Privacy is about each of us being able to decide what happens with all information about ourselves. We have a fundamental right to have a private life and to be able to influence the use and communication of information about ourselves.
What is processing of personal data?
Processing of personal data refers to all types of use of personal data, such as:
Personal data refers to any information about an identified or identifiable person. Assessments or information are considered personal data regardless of whether they exist as text, images, audio or video recordings.
Examples of personal data may include:
- name, address, age, telephone number, e-mail address and national identity number
- the content of examination answers, bachelor or master theses and candidates' grades
- the content of case documents, reports or assessments concerning employees or students
- the content of e-mail communication between employees and students or between two or more students
- video and audio recordings made using a surveillance camera and where individuals can be recognised
- images of employees or students published on the website
- logging of activity in computer systems where logs can be associated with specific employees or students, such as registering who is logged on to different computer systems at any one time
In the Privacy laws individuals are referred to as "data subjects”.
What is general personal data?
General personal data refers to all types of assessments and information that may be associated with a particular individual, an identified or identifiable person, but which the General Data Protection Regulations (GDPR) does not define as special category of personal data (sensitive personal data).
All administrative processing of personal data shall be registered in UiOs protocol for administrative processing of personal data (in Norwegian).
All processing of personal data in research projects shall follow UiOs guidelines for processing personal data in research and be reported to the Norwegian Centre for Research Data (NSD). This also include medical and health research.
Note that a national identity number is not considered to be sensitive personal data, but because the national identity number is often used to identify individuals, The Personal Data Act contains special conditions for processing this type of information.
The conditions in the Act are that the national identity number can only be used when:
- there is an objective need for secure identification of individuals
- secure identification cannot be achieved in other ways, for example by use of employee or student numbers
What are special categories of personal data?
Special categories of personal data, often called sensitive personal data, refers to all types of assessments and information that can be linked to specific individuals and that relate to:
- health information and health related conditions
- genetic or biometric information which can be used to identify a physical person
- ethnic or racial origin
- political, philosophical or religious perceptions and beliefs
- sexual orientation or sexual relationships
- trade-union membership
Examples of sensitive personal data may include:
- information on students' illness or diagnoses
- health information registered in connection with an employee’s sickness absence
- information about cheating or attempted cheating in exams
- need for a facilitated examination due to health reasons
- information about an employee’s alcohol or substance abuse
- information about trade-union activity
- information on attitudes to various religious or political issues that respondents in questionnaires are asked to provide
Sensitive personal data shall be especially well secured against breach of data security.
All processing of special category of personal data in research projects shall follow UiO's guidelines for processing personal data in research and be reported to the Norwegian Centre for Research Data (NSD). At UiO there are also dedicated routines and guidelines for medical and health research (Quality assurance system for health and medical research).
What is de-identified and anonymous data?
De-identified (pseudonymous) data is considered personal data.
De-identification is generally achieved by data that could identify an individual (name, address, telephone number etc.) being either removed or not registered, for example by the candidate number being registered on the exam answer rather than the student's name. Then it will still be possible to find out which individual (student) the information (exam answer) refers to, for example by an employee in administration linking the candidate number and name after the paper has been marked.
De-identified personal data can be anonymised if the link between identifying data and other assessments or information is erased in a proper manner, such as by destructing lists of candidate numbers with the names of exam candidates.
Anonymized data is not counted as personal data. The laws of the GDPR and of The Personal Data Act with regulations does therefore not apply to the processing of such information.
Anonymizing is usually achieved by information that can identify individuals, such as name, address, telephone number, e-mail address and national identity number, being erased in a proper manner. It will then no longer be possible to determine what individual the remaining assessments or information refers to.
What are violations of privacy?
It is the data controller (UiO) that is responsible for ensuring that no violation of privacy occurs through automatic or manual processing of personal data in research, teaching, administration and communication.
Violations of data protection can occur in many ways, such as when:
- unauthorised persons obtain health information about employees or students
- sensitive data about respondents or informants in research goes astray
- data on students or employees that is registered in UiO’s IT systems is outdated, misleading or highly deficient
- data on informants or respondents in research is used for entirely different and irreconcilable purposes than what they consented to
- employees register, change or erase student information in UiO’s IT systems without being allowed to do so
- surveillance cameras are set up in or outside university buildings without UiO having a well-justified need for such surveillance
- managers obtain access to employees’ or students' personal storage areas or private e-mail communications without having the right to do so
- UiO publishes detailed information about employees or students on its website without obtaining consent to the publication
What these (and other) violations of privacy have in common is that the data controller (UiO) processes personal data in such a way that the person to whom the data relates has lost determination and control over what happens to his or her data.
A person who is subjected to privacy violations may claim compensation from the data controller (UiO) if he or she has suffered financial or non-financial injury as a result of this.
The data controller (UiO) can have a fine imposed by the Data Protection Authority or be reported to the police in the event of a severe violation of privacy.
What does it mean that UiO is a data controller?
Data controller is a term used in the GDPR to describe the person, business or institution which alone, or with others, decides the goal of the processing and what means that are used to achieve the goal.
Persons, businesses or institutions become data controllers for processing personal data when they alone or with others decide:
- which means, like electronic control measures, are used to process personal data
- what is the purpose or intention of the processing of personal data
This means, for example, that if UiO decides to acquire a web-based service where students, employees and guest researchers can store and share electronic documents, UiO will be the data controller of these personal data (the documents).
UiO’s data controller responsibilities include all processing of general, sensitive and de-identified/pseudonymized personal data. Processing of anonymised data falls outside the data controller responsibility.
Data controller responsibility includes personal data that is processed using UiO’s own electronic systems and services. This includes the processing of personal data in connection with the introduction and operation of electronic control measures, such as video surveillance or electronic access control to buildings/rooms.
Data controller responsibility also includes personal data that is processed using external data processors.
Finally, data controller responsibility includes personal data that is included (or intended to be included) in manual personal data filing systems. These are paper-based registers that are organised in such a way that assessments or information about specific individuals, such as employees or students, can be easily found.
The privacy obligations of the data controller
In the role of data controller, UiO has a number of privacy obligations. The obligations mainly follow from the provisions of the GDPR and The Personal data Act.
UiO shall ensure that:
- automatic and manual processing of personal data occurs in a lawful and proper manner in accordance with the principles of privacy
- the individual is assured determination and control over how UiO processes his or her personal data
UiO has established internal routines, guidelines and technical measures that safeguard the privacy obligations imposed on UiO.
Read more about the GDPR (lovdata.no, in Norwegian).
The individual's privacy rights
As data controller, UiO is obliged to safeguard the privacy rights of the data subject, i.e. employees, students, guest researchers, guests or respondents and informants in research projects.
The individual's privacy rights apply to all automatic processing of sensitive and general personal data that occurs in research, teaching, administration and communication at UiO. The rights also include the processing of personal data that is included (or intended to be included) in manual personal data filing systems.
The purpose of privacy rights is that the data subjects shall have determination and control over how UiO processes their personal data.
In order to ensure that the registered persons have custody and control of how UiO processes their personal information, the individuals have the following rights, under certain conditions:
- the right to information about the data controller, the purpose of processing personal data and any other recipients of personal data
- right to access
- right to correction
- right to erase
- right to limited processing
- right to data portability
- right to protest
What are electronic aids?
The GDPR include all processing of personal data where electronic aids are used.
Electronic aids refers for example to:
- data networks
- portable computing devices (mobile phones, tablets, laptops etc.)
- electronic access control
- video surveillance systems
Electronic aids also include computer systems used at UiO, such as FS, SAPUiO, ePhorte or Canvas.
In addition, web-based resources, such as websites, cloud services or educational internet services, are considered to be automatic means.
What rules apply for the introduction and operation of electronic control measures?
Among other things, the purpose of electronic control measures can be to protect UiO’s buildings and valuables from vandalism, damage or theft. Such measures include the use of video surveillance and access control systems where access data from students or employees is registered and stored.
Electronic control measures also include, on certain terms, access to information of employees’ or students' e-mail, personal storage areas, private computer equipment and internet use.
When introducing electronic control measures at UiO, the rules of chapter 9 of the Working Environment Act apply. The rules of the Working Environment Act involve the following:
- Control measures shall not be implemented unless there are reasonable grounds for doing so.
- Control measures shall only be implemented if the usefulness of the measure clearly exceeds the privacy drawbacks that it entails for employees, students, guest researchers and guests.
- Control measures shall be discussed with representatives of employees and students before the measures are implemented.
- Information shall be given to employees and students on how control measures that are introduced are adapted and function.
- Implemented control measures shall be evaluated regularly and the need to maintain the measures assessed.
The Working Environment Act has special rules on surveillance of employees’ e-mail, personal storage areas, private computer equipment and internet logs (datatilsynet.no). Audit of student's e-mail, personal storage areas, private computer equipment and Internet logs is governed by GDPR.
System or service owners have been appointed for all electronic control measures introduced at UiO. The system or service owners are responsible for ensuring that the rules on privacy and processing personal data are complied with.
In addition to safeguarding the specific rules of the Working Environment Act and GDPR on the introduction and operation of electronic control measures, the system or service owners for electronic control measures have the same obligations as other system or service owners at UiO.
The data subject whose personal data is registered when using electronic control measures, such as employees or students subject to video surveillance, have the same privacy rights as apply generally for the processing of personal data at UiO.
What are data processors?
Data processors are external bodies (often commercial companies or other universities/colleges) that have been engaged to operate an electronic system or service on behalf of UiO.
External bodies become data processors for UiO when the operation of electronic systems or services means that they can access personal data for which UiO is the data controller.
As data controller, UiO is obliged to ensure that the only data controllers used can provide adequate assurances that they will implement the appropriate technical and organizational measures that ensures that the processing meets the requirements of the GDPR when processing information about employees, students, guest researchers, guests or respondents/informants in reserach projects.
This shall initially be done by performing risk assessments of data security in the external systems or services that UiO is considering using. If the risk assessment shows that data security is satisfactory, written agreements (data processor agreements) shall be entered into with the data processors.
Data processor agreements shall regulate
- the subject and duration of the processing
- the nature and purpose of the processing
- the type of personal data and categories of the registered
- the rights and duties of the data controller
- what the data processors can do with personal data for which UiO is the data controller
- how personal data is safeguarded against unauthorised access, alteration, erasure, loss or damage
After the systems or services operated by external data processors have come into use, UiO is obliged to control that they comply with the terms of the data processor agreements they have entered into. Among other things, this is done by UiO gaining access to and reviewing the data processors’ own audits of data security in the relevant systems or services.
As well as using data processors, UiO is itself a data processor. For example, UiO operates data services for administration and research that is used by other institutions. UiO has routines and guidelines to safeguard the privacy obligations that this entails.