
Privacy Resources NIH

Reference to templates and forms, overview of important institutions and internal systems.

Published Nov. 9, 2023 12:42 PM - Last modified Apr. 2, 2024 11:01 AM

General principles for processing personal data

Brief summary of the privacy principles

  • Lawfulness, fairness and transparency - there must be a legal basis for any planned processing, and the data subject must be informed about it.
  • Purpose limitation - every purpose must be identified and described precisely before processing starts, and the data must not later be used for incompatible purposes.
  • Data minimisation - no more personal data may be collected than is strictly necessary for the described purpose.
  • Accuracy - personal data must be correct and must be updated or corrected when necessary.
  • Storage limitation - personal data must be deleted or anonymised when they are no longer necessary for the defined purpose.
  • Integrity and confidentiality - the integrity, confidentiality and availability of the information must be protected. The controller and any processor must take measures against accidental or unlawful destruction, loss, alteration and unauthorised disclosure of or access to personal data.

Project support - internal systems and external partners

Prosjektweb

All research projects carried out by NIH employees must be registered in Prosjektweb. Prosjektweb is available via Innersvingen.

For master students' projects, the supervisor must register the project and then add the student as a project member (@student.nih.no).

PhD students and supervisor can agree on who will classify as project manager in Prosjektweb. This does not alter the supervisor's responsibility for the research project.

In Prosjektweb you get access to checklists for project administration. By uploading project documents such as agreements, budgets and reports, you also fulfil the archiving obligation, since the documents are transferred directly to P360. See the tutorials at Innersvingen.

Sikt - data protection services

All research projects at NIH that include personal data must be reported to Sikt - Data Protection Services (formerly NSD) for an assessment of privacy and data protection before the project starts. Researchers register the project themselves via Sikt's notification portal. For master students' projects, the student must give the supervisor access to the project/registration form. The supervisor has formal project management responsibility and must have approved the project and project documents before the notification is submitted.

Via the notification portal, researchers and students also get access to templates for information letters to project participants and letters of consent. Any amendments to the project - including delays, extensions, new project staff - must be reported to Sikt.

Although Sikt assesses privacy risks on behalf of NIH, it is still NIH and the project manager who are responsible for ensuring that the project is carried out in compliance with privacy laws and regulations.

In projects with special privacy challenges, an extended assessment (Data Protection Impact Assessment, DPIA) may have to be carried out. Sikt can carry out a DPIA in consultation with the researcher and the Data Protection Officer at NIH.

See Sikt's notification portal and overview of Sikt's services.

Privacy/Data Protection Officer NIH

The Privacy/Data Protection Officer looks after the data protection interests of both students and staff and strengthens the institution's ability to comply with the regulations. The Data Protection Officer can be reached by e-mail at personvernombud@nih.no.

As of April 2024, the Data Protection Officer at NIH is Lene Brandt at Sikt.  

Privacy Advisor NIH

Kaja Stene, Privacy Advisor at NIH
Email: kajast@nih.no
Phone: +47 23 26 20 95

Information Security Advisor NIH

Security Advisor at NIH
Email: hansok@nih.no
Phone: +47 23 26 20 65

Sikresiden.no

Sikresiden.no is created by and for Norwegian universities, colleges and research organisations. Sikresiden.no provides preventive training and advice on what to do in a crisis situation. You must always assess for yourself what is best to do in a specific situation.

See the information about privacy at sikresiden.no.

See also the information about information security at sikresiden.no.

NIH as data controller

NIH Privacy Obligations

In its role as data controller, NIH has a number of privacy obligations. These duties mainly follow from the provisions of the Personal Data Protection Regulation (GDPR) and the Personal Data Act.

NIH must ensure that:

  • electronic and manual processing of personal data takes place in a legal and responsible manner in line with the privacy principles
  • the individual is ensured co-determination over and control over how NIH processes his/her personal data
  • NIH has established internal routines and guidelines and implements suitable technical and organisational measures that safeguard the privacy obligations imposed on NIH.

Read more about the personal data protection regulation (lovdata.no).

As data controller, NIH is obliged to safeguard the privacy rights of those to whom the information relates, i.e. employees, students, guest researchers, guests or respondents and informants in research projects.

The individual's privacy rights apply to all electronic processing of general and special categories of personal data that takes place in research, teaching, administration and dissemination at NIH. The rights also apply to the processing of personal data that is included (or is intended to be included) in manual personal registers.

The purpose of the privacy rights is that those to whom the information relates must have a say in and control over how NIH processes their personal information.

To ensure that those registered have a say in and control over how NIH processes their personal data, the individual has, under certain conditions, the following rights:

  • right to information about the controller, the purpose of the processing of personal data and any other recipients of the personal data
  • right of access
  • right to rectification/correction
  • right to erasure (deletion)
  • right to restriction of processing
  • right to data portability
  • right to object to the processing

Electronic aids - use and rules

The Personal Data Protection Regulation covers all processing of personal data, including where electronic aids are used.

By electronic aids is meant, for example:

  • computers
  • software
  • computer network
  • portable computing devices (mobile phones, tablets, PCs, etc.)
  • electronic access control
  • camera surveillance systems

Electronic aids also include computer systems used at NIH, for example FS, SAP / DFØ, P360 or Canvas.

In addition, online resources, such as websites, cloud services or educational online services, are considered electronic aids.

What rules apply to the introduction and operation of electronic control measures?

Electronic control measures may, among other things, have the purpose of protecting NIH's buildings and assets against vandalism, destruction or theft. Such measures include, for example, the use of camera surveillance and systems for access control where passage data about students or employees is recorded and stored.

Electronic control measures also include, under certain conditions, access to employees' or students' e-mails, personal storage areas, private computer equipment and internet use.

When electronic control measures are introduced at NIH, the rules in the Working Environment Act Chapter 9 apply. These rules include the following:

  • Control measures must not be introduced unless there is a factual reason for it.
  • Control measures must only be introduced if the benefit of the measure clearly exceeds the privacy disadvantage it entails for employees, students, visiting researchers and guests.
  • Control measures must be discussed with representatives of staff and students before the measures are introduced.
  • Information must be given to employees and students about how the introduced control measures are designed and function.
  • Introduced control measures must be regularly evaluated and the need to maintain the measures assessed.

Read more about the rules in the Working Environment Act that apply when control measures are introduced (arbeidstilsynet.no).

The Working Environment Act has special rules on access to employees' e-mail, personal storage areas, private computer equipment and internet logs (datatilsynet.no). Access to students' e-mail, personal storage areas, private computer equipment and internet logs is regulated by the Personal Data Protection Regulation.

System or service owners have been appointed for all electronic control measures introduced at NIH. The system or service owners are delegated responsibility for ensuring that the rules on privacy and processing of personal data are followed.

In addition to complying with the special rules in the Working Environment Act and the Personal Data Protection Regulation on the introduction and operation of electronic control measures, the system or service owners for electronic control measures have the same obligations as other system or service owners at NIH.

External data processors

Data processors are external actors (often commercial companies or other universities/colleges) who have been commissioned to operate an electronic system or service on behalf of NIH.

External actors become data processors for NIH when operating an electronic system or service gives them access to personal data for which NIH is the data controller.

As data controller, NIH may only use data processors that provide sufficient guarantees that they will implement suitable technical and organisational measures ensuring that the processing meets the requirements of the Personal Data Protection Regulation when they process information about employees, students, guest researchers, guests or respondents/informants in research projects.

This is done by first carrying out a risk assessment of the information security in the external system or service that NIH is considering using. If the risk assessment shows that information security is satisfactory, a written agreement (data processor agreement) must be entered into with the data processor before any personal data is transferred.

Relevant Laws

All resources listed below are in Norwegian. Please contact the Privacy Advisor or Security Advisor if you need further help.

The Health Research Act

The Personal Data Act

Regulations on the processing of personal data

Regulations on the organization of medical and healthcare research

Regulations on clinical trials of medicinal products for humans