Privacy declaration for employees, job applicants, and contractors at Nord University

Personal data is any kind of data, information, facts, and assessments that can be linked to you as an individual, cf. GDPR article 4 no. 1. What determines whether a piece of information is personal data is whether the data can be linked to an identified or identifiable physical person.

Data that on its own cannot be linked to an individual person may constitute personal data if they indirectly identify a person in connection with other data.

We process personal data to fulfill our obligations as an employer and other legal obligations. For example, we can process information about you in order to hire you, pay out wages and other remuneration, decide on applications for leave, provide follow-ups on sick leaves, report wages to the tax authorities, etc.

Information about you will be registered in various IT systems and services. You must be registered in our central systems, such as the payroll and personnel administration system, archive system, access control system, and various IT systems in order for us to provide you with access to basic services. In addition, you may be registered in additional systems that you use in your specific position/assignment to be able to carry out your tasks.

For security reasons, we have video surveillance in parts of our campuses and in that context, we can process video images of you. We also have electronic access control on all our campuses and your use of access cards will be registered with us.

We process personal data on the basis of the General Data Protection Regulation (GDPR) Article 6, no. 1, letters b and em and Article 9, no. 2, letter b. The processing is necessary in order to fulfill the employment contract with you and to fulfill duties imposed on us in other legislation, such as the Working Environment Act, the University and University Colleges Act,​ the Norwegian Accounting Act, and the Equalisation Act (ligningsloven).

Some processing is done on the basis of a balancing of interests according to the General Data Protection Regulation (GDPR), Article 6, no. 1, letter f. This applies to video surveillance of campuses, which we consider necessary to secure the buildings, as well as ensuring safety in the event of an accident/crisis.

Si​tuations may arise in which we must have your consent to process information about you. You will then be asked to sign a consent form. Personal data collected for one purpose will not be used for other purposes without consent.

We will only  process the data that is necessary to achieve the purpose of the processing. For job applicants, we will therefore only process the information that is necessary to carry out an employment process. For contractors, we will only process the information necessary for the completion of the assignment and to administer the contractual relationship. For employees, we will process the information necessary to administer the employment relationship.

Personal data that we process will essentially be:

• Name
• Social security number
• Account number
• Phone number
• Address
• Marital status
• Name of relatives/next of kin and their phone numbers
• Name and birth date of own children
• Application for position
• Résumé
• Certificates and diploma
• Seniority
• Education/position level
• Position code
• Employee number
• Employment contract/assignment contract
• Documentation of any changes in the employment relationship
• Salary information
• Specific agreements in the employment relationship, for example leave and pension notices
• Any correspondence between you and the employer
• Minutes from employee interviews
• Disciplinary punishment
• Sick leaves, personal notices, absence
• Holiday
• Pictures
• Video images from video surveillance
• Log of your IT systems activity
• Log of your access control activity
• Information about resignation and termination certificate
• Language
• Union membership
• Health information
• Ethnicity​

PersonopplysninThe personal data is primarily collected from information you provide via application/résumé, as well as various paper and electronic forms. In addition, your leader and and advisor at Nord University may register information about you when necessary. Information may also come from external bodies, such as the National Population Register, the Norwegian Labour and Welfare Administration, and the Norwegian Tax Administration.​

Your personal data is processed in Nord University's electronic systems. In addition, we may keep information about you in paper documents. You will also leave electronic traces through the use of an access card, IT systems, digital tools, camera surveillance, and more.

Primarily, your personal data will be processed in the following systems:

Jobbnorge
Recruitment system. Here, information about people who apply for positions with us are processed.

Case management and archive system
Employment matters and personnel matters are processed here. Upon employment, a personnel file is created in our case management and archive system, which contains documents that are significant to your employment and pension.

Access control and video surveillance
Information about you will be registered in the access control system for you to access the university's buildings and rooms with the help of your employee card. 

At some campuses, we have video surveillance. Recordings from video surveillance are stored for 7 days. If handed over to the police, recording may be stored for up to 30 days.

Crisis and preparedness system
Management system for security and preparedness. Information about you will be registered here in order for us to be able to contact you in the event of a crisis or unwanted incident.

Finance and personnel system
Personal information about you is processed here to ensure your rights and duties in regard to salary, holiday, time off, etc.

Office 365
Communication system. Information about you is processed here in order to give you access to e-mail, Yammer, Teams, and Sharepoint (Intranet and Onedrive), among other things.

Feide
Login system. Information about you is processed here to ensure you access to intranet and all digital services that require logging in.

Travel operator
Information about you will be transferred and processed by a travel operator. This is done so that you can book business trips and for the travel operator to be able to contact you if there are any changes in connection to your travel.

Other electronic systems in which we process personal data about employees:

• ​Email system
• System for phone and video conferences
• Core system for personal data flow to and from other personal data systems at the institution
• Microsoft's catalogue service for the management of users, user rights, and resource control
• Case management system for the managements of cases and orders to the property management
• Switchboard - distribution of calls
• Case management system
• Equipment and agreement register
• Library services
• System for study administration
• Room allocation and time planning system

In addition, information about you may be stored in systems connected to certain roles or services at the university. This may apply for the following systems:

• Tools for recording and publishing
• Tools for web meetings
• Tools for recording, streaming, and publishing
• Quality ensurement systems, risk assessment, and deviation
• Database for research results and information about documentation of scientific activity
• Digital archive for research results
• System for administration and support of the implementation of teaching, exams, and student tasks
• System for the administration of exams and censorships
• System for plagiarism control of exams and research
• Safety data sheet for hazardous chemicals
• System for subject planning
• System for curriculum lists

In some cases, we may carry out completely or partly automated processing. In SAP, several automated processings of your personal data are carried out, for example when the number of holiday days or carer's leave days you are entitled to.

Nord University carries out regular risk and vulnerability analyses of the computer systems we use to protect your personal information.

In addition, we have safety measures, such as access controls to prevent that more staff than neccesserary have access to your personal data. Such access controls may be both access control to computers systems and physical control in the form of lockable archives/cabinets. Persons that will have access to your data, may be a leader, the personnel department, the organisation department, and the salary department.

Employees who process personnel information are subject to the duty of confidentiality and are trained in privacy protection. All registrations are logged.​

We do not disclose your data to others unless there is a legal basis for such disclosure. Examples of such a basis would typically be because you have consented to it, because the disclosure is necessary to fulfill an agreement with you to because there is a legal basis that requires us to release the information.

Nord University can hand over or export data containing personal data to other systems, i.e. external data processors in cases where it is considered necessary. A data processing agreement is then entered into between Nord and the data processor, which will protect the subjects' rights and protection needs.

In principle, personal information is not disclosed to countries outside the EU/EEA or to any international organisations. In cases where this is necessary, Nord will ensure that there is a legal basis for the transfer and implement the necessary security measures.

Your personal data may be disclosed to the following parties:


1. The National Population Register (Folkeregisteret)
In order for your name and address to be correctly registered in our financial system Agresso and SAP, we collect your name, birth number (11 digits) and your address registered in the national register.

2. The Norwegian Labour and Welfare Administration (NAV)
In cases of sick leave and parental leave, we are required to disclose information to Nav.


3. The Norwegian Tax Administration
We have a legal duty to report your salary to the Norwegian Tax Administration.


4. The Norwegian Public Service Pension Fund
We have a legal duty to disclose information to the Norwegian Public Service Pension Fund.

5. Other parties who, under the Freedom of Information Act, have a right to your personal data
In cases where Nord University receives requests for access in accordance with the Freedom of Information Act, the Personal Data Act will not restrict this right of access. It may therefore happen that Nord University sends personal data about you to other parties other than those mentioned in this privacy declaration.​

In principle, personal data are not stored longer than necessary. It is the controller's responsibility to assess how long it is necessary to keep the information available. In some cases, we have an obligation to store the information for a certain period of time, in accordance with the Archival Act and the Bookkeeping Act, among others.

Personal data about applicants for positions will be deleted in Jobbnorge 120 days after the application process at Nord is concluded, unless the individual is hired or consent to the information being stored longer. Information about applicants may also be processed in our case management and archival system in connection with an employment case, and in these cases, Nord is required to archive information.

Documents that do not have a long-term significance to your employment or salary are deleted as soon as it is no longer necessary to store them. For other documents, Nord is subject to the filing obligation in the Archival Act, so that information in Public360 cannot in principle be deleted without consent from the National Archives of Norway, cf. §9. This applies even after the termination of the employment relationship.

As registered, you are entitled to information about how Nord University processes your personal data. You also have a number of other rights that are listed below. 

If you wish to make use of your rights, have questions or need advice regarding the processing of personal data at Nord, you can contact us at behandlingsansvarlig@nord.no. We will process your inquiry without undue delay and at the latest within 30 days.

When you contact us, you may be asked to confirm your identity. We do this to ensure that unauthorized persons do not gain access to your personal data. You may also be asked to provide additional information.

Right to access to information
You are also to see/access information in respect of personal data recorded about you at Nord University. You are also entitled to receive a copy of your personal data if you wish. In some IT systems, you can access the registered information yourself. In the ESS/DFØ portal, you can see which information we have stored about you in our payroll system SAP and which information we have registered about any other jobs you may have. Here you also have the opportunity to change some of the information your self.

Right to withdraw consent
If we process information about you on the basis of your consent, you can withdraw your consent at any time. The easiest way to do this, it to directly contact the department/unit that obtained your consent. You may also contact the data controller.

Right of correction
You have the right to have corrected any incorrect personal data about yourself. You also have the right to have supplemented any incomplete personal data about yourself. If you believe we have registered incorrect or incomplete personal data about you, please contact us. It is important that you state the reasons why and, if appropriate, document why you believe that the personal data is incorrect or incomplete.
 
Right to limit processing
In certain cases you may be entitled to require that the processing of your personal data should be limited. Limitation of personal data means that your personal data will still be stored, but that the possibilities for further use and processing will be limited.

If you believe that your personal data is incorrect or incomplete, or you have objected to the processing (see more about this below), then you are entitled to require that your personal data should be temporarily limited. That means that processing will be limited until we have either corrected your personal data, or have been able to assess whether your objection is justified.

In other cases, you may also be able to require a more permanent limitation of your personal data. In order to be entitled to require the limitation of your personal data, the terms of the Personal Data Act and GDPR article 18 must be met. If we receive a request from you regarding the limitation of personal data, we will consider whether the legal provisions are being met.

Right to erasure
In certain cases, you can require that we delete personal data about you. The right to erasure is not an unconditional right, and whether or not you have the right to erasure must be considered in the light of the Personal Data Act and the Privacy Protection Regulation. If you wish to have your personal data deleted, please contact us. It is important that you state the reason why you want your personal data to be deleted, and if possible, which personal data you would like to have deleted. We will then consider whether the legal conditions for requiring erasure are met. 

Please note that, in some cases, legislation allows us to make exceptions to the right to erasure. For example, this would be the case when we are obliged to store your personal data to fulfil a task that is required by the Universities and University Colleges Act, or to safeguard important societal interests such as archiving, research and statistics.

Job applicants have the right to have their information deleted whenever they wish.

Right to present an objection
You may have the right to present an objection to the processing, i.e. to protest against the processing, if you have a special need for the processing of your personal data to be stopped. Examples might be if you have a need for protection, a secret address, or the like. The right of objection is not an unconditional right, and it depends on the legal basis for the processing, and whether you have a special need. The conditions are set out in GDPR article 21. If you present an objection to the processing, we will consider whether the conditions for presenting an objection are met. If we determine that you have the right to object to the processing, and that the objection is justified, we will stop the processing and you will then be able to require that the data should be erased. However, please note that in certain cases we would not be allowed to erase your data. This could be the case, for example, when we are obliged to store your personal data to fulfil a task that is required by the Universities- and University Colleges Act, or to safeguard important societal interests.

Right lodge a complaint in respect of the processing
If you believe we have not processed your personal data in a correct and lawful manner, or if you believe that we have failed to fulfil your rights, you have the possibility to object to the processing. You can find information about how to contact us in Point 11.

If we do not accept your complaint, you have the possibility to present your complaint to the Norwegian Data Protection Authority. The Data Protection Authority is responsible for verifying that Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR regulations for the processing of personal data.​

If Nord uncovers or is notified of a security breach, the matter is dealt with by the insitution's information security coordinator (CISO) in accordance with the current regulations and routines.

If the security breach is assessed to entail a risk of breach of privacy, the Norwegian Data Protection Authority will be notified without undue delay and within 72 hours at the latest.

Those registered and most likely to be affected by a security breach will be notified as soon as possible. The registered will in such a case be notified individually. If it is not possible to notify the registered individually, the breach will be announced as a news story at Nord University's website.