Processing of personal data about others
- The use of personal data about others
Personal data are used in many contexts, for example in student assignments, teaching, research, publication and case processing.
When you use personal data, you are responsible for familiarising yourself with the rules. You must also consider how the information shall be protected based on its value (confidentiality, accuracy (integrity) and accessibility).
The legislation regulates all processing of personal data (datatilsynet.no)(NO), including the collection, registration, manipulation, storage, adaption, retrieval, transfer and deletion of data. The GDPR calls this processing of personal data. The legislation also applies to information in personal data filing systems.
Assessment before you process personal data about others
The GDPR sets requirements that apply both when the data are collected from the person concerned and when they are openly available online.
You must document:
- A clearly defined purpose of the processing.
- Permission to process information, such as legal authority, consent or other reasons mentioned in the GDPR. See Guidelines on lawfulness of processing (datatilsynet.no)(NO).
- That the personal data are of adequate quality.
- How the risks have been assessed and what measures are taken to protect the data.
- Whether a data protection impact assessment (DPIA) is required. Both the assessment of whether a DPIA is required, and any execution, must be documented. See Guidelines on DPIA (datatilsynet.no)(NO) and Guidelines of Article 29 group.
- That a Data Processor Agreement has be entered into if others are to operate systems or in other ways process personal data on behalf of the institution. If the systems are operated by the institution, the same procedures for processing of data shall be covered by the internal control system. See Guidelines on Data Processor Agreements (datatilsynet.no)(NO) and Units resources on GDPR (NO).
- Whether the processing needs compliance advice from the Data Protection Officer, needs to be reported, have a licence or otherwise needs approval,
- With the Data Protection Officer or your institution as early as possible in the process,
- Basic principles, see Guidelines on basic principles (datatilsynet.no)(NO)
- Whether the IT solutions or systems you are planning to use are secured for processing of the relevant personal data,
- Whether the demands of privacy by design is fulfilled in the IT-system, in the development of routines, organization and training. See Guidelines on privacy by design (datatilsynet.no)(NO),
- Whether everything has been attended to at your place of work or study. There may also be other requirements to be considered and met.
- You are responsible for securing information correctly
Personal data shall be secured to prevent unauthorised persons from gaining access to them and changing, deleting or damaging their content, and to ensure that the data are available to the persons who are to have access to them.
The requirements for security increase in line with the need for confidentiality (degree of sensitivity) and the number of registered persons.
Examples of typical security measures are login procedures, backup copies and keeping logs of who reads, modifies or deletes information. Logging can be used to check that no unauthorised persons have accessed the systems or that users misuse their access to snoop around.
For more information about data security, see Securing information
- Disclosure and transfer
Some personal data are required by law to be transferred to other parties, for example to the Norwegian State Educational Loan Fund (Lånekassen) and the tax authorities.
Other public agencies are also entitled to have certain information disclosed, such as the Norwegian Labour and Welfare Administration (NAV) and the police.
It may also be necessary to transfer information between enterprises, for example in research projects with external partners or when external IT services are used. In this case you need to consider if a Data Processor Agreement or another agreement that regulates privacy is required.
Anyone can ask for access to public archives. Only staff granted special authorisation can make decisions on the disclosure of information. Check the procedures at your place of study or work.
In special cases, the employer can access employees’ e-mails or private files (datatilsynet.no)(NO).
Employee representatives and employees can gain access to payroll information (datatilsynet.no)(NO).
Anyone can ask for access to information about themselves.
- Deletion and filing
Personal data shall normally be deleted (datatilsynet.no)(NO) when they are no longer in use. This also applies to all copies (also in personal file areas).
Research data shall normally be deleted or anonymised when the research project is concluded.
Personal data worth preserving (lovdata.no)(NO) shall be filed. This applies, for example, to personal data that have been used in case processing, information about who has been accepted to different study programmes, examination answer papers and master’s theses.
Check the procedures for deletion and filing at your place of study or work.
For more information about deletion, see slettmeg.no (NO).
- Report undesirable incidents (deviations)
Everyone is responsible for reporting if personal data have fallen into the wrong hands (deviation) (datatilsynet.no)(NO).
Examples of incidents to report:
- E-mails and attachments sent to the wrong address
- Erroneous disclosure or publication
- Lost equipment (mobile phone, laptop, tablet, notes etc.)
- Faults in access rights, equipment or software that may weaken security
- Lacking, ineffective or non-compliance with procedures
The severity of an undesirable incident varies depending on whether it concerns information about a few or many people, and whether it concerns special categories (sensitive data).
Check with your place of study or work how undesirable incidents or deviations shall be reported.