This guide provides a generic overview of the General Data Protection Regulation (GDPR)-related concepts that you, as a Submitter to FEGA Norway, need to be aware of in relation to the functions/policies in your own institution and the GDPR.
In the submission process, there are two main steps to be aware of:
Data Processing Agreement between your institution and UiO as the FEGA Norway Service provider
- FEGA Norway provides a generic template for a Data Processing Agreement (DPA) available here.
- Check whether your legal basis (often linked to an ethical approval) prohibits processing of the data outside your own organisation; if so, you may need to apply to get the approval adjusted through a change request.
- Get approval for the use of the template in your own organisation (ROS and DPIA, involve DPO, security and legal)
  - From “scratch”
  - Pre-approved general agreement with project-specific attachment
- File internally a signed copy of the DPA related to your project containing sensitive data, using the standard policy for registering documents in your institution.
Appointing a Data Access Committee to process and authorize any access to your dataset on behalf of your organisation
As part of the submission process, you need to:
- nominate a list of names to take part in the Data Access Committee (DAC).
- provide a general Data Access policy to be publicly available that is compliant with the regulations pertaining to your dataset.
Research institutions usually delegate the responsibility of appointing a DAC to the PI of a research project holding sensitive data. The DAC most often consists of the PI as the main contact and two to three other persons who have either collaborative or participating roles in the project.
The Data Access policy of your dataset may be influenced by the policy of your own organisation. Here is a general example of a Data Access policy that can be used or modified for your project’s needs (link).
Whenever a substantial change in data processing occurs in a project with sensitive data, and that change is not already explicitly included in a Data Management Plan (DMP), internal policies usually mandate a notification in internal systems. This gives your organisation a transparent overview of its responsibility as a Data Controller according to the GDPR.
- File the necessary notification that your dataset with a given EGA Study identifier is submitted to FEGA Norway, with information on the appointed DAC and the Data Access policy.