Internal control of research at UiB

The Norwegian Data Protection Authority does not expect the institutional supremo (data controller) to have a thorough knowledge of information security. However, it is expected that the data controller oversees that personal data is secured in a sound manner through planned and systematic measures. The institution must have sufficient overview of how personal data is processed and secured and the institution must ensure that all routines related to these activities are approved and carried out by all employees.

Internal control can therefore to be understood as a decree upon the institution to have a quality assurance system safeguarding that the regulations on privacy and personal data are obeyed.

With regards to internal control under the Personal Data Act, UiB has developed a separate internal control system for processing personal data in research.

With regards to internal control under the Health Research Act, UiB cooperates with local health trust Helse Bergen on an internal control system for research projects. There is a special web portal for this (Norwegian only), where the internal control system for medical and health research activities is presented together with other relevant information.

At UiB the responsibility of processing personal data correctly is delegated to subordinate organizational units (faculties and departments). Reporting and notification of projects shall be done by the project leader (researcher) to Head of Department and PVO/NSD or REC.

The delegated organizational responsibility means that both department and faculty must be kept informed on the processing of personal data in research projects. The department and faculty will perform internal control regarding these projects.