Handling discrepanices in the processing of personal data
Routine in the event of suspicion or confirmation of discrepancy
I) Anyone who processes personal data on behalf of UiO shall, immediately when there is a suspicion that personal data has gone astray, report this to his or her immediate superior. The immediate superior or manager of the unit is responsible for contacting UiO-CERT by filling out the form for alerting of incorrect processing of personal data: breach of internal routine or legislation. UiO-CERT ensures that the incident is handled and that damage limitation measures are implemented.
II) The data controller will review the incident and if necessary contact:
- the Data Protection Officer
- the University Director and possibly other academic directors
- the Norwegian Data Protection Authority
In most cases, the IT director shall follow up the case.
Standard procedure for handling discrepancy with regard to unauthorised distribution of personal data
Applies to: Anyone who processes personal data on behalf of UiO.
When a discrepancy is detected, the follow-up shall be logged continuously and the case is handled as follows:
Map out what information has been available to whom
Investigate what type of information the discrepancy is regarding, who the data subjects are and where the information originated.
Remove access to the document/service in question
Unauthorised access to the data shall be removed. Information there is no need for, or copies of such, whether physical or digital, shall be erased immediately.
Map out who has accessed the information
Available logs shall be used to investigate who has accessed the data.
When sharing has occurred via the web:
- Check access logs and investigate who has read the information
- If search engines have indexed the data, these shall be contacted and requested to re-index the data.
- This also applies even if data is not visible through the search service, only indexed.
- Consider on the basis of access logs whether others should be contacted.
- For a period of time afterward, check manually whether the data is made available again via search engines:
- week 1: check daily
- weeks 2-8: check weekly
- months 3-12: check monthly
Information to the data subjects
As a general rule, all shall be notified about the incident. If practical or other reasons make this difficult, the data controller shall make a concrete assessment of the type of notification necessary.
Information to others
The IT director can, in consultation with the communications director, consider whether any of the following should be informed:
- Employees of UiO
- Students at UiO
After the incident, the department in question, together with the data controller, shall write a report documenting what has occurred and what actions have been taken. The report shall be sent to the Data Protection Officer. The Data Protection Officer considers whether to forward it to the Norwegian Data Protection Authority.
Report any discrepancies
Discrepancies are reported to UiO-CERT and the data controller.