Privacy policy

How OsloMet processes personal data

The Rector is the data controller at OsloMet. The data controller's duties are delegated to line managers.

OsloMet processes data:

• about you as a student (ansatt.oslomet.no, in Norwegian)
• about you as an employee​​​​​​ (ansatt.oslomet.no, in Norwegian)
• about research participants (ansatt.oslomet.no, in Norwegian)
• about patients (ansatt.oslomet.no, in Norwegian)
• about record keeping and archiving personal data (ansatt.oslomet.no, in Norwegian)
• in cookies at ansatt.oslomet.no
• in cookies at student.oslomet.no
• i IT logs (ansatt.oslomet.no, in Norwegian)
• in connection with security on OsloMet's premises (ansatt.oslomet.no, in Norwegian)
• when registering for compulsory and voluntary meetings, arrangements and seminars (ansatt.oslomet.no, in Norwegian)

1. Disclosure of personal data

Requests for access to personal data are handled in accordance with the Freedom of Information Act.

The general rule in the Freedom of Information Act (cf. Section 3) is that case documents, journals and similar records of the institution are open to access. Rejections must state the relevant legal authority. This applies, for example, to information for (not an exhaustive list):

• The data subject’s employer, to the extent that the information relates to the employee's suitability for a particular job or assignment, when provided for by law.
• Forskning.
• Norwegian Labour and Welfare Administration NAV has the right to obtain information for control purposes in connection with processing a case, cf. the Norwegian National Insurance Act, Section 21-4.
• The Norwegian State Educational Loan Fund (Lånekassen), provided for by law.
• Tax authorities, provided for by law.
• Next of kin. Next of kin have the right to information in order to make decisions on behalf of a relative unable to make a decision for him/herself.
• Information necessary to process certain types of cases will be handed over to the board/committee processing the case. This means that necessary information relating to
  • complaints and cases concerning cheating will be handed over to the relevant complaints body, which is OsloMet's Appeals Board
  • suitability cases will be handed over to the Suitability Board, and
  • individual cases relating to academic misconduct will be handed over to the Research Ethics Committee.

More on disclosure of personal data (ansatt.oslomet.no, in Norwegian).

2. Media and public access under the Freedom of Information Act

Under the Freedom of Information Act, case documents of administrative bodies are, as a rule, available to the public. This means that anyone seeking access, whether the media or others, will be able to familiarise themselves with the information contained in the documents. Consequently, enquiries to OsloMet will also be public, whether in the form of a letter, fax or e-mail (which will be printed and registered).

A journal is a register of case documents that are processed by an administrative agency. You can request a copy of OsloMet's public journal (oslomet.no, in Norwegian). The case officer is responsible for ensuring the documentation is correct and sufficient, and the Section for Records and Information Management (SDI) quality assures the public journal before publication.

All requests for access are currently logged in the journal. However, OsloMet handles a large amount of documentation that contains confidential information, for example, sensitive information relating to students and employees, patient information relating to treatment/research, and confidential business matters. Documents such as these are exempt from public access. Internal documents may also be withheld from the public.

Procedures for public disclosure assessments (ansatt.oslomet.no)

3. Primary legislation pertaining to OsloMet's processing of personal data

The General Data Protection Regulation (GDPR) and the new Personal Data Act set out rules on how collected personal data is processed, including how it is secured, who has access, and whether it can be disclosed to external parties. The GDPR gives the data protection advisor, the Data Protection Services (Sikt), a basis for consider and recommending the processing of personal data in registers used in quality studies and other research, on behalf of OsloMet and the data protection officer at OsloMet. The Regional Committees for Medical and Health Research Ethics (REK) assess whether health research is ethically justifiable in accordance with the Health Research Act. In addition to the GDPR and the Personal Data Act, the following laws are relevant to OsloMet's processing of personal data:

For employees, the Public Administration Act (lovdata.no), and for students the Administration Act, the Universities and University Colleges Act and internal regulations, set out rules for how cases will be processed at OsloMet. As a party to the case, you have special rights, such as access to the case documents.

The Freedom of Information Act (lovdata.no) and pertaining regulations sets out rules for when a document is available to the general public, and when a document can be exempt from being made public. OsloMet practices the enhanced access to information principle, meaning that we strive, as far as possible, for documents to be publicly available.

The Archives Act (lovdata.no, in Norwegian) sets out the rules on how case documents are to be stored, including storage in an archive institution.

The Personal Health Data Filing System Act (lovdata.no, in Norwegian) sets out rules for how collected information about health will be processed, including how data must be secured, who has access and whether they can be disclosed to others.

The Health Personnel Act (lovdata.no, in Norwegian) regulates the use of personal data for quality registers for evaluating patient treatment at OsloMet, and contains rules on healthcare personnel's duty of confidentiality.

The Health Research Act (lovdata.no, in Norwegian) regulates the use of personal data for medical and health-related research. REK is responsible for this assessment.

The Universities and University Colleges Act (lovdata.no) regulates certain areas of universities' and university colleges’ processing of cases, while in other areas, only lays down guidelines pertaining to internal regulations at individual educational institutions.

4. Your rights

Right to information and access

You have the right to information about how OsloMet processes your personal data. The purpose of this privacy policy is to provide you with any and all information you have the right to get.

You also have the right to view/access any and all personal data registered about you at <Navn på utdanningsinstitusjon>. You also have the right to request a copy of the personal data registered about you if you so wish.

Right to correction

You have the right to have corrected any and all incorrect personal data about you. You also have the right to supplement any and all incomplete data registered about you. Please contact us if you believe we have registered incorrect or incomplete personal data about you. It is important that you justify and, if relevant, document why you believe the personal data registered is incorrect or incomplete.

Right to limit processing

In certain circumstances, you have the right to demand limited processing of your personal data. Limiting the processing of personal data means that your personal data will still be registered, but the opportunities for further processing are limited.

If you believe that personal data about you is incorrect or incomplete, or you have filed a complaint against the processing of your data (read more about this below), you have the right to demand to demand that the processing of your personal data be limited temporarily. This means that processing will be limited until, if relevant, we have rectified your personal data, or until we have been able to assess whether your complaint is justified.

In other circumstances you may also demand a more permanent limitation on the processing of your personal data. In order to qualify for the right to limit processing of your personal data, the conditions established by the Personal Data Act and Article 18 of the GDPR must be met. If we receive a request from you to limit processing of your personal data, we will assess whether the statutory conditions have been met.

Right to erasure

In certain circumstances you have the right to demand that we erase your personal data. The right to erasure is not unconditional, and whether this applies to your situation must be assessed in light of relevant privacy legislation, i.e. the Personal Data Act and GDPR. Please contact us if you want to have your personal data erased. It is important that you justify why you want the personal data erased, and, if possible, that you also specify which personal data you want erased. We will den consider whether the conditions for erasure, as established by law, have been met.

Please be advised that the law allows for us to make exceptions to your right to erasure. For example, we may need to store personal data for the purpose of performing a task in compliance of the Act Relating to Universities and University Colleges, or for reasons of public interest, such as archiving, research and statistics.

Right to object

You may have the right to file an objection against the processing, i.e. object to the processing, on grounds that you have a specific need to stop the processing, e.g. if you have a need for protection, have a secret address, etc. The right to object is not unconditional, and it is contingent upon the legal basis for the processing, and on your particular circumstances. The conditions are established by Article 21 of the GDPR. If you object to processing of your personal data, we will consider whether the conditions for filing an objection have been met. If we find that you have the right to object to the processing and that your objection is justified, we will discontinue processing, and you will have the right to demand erasure of the data.

Please be advised that we, under certain circumstances, may make exceptions from erasure, e.g. if we have to store your personal data for the purpose of performing a task in compliance with the Act Relating to Universities and University Colleges, or for reasons of public interest.

Right to file complaint against processing

If you believe we processed your personal data incorrectly or unlawfully, or if you believe we failed to protect your rights, you have the right to file a complaint against processing. Please see item 10 below for how to contact us.

If we dismiss your complaint, you may file your complaint with the Norwegian Data Protection Authority (DPA). The DPA is responsible for making sure Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR in their processing of personal data.

5. Contact

Data controller

OsloMet is the data controller of personal data in EpN, cf. GDPR Article 4 no. 7.

If you wish to exercise your rights as established in items 4 above, see how to gain access to your own information (in Norwegian) where you can find who to contact. We will process your request as soon as possible and within 30 days at the latest.

Read more about processing requests for access to information (ansatt.oslomet.no).

Data protection officer

OsloMet has appointed a data protection officer whose responsibility it is to protect the personal data interests of both students and staff at OsloMet.

You may contact the data protection officer about the administrative processing of personal data at OsloMet via e-mail.