NTNU - privacy policy

This page includes NTNU’s central privacy policy and specific privacy statements for subsystems.

Denne siden på norsk: Personvernerklæring NTNU

NTNU’s central privacy policy

NTNU’s general privacy policy and links to subsystems with supplementary privacy statements are available here.

Privacy statement for subsystems

Privacy statements are added here for subsystems where this is regarded as necessary.

Statement on how NTNU collects and uses personal data

The Rector is the data controller for NTNU’s processing of personal data. The duties of the data controller are delegated to the Director of Organization and Infrastructure, and responsibility for day-to-day follow-up is subdelegated to the line managers.

The privacy policy complies with the requirements set out in articles 12 to 15 of the General Data Protection Regulation (GDPR). The GDPR is the EU’s legislation on the protection of personal data. It entered into force for the whole EU from 25 May 2018, and in the rest of the European Economic Area including Norway from July 2018.

Personal data means any information or assessment that can be linked to you as an individual, either directly or indirectly. For NTNU to be able to use (register, collect, disclose, etc.) personal data about you, we must have a basis as specified in law.

What is a privacy policy?

A privacy policy describes which personal data is processed, how it is processed, who is responsible for processing it, what rights you have and who you can contact about your personal data.

NTNU processes personal data:

  1. About you as a student (applicant, former student, student and PhD candidate)
  2. About you as an employee and former employee
  3. About you as a research participant

General provisions

All processing at NTNU must take place in accordance with the applicable laws and statutory regulations. NTNU must not process personal data to a greater extent than is necessary to fulfil the university’s purposes, which will be education, research, innovation, dissemination and administration. NTNU must ensure that processing takes place on the necessary basis specified in law, whether this is consent or follows from law/regulations or if implementation of a processing operation is necessary.

When processing an individual’s personal data, NTNU must ensure that the processing involves as little intervention as possible for the data subject, and that no more information about the individual is used or stored for longer than necessary; see the requirements for data minimization.

Where NTNU uses personal data about individuals, the data subject will be entitled to access information about processing of the data, as well as its purpose and basis.

All use of NTNU’s ICT infrastructure leaves an electronic trail. NTNU collects, analyses and keeps electronic trails to manage the ICT infrastructure, to ensure effective operations and cost management, and to protect NTNU’s ICT infrastructure against threats and abuse. NTNU’s ICT infrastructure includes logging and backup solutions for purposes that include enabling documentation of breaches of the law or non-conformance with internal rules and procedures, but also to make it possible to detect/discover security breaches in the ICT infrastructure. Collection, storage and use (and deletion) of electronic trails complies with the applicable legislation.

Data protection officer

At NTNU, we have our own data protection officer, Thomas Helgesen, who you can contact with any questions about the processing:

Questions about privacy at NTNU

To ask NTNU about our use of your personal data, please contact us by phone or email:

Disclosure of personal data

NTNU must have a legal basis for disclosing your personal data. Apart from consent, a legal basis may be (this list is not exhaustive):

  • Research. In principle, disclosure requires consent, but it is also possible without consent if the research project has been granted an exemption from the duty of confidentiality.
  • The Norwegian Labour and Welfare Administration (NAV) has the right to obtain information for control purposes in connection with the processing of a case; see Section 21-4 of the National Insurance Act (folketrygdloven).
  • Lånekassen (the Norwegian state educational loan fund), authorized by law.
  • The tax authorities, authorized by law.
  • Next of kin. Next of kin have the right to information that enables them to make decisions on behalf of a relative who is not in a position to make the decision themself.
  • Information that is necessary for handling certain types of cases will be disclosed to the board/committee that is to consider the case. This means that necessary information in connection with
    • appeals and cases of cheating will be disclosed to the Appeals Committee, which is NTNU’s appeals body, and the national Joint Appeals Committee, which is the appeals body for cases including cheating
    • cases concerning suitability will be disclosed to the suitability committee and
    • individual cases related to research misconduct will be disclosed to the Research Ethics Committee.

Access by the press and the public under the Freedom of Information Act

The main rule under the Freedom of Information Act (offentleglova) is that the case documents of administrative agencies are available to the public. This means that anyone who requests access, including the press and others, will be able to familiarize themselves with the contents of the documents. Your enquiry to NTNU will thus also be public, whether it is in the form of a letter, oral and written down, or email.

A journal is a register of case documents processed by an administrative agency. NTNU’s postal journals are made available on its website. The official in charge of the case is responsible for ensuring that exemptions from access to documentation are applied correctly and adequately; the Records Management Division conducts quality assurance of the electronic public records before publication.

All requests for access are journalized. However, NTNU handles large volumes of documentation that contains confidential information. Examples include sensitive information relating to both students and employees, patient information relating to treatment of patients and research, and trade secrets. Such information is exempt from public disclosure. Internal documents may also be exempt from public disclosure.

Your rights

Natural persons whose personal data we process (data subjects) have the right to basic information about NTNU’s processing of personal data. The GDPR requires NTNU to provide adequate information about our processing operations. If you are registered in one of NTNU’s systems, you have the right of access to your own information. NTNU has created a solution for lookup and access to central systems at NTNU. Information and communication and any measures in connection with the exercise of data subjects’ rights must as a general principle be free of charge.

Information about you that has been collected for a particular purpose cannot be used for other purposes without your consent or for another lawful reason.

You have the right to request that data about you which are incorrect, incomplete, or unnecessary, or which NTNU does not have access to process, be rectified, deleted or completed, or restricted. Requests from data subjects who wish to exercise their rights must be answered free of charge and at the latest within 30 days.

See how you can request access to and/or ask to have data about you disclosed or deleted: Access to information about processing

Right to rectification

Your personal data must be correct. You have the right to rectification of any of your personal data that is incorrect. You also have the right to have incomplete personal data about you completed. If you believe we have registered incorrect or incomplete personal data about you, please contact us. It is important that you justify and, if relevant, document why you believe the personal data registered is incorrect or incomplete.

Right to restrict processing

In some cases, you may have the right to demand that the processing of your personal data be restricted. Restricting the processing of personal data means that your personal data will still be stored, but the opportunities for further use and processing will be limited.

If you believe that the personal data are incorrect or incomplete, or you have objected to its processing, you have the right to demand temporary restriction of the processing of your personal data. This means that processing will be restricted until, if relevant, we have rectified your personal data, or we have assessed whether your objection is justified.

In other cases, you may also demand a more permanent restriction of processing of your personal data. For you to have the right to demand that processing of your personal data be restricted, one of the conditions in Article 18 of the GDPR must be met. If we receive an enquiry from you about restricting the processing of your personal data, we will assess whether the legal conditions have been met.

Right to erasure

In some cases, you have the right to demand that we erase personal data about you. This right follows from Article 17 of the GDPR. The right to erasure is not unconditional, and whether you are entitled to this must be assessed in terms of the Personal Data Act (personopplysningsloven) and the GDPR.

Please contact us if you want to have your personal data erased. It is important that you give reasons for wanting your personal data to be erased, and, if possible, that you also specify which personal data you want to have erased. We will then consider whether the conditions for erasure have been met. Please note that in some cases the legislation allows us to make exceptions to the right to erasure. For example, we may need to store personal data to perform a task imposed on us in compliance with the Act relating to Universities and University Colleges, or for important reasons of public interest, such as archiving, research and statistics.

Right to object

You may have the right to file an objection against the processing, that is, to protest against it, if you have a particular need to stop the processing of your personal data. This right follows from Article 21 of the GDPR. Examples might be if you have a need for protection, a confidential address, or similar.

The right to object is not unconditional, and it depends on the legal basis for the processing and whether you have a particular need. If you protest against processing of your personal data, we will consider whether the conditions for filing an objection have been met. If we find that you have the right to object to the processing and that your objection is justified, we will stop the processing, and you will have the right to demand erasure of the data.

Claims from you as a data subject must be answered free of charge and at the latest within 30 days.

Right to be notified in the event of a personal data breach

If NTNU becomes aware of a breach of personal data security, for example that sensitive information about an individual has gone astray, NTNU may be obliged to notify the Norwegian Data Protection Authority and the individual of the breach; see articles 33 and 34 of the GDPR.

Right to file a complaint about the processing with the Norwegian Data Protection Authority

If you believe we have not processed your personal data correctly or lawfully, or if you believe we have not fulfilled your rights, you can file a complaint against the processing.

If we dismiss your complaint, you can file the complaint with the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is responsible for checking that Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR in their processing of personal data.

Processing of personal data about you as a student

What personal data is collected about you as a student?

Examples of your personal data that are registered and processed at NTNU include your name, picture, contact information, teaching and examination messages, grades, and degrees awarded.

If you are applying for admission and/or you are a student at NTNU, we must collect and register your name, national identity number and contact information, among other data. If you have given your consent, we may also collect your results from certain other educational institutions (in Norwegian). The purpose of recording this data is administration of your application and your studies with us. You normally register the information yourself via The Norwegian Universities and Colleges Admission Service (Samordna opptak), in Søknadsweb (NTNU’s portal for student applications) or in Studentweb.

Brief information about the Common Student System (FS)

The information is stored in the *Common Student System (Felles studentsystem - FS)*, which is the administrative system NTNU uses for student data. FS is a student information system developed for universities, specialized universities and State university colleges in Norway. The Søknadsweb applications portal as well as Studentweb and Nominasjonsweb are part of FS. If you have an application and/or decision process at the university, this will be registered in FS or the university’s systems for administrative procedures and records management.

The purpose of processing personal data in FS is to safeguard your rights as an applicant, student, doctoral candidate, or course participant and to fulfil NTNU’s tasks and obligations under the Universities and University Colleges Act.

For the processing, NTNU has a legal basis in Article 6 (1) (e) of the GDPR on the exercise of official authority and letter (c) on legal obligations and, in addition, a separate provision in the Act relating to Universities and University Colleges, Section 4-15.

RUST - register of excluded students

Decisions on exclusion due to false diplomas, disruptive behaviour, serious breaches of confidentiality, cheating and lack of suitability are registered in the register of excluded students (RUST). The Norwegian Agency for Shared Services in Education and Research (Sikt) has administrative responsibility for RUST. Through RUST, other higher education institutions receive information about sanctions in a secure way when the person in question is an applicant or student at their institution. Privacy policy for RUST.

Digital teaching and exams

Digital systems for teaching and examinations receive and process personal data about students at NTNU. We use the digital examination system Inspera Assessment for a variety of examinations. To make it possible for you to take a digital examination, we send personal data about you to Inspera, which develops and operates the Inspera Assessment system. They will have access to the following personal data: Feide ID, candidate number, other examination data from FS, IP address.

NTNU uses a learning management system called Blackboard Learn during the course of study. Here, communication takes place with teaching staff and other students, information from the education institution and submission and marking of coursework.

NTNU uses the plagiarism control system Ouriginal (formerly known as Urkund) to detect plagiarism in submitted answers. Ouriginal checks against sources on the internet, various text databases, submissions at NTNU and other universities and colleges in Norway.

Access control

Your data will also be registered in the university’s access control system to enable you to access the university’s buildings and rooms during your studies, using your student identity card. The picture on active student cards and key cards is stored in FS and will be the same picture that is transferred to the Studentbevis student ID mobile app for students who choose to use it.

Administrative and records management systems

If you have an application and/or administrative or decision process at NTNU, this will be registered in the university’s administrative and records management system, ePhorte. Under the Public Archives Act (arkivloven), NTNU is obliged to take care of such information.

Personal data to third parties

Disclosure or export of data is defined as any transfer of data other than for use in the controller’s own systems/processing or to the data subject themself or any other party receiving data on the data subject’s behalf. NTNU may disclose or export data including personal data to other systems, such as to external data processors or the Lånekassen loan fund, in cases where this is regarded as necessary.

Disclosure of personal data under the Freedom of Information Act

At regular intervals, NTNU receives requests for access under the provisions of the Freedom of Information Act. Please note that the provisions of the Personal Data Act cannot lead to restrictions on this right of access where the enquiry relates to personal data.

Processing of data about you as an employee

NTNU processes personal data about you as an employee at NTNU. The information is used for the purposes of payroll and human resources administration, such as calculating salary and keeping track of working hours, absence, holiday leave, and leave of absence.

Legal basis

The legal basis for processing of personal data about employees is Article 6 (1) (a), on consent, or Article 6 (1) (b), on processing that is necessary for the performance of an employment contract or other contract with the employee. In addition, Article 6 (1) (f) applies to processing that is necessary for the implementation of NTNU’s legitimate interests, after balancing these against the employee’s interests, rights and freedoms.

Where NTNU processes sensitive data, such as personal health data, the lawful basis for NTNU will be in Article 9 (2) (a) where the data subject has given explicit consent, or Article 9 (2) (b) where processing is necessary for NTNU as the data controller or for the employee to fulfil obligations or exercise rights in the field of employment law. An example here could be the use of health information to provide adaptations in a work situation. Section 6 of the Personal Data Act stipulates that sensitive personal data as mentioned in Article 9 (1) of the GDPR can be processed when necessary for carrying out obligations or exercising rights under employment law.

What information is used about you as an employee?

Examples of information that is processed about you as an employee include your name, national identity number, and contact details (address and telephone number). The HR Director is delegated the day-to-day responsibility for processing personal data information about employees.

The information is collected from you as a job seeker or employee and from other agencies, such as the tax authorities, the Norwegian Labor and Welfare Administration and your former employer.

Details of your name, position and area of work are regarded as public information and can be published on NTNU’s Internet pages.

Information on disclosure of information is available under general information on disclosure of personal data and access for the press and public under the Freedom of Information Act.

Personal data about employees is mainly processed in NTNU’s payroll and human resources systems (Paga). In NTNU’s administrative and records management systems (link to privacy statement for archives/ephorte), there is a personnel file for you with information such as:

  • application(s) for position(s) (only job applications from the person who is hired for a position are journalized and archived)
  • certificates of education/work experience
  • competence-building courses and training
  • offer of employment
  • employment contract
  • non-disclosure agreements
  • documents regarding pension conditions and placement of positions within the salary structure
  • special agreements in the employment relationship
  • leave of absence
  • any correspondence between you and the employer, as well as regarding resignation and a copy of the testimonial

When you leave NTNU, your personnel folder is reviewed and unnecessary information is deleted. NTNU will continue to store information about matters such as who has worked in the organization, for how long and what you as an employee have worked with.

People in HR only have access to personal data about employees that is necessary for carrying out their work duties. Sensitive information (special categories of personal data) is protected with a separate access code in the records management system.

Through process ownership, the head of the HR/HSE Division has a responsibility for ensuring that necessary routines have been drawn up to safeguard confidentiality and quality in the processing of employees’ personal data and that the information is not stored longer than necessary. The head of HR/HSE is also responsible for providing the necessary training in the use of NTNU’s ICT systems and applicable routines.

It is every manager’s responsibility to ensure that their own employees have received sufficient training and that document management and administrative procedures within their own area of responsibility take place in accordance with NTNU’s routines.

NTNU’s occupational health services will be able to process information about you with your consent.

Processing of personal data about you as a research participant

Legal basis

Where NTNU processes personal data about you in research projects, the legal basis will either be your consent or that the use of the information is necessary for research purposes.

The personal data is processed in accordance with Article 6 (1) (a) (consent) of the GDPR or Article 6 (1) (e) on processing in the public interest. Section 8 of the Personal Data Act stipulates that personal data may be processed on the basis of Article 6 (1) (e) of the GDPR if this is necessary for purposes related to academic research. According to principles of research ethics, consent is the main rule in research on information that can be linked to individuals.

If sensitive personal data is processed, the processing will be lawful if informed and explicit consent has been obtained; cf. Article 9 (2) (a). If consent has not been obtained, Article 9 (2) (j) on processing that is necessary for scientific research will be the basis for processing.

In addition, Section 9 of the Personal Data Act stipulates that the processing of sensitive personal data may take place without the consent of the individual, provided that public interests in the processing being carried out clearly outweigh the disadvantages for the individual. The processing must also be subject to necessary safeguards, for example, de-identification of personal data (the data are no longer directly linked to the individual without additional information), access management, and logging of storage areas.

Further processing for research purposes

Further processing for research purposes of personal data that have already collected is regarded as compatible with the original purpose. This requires the introduction of technical and organizational measures to safeguard the rights of the data subject, especially to ensure compliance with the principle of data minimization. An example of a relevant measure is pseudonymization.

If the research purpose can be fulfilled through anonymized data, further processing must take place in this way. A condition for further processing for research purposes is that the data already collected has been processed in accordance with the regulations. If the further processing involves transfer to another data controller (that is, a party other than NTNU), the party receiving the information must have a separate legal basis for processing it.

Preliminary assessment of research projects

Like most institutions in the higher education sector, NTNU has an agreement with the Norwegian Centre for Research Data (NSD), which has expertise in assessing the privacy-related aspects of a research project and whether a project can be carried out. It also sets requirements and conditions for such processing. Health research must be approved by the Regional Committee for Medical and Health Research Ethics (REK).

What personal data is processed

Assessment of which personal data is to be recorded is based on which personal data it is necessary to record in order to achieve the purpose of the research project. As a main rule, information about you collected for a particular purpose cannot be used for other purposes without your consent.

In many research projects, the information is anonymized, and then there is no way that it can be traced back to you.

In other cases, the personal data may be de-identified/pseudonymized. In such cases it will be possible to recognize the individual using a scrambling key (identifier key), such as a code, which will be subject to access control. In health research projects, personal data must always be de-identified.

Examples of de-identified information that will be registered include names, national identity number, age, gender, weight, height, diagnoses, place of residence, occupational information, institution, education, or the size of the institution. Personally identifiable characteristics such as names and personal identification numbers are replaced with a number, a code, fictitious names or similar, which refer to a list of the direct personal data. The list of direct personal data is kept separately from the other personal data. The scrambling key must be stored securely and inaccessible to unauthorized persons (encrypted).

Researchers collect the information in the form of surveys, interviews, observations, video and audio recordings and similar data where the research participant is present.

Personal data is preferably to be processed on the basis of informed consent. Consent may be withdrawn at any time during the implementation of the research project. Further use of the personal data will then end.

Both students and researchers/supervisors who come into contact with personal data have a duty of confidentiality.

Transfer from other organizations

Researchers may be granted permission by other organizations to obtain personal data in their research that the organization has collected.

Confidential personal data may not be used unless dispensation has been granted and the project manager has legitimate reasons for not obtaining valid consent. This applies to studies where, for various reasons, it is believed that the public benefit of the study exceeds the disadvantage for the research participants if they are not asked.

Transfer to other organizations

By agreement, the personal data may be transferred to other organizations, provided that they can provide satisfactory storage of the personal data and otherwise comply with the terms of the Personal Data Act.

The personal data may also be transferred abroad, provided that the conditions of the Personal Data Act are fulfilled. This means that there must be a basis for transfer and that the security of the information must be satisfactory.

Storage of personal data

The main rule is that the personal data must be de-identified when they are stored on computer-based equipment. The degree of personal identification must never be greater than is necessary for the research.

Personal data must normally not be stored for longer than is necessary to complete the research. If consent is required and personal data is to be kept longer than the original consent provides rights to, new consent must as a general rule be obtained. In the case of health research, such use must be submitted to the regional committee for medical and health research ethics (REC).

Personal data must normally be deleted or anonymized at the end of a project unless otherwise determined by the regional committee for medical and health research ethics (REK) or for example, by the funder of the research project.

Responsibility for research projects

The dean of each faculty has been delegated the day-to-day (operational) responsibility for research. Some tasks can be subdelegated further down the line.

The responsibility applies to all information collected for research purposes that is processed and stored electronically or on paper.

This entails ensuring that necessary routines have been drawn up for purposes including securing confidentiality and quality as well as making sure that the information is not stored longer than necessary. This responsibility also means that necessary training of project managers is offered and that adequate routines are established.

Any manager at a faculty to whom the duties of the person responsible for research have been delegated is responsible for ensuring that project managers and research staff who come into contact with personal data in their research receive adequate training, comply with privacy legislation, and take care of ethical, medical, health, scientific and information security matters.

Contact for this website

The legal advisers in the Division for Governance and Management Systems

3894 Visninger