Privacy at UiO
At UiO, extensive amounts of personal data are processed every semester within study administration, research and employment. UiO is a large and complex organisation, and it is therefore important that responsibility for the processing of personal data, and the exercise of that responsibility, are well organised. The following is a description of how privacy is handled and how the responsibility is distributed at the University of Oslo.
The organisation of work concerning privacy
Responsibility for work concerning privacy when processing personal data is organised as follows:
The overriding responsibility
The rector, on behalf of the board, has the overriding responsibility for privacy and data protection in all processing of personal data at UiO.
The rector, on behalf of the board, has delegated the overriding responsibility as follows:
- The university director has the daily responsibility for privacy in the processing of personal data in research, teaching, administration and communication
- The IT director is responsible for the practical implementation of the university director's privacy responsibility.
Responsibility for privacy in the administration
The central academic directors and the faculty directors are designated as owners of systems and services within their respective areas of responsibility.
System and service owners are responsible for certain privacy tasks when processing personal data in their systems or services.
Administrative managers for case processing are responsible for certain privacy tasks when processing personal data. This applies to administrative managers both at a central level and at the basic units.
Case handlers have an independent responsibility for privacy when dealing with personal data electronically or manually. This applies to case handlers both at a central level and at the basic units.
Responsibility for privacy in research
Medical and health research is subject to the Health Research Act or other specific health legislation, such as the Health Register Act or the Biotechnology Act. Researchers shall follow the special routines and guidelines that apply to privacy and the processing of personal data within these disciplines. See the quality system for medical and health research (in Norwegian).
All other research at UiO shall be in accordance with the instructions in this guideline.
Responsibility for privacy and processing of personal data in research not considered to be medical or health research is organised as follows:
- deans and heads of departments are responsible for certain privacy tasks when personal data is processed in their units
- research project managers have an independent responsibility for the privacy of respondents or informants in research projects (PhD students are considered project managers for their PhD projects)
- student supervisors are responsible for the privacy of respondents or informants in student research at bachelor and master levels
- students have an independent responsibility for the privacy of respondents or informants in student research at bachelor and master levels
What does it mean when the rector and the university director have the overriding responsibility for work concerning privacy?
It is the board and rector who are ultimately responsible for ensuring that UiO does not violate individuals’ privacy when processing personal data in research, teaching, administration and communication.
According to delegation, this means that the university director – on behalf of the board and rector – shall ensure that:
- work involving privacy and the processing of personal data is appropriately organised
- there are requirements for work involving privacy and the processing of personal data
- work involving privacy and the processing of personal data is prioritised and given adequate resources
- work involving privacy and the processing of personal data is followed up and controlled
The Personal Data Act and its regulations impose on management (the rector on behalf of the board and the university director) a particular responsibility for data security for personal data processed at UiO.
What does it mean that the IT director exercises the daily responsibility for work concerning privacy?
The IT director – on behalf of the university director – follows up and controls work concerning privacy and the processing of personal data in central administration and at the basic units.
The IT director shall ensure, and make it possible, that central administration and the basic units comply with:
- the laws and regulations applying to privacy and the processing of personal data
- the requirements set by the board and rector for work concerning privacy and the processing of personal data
The IT director's follow-up and control responsibilities are exercised as follows:
- through annual internal control (audit) of the processing of personal data
- through local controls in central administration and at the basic units of the processing of personal data
- through the preparation of routines and rules for the processing of personal data
- through information about which routines and rules apply for processing personal data
- through training of managers/employees and competence building (seminars and courses)
- through legal advice (handling specific enquiries from employees, students, guest researchers or guests)
- through handling discrepancies
- through the safeguarding of UiO’s obligations as data processor for other universities and colleges
- through the reporting of findings from annual internal controls, local controls and serious discrepancies to the university director
The day-to-day follow-up is delegated to legal advisors on the IT director's staff.
Statutory internal control
Following the GDPR (General Data Protection Regulation), the processing of personal data at UiO shall include internal control. Internal control at UiO shall be conducted according to the provisions of UiO’s regulations on privacy. Section 12.7 "Internal control" states:
"Once per year the units, with the aid of a template for self-inspection (see guideline in Norwegian), shall report from the basic units to the faculty director/academic director. At the faculty/department, the information collected shall be summarised using the above template. The data controller’s representative prepares a conclusion based on this which is sent to the university director."
As an element in further securing the area, local inspections are also performed at each basic unit at the university, with the target of visiting all basic units over a five-year period. The local inspection is conducted in collaboration with the Data Protection Officer.
Data security at UiO
Data security is about UiO ensuring that personal data that is processed in research, education, management and communication is sufficiently protected against three types of unwanted incidents:
- personal data falling into the hands of an unauthorised person (violation of confidentiality)
- an unauthorised person erasing, changing or manipulating personal data (violation of integrity)
- personal data is not available to those who require access when the need arises (violation of availability)
The university director is legally responsible for ensuring that personal data that is processed at UiO is adequately secured against such undesirable incidents.
Risk assessments are used to determine whether the personal data is satisfactorily secured against undesirable incidents (violation of confidentiality, integrity, and availability).
Risk assessments shall be conducted (i) prior to the first use of internal or external systems and services, (ii) if the structure and mode of operation of systems and services change significantly, and (iii) at regular intervals (every two years).
Risk assessments of the data security of personal data that is processed in internal or external systems and services concern two factors:
- identifying actual and potential undesirable incidents that may occur in connection with the use of the system or service
- assessing the probability and damaging effects (consequence) of every single undesirable incident
If the risk assessment shows that data security is not satisfactory, for example that certain unwanted incidents are very probable and have great damage potential (consequence), UiO is obligated to take steps that reduce the risk of these incidents occurring.
The measures can include many of those mentioned above in the description of what a discrepancy is.
It is the owners of electronic systems or services that UiO operates itself who are responsible for conducting risk assessments of these systems or services.
Owners have also been appointed for systems or services operated by external data processors. The owners of such systems or services are responsible for conducting risk assessments of the data security of the external data processors.
UiO is obligated to have a dedicated management system for safeguarding the data security of personal data. UiO’s management system has more detailed descriptions of the requirements that top management (rector and educational director) sets for work involving data security and how the work is organised.
Personal Data Security
If it is likely that the kind of processing UiO wishes to implement will entail a high risk to a person's rights and freedoms pursuant to the GDPR, UiO is required to assess the consequences of the planned processing for the protection of personal data. Such an assessment must be made before the processing has started.
The data protection impact assessment has, amongst other things, replaced the previous licensing scheme of the Norwegian Data Protection Authority (DPA), and will be implemented if new technology is used in the processing.
What is proper erasure of personal data?
Personal data, including research data, is properly erased when it can no longer be recreated and retrieved.
For example, proper erasure means that there shall no longer be copies of personal data stored in private storage areas, USB memory or mobile data devices.
This also means that all back-up copies of the data shall be erased.
The same applies to personal data included in manual personal data filing systems, such as datasets (registers) that contain data about respondents in research projects obtained using paper-based questionnaires.
The alternative to erasure is anonymising, i.e. all identifying information (name, address, personal ID number etc.) is erased. Other data (data that does not identify the persons in question) can then be retained for later use.