I am a system owner
If you are designated as a system or service owner through your position, you have a responsibility to ensure that privacy is safeguarded in your system or service. Here we provide information on what this responsibility entails and what you need to think about in the various steps, from purchase/development to winding up of the system or service.
The central academic directors and the faculty directors are designated as owners of systems and services within their respective areas of responsibility. The system and service owner is responsible for the specification of functional and quality requirements for the development and operation of the system. This also includes responsibility for certain privacy tasks when processing personal data in their systems or services.
The strategic coordination group for administrative IT systems (SKAIT) has prepared a checklist for administrative IT systems and services in which the requirements for processing personal data are included. See for example how this appears in practice for the analysis tool Kuben (in Norwegian).
What responsibility for privacy do system and service owners (academic directors and faculty directors) have?
System and service owners’ (academic directors and faculty directors) responsibility for privacy in the processing of personal data includes the following tasks:
When purchasing/developing the system or service
- describe and document what personal data that is processed in the system or service shall be used for: what is the purpose/intention of the system or service?
- describe and maintain an overview of what types of personal data shall be processed in the system or service
- describe what legal grounds UiO has for processing personal data in the system or service
- describe the requirements for the necessary protection of personal data that shall be processed in the system or service to ensure that the system or service has sufficient technology and mechanisms to meet the requirements.
Before use of the system or service starts
- conduct a risk assessment of the data security of the personal data in the system or service
- enter into agreements with any data processor that operate the system or service on behalf of UiO
- report the system or service to the Data Protection Officer at UiO
- prepare information for employees, students, guest researchers or guests about their privacy rights
While the system or service is in use
- control that the personal data that is processed in the system or service is not used for entirely different purposes than what is planned, without the grounds for processing, including consent or legal authority, covering this.
- control that the personal data processed by the system or service is of satisfactory quality, i.e. the information is sufficient and relevant, correct and up-to-date
- control that excess data is not recorded in the system or service (personal data that is not necessary to maintain the purpose/intention of the system or service)
- erase or anonymise excess information that has already been registered in the system or service
- reply to enquiries from and safeguard the rights of those to whom the personal data relates/the data subject
- make regular risk assessments of the data security of the personal data that is processed in the system or service
- take steps to ensure that the data security of personal data processed in the system or service is satisfactory
- regularly check that any data processors comply with the terms of data processor agreements.
- report discrepancies arising from the processing of personal data in the system or service.
- report any significant changes in the use of the system or service to the Data Protection Officer at UiO (in Norwegian)
- assist in annual internal control (audit) and local controls performed by employees in the IT director's staff. See guidelines for performing annual internal control (in Norwegian).
When winding up the system or service
- decide which personal data to erase or anonymise and which to archive
- ensure that all personal data that is not to be archived is properly erased or anonymised
- ensure that personal information to be kept is archived
- Checklist for processing personal data as a system owner (in Norwegian).