1. Nettskjema can be used for collection of information from anybody who has a UiO user name or any institutions who have signed a Data processor agreement with UiO/USIT.
Nettskjema is a service that has been developed and is being supplied by UiO to design and manage data collection with the aid of web-based forms. To be able to use the service, i.e. to design a form, you need a UiO user name or a Feide user, or you must establish use through authentication via ID-porten. You will be given a UiO user name through your role as a student or member of staff, and it is given on allocation of a user account, in the form of a user name and an associated password. (User accounts for members of staff are set up on the basis of information on the staff member in the university’s HR system SAPUIO, while user accounts for students are set up on the basis of information on each student in the study-related administrative system National Student Database.)
You can choose whether to establish an open form to which anybody who has Internet access can respond, a form that requires respondents to log on with a UiO user name, or a form to which only those invited by email can respond. If you send out an invitation, the only criterion is that you use a valid email address.
You also have the option of defining a form that permits the respondents to remain anonymous, even if they need to log in. This requires you as the form owner to take active steps.
2. Nettskjema shall not be used for long-term storage of data. When a form no longer receives new data, the data must be deleted from Nettskjema. If they are to be kept, the data collected must be downloaded and stored in an appropriate location.
Nettskjema is a tool for designing and managing data collection, and is not intended for storage of data. If you need and are permitted to store the collected data for a period of time, this must be done in a location appropriate to the type of data in question. For example: (i) if the data are anonymous, you can store them on an open, shared location, (ii) if the data file contains personal information, it must be stored in a location that has a security level appropriate for the information, (iii) if the data are sensitive pursuant to the Personal Data Act, they must be stored in TSD, and (iv) if the data are subject to archiving obligations they must be stored in accordance with the archiving regulations.
Personal information is stored in Nettskjema, see more details in item 7. Section 28 of the Personal Data Act states that personal information must not be stored any longer than is deemed necessary to carry out the purpose of the processing.
3. All data must be deleted no later than six months after submission of the last response. In case of failure to do so, all data will be cleared from the form.
We base this on the assumption that when the last response has been submitted and the form is no longer active, the purpose of storing personal information in the web-based form no longer exists. To avoid inappropriate storage of data in the application, the data in the submitted responses must be deleted as soon as possible and no later than within six months.
A form will be deemed completed if no responses have been submitted during the last six months, irrespective of whether the form has been closed or not.
An alert will be sent to the person registered as the owner of the form when the deadline for deletion approaches.
4. Before using Nettskjema you must have read and accepted the rules for the use of IT services at the University of Oslo.
The IT regulations are UiO’s internal rules for ensuring appropriate, legal and safe use of the university’s IT services and equipment.
As a user of the IT services at the University of Oslo you have rights as well as obligations. Before using IT services you must have read and accepted the IT regulations.
5. All processing of personal data related to the use of web-based forms must comply with the provisions in the Personal Data Act (see the guidelines for responsible data collection and use of web-based forms). If you have any questions concerning the handling of personal data, go to Data protection at UiO.
At UiO, the University Director holds general responsibility for all processing of personal information, including administrative processing as well as processing for research purposes. This does not absolve those who process personal information in the context of their work of their responsibility. All those who in any capacity process personal information at UiO are responsible for familiarizing themselves with prevailing regulations and routines, for ensuring that all processing is performed appropriately and for reporting adverse events to the person responsible for processing if any such are detected.
All processing of personal information must comply with prevailing legislation and regulations. UiO shall not process personal information any more than is necessary for meeting UiO’s objectives. The institution’s activities are described in Section 1‑3 of the Act relating to universities and university colleges.
For those who are registered, UiO’s processing of their personal information shall constitute an encroachment on the privacy interests of individuals which is as minimal as possible in practical, technical and financial terms, cf. Sections 8, 9, 11 and 28 of the Personal Data Act.
Note: UiO’s net-based forms are designed in such a way as to permit collection of sensitive data. However, this will require you to perform this task appropriately. Contact TSD for more information.
7. In Nettskjema, the following personal information is stored:
a. User name, full name and email address at UiO.
b. Information on the user’s access rights and any amendments that have been made to the form.
c. Information on the respondent to a form:
   - Forms with a log-in or direct link from an email store the email address, name, user name and time of submission.
   - Anonymized forms store only information on whether a person has responded to a form or not. In this case, the person cannot be linked to the submitted form.
The term “personal information” refers to all information that can be linked to an individual, for example name and email address. In the vast majority of cases, the response to a web-based form will contain personal information as described in items a, b and c. This means that all responses submitted via a form must be processed in accordance with the provisions of the Personal Data Act with appurtenant regulations. If you are uncertain how to proceed with this, you can send your questions to email@example.com.
Re. items a and b:
All information stored in web-based forms on the owner of the form or other editors is taken from UiO’s internal data system. This information is processed in accordance with prevailing internal UiO guidelines.
Re. item c:
Information stored on the respondent to a form:
- If the owner of the form wishes to be able to identify individuals who respond to the form, the following information will be available to the owner and the other editors: name, user name, email address and time of submission, as well as the content of the response. The owner of the form will be able to store this information separately or in combination with the response when the data file is to be transferred from the web-based form to another suitable storage location.
- If the owner of the form chooses to let the respondents remain anonymous, the form will not store information on respondents. In other words, identification of individual respondents will not be possible.
Your rights as a user of Nettskjema:
- Access: Pursuant to Section 18 of the Personal Data Act, any person who so requests can be informed of the kind of processing of personal data which is undertaken by a data processor, in this case UiO. Information may also be requested with regard to a processing procedure (see Section 18 for an overview of the types of information). UiO has a list of all procedures foreseen for the Norwegian Social Science Data Services (for research and student projects) or for UiO’s Privacy Protection Ombud (for administrative procedures). These can be reached electronically over the Internet. Those who want further information on a procedure can send a request for such access to UiO. Contact information can be found on Data protection at UiO.
- Correction, deletion: In certain cases you have the right to request that your personal data be corrected or deleted, cf. Section 27 of the Personal Data Act and Section 28 of the Personal Data Act. This may, for example, apply to information which is incorrect and/or incomplete, or to information that UiO is not authorized to process.
Responses to requests from individuals must be sent without undue delay, and no later than within 30 days (with certain exceptions).