Privacy and Data Protection in NORCE

Personal data at NORCE

When NORCE determines the purpose and means of processing personal data, NORCE is data controller for the processing. This privacy policy provides details about the processing for which NORCE is responsible.

Overall responsibility for personal data protection lies with Acting CEO Thor Arne Håverstad.

NORCE's privacy work is coordinated by Renate Storetvedt Lien, Head of Research administration.

The data protection officer for NORCE is Marita Ådnanes Helleland, Senior Adviser, Sikt - Norwegian Agency for Shared Services in Education and Research (a merger between NSD (Norwegian Centre for Research Data), Uninett AS and Unit – the Norwegian Directorate for ICT and Joint Services in Higher Education and Research).

NORCE personal data contact information

Data controller

NORCE attn. Acting CEO Thor Arne Håverstad

Postal address: PO Box 22 Nygårdstangen, 5838 Bergen
Tel.: +47 56 10 70 00
Email: post@norceresearch.no

Personal data coordinator

NORCE attn. Renate Storetvedt Lien, Head of Research Administration

Postal address: PO Box 22 Nygårdstangen, 5838 Bergen
Tel.: +47 92 89 80 57
Email: reli@norceresearch.no

Data protection officer

Marita Ådnanes Helleland, Senior Adviser, Sikt.

Postal address: Harald Hårfagres gate 29, 5007 Bergen.
Email: personvernombud@norceresearch.no

When does NORCE collect personal data?

NORCE processes personal data either because there is a statutory basis for this or because we have received consent from the person in question.

We generally process personal data about you in the following situations:

• Personal data about you is included in the data in one of our research projects.
• Your details have been entered into one of our registers.
• You participate in one of our activities.
• You represent one of our commissioners or a party that funds our research.
• You or the company you are employed by is affiliated with us or one of our clients.
• You have been in contact with or collaborate with our researchers.
• You have attended one of our courses, seminars, workshops or other events.
• You subscribe to our newsletter.
• You visit our web page or other external webpages.
• You have applied for a job with us.
• A job applicant has given your name as a reference.
• You have received access to our IT services.
• You hav access to our locals.
• You have been connected to our guest networks to access the Internet
• You have been paid remuneration or have received a reimbursement from us.
• You represent one of our suppliers or a supplier who have submitted a tender to us.
• You represent a customer or a funder.

IT-platform

NORCE's IT platform consists of physical infrastructure, networks, PCs, configuration, data, internal and external IT services, and more. Data traffic and activities in the IT platform are inspected and logged. This is used in troubleshooting, uncovering and documenting any breaches of law, deviations from internal rules and routines or other breaches of our information security. Logs can be handed out to our external partners. This also applies to guests who connect equipment to the IT platform, typically a wireless network.

NORCE has established guidelines for classification and storage of data and information. The classification is important for where and how information is to be processed and stored. IT services catalog has an overview of which information classes are approved for the specific IT services and applications.

Classification and storage of data and information

NORCE has guidelines for classification and storage of data and information. The classification has an impact on where and how information is to be processed and stored. IT Service Catalog has an overview of which information classes are approved for the specific IT services and applications

Persons we are in contact with – email, phone and archive

NORCE processes the personal data of people we are in contact with. We use email, phone, video conferencing and other collaboration tools for our internal and external communication. We store the necessary information about our activities in file and archive systems. Each employee is responsible for deleting emails they no longer need to keep. Once an employment relationship comes to an end, that person's email account is deleted, but certain relevant emails are normally transferred to his/her colleagues. Strictly confidential information must not be sent by email. Confidential information must only be sent by encrypted email.

Documents that should be preserved will be archived in NORCE's document system. Everyday responsibility for NORCE's archive has been delegated to the archive manager.

The lawful basis for this processing is point (f) of article 6 (1) of the General Data Protection Regulation (GDPR), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our task as a research institute.

Use of personal data in research

NORCE delivers research and innovation in energy, health care, climate, the environment, society and technology. Part of our research requires the use of research data that contains personal data.

We have an agreement with Sikt - Norwegian Agency for Shared Services in Education and Research for the purchase of data protection services for research. Sikt Data Protection Services must be notified of all projects that imply processing personal and health data. Sikt also provides NORCE with the following services:

• General information, training and counselling on the processing of personal data and security of personal data in research.
• Assessment of the use of personal data in research projects that have been notified to Sikt, both before, during and at the end of a research project.
• Handling queries from data subjects (participants) in research projects.
• Notification of and, if applicable, assistance with handling personal data breaches and other data protection breaches that are identified in any part of a research project's planning, execution and/or conclusion.
• Data Protection Impact Assessments – DPIA.
• Prior consultation and dialogue with the Norwegian Data Protection Authority.
• Development and maintenance of systems for notification and counselling, and an updated notification archive for all research projects.
• A publicly accessible overview of the processing of personal data for research purposes.

Research data that contain personal data must be processed in accordance with NORCE guidelines for classification and storage of data and information and must only be available to the people who will be processing the data. Each research project contacts the data subjects directly and provides information about which personal data is to be processed, the purpose of the processing, how the data is to be processed and the data subjects’ rights. This can be done by giving the data subjects information letters or – if this is not practically feasible – by publishing information on the project website.

The lawful basis for processing personal data for research purposes may be consent or that it is necessary for the performance of a task carried out in the public interest. Information about the lawful basis will be provided in each research project’s listing in Sikt’s notification archive.

Use of personal data at our knowledge and competence centres

NORCE runs several knowledge and competence centres on behalf of the Norwegian authorities which, in addition to their research activities, process different types of personal data for different purposes. The centres of excellence and centres of knowledge will contact the data subjects directly and provide information about which personal data is to be processed, the purpose of the processing, how the data is to be processed and the data subject’s rights. This will be done by giving the data subjects information directly and by describing the activities on the website.

The lawful basis for processing personal data at centres of excellence and centres of knowledge may be consent or that it is necessary for the performance of a task carried out in the public interest.

More information about the activities at our knowledge and competence centres.

Participants at seminars, conferences, courses and continuing education

When you attend seminars, conferences, courses or educational events at NORCE, we register information such as your name, email, place of work, position and IP address. At events where food is to be served, we may also ask questions about food preferences/food allergies or about other matters we need to take into consideration.

Participant lists with names and other relevant information may be shared with third parties for reporting purposes. Personal information that is necessary for invoicing, statistics and reports will be deleted as soon as it is no longer necessary for such purposes. Other personal data is deleted as soon as the event is completed.
We organize regular seminars for research communities, users, commissioners, decision-makers and other parties. In addition, some of our units organize regular courses and teaching. Information about these courses and continuing education activities can be found on the website of the NORCE community that organizes them.

The lawful basis for processing your personal data in connection with participation in events is point (f) of GDPR article 6 (1), i.e., that the processing is necessary for the purposes of the legitimate interests pursued by the controller. The legitimate interests are to run events in a satisfactory manner and to be able to document participation.

The lawful basis for processing information about food allergies or other health related information is point (a) of GDPR article 9 (2) t, i.e., that the data subject has given explicit consent to the processing of such personal data. You may withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of the processing of personal data that took place before you withdrew your consent.

Newsletter subscribers

You must give your email address if you want to subscribe to our newsletter. Your email address will be used by the Mailchimp service to send you the newsletter. Your email address will only be used to distribute the newsletter, and it will not be shared with other third parties. Your email address will be deleted when you unsubscribe from the newsletter.

Mailchimp’s guidelines for cookies

The lawful basis for processing your email in connection with our newsletter is point (a) of GDPR article 6 (1), i.e., consent. You may withdraw your consent at any time by unsubscribing from the newsletter. The withdrawal of your consent will not affect the lawfulness of the processing of personal data that took place before you withdrew consent.

Data subjects in connection with dissemination activities

NORCE takes photos/videos in different situations showing activities involving NORCE. People who participate in these activities may have their photo taken, and we use such material in the external dissemination of our research and innovation. The dissemination includes articles on NORCE’s website that contain photos/videos, posts in our social media channels, brochures, etc. The basis for this processing is point (e) of GDPR article 6 (1), which allows us to process the information necessary in order to perform a task that is in the public interest.

Media contacts and contacts from influential players

NORCE occasionally collects and stores contact details about representatives of the media, influential players, and other relevant contact persons. We do this in order to increase the efficiency of our contact with these groups. In such cases, we obtain information from the internet and ensure that if any data subjects leave their job, they are also deleted from the list of such contacts.

The basis for the processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest is to provide information about our activities in the media and effectively cooperate with influential players.

Visitors to our website

At norceresearch.no, we use cookies to record how visitors use the website and we collect personal information when visitors register for webinars, courses, conferences and newsletters.

Read more about NORCE's use of cookies in our cookie statement.

Partners

If you are one of our partners, your personal data may be included in the applications and tenders we submit and the projects we carry out. You will already have sent us your CV, hourly rate, qualifications and other information required in an application, tender or for the execution of a project. Your personal data will therefore be stored in application and project folders in our archive and filing system.

Project cooperation and shared results will be visible on our web pages, the Current Research Information System in Norway (Cristin), and in our academic repository.
NORCE uses the Brage academic repository service to provide open access to reports, series, films, audio recordings, and other material produced at the institute, if applicable in collaboration with others.

More information about NORCE's Brage academic repository.

NORCE makes its results available in Cristin. Publications you have co-authored with our researchers are registered here. We link the authors’ names and publication address to the publication in Cristin. We register several types of personal data in the system for academic and administrative staff who have roles in Cristin.

More information about how personal data is processed in Cristin.

The lawful basis for this processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our task as a research institute.

Contact persons from the client/source of funding, suppliers and providers

If you are the contact person of the client/source of funding or supplier we store contact details regarding your workplace, like your email, telephone number and job title. Such information will be found in documents that we store in our archive and filing system.

When competing for projects, we are happy to provide documentation of our reference projects, including the client's contact details. We therefore occasionally give the details of your workplace to such a third party who represents the client.

The lawful basis for this processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each individual's privacy. The legitimate interest is being able to perform our task as a research institute.

Applicants for positions at NORCE

If you apply for a job at NORCE, we need to process your personal data in order to review your application. The hiring process entails processing the data you provide in the documents you send us, including your application, CV, diplomas and certificates. In addition to interviews, NORCE may perform its own checks, which typically involve talking to the applicant’s references.

NORCE uses the Jobbnorge application portal to manage applications for our job vacancies.

In order to review the documentation submitted, conduct interviews and call references, the lawful basis for the processing is point (b) of GDPR article 6 (1). This provision allows us to process personal data when it is necessary to take action on the applicant’s request before entering into an agreement. By applying for a position and uploading documents, we consider that the applicant is asking us to review the documentation submitted, conduct interviews, and call references, with a view to entering into an employment agreement.

If we perform any other checks, for example if we contact someone who has issued a certificate but is not listed as a reference, the lawful basis for processing in connection with such checks is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest is finding the right candidate for the position.

You do not need to provide special categories of personal data in your application or at the interview. However, you may choose to do so. If you state that you have a disability that requires adaptation of the workplace or the employment relationship, our lawful basis for processing will be point (a) of GDPR article 6 (1), i.e., your explicit consent, see point (a) of article 9 (2). You can withdraw your consent at any time. The withdrawal of your consent will not affect the lawfulness of the processing of personal data that took place before you withdrew consent.

Job applications are kept in Jobbnorge's application system. Applications are deleted 6 months after a position is filled. Lists of applicants and recommendations are transferred to the case and archive system. If we hire you, your application will be transferred to your personnel file.

Employees

Based on the different positions they hold, NORCE employees are registered in different IT systems and services that are either operated by NORCE itself or by external suppliers. All employees are registered in our central systems, such as the ERP system, authentication system, archive system, access control system and case processing system. In addition, employees are registered in specific systems associated with their role in order to be able to perform work for NORCE. Information about how we process personal data about our employees at NORCE can be found in our personnel handbook, which is available to our employees on the intranet.

NORCE processes personal data about its employees in order to perform pay administration, personnel tasks, and for each employee to be able to do the job they were hired to do. The lawful basis for the processing is point (b) of GDPR article 6 (1) (performance of a contract) and point (c) of article 6 (1) (compliance with a legal obligation). This means in order to fulfil the employment agreement with you as an employee and in order to meet our statutory obligations.

Recipients of remuneration and reimbursements

The information needed to disburse remuneration must be registered in the pay system. This includes the person’s remuneration, tax rate, tax municipality, a copy of their passport (for foreign citizens without a work permit in Norway), expenses to be reimbursed, per diems, and bank account number. Expenses can also be reimbursed as supplier disbursements. Information about the person's name, address and bank account number, and documentation of what is being reimbursed will then be stored in the invoice processing system.

Access to the information is limited through access control to the pay system, invoice processing system, general ledger, and reporting tools.

Under the Bookkeeping Act, NORCE is under an obligation to keep accounting documentation regarding disbursements for 5 years after the end of the financial year. NORCE's clients may request that they be kept for longer. This information is provided in the contracts for each project. At NORCE, accounting documents are deleted 15 years after the end of the financial year.

The lawful bases for processing such information are point (c) of GDPR article 6 (1) (necessary for compliance with a legal obligation) as well as point (f), which allows us to process the data that is necessary in order to protect a legitimate interest that outweighs the consideration of the individual's privacy. The legitimate interest is to be able to disburse remuneration and reimbursements and meet documentation requirements towards commissioners.

Visitors to our locations

NORCE has several locations, and cameras are installed at some of these, both inside the building and outside the entrance doors. The reason for this is to:

• Prevent break-ins, theft and vandalism
• Secure evidence in the event of a crime.
• Prevent attacks against our buildings and facilities.
• Protect our employees and guests.

There are signs at every door of these locations, as well as at the driveway, stating that there is CCTV in the area.

The staff at the reception at the location in question can see images from every camera. The cameras record continuously. There are also sensors that can send an alarm to the security company. The security company can access the relevant cameras when an alarm is triggered.

Access to surveillance data is highly restricted, and storage and deletion follow current legislation and recommendations.

Recordings are automatically deleted after 7 days, unless there is good reason to do otherwise, for example if the police has opened an investigation in connection with a break-in or other crime. In such cases, recordings may be stored for up to 30 days.

At certain locations, the visitor's name, company and the name of the person they are visiting are registered in the building owner's visitor management system. The data is managed by the building owner's reception. The data is used for security purposes and is stored for 180 days in a system with strict access limitations.

The lawful basis for this processing is point (f) of GDPR article 6 (1), which allows us to process the data that is necessary in order to protect a legitimate interest that weighs more heavily than the consideration of each person’s rights and freedoms. The legitimate interest is to secure access to our premises.

Your rights

According to the data protection legislation, the data subjects have several rights:

• You are entitled to a reply without undue delay, and at latest within one month.
• You can ask for a copy of all of the information we are processing about you.
• You can ask us to correct or supplement data that is incorrect or misleading.
• In certain situations you can ask us to delete information about yourself.
• In some situations you can also ask us to limit the processing of your data.
• If we process your data because of our activities or based on a balancing of interests, you have the right to object to our processing of your data.
• If we process your data based on consent or a contract, you may ask us to transfer your data to you or to a different controller.
• You can make a complaint about our processing of your personal data.

NORCE is under the obligation to provide general information about the personal data we process. Research managers, project managers and data managers in research projects, in registers, and teaching and programme measures at NORCE must further ensure transparency about the use of personal data.

As a rule, you have the right to information about what data has been registered about you, as well as the right to access this data. If you believe that the information registered about you is incorrect, you can ask for it to be corrected. In certain situations, you can ask us to delete information about yourself. In that case, please contact the project manager of the research project in question. You may withdraw your consent to participate in research projects at any point, and without giving an explanation.

Note that some limits have been placed on the rights to access, correction and limitation of processing, pursuant to section 17 of the Personal Data Act. The right to demand destruction, deletion or surrender of data will not apply if the material or data have been anonymised. You may exercise your rights by contacting NORCE as the data controller, or our data protection officer.

More about your rights as a data subject on the Norwegian Data Protection Authority's website.

We hope that you let us know if you believe that we are not complying with the rules in the Personal Data Act. Please contact us initially through the contact or channel that you have already established with us. You can also contact our data protection officer if you need advice or guidance. The data protection officer has a duty of confidentiality if you want to discuss something in confidence.

You can file a complaint about our processing of personal data. Such a complaint must be sent to the Norwegian Data Protection Authority. If you believe that NORCE is processing personal data in an unlawful manner, you can contact the Data Protection Authority via their website.

How to send a complaint to the Norwegian Data Protection Authority.