
Policy for information security

This page presents NTNU’s policy for information security.

Norwegian version: Politikk for informasjonssikkerhet

About the Policy for information security

  • Type of document: Policy
  • Managed by: Digital Security Section
  • Approved by: Director of Organization and Infrastructure
  • Applies from: 01.10.2025
  • Next revision by: 01.10.2027
  • Classification: Open
  • Reference ISO 27002:2022: 5.1, 5.2, 5.31, 5.35, 5.36
  • Reference Policy on information security and data protection in higher education and research (F-04-20): Pts 1-2
  • Reference NSM's Basic Principles of ICT Security: 1.1.1, 1.1.2, 1.3.3a
  • Reference LOV/Rule: eGovernment Regulations (eForvaltningsforskriften) § 15 and § 20; the GDPR (personvernforordningen) Articles 5, 24 and 32
  • Reference internal documents: ICT Regulations, Policies for Information Security and Privacy, NTNU's Governance document for Security and Emergency Preparedness

Purpose

The purpose of the Information Security and Data Protection Policy is to establish the framework for NTNU’s work on information security and digital security. The policy is intended to ensure that efforts to safeguard NTNU’s information assets comply with key laws and regulations, as well as relevant governmental guidelines. It also defines the scope of NTNU’s information security work, including overarching principles, security objectives, and strategy.

The work on information security and digital security aims to enable NTNU to fulfill its societal mission in a way that maintains trust among employees, students, partners, and society at large.

Information security efforts at NTNU largely overlap with digital security work. Most of the assets processed and stored at NTNU are information, or areas, systems, and people that store or process information. These are structured as either primary or secondary assets.

  • Primary assets refer to information managed and processed through NTNU’s research, education, innovation, and administration.
  • Secondary assets refer to the tools we use and the competence of those who use them. This includes employees, students, locations, organizational structures, hardware, software, and networks.

The Information Security and Data Protection Policy is subject to NTNU’s ICT regulations and overarching information security guidelines. Together, these constitute the information security management system, which forms the foundation for NTNU’s information security work and is an integral part of NTNU’s overall governance. The management system provides the framework for a systematic and holistic approach across the governing, implementing, and controlling aspects of information security work.

Applies to

NTNU’s policy on information security, digital security and privacy applies to all individuals who have access to, store, process, or transmit information assets through NTNU or its affiliated activities.

Definition

Information assets are information that can cause harm to individuals, organizations, or society if it is compromised, lost, or altered. Information assets are structured as either primary or secondary value. Primary value pertains to information processed and managed through NTNU’s research, education, innovation, and administration. Secondary values relate to the tools we use and the competence of those who use the tools. This includes employees, students, locations, organization structures, hardware, software, and networks.

Information security refers to the protection of information against unauthorized access, ensuring its availability when needed, and safeguarding it against unwanted alterations. Information security is concerned with how the confidentiality, integrity, and availability of information are maintained.

Confidentiality – Ensuring that specific information is not disclosed to unauthorized individuals and that only authorized personnel have access to it.

Integrity – Ensuring that information processing is complete, accurate, valid, and the result of authorized and controlled activities.

Availability – Ensuring that a service meets specific stability requirements so that relevant information is accessible when needed.

These are the same definitions used in the «Nasjonal Strategi for informasjonssikkerhet» (National Strategy for Information Security).

Overarching Principles

Overarching principles define the framework for all work related to information security, digital security, and privacy at NTNU. By adopting this policy, the management has established the following overarching principles:

  • The work on information security shall form the foundation for NTNU to fulfill its societal mission and maintain public trust.
  • NTNU shall work systematically, methodically, and purposefully with information security to balance risk with openness.
  • NTNU shall protect its information assets and digital infrastructure through complementary security measures across multiple layers that prevent or limit damage from unwanted incidents affecting NTNU, partners, individuals, or society.
  • NTNU shall safeguard confidentiality, integrity, and availability through security measures where value and action are balanced—being as open as possible, but as closed as necessary.
  • A risk owner cannot accept risks that extend beyond their own risk domain or that may cause harm to NTNU, individuals, society, partners, or others.

Security Goals

The NTNU management has adopted the following goals and priorities for the work on information security:

  • NTNU shall maintain an overview of the information assets that are processed and managed, as well as the risk-reducing measures implemented to protect them.
  • NTNU shall have a resilient and defensible digital infrastructure, designed to adequately protect information and infrastructure, and to detect, manage, and limit damage from unwanted incidents.
  • Everyone with a user account associated with NTNU shall have an awareness of information security and privacy, and contribute to protecting NTNU’s information assets by adhering to principles and requirements for information security.
  • NTNU shall use security incidents, deviations, and audits for systematic and continuous learning, improvement, and targeted actions so that the organization can best address risks and the current threat landscape.

Strategy for Information Security

The strategy outlines how NTNU will achieve its goals for information security by focusing on three core areas. The first is the implementation of risk management by the organization and its leaders within their units, the second is the development of a security culture, competence, and attitudes, and the third is maintaining a robust infrastructure that ensures digital security:

Risk management and control of information security are leadership responsibilities and part of regular organizational governance and internal control. Leaders must have a solid understanding of risk and an overview of the information assets they are responsible for, enabling them to make informed decisions and prioritize the implementation of security measures.

Work on security culture and training shall be a systematic and continuous improvement process. Increased competence should enable employees and students to protect NTNU’s information assets through a risk-based approach.

NTNU shall protect information assets through systematic implementation of the requirements in guidelines designed according to control points in ISO 27002:2022. Requirements for information security and privacy shall be addressed in the design, procurement, development, management, and disposal of information systems and digital infrastructure. The Norwegian National Security Authority’s (NSM) Basic Principles for ICT Security, version 2, are used as the benchmark for the minimum acceptable level of foundational digital infrastructure security. In addition, incidents and deviations are actively used to measure compliance with various requirements.

The work on information security is a continuous process and can be divided into three parts:

  • Governing part defines principles and goals, guidelines, and delegated responsibilities within the work on information security. This is specified through the information security management system.
  • Implementing part consists of training and the execution of requirements in the information security management system. At a high level, this involves maintaining an overview of information assets, performing value assessments and establishing ownership, identifying risks to the information assets, and implementing risk-reducing measures to reach an acceptable level of risk.
  • Controlling part consists of incident handling, deviation management, reporting, auditing, and management review.

Follow-up on digital security culture, training, and competence development in information security and data protection

NTNU shall have a systematic follow-up of digital security culture and implement targeted, risk-based measures. This work shall be documented and follow a transparent methodology adapted to NTNU as an organization.

Security culture can be defined as the values, attitudes, knowledge, and norms related to information security among students and employees in the organization (https://snl.no/sikkerhetskultur). The concept also includes data protection in digital contexts.

The measures shall provide employees and students with appropriate training and competence development, as well as access to other awareness-raising initiatives. NTNU shall:

  • Offer basic training in information security and privacy to all students and employees
  • Increase awareness and understanding of the risk and threat landscape (at NTNU, nationally, and internationally)
  • Provide staff, leaders, and students with the competence to safeguard information security and privacy in their daily work and study activities, based on their role and function at NTNU
  • Through targeted training for leaders and other key roles, raise awareness of information security and ensure appropriate competence in support functions

Roles and Responsibility

The work on information security affects the organization at all levels. Responsibility and authority for information security follow the regular line management structure.

Managers who are responsible for goals, tasks, services, and processes also hold responsibility for the associated information handling and information security. Some roles are specified through the information security management system and are assigned specific responsibilities for defined areas.

Board

  • Is ultimately responsible for information security and should be informed annually about the work on information security
  • Is responsible for conducting internal audits of information security at NTNU

Rector

  • Is the overall data controller for the processing of personal data at NTNU
  • Is the overall research responsible party (applies to health research) at NTNU
  • Has overarching responsibility for ensuring that information security and data protection are integrated into strategic decisions
  • Shall annually inform the Board about the work on information security and data protection

Director of Organization and Infrastructure

  • Is delegated responsibility for the day-to-day data processing in accordance with the General Data Protection Regulation (GDPR) Article 4(7) and Article 24
  • Is the local emergency preparedness coordinator for the central administration
  • Is responsible for approving, coordinating, and implementing necessary measures to ensure that the processing of personal data complies with NTNU’s objectives, guidelines, and legal requirements
  • May assign obligations to faculties to ensure satisfactory information security
  • Is responsible for ensuring that the requirements in the information security policy are implemented in the organization through a functioning information security management system
  • Shall ensure sufficient funding for the work on information security
  • Shall ensure that the Data Protection Officer is regularly invited to meetings with the Rector and the Deans
  • Shall ensure that the Chief Information Security Officer (CISO) is regularly invited to meetings with the Rector and the Deans
  • Approves revisions of the information security management system

Chief Security Officer (CSO)

  • Is delegated the coordinating responsibility for security and emergency preparedness work at NTNU by the Director of Organization and Infrastructure
  • Shall structure the overall security work in accordance with legal and regulatory requirements, and in line with the ambition of "One NTNU"
  • Is responsible for professional coordination and support to local/on-site security resources within the security organization
  • Due to the overarching coordinating responsibility of the role, the Chief Security Officer shall be consulted in case of changes to the information security management system

Chief Information Security Officer (CISO)

Responsibility and Leadership:

  • Is delegated responsibility for information security by the Director of Organization and Infrastructure
  • Acts as an advisor to the Rector and the organization on matters of information security
  • Is responsible for leading the overall work on information security in the organization by developing, implementing, and following up on strategy, policy, guidelines, and measures to protect the institution’s data, systems, and information resources against physical and digital threats
  • Also leads the Digital Security Section in the IT Department

Measures and Implementation:

  • Is responsible for digital emergency preparedness, including detecting, managing, analyzing, and investigating security incidents, executing immediate damage control measures, and handling discrepancies related to information security and data protection
  • Is responsible for developing and implementing strategies within information security
  • Is responsible for systematic preventive work on information security targeting students, employees, and managers
  • Shall ensure that relevant parties are notified in the event of serious breaches of information security
  • Is responsible for initiating necessary actions to ensure proper deviation handling in case of information security breaches
  • Is responsible for ensuring that the information security management system is reviewed at least every two years to ensure desired effectiveness and efficiency in the work on information security

Reporting and Authorization:

  • Is responsible for compiling the management’s annual review of the information security work and reporting it to the Board, including reporting on discrepancies, incidents, risks and vulnerabilities, compliance with the information security management system, and the digital threat landscape
  • Supports the Chief Security Officer in the annual reporting of NTNU’s overall security work
  • Is responsible for user authorization across various systems, updates necessary instructions, provides guidance on information security, and prepares and participates in meetings with external authorities regarding information security

Line managers

Line managers are responsible for ensuring that their unit complies with the provisions of the information security management system. This applies to managers at all levels (Pro-Rectors, Directors, Heads of Office, Heads of Section, Deans, Museum Director, Heads of Department, etc.), both in academic and technical/administrative lines.

Line managers, through delegation from the Rector, have responsibility and authority for security work within their own area of responsibility and operations, as outlined in the delegation regulations.

Line managers have the following responsibilities:

Information Security and Data Protection:

  • Are responsible for compliance with information security requirements, including the processing of personal data within their own unit
  • Shall be familiar with NTNU’s information classification and the types of information processed by their unit
  • Shall ensure that the unit has routines to guarantee that both digital and analog information is processed, handled, and stored in ICT systems approved for use, transport, or storage according to the information classification
  • Are responsible for maintaining an up-to-date overview of ICT systems used within their unit that are not part of the IT department’s service catalog, as well as an overview of personal data processing activities within their unit (outside the IT department)
  • Shall ensure that a record (protocol) is kept of personal data processing activities within their unit, and are also responsible for keeping this record updated and maintained
  • Are obligated to ensure that a risk assessment is conducted before the processing of personal data can begin
  • Shall ensure that a Data Protection Impact Assessment (DPIA) is carried out where required, in consultation with the Data Protection Officer. The line manager is the risk owner for measures in the DPIA within their unit
  • Are responsible for entering into a written data processing agreement if external parties (an organization or individual) are to process personal data on behalf of NTNU
  • Are responsible for reviewing the data processing agreement every two years, revising it if necessary, and obtaining documentation from the data processor’s security audit
  • Are responsible for ensuring that personal data transferred to countries or international organizations outside the EU/EEA is only transferred if the requirements of Chapter V (Article 44 ff.) of the GDPR are met
  • Shall ensure that data subjects are informed and that inquiries from data subjects are followed up in accordance with the requirements of the GDPR
  • Are responsible for ensuring that the processing (use, storage, deletion, disclosure, etc.) of images, video, and audio recordings is carried out in accordance with privacy regulations and NTNU’s processes, routines, and selected tools/systems
  • Are responsible for ensuring that the physical conditions support secure processing of personal data within the unit
  • Are responsible for developing routines to minimize security risks in the processing of personal data within the unit, including routines for deletion
  • Are responsible for ensuring that personal data is deleted from shared areas within their unit
  • Shall ensure continuous deletion/clean-up of unnecessary personal data—within 6 months—after an employee leaves or a student graduates or withdraws

Training and Competence:

  • Are responsible for ensuring that employees receive necessary training in the regulations governing the processing of personal data
  • Are responsible for ensuring that employees within the unit have sufficient training in information security, and are able to fulfill their duty to assess risks in new projects and processing activities, as well as report deviations in case of information security breaches
  • Are responsible for ensuring that staff have adequate competence to handle personal ICT equipment used to access, transport, and/or store NTNU’s information assets

Routines and Internal Control:

  • Are responsible for establishing necessary local routines when needed
  • Are responsible for ensuring compliance with legislation, routines, and approvals, and for closing any deviations
  • Are responsible for ensuring that internal control in the information security work functions properly within their unit
  • Shall ensure that the unit has routines that guarantee that the use of personal ICT equipment for processing, handling, and storing information complies with the guideline for securing personal ICT equipment
  • Are responsible for ensuring that their unit complies with routines for suppliers and supplier agreements
  • Shall ensure proper registration and management of roles and identities within their area of responsibility
  • Shall ensure corrections and removal of access are carried out according to the principles and requirements set out in the Access Control Guideline within their area of responsibility
  • Shall ensure that access to sensitive information is managed according to the principles and requirements defined in the information security management system within their area of responsibility

Discrepancy Management and Improvement Work:

  • Are responsible for ensuring that discrepancy management is part of the improvement work within their unit
  • Are responsible for conducting dialogue with respective subordinate units regarding the information security work, including the follow-up of routines and deviations, at least on an annual basis

Administration and documentation:

  • Are delegated authority as the research responsible party under the Health Research Act for their unit and shall maintain an overview of the unit’s health research portfolio
  • Are delegated authority as the data controller for their unit and shall maintain an overview of the unit’s research portfolio
  • Are responsible for ensuring that all employees within the unit have access to services and materials that enable users to protect NTNU’s information and information systems
  • Are responsible for ensuring that confidentiality agreements are used within the unit in accordance with the requirements of the information security management system

Head of Development and Governance Division

  • Is responsible for ensuring that information security and data protection, as part of several operational areas, are included in a comprehensive internal control system
  • Is responsible for ensuring that access control work is subject to internal/external audit to verify that the desired effect is achieved with appropriate use of resources

Head of HR and HSE Division

  • Is responsible for ensuring that managers are familiar with and have sufficient competence to fulfill their responsibilities in accordance with the information security management system
  • Is responsible for ensuring that NTNU has established adequate confidentiality agreements that meet the requirements for information security in accordance with the information security management system
  • Shall ensure proper routines for the management of roles and identities, and that these are integrated into relevant processes

Head of Financial Division

  • Is responsible for ensuring that NTNU maintains an overview of supplier agreements
  • Is responsible for ensuring that NTNU has a routine for supplier follow-up

Head of Procurement and Purchasing Section

  • Is, in collaboration with the Head of the IT Division, responsible for developing routines that ensure compliance with information security requirements when entering into supplier agreements and during contract management

Head of IT Division

ICT Infrastructure and Information Security

  • Is responsible for maintaining a continuous and updated overview of NTNU’s ICT infrastructure, and for ensuring that information security and data protection are safeguarded within and between systems
  • Is responsible for keeping a record of ICT tools (in accordance with the Personal Data Act)
  • Is responsible for implementing security requirements for NTNU’s ICT infrastructure
  • Is responsible for ensuring that the requirements in the “Guideline for Network and Information Transfer” are implemented within the organization
  • Is responsible for ensuring that the requirements in the “Guideline for Operational Security” are implemented within the organization
  • Is responsible for ensuring that the requirements in the “Guideline for Securing Personal ICT Equipment” are implemented within the organization
  • Is responsible for ensuring that the principles and requirements defined in the Access Control Guideline are followed within the IT Division
  • Is responsible for developing routines that safeguard information security in all phases of ICT management

Emergency Preparedness and Incident Management

  • Is responsible for emergency preparedness for the IT Division
  • Is responsible for incident and crisis management within the IT Division
  • Approves the incident management plan
  • Approves the crisis management plan

Access and Competence

  • Is responsible for ensuring that all employees and students at NTNU have access to services and materials that enable users to protect NTNU’s information and information systems
  • Is responsible for managing NTNU’s electronic organizational certificate
  • Is responsible for reporting on implementation rate, effect, and efficiency in the work on secure development
  • Is responsible for ensuring that staff have the competence to meet the requirements for secure development

Head of Digital Security Section

Incident management and security:

  • Is responsible for implementing the incident response plan
  • Is responsible for implementing the crisis management plan
  • Is responsible for detecting, coordinating, and managing security incidents
  • Is responsible for detecting, coordinating, and managing vulnerabilities
  • Is responsible for the procedure for triage of security incidents
  • Shall ensure that the incident response plan is followed within the Digital Security Section
  • Is responsible for procurement, application processing, and contract management of the organizational certificate, as well as its termination
  • Is responsible for setting requirements for securing information in the network or information transferred to others
  • Is responsible for providing guidance to secure the network
  • Is responsible for proposing measures to reduce vulnerabilities in the network
  • Is responsible for systems and routines for technical vulnerability management within the organization
  • Is responsible for establishing a central logging system within the organization
  • Is responsible for providing central solutions for malware protection within the organization
  • Is responsible for central security monitoring and analysis
  • Is responsible for approving changes that may affect NTNU’s security
  • May impose additional security measures on the organization, beyond those mentioned in this guideline, based on threat and risk assessments

Access Control and Reporting:

  • Is responsible for ensuring that the unit has sufficient competence and tools to meet the requirements in the “Guideline for Operational Security”
  • Is responsible for ensuring that the access control guideline complies with the necessary requirements to ensure secure access to NTNU’s ICT infrastructure
  • Is responsible for temporarily overriding assigned access rights in situations where this is necessary to safeguard the security of NTNU’s ICT infrastructure
  • Is responsible for reporting on the effectiveness and efficiency of measures implemented to protect against unauthorized access, attacks, and/or threats to NTNU’s ICT infrastructure

Head of IT Infrastructure Section

Operations Management and Emergency Preparedness:

  • Is the emergency preparedness leader for the IT Division
  • Is responsible for detecting, coordinating, and managing operational incidents
  • Is responsible for classifying operational incidents
  • Is responsible for the procedure for triage of operational incidents
  • Shall be consulted regarding the incident response plan
  • Shall be consulted regarding the crisis management plan
  • Shall ensure that the incident response plan is followed within the IT Infrastructure Section
  • Is responsible for central operations monitoring for the organization
  • Is responsible for backup of shared systems and infrastructure

Information Security and certificates:

  • Is responsible for distributing the organizational certificate and storing it in a secure location
  • Is responsible for developing routines that safeguard information security in all phases of ICT operations
  • Is responsible for ensuring that systems are operated and decommissioned in accordance with the information security management system
  • Is responsible for ensuring that the unit has sufficient competence and tools to meet the requirements in the “Guideline for Operational Security”
  • Is responsible for implementing mandated security controls in the infrastructure within a reasonable timeframe and without undue delay

Head of IT FOCUS Section

  • Shall ensure that the incident response plan is followed within the IT Development Section
  • Is responsible for developing routines that safeguard information security in all phases of ICT development
  • Is responsible for ensuring that employees have the competence to meet the requirements for secure development and privacy by design

Head of IT Support Section

  • Shall ensure that the incident response plan is followed within the IT Support Section
  • Is responsible for ensuring that the unit has sufficient competence and tools to meet the requirements in the “Guideline for Operational Security”

System Owner

System Administration and Maintenance

  • All information systems at NTNU must have a designated system owner
  • Responsible for ensuring that the system’s development, management, and operation meet information security and privacy requirements
  • Shall ensure that systems are developed, implemented, operated, and decommissioned in accordance with the management system
  • Shall ensure that systems and services are delivered in accordance with guidelines
  • Shall register the system in NTNU’s Service Portfolio
  • Responsible for keeping documentation updated and accurate
  • Shall ensure that functionality and user interfaces comply with information security requirements
  • Shall provide relevant training materials for secure use of the system
  • Shall ensure internal control of IT systems
  • Shall implement access control in accordance with guidelines
  • Shall define roles with access to the system

Information Security and Classification

  • Specify which classifications of information an ICT system may use, transfer, and store
  • Conduct risk assessments of the system
  • Ensure regular quality assurance of information security throughout the system’s lifecycle

System Administrator

  • Responsible for safeguarding the system owner’s interests in relation to the content of agreements with suppliers
  • Shall place internal and external orders in accordance with contracts when needed
  • Shall notify the system owner of any need for changes to contracts
  • Responsible for managing the system in accordance with documented information security requirements and other relevant documentation related to development, operation, and management
  • Shall assist with advice and content for training and ensure it is available where relevant
  • Shall ensure that all development, operation, and management are carried out in accordance with applicable guidelines
  • Responsible for acceptance testing before the IT system is put into production, including preparation of criteria, test plans, and execution of acceptance tests

System Developer

  • Responsible for secure coding, with particular responsibility for ensuring privacy by design in solutions, as well as testing, identifying, and reporting deviations or suspected vulnerabilities

Process Owner

A process owner is a manager in the central administration responsible for cross-functional administrative processes at NTNU. The process owner often shares responsibilities with line managers and is responsible for common procedures and guidelines, and for continuously managing, improving, and following up on cross-functional processes within their area.

  • Responsible for cross-functional administrative processes at NTNU
  • Shall maintain a record of personal data processing for cross-functional administrative processes and ensure it is updated and maintained
  • Responsible for common procedures and guidelines and shall continuously manage, improve, and follow up on processes to ensure compliance with personal data processing requirements
  • Shall conduct an overall risk assessment of processes involving personal data
  • Responsible for entering into written data processing agreements if external parties (organizations or individuals) process personal data on behalf of NTNU
  • Responsible for reviewing data processing agreements at least every two years, revising them if needed, and obtaining documentation from the data processor’s security audit
  • Responsible for ensuring that personal data transferred to countries or international organizations outside the EU/EEA complies with Chapter V (Article 44 ff.) of the GDPR
  • Responsible for developing routines to minimize security risks in personal data processing in cross-functional administrative processes, including routines for deletion
  • Shall ensure continuous deletion/clean-up of unnecessary personal data within 6 months after an employee leaves or a student graduates or withdraws

Research Project Leader / Project Manager

  • Responsible for internal control in the project and for operational execution from planning to completion, ensuring compliance with relevant legislation, research ethics, and internal guidelines
  • Responsible for obtaining necessary approvals and notifications, and for ensuring that required agreements related to information security and privacy are in place
  • Responsible for managing access if confidentiality is required, e.g., when processing personal data in the project
  • Responsible for ensuring that relevant and necessary documentation requirements are met in the project
  • Shall ensure that sufficient risk assessments are conducted for the project
  • Responsible for ensuring that confidentiality agreements are used in the project in accordance with the requirements in the management system guidelines
  • Responsible for ensuring that information transferred during the project period is secured in accordance with the guideline for information classification

Supervisor for Students and PhD Candidates

  • Responsible for ensuring that students and PhD candidates in student projects are made aware of NTNU’s routines, guidelines, and overarching regulations related to information security and personal data processing

Data Protection Officer

  • Shall advise NTNU as data controller on how to best safeguard privacy interests
  • Shall provide advice upon request regarding Data Protection Impact Assessments (DPIAs)
  • Shall monitor the execution of DPIAs
  • Shall monitor compliance with regulations
  • Shall be informed of and follow up on deviations in case of privacy breaches
  • Shall be the contact point for the Norwegian Data Protection Authority and data subjects
  • Shall ensure that NTNU’s guideline for deviation handling is followed
  • Shall ensure that NTNU fulfills its obligations to notify the Data Protection Authority and data subjects

Research Data @ NTNU

  • Provides advice and guidance related to personal data processing in research projects
  • Shall collaborate with and serve as a contact point for Sikt in the follow-up of specific projects
  • Is a shared support service for research data provided by the University Library and NTNU IT

Data Protection Advisor for Research (Sikt)

  • Shall advise NTNU as data controller on how to best safeguard privacy interests in research projects
  • Shall receive notifications of personal data processing in research projects and maintain a record/archive of such processing activities

All Users of NTNU’s Infrastructure

  • Responsible for complying with the ICT regulations
  • Responsible for familiarizing themselves with relevant legislation on information security, including the Personal Data Act, Health Research Act, Copyright Act, and eGovernment Regulations
  • Responsible for familiarizing themselves with relevant guidelines for information security when using NTNU’s ICT infrastructure and in research and other projects
  • Obligated to report deviations (unwanted incidents) in case of breaches of information security or personal data processing, in accordance with the current deviation handling guideline
  • Obligated to complete mandatory training offered by NTNU on security
  • Obligated to comply with security requirements in daily tasks at NTNU

Key Laws and Regulations

  • Personal Data Act (and General Data Protection Regulation – GDPR): Provides rules for the protection of individuals in connection with the processing of personal data, obligations for NTNU as the data controller, the use of a data protection officer, and rights for the data subject
  • Administrative Procedure Act (and eGovernment Regulations): Requirements for case processing, documentation, due diligence, as well as requirements for internal control and information security
  • Public Access to Information Act: Requires that NTNU, as a public institution, be open to scrutiny while allowing exceptions for access when permitted or required by law
  • Archives Act: Contains rules regarding the documents that should be archived and requirements for archiving
  • Health Research Act: Requirements for organization, roles, and responsibilities in health research
  • Health Registers Act and Health Personnel Act: Rules on the processing of patient data and confidentiality obligations for healthcare personnel
  • Research Ethics Act: Requires that research adhere to recognized research ethics norms, a duty that applies to both the researcher and the institution
  • Copyright Act: Contains rules on intellectual property rights and the use of images
  • Protection Instruction and Security Act: Imposes requirements for classification and handling of information
  • Export Control Act: Provides rules for control and prohibition of the export of strategic goods, services, and technology, including illegal knowledge transfer

Additionally, other laws and regulations may be relevant, such as the Electronic Communications Act, Police Register Act, Biobank Act, and Patient Records Act.