We recommend that you upgrade to the latest version of your browser.

Privacy and ethics

Considers the protection of privacy and provides general guidance on research ethics and other requirements applicable to research and quality projects.

Deviations that have occurred in a research project must be reported in EQS, Ahus's own internal system, under the category "research." The area of deviation pertains to unwanted events/deviations that are study-specific; for example, insufficient approvals or privacy assessments, projects that are active without a valid project period, violations of rules regarding the handling of research data, etc.

Read more about deviation reports for quality and research projects:

Handling, closing, and follow-up of research-related unwanted events/deviations

The Data Controller is the one who determines the purpose of processing health information and which tools will be used. A Data Processor is an external party that processes personal data on behalf of the Data Controller, and this must be regulated in writing in an agreement.

Norwegian - data processor agreement (Word)

English - data processor agreement (Word)

A data management plan is a tool for managing research data. The plan describes how data will be handled during the project period and after the project is completed. The purpose is to assess various aspects of the management of research data, from collection/generation, processing, analysis, documentation, to storage and future sharing of data. A data management plan should ensure that research data can be managed legally, structured, and securely, as well as stored, reused, and understood in the future.

Some projects have requirements for a data management plan:

For all projects receiving funding from the Research Council, the responsible institution must assess the need for – and the quality of – a potential data management plan. If the project leader decides that the project will not develop a data management plan, the Research Council must receive a justification for this when the project leader submits a revised application. The Department for Research Support can be contacted for advice and guidance.

EU projects funded by H2020 are required to develop a data management plan within 6 months of receiving funding.

In clinical drug trials, a data management plan must be established.

Template for data management plan for digital research data (PDF)

Useful links

The Research Council (forskningsradet.no)

Data management plan for UiO employees (uio.no)

Regional Committees for Medical and Health Research Ethics (REK)

Regional Committees for Medical and Health Research Ethics (REK) determine whether a project is regulated by the Health Research Act and can be considered health research. All projects that fall under the Health Research Act must receive an ethical assessment from REK before commencement. Ahus also has an independent responsibility to ensure that privacy and information security are maintained in accordance with the Personal Data Act. Therefore, all projects conducted at Ahus must be reported to the Data Protection Officer via eForm, including those projects approved by REK.

Read more about REK

Exemption from REK or the Norwegian Directorate of Health

An exemption from confidentiality is necessary to research health information that has already been collected, without requesting consent. Applications for exemption from confidentiality are processed by:

  • REK if the purpose is research. This applies to both medical and health research (Health Research Act §§ 15, 28, and 35) and for other research.
  • The Norwegian Directorate of Health if the purpose is health analysis, quality assurance, administration, planning, or management of health and care services (Health Personnel Act § 29 b). You can find the link to the form here.

The Norwegian Medicines Agency (SLV)

Read more about SLV

To register projects via the e-form, you must be logged in as an Ahus user and connected to the Ahus network or VPN. It is not possible to register projects via a personal or UiO computer.

Changes to the project must be reported to the data protection officer in the e-form. 

E-form

Guide for registration in eForm (PDF)

​​

Simplified notification form for student/master's projects (Word)

The Joint Committee on Research Integrity shall address cases of possible violations of recognized research ethical norms.

Cooperation Agreement on the Joint Committee on Research Integrity (PDF)

Mandate for the Joint Committee on Research Integrity (PDF)

Procedural Rules for the Joint Committee on Research Integrity (PDF)

Contact: Mariann.Glenna.Davidsen@ahus.no

In both quality and research projects, consent is obtained from project participants. Privacy legislation imposes a number of requirements on what a consent form must contain to be valid. In summary, consent must be voluntarily given, specific, informed, unambiguous, provided through an active action, documentable, and as easy to withdraw as it was to give.

The consent form should be written in clear and simple language tailored to the group from which consent is being obtained. It is recommended to use the templates developed by REK.

Procedure for obtaining consent (PDF)

Procedure for the rights of the registered in quality and research projects (PDF)

Template for information letter and consent (rekportalen.no)​

​Ahus has entered into an agreement with UiO regarding the use of the "Digital Consent Solution".


Research projects at Ahus can now utilize UiO's digital consent solution. 

The solution can be used to send out invitations to participate in research studies, and participants provide digital consent using an e-signature solution with two-factor login.

To access the solution, the research project must have an active project area in Services for Sensitive Data (TSD). The consent itself is created in Nettskjema and then linked to the respective project area in TSD, where the consent is stored. 

The setup and use of the solution are managed and supported exclusively by UiO. 


The Patient Journal Act § 6 and the Health Personnel Act § 26 provide a legal basis for projects and registers established by management to carry out internal control and quality assurance of healthcare services. This requires a management decision and a recommendation from the Data Protection Officer.

The project's objective is to improve the treatment of patients at the hospital, for example, by enhancing diagnostic or treatment methods. The purpose is not to create something new, but to structure available information, which can provide a better basis for decision-making regarding any changes. The purpose is limited to internal activities and needs at Ahus.

Data Protection Officer at AhusProcedure: Internal Control and Quality Assurance of Healthcare Services​ (EQS-id 40880. The link requires you to be on the Ahus network) 

After the introduction of the new data protection regulation, the data controller is required to assess whether a Data Protection Impact Assessment (DPIA) should be conducted for quality and research projects. The purpose of the DPIA is to identify and map privacy risks in the relevant project, as well as to evaluate which risk-reducing measures should be implemented. A specific template for the DPIA has been developed, which should be filled out by the project leader and assessed by the data protection advisor. Note that the template is intended for internal use only.​​

DPIA template (Word)

Guide for filling out the template for Data Protection Impact Assessment

If you have questions or need guidance, data protection advisors and research advisors can be contacted via email: Forskning.personvern@ahus.no

Cooperation projects should, as a general rule, be based on an agreement between the participating institutions.

In projects where two or more partner institutions jointly apply for external funding, and where the parties have a shared responsibility for content, implementation, and results, the cooperation should be regulated by a separate agreement. In such cases, it is also important that, at the time of application, the budget, and the project description, it is clarified:

  • Who the partner institutions are 
  • What each partner will contribute in terms of resources and infrastructure
  • How the funds are planned to be distributed among the partner institutions. That is, specify the costs that each partner will incur in connection with the project that it is assumed the external grant will cover.

Cooperation Agreement for Research Projects (Word document)

Cooperation Agreement for Research Projects - English (Word document)

Consortium Agreement - overarching (Word document)

Consortium Agreement - sub-agreement under overarching agreement (Word document)

Consortium Agreement - without overarching agreement (Word document)

Disclosure of journal information to an external party requires that the recipient has a legal basis and approval to receive the information. Ahus is responsible for ensuring that the disclosure occurs on a legal basis, and therefore, it should be assessed and recommended by the data protection officer. Requests should be sent to the journal archive and must include REK approval and an example of an unsigned consent form or signed consents.

Disclosure that requires resources for active extraction of information from the journal must occur in one of the following ways:

  1. Data can be disclosed provided that an active collaboration with an Ahus employee has been established. This employee can, through their access, assist with data extraction from journal systems and/or recruitment of research participants. Ahus employees will then be credited as co-authors on publications according to Vancouver rules. An agreement between Ahus and the partner should be prepared before the project begins.
  2. If Ahus is only to be a provider of data/recruitment site, the department head of the relevant department should be consulted, and the research responsible in the department should be informed. External project staff can only be observers during journal reviews, as they are not in the line of the managing director at Ahus. This means that externals can only access relevant journals for reading but are not permitted to navigate the journal system or perform data extraction themselves. It is therefore the department head who must decide whether the department wishes to contribute internal resources for data extraction/recruitment. Alternatively, an external project leader can hire an Ahus employee who can perform journal inquiries after approval from the department head. External observers must sign a confidentiality agreement. An agreement between Ahus and the partner should be prepared before the project begins.

Medical and health-related research projects must be described in a research protocol. The guidelines are based on the content requirements for research protocols according to § 8 of the regulations on the organization of medical and health-related research.

See the research protocol guidelines (PDF)

You can take advantage of the following offers related to questions about privacy in research and quality projects:

  • Phone number: 476 82 544. Phone hours: Monday to Thursday from 9:00 AM to 2:00 PM. Remember to leave your name and number if we are not available.
  • On Fridays, we are not available by phone, only by email.
  • Email: forskning.personvern@ahus.no
  • General guidance on privacy in research and quality projects Thursday from 1:30 PM to 3:00 PM (Drop-in), Nye Nord 5th floor, office 081.

You can also contact us if you wish to schedule a time for guidance outside of the set hours.

Warm welcome!​​​


Last updated 9/19/2025