- Who is responsible for processing your personal data
- For what purposes UiB processes personal data
- What obligations UiB has when we process personal data
- Your rights as a data subject
Processing of personal data at UiB
UiB shall not process personal data to a greater extent than is necessary for the purposes of The University. The University's activities are described in more detail in Section 1-3 of The Act relating to Universities and University Colleges. The purpose of the Personal Data Act is to protect the individual against the violation of privacy by the processing of personal data. It is important to UiB that the processing of personal data constitutes as little intervention as possible for the individual data subject, based on what is practically, technically and financially possible, cf. the Personal Data Act and the Privacy Regulation Article 5. As a data subject, you therefore have important rights, which must be protected.
The data controller
The University of Bergen, by the Rector, is the data controller responsible for the institution's processing of personal data. The data controller's tasks are delegated to the line managers. Where the daily responsibility is delegated, the details are described in each section below. The delegation only includes the tasks and not the responsibilities.
At UiB, personal data is processed for administrative purposes, for archiving purposes and for research purposes. As a general rule, information collected for a particular purpose cannot be used for other purposes.
In general, we process information that you have provided to us for one of the following reasons:
- You have contacted us regarding study programs or are, or have been, a student
- You have applied for a position with us or are, or have been, employed with us
- You have been a participant in a research project or for other research purposes
- You are, or have been, a patient at one of our university clinics
- You have requested public access to official documents under the Freedom of Information Act
- You have signed up for courses or events
- You subscribe to newsletters
- UiB has a legitimate interest to be able to contact you
We also process personal data which has not been obtained directly from you for the following reasons:
- We receive information about you from another government agency
- A complaint or guidance case contains information about you
- A non-conformity matter or personal data breach contains information about you
- An employee, student, patient or research participant has named you as their next of kin
- A job applicant has provided you as a reference
- When previously collected data is permitted to be reused for scientific research or quality assurance or auditing purposes
Key legislation for the University's handling of personal data
The Personal Data Act, which incorporates the EU General Data Protection Regulation (GDPR) into Norwegian law in its entirety, contains provisions on the processing of personal data, including collection, information security, who has access and disclosure. All processing of personal data must comply with the basic principles incorporated in Article 5 of the GDPR, including lawfulness of processing in Article 6, and the conditions in Article 9 for the processing of special categories of personal data.
The Administration Act, the State Employees Act, Act relating to universities and university colleges and regulations, contain case processing rules for how matters regarding staff and students will be dealt with at UiB. As a party to a case, you have special rights, including access to case documents. In some areas, the Act relating to universities and university colleges regulates the processing of cases by universities and colleges, while in other areas it only lays down guidelines for the internal regulations of the individual educational institution.
Freedom of Information Act with regulations contains the rules for when a document is publicly available to the public and when a document can be exempt from public disclosure. UiB practices open public access to government papers, which means UiB strives for all documents to be public as far as it is possible.
The Archives Act contains rules on how the case documents should be kept, including storage in the archiving institution.
Personal Health Data Filing System Act contains rules on how health information collected will be processed, including how they are secured, who has access and whether they can be disclosed to others.
The Patient Record Act with regulations contains provisions on the processing of health information that is necessary to provide, administer or quality assure health care to individuals.
The Health Personnel Act regulates the use of personal data for quality registers to evaluate patient treatment at UiB and contains rules on the duty of confidentiality of health personnel.
The Health Research Act with regulations regulates the use of personal data for medical and health research and human biological samples, and must be approved by the Regional Ethical Committee for health and medical research (REK).
Who can I contact?
The data controller
The Personal Data Act and Article 4 (7) of the GDPR provides that the data controller is the institution, which alone or jointly with others determines the purposes and means of the processing of personal data. According to the delegation of authority, the rector has the overall responsibility for all processing of personal data, and is the data controller. The daily operational responsibility for information security is delegated to the IT Director. Each department is responsible for their processing of data about you.
If you wish to receive information about what personal data is registered about you, or you wish to exercise the right to access, the right to rectification, the right to erasure, or other rights provided in the GDPR, you can submit your request to the Data Protection Officer. You are entitled to a response without undue delay, and no later than 30 days.
If you have general questions about the processing of your personal data at UiB, you can contact our Data Protection Officer.
Data Protection Officer
UiB has a Data Protection Officer to safeguard the privacy interests of both students and employees, and other data subjects that UiB processes personal data about. The Data Protection Officer can, among other things, assist individuals who are registered with personal data at UiB, to safeguard their rights. However, it is the controller who is responsible for UiB complying with the rules and regulations. The Data Protection Officer can also provide assistance and answer any questions. You can contact the data protection officer at personvernombud@UiB.no.
Access to information
You are entitled to know what personal data is registered about you at UiB and how this data is processed, cf. the provisions of the Personal Data Act and the GDPR Article 15. You are entitled to know what the purpose of the processing of the data is, the type of data that is processed, whether they are or will be disclosed to others and, if so, to whom, how long the data will be stored and any procedures for erasure. You also have the right to know the extent to which you have the right to rectification, erasure, restriction of processing or to object to the processing. You also have the right to know how the information is collected. You are entitled to a copy of all the data about you, including electronic tracking. You have the right of access without undue delay and within one month at the latest.
Information provided under the GDPR Articles 13 and 14 and any communication and actions taken under Articles 15 to 22 and 34 shall be provided free of charge, unless the exemptions set out in GDPR Article 12(5) apply.
Read more about the right of access here, on The Norwegian Data Protection Authority website.
Correction of personal data
In certain cases, you have the right to demand rectification and erasure of information about yourself, cf. Article 16 of the General Data Protection Regulation. You must be able to prove that the registered information is incorrect, and what the correct information is.
You are entitled to rectification without undue delay and normally within one month. In cases where correction is not practicable or where the information is correct but gives an incorrect impression, you may require that the information be supplemented.
Read more about the right to correct or supplement information here, on The Norwegian Data Protection Authority website.
Deletion of personal data
In some cases, you have the right to request that information be deleted. This is also called "the right to be forgotten". Unless one of the exceptions applies, you may require the deletion of your information in the following cases, cf. Article 17 of the General Data Protection Regulation:
- If you exercise the right to object to the use of your information
- If the information is processed on the basis of consent and you withdraw the consent
- If you are a minor and have used a digital service, such as social media
- If the purpose of the use of the information is achieved
- If the information has been obtained illegally
- If the company has a duty of deletion under the law
In the above cases, the institution shall carry out deletion without undue delay and normally within one month at the latest.
The right to delete does NOT apply in the following cases (exceptions):
- The personal information is part of an expression that is protected by freedom of expression and information
- Storage is necessary for archiving in the public interest, scientific or historical research or statistical purposes. The exception only applies if deletion will seriously hinder the achievement of the targets
- The company has a duty to store by law (for example, accounting duty or archiving duty)
- Storage is necessary for certain types of use within the health service, cf. Article 9 of the General Data Protection Regulation
- Storage is necessary to establish, enforce or defend legal claims
Read more about the right to delete here, on The Norwegian Data Protection Authority website.
Limitation of processing of personal data
In some cases, you may request that the processing of your personal data be restricted. In that case, the information can be stored but not used for anything.
Read more about the right of restriction here, on The Norwegian Data Protection Authority website.
Protest against processing of personal data
If we process information about you on the basis of our assignments or on the basis of a balance of interests, you have the right to object to our processing of your personal data. This is mainly when we process personal data without your consent. Article 21 of the General Data Protection Regulation therefore states that you may in some cases object to the processing of your information.
The right to protest does NOT apply in the following cases (exceptions):
- The personal information is required to execute an agreement with the company
- The company is required by law to process your personal data information
The right to protest also does not apply if the company can show that weighty reasons outweigh your protest (balancing of interests).
Read more about the right to protest here, on The Norwegian Data Protection Authority website.
What are cookies?
Cookies are small text files that are stored locally on your computer when you download a website, such as uib.no. Cookies are a standard technology that most websites use.
Most browsers (such as Google Chrome, Safari, Internet Explorer) are set to automatically accept cookies, but you can choose to change these settings if you prefer. Doing so may cause some websites not to work optimally. See the information further down the page if you want to withdraw your consent or change your browser settings.
By using uib.no you agree that we set cookies in your browser.
The statistics are a tool for improving our website, as well as assessing the impact of marketing on other digital platforms. For each page viewed, the following information is stored on our servers.
- Which page you look at, which page you come from and which page you go to
- If you have visited our site before
- Date and time
- Which browser you use, which device and which operating system you have
Your IP address is anonymized and cannot be associated with you as a person. The address is only used for troubleshooting system errors, and the IP addresses are deleted after six days.
The following cookies are used on uib.no:
Google Analytics is used to analyze the visits we get to our site. This is done using the following cookies:
- __utmz: Provides us with information about where you come from when you land on a website at UiB, for example from a search engine (Google, Bing etc.). We use Google Analytics both internally on the website, in the banner and for images. Therefore, users can sometimes find two cookies called __utmz.
- __utma: Is a cookie that gives us information about the number of times the user has been on our site. We use __utma to look for users who visit us for the first time, and for users who have been here several times.
- __utmb and __utmc: Shows us how long the user stays on our site. __utmb and __utmc will be deleted as soon as you leave websites belonging to the university.
- __utmt: This cookie is used to refine the data collection from the website so that the performance is not affected. The cookie is deleted after ten minutes.
- __utmv: This is a cookie that allows you to map website behavior and site performance.
You can opt out of cookies from Google Analytics by visiting Google's website.
Siteimprove is a tool we use to improve the quality of the content on our website (such as broken / dead links, languages and universal design).
The publishing solution for uib.no (w3) has a cookie that is used in connection with marketing:
_mauuid: The cookie enables us to set up fully automated, intelligent email campaigns that adapt depending on the usage pattern of the individual recipient. It also gives us the opportunity to start automatic campaigns for potential students who identify themselves by subscribing to newsletters or filling out contact forms.
Third party requests are queries created by a user to an external service provider, such as ads and social media widgets. Although these queries do not set cookies, they can still transmit information to third parties. Google Analytics works through third-party queries.
You can prevent cookies from being stored on your computer by changing your browser settings. However, please be aware that if you change your settings, you may not be able to use the site's functionality in its entirety.
On nettvett.no you can read more about managing cookies in your browser:
The legal basis for the processing of personal data on applicants and students is The Personal Data Act and The General Data Protection Regulation Article 6 (1) (a), (b), (c), (e), (f), Article 9 (2) (a), (b), and the act relating to Universities and University Colleges.
What personal information does UiB process?
If you are applying for admission and/or are a student at UiB, we must collect and register information such as name, birth number and contact information. If you have agreed, we may also collect your results from some other educational institutions. The purpose of the registrations is to administer your application and your studies with us. You normally register the information yourself via The Norwegian Universities and Colleges Admission Service, in addition to Evuweb and Application web. Some recordings are made with paper-based application forms, and then we record the information you have given us in our systems.
Felles Studentsystem (FS) is the system UiB uses for student administrative data. Studentweb is part of FS. Privacy Statement for FS and related applications can be found here. UiB's learning platform (My UiB) and digital exam system (Inspera) collect data about you from FS. MittUiB's calendar and message solution retrieves information about which programs and topics you are registered with from FS. If you have an application and/or decision process at The University, this will be registered in the university's case management and archiving system. The image on active student cards and key cards is stored in FS and will be the same image that may be transferred to the student certificate mobile app when activated.
Personal data to third parties
UiB will be able to disclose or export data containing personal data to other systems, i.e. external data processors, for example to the Norwegian State Educational Loan Fund, in cases where it is considered necessary. For a complete overview of external data processors from which personal data can be retrieved and provided, see the Privacy Statement for FS.
Disclosure of personal data according to the Freedom of Information Act
At regular intervals, UiB receives requests for access in accordance with the Freedom of Information Act. We want to remark that the provisions of the Personal Data Act will not be able to impose restrictions on this right of access where the inquiry relates to personal data.
Delegated process responsibilities
The Director of Department for Student Administrative Department is delegated the day-to-day responsibility for processing personal data information about applicants and students. This involves making sure that necessary routines have been established to ensure confidentiality and quality and that the information is not stored longer than necessary. The Director of Department is also responsible for providing necessary training in the use of IT systems and current routines.
The legal basis for the processing of personal data on applicants and students is The Personal Data Act and The General Data Protection Regulation Article 6 (1) (a), (b), (c), (e), (f), Article 9 (2) (a), (b), and the act relating to Universities and University Colleges.
Delegated process responsibilities
The HR Director is delegated the day-to-day responsibility for processing personal data information about employees. This involves making sure that necessary routines have been established to ensure confidentiality and quality and that the information is not stored longer than necessary. The HR Director is also responsible for providing necessary training in the use of IT systems and current routines.
The purpose of processing personal data information about employees is to fulfill legal obligations and agreements. The legal basis for the processing of personal data on employees is The Personal Data Act and The General Data Protection Regulation Article 6 (1) (a), (b), (c), (e), (f), Article 9 (2) (a), (b), and Article 88.
What personal information does UiB process?
Employees at UiB are registered with name, birth number and contact information. In addition, job and salary information, education and seniority, as well as names and ages of children under the age of 12 and names and contact information for the next of kin are recorded. Employee side tasks are also recorded.
The information is collected from you as a job seeker or employee and from other agencies, such as the tax authorities, Norwegian Labor and Welfare Administration and former employer.
The employee personal information can be disclosed to public authorities such as the Tax Administration, the Norwegian Public Service Pension Fund and the Norwegian Labor and Welfare Administration. Salary information can also be provided to trade unions on the basis of a collective agreement. In addition, information can be provided to cooperating companies such as travel agents, credit card companies, etc. if you as an employee have consented to it.
Information about name, position and field of work is considered to be public information and can be published on the university's website. A portrait of you as an employee will be published unless you reserve against such publication.
Archiving and deleting personal information
The information is archived in the university's recruitment tool, personnel data system, central user management system at the IT department for access to electronic tools and archive system with personnel files. The systems are access controlled, and no one but those who need it have access to personal information.
The main point is that personal data should not be stored longer than necessary to carry out the purpose of the processing. If personal data is not to be stored in accordance with the Archives Act or other legislation, they must be deleted.
Disclosure of personal data and access according to the Freedom of Information Act
Information on disclosure and access to information can be found under the section Disclosure and access, and the press and public's access under the Freedom of Information Act.
Employees have access to their personal data in the personnel data system (HR portal). Access to other information in the personnel directory is given by contacting the administration at the faculty or center. For the central administration, please contact the HR department.
An account of how UiB processes personal data used in research
Personal data is processed in accordance with Sections 8-10 of the Personal Data Act, cf. Articles 5, 6 and 9 and Article 89 of the Privacy Act, and the Health Research Act.
The Personal Data Act provides access to the processing of personal data for research purposes, provided that the privacy of the participants is safeguarded through technical and organizational measures implemented by the data controller, that privacy consequences have been assessed and a privacy representative / adviser is consulted where necessary. UiB has an agreement with the Norwegian Center for Research Data (NSD) for advice on privacy issues in research. Health research projects must have a prior ethical approval from REK, in addition to the grounds for treatment in The General Data Protection Regulation.
Information processed as part of research projects
Which personal data (defined as information and assessments related to an individual) that is to be recorded is considered based on what personal data is needed to achieve the purpose of the research project. As a rule, personal data collected for research purposes cannot be used for other purposes without consent.
The General Research Ethics Guidelines state that consent is the main rule in research on people or on information and material that can be linked to individuals. The consent must be informed, express, voluntary and documentable. Consent presupposes the capacity to give such consent. To ensure real voluntariness, vigilance must be exercised in cases where the participant is in a dependency relationship to the researcher or in a situation of restricted freedom.
The consent may be withdrawn at any time during the execution of the research project.
Researchers, students and supervisors who have access to personal data have a duty of confidentiality.
Procedures for the processing of personal data have been established. The main rule is that there should never be a greater degree of personal identification than is necessary for the research project. The personal data can be de-identified or anonymised.
- De-identified personal data is personal information where names, birth numbers and other direct personal identifiers have been removed and replaced by a number or code (link key), so that the information cannot be directly linked to an individual.
- Anonymous data is information where names, birth numbers and other unique characteristics are removed, so that the information can no longer, directly or indirectly, be associated with an individual. Anonymous data is therefore not considered personal data.
All research projects that process personal data are subject to the process control system's internal control system for research. Processors shall ensure that the principles set out in Article 5 of The General Data Protection Regulation are complied with in all projects, including that the processing has the basis for processing in Article 6 and in Article 9, if the processing includes special categories of (sensitive) personal data. The processing of special categories of personal data for research purposes has a duty of consultation with a Data Protection Officer or privacy advisor with similar competence and independence, with which the institution has an agreement. Health research projects need ethical prior approval from the Regional Ethical Committee for Medical and Health Research Ethics (REK). When data controllers consider it necessary or when the regulations require it, a Data Protection Impact Assessment (DPIA) shall be carried out.
Personal data should normally not be stored for longer than it is necessary to carry out the research project. If there is a need for storage beyond the time specified at the start of the project, new consent must be obtained or an exemption must be sought.
Transfer and secondary use of personal data
In some cases, the transfer of personal data between research institutions may be granted. Confidential material such as journal information, information from public agencies and various registers such as health records, criminal records, social and social security registers can also be obtained for use in research. Such use of confidential personal information requires that the register owner has waived the requirement to obtain new consent. When assessing an exemption, a balance of interest will be made where the social benefit of the research must exceed the disadvantage it is for the research participant not to be asked.
The personal data may be transferred to other companies, provided that they can provide satisfactory storage of the personal data and otherwise comply with the terms of the privacy regulations.
The personal data can also be transferred abroad, provided that the terms of the privacy regulations are fulfilled. Companies that want to transfer personal data abroad can only transfer to states that ensure the proper processing of the information.
Personal data can be stored both electronically and on paper. At the University of Bergen, there are guidelines for active research data to be stored on the university's research server (SAFE) or other similar secure solution.
Personal data should normally be deleted or anonymized at the end of a project.
Read more about the processing of personal data after the project has been completed.
Delegation of tasks
The Rector of the University of Bergen has overall academic responsibility for the research conducted at the University. Each faculty has a dean who has been delegated daily (operational) research responsibility. Some tasks must be carried out by the dean, others can be delegated in the line to the head of the department or the head of the center.
The responsibility applies to all information collected for research purposes that are processed, regardless of storage form. This means that necessary procedures have been established to ensure the privacy regulations, including secure confidentiality, quality and that the information is not stored for longer than necessary. Responsibility also entails providing the necessary training to project managers on privacy laws, ethical, medical, health, scientific, and information security issues.
You are entitled to access, rectification and deletion in accordance with Article 15 of The General Data Protection Regulation. However, the legislator has set certain restrictions on the rights of the data subjects when information is used for research purposes, cf. section 17 of the Personal Data Act. For more, read about Your rights.
Account on how UiB processes personal data on patients in connection with health care, teaching and quality assurance
For information on processing of your information when participating in a research project, see the processing of information about research participants.
UiB records, processes and stores personal data on patients in accordance with the Archives Act, the Patient Records Act, the Health Personnel Act and the Health Research Act.
Information that is processed
Patient information is stored in the electronic patient record. It contains information about names, birth numbers and contact information, as well as information about diagnosis, course of disease, treatment, information provided and other matters that may be of importance.
Which personal data is processed is evaluated based on the personal data needed to conduct a survey and processing. As a general rule, information about you collected for a particular purpose cannot be used for other purposes without your consent. Reuse of the information may be used for quality assurance purposes and for other purposes incompatible with the original purpose.
Both the student treating you and the supervisor are subject to the duty of confidentiality.
Information is obtained in the form of conversations, surveys, treatment, observations and the like.
Information can also be collected from other therapists, such as a GP or hospital, or from relatives. In order for UiB to obtain information from others, consent is generally required.
The personal data information is preferably processed on the basis of an informed consent.
Information that is registered about patients at UiB is usually provided only after consent.
There are strict rules for how a journal should be processed, kept and who can access it. The journal information is stored electronically on a secure terminal server or on a PC that is not connected to the network. Students have limited access to medical records for patients they do not treat and students' access is limited to the period of practice.
Records must be kept until they are no longer thought to be of use to them. When this is no longer the case, as a general rule, the journals must be safely shredded.
Delegation of tasks
Daily treatment responsibility: Clinic Director.
Processing in connection with courses and events
Event / Conference online registration privacy statement - for UiB
Disclosure of personal data to others outside UiB
The personal data information about students and staff is registered by the university for use for specific purposes and shall be used according to it. At the same time, UiB is required by law to disclose some information to other public bodies, such as the Norwegian State Educational Loan Fund and the tax authorities. Other players may also be interested in such information.
As a general rule, UiB can only disclose your personal information to others once you have consented. In some cases, information is provided without consent: when authorized by law, to fulfill an agreement with you, or when necessary to perform tasks assigned to UiB as the controller.
Examples of disclosure of personal data without consent:
- Information to an employer, insofar as the information relates to the employee's fitness for a particular job or assignment, when permitted by law
- Research: Disclosure usually requires consent, but can also be done without consent if the research project has been granted exemption from the duty of confidentiality.
- To The Norwegian Labour and Welfare Administration. The Norwegian Labour and Welfare Administration has the right to obtain information for control purposes as part of case processing, cf. Section 21-4 of the National Insurance Act.
- The state loan fund for education, under the provisions of the law.
- To the tax authorities, under the provisions of the law.
- Closest relatives, when the information is needed for the next of kin to make decisions on behalf of a relative who is not in a position to make a decision.
- Information necessary for the handling of certain types of cases can be provided to the committee responsible for handling the case. This means necessary information in connection with:
  - Complaints and fraud cases to the Central Appeals Committee at UiB, and the national Joint Appeals Committee (appointed by the Ministry of Education and Research)
  - Suitability cases to The Suitability Committee
  - Individual cases in connection with scientific dishonesty to The Research Ethics Committee.
Processing responsibilities: access to employees' and students' personal storage areas, e-mail boxes or the individual's online activity
In principle, no one at UiB or outside has access to students' and employees' personal e-mail boxes, personal storage areas or the individual's online activity. This can only happen in very special cases regulated by the ICT Regulations and pursuant to Section 9-5 of the Working Environment Act, the Personal Data Act and The General Data Protection Regulation. Such exceptions may, for example, be in connection with sickness absence, death or suspected criminal circumstances.
The purpose of logging is to ensure stable operation, capture and clarify conditions around undesirable events and manage quota restrictions (for example, for printing and disk space). Only logging personnel are responsible for the systems in question. The logs should not be used for any purpose other than that for which they were collected, and they will not be disclosed to outsiders. Disclosure to the police and prosecuting authority shall only take place with the written permission of the university director.
Press and public access to personal data according to the law of publicity
All case documents at UiB are usually public if no exceptions are made in law or pursuant to law. This means that anyone who requests access can get to know the contents of the documents. Confidential information is exempt from public access. This may include sensitive information related to students, staff, patients and research participants, and information related to research and trade secrets. Internal documents can also be exempted from public access.
The Documentation Management Center manages UiB's central postal reception and archive. The section has the overall archive academic responsibility at the university.
A journal is a register of case documents that are processed in a body. UiB's Public Journal is an electronic postal journal that provides an overview of journalized case documents at UiB. The information is available online for the last three months. The case officer is responsible for ensuring that documentation is accurate and sufficient, and that any exceptions from public disclosure have been made on the correct legal basis. The Documentation Management Center conducts a quality assurance of the Public Journal before publication.
Access to case documents
Inquiries to UiB regarding access requests will also be public, whether it is in the form of letters or electronically in the form of e-mail. All inquiries are registered in UiB's electronic archive and case management system.
Information about how UiB processes personal data in logs from IT systems.
The legal basis for the processing of personal data in logs is the Personal Data Act and the General Data Protection Regulation Article 32.
The purpose of logging the activity in IT systems is to manage systems, ensure stable operation and detect and resolve unwanted events.
The logs are categorized as:
- operating logs - logs that are normally stored in UiB's or partners' IT systems and have information about the technical state of a solution but may also have information about logins and other activities related to people.
- application logs - logs from services that can contain data that identifies people and activities in applications.
UiB has regular operating logs and application logs in its IT systems.
There are also flow logs that contain information about which devices are communicating and how much data is being sent. This means that most of the activities that users of the systems undertake leave electronic traces.
The information exists in the logs as part of a larger technical logging activity. They are obtained from a number of systems where central machines ensure reliable traffic between the user and the systems.
Usually, the logs are not disclosed, as they are intended as technical operating logs to ensure stable operation and detect unwanted or abnormal events. They can be handed over to police or prosecutors on the basis of a court order. The University Director may request that logs be handed out in accordance with Articles 32 and 33 of the General Data Protection Regulation.
All logs from the IT systems are collected in central log receipt where they are processed and deleted in accordance with the guidelines set by the IT Director.
Logs are only available to those in the IT department who run the central logging facility. Those who have access to search the logs must have a service need and such searches are also logged. Everyone at the IT department has signed a secrecy statement.
An account of how UiB processes personal data to secure the university's premises
The legal basis for processing personal data in logs and camera surveillance is Article 6 (1) and Article 10 of the General Data Protection Regulation.
The purpose of the University's use of personal data in connection with the use of the University's buildings and premises by employees and students is to protect the lives and health of employees and students, as well as to protect information and values that are important for the operation of the University, including to detect and resolve unwanted events, such as theft and vandalism.
Students and staff are photographed when given access cards. The name, username, date of birth and library username are stored. In addition, technical information about which access is granted to the card is stored, such as rights related to specific buildings or areas. The personal information is automatically retrieved from UiB's user systems and The Common Student System (FS).
UiB has electronic access control on selected doors / functions in UiB's buildings. Only the cardholder can consent to seeing the log of the card number, or police when notification is given. The information stored when a card and PIN code are used is the card number linked to name, time and door / card reader. The log is deleted after 30 days. Only staff at the card center have access to stored information.
Cameras are placed only to cover the outside and the interior and exterior. The cameras film continuously and recordings are stored for 7 days before being deleted.
Only dedicated people have access to the systems. They have an access profile tailored to their tasks. They log on to the systems as personal users.
Information from the physical security systems is only released to the police if there is a court order, or upon notification. Anyone who is to report an incident / relationship to the police can be given a recording / picture by documenting in writing from the director / department head that authority to report from the faculty or central administration has been granted. Only the Fire Protection and Physical Security Manager has the authority to provide information from the systems.
Users are disabled when they no longer need access cards.
The property director is delegated daily responsibility for processing personal data as part of the physical security. This means, among other things, making sure that necessary routines have been drawn up to ensure confidentiality and quality and that the information is not stored longer than necessary, as well as ensuring that the necessary training is provided.