Information security and data protection at UiT
UiT The Arctic University of Norway processes large volumes of information relating to research, education, dissemination and administration. It is crucial that we attend to information security in a proper manner, not least safeguarding the integrity that UiT is reliant on as a research and education institution. This shall occur irrespective of whether the processing in question is physical or digital.
Do you wish to contact the Privacy and Information Security Office? Please send an e-mail to firstname.lastname@example.org
The Information Security and Privacy Management System was adopted by the University Board, initially in 2015 and later revised several times. Through this management system, UiT shall have a comprehensive approach so we can have governance and control of information security and privacy at the university.
The management system consists of three parts: governance, implementation and control. The University Board is responsible for amendments in the governance part (Chapters 1-3), while the Director has responsibility for amendments in the parts concerning implementation and control (Chapters 4-9, as well as the appendices).
Chapter 1: Introduction
Purpose and intent
UiT – The Arctic University of Norway (UiT) is a national and international powerhouse for competence, growth, and innovation in the High North. This shall be shown through, among other things, high quality of UiT's knowledge management and information values: research data, research results and information or knowledge included in teaching, research and dissemination.
Systematic and planned work to safeguard our information values is a key part of UiT's knowledge management. Both internal and external actors – managers, employees, students, partners and the general public – should be able to rely on UiT to ensure that information in all forms
- does not become known to unauthorized persons (confidentiality)
- is not altered unintentionally or by unauthorised persons (integrity)
- is available to those who have a legitimate need for it (availability)
UiT is subject to a number of laws and regulations that require us to have satisfactory information security. This applies, among other things, to the Public Administration Act with regulations (e-administrative regulations), the Personal Data Act (2018) with regulations, the General Data Protection Regulation (GDPR) and the Health Research Act with regulations. In addition, other legislation, including the Freedom of Information Act and the Archives Act, contains provisions that are important for the work on securing the information at UiT. The management system for information security and privacy at UiT shall meet the requirements set by the legislation and the Ministry of Education and Research (KD) for the work on information security in the university and university college sector.
Safeguarding the security of information when processing personal data is a key part of the obligations under the Personal Data Act, the GDPR and other relevant legislation. However, there are a number of other obligations beyond information security to ensure good privacy and comply with the obligations that UiT is subject to in accordance with the regulations, such as legal basis for collecting and processing information, good and correct information about the processing, safeguarding rights, etc.
Systematic work to ensure that UiT complies with these obligations at all levels is therefore essential for safeguarding the rights and privacy of the people we process information about and safeguarding the trust that UiT relies on in order to maintain and develop its activities in research, education and dissemination.
The Information Security Management System at UiT
The information security and privacy management system shall ensure that UiT's information values are handled in a systematic, planned, and satisfactory manner. The management system includes, among other things, goals, strategy, and organization of the work on information security and privacy, as well as description of roles and responsibilities, overview of information values and guidelines. The management system consists of three main elements:
- Governing part – overall policy, including objectives and strategy, acceptable risk, roles and responsibilities.
- Implementation part – specific guidelines and routines, including classification of information, risk assessments, training, etc.
- Controlling part – internal audit, reporting of nonconformities and management's review/annual report.
Information security and privacy are a top management responsibility. The operational responsibility and practical work on safeguarding information security and privacy can be delegated to the individual units at UiT, cf. the description of the security organisation with roles and responsibilities in Chapter 3.
The management system for information security and privacy at UiT includes
- everyone who accesses UiT's information values 
- all UiT campuses
- all organizational units
- all technology
- all information values
Information value is a collective term that includes both the information itself as well as associated support values such as ICT system, digital services, computer equipment of various variants, etc. How to process and protect information values depends on the results of risk assessments. Information security shall be safeguarded for all information values, regardless of media type, format, storage technology, whether digital or non-digital, processed on-premises or in cloud services, etc. It can be an IT system, such as personnel system, learning platform and archival system, or some type of information, such as student information, patient information or data included in a research project. Furthermore, it is not only personal data, but also other information that the university manages. For example, financial information about the business, building information, research data that does not involve people, etc.
 Students, staff, guests, partners etc.
 IT systems, computer networks, databases/registers etc.
Chapter 2: Security strategies and acceptable risk
Chapter 3: Roles, responsibilities and tasks
Below you'll find a description of the responsibilities and tasks allocated to the various roles:
The University Board
- processes and adopts the management system for information security and privacy at UiT
- has the overall responsibility for ensuring proper processing of personal data at UiT
- shall set requirements for further work on information security and privacy at UiT
Director of Administration
- exercises the overall responsibility for all processing of personal data at UiT
- is responsible for information security at an overall level, including setting aside sufficient resources for the work on information security, including training and competence enhancement
- is responsible for ensuring that the information security and privacy management system is implemented and maintained, as well as for the organization of security work
- ensures that breaches of personal data security where there is an obligation to notify, are timely handed over to the Norwegian Data Protection Authority
- shall annually review the status of the work on information security and privacy³
- shall appointᵃ members of the Information Security and Privacy Forum
- shall appoint members of the Data Protection Impact Assessment Group (DPIA)
- has the authority to decide whether processing subject to a data protection impact assessment (DPIA) should be deemed to have sufficiently reduced the risk, or whether the processing must be subject to further measures or, alternatively, be discontinued
³ Cf. Chapter 9 "Management Review"
ᵃ Delegated to the IT Director on the 3rd of May 2022.
- has the administrative responsibility for information security and privacy at UiT
- has instructional authority to all entities at UiT in matters concerning information security and privacy
- has the practical responsibility for ensuring that a protocol is maintained on all processing activities that UiT has, both in the role of data controller and as a data processor.
- ensure that attitude-creating programs are carried out
Privacy and information security office
- group leader is head of security (CISO)
- shall exercise the authority of the IT Director in matters concerning information security and privacy
- shall be an advisor to the line organization on issues related to information security and privacy
- will lead the CSIRT team and information security forum
- shall prepare and maintain the overall contingency plan for ICT
- shall follow up deviations at the overall level and ensure that these are channelled to and followed up by affected entities
- shall be given access to all information necessary to follow up incidents and deviations in information security and privacy
- shall conduct information activities, advice and training in information security and privacy
- shall maintain general regulations and routines for information security and personal data
- has the authority to initiate internal audits within information security and/or privacy, on all entities and in all business areas
- shall prepare and maintain tools and guidance materials for the implementation of risk assessments
- shall prepare an annual report to the management's review ("Annual Report on Information Security and Privacy")
- keep track of data processing agreements which UiT enters into
Data protection officer
- reports directly to the Director
- shall inform and advise UiT's employees and students on current obligations under data protection legislation
- shall check UiT's compliance with data protection legislation
- shall be involved at the right time and level in questions concerning privacy
- shall advise on the assessment of data protection implications (DPIA) and check the implementation of these assessments
- shall be involved at an appropriate level in the handling of nonconformities pursuant to data protection legislation, and at least be informed about the content and scope of nonconformities
- shall prepare an annual report that can be included as an appendix to the annual report on information security and privacy
- has observer status in the Information Security and Privacy Forum
- can be contacted directly by the data subjects with questions about UiT's processing of their personal data, and about the exercise of their rights under the General Data Protection Regulation (GDPR)
- cannot be instructed on the performance of the tasks assigned to the Data Protection Officer pursuant to Article 39 of the General Data Protection Regulation (GDPR)
Department of Information Technology
- shall assist the system owner in the design of information security requirements when acquiring new systems
- is responsible for the operation of key IT systems, and shall ensure satisfactory information security on IT infrastructure based on risk assessments
- shall, based on risk and vulnerability analyses, develop a continuity and contingency plan covering critical and important information systems and infrastructure
- must document systems/infrastructure and associated safety measures
- shall prepare and maintain security policies, guidelines, and procedures for the technical infrastructure
- shall monitor significant changes in threats to UiT's information values
Department of Property Management
- ensure that securing access to buildings, rooms and areas is in line with acceptable risk criteria
- shall assist units in risk assessments of physical safety and in the implementation of necessary physical safeguards
Research, Education and Communication Division
- shall have the contact person for the Norwegian Centre for Research Data (NSD)
- shall receive and be internally responsible for following up data protection impact assessments (DPIA) that NSD prepares on behalf of UiT
Heads of faculties and units
- are responsible for satisfying information security and privacy requirements in their own unit
- ensure that risk assessments are carried out
- shall take action if necessary to safeguard the security of information and privacy in their own unit
- have the overall responsibility for ensuring that data protection impact assessments (DPIA) are implemented where required under Art. 35 GDPR
- shall report results from risk assessments with action plan and nonconformities to the Privacy and information security office
- shall follow up nonconformity reports in their own unit and ensure that these are closed, in cooperation with the Privacy and information security office
- shall inform employees in their own unit of the routines and guidelines that always apply and ensure that the requirements in the management system related to their own unit are followed
- shall establish and maintain routines to meet the safety objectives
- shall set requirements for information security in the procurement, development and maintenance of information and the information system, in consultation with the Department of IT
- should focus on ensuring data protection by design and by default
- ensure that access is provided according to the need for service, terminated when the need ceases, and that necessary training is provided
- ensure that data processing agreements are entered into
- shall carry out risk assessment of the system in accordance with Chapter 5, and document that risk assessments have been carried out
- shall carry out necessary actions identified on the basis of risk assessments
Head of research project
- acts on behalf of UiT as data controller for the specific research project
- has the day-to-day responsibility for ensuring that information security is safeguarded in the research project
- is responsible for ensuring that data protection impact assessments (DPIA) are carried out where required under the General Data Protection Regulation (GDPR) Art. 35.
- more detailed responsibilities and obligations follow from the guidelines for processing personal data in research and student projects
- acts on behalf of UiT as data controller for the specific student project (e.g. master's thesis)
- is responsible for ensuring that data protection impact assessments (DPIA) are carried out where required under the General Data Protection Regulation (GDPR) Art. 35.
- more detailed responsibilities and obligations follow from the guidelines for processing personal data in research and student projects
- is headed by the Research, Education and Communication Division
- assesses prepared data protection impact assessments (DPIA) on behalf of UiT
- gives an assessment to the Director with a recommendation on whether or not the processing of personal data should be initiated
- members shall at least include the Data Protection Officer, one representative from the Privacy and information security office and one representative from a faculty.
Employees and students
- have a duty to familiarize themselves with and follow the safety procedures and guidelines that always apply to the safe handling of information values and personal data
- have a duty to prevent and report incidents that may involve nonconformities, as well as report nonconformities when these occur, through the nonconformity reporting system
Computer Security Incident Response Team
- shall implement, or order, any action deemed appropriate to avert damage to UiT's IT systems and data
- shall report on security incidents, potential for damage, the extent of damage and measures taken to the IT Director
Information Security and Privacy Forum
The Information Security and Privacy Forum consists of one representative per unit¹ as well as the Privacy and information security office, which has the leader and referrer of the forum. The Data Protection Officer has the right to meet and speak.
The forum has an advisory function in matters that are important for safeguarding information security and privacy at the university. These may include regulations, training activities, individual cases, etc.
In particular, regulatory changes of principle must be presented to the forum before the proposed changes are adopted, unless special circumstances mean that this is not possible. In such a case, the forum shall be informed of these changes in the subsequent meeting.
The Privacy and information security office has the main responsibility for promoting and preparing cases for the information security forum, but all the forum's members can present their own cases for discussion.
The forum shall be informed about incidents and matters of greater importance for information security or privacy at the university. Normally, such orientation will take place via the ordinary meetings.
The details of such matters will often be exempt from public disclosure, and members of the Forum are obliged to comply.
The members of the Forum represent their unit and shall provide the necessary briefing to the management of their own unit on cases and issues discussed in the Forum.
¹ "Unit" means the faculties, UB, UMAK and the administrative departments of the joint administration under the university management.
Chapter 4: Classification of information
A prerequisite for being able to comment on acceptable use, as well as the need for security measures, is carrying out a classification of the information. The classification forms the basis for the assessment of the degree of security (IT technical, organisational and physical) the information shall be subject to. Moreover, the classification will contribute to obtaining an overview of the information assets that UiT manages.
The classification will also provide those who shall process the information with a specific indication and guidance about how it shall be handled and protected.
You will find the guidelines for classification of information under Classification of information.
Which services can you use for different types of data?
Chapter 5: Risk assessment
Risk assessments are intended to reveal any undesirable incidents/threats that may lead to a breach of the information security at UiT. Consequently, the risk assessments have a central place in the work to ensure safe and secure processing of UiT’s information assets. In addition to revealing what can go wrong, the assessments shall reveal what we have done and what more we can do to prevent the occurrence of undesirable incidents and reduce the consequences of any incidents that do occur.
The risk assessment must be seen in the context of established risk acceptance criteria (cf. Section 2.3), and the acceptable risk must be determined before the risk assessment is conducted. If the risk of one or more undesirable incidents occurring is greater than what is defined as acceptable, this risk must be mitigated by implementing preventive measures.
Risk assessments must be conducted
- when the risk level changes
- prior to starting the processing of personal data
- at the start of research projects
- when establishing or changing ICT systems
- when organisational changes are made that may affect the information security
All risk assessments must be documented in writing. If risk assessments reveal matters requiring follow-up, someone must be named who is responsible for stipulating relevant measures and plans for the follow-up of these. The risk assessment shall be submitted to the Information Security Advisor(s) who shall utilise these in the management’s annual review and ensure that the documents are filed in UiT’s archival system.
Read more about risk assessments (/om/informasjonssikkerhet#innhold_675410)
Chapter 6: Training
Training is intended to contribute to building a good security culture at UiT by raising awareness among employees and students of the importance of information security and to enable them to comply with UiT’s security policy in their day-to-day work. Consequently, training about information security must be included as a natural part of the training of students and employees at all levels of the organisation. System owners have a special responsibility for training in their respective systems.
Managers have the overall responsibility for ensuring that necessary information is provided to the employees and that time and resources are allocated for training. Information security shall be included in UiT’s management training to ensure that managers can comply with this responsibility. Furthermore, the Director of Administration shall ensure that information security is a topic at suitable management forums at least once a year.
Information about information security at UiT shall be easily accessible to everyone via UiT’s website and other relevant channels.
Those assigned key roles and tasks in the work involving information security shall receive special training. External courses, seminars and relevant networks play an important role in ensuring the exchange of information and increasing the level of competence among these employees.
Chapter 7: Internal control and auditing
The purpose of control activities is to be able to assess the extent to which the established measures are sufficient and effective in order to ensure compliance with relevant regulations and general guidelines. Through control activities, areas of improvement related to existing measures may be identified, along with any further measures that should be implemented.
UiT's control activities within information security and privacy will consist of both regular activities and activities that are carried out if necessary. Examples of regular activities are the annual status report all units provide with mapping of information values as well as self-assessment of the state of the unit.
The more detailed control activities are regulated by guidelines for UiT's control activities within information security and privacy, which are determined by the IT Director. This guideline shall contain both an overview of the fixed control activities, as well as regulation of the type of activity carried out if necessary, including who can decide implementation. Furthermore, requirements for documentation related to the various activities will also be regulated by the guideline and any associated routines.
Internal audit of the information security and privacy management system shall be carried out if necessary, and as a general rule at least every five years.
Chapter 8: Handling incidents and nonconformities
Nonconformities are violations of laws, regulations, or internal regulations at UiT. Reported nonconformities and their handling are a key source for both assessing the safety level at the units where nonconformities occur as well as for UiT as a whole, and through this uncovering the need for new or adjustments to existing security measures. Thus, nonconformity management is about quality and improvement, in addition to damage limitation.
In this context, nonconformities and incidents may be of a security nature, and/or a breach of data protection legislation.
Examples of events and nonconformities:
- theft of computer equipment
- misuse of IT services
- password misuse
- invoice fraud
- computer attacks
- data leak
- weaknesses in IT systems
- violation of, or lack of, routines at UiT
- confidential information astray
- unauthorized access to information
- use of data processor without sufficient agreement
- collection of personal data beyond what was legitimately needed (violation of the data minimization principle)
- processing of personal data without a lawful basis, including further processing for new purposes without having valid, legal grounds to this
Notification and handling of incidents and nonconformities
The person who discovers, or is made aware of, incidents and deviations (hereinafter "incidents") shall report this to the Privacy and information security office ("FPI") as soon as possible. Practical procedures for reporting incidents are determined by FPI and are described at uit.no/security.
FPI investigates the causes of the incident and the need for corrective measures. The responsibility for planning and implementing corrective measures will normally lie with the unit where the incident occurred, but it lies with FPI to decide how the incident should be handled. FPI has the authority to involve the personnel resources necessary to follow up and close an incident.
FPI shall keep an overall overview of all incidents that have been reported. These will be included in the annual management's review and will be used for learning across the organization to prevent recurrence.
In the event of major incidents and/or incidents where it is appropriate to report the incident to the Norwegian Data Protection Authority, FPI will routinely inform the management of the relevant unit on the matter.
Notification to the Norwegian Data Protection Authority
In the event of incidents involving breaches of personal data security, UiT as data controller shall notify the Norwegian Data Protection Authority without undue delay and, where possible, no later than 72 hours after learning of the incident, unless it is unlikely that the breach will entail a risk to the rights and freedoms of natural persons. It is therefore very important that incidents are reported via UiT's incident system as quickly as possible.
Notification to the Norwegian Data Protection Authority shall go via the Privacy and information security office ("FPI"); the units shall not submit such a message themselves.
If FPI considers that the duty to notify has occurred, they have the authority to send the notification to the Norwegian Data Protection Authority on behalf of UiT. The IT director decides whether all or part of FPI shall have such authority. Information on such matters must always be forwarded to the top management of UiT, via the director of administration. If the nature of the case dictates, the director of administration shall be actively involved in the handling of the matter, including the preparation of the report, from as early a time as possible.
The Data Protection Officer shall always be informed of reports to the Norwegian Data Protection Authority. As far as possible, the Data Protection Officer shall be informed of the matter and access the report before it is sent. If the nature of the case dictates, the data protection officer shall be directly involved in the handling of the incident from as early a time as possible. However, the Data Protection Officer always has the opportunity to actively engage in the handling of all incidents involving breaches, or potential breaches, of personal data security. FPI shall confer with the Data Protection Officer before a decision is made if the assessment indicates that the duty to notify does not occur.
Chapter 9: The management's review
In aid to management, a report shall be prepared annually that reviews the work on information security and privacy. This is included in the annual report on information security and privacy at UiT, and is promoted to the University Board during the first quarter of the following year. The report is prepared by the Privacy and information security office. The Data Protection Officer prepares its own annual report that is submitted to the University Board in a separate case. As far as possible, the Data Protection Officer's annual report will be presented to the Board at the same meeting as the annual report on information security and privacy.
Management's review shall include
- nonconformities and incidents, including any trends that should be paid special attention to
- the risk picture for UiT
- results/follow-up of control activities
- results/follow-up of internal audit, if applicable
- the condition of risk management at UiT
- status of adopted measures from the previous review
- need for adjustments to the management system
- resource and competence needs, including whether there is a special need for the coming year
In addition to this regular, annual reporting, meetings shall be held with management if necessary; for example, if the balance of risk changes, control activities or incidents reveal issues and situations in which management must be actively involved, and the like.
Follow-up of the annual report in the individual units at UiT
In addition to the senior management at UiT, the management at the individual units has a considerable responsibility in safeguarding information security and privacy.
Units with their own board
After the report has been considered by the University Board, it must be presented to the boards of the individual units at UiT. In addition to the annual report, the case for the unit boards must also address specific issues and areas of improvement for their own unit. It is the management of the unit in question that is responsible for the preparation and presentation of the case to the board of directors in question. The Privacy and information security office shall have access to the board case.
Administrative departments under UiT’s top management
After the report has been considered by the University Board, it shall be sent to all departments of the joint administration ("Level 1"). The report shall be addressed in their internal management meetings, where special issues and the area of improvement for their own unit also shall be addressed. The director of the department is responsible for the preparation and presentation of the matter for the management meeting, and the review must be documented. The Privacy and information security office shall have access to this documentation.
If possible, the Data Protection Officer's annual report will also be presented to the unit boards and administrative departments and if so shall be handled the same way as the annual report on information security and privacy.
- Regulations for users of ICT resources at UiT The Arctic University of Norway
- Guidelines for processing of student data [Norwegian text] (/Content/665919/cache=1581065869000/Retningslinjer+for+processing+av+studentopplysninger+ved+UiT.pdf)
- Guidelines for processing of personal data managed by the Division of Organization and Finance [Norwegian text]
- Guidelines for processing of personal data in research and student projects [Norwegian text]
- System landscape at UiT
- Classification of information assets at UiT
- Procedures for health research [Norwegian text]
See "About risk assessments"
About risk assessments
- when the threat level changes
- prior to starting the processing of personal data
- at the start of research projects
- when establishing or changing ICT systems
- when organisational changes are made that may affect the information security
- What has happened, where did it happen and how did it occur?
- The date and time span of the breach/nonconformity
- When it was discovered
- Have unauthorised persons become aware of (or potentially become aware of) information?
- If so, can you say something about this, e.g. the number of people, describe the situation (published on the internet, sent by mistake to one person, etc.)
- Has the information been lost or unavailable for some time (did this create major or minor consequences)?
- Has the information been changed (either by unauthorised persons or by accident)?
- How many people are affected by the breach/nonconformity (approximately if you don’t have an exact answer)?
- Who can we contact to get more information, if necessary?
(UiT has published courses entitled “Obligatory for everyone” in the course portal XtraMile. One of the lessons deals with how to classify files in Office365.)
UiT uses various services and it is important that these services are used for the purpose they are intended. In addition to ensuring that data is kept sufficiently “secret”, we must safeguard the availability (What happens if your data are lost and they were stored in a service without adequate backup? Or an examination is held digitally, and the service stops midway through the examination?) and the integrity (What happens if someone can change your research data without you knowing about it? Or their examination grade?) in an adequate manner.
Furthermore, we are subject to various laws that impose requirements about the quality and terms of the services we utilise, not least GDPR. We will publish information here about what the services are approved for (initially related to confidentiality requirements), as well as information about the degree to which you can use services other than those purchased by UiT.
Other collaboration tools than those provided by UiT. Can you use them?
Other digital collaboration tools
- The use of digital collaboration tools other than those offered by UiT via the Department of Information Technology is not permitted. There might be some exceptions if the necessary agreements are in place, but this is not something that every employee can enter into themselves. Please check with the IT Department first if you are wondering whether a given tool is permitted.
- We are subject to various statutory provisions and, among other things, data processor agreements must be entered into (which are reviewed for quality assurance, see the checklist for Data processor agreements) and risk assessment, cf. the Information Security Management System Chapter 1, cf. Chapter 5 (https://UiT.no/sikkerhet).
- Major differences will often exist between the agreements UiT enters into, e.g. through sectorial cooperation, and those entered into by departments, which are often direct with contractors. This may be reflected in the terms for processing of data or where data is stored (USA instead of EU/EEA), etc.
- If the existing digital collaboration tools do not meet the unit's requirements, please contact the Section for Digital Platform and Operation (VITE) at the Department of Information Technology.
- Please note: This does not apply to external meetings you have been notified of. If you plan to participate in a meeting with, for instance, UiO and you have received a link to a (virtual) meeting room using a tool that UiO utilises, of course you may participate.
The use of private licences in a work context is not permitted; primarily because it involves processing UiT data (including about students and colleagues) in a private context, but also with respect to what the licence itself permits. Moreover, by definition, UiT loses control over the data and cannot fulfil its statutory requirements pursuant to GDPR, etc.
Licences via other Higher Education institutions
- Do you have an employment relationship with another institution that has a service you wish to use in a teaching context, i.e. implement teaching activities that are under the auspices of UiT and involve UiT’s students?
- This will require agreements between UiT and the relevant institution, e.g. a data processor agreement if it involves personal data, because the other institution would actually be processing data on UiT’s behalf. Furthermore, a risk assessment must be conducted to ensure that the data can be handled adequately in the relevant service.
- Therefore, you must only use the services you have access to via UiT directly.
Which services can you use for which content?
UiT has numerous systems and services that can and must be used. However, not all these are approved for all types of data. Based on the management system, all information at UiT is classified as either open (green), internal use (yellow), confidential (red) or strictly confidential (black). The types of data the various services and systems are approved for, and what is needed for this approval to apply, are determined through the risk assessments.
The table below shows an overview of which data can be processed where.
You will see that some systems/services have footnotes, which relate to the list below the table. These include key conditions for the approval to apply. However, using the service or system as specified in the guidelines, training etc. will always be one such condition. It is important to follow the guidelines, procedures, etc. because UiT uses such documents to implement the measures that are required for a given type of information to be processed in the system or service.
If you use the system or service in a manner other than described/stipulated, the information in the table does not apply and you must contact the system owner directly to clarify whether the use is allowed.
Are you wondering what the different categories mean? See the guidelines in Chapter 4 of the management system.
| System/service | Open/Green | Internal/Yellow | Confidential/Red | Strictly confidential/Black | Data Processor |
|---|---|---|---|---|---|
| Canvas | OK | OK | Not approved | Not approved | Instructure |
| E-mail (Office 365) | OK | OK | Not approved | Not approved | Microsoft |
| Shared areas (F:\) | OK | OK | Not approved | Not approved | Not applicable |
| Felles studentsystem (FS) | OK | OK | Not approved | Not approved | Sikt |
| Forms (Office 365) | OK | OK | Not approved | Not approved | Microsoft |
| Home drive (H:\) | OK | OK | Not approved | Not approved | Not applicable |
| Mediasite | OK | OK | Not approved | Not approved | Sikt |
| Nettskjema / sikkert Nettskjema | OK | OK | OK [1] | Not approved | UiO |
| OneDrive for Business (Office 365) | OK | OK | OK [2] | Not approved | Microsoft |
| Panopto | OK | Not approved | Not approved | Not approved | Panopto |
| Request Tracker (RT) | OK | OK | Not approved | Not approved | Not applicable |
| Sharepoint (Office 365) | OK | OK | OK [2] | Not approved | Microsoft |
| Stream (Office 365) | OK | OK | Not approved | Not approved | Microsoft |
| Sway [5] (Office 365) | OK | Not approved | Not approved | Not approved | Microsoft |
| Teams (Office 365) - files | OK | OK | OK [2] | Not approved | Microsoft |
| Teams (Office 365) - meetings | OK | OK | OK [3] | Not approved | Microsoft |
| Tjeneste for sensitive data (TSD) | OK | OK | OK | OK | UiO |
| Yammer (Office 365) | OK | Not approved | Not approved | Not approved | Microsoft |
| Zoom | OK | OK | Not approved | Not approved | Sikt |
1 = The service “sikkert nettskjema” (secure online form) must be used for confidential information. Contact the Section for Digital Research Services (SDF). “Nettskjema” (online form) is only for open and internal information.
2 = This is conditional on the following security measures being followed: information is classified and two-step verification is activated. Information that is subject to restrictions of processing in Norway (e.g. pursuant to the provisions of the Security Act) cannot be processed here either.
Please note: The chat function in Teams is not encrypted.
3 = For Teams meetings with confidential content, it's recommended to enable the "lobby feature" so that the host must actively let in the people who are trying to connect to the meeting. Participants must use a camera. Ask for ID if there are any meeting participants you don't know. Do not record the meeting. Do not use the instant messaging (chat) feature for red data.
4 = Sensitive personal data (e.g. medical certificates) shall not be processed in WiseFlow. However, confidential information, such as examination question papers before the examination is held, can be processed in this service.
5 = Sway is only approved for open data. Please note that Sway stores all user data in USA.
6 = If TopDesk shall be used for confidential data, prior approval is required (before the operator queue is established).
Use of video
If you would like information and guidance about how to use video in teaching, please check https://UiT.no/digitalundervisning.
This page features resources and guidelines associated with when you can use video, what you need to monitor, which assessments are required, etc. This applies not only in a teaching context, but also in other activities at UiT.
If there are people involved in the video, this will generally involve personal data. Consequently, GDPR must be followed, which involves the following requirements:
- A basis of processing is required, i.e. a lawful basis (in GDPR) for processing personal data.
- Those who are in the video (either directly or indirectly) must be informed about this. This applies irrespective of whether the video is only streamed or also recorded.
- Information security must be attended to and you must consider how long the video shall be available. When the purpose of the recording no longer exists (e.g. after the semester/re-sit examination has ended), it must be deleted (not just deactivated).
You can read more about this and other topics in the submenus below.
All processing of personal data must have a basis for the processing pursuant to GDPR. This is an absolute and unavoidable requirement. The controller (the person who makes key decisions associated with the processing, such as the purpose and which means shall be utilised) must have this basis in place. This guidance assumes that UiT is the controller. In instances where UiT acts as a “data processor”, the contractor must have the basis for the processing in place, while UiT must ensure that we have an adequate data processor agreement before we receive the personal data.
Legal basis for processing personal data
During the period when lectures and seminars at UiT’s campuses/physical locations are cancelled, digital lectures and seminars will be utilised where possible.
A legal basis for the processing is always required.
UiT has categorised various activities where video is utilised (in teaching, examinations, dissemination and for administrative purposes). These activities have so many similarities that we have decided on a relevant basis for the processing – for the personal data of both the employees and the students.
Important: It is essential that the unit/lecturer always assesses whether, for instance, video is necessary and, if it is deemed necessary, whether streaming the video is sufficient or if it must be recorded? Is it possible to combine different teaching methods, e.g. publishing a video from a lecturer followed by a chat discussion? These are just examples, and this is largely an academic (educational) decision. However, it is necessary to consider this. One must always undertake such a necessity consideration for the processing of personal data to be lawful. In other words, one cannot simply point to a given basis for the processing and then take it as a “blank authorization”. There must be a balance between what is achieved and how comprehensive this is for the student and the employee, and whether one can utilise means to reduce this impact on employees and students.
Many people often think of GDPR as a “consent law”, i.e. if you are going to process personal data, you must have consent from the person(s) the data applies to. However, this is incorrect. There are numerous bases for the processing and consent is just one of these. For teaching and administrative purposes, consent will often not be applicable and other bases must be used.
Basis for the processing is referred to in two different articles in GDPR:
- For general personal data (most types of data): Article 6
- For special categories of personal data (health, religion, politics, etc.): Article 9 (in addition to Art. 6)
Furthermore, several of the bases for the processing in GDPR require a so-called supplemental authority (“where Union or Member State law”).
- 6 (1) (c): the processing is necessary for compliance with a legal obligation to which the controller is subject
  - If this basis for the processing is used, one must refer to a correct legal obligation to which UiT is subject (via an act or regulation)
- 6 (1) (e): the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  - If this basis for the processing is used, one must be able to show that a “task in the public interest” or “exercise of official authority” is vested in UiT. One must also refer to the correct provisions in this context.
- This also applies to several of the bases pursuant to Article 9.
Specifically about consent
Consent is probably the “best known” basis for the processing. We find this basis in both Article 6 (1) (a) and Article 9 (2) (a). However, it is a widespread misunderstanding that consent is the only basis for the processing (“If you are going to process personal data, you must have consent”) or that consent is the preferred basis for the processing and that the order in Articles 6 and 9 give the impression of a “ranking”. This is incorrect. Consent is one of several possible bases for the processing, and these have equal status. Moreover, there is not necessarily any conflict between using any of the other bases for the processing and the fact that the subjects participate freely.
There will be some instances where it will be correct to use consent and where perhaps it will be the only relevant basis for the processing (e.g. this is often the case in research projects).
If one plans to use consent, one must be certain that this consent is valid pursuant to GDPR, as numerous conditions must be met for the consent to be valid. If even one of these conditions is not met, then the consent will be invalid. The consequence will be that the processing is unlawful and any data collected or generated on the basis of the consent in question must be erased. Reactions can also come from regulatory authorities. In these situations, it will not “help” if you have obtained a consent from everyone because, if the validity conditions are not met, the processing is unlawful.
For UiT, there are numerous situations where we are prevented from using consent as a basis for the processing, and it is important to be aware of this. We will now look briefly at the conditions for consent, especially one that is often problematic for UiT to meet. The conditions for consent are stipulated in Article 4 (11) cf. Art. 7 of GDPR.
However, it is important to emphasize that there are certain limits about what one can consent to. A consent pursuant to GDPR is only a basis of the processing. This means that a person cannot, for instance, consent to other requirements in GDPR being deviated from (e.g. the requirement concerning information security).
Consent must be freely given, specific, informed and unambiguous. If it applies to personal data, the data subject must give his/her consent by a statement or clear affirmative action. Furthermore, it must be possible to demonstrate that the data subject has consented to processing of his or her personal data. If the consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters in the declaration. It must be given in an intelligible and easily accessible form, using clear and plain language. If the processing activities can be distinguished from one another, one must ensure that the consent is not obtained in an “everything or nothing” form. The person must have a choice between the various processing activities. A consent may be withdrawn at any time, and the data subject shall be informed of this prior to giving his or her consent. The processing of the personal data about this person must then cease, which often involves erasing the data. Moreover, it shall be as easy to withdraw as to give consent, i.e. if consent can be given with “one click”, it must be possible to withdraw it with “one click”. Finally, it is important to be aware that passive consent is invalid. An active action is required (e.g. ticking a check box; if the box is pre-ticked, the consent is invalid).
Consequently, many requirements must be fulfilled for a consent to be valid. One must keep track of who has given their consent and be ready to act if someone withdraws their consent.
However, for UiT, we must pay particular attention to the condition that consent must be given freely.
The consent shall genuinely be freely given. When there exists an imbalance of power between the controller and the relevant data subject, this is extremely difficult to achieve. This is described in the following manner in point 43 of the preamble in GDPR (our emphasis): “In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller (...)”.
In working conditions, it will be difficult to meet the requirement that consent be given freely, owing to the uneven balance of power between employer and employee. It is not entirely inconceivable but, in the vast majority of cases, one should avoid trying to use consent as the basis for the processing. Please note that this does not mean it never can be voluntary for an employee to, for instance, perform a task or give information. However, the everyday understanding of “freely given” has a much lower threshold than GDPR. WP29 (advisory group in the EU) stated the following about this question (our emphasis):
“There may be situations when it is possible for the employer to demonstrate that consent actually is freely given. Given the imbalance of power between an employer and its staff members, employees can only give free consent in exceptional circumstances, when it will have no adverse consequences at all whether or not they give consent. [Example 5:] A film crew is going to be filming in a certain part of an office. The employer asks all the employees who sit in that area for their consent to be filmed, as they may appear in the background of the video. Those who do not want to be filmed are not penalized in any way but instead are given equivalent desks elsewhere in the building for the duration of the filming”.
There does not need to be explicit ‘threats’ of reactions if one does not consent, or more obvious pressure, for the requirement relating to ‘freely given’ not to be met. More implicit or informal pressure or expectations (“this is desirable for UiT to achieve”, “everyone must pull together”, etc.) will also lead to the requirement relating to ‘freely given’ not being met. Consequently, as an employer, UiT should not use consent as a basis for the processing. However, if one still chooses to use this, it must be thoroughly reasoned and discussed, particularly concerning the requirement relating to ‘freely given’.
Many of the above-mentioned considerations are also applicable when it comes to processing of the students’ personal data. There is a clear imbalance of power between UiT and the students. This applies to everything from UiT as the overall institution to the lecturers. Consequently, UiT must be extremely constrained in the use of consent as a basis for the processing of the students’ personal data, especially in a teaching context. This does not mean that there are not instances when the use of consent is both relevant and correct. However, in such cases, one must ensure that thorough and documented assessments have been implemented. The main rule is that other bases for the processing should be utilised.
Specifically regarding the situation with Corona (for the time periods when national measures are in place):
Given the situation UiT is currently in with Corona-related measures and the fact that all instruction must be digital for an unknown period, it seems that there is little doubt that, as a main rule, consent cannot be utilised as a basis for the processing. In practice, the lecturer who refuses will not be able to do his or her job and the student who refuses to participate in, for example, a video lecture/seminar (streaming and/or recording with student participation, either directly in video or via chat) in reality misses out on part of the education or will be the “reason” why seminars cannot be held. This means that in reality the choice is not as free as GDPR requires. Consequently, other bases for the processing must be used.
See Personopplysningsloven og personvernforordningen (GDPR) med kommentarer, Jarbekk (ed.), Gyldendal 2019, p. 151.
You must provide information
The clear main rule in GDPR is that information must be given before one can collect personal data. We will provide more details later, but in brief the following applies for recording of video:
Before you start recording, you must inform those who will be included in the recording:
- That the lecture etc. will be recorded
- What it will be used for
- Who will gain access (this can be at the group level, e.g. the course students)
- When it will be erased (if not a specific date, the criteria for erasure, e.g. after the re-sit examination for this course this semester has been held)
Countless video services are available; some for streaming, some for recording and some for both. Many have their personal preference and perceive clear advantages by using precisely their preferred service.
We understand that, but unfortunately it does not help. The reason for this is that when UiT utilises video, the personal data in this video are processed. This can involve employees, students or even external actors. In a video service, the personal data in the actual video and those associated with it (e.g. login, activity logs, chat, etc.) are processed.
We are subject to stringent requirements when it comes to the processing of personal data, and as a minimum we must have a data processor agreement with the supplier. Moreover, a risk assessment must be conducted. Compliance with statutory requirements is not our primary motivation for doing this. These requirements exist for a reason. It concerns safeguarding the data protection of our employees, students and guests, etc. If you use “private” video services in a teaching context, UiT cannot attend to the obligations we have. What happens if the supplier chooses to use the personal data for a completely different purpose, e.g. advertising? If the correct agreements are lacking, it is realistic that they actually have this access.
Furthermore, UiT often purchases services on other terms than those that apply for private individuals or even for a research group or unit. For several services, UiT’s terms of purchase mean that personal data is stored within the EU. However, if you go directly to the same supplier and purchase the service, you will be subject to the purely commercial terms and the data could be stored in, for instance, USA. Have you conducted a risk assessment? Do you have the necessary basis for the transfer (as required by law)?
Even if you manage to not include any personal data (it is difficult to practically impossible when using a digital service), the data you enter or generate probably has a certain value for you and for UiT? Do you know what the supplier is permitted to use these for, cf. the terms you approved when you purchased or registered yourself in the service?
Consequently, it is important that you use the services that UiT (via the Department of Information Technology) has purchased and that you use them as intended. We refer to the information under “IT services and systems – What are you permitted to use?”
We are working on e-learning modules on information security and data protection. In conjunction with the National Cyber Security Awareness Month, UiT created its own courses on information security. You are encouraged to complete these! Go to https://go.nanolearning.com/LessonViewer/?d=468736&key=2FvQUpIbbtJsl7FF&intranetpage=true
It is important that all units have detailed procedures for the handling of information security at their unit, e.g. handling of print outs of confidential information, procedures for conducting and approving risk assessments, etc. – adapted for your unit.
We will publish some guidance and information about what you need to be aware of on this page.
Working from home
Owing to the Corona virus, an extremely high number of UiT’s employees are now working from home. However, it is important that data protection and information security are still safeguarded, and you have an important responsibility in this respect.
UiT manages vast amounts of research data, as well as personal data about employees, students, research participants, guests, partners and others, and other information of great importance to the organisation. Failure here can cause significant harm to UiT and individuals. Attending to information security and data protection is your responsibility and is fulfilled by being careful, complying with relevant legislation, guidelines and procedures, and reporting any undesirable incidents you discover or experience.
If there are other people in your household, remember that your duty of confidentiality also applies to them. This can easily be overlooked if you leave papers lying around, your computer is unlocked or you lend it to your children or you conduct Skype meetings with others present in the room, etc.
Consequently, we would like to remind you of some rules that everyone must be aware of (whenever you are working from home, including post-Corona):
- Work involving confidential (red) and strictly confidential (black) data shall only occur on equipment owned by UiT.
- Papers and notes must be stored in such a way that others in your household cannot read them.
- ICT equipment owned by UiT (e.g. computers and tablets) must not be loaned to others in your household, including children.
  - This is not only because they can gain access to confidential information, but they can also erase or share the information by mistake.
  - Moreover, we wish to minimise the risk of your device getting malware (which can steal or destroy information, e.g. a crypto virus), and one of the measures to achieve this is that only you use the device and only in a work-related context.
- Private cloud computing services (e.g. Dropbox) shall not be used.
- You must lock your screen when you leave the computer unattended (even for short periods) if other people are home.
  - Learn to use the keyboard shortcut Win + L to lock your screen quickly.
  - On UiT’s computers, you can activate a PIN code to avoid entering your password every time you need to unlock the screen. With newer computers face recognition can also be utilised.
Communication tools like Skype, Teams and Adobe Connect, etc. will be widely used for meetings, teaching, etc. As confidential topics are often discussed (especially during meetings), it is important to be aware of your surroundings. This also applies to teaching, e.g. when you are holding seminars and tutorials. Students expect to ask questions and share their views with you, not you and your immediate family.
Please be aware of the following:
- If others are present in the room, you must use a headset
- We recommend this anyway as using a headset enhances sound quality and reduces background noise.
- Be conscious of what you say if others are present in the room.
- We remind you about the duty of confidentiality.
Unless you need to reach services that require you to be connected to UiT’s network (e.g. Ephorte, PAGA, the home drive, etc.), you do not have to be connected to VPN. The communication with Office 365 (e-mail, OneDrive, SharePoint, Teams, etc.) is encrypted and thus VPN is unnecessary.
- Owing to the large number of people who are now working outside the campus, we ask that you are not connected to VPN if this is unnecessary.
- VPN may be required for certain updates on your computer. We will publish a message here and as an operational message if you need to do something and, if so, how.
- This does not apply to all updates, e.g. Microsoft (Windows/Office) updates will function normally.
How to avoid attempted scams and attacks
Experience from Norway and other parts of the world shows that criminals are already trying to exploit the upheaval caused by the Corona pandemic. There is a vast requirement for information, employees are working at different locations than usual (such as at home) and following different routines, and there is rapid development and exchange of information about how to do this. Dishonest and criminal actors are trying to exploit this by hacking into IT systems, stealing personal data and committing financial crime, etc.
Consequently, it is especially important to be careful during this period because we know that UiT can be exposed to purposeful attacks. It does not have to be an “IT attack” where someone tries to hack into systems, but may be “social manipulation” where someone impersonates a person, company or organisation to create trust and entice you into divulging or changing information or accesses. They may also try to get you to install malicious programs (“malware”), which give them direct access to your computer and perhaps the systems, storage services, etc. you have access to at UiT.
Consequently, we will remind you of some of the things you need to be especially aware of. These tips are basically no different from those that apply at other times. However, as mentioned, we can expect additional activity during this period. As such, many of the examples deal directly with the Corona virus (COVID 19).
- We can expect phishing attacks to increase in volume.
- Do you want to read more about phishing and how to discover it? See this lesson (https://app.xtramile.no/new/training/d2caa932-96ca-4566-8aa3-3a3567ec81fb), which UiT created in conjunction with National Cyber Security Awareness Month.
- Be extra vigilant if you receive e-mail related to the Corona virus.
- Naturally, you will receive some legitimate e-mail related to the Corona virus, but check the content, context and sender carefully. For information about how to check if an e-mail is legitimate, please see the link in the point above.
- This involves knowledge and habits that are useful at other times too, both in a work and private context.
- False/illegitimate e-mail will often try to
- play on fear
- deal with financial interests (such as “updated delivery info”, “amended payment details”, etc.)
- get the recipient to act in haste (“Important!”, “Respond immediately”, “Urgent clarification required” etc.)
- give the impression they are a public body/authority (such as WHO, FHI, etc.) or employer and encourage you to implement immediate action
- UiT will provide messages about measures via en.uit.no/corona. We may send updates by e-mail, but the information in these will be reflected on https://en.uit.no/corona or in the official operational messages. If you don’t find it there and the e-mail asks you to log in to a website, open an attachment or install a program, take the time to check the content before you do anything further.
- If you are in doubt, ask your manager or a colleague if this is genuine.
- WHO does not send out e-mails that require you to log in to gain access to the information, attachments that you have not requested or information on pages outside the domain www.who.int.
- get you to click on/open malicious links or attachments
- If you are not expecting an e-mail, check that it is genuine, see the point above about phishing attacks.
Still in doubt? Send a question about the e-mail to sikkerhet@UiT.no
There have been cases in Norway where employees have received an SMS that gives the impression that it is from the management. They were asked to install a specific tool to simplify the communication while they are working from home. That was an attempted scam and the “tool” in question was malware.
- UiT would not provide this type of information via SMS.
More information about "smishing"
Example from Norway
You may also receive phone calls from scammers.
- For example, “Microsoft” will be extra active at this time. Scammers claiming to be from Microsoft (sometimes they say they are calling from Windows) will call and say they have discovered a problem with your computer that they can help you with. Microsoft would not call anyone like this, so just hang up if you receive such calls.
- The phone number they call from can be a Norwegian number, an overseas number or neither (just a collection of numbers). This is because they hide their real number and give the impression that they are someone else. The actual owner of the phone number has nothing to do with the call and has not been hacked (the scammers have simply chosen a number, which they give the impression is their own number).
- If you have followed the scammer’s instructions, in full or in part, please notify email@example.com immediately so we can help you.
Many false websites have been created to take advantage of the situation society is now in.
- This includes a false “coronavirus map” that claims to be providing “live” information about the spread of the virus. It is actually malware.
- These sites are usually based on the information and appearance of genuine sites and can be challenging to uncover.
- “Fake news” is a recurring problem, including in this situation. Be vigilant and practice source criticism. Examples:
Here are some links to more information. Please be aware that the advice to employees/users here is general. In a work-related context, please follow the advice given by UiT. Does something look not quite right? Please contact firstname.lastname@example.org and we can have a chat about it.
- https://www.nsr-org.no/aktuelt/svindelforsok-og-angrep-relatert-til-covid-19 [in Norwegian]
- https://nsm.no/fagomrader/digital-sikkerhet/nasjonalt-cybersikkerhetssenter/varsler-fra-ncsc/varsel-i-forbindelse-med-koronaviruset [in Norwegian]
- https://www.nrk.no/osloogviken/fikk-sms-fra-_sjefen_-_-viste-seg-a-vaere-korona-svindel-1.14942801 [in Norwegian]
- https://www.digi.no/artikler/slik-bruker-hackere-koronavirus-frykten-til-a-spre-skadevare/487347 [in Norwegian]
- https://nrkbeta.no/2020/03/11/slik-spres-falske-nyheter-om-koronaviruset/ [in Norwegian]
For research data, we recommend using SharePoint. OneDrive is personal storage that will be deleted automatically if the user leaves the institution.
Confidential information and personal data may only be stored on Windows computers administered by UiT. Privately owned equipment (laptops/computers, mobile devices), Mac or Linux are currently not approved. For further information about what type of data the various services in Office 365 are approved for, please see above (“Which services can you use for different types of information/data?”)
For practical information about how to classify your data and secure data processing in Office 365, please refer to IT support/Orakelet’s user instructions.
UiT processes vast amounts of personal data, in many different contexts, in research, education and dissemination.
Do you plan to use personal data in research? Read more on this page (/forskning/art?dim=179056&p_document_id=604029).
It is extremely important to understand the roles various actors have in the processing of personal data.
This is necessary in order to know who has responsibility for ensuring the personal data is processed legally, who will make decisions about the processing and who those registered can contact to exercise their rights, etc.
- Who is the data controller? Does UiT have this responsibility alone or is it shared with others? Does UiT utilise data processors? What is required for this to occur in a legal way?
- Is UiT the data controller for others? What does this role involve?
- If the data is transferred overseas, what must be in place for this to be legal?
- Does UiT have external actors who perform duties for us that involve dealings with personal data although they are not a data processor?
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs, or
- trade union membership,
- processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
- data concerning health or
- data concerning a natural person’s sex life or sexual orientation
Who is responsible?
Someone always has responsibility for the processing of personal data, a so-called “controller”. This responsibility may also be shared with others, “joint controllers”. See the menu below for further information
- Purpose: The determination of the purpose is extremely central to the processing of personal data and must be determined by the controller himself/herself - before collection of the data can commence. The purpose shall describe why it is necessary to process the relevant data, e.g. carry out admission to a programme of study, the goal of a research project, appointment of a new employee, etc.
It is important to be conscious of what the purpose is, so that the data subjects (the people the data deals with) understand what the data is used for, as well as why any subsequent further processing of the data is subject to restrictions. For instance, the data cannot be further processed in a manner that is incompatible with the original purpose(s), cf. Article 5 (1) (b).
The purpose(s) must be specified, explicit and legitimate.
- Means: The term “means” covers more than simply which technical aids shall be utilised. Central assessments and decisions related to how the personal data shall be managed are also covered, such as:
- Which data shall be processed?
- Which third parties shall have access? Which data shall be erased (and when)?
- The choice of technical tools may be delegated to the processor, under certain conditions. However, the controller must ensure that the information security is safeguarded. Risk assessments cannot be conducted by the data processor alone (but they can assist)
- The controller cannot delegate assessments as mentioned in the bullet points above to the data processor.
One does not always have sole processing responsibility, as this can be shared with others, e.g. in a research project that is a joint project involving several institutions. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers, cf. Article 26 (1)
This is permitted providing certain requirements are fulfilled, cf. Article 26 of GDPR:
In a transparent manner, each actor (controller) shall determine their respective responsibilities for compliance with the obligations under the regulation, by means of an arrangement between them (particularly regarding the exercising of the rights of the data subjects):
- This arrangement may designate a contact point for data subjects
- The arrangement shall reflect the respective roles of the joint controllers and their relationships with the data subjects
- The essence of the arrangement shall be made available to the data subject
- Please note: Irrespective of the terms of the arrangement, the data subject may exercise his or her rights under the regulation in respect of and against each of the controllers, e.g. one of the actors has the internal responsibility for dealing with requests for access to data. The data subject may choose to send their request to one of the other controllers, who must then deal with the internal communication to process the request. The data subject cannot be rejected on the grounds that they have sent their request to the “wrong” controller.
There is no necessity for equal distribution of responsibility and decision-making authority between the various controllers. There may be different levels of “cooperation”, and different controllers may be involved in different activities/operations and at different stages of (the same) processing. As mentioned, this must be clarified in the arrangement one is responsible for stipulating pursuant to Article 26. Furthermore, it is important to be aware that the establishing of joint processing responsibilities does not give any party a “greater” right to process personal data than they would have had alone. For example, each of the parties must have a lawful basis for the processing and one party cannot simply “expand” on the lawful basis for the processing of one of the other parties.
Please be aware that it is the actual processing that is in focus and the subject of the assessment of whether there shall be joint controllers or not.
- Example: If the same personal data is the subject of processing, but each of the controllers determines their own purpose separately, it sounds more like disclosure of personal data from the original controller rather than joint processing responsibility.
Disclosure to another organization (e.g. a higher education institution)
In many instances, the transfer of personal data to external actors (enterprises, organisations, institutions, physical people) is simply the disclosure/transfer of personal data to a new controller.
When UiT has disclosed the personal data to the new controller, this person/authority is fully responsible for their processing of the personal data. We have no influence over or responsibility for how the data is processed by the external actor. Please note: If UiT still has a copy of the personal data, we are naturally still controller for our processing of these data.
For the disclosure of the personal data to be lawful, we must have a lawful basis for the processing for this disclosure. This lawful basis for the processing must comply with Article 6. If the processing involves special categories of personal data, the lawful basis for the processing must comply with Article 9. Please be aware that disclosure may involve further processing of existing data for a new purpose. In such instances, an assessment must be undertaken of whether the original purpose and the purpose of the further processing are compatible. One cannot simply determine a new basis for the processing (in isolation) and thereby make the disclosure lawful.
In instances where the disclosure is not required by law, we must assure ourselves that the recipient has a lawful basis for the processing of the data (before disclosure of the data).
A data processor is someone who processes personal data on behalf of the controller, cf. Article 4 (8). A data processor may be “a natural or legal person, public authority, agency or other body”, cf. Article 4 (8). Special requirements for data processors are outlined in Articles 28 and 29.
The data processor must be a legal person or entity independent of the controller, e.g. employees of the controller will not be data processors.
A data processor may be anything from a major international supplier of a cloud service (e.g. Microsoft is UiT’s data processor for our use of Office 365) to an individual (e.g. who supplies transcribing services).
There may be instances where it is possible that an external actor gains access to personal data when performing duties for us, but where they are not considered a data processor.
If UiT is the data processor
- We must ensure that we have entered into a data processor agreement and comply with the obligations of the agreement and Article 29.
- It is the controller’s duty to ensure that the data processor agreement is in place, but we must not receive or otherwise process personal data as a data processor before such an agreement has been signed.
- As part of the security measures, ensure that the information/data from the various controllers is kept separate from each other and from UiT’s own data.
Requirement before data processors may be utilised
Requirements for the data processor agreement
Some requirements must be fulfilled before one starts to use a data processor:
- A written data processor agreement must be entered into, cf. Article 28 (https://lovdata.no/lov/2018-06-15-38/gdpr/a28).
- There are some specific requirements concerning the content of such agreements (see below).
- You can find a template for data processor agreements here
- A risk assessment must be conducted to ensure the information security is attended to (cf. GDPR art. 32)
- This can be completely basic or extremely complicated and comprehensive, depending on the nature of the assignment/service.
- Ensure this is conducted at a sufficiently early stage to avoid the risk of entering into a binding agreement for something (e.g. for a service) that one cannot then use because the risk assessment revealed unknown risks of such a nature that they are unacceptable
- alternatively, include a “subject to approved risk assessment” clause
The data processor agreement must stipulate:
- the subject matter and duration of the processing,
- the nature and purpose of the processing,
- the type of personal data,
- categories of data subjects, and
- the obligations and rights of the controller
Furthermore, the agreement shall, in particular, stipulate that the data processor
- processes the personal data only on documented instructions from the controller, cf. Article 28 (3) (a)
- including any transfer of personal data to a third country or an international organisation
- ensures that persons authorised to process the personal data have committed themselves to confidentiality, Article 28 (3) (b)
- takes all measures required to attend to the information security (comply with Article 32, cf. Article 28 (3) (c)).
- can only engage other data processors (subcontractors) under the following conditions, cf. Article 28 (3) (d):
- the controller’s approval has been obtained. There are two methods to achieve this and the chosen method must be clarified in the agreement
- The data processor must obtain prior specific authorisation from the controller for each subcontractor, or
- The data processor receives general authorisation but must inform the controller of intended changes concerning additional/replacement subcontractors so the controller has the opportunity to object to such changes, cf. Article 28 (2)
- the data processor must impose the same binding obligations they are subject to, especially with respect to information security, cf. Article 28 (4).
- If the subcontractor fails to fulfil its data protection obligations, the data processor shall remain fully liable to the controller
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services and deletes all existing copies, cf. Article 28 (3) (g)
- makes available to the controller all information necessary to demonstrate the data processor’s compliance with the obligations, cf. Article 28 (3) (h).
- allows for and contributes to audits, cf. Article 28 (3) (h).
- including inspections, conducted by the controller or another auditor mandated by the controller
- taking into account the nature of the processing and to the extent possible
The above-mentioned template for the data processor agreement includes all these points but must be adapted for each agreement. It cannot be signed as it is because it does not contain all the information/details required.
Sometimes the contractor may insist on using their own agreement template. This is acceptable providing it is reviewed carefully and it is concluded that the requirements of the data processor and data processor agreement are fulfilled. Please be aware that this is not always the case, even for major contractors. In such instances, one must negotiate changes of the agreement.
When is an external organization not a data processor?
Being a data processor involves processing personal data on behalf of the controller. The purpose of the agreement/assignment must, in full or in part, be to process on the controller’s behalf. If such processing is not part of the purpose of the assignment, then the contractor is not a data processor. However, a declaration of confidentiality may be necessary if there is a possibility the actor can see personal data or other confidential information. See the example declaration of confidentiality in the right-hand menu.
- An agreement is entered into for the repair of photocopiers. It is possible that the service technician may see personal data during the execution of his duties (e.g. on a document left in the photocopier), but this is not part of the purpose of the agreement, which is to repair the photocopier. The service technician is not a data processor even if he/she happens to see personal data.
- An agreement was entered into with a consulting firm to assist with developing a service. The consultants will perform their work on UiT’s systems, locally at UiT. No information will be transferred to their own systems. The parts of the service they will work on will not normally involve personal data. Consequently, they will not be regarded as a data processor.
- We use an external postal service to deliver letters containing personal data. The assignment is to deliver letters from A-B, not to process the personal information, and they are not a data processor.
- For more examples, see this guidance from the Danish Data Protection Agency (where some of the above-mentioned examples come from).
Please note: One cannot simply agree that someone is a controller and a data processor because it is practical or convenient. What is decisive here are the realities – who does what? Who has influence? The situation may involve joint controllers, or is in fact a disclosure/transfer of personal data to another controller.
Transfers outside the EU/EEA
Some things must be in place before personal data may be transferred overseas. Please note that this section deals with the requirements made for transferring to a given country. The requirements that must be fulfilled before one can start using a data processor or disclose personal data to another controller are also applicable, such as
- the requirements relating to a data processor agreement and risk assessment (if the recipient is a data processor)
- the requirement for a lawful basis of disclosure (if the recipient is another controller)
Please note: If the data that shall be processed is subject to special legislation that can restrict the transfer out of Norway (e.g. the Security Act), naturally this must be considered. However, this aspect is not dealt with in the information below.
Transfer to countries within the EU/EEA
Transferring personal data to recipients in countries within the EU/EEA is treated the same as transferring to an equivalent recipient in Norway. It is explicitly forbidden to restrict or prohibit the transfer of personal data to countries within the EU/EEA for reasons connected with data protection, cf. Article 1 (3).
- Please note: As mentioned, this only deals with matters related to the actual country. If, for instance, one shall start using a data processor, requirements related to information security, etc. must still be fulfilled. If this is not the case, one cannot use this data processor – and it makes no difference that it is in, for instance, France.
- What one cannot say is that a data processor must not be used because it is in France.
Transfer to countries outside the EU/EEA (“third countries”) or to international organisations
The transfer of personal data to a recipient in a country outside the EU/EEA, a so-called third country, or an international organisation, requires a lawful basis for the transfer. The transfer of personal data to third countries or international organisations is regulated by Chapter V of GDPR (Article 44 (https://lovdata.no/lov/2018-06-15-38/gdpr/a44) - 50 (https://lovdata.no/lov/2018-06-15-38/gdpr/a50)). There are various bases for transfer, the most common of which are mentioned below. This list is not exhaustive.
- Approved third countries
The EU has approved some countries as having a level of data protection equivalent to that within the EU/EEA. Transferring to these countries is treated the same as transferring to countries within the EU/EEA. The updated list of these approved countries is published on the EU's websites.
- EU’s Standard contractual clauses
The EU has developed a set of standard contractual clauses that may be utilised for the transfer of personal data to third countries. This contract contains several modules, and you must choose the correct one(s). The different modules regulate transfer of data from
- controller to controller
- controller to processor
- processor to processor
- processor to controller
Please note: If the recipient is a data processor, be aware that the standard contract pertaining to transfers does not replace the data processing agreement!
After the Schrems II ruling in 2020, the transfer of data on the basis of the EU's standard contractual clauses is significantly more difficult. Please be aware of this and ensure that the appropriate considerations and actions are taken before transferring any personal data, even those that might seem trivial in nature.
- Template for data processor agreement: https://anskaffelser.no/verktoy/maler-ogsa-kontrakt-og-avtalemaler/databehandleravtale-og-sjekkliste
- Checklist for data processor agreement, etc.
- Registration form, UiT (completed, signed data processor agreements)
- Declaration of confidentiality
- Protocol of processing at UiT
- Data protection and research at UiT
- Guidance from the Norwegian Data Protection Authority
- Data processor agreement (https://www.datatilsynet.no/regelverk-og-verktoy/veiledere/databehandleravtale/)
- Basis for the processing (https://www.datatilsynet.no/regelverk-og-verktoy/veiledere/veileder-om-behandlingsgrunnlag/)
- Transfer of personal data overseas (https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/overfore/)
NB: Most of these documents are in Norwegian only
Here we will gather information about some key security measures.
Several measures are needed to ensure the operation and information security of UiT's infrastructure, systems, and services, which include the processing of personal data. This is for employees, students, guests at UiT, and others with connections to the university. A typical example is logging.
We cannot always give details about these measures, partly because details of security measures can be a security risk in themselves. But we will provide the information we can provide, and which we are obliged to provide.
(information in progress)
According to the ICT regulations, any use of UiT's ICT resources can be logged, and this happens. However, it must take place under controlled conditions, and access to logs is strictly regulated. Furthermore, collection and use of logs (as well as other measures, whether it is for the maintenance of operation, security, or both) shall occur following the requirements of the privacy legislation (GDPR etc.).
The threat landscape UiT faces requires several security measures, not least logging. What must be logged (type of information, activity, and scope) will be more comprehensive. Still, there must be a proportionality between the intervention in the individual's privacy and the necessity and what UiT seeks to achieve.
Information about new measures that affect all users, such as Cisco Umbrella and Microsoft Defender for Endpoint, is announced via operating messages. Among the other, more comprehensive measures on the logging side, UiT is connected to the Alert Service for digital infrastructure ("VDI"). VDI is operated by NSM and acts as a "digital burglar alarm." Some of the further details about VDI are exempt from public access, cf. § 21, and can thus not be shared, but a little more information about the service can be found here:
Multi-factor authentication is authentication or login with more than one factor. This means that in addition to the username/password, an additional element is required to approve the login attempt. This is used extensively and is becoming more and more common as it is an effective and relatively simple security measure. You are already using some form of this login when you use your online bank and the Tax Administration's pages (BankID, MinID, Buypass). At UiT, we use two factors for several of our services, which will become more widespread. There are many methods to find out which password a person uses, so you can expect the password to go astray at some point. If it does, other people could log in directly to your account, but if you have two-factor authentication, this will be considerably more difficult.
You can use many methods, but the most common is a one-time code via SMS or an app on the phone. We will also introduce USB tokens ("hardware tokens") if you do not want to, or cannot, use the app or SMS.
Every service used by employees and students at UiT, such as Office 365, SAP, Wiseflow, Canvas etc. requires multi-factor authentication.
Please see the following user guide to set up and administer multi-factor authentication:
VPN, Virtual Private Network, is a security mechanism that encrypts the network traffic between your PC and the services you use. This encryption is in addition to the security you get with https when you go to websites.
For technical information about UiT's VPN solution, see this support article in TopDesk.
When should I use a VPN?
VPN has two primary areas of use at UiT:
- Secure web traffic to and from your PC on unsecured networks.
- Provide access to resources that are otherwise only available when physically present at UiT's locations.
Secure web traffic to and from your PC on unsecured networks.
Here, VPN can be considered optional. This is because most services are currently secured with encryption already. This applies, for example, to all services in UiT's use of Office 365, i.e. email, OneDrive and SharePoint.
However, there are cases when the use of a VPN is recommended, e.g. if you connect to unknown wireless networks or are travelling in countries outside Europe where one must take into account that state surveillance and criminal online activity are widespread.
Note: When travelling to high-risk countries such as China, Russia and Iran, one should not bring their regular work computer or mobile. Contact IT-support for more information.
Provide access to resources that are otherwise only available when physically present at UiT's locations.
The second application of VPN is mainly access to UB's journal databases. In order to directly access scientific articles through UiT's agreements, you must log in from addresses within the ranges that UiT has declared as its address areas on the internet. This is described in the Help Center article above. If you go to the journals via UB's website, you don't need a VPN (there's a solution set up that bypasses the problem).
Are there any drawbacks to using a VPN?
The VPN system at UiT is set up with good capacity and should not be a bottleneck in normal use for web browsing and email. However, it can cause delays in audio and video on Teams and Zoom if you're travelling far away from Norway. This is because using a VPN sends all internet traffic to Tromsø before it goes on to the internet.
See information regarding roles and responsibilities in chapter three of the information security and privacy management system.
Privacy and information security office ("FPI")
The Privacy and information security office ("FPI") is organizationally affiliated with the Department of IT, and consists of five people:
- Ørjan D. Pettersen (CISO and leader of FPI)
- Lars Slettjord (operational security and head of CSIRT)
- Christian Isaksen (security architect)
- Elise Mengkrogen (senior legal adviser)
- Ingvild Stock-Jørgensen (senior legal adviser)
FPI works with issues of information security and privacy at an overall level, for the entire university and with questions of both digital and non-digital nature. Among other things, FPI is responsible for revising the management system for information security and privacy, managing nonconformities, carrying out control activities, writing annual reports that are submitted to the University Board, etc. More information about the assignments can be found in Chapter three of the management system.
Information security and privacy forum
The forum was created in 2019 and was originally focused on information security. In the spring of 2022, however, the mandate was expanded to include privacy/data protection.
Each unit at levels 1 and 2 has one representative, and the forum is composed of scientific and administrative staff as well as the management level. The Data Protection Officer (DPO) has the right to meet and speak.
The forum does not have decision-making authority but will serve as an advisory body for the university on issues of information security and privacy. Typically, major changes to guidelines will be submitted to the forum for input before they are finalised. Scheduled training activities of a certain size are also discussed by the forum. FPI has the main responsibility for preparing cases for the forum, but each representative has the opportunity to raise cases.
As of May 2022, the forum consists of the following representatives:
- Ingvild Stock-Jørgensen, FPI, (leader)
- Christian Isaksen, FPI (referrer)
- Anders Andersen, NT-fak
- Anders Dalmo, IVT-fak
- Frode Nilsen, UB
- Jan Henriksen, UMAK
- Magne Frostad, JurFak
- Sissel Eriksen, HSL
- Sølvi Brendeford Anderssen, FUF
- Terje Aspen, BFE
- Frank Mengkrogen, Helsefak
- Eli Synnøve Foam Hanssen, ORGØK
- Nils Johan Lysnes, ITA
In addition the DPO and the CISO attend the meetings.
Data Protection Officer (DPO)
UiT has its own data protection officer who will inform and advise UiT and its employees on the obligations resulting from the General Data Protection Regulation (GDPR) and associated legislation.
Furthermore, the DPO shall monitor UiT's compliance with GDPR, internal guidelines, etc. within privacy, training activities, etc.
The Data Protection Officer has an independent position and cannot be instructed in the performance of its duties.
More information about the DPO’s role and tasks can be found here.