Data protection and information security in connection with the processing of personal data
Responsibility
What are your data protection responsibilities as a technical-administrative case manager?
Technical-administrative employees are those who use a system such as FS (the national student database), Office 365, P360, SAP or OTRS to perform their duties. You may need to process personal data to perform such duties, and this takes place through defined processing/work processes. You have an independent responsibility when processing personal data, whether electronically or manually, regardless of whether the processing takes place at a central level or at faculties/centres.
You are encouraged to contact your immediate manager or the Privacy contact for advice and guidance on how to manage your duties in relation to personal data.
You must
- ensure satisfactory data quality of the personal data you process (adequate, relevant, correct and up-to-date)
- follow established procedures and guidelines at your unit and internal regulations applicable to OsloMet. Ask your immediate manager or Privacy contact if you are unable to find these.
- report any need for training on procedures and guidelines to your immediate manager
- report deviations
Training in privacy
See the website for tips on training resources.
What you need to keep in mind as a case manager
- Check whether you process personal data, i.e. whether the data is not sufficiently anonymous. Remember that the data must be anonymous from the time of collection in order to be considered anonymous, see the web page on anonymous, anonymised and de-identified data.
- Make sure not to collect more personal data than necessary for the purpose (in order to perform your duties). Data minimisation requirement.
- Do you have a lawful basis for processing (datatilsynet.no) (in Norwegian), such as a legal basis, agreement, consent or “legitimate interest”? When using consent, please refer to the guidelines for photo and video recordings and consent and information letters in research or other study/interview situations.
- Check that informants have been informed of their rights in an information letter or in the privacy policy. When you collect personal data, you will generally be subject to a disclosure requirement in relation to the individual(s) you collect personal data about. The privacy policy must be updated in the event of any omissions.
- Check whether the processing is already registered in the overview system for the processing of personal data at OsloMet.
- Has the personal data been classified and is the data processed in accordance with OsloMet's Storage Guide and other web pages on the storage and processing of personal data?
- Ensure that the personal data is updated so that it is correct at all times.
- Will you be sharing the personal data with other employees? Remember that all employees are subject to a confidentiality requirement relating to personal matters pursuant to section 13(1) no. 1 of the Norwegian Public Administration Act. The "need to know" principle applies here. This means that any data relating to someone's personal circumstances can only be shared with those who need access in order to perform their duties or process a case. This is particularly important for personal data that falls under “special categories” or is otherwise sensitive or protected. Read more about confidentiality at OsloMet and about access to confidential material.
- Will you be transferring personal data to external parties/other data controllers?
- Will you be transferring personal data abroad (in Norwegian)?
- Have you carried out a risk assessment (in Norwegian)?
- Have you considered whether it is necessary to carry out a data protection impact assessment?
- Is it necessary to enter into an agreement to govern data protection?
- Make sure not to store identifiable personal data for longer than necessary (storage limitation). You need to check the guidelines that apply to archiving and deletion in relation to the processing/work process in question (in Norwegian).
Documentation
You need to be able to document and archive all assessments and agreements that govern data protection, as well as any other documents that demonstrate your compliance with the data protection regulations.
Data protection documentation in P360 (hioa365.sharepoint.com) (in Norwegian) provides information about the type of data protection documentation you need to store in Public 360, as well as tips on how to structure the documentation in the best possible manner.
Security tips
- Use the pull-print solution for printouts when available. This means that any printouts containing potentially sensitive personal data will not remain in the copy room and you will also be looking after the environment.
- Make sure to store any documents containing personal data under lock and key – do not leave such data on your desk when you go home.
- Do not transmit personal identification numbers, bank account numbers or special categories of personal data (sensitive personal data) via unencrypted email. You can send such emails internally provided that you mark the e-mail as Confidential. However, any attachments must be encrypted, including internally.
- Use the employee number and student number or name and date of birth in place of personal identification numbers where possible.
- Do not store any documents in the home directory or on unencrypted memory sticks. Use shared drives with restricted access controls.
- Always remember to lock or sign out of your PC when you leave it.
- Your user account in the systems is personal and must never be shared.
- Keep your passwords a secret.
Sending e-mails
Read more about what you need to consider when sending or receiving emails in Safety Instructions 2-9 and on the web page on the use of e-mail at OsloMet (in Norwegian).
NOTE: If you receive unencrypted emails containing personal data, you need to store the data securely as soon as possible in accordance with the Storage Guide (if the data is necessary for OsloMet for a specific purpose) and delete the data from Outlook. Be careful not to forward the data or respond to the sender via unencrypted email.
Please be aware that the content of an email does not itself need to be sensitive for the email to count as sensitive: the email may, for example, reveal a patient relationship. This also applies when issuing surveys and questionnaires. If a mailing with a link to a survey reveals a patient relationship, the email is considered to contain sensitive personal data and must therefore be encrypted.
See also
Are you going to use a new IT service or software?
Do you have a need for a new IT service or software that you wish to use? Remember to clarify the need, as well as the conditions surrounding use and management before proceeding.
Privacy contact
Contact the privacy contact at your unit, faculty/centre for assistance if needed.