Processing of personal data about others
- The use of personal data about others
Personal data are used in many contexts, for example in student assignments, teaching, research, publication and case processing.
When you use personal data, you are responsible for familiarising yourself with the rules. You must also consider how the information shall be protected based on its value: confidentiality, accuracy (integrity) and accessibility.
The legislation regulates all processing of personal data (datatilsynet.no)(NO), including the collection, registration, manipulation, storage, adaptation, retrieval, transfer and deletion of data. The GDPR calls this processing of personal data. The legislation also applies to information in personal data filing systems.
Assessment before you process personal data about others
The GDPR sets requirements that apply both when the data are collected from the person concerned and when they are openly available online.
You must document:
- A clearly defined purpose of the processing.
- Permission to process information, such as legal authority, consent or other reasons mentioned in the GDPR. See Guidelines on lawfulness of processing (datatilsynet.no)(NO).
- That the personal data are of adequate quality.
- How the risks have been assessed and what measures are taken to protect the data.
- Whether a data protection impact assessment (DPIA) is required. Both the assessment of whether a DPIA is required and any execution of it must be documented. See Guidelines on DPIA (datatilsynet.no)(NO) and Guidelines of the Article 29 group (datatilsynet.no).
- That a Data Processor Agreement has been entered into if others are to operate systems or in other ways process personal data on behalf of the institution. If the systems are operated by the institution itself, the same procedures for processing of data shall be covered by the internal control system. See Guidelines on Data Processor Agreements (datatilsynet.no)(NO) and Sikt's (earlier Unit) resources on GDPR (old.unit.no)(NO).
- Whether the processing needs compliance advice from the Data Protection Officer, needs to be reported, needs a licence or otherwise needs approval.
- Basic principles, see Guidelines on basic principles (datatilsynet.no)(NO).
- Whether the IT solutions or systems you are planning to use are secured for processing of the relevant personal data.
- Whether the demands of privacy by design are fulfilled in the IT system, in the development of routines, organisation and training. See Guidelines on privacy by design (datatilsynet.no)(NO).
- Whether everything has been attended to at your place of work or study. There may also be other requirements to be considered and met.
Remember to involve your privacy contact as early as possible in the process. The Data Protection Officer will be involved when needed.
- You are responsible for securing information correctly
Personal data shall be secured to prevent unauthorised persons from gaining access to them and changing, deleting or damaging their content, and to ensure that the data are available to the persons who are to have access to them.
The requirements for security increase in line with the need for confidentiality (degree of sensitivity) and the number of registered persons.
Examples of typical security measures are login procedures, backup copies and keeping logs of who reads, modifies or deletes information. Logging can be used to check that no unauthorised persons have accessed the systems and that users are not misusing their access to snoop around.
For more information about data security, see Securing information.
- Disclosure and transfer
Some personal data are required by law to be transferred to other parties, for example to the Norwegian State Educational Loan Fund (Lånekassen) and the tax authorities.
Other public agencies are also entitled to have certain information disclosed, such as the Norwegian Labour and Welfare Administration (NAV) and the police.
It may also be necessary to transfer information between enterprises, for example in research projects with external partners or when external IT services are used. In this case you need to consider whether a Data Processor Agreement or another agreement that regulates privacy is required. If the parties are located outside the EU/EEA (EØS), separate assessments must be made.
Anyone can ask for access to public archives. Only staff granted special authorisation can make decisions on the disclosure of information. Check the procedures at your place of study or work.
In special cases, the employer can access employees’ e-mails or private files (datatilsynet.no)(NO).
Employee representatives and employees can gain access to payroll information (datatilsynet.no)(NO).
Anyone can ask for access to information about themselves.
- Deletion and filing
Personal data shall normally be deleted (datatilsynet.no)(NO) when they are no longer in use. This also applies to all copies (also in personal file areas).
Research data shall normally be deleted or anonymised when the research project is concluded.
Personal data worth preserving (lovdata.no)(NO) shall be filed. This applies, for example, to personal data that have been used in case processing, information about who has been accepted to different study programmes, examination answer papers and master’s theses.
Check the procedures for deletion and filing at your place of study or work.
For more information about deletion, see slettmeg.no (NO).
- Report undesirable incidents (deviations)
Everyone is responsible for reporting if personal data have fallen into the wrong hands (deviation) (datatilsynet.no)(NO).
Examples of incidents to report:
- E-mails and attachments sent to the wrong address
- Erroneous disclosure or publication
- Lost equipment (mobile phone, laptop, tablet, notes etc.)
- Faults in access rights, equipment or software that may weaken security
- Lacking or ineffective procedures, or non-compliance with procedures
The severity of an undesirable incident varies depending on whether it concerns information about a few or many people, and whether it concerns special categories (sensitive data).
Check with your place of study or work how undesirable incidents or deviations shall be reported.
- Privacy when teaching is digital
Sikt's (earlier Unit) guidelines on digital teaching and privacy (old.unit.no)(NO) can be used as a starting point for a privacy routine at your own institution. The Norwegian Data Protection Authority has approved these guidelines and emphasised that solutions must be practical.
Sikt recommends creating two guidelines, one aimed at lecturers and one at students.
Recommended legal basis:
- Recording of teachers can be authorised in GDPR art. 6 no. 1 b) «necessary to fulfil an agreement» and/or the employer's right to control.
- Recording of students can be authorised in GDPR art. 6 no. 1 e) «in the public interest», cf. no. 3 b), cf. the Universities and University Colleges Act §§ 1-3, 3-8, 4-2 and 4-3.
- If students are to record during the lecture, they should ask for consent (GDPR art. 6 no. 1 a)) from those who participate in the recording, regardless of whether they record for their own use or are going to share the recording with others. Recording of teaching can hardly be regarded as a "purely personal or family activity" (see GDPR art. 2 no. 2 c)). The website of the Norwegian Data Protection Authority states the following on monitoring, tracking and sound recordings: «In situations where sound recordings of meetings or teaching are made, the situation is different. Then the context in which the recording takes place and the consideration for those who are present and are recorded could point in the direction that it is not a purely personal activity within the meaning of the law».
The institution should carry out regular evaluations of the digital processing of personal data.
The lecturer must consider the need for recording the lecture and ask themselves whether recording is necessary. Do the students who do not want to participate in the recording have other possibilities to participate? According to the Norwegian Data Protection Authority, students cannot be forced to show their picture or join audio recordings, either during compulsory or non-compulsory teaching. They should be able to join via chat or send questions by e-mail, or the institution must have other solutions for anonymous participation.
Information shall be provided about the recording: its purpose, legal basis, storage (where and for how long), who shall have access and whether the recording shall be shared. How long the recording can be stored will vary according to who and what is on the recording. The guideline and routine should address this matter.
The information should be posted on the students' information platform at the institution.
It should be stated that you must follow your own institution's regulations for recording audio and video.
See also Guide for digital learning resources (uhr.no) (NO).
Digital learning resources in this context include all forms of material developed for teaching purposes, such as recordings of teaching, presentations, outlines, written teaching material, instructional videos, digital teaching plans, images, graphs and audio files.