Consent and obligation to provide information in case of exemption from consent
Many projects that, for example apply artificial intelligence, use so much data that it is not practically possible to obtain consent from the participants whose data is included. These types of projects can only be executed if there is a legal basis for the project (see [clarify purpose] and [application for approvals]).
However, it is the case that for certain project types it is natural that consent is obtained. For example, the main rule for medical and healthcare research is that inclusion must be based on informed, voluntary, express and documentable consent. More about this can be read on Helsefak's research pages and on REK's websites.
Note that even if an exemption from consent is granted, all projects are nonetheless required to give information about the project to the data subjects. You can read more about this in the following:
Obligation to provide information to data subjects
The obligation to process personal data in a transparent manner means that the organization must provide brief and understandable information to the data subjects on how this will be done. The law states that information must be provided, but it does not say much about how it should be provided. Therefore, within reasonable limits, the organization must find a suitable way to provide the information.
To help provide information in an appropriate way, the Norwegian Data Protection Authority has produced a guide that describes how businesses can go about fulfilling the obligation to provide information to the data subjects when processing personal data. This includes:
- General requirements
- What is the business required to provide information about?
- When is the business required to provide information?
- How should the business provide information?
We recommend using the Norwegian Data Protection Authority's manual [Datatilsynet] to ensure that the obligation to provide information and the principle of transparency can be safeguarded.
Further information and guidance can be found in the joint European guidance on the obligation to provide information and the principle of transparency (ec.europa.eu).
How to include in information letters?
As a general rule, consent must be based on information about the project and what it means for the person to consent to participation. Since informed consent must be documentable, it almost always involves written information in the form of an information letter. The information must also be adapted to the group to be informed (e.g., children or adults).
Information letters must include the following:
- Statement of the purpose of the project
- Statement of the responsible institution
- Explanation of which methods will be used, and which data will be collected
- Clarification that participation is voluntary and that one can withdraw at any time without the necessity to provide a reason
- Information on the project period
- Statement on what will happen to the data after the project ends (e.g., they will be deleted, anonymized or stored further until...?)
- Clarify whether it will be possible to be recognized in an eventual publication and what types of information may be published
- The participants' right to access, correct and delete their data.
- Information regarding the individual's right right to complain to the Norwegian Data Protection Authority (Datatilsynet)
- Contact details for the project manager and the institutions' data protection officer.
In addition, the information letter should contain:
- A confirmation that the information is treated confidentially
- A list of who has access to personally identifiable data
- Where the project has been registered/by whom it has been approved (e.g., PVO, REK...).
When preparing an information letter, REK's template for information letters and consent can be used. It is also recommended to look at Normen's guide for rights when processing health and personal data .
Individual/collective duty to provide information to data subjects
Information should be individual in principle, meaning it should be directed to each registered individual / data subject. If this is not possible, it may be appropriate to notify collectively through advertising. The following information must then be provided:
- Name and address of the data controller.
- The purpose of the processing.
- Whether the information will be disclosed and, if so, who is the recipient.
- That it is voluntary to provide the information.
- Other things that enable the registered person to safeguard their rights.
- The opportunity to opt-out of research.
The project manager must assess in each individual project whether there is an independent duty to inform the registered individuals, in accordance with Articles 12-14 of the General Data Protection Regulation (GDPR). In projects where the reuse of health information obtained on the basis of consent is allowed, the registered individuals must at least be informed.
General information obligation in case of broad consent
Research participants can consent to the use of human biological material and health information for broadly defined research purposes. This may, for example, be relevant when establishing general research biobanks without a specific research project. The duty to inform also applies to other projects that do not require consent.
Participants who have given broad consent are entitled to regular information about the project. The general obligation to provide information means that the project manager is obliged to inform donors about current use. The recipient should be informed about where this information will be given (e.g., regular information may be provided through websites, newspapers or other notices). REK must approve the use of broad consent and can stipulate the conditions for its use.
Exemption from the obligation to provide information
In certain cases, exemptions from the obligation to provide information can be made. This may, for example, be relevant if:
- the personal data must be kept confidential as a result of the requirement of confidentiality
- it is impossible to provide information
- it will involve a disproportionately large effort to provide information
- Providing information will likely make it impossible to achieve the purpose of the processing of personal data in the project.
For more information, the Norwegian Data Protection Authority's manual.