NESH's guidelines have been drawn up to cover the social sciences, humanities, law and theology, but they may also have a wider area of application, including fields like pedagogy and psychology. The text uses «humanities and social sciences» as an umbrella term to cover the scope of the guidelines.
The guidelines for research ethics are binding on both individuals and institutions. Both researchers and research institutions have independent responsibilities for ensuring that their research is good and responsible. It is important that the institutions clarify their roles and responsibilities for research ethics at every level. All institutions must have procedures for funding, administration and management that ensure that their research complies with recognized ethical norms and guidelines.
The term research ethics refers to a wide variety of values, norms, and institutional arrangements that help constitute and regulate scientific activities. Research ethics is a codification of scientific morality in practice. Guidelines for research ethics specify the basic norms and values of the research community. They are based on general ethics of science, just as general ethics is based on the morality of society at large.
The guidelines for research ethics mainly cover research, but they also deal with other research-related activities such as teaching, dissemination of research, experts advice and management of institutions. The term research also covers the work of students at all levels and doctoral research fellows, and the institutions are responsible for providing relevant training in research ethics. The guidelines apply to all public and private research, whether this means basic, applied or commissioned research. They also govern activities at consulting firms to the extent that they perform research-related tasks, for example systematic acquisition and processing of information about persons, groups or organisations in order to develop new knowledge on a specific matter.
The guidelines are based on recognized norms for research ethics, regulating research in different areas and in different relationships:
- norms that constitute good scientific practice, related to the quest for accurate, adequate and relevant knowledge (academic freedom, originality, openness, trustworthiness etc.)
- norms that regulate the research community (integrity, accountability, impartiality, criticism etc.)
- the relationship to people who take part in the research (respect, human dignity, confidentiality, free and informed consent etc.)
- the relationship to the rest of society (independence, conflicts of interest, social responsibility, dissemination of research etc.)
The first two groups of ethical norms are internal, linked to the self-regulation of the re-search community, while the latter two groups are external, linked to the relationship between research and society. Sometimes the lines between these norms are blurred; for example, accountability is a requirement for trustworthiness. In other cases, norms are in opposition to each other, making it necessary to balance different considerations; for example weighing society's need for new knowledge against the possible strain imposed on people involved and other parties affected. In some projects, the research also raises completely new questions, for example associated with research using the internet, where the recognised norms and guidelines are not always adequate. In such cases, researchers and the research community have a particular responsibility to clarify ethical dilemmas and exercise good judgement.
Ethical guidelines and legislation
Universities and university colleges have a statutory responsibility for ensuring that research, education and academic and artistic development are of high quality «and conducted in accordance with recognised scientific, artistic, pedagogical and ethical principles». There is also an Act relating to ethics and integrity in research (the Research Ethics Act), which «seeks to ensure that all research carried out by public and private institutions is conducted in accordance with recognised ethical standards».
The guidelines for research ethics do not serve the same role or function as legislation. The guidelines primarily serve as tools for researchers and the research community. They identify relevant factors that researchers should take into account, while acknowledging that researchers often have to weigh such factors against each other, as well as against other requirements and obligations.
Even though the distinction between law and ethics is often unclear, they are fundamentally different. They are both normative, but ethical norms are formulated as guidelines rather than prescriptions and prohibitions. The guidelines for research ethics are intended to serve an advisory, guiding and preventive function. They state what researchers should take into consideration and do for their research to be responsible. Accordingly, research ethics is in accordance with the principle of academic freedom self-regulation. This is why the primary responsibility for research ethics lies with researchers and research institutions. Without this freedom and responsibility, research ethics loses much of its moral value.
Some of the ethical norms laid down in the guidelines for research ethics can also be found in the legislation. For example, the requirement of privacy and the consideration of human dignity has a legal basis in the Personal Data Act and is also covered by the guidelines for research ethics (Part B). If researchers fail to observe the statutory requirements, they may be subject to penalties and other sanctions. Such reactions will then ensue because the researchers have broken the law, not because they have acted in conflict with the guidelines for research ethics.
NESH thus issues guidelines for research ethics, but it is not a supervisory or controlling body, nor does it have a judicial function or power to impose sanctions. Neither does NESH give prior approval of research projects. NESH's role in following up the guidelines is primarily to respond to inquires about specific research plans and to provide assessments and advice when researchers have to weigh and balance different research ethics considerations. Secondly, NESH makes statements on individual cases that raise questions of principle regarding research ethics. Thirdly, NESH may address current and important matters of research ethics on its own initiative. Finally, NESH will also contribute to the efforts to prevent scientific misconduct.
Other institutions and authorities
In cases that not only deal with research ethics, but also legislation and rights, there is an overlap between NESH and several other authorities that deal with special considerations and requirements. Even though others deal with the legal aspects of such cases, research ethics is always a supplementary consideration.
a) The National Commission for the Investigation of Research Misconduct oversees integrity in research. The Commission [Granskningsutvalget] assesses and handles specific cases where serious breaches of good scientific practice are suspected, as defined in the Research Ethics Act. 
b) Medical and health-related research projects intended to develop new knowledge about illness and health must be reviewed in accordance with the Health Research Act. Such projects require prior approval by a Regional Committee for Medical and Health Research Ethics (REK). 
c) Personal data collected by the public administration is normally subject to confidentiality. The Public Administration Act allows exemption from the duty of confidentiality regarding information for use in research under certain circumstances, and within the Act's field of application. The individual ministry may grant an exemption from the duty of confidentiality, but the authority to grant exemption is often delegated to underlying agencies. A statement confirming an exemption must be obtained from the Council for Confidentiality and Research [Rådet for taushetsplikt], pursuant to the Public Administration Regulations. Such a statement is nevertheless unnecessary if the administrative body that reviews the matter of an exemption finds it clear that the application should be granted or denied, or if the researcher plans to directly contact the persons who are entitled to confidentiality.
d) The Personal Data Act requires that persons who process personal data protect personal integrity and privacy. Personal data consists of information and assessments that either directly or indirectly are linkable to a person, for example names, national identification numbers or e-mail addresses, or by compiling background data. Electronic processing of such information is subject to an obligation to notify and in general, this processing must be based on free and informed consent. When an institution has a data protection officer, the obligation to notify the Data Protection Authority is replaced by an obligation to notify a data protection officer. Some research institutions have local data protection officers, but the Data Protection Official for Research [Personvernombudet for forskning] at the Norwegian Centre for Research Data (formerly NSD) performs this task for many research institutions in Norway.
The main task of the data protection officer is to ensure that institutions are able to perform their statutory obligations related to internal control and quality assurance of own research. The data protection officer may also offer guidance and advice on matters regarding privacy. Projects that involve processing personal data may not begin until a data protection officer has reviewed the project.
e) According to the Personal Data Act, it is a general rule that the Data Protection Authority [Datatilsynet] must grant a licence for the processing of sensitive personal data, but research projects are exempt from this obligation to obtain a licence if a data protection officer has recommended the project.  Sensitive personal data include information about a person's health, race or ethnic background, sexuality, and their political, philosophical or religious beliefs. Some projects that process sensitive personal data are not covered by the exemption in the Personal Data Regulations, nor do they require a license from the Data Protection Authority. 
If the project is subject to an obligation to obtain a licence, the Data Protection Official for Research may assist with the writing of the application for a license and help send it to the Data Protection Authority. The Authority's responsibilities include assessing whether society's interest in new knowledge clearly outweighs the burdens the research may impose on individuals. The Data Protection Authority may issue a license under the assumption that specific conditions are met. Such conditions will be legally binding on researchers. Projects that are subject to an obligation to obtain a licence cannot be initiated until the Data Protection Authority has given such a licence.
 Internationally the first two are usually linked to the term Research Integrity (RI), while the latter two are linked to the wider term Responsible Research and Innovation (RRI).
 NESH, Ethical Guidelines for Internet Research, Oslo (2003) 2016. See also Ethical Guidelines for Research on Human Remains, Oslo, 2013, drawn up by the National Committee for Research Ethics on Human Remains, which is a subordinate committee to NESH.
 Section 1-5 of the Universities and Colleges Act.
 Section 1 of the Research Ethics Act.
 The Personal Data Act.
 Section 5 of the Research Ethics Act.
 Section 9 of the Health Research Act.
 Section 13 d of the Public Administration Act; see the Public Administration Regulations.
 Section 1 of the Personal Data Act.
 Section 31 of the Personal Data Act; Section 7-12 of the Personal Data Regulations.
 Section 33 subsection 1 of the Personal Data Act; Section 7-27 of the Personal Data Regulations.
 Projects that trigger an obligation to obtain a licence include projects that process sensitive personal data and
- Are of a large scale (over 5 000 persons) and of a long duration (over 15 years), and/or
- Use large data sets that have not been adequately anonymized or pseudonymised, and/or
- Make non-response analyses not based on consent, and/or
- Use data from the pseudonymous health registers (IPLOS and NorPD [Reseptregisteret]).