Privacy is about ensuring that we all have the opportunity to make decisions about all information which relates to us personally. We have a fundamental right to live our private lives in peace and to influence the use and dissemination of any information about ourselves.
Organisation of privacy work
The responsibilities involved in privacy work when processing personal data are organised as follows:
Overall responsibility
The University’s Board of Directors, c/o the Chairman, is formally responsible for ensuring that information security and privacy at the UiS comply with current legislation and regulations. The execution of this responsibility is delegated to the Rector. Further delegation is governed by the Delegation Regulations at the UiS.
Responsibility for privacy within the UiS organisation
The decision-making and reporting lines relating to work conducted on information security and privacy adhere to the governance lines which apply to the university as an organisation. The delegation of authority and other tasks relating to information security and privacy are outlined in the Delegation Regulations of the UiS.
UiS-IT has its own ICT security group, the Incident Response Team (IRT), which is responsible for technical prevention measures and for dealing with ICT security incidents at the UiS.
Executive officers are independently responsible for privacy when they process personal data either electronically or manually. This applies to executive officers at both central level and other units.
Responsibility for privacy in research
Medical and health research is subject to the Norwegian Health Research Act or other specialist health legislation, e.g. the Norwegian Personal Health Data Filing System Act or the Norwegian Biotechnology Act. Researchers shall comply with the special procedures and guidelines which apply to privacy and the processing of personal data within these specialist fields.
Those responsible for research at the UiS have overall responsibility for research projects and they shall have the conditions necessary for being able to comply with their duties in this respect.
They are responsible for following up and complying with UiS Policy and regulations on information security and privacy, as well as the current guidelines and procedures which fall within their areas of responsibility.
Responsibility for privacy and processing personal data in research is subject to UiS-specified role descriptions.
What does personal data processing involve?
Processing personal data means all types of usage of personal data, such as:
- collection
- registration
- storage
- alignment
- use
- transfer
- publication
- deletion
Personal data means any type of data about an identified or identifiable natural person.
Assessments or data are regarded as being personal data, irrespective of whether or not they appear as text, photos or audiovisual recordings.
Examples of personal data may include the following:
- name, address, age, telephone number, e-mail address, date of birth and national identity number
- the contents of examination papers, Bachelor’s or Master’s theses and the grades of candidates
- the contents of case documents, reports or assessments which relate to employees or students
- the contents of e-mail correspondence between employees and students or between two or more students
- video and audio recordings which are made by using surveillance cameras and in which individuals can be recognised
- photos of employees or students which are published on the university’s website
- the logging of activities in computer systems where such logs can be linked to specific employees or students, e.g. records showing who is logged onto various computer systems at any given time
Individuals are referred to as “registered persons” in the privacy legislation.
What is general personal data?
General personal data means all types of assessments and data which can be linked to an identified or identifiable natural person, but which are not defined as constituting special categories of personal data (sensitive personal data) in the General Data Protection Regulation.
All administrative processing of general personal data shall be recorded in the UiS’s register of processing activities.
All processing of general personal data in research projects shall be reported to the Norwegian Centre for Research Data (NSD).
Please note that national identity numbers are not regarded as being a special category of personal data (sensitive personal data), but since such numbers are often used for identifying individuals, the Norwegian Personal Data Act contains special provisions relating to the processing of this type of data.
The provisions contained in this act specify that national identity numbers can only be used when:
- there is an official need to securely identify individuals
- secure identification cannot be achieved in any other way, e.g. by using an employee or student number
What are special (sensitive) categories of personal data?
Special categories of personal data, also called sensitive personal data, are assessments and data which can be linked to specific individuals and which require special protection. The dissemination of such data could create significant risks for the people concerned. These categories have been obtained directly from the legislation relating to personal data and cover the following:
- health data and health-related conditions
- genetic and biometric information for the purpose of clearly identifying a physical person
- ethnic or racial background
- political, philosophical or religious opinions and beliefs
- sexual orientation or sexual relationships
- trade union membership
Examples of sensitive personal data may include the following:
- information about student illnesses or diagnoses
- health information registered in connection with employee absence due to sickness
- information about cheating in examinations or attempted cheating
- the need for adapting examinations for health reasons
- information about employee alcohol or drug abuse
- information about trade union activities
- information about attitudes to religious or political issues which the respondents of questionnaires have been asked to specify
Special personal data categories shall be particularly well protected against breaches of information security.
What is de-identified and anonymous data?
De-identified data
De-identified (pseudonymous) data is regarded as being personal data.
De-identification is normally achieved by removing or not recording information which can identify individuals (name, address and telephone number, etc.), e.g. by recording a candidate number on an examination paper instead of the name of the student concerned. It will then still be possible to find out which individual (student) the information (examination paper) relates to, e.g. when an administrative employee links the candidate number to the student’s name after the paper has been marked.
De-identified personal data can be anonymised if the link between identifiable data and other assessments or data is deleted in an appropriate manner, e.g. by destroying lists showing the numbers and associated names of examination candidates.
Anonymised data
Anonymised data is not regarded as being personal data. Consequently, the rules contained in the General Data Protection Regulation and the Norwegian Personal Data Act do not apply to the processing of such data.
Anonymisation is usually achieved by deleting information which can identify individuals, e.g. name, address, telephone number, e-mail address and national identity number, in the appropriate manner. It will then no longer be possible to find out which individual the remaining assessments or data refer to.
What constitutes violation of privacy?
The data controller (the UiS) is responsible for ensuring that no privacy violations occur during the electronic or manual processing of personal data when engaging in research, tuition, administration and dissemination activities.
Violations of privacy can occur in many different ways, e.g. if:
- any unauthorised persons obtain health information about employees or students
- special categories of personal data (sensitive data) about respondents or informants in research are lost
- information about students or employees which is registered in the UiS’s IT systems is outdated, misleading or highly deficient
- information about informants or respondents in research is used for completely different and incompatible purposes to those which they consented to
- employees register, amend or delete student data in the UiS’s IT systems without permission to do so
- surveillance cameras are set up in or outside university buildings without the UiS having a justified requirement for such surveillance
- managers gain access to employees’ or students’ personal storage areas or private e-mail messages without being entitled to do so
- the UiS publishes detailed information about employees or students on its website without having their consent to do so
Common to these (and other) violations of privacy is that the data controller (the UiS) handles personal data in such a way that the person to whom the data applies has lost co-determination and control over what happens to their data.
Anyone who suffers from a violation of their privacy can claim compensation from the data controller (the UiS) if he/she has suffered as a result of such.
In cases of serious privacy violations, the Norwegian Data Protection Authority may fine the data controller (the UiS) or report them to the police.
What does it mean when the UiS is the data controller?
Data controller is a term which is used in the General Data Protection Regulation about a person, business or institution which either solely or jointly decides the purpose for processing personal data and the methods to be employed.
People, businesses or institutions that handle personal data become data controllers when they either solely or jointly make decisions about the following:
- which methods, including electronic aids, will be used for processing personal data
- the aim or purpose for processing personal data
For example, this means that if the UiS decides to procure an online service where students, employees and guest researchers can store or share electronic documents, the UiS will be the data controller for such personal data (the documents).
The UiS’s data control responsibilities comprise all processing of general, sensitive and de-identified/pseudonymised personal data. The processing of anonymised data is not covered by such data control responsibilities.
Data processing responsibilities include personal data which is processed by using the UiS’s own electronic systems and services. This includes processing personal data in connection with the introduction and operation of electronic control measures, such as video surveillance or electronic access control systems.
It also comprises personal data which is processed with the help of external data processors.
Finally, such responsibilities include personal data which has been entered (or is intended to be entered) on manual personal registers. These registers are paper-based registers which are organised in such a way that assessments or information about specific individuals, e.g. employees or students, can easily be retrieved.
Privacy obligations of data controllers
In its capacity as a data controller, the UiS has a number of privacy obligations. These obligations are mainly incorporated in the General Data Protection Regulation and the Norwegian Personal Data Act.
The UiS shall ensure that:
- electronic and manual processing of personal data takes place in a proper and legal manner in line with the principles relating to privacy
- individuals have co-determination and control over how the UiS processes their personal data
The UiS has set up internal procedures and guidelines and is implementing suitable technical and organisational measures in order to uphold the privacy obligations imposed on the UiS.
Read more about the General Data Protection Regulation.
Individual privacy rights
In its capacity as a data controller, the UiS is obliged to protect the privacy rights of anyone to whom such data applies, i.e. employees, students, guest researchers, guests or respondents and informants in research projects.
The privacy rights of individuals apply in respect of all electronic processing of general and special categories of personal data which takes place during research, tuition, administration and dissemination activities at the UiS. These rights also apply when processing personal data which has been entered (or is intended to be entered) on manual personal registers.
The purpose of privacy rights is to ensure that anyone to whom such data applies shall have co-determination and control over how the UiS processes their personal data.
In order to ensure that anyone registered has co-determination and control over how the UiS processes their personal data, individuals have the following rights, subject to certain conditions:
- the right to information about the data controller, the purpose which relates to the processing of their personal data and any other recipients of their personal data
- the right of access
- the right to rectification/correction
- the right to deletion
- the right to restrict processing
- the right to data portability
- the right to object
What are electronic aids?
The General Data Protection Regulation covers all processing of personal data, including where electronic aids are used.
Electronic aids means, for example, the following:
- computers
- software
- computer networks
- portable devices (mobile phones, tablets and PCs, etc.)
- electronic access control
- video surveillance systems
Electronic aids also comprise computer systems which are used at the UiS, e.g. FS, SAP, Public360 or Canvas.
Electronic aids also include online resources such as websites, cloud services or educational online services.
What rules apply to the introduction and operation of electronic control measures?
The purpose of electronic control measures may include protecting UiS buildings and assets from vandalism, destruction or theft. Such measures comprise, for example, the use of video surveillance and access control systems where passing data about students or employees is recorded and stored.
Electronic control measures also comprise, under certain conditions, access to employees’ or students’ e-mail messages, personal storage areas, private computer equipment and Internet usage.
When electronic control measures are introduced at the UiS, the rules contained in Chapter 9 of the Norwegian Working Environment Act apply. These rules include the following:
- Control measures shall not be introduced without justified cause.
- Control measures shall only be introduced if the benefit of their use clearly exceeds the privacy disadvantages that they would entail for employees, students, guest researchers and guests.
- Control measures shall be discussed with employee and student representatives before they are introduced.
- Information shall be provided to employees and students about how any control measures introduced have been arranged and how they work.
- Any control measures which have been introduced shall be evaluated on a regular basis and the need for retaining such measures shall be assessed.
The Norwegian Working Environment Act contains special rules about access to employees’ e-mail messages, personal storage areas, private computer equipment and Internet logs. Access to student e-mail messages, personal storage areas, private computer equipment and Internet logs is regulated by the General Data Protection Regulation.
System or service owners have been appointed for all electronic control measures which have been introduced at the UiS. System or service owners have been delegated responsibility for ensuring compliance with the rules relating to privacy and the processing of personal data.
In addition to upholding the special rules contained in the Norwegian Working Environment Act about the introduction and operation of electronic control measures, system or service owners of electronic control measures have the same duties as other system or service owners.
Anyone about whom data has been registered in respect of the use of electronic control measures, e.g. employees or students who are filmed by video surveillance cameras, has the same privacy rights as those which apply in general to the processing of personal data at the UiS.
What are data processors?
Data processors are external parties (often commercial companies or other universities/colleges) which have been tasked with operating an electronic system or service on behalf of the UiS.
External parties become data processors for the UiS when the operation of electronic systems or services involves them having access to personal data for which the UiS is the data controller.
In its capacity as a data controller, the UiS is obliged to ensure that it only uses data processors who provide adequate guarantees that they will implement appropriate technical and organisational measures, so that the processing concerned complies with the GDPR requirements when they process data about employees, students, guest researchers, guests or respondents/informants in research projects.
This initially takes place through risk assessments of information security in those external systems or services which the UiS is considering using. If such risk assessments show that information security is satisfactory, then written agreements (data processing agreements) will be entered into with the data processors.
Data processing agreements shall regulate the following:
- the object and duration of processing
- the nature and purpose of processing
- the type of personal data and categories which apply to those registered
- the data controller’s rights and obligations
- what data processors can do with personal data for which the UiS is the data controller
- how personal data shall be secured against unauthorised access, changes, deletion, losses or damage
- how personal data shall be returned to the UiS or deleted once the contract with the external data processor has been terminated
After the systems or services which are operated by external data processors come into service, the UiS is obliged to check to ensure that they comply with the conditions specified in the data processing agreements which have been entered into. This takes place when the UiS has access to and reviews the data processor’s own revisions of information security of the relevant systems and services.