Notifying the processing of personal data
All administrative processing of personal data and bachelor and master thesis and research projects that process personal data shall be notified to the respective data protection officers.
Administrative processing of personal data
When processing personal data in administrative systems (for example in payroll systems, use of cloud solutions, archives or newsletters), this must be registered in UiO's notification app (Meldeappen).
Why register in Meldeappen?
Meldeappen is an overview of administrative processing of personal data at UiO. We have a legal obligation to keep records of all processing activities.
The Norwegian Center for Research Data (NSD) maintains a protocol on our behalf for processing in research. For administrative processing, we keep records ourselves in Meldeappen.
We need to make sure we have control over where we process personal data, who we process personal data about and for what purposes we process personal data.
What should be registered in Meldeappen?
Administrative processing activities must be registered in Meldeappen. This covers administrative processing that is of a lasting nature, is repetitive, or is done as a routine or according to a guideline. If, for example, the processing is repeated every semester and is thus repetitive, it should be registered. However, a small-scale, single ad hoc processing activity does not need to be registered.
In addition, processing that takes place in the larger systems owned by units in LOS, and that is within the central purposes for which these systems are used, is already registered. This includes, for example, FS, financial systems, SAP, Canvas, TP, Forskpro and Zoom. Therefore, processing that falls within the central systems and purposes does not have to be registered.
However, if central systems are used for processing that falls outside the central purposes, that processing must be registered. If, for example, you must record digital teaching through Zoom at an institute or faculty, this must be registered in Meldeappen. In addition, processing that is of a lasting nature, recurrent or routinely performed outside the central systems must be registered.
Meldeappen is searchable, so it is easy to see whether a processing activity is already logged.
More information on when bachelor and master thesis and research projects must be notified, guidance on how to notify and a link to the notification form may be found here:
- Processing of personal data in research (in Norwegian)
- When should a research project be notified? (nsd.no)
- Technical guidance on notification form (nsd.no)
- Notification form (nsd.no)
Data Protection Impact Assessment (DPIA)
With the expiry of the Norwegian Data Protection Authority's (DPA) licensing, most of the privacy responsibilities fall on the data controllers themselves. This means that, in some cases, you must assess the privacy consequences (conduct a DPIA) of data processing before you go ahead with the project. Both administrative and research processing of personal data are subject to these new rules.
This page will soon be updated with DPIA templates for both research and administrative processing.
Medical and health research
Are you going to write a bachelor or master thesis or start a research project in the field of medicine and health?
The quality system for medical and health research gives you the information you need about current regulations, guidelines, roles and responsibilities and quality policy (in Norwegian).