Implementation and data storage

Data processing

Data processing is carried out in accordance with an approved processing basis. The recommendation from the data protection officer will say something about how the project should process personal data and how data can be stored securely.
 
The project has often planned and described the data processing in a notification to the data protection officer, and either the planned data processing is approved, or another type of data processing is set as a condition for implementing the project.
 
The data protection officer sometimes requests advice from the Information Security Officer.
 
Research projects must be carried out in accordance with the protocol and the consent from the participants. Significant changes from the protocol must be reported to the body that approved the project (usually REK). Changes regarding the storage of personal data must be reported to the data protection officer. The changes must be approved before they can be implemented.
 

Physical storage 

All research data, including questionnaires, data from records, consent documents, linkage lists, and other data containing personal data, must always be stored in a locked cabinet or drawer in a locked room in one of the hospital's buildings. The key to the cabinet/drawer must not be stored in the same room, unless it is stored in a locked key box. This also applies to data stored on memory sticks. Storage of data at home, even under home office arrangements, is not permitted.

Electronic storage 

Within the hospital network
  • Secure storage area (“sensitive area”)
    • O:\Sensitive\Research
      • All project registers for research studies should be stored here, regardless of who formally approves the study.
    • O:\Sensitive\Quality
      • All internal quality registers, as referred to in the Health Personnel Act § 26 and the Patient Records Act § 6, should be stored here.
    • MedInsight
      • Can also be used for storing key codes and consents.

Only de-identified/pseudonymized data is stored on O:\Sensitive, i.e. datasets/analysis files that have been cleared of personally identifiable data. The identifying data should be replaced with a constructed ID, such as a running number.

The so-called linkage key, a list that links a constructed ID to directly personally identifiable information, is stored on O:\Sensitive or in MedInsight. The Research Section discourages storing linkage key lists in other ways.

If both data and the linkage key list are stored on O:\Sensitive, they should be stored in separate designated folders, for example O:\Sensitive\Research\Project123456_data and O:\Sensitive\Research\Project123456_linkage_list.
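The split described above, as an added example that is not the hospital's own tooling: it assigns a running number, writes the analysis file and the linkage list to separate folders, and checks whether any direct identifier is still present in the analysis data. The column names, file names and sample records are constructed assumptions; a temporary directory stands in for the storage area.

```python
import csv, tempfile
from pathlib import Path

# Assumed column names for direct identifiers (hypothetical; adapt to the project).
DIRECT_IDENTIFIERS = ("national_id", "name")

def pseudonymize(records, start=1):
    """Split records into (data_rows, linkage_rows) joined only by a running number."""
    ids = {}  # national_id -> constructed ID, so repeat visits reuse one ID
    data_rows, linkage_rows = [], []
    for rec in records:
        key = rec["national_id"]
        if key not in ids:
            ids[key] = start + len(ids)
            linkage_rows.append({"study_id": ids[key],
                                 **{f: rec[f] for f in DIRECT_IDENTIFIERS}})
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        data_rows.append({"study_id": ids[key], **row})
    return data_rows, linkage_rows

def leaked_identifiers(data_rows, linkage_rows):
    """Return identifier values that still appear anywhere in the data rows."""
    secrets = {str(l[f]) for l in linkage_rows for f in DIRECT_IDENTIFIERS}
    return sorted(s for s in secrets
                  if any(s in str(v) for r in data_rows for v in r.values()))

def write_csv(path, rows):
    """Write rows to path, creating the designated folder if needed."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)

# Constructed sample records (not real persons).
SAMPLE = [
    {"national_id": "00000000001", "name": "Test Person A", "visit": "1", "hba1c": "48", "note": ""},
    {"national_id": "00000000002", "name": "Test Person B", "visit": "1", "hba1c": "61", "note": ""},
    {"national_id": "00000000001", "name": "Test Person A", "visit": "2", "hba1c": "45",
     "note": "Test Person A reports fatigue"},
]

if __name__ == "__main__":
    data, linkage = pseudonymize(SAMPLE)
    print("identifiers still in data:", leaked_identifiers(data, linkage))
    root = Path(tempfile.mkdtemp())  # stand-in for the storage area
    write_csv(root / "Project123456_data" / "data.csv", data)
    write_csv(root / "Project123456_linkage_list" / "linkage.csv", linkage)
```

The third sample record shows why dropping the identifier columns is not sufficient on its own: the name survives in a free-text field and is reported by the check.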

The areas are accessible through the hospital network. For access from other networks, a VPN must be used. It is also possible to access via an external workstation, which does not require a VPN. VPN and external workstation are services that must be ordered from Access Portal BAT (internal link). The service for external workstation is called “External portal SSHF”.

To order a storage area on O:\Sensitive, use Access Portal BAT (internal link). This applies to ordering a new storage area, granting access to new people, and removing people who no longer need access. An issue number from a recommendation from the Data Protection Officer is required when ordering.

Access to MedInsight is ordered from the system administrator, Emile van Gelderen.

Phase-out of the use of memory sticks or other types of data storage devices 

The Research Section encourages the phase-out of the use of memory sticks/external hard drives. If external drives are used, the data must be stored encrypted. Please note that these external drives are not backed up. Storing data within the hospital network, for example on the sensitive area, will provide good backup routines. This also allows you to roll back to previous versions in the event of data loss.

 Outside the hospital network 
  • Research Portal
  • TSD (Services for Sensitive Data)

Both systems are approved for storing health data. The Research Portal is a solution that provides researchers in our health region access to the ICT services they need in their research projects. This includes, among other things, virtual desktops, virtual servers, data storage areas, collaboration areas for project staff, and a file gateway. The solution does not have an integrated form solution, but data from external form solutions can be imported.

TSD is a secure project area with an integrated form solution (Nettskjema) for collecting sensitive data. When using TSD, "Attachment to data processor agreement for projects where the organization is linked to USIT/TSD with an overarching data processor agreement" must be uploaded in the application. See Notification routine to the Data Protection Officer/Research Section.

Storage of consent

Paper-based consents can be scanned and stored on O:\Sensitive or in MedInsight.
If both data and scanned consents are stored on O:\Sensitive, they should be stored in separate designated folders, e.g. O:\Sensitive\Research\Project123456_data and O:\Sensitive\Research\Project123456_consents.
 

Obtaining electronic consent

The Research Section encourages obtaining consents electronically wherever possible. Nettskjema/TSD is a tool that can be used for this purpose.
Through the solution, a consent is signed electronically with BankID.
It is also possible to link a consent form with a questionnaire.


A DPIA (data protection impact assessment) is mandatory when processing personal data will involve a high risk to the rights and freedoms of natural persons (e.g. students, employees, external contacts, research participants).

If the following 7 statements can be confirmed, further DPIA assessment is not necessary:

  1. Data is stored in the company's approved storage areas
  2. Data is stored in indirectly identifiable (coded) form, with the code list stored separately
  3. The project is based on consent or exemption with information to the data subject
  4. The project only uses one type of special (sensitive) categories of personal data
  5. The project does NOT use genetic information
  6. The project does NOT disclose information to organizations outside the EU/EEA
  7. The project does NOT disclose information to international organizations

If not all 7 statements can be confirmed, or you are unsure of any of the points, you will probably need to carry out a data protection impact assessment of your project.

Contact the data protection officer at Sørlandet Hospital for a further assessment and guidance on implementation.


 
If you plan to use a storage location/solution that is not mentioned on this page, you are encouraged to contact the Information Security Officer at SSHF as early as possible.

See also Digital data collection and Choice of registry solution - Research Support for an updated overview of available and approved systems.

Contact Emile van Gelderen in the Research Section for questions about storage of research data, linkage lists and consents.
Last updated 26.03.2025