New needs and follow-up

See website about request for a new IT services. 

Please contact the Privacy contact at your unit as early as possible in the process. This should take place before decisions are made and early enough to establish good processes, procedures and requirements.

Checklist

• Check whether personal data will be processed in the system, i.e. that processing is not sufficiently anonymous. See anonymous, anonymised and de-identified data.
• Check that no more personal data is registered than necessary for the purpose (to carry out the duties that need to be performed using the system). Data minimisation requirement.
• Is there a lawful basis for processing, such as a legal basis, agreement, consent or “legitimate interest” covering the purpose?
• Check that informants have received information about their rights via an information letter or the privacy policy. When personal data is collected and registered in a system, you will generally be subject to a duty of disclosure relating to the individual(s) about whom personal data is collected. The privacy policy must be updated in the event of any omissions.
• Register the system in the Excel form and conduct the data protection assessment, see overview of the processing of personal data (protocol) (in Norwegian).
• Have you conducted a classification of the personal data that will be processed in the system?
• Will you be transferring personal data to external parties/other data controllers?
• Will you be transferring personal data abroad?
• Have you carried out a risk assessment (in Norwegian)?
• Have you considered whether it is necessary to carry out a data protection impact assessment?
• Is it necessary to enter into an agreement to govern privacy?
• Make sure that no identifiable personal data is stored for longer than necessary (storage limitation). Is it possible to take steps to reduce the possibility of unnecessary storage (principle of privacy by design)? You should check the guidelines that apply to archiving and deletion for the processing/processes that will be carried out using the system in question.

Draw up information for employees, students, visiting lecturers or visitors concerning data protection rights and ensure that any information online is kept up-to-date. The information can be linked to OsloMet’s privacy policy, or a separate website about the system can be created, referencing the general privacy policy at OsloMet. The most important thing is to ensure that employees, students, researchers, etc. are informed of their rights and know who to contact.

You need to be able to document and archive all assessments and agreements that govern data protection, as well as any other documents that demonstrate your compliance with the data protection regulations. Data protection documentation in P360 provides information about the type of data protection documentation you need to store in Public 360, as well as tips on how to structure the documentation in the best possible manner.

• Check that personal data that is processed using the system is not used for incompatible purposes other than those planned, without such use being covered by the lawful basis for processing, including consent or legal basis, see the Norwegian Data Protection Authority on basis for processing (datatilsynet.no) (in Norwegian).
• Check that personal data that is processed in the system is of satisfactory quality, i.e. that the data is adequate and relevant, correct and up-to-date.
• Check that no surplus data is registered in the system (personal data not necessary for the purposes/purpose of the system).
• Delete or anonymise surplus data that has still been registered in the system.
• Respond to enquiries from and safeguard the rights of the individuals to whom the personal data relates.
• Conduct regular risk assessments (in Norwegian) of the information security of the personal data processed using the system. A new risk assessment must be conducted and any relevant forms must be updated in the event of major system changes. The new risk assessment must be archived in P360. New risk assessments must be conducted every three years, or more frequently in accordance with internal guidelines.
• Implement measures to ensure that the information security of the personal data processed in the system is satisfactory.
• Regularly check that any data processors comply with the terms and conditions set out in the data processing agreements that have been entered into.
• Report deviations that arise when processing personal data using the system.
• In order to register changes to the use of the system, please see the overview of the processing of personal data (protocol) (in Norwegian). Forms must be updated and new versions must be stored in the Teams created for the purpose.
• Assess whether the system complies with requirements relating to management systems for security, information security and data protection (in Norwegian).

• Determine which personal data needs to be deleted or anonymised and which to archive.
• Ensure that all personal data that does not need to be archived is securely deleted (in Norwegian) or anonymised.
• Ensure that any personal data that needs to be retained is archived.

About requesting a new IT service.