1. What is a privacy declaration?
A privacy declaration describes the personal information that is processed, how it is processed, who is responsible for the processing, what your rights are, and who you can contact about your personal information. This privacy declaration describes how UiO processes your personal data if you are an employee or if you have applied for a position at the University.
2. What is personal information?
Personal information is any form of data, information, identifiers and assessments that can be linked to you as an individual. The key as to whether a piece of information is personal information is whether the information can identify a specific person either directly or indirectly.
3. The processing of employees’ personal data at the University of Oslo
The University of Oslo is an institution with more than 7,000 employees who, in the capacity of their positions, are registered in various IT systems and services that are either operated by the university itself or by external providers. Common to all employees is that they are registered in our central system, such as the payroll and personnel management system, filing system, access control system and various IT systems, in order to provide them with access to basic services such as e-mail, Vortex and the HR Portal. In addition, various employees will be registered in additional systems, which are used in their specific position in order to perform work for UiO.
4. Processing of personal data in the central system
4.1 The purpose of, and the legal basis for, the processing of personal data in the central system
4.1.1 Purpose
The purpose of the processing of personal data in the central system is to safeguard your employment rights, to fulfil UiO’s tasks and obligations as an employer, and to enable you to do the job you are employed to do.
It is necessary for UiO to process your personal data so that UiO can, for example,
- pay our salary
- perform the necessary administration related to the employment relationship
- secure access to IT systems and property management
4.1.2. Legal basis
Processing is based on The Personal Data Privacy Regulation Article 6 No. 1 letters b and e. That is, in order to fulfil the employment contract with you as an employee, and to meet our obligations according to other legislation, such as the Working Environment Act, the State Employment Act, the Archival Act and the University and University College Act, the Accounting Act and the Tax Administration Act.
4.2 Payroll- and human resources administration system
UiO uses the SAP platform as its system for payroll and human resources management. The system is mainly operated by a standard service from the German software company SAP, but some modifications have been made. This custom service solution has been named SAPDFØ and is owned by the Department of Finance and Business Management (ØVA). The self-service portal is SAPDFØ’s self-service solution for employees in various roles.
The system is used primarily for
- human resources administration
- payroll processing
- settlement of travel expenses and reimbursement
- sick pay processing
- internal and external reporting
4.2.1 What kind of personal information is processed in SAPDFØ?
The following personal information may be processed:
- name
- personal identity number
- employee number
- contact information
- payroll information
- payment information
- working hours
- information on sick leave, medical certificates, compensatory time off, holidays and leave of absence
- tax information
- travel expense and reimbursement claims
- information on secondary employment and ownership interests
- information on next of kin.
4.2.2 Your personal information is retrieved in SAPDFØ from:
- yourself via the HR portal
- The Norwegian National Population Register
- The Norwegian Central Coordinating Register for Legal Entities
- former employers
- the secondary employment and owner interest service at UiO
- The Directorate of Taxes
4.2.3 Automatic administrative procedures in SAPDFØ
SAPDFØ carries out automatic processing of your personal information for several purposes. This could be to calculate the number of holiday days you are entitled to and the number of care days you are entitled to based on the number of dependent children.
4.2.4. How long do we store your personal data in SAPDFØ?
Your information is stored in SAP for ten years before it is deleted. This is according to requirements of the Accounting Act.
4.3 Administrative procedure and filing system
ePhorte is UiO’s electronic administrative procedure- and filing system. Personnel files are created in ePhorte, UiO’s filing system. The personnel file should contain documentation that have a bearing on the employee's service and pension conditions.
4.3.1 What kind of personal information is processed in the system?
The personnel file may contain, among other things:
- documents from application processes, such as requests for leave of absence
- employment contract
- CV and job application
- salary processes and negotiations
- work plan
- warnings
- sick notes
- personnel matters
- testimonials
- assessments
- reports from appraisal interviews
See routines for managing personnel files in ePhorte.
4.3.2 How long is personal information stored in the personnel file?
Your personal information in ePhorte will be deleted as soon as there is no longer need to store it. However, this only applies to documents that have no permanent effect on employment or pay conditions. For other documents, UiO is subject to the filing obligation in the Archival Act so that, as a general principle, information in ePhorte cannot be deleted without a statement from the Director General for the National Archives, cf. Archival Act section 9. This applies even after termination of employment.
4.4 University's access control system
The purpose of the access control system at the University is to manage the University's properties and to provide security and authorized access to our areas.
The property department at UiO is responsible for the system.
The system consists of UiO’s card readers and approximately 100 surveillance cameras, which are located both inside and outside UiO’s properties.
4.4.1 What kind of personal information is processed in the system?
- name
- address
- phone number
- e-mail address
- card number
- data from when the card user registers the card in the card reader
- recordings from camera surveillance
4.4.2 How long is personal information stored in the system?
Your contact information will be stored as long as you have a valid access card to access UiO’s properties.
Data from the card reader is deleted after six months.
Recordings from video surveillance are stored for seven days. When they are handed over to the police, recordings can be stored for up to 30 days.
4.5 Cerebrum
Cerebrum is the hub of almost all the IT systems at the University. Cerebrum is an Identity Access Management system (IAM), and is intended to ensure easy and secure user and group administration for UiO.
Cerebrum is the source system for user names, passwords, e-mail addresses and group information, and integrates with other systems. The source system refers to a system from which other systems collect information. For example, Cerebrum enables login to various services with your UiO username. Cerebrum should be experienced as something that merely functions, and should be invisible to the user.
Cerebrum itself collects its base data from SAPDFØ, so if you or your employer change information about you in SAPDFØ, then it will automatically be changed in Cerebrum, and thus in any associated system.
Examples of systems that derive their base data from Cerebrum are cloud storage services, library services, intranet, home areas, crisis alerts, Feide, e-mail system, access control and various login services.
4.5.1 What kind of personal information is processed in the system?
- username
- password
- e-mail address
4.5.2 How long is personal information stored in the system?
Information in Cerebrum is deleted within six months from the termination of your employment relationship. User names will not be deleted because UiO has a rule that user names are not recycled. This is for security reasons.
5. Systems relating to specific roles at the University of Oslo
In the capacity of your own position at UiO, you may be required to use different IT services to carry out your work. These IT services store personal information about you. This depends entirely on what the service does, and what your function is at UiO.
Many of these services have a user profile on you to ensure that you have legitimate access to the system. Some services will also be able to log your activity for various purposes, such as security, operational or service development considerations.
You yourself know best what services you use on a daily basis and can ask your local IT manager how these services/systems process your personal information. You will also be able to search the system/service in UiO’s summary of the processing of personal data.
Personal information on you will be stored where you have logged in as a UiO user or where you may be registered as an UiO employee. Examples of such are:
- invoicing, purchasing, and other financial management systems
- operation and security tools
- HR services
- cloud storage services
- intranet
- research registers, such as CRISTin, Sikt, REK and Helseforsk.
5.1 Zoom
Zoom is UiO's preferred video streaming service. When employees log in with a FEIDE user, the first, last name and UiO email address is sent to Uninett AS, which delivers Zoom to UiO.
When using Zoom for teaching, meeting and conference activities, one must usually participate with the use of image and / or sound during the streaming. This is controlled by the employee with settings when connecting to the stream. This can also be changed by the employee at any time while the stream takes place. This processing is necessary for fulfillment of the employment contract, cf. GDPR art. 6 (1) (b).
In addition, analytics data is collected on the use of Zoom, such as hosts, participants, time, hardware and IP address. Data access is strictly restricted and data collection serves UiO's interest in optimizing, correcting errors, producing statistics for and improving the service, cf. GDPR art. 6 (1) (f).
5.2 Social Media
UiO uses various social media channels to reach out to students, employees and the general public. When these services are used, the service's guidelines apply. When UiO is jointly responsible for processing with the service provider, information about this is provided in the service.
5.3 Canvas
Employees may be required or encouraged to complete courses and / or training in Canvas.
The result of the course / training can be stored in Canvas so that it is registered whether you have completed, passed or failed the course. The purpose of this is to be able to document that you as an employee have completed a course that provides the necessary knowledge in various subject areas that are relevant to your work. This means that the result of the course / training will be linked to you as a person.
What is saved is: your result, whether you pass or fail, time spent, number of points and answers for each attempt.
The legal basis for processing this information is GDPR art. 6 (1) (b). The processing is within UiO's activity as a research and educational institution, and employer.
The information will be stored in Canvas. Results can be moved to and registered in other systems at UiO.
6. Security relating to your personal information
UiO regularly conducts risk and vulnerability analyses (ROS) of the data systems we use in order to safeguard your personal information. We also have several security measures, such as access controls to prevent more employees than necessary being able to gain access to your personal information. Employees have a duty of confidentiality in respect of personal information they receive as part of their work. You can read about how we safeguard your information in LSIS – Information security management system (in Norwegian).
7. Your rights
When UiO processes personal data about you, either in the personnel file, in assessments, in logs or in other registers/systems, you have certain rights under the Personal Data Act.
7.1 The right to access
You are entitled to contact UiO to find out how we are processing your personal information. If we do what you are entitled to know, for example, what kind of personal information this is, where it originated and why we have it. You can also receive a copy of the personal data. You will not have the right to obtain information about whether we process information on others. The University processes personal information in very many areas. We are therefore entitled to ask you to specify the system from which you want the information.
7.2 Right to demand correction
If, after obtaining insight into your personal information, you find out that the information we are holding is incorrect, incomplete or inaccurate, you can ask UiO to correct the information.
7.3 Right of deletion (the right to be forgotten)
UiO already has strict deletion routines, whether it is automatic deletion of logs on a quarterly basis, or automatic deletion when you are no longer registered as an employee. As a general principle, you are entitled to ask us to delete the information we have on you. This is not an automatic right, but it can be done on certain conditions. If we have a legal basis to retain the information, other legislation does not permit us to delete it, or you do not have weighty legitimate grounds for demanding deletion, then we will still be able to process information about you.
7.4 Right to limited processing
This right allows you to require that UiO temporarily suspends the use of your personal information. You may require this if you believe that the information we are holding is inaccurate, or that we do not have sufficient grounds for processing the information. We will then halt the processing until we have looked into your objections.
7.5 The right to portability
If UiO processes your personal information based on your consent or an agreement UiO has with you, and the processing is done automatically (for example, that data is calculated automatically or machines analyse the information), you could require that we transfer your personal information to yourself or to a third party.
7.6 The right to object
If you are in a special situation that means that UiO’s processing of your personal information creates special challenges for you, you can protest against the University's processing. If your interests weigh heavier than those of the University, we will no longer process your personal information.
8. Contact
Data controller
The University Director at UiO is responsible for the personal information we process. The daily follow-up of this responsibility is delegated to the IT Director at UiO.
If you wish to make use of your rights referred to in Point 7 above, you can contact us at behandlingsansvarlig@uio.no. For correction of your information, please contact us here. We will deal with your inquiry without undue delay, and no later than one month from receiving your request.
Data protection officer
UiO has a data protection officer who safeguards the personal privacy interests of both students and employees at UiO. The data protection officer for administrative processing of personal data at UiO can be contacted by e-mail at personvernombud@uio.no.