Guidelines for handling personal data on uio.no

Guidelines for publishing personal data on uio.no

1. As a fundamental principle, we never publish personal data on uio.no unless it is necessary.
2. On uio.no, we will never publish personal data that is subject to privacy protection. Example: a person’s bank account details along with their name.
3. If we deem it necessary to publish personal data, the person publishing must always check whether it is legal to make the information accessible on uio.no.
4. Names, telephone numbers and account numbers may in many instances be published, but the person publishing must always consider whether it is necessary and legal to do so. See the Data Protection Official’s web pages for further details of privacy protection and how the University of Oslo handles personal data.
5. If you intend to publish data about someone, always check first whether they have opted out of this. Check via UiO’s people search whether a University employee’s information is freely accessible. Permission must be sought from students and others.
6. If you are uncertain as to whether publishing of personal data is legal, you should contact the University’s Data Protection Official. E-mail: personvernombud@uio.no

Procedure for deleting personal data that has been illegally published on uio.no

If you receive notification or discover that personal data has been illegally published on www.uio.no, you should do the following:

1. If you're a web editor, remove access to the data for anyone with unauthorised access. If you're not a web editor, go straight to step 2.
2. Send an e-mail to cert@uio.no immediately, with a list of all affected URLs. They have procedures for deleting unwanted content on uio.no if you are unable to delete it yourself. They also take further steps to delete the data from search engines etc.
3. Check that the personal data is not available in any published copies of files, or in files other than those you were notified of or became aware of.
4. Follow this up with a phone call to USIT’s on-call team if you do not get a rapid response: 22 84 09 11
5. If you are not the editor of the web area: give details of the event to the editor. You or the web editor must also notify the manager of the unit who is responsible for the web area.
6. Send an e-mail to the Data Protection Official at the University of Oslo and the Controller: personvernombud@uio.no and behandlingsansvarlig@uio.no. The e-mail must be sent as quickly as possible, and must stipulate:
   1. what web pages on uio.no contain personal data
   2. the unit responsible and the contact person
   3. description of the adverse event
   4. the reason for the adverse event
   5. information on extension of time
   6. measures taken to prevent damage
   7. measures taken to prevent the adverse event from reoccurring

USIT has procedures for deleting unwanted online content. They follow up with the necessary measures for deleting the data/files, including from search engines, and verify that they work as intended. USIT also notifies the affected parties. The Data Protection Official informs the Norwegian Data Protection Authority of the adverse event.

Cases of uncertainty

Always check whether the publishing of personal data is legal. Ask the Data Protection Official for advice if you are in doubt.

Examples of illegal publishing of personal data

• Travel expenses forms containing personal ID numbers