Notification to the Data Protection Officer / Chief Information Security Officer

Fill in the online form "Melding til personvernombud og informasjonssikkerhetsleder". You need to upload the study protocol, a copy of the REK application and the subject information/informed consent form, as well as other relevant attachments. You will also be asked to provide login links to any electronic questionnaires/eCRF solutions, if applicable, so that the web solutions can be tested against information security requirements.

The following applies to data capture solutions and other technical solutions for the collection of health-related and personal data:

  1. The sponsor is the data controller for their studies in accordance with GDPR art. 24. This means that the sponsor is responsible for assessing data security in their own projects, cf. GDPR art. 32.
  2. According to GDPR, it is the responsibility of the sponsor to assess the need for a Data Protection Impact Assessment (DPIA), cf. GDPR art. 35.
  3. For trials that are to be conducted at OUS on behalf of the sponsor, the sponsor must be able to document the data security assessments that form the basis for the choice of IT solutions (art. 32) and document a DPIA when necessary (art. 35).
  4. The PI must upload the above-mentioned documentation to the online notification form, see eHåndboken. You can also find information about the notification process on our website concerning formalisation of health research projects.

To ensure fast and efficient internal processing of the notification, it is recommended that the sponsor gives the PI access to all relevant documentation that confirms that the sponsor has fulfilled their responsibilities in accordance with the above provisions. To further contribute to efficient case processing, especially in complicated studies with considerable data collection or several data capture solutions, it is recommended that a plan for data flow is prepared, where data and data capture tools are described in more detail. If a data management plan according to GCP has been prepared for the study, this can be used as a basis together with documentation of the data security assessments carried out (GDPR art. 32 and/or art. 35).

The Data Protection Officer and Chief Information Security Officer have a responsibility to report back to the PI and/or the sponsor if there is a need for further clarification/documentation.