Innkjøp og utvikling av systemer - Ansatt

New needs and follow-up

New needs and follow-up

How to take into account data protection and information security in connection with new needs and the adoption of a new system? What clarifications are required in advance and how do we implement the new system?
  • Privacy considerations in connection with the procurement/development of a system

    Learn how to report a need for new IT services

    Please contact the Data Protection Manager at your unit as early as possible in the process. This should take place before decisions are made and early enough to establish good processes, procedures and requirements.


    Draw up information for employees, students, visiting lecturers or visitors concerning data protection rights and ensure that any information online is kept up-to-date. The information can be linked to OsloMet’s privacy policy or a separate web page about the system can be created, referencing the general privacy policy at OsloMet. The most important thing is to ensure that employees, students, researchers, etc. are informed of their rights and know who to contact.

  • Documentation

    You need to be able to document and archive all assessments and agreements that govern data protection, as well as any other documents that demonstrate your compliance with the data protection regulations. Data protection documentation in P360 provides information about the type of data protection documentation you need to store in Public 360, as well as tips on how to structure the documentation in the best possible manner.

  • Privacy considerations when using the system

    • Check that personal data that is processed using the system is not used for incompatible purposes other than those planned, without such use being covered by the lawful basis for processing, including consent or legal basis, see the Norwegian Data Protection Authority on basis for processing (, in Norwegian).
    • Check that personal data that is processed in the system is of satisfactory quality, i.e. that the data is adequate and relevant, correct and up-to-date.
    • Check that no surplus data is recorded in the system (personal data not necessary for the purposes/purpose of the system).
    • Delete or anonymise surplus data that has still been recorded in the system.
    • Respond to enquiries from and safeguard the rights of the individuals to whom the personal data relates.
    • Conduct regular risk assessments of the information security of the personal data processed using the system. A new risk assessment must be conducted and any relevant forms must be updated in the event of major system changes. The new risk assessment must be archived in P360. New risk assessments must be conducted every three years, or more frequently in accordance with internal guidelines.
    • Implement measures to ensure that the information security of the personal data processed in the system is satisfactory.
    • Regularly check that any data processors comply with the terms and conditions set out in the data processing agreements that have been entered into.
    • Report non-conformities that arise when processing personal data using the system.
    • In order to register changes to the use of the system, please see the overview of the processing of personal data (protocol, in Norwegian). Forms must be updated and new versions must be stored in the Teams created for the purpose.
    • Assess whether the system complies with requirements relating to management systems for information security and data protection (in Norwegian).
  • Privacy considerations when decommissioning a system

    • Determine which personal data needs to be deleted or anonymised and which to archive.
    • Ensure that all personal data that does not need to be archived is securely deleted or anonymised.
    • Ensure that any personal data that needs to be retained is archived.
  • Do you need help?