Reporting security and privacy incidents
Why should you report incidents and deviations?
You reduce the risk of future incidents and violations, lay the foundation for improving routines, provide a good safety culture and reduce the consequences of unfortunate routines and systems.
What should I report?
In case of uncertainty, it is better to report one incident too many rather than too few.
- Sensitive/confidential personal information going astray.
- Theft and hacking of computer devices and information.
- Mistakenly sent e-mail and attachments.
- Sending unencrypted e-mail with sensitive/confidential personal information.
- Personal identity number sent unencrypted by e-mail or made available online.
- If you have received sensitive/confidential personal information about others by mistake.
- Safety routines or technical safety measures that are missing, malfunctioning or not adhered to, and that consequently entail a breach of personal data security.
- Signature data related to organizational certificates going astray, suspicion of loss or risk of misuse.
- Faults in accesses, equipment or software that could impair security.
- Open data lacking access control where there are requirements for the confidentiality and/or integrity of the information.
- Open data that may fall under the export control regulations.
- Publication of personal data without legal basis or sufficient anonymisation.
- Incorrect disclosure or publication.
- Lost/forgotten/misplaced paper documents, mobile, laptop, tablet, USB Flash Drives (not encrypted) etc.
See also information on sikresiden.no “Report it”.
Where and how should you report privacy deviations and security incidents?
The form for privacy deviations shall be filled out and sent as soon as possible to email@example.com. You must also inform your immediate manager.
Unresolved security incidents such as suspected hacking or attempted fraud by e-mail must also be reported to firstname.lastname@example.org. Let us know as soon as you can! If you are not directly affected, you do not need to fill in the entire deviation form.
Privacy deviations are defined as incidents that involve breaches of personal data security (datatilsynet.no).
- Guideline for non-conformance reporting and non-conformance handling.
- The Norwegian Data Protection Authority’s website on new guidelines for non-conformance reports (datatilsynet.no) and
- EDPB’s guidelines 01/2021 “Examples regarding Data Breach Notification” (edpb.europa.no).
The EU Privacy Commissioner (EDPS) has made an overview of how to act in the event of a privacy breach (PDF).
Privacy Deviation Form
The deviation points below shall be copied, filled in and sent by e-mail to email@example.com.
- Unit affected
- The immediate manager of the unit concerned
- Unit of the reporter of the deviation
- The notifier’s immediate manager
Description of the deviation
- What is the main reason for the deviation?
- When did the deviation occur?
- When was the deviation discovered?
- Number of persons affected
- Description of what happened
- Description of types of personal data that were affected
- What is the relationship between the organization and the affected persons?
- Description of where the personal information is located after the deviation.
Consequences for the organization and the registered
- What negative consequences could the deviation have for the organization and the registered person?
- Measures (What is done to reduce the negative consequences for the organization and the registered person?)
- Information – Does the deviation entail such a high risk for those affected that it is necessary to inform them? If so, is this sent? If not, why?
The deviation report shall not contain personal information such as names, or other types of information where there may be a need for confidentiality.
Deviations must never be directed at the person, but at the element or action in the work process that caused the safety breach. The action is the “subject” of the deviation, not the person.
How are privacy deviations assessed?
OsloMet assesses and decides whether there has been a breach of personal data security. A breach with a medium or high risk for the data subject must be reported to the Norwegian Data Protection Authority within 72 hours of the deviation being discovered. It is important to obtain sufficient information to make this assessment as soon as possible.
According to the Data Protection Authority (datatilsynet.no, in Norwegian):
- “The data controller does not need to report the breach to the Norwegian Data Protection Authority if the breach is not likely to entail a risk to the data subject’s rights and freedoms. The controller must be almost completely certain that the breach will not entail or has not entailed any risk for those affected in order for the exception to apply. If the data controller is unsure whether the exception has been met, it is better to report to the Norwegian Data Protection Authority just to be on the safe side.”
- If there is a high risk, it is necessary to report to the Norwegian Data Protection Authority and inform those affected.
If it takes time for OsloMet to answer all the questions, OsloMet can send a preliminary message to the Norwegian Data Protection Authority and state in the message that further information will be forwarded.
Suspicions of violation of research ethics and good research practice
All complaints or claims regarding violation of research ethics and good research practice shall be reported in writing to the dean or the head of the research centre where the person is employed (doc). The head of studies shall be available for consultation before the complaint is sent to the dean/head of centre. This applies to:
- Employees at OsloMet
- Job applicants at OsloMet
- Persons admitted to a PhD programme or a senior lecturer programme at OsloMet
- Persons who have been granted or are to be granted a doctorate at OsloMet