used, who is using information, statutory provisions, the Personal Protection Ombudsman's assessments and recommendations and licences from the Norwegian Data Protection Authority. The portal can be used for random sampling of research projects and as an aid when the Data Protection Authority undertakes inspections, either by checking letters or by making on-site inspections.

The Rector has overall responsibility for ensuring that the university complies with the regulations contained in the Norwegian Health Research Act and the Norwegian Data Protection Act and for allocating the necessary resources for undertaking quality and quality improvement work.

The Rector can delegate work to the university director who can then delegate it to the faculties. The individual faculty heads can continue to delegate work to the institutions. The Rector adopts delegatory decisions associated with compliance with the Norwegian Health Research Act and the Norwegian Data Protection Act. These are shown on appendices sent to the joint internal control system for medical and professional research.

The Rector ensures an open policy in respect of the university's research activities.

The individual faculty heads and the directors of museums and centres which are governed by the University Board possess an overall responsibility for ensuring quality and compliance with the regulations at their units, as well as for making any necessary quality improvements.

Institute directors are responsible for ensuring that the necessary procedures, routines and other quality documents are in place for work assignments carried out at their institutions, as well as for ensuring that they are implemented and updated.

The University Director has administrative responsibility for the establishment and maintenance of the university's quality system for medical and professional health research, as well as for the use of personal information. He is also responsible for the quality system's documents.

The IT Director is responsible for the operation of the university's computer systems and for the maintenance of any procedures associated with these systems.

Internal reviews
Internal reviews shall be conducted on a regular basis in accordance with the university's Internal Review Guidelines.

All employees and students at the university are responsible for the quality of their own work and for reporting any training and skills development requirements to their line managers. The university shall have written procedures relating to responsibilities and work which stipulate statutory requirements in respect of qualifications and which compel project managers and the biobank manager to comply with such.