Processing of personal data - policy

Policy for processing of personal data.

Norwegian version - Retningslinje for behandling av personopplysninger

Table of Contents

  1. Purpose
  2. Applies to
    1. Scope
  3. Roles and responsibilities
  4. Key terms and Definitions
  5. Requirements for the Processing of Personal Data
    1. General Principles for Privacy
    2. Record of Processing Activities
    3. Legal Basis for Processing
      1. General
      2. Personal Data About Applicants, Students, and Doctoral Candidates
      3. Personal Data About Employees
      4. Consent as Legal Basis for Processing
    4. Risk Assessment
    5. Assessment of Privacy Implications and Prior Consultation with the Norwegian Data Protection Authority
      1. General Information About Data Protection Impact Assessments (DPIA)
      2. Obligations to Consult with the Norwegian Data Protection Authority in the Case of Persistent High Risk
    6. Data Processor Agreement
    7. Transfer of Personal Data to Countries Outside the EU/EEA
    8. Rights of the Data Subjects
    9. Photo, Video, and Audio Recordings
    10. Camera Surveillance
    11. Access Control
    12. General Processing of Personal Data
    13. Confidentiality
    14. Storage, Deletion, and Archiving
    15. Use of National Identification Numbers
    16. Use of E-mail
    17. Disclosing Information About Students and Employees to External Parties
    18. Relationship to Access Rights Under Other Laws
    19. Privacy by Design
  6. The Processing of Personal Data in Research
    1. Notification to Sikt Privacy Services
    2. Health Research – Pre-approval by REK
    3. Evaluation of Privacy Consequences (DPIA)
    4. Legal Basis for Processing
      1. In General
      2. Health Research
      3. Further Processing for Research Purposes
    5. Data Management Plan (DMP)
    6. Storage of Active Research Data
    7. Access to Research Data by Project Staff
    8. Conclusion of Research Projects
    9. Monitoring and Compliance – Research Projects
      1. Monitoring of Initiation
      2. Monitoring of Execution
      3. Monitoring of Conclusion
  7. The Processing of Personal Data in Connection with Teaching
    1. Video and Audio Recordings
    2. Image, Video, and Audio Recordings – Students in Internships/Practical Training
      1. Use of video and audio recordings in teacher education practical training
    3. Learning Platforms
    4. Student Projects
  8. Monitoring and Compliance
  9. Compensation and Restitution for Privacy Breaches
  10. References
  • Type of document: Topic specific policy
  • Managed by: CISO, Digital Security Section
  • Approved by: Director of Organization and Infrastructure
  • Valid from: 01.10.2025
  • Next revision by: 01.10.2027
  • Classification: Open
  • Reference ISO: ISO 27002:2022; 5.10, 5.34, 8.10, 8.11
  • Reference law/regulation: EU General Data Protection Regulation (GDPR), Article 5 (core principles) and Article 24
  • Reference internal documents: The Policy for the Processing of Personal Data is subject to NTNU's Policy for Information Security and ICT Regulations.

Purpose

The purpose of this policy is to:

a. Ensure that personal data about applicants, students, employees, research participants, and others whose personal data is processed by NTNU is handled in accordance with applicable legislation

b. Protect individuals from violations of their privacy

c. Ensure that individuals, upon request, have access to the information registered about them

d. Facilitate research involving the collection and processing of personal data, while safeguarding the rights and legal protections of research participants in a proper manner

Applies to

a. All employees at NTNU

b. All students at NTNU

c. Anyone who has access to and/or processes and manages personal data through NTNU’s ICT infrastructure.

Scope

The policy applies to all areas of activity at NTNU. It applies to personal data that is processed electronically, in whole or in part. The policy also applies to manual processing of personal data that is included or intended to be included in a filing system, i.e., where it is easy to identify individuals.

Personal data also includes pseudonymized data, indirect data, and confidential information. Anonymous data is not considered personal data.

Roles and responsibilities

Information security work affects the organization at all levels. Responsibility and authority for information security follow the regular line management structure. All roles related to the management system are defined in the Information Security Policy.

For the policy on processing personal data, line managers, process owners, and system owners have key roles with corresponding responsibilities.

Key terms and Definitions

Personal Data: Information and assessments that can be linked to an individual, either directly or indirectly, such as name, identification number, personal photo, online identifier, IP address, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual. Indirectly identifiable personal data includes background information that may make it possible to trace the data back to an individual, such as municipality of residence or institutional affiliation combined with information about age, gender, occupation, nationality, etc.

Special Categories of Personal Data: Data concerning racial or ethnic origin, political opinions, religion, beliefs or trade union membership, processing of genetic and biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person's sexual life or sexual orientation.

Health Data: Personal data related to a natural person's physical or mental health, including information about received health services, which provides insight into the individual's health status.

Processing of Personal Data: Any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymization: Processing of personal data in such a way that the data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures that ensure the data cannot be linked to an identified or identifiable natural person. The data is still considered personal data under the law.

Confidential Information: Information about someone's private matters (e.g., family, illness, health, personal or financial circumstances). Special categories of personal data are a distinct category under the EU General Data Protection Regulation (GDPR) that require additional security measures (e.g., data about health, sexual life, ethnic origin, or political opinions). Both confidential and special categories of personal data are classified as confidential or strictly confidential according to NTNU’s Policy for Information Classification.

Anonymous Data: Data where names, personal identification numbers, and other unique identifiers have been removed so that the data can no longer be linked to an individual. Only when it is certain that the data cannot be traced back to an individual is it considered anonymized. Anonymized data is not personal data and is not regulated by data protection legislation.

Register: Any structured collection of personal data that is accessible according to specific criteria, whether the collection is centralized, decentralized, or distributed based on functional or geographical considerations.

Data Controller: A natural or legal person, public authority, institution, or any other body that alone or jointly determines the purposes and means of processing personal data. NTNU is the data controller in most cases where personal data is processed at NTNU. If two or more data controllers jointly determine the purposes and means of processing, they are considered joint data controllers.

Legal Basis for Processing: The legal grounds for processing personal data. Processing of personal data must have a legal basis to be lawful. The legal bases are set out in Article 6 of the GDPR and, for special categories of personal data, additionally in Article 9.

Data Processor: An external natural or legal person, public authority, institution, or any other body that processes personal data on behalf of the data controller.

Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, through a statement or clear affirmative action, agree to the processing of personal data relating to them. Consent must always be documented and must be as easy to withdraw as it is to give.

Requirements for the Processing of Personal Data

General Principles for Privacy

Privacy concerns the right to a private life and the right to control one’s own personal data. Individuals should, to the greatest extent possible, be able to decide how their personal data is used. The rules for processing personal data are based on a set of fundamental principles, as outlined in Article 5 of the EU General Data Protection Regulation (GDPR). All other provisions in the GDPR are built upon these principles. All processing of personal data must comply with the following principles:

a. Lawfulness, Fairness, and Transparency. There must be a legal basis for processing personal data. At least one of the legal grounds specified in the GDPR must be met. Processing must respect the interests of the data subjects and foster trust. It must be understandable and predictable for the data subject, enabling them to exercise their rights. Transparency is essential for individuals to safeguard their rights and interests.

b. Purpose Limitation. Personal data must only be processed for specific, explicit, and legitimate purposes. It cannot be reused for purposes incompatible with the original intent. Further processing for archiving in the public interest, scientific or historical research, or statistical purposes is considered compatible with the original purposes, provided that technical and organizational measures are implemented to protect the rights of data subjects, particularly to ensure compliance with the principle of data minimization. Measures may include pseudonymization. If the purposes can be fulfilled through processing that does not allow identification of data subjects, this must be done (i.e., anonymization). Further processing requires that the GDPR and relevant laws were followed during the original collection of the personal data.

c. Data Minimization. The amount of personal data collected must be limited to what is necessary for the intended purpose.

d. Accuracy. Personal data must be accurate and, where necessary, kept up to date.

e. Storage Limitation. Personal data must be deleted or anonymized when no longer needed for the purpose for which it was collected, unless the data is subject to archiving requirements (i.e., included in documents used for case processing and valuable for documentation). Public institutions are subject to archiving obligations, which means NTNU is generally required to archive data about employees and students.

f. Integrity and Confidentiality. The data controller (NTNU or its representative) must implement measures to prevent accidental or unlawful destruction, loss, or alteration of personal data. These measures take precedence over availability.

g. Accountability. NTNU must act in accordance with these principles and ensure that the rights of data subjects are upheld. NTNU must be able to document that the organization has implemented the necessary organizational and technical measures to comply with the GDPR.

Record of Processing Activities

a. The overview must include the information specified in Article 30(1) of the EU General Data Protection Regulation (GDPR).

b. The overview must be maintained in NTNU’s central system for documenting the processing of personal data.

c. The notification archive of Sikt’s privacy services for research, which designated NTNU employees have access to, provides an overview of personal data processing in student and research projects that have been reported to Sikt.

d. Health research projects where the Faculty of Medicine and Health Sciences is the research responsible party must be registered in NTNU’s protocol system.

e. Health research projects where other faculties are the research responsible party must be reported to Sikt and will be registered in Sikt’s notification archive.

f. NTNU’s functional analysis (FUP framework) forms the basis for documenting processing activities carried out within the scope of administrative case processes in NTNU’s protocol system.

g. Processing of personal data in ICT systems is documented in a separate overview.

h. Processing of personal data where NTNU acts as a data processor is documented in a separate overview, in accordance with Article 30(2) of the GDPR.

Legal Basis for Processing

General

Processing of personal data requires a legal basis, meaning that there must be a law (e.g., the EU General Data Protection Regulation, the Personal Data Act, or the Universities and University Colleges Act) or regulation that permits the specific processing activity.

To process personal data, one of the legal bases listed in Article 6(1) of the GDPR must be fulfilled. The basis may be consent or one of the other alternatives. At least one of the following conditions must be met:

The data subject has given consent (which must be documented) to the processing of their personal data for one or more specific purposes

The processing is necessary to:

a. Fulfill a contract with the data subject

b. Protect the vital interests (life and health) of the data subject or another natural person

c. Comply with a legal obligation to which the data controller is subject

d. Perform a task carried out in the public interest

e. Exercise official authority vested in the data controller

For the last three alternatives, an additional legal basis in national law is required. Provisions in the Personal Data Act, the Universities and University Colleges Act, or other legislation may serve as such supplementary legal grounds.

If special categories of personal data are to be processed (e.g., health data, data on ethnicity, political opinions, etc.), one of the conditions in Article 9(2) of the GDPR must also be met.

Article 6(1)(f) of the GDPR allows processing of personal data if the organization has a legitimate interest in the processing and the data subject’s privacy does not override this interest. This provision generally cannot be used as a basis for processing personal data about students, as it does not apply to processing carried out by public authorities in the performance of their tasks. However, it may be used as a basis for processing personal data about employees.

Personal Data About Applicants, Students, and Doctoral Candidates

Under Section 2-8 of the Universities and University Colleges Act, the university may process personal data about applicants, students, and PhD candidates when necessary to carry out tasks pursuant to the Act.

This provision also allows for the processing of special categories of personal data when necessary for handling cases under Sections 12-1 to 12-7 of the Universities and University Colleges Act (e.g., police certificates, academic misconduct, suitability assessments), or when the data subject has provided the information or has given permission for it to be collected.

a. The purpose of the processing must be to safeguard the rights of the data subject or to fulfill the institution’s duties and responsibilities under the Universities and University Colleges Act.

b. The university may collect information such as name, national identity number or D-number, work experience, diplomas, and other documentation of acquired competence from other public authorities, from public diploma systems, and from state, county, or private educational institutions, when necessary to carry out tasks under the Universities and University Colleges Act.

If personal data is to be processed in other contexts, the student must give consent, or another legal basis must be present.

Personal Data About Employees

The legal basis for processing basic employee data is Article 6(1)(b) of the EU General Data Protection Regulation (GDPR), meaning that the processing is necessary for the performance of a contract with the data subject. For special categories of personal data, one of the conditions in Article 9(2) must also be fulfilled. Section 6 of the Norwegian Personal Data Act provides a supplementary legal basis for processing special categories of personal data when necessary to fulfill employment-related obligations or rights.

Provisions regarding access to an employee’s email inbox and workplace video surveillance are established by the Ministry as regulations under the Working Environment Act, pursuant to Sections 9-5 and 9-6 of the Act.

Consent as Legal Basis for Processing

Consent from the data subject can serve as a legal basis for processing personal data. This requires that the following conditions are met:

a. Voluntary – Consent must not be linked to any benefits or negative consequences. If the university considers relying on consent from students and employees, the imbalance between the parties must be taken into account. This may mean that the consent is not considered truly voluntary.

b. Specific – The purpose(s) for which the consent is given must be clearly stated.

c. Informed – The scope of the consent must be clear to the data subject at the time of giving consent.

d. Unambiguous – It must be evident that the individual has given consent, including the date it was given and the name of the person who gave it. The data controller must be able to demonstrate this, meaning it must be documented either in writing or electronically.

The data subject must be able to withdraw consent at any time, and it must be just as easy to withdraw consent as it is to give it.

For certain types of personal data processing, consent alone is not sufficient—an additional legal basis is required. This applies to the processing of sensitive personal data, automated individual decisions, and transfers of personal data to countries outside the EU/EEA. In such cases, explicit consent may serve as an additional legal basis. Explicit consent means that the consent is given in a particularly clear manner. Examples include the individual submitting a written declaration of consent or using BankID to sign a consent request.

See section 6.4 for specific information about consent in research.

Risk Assessment

The risk assessment shall help prevent unwanted incidents or deficiencies in the processing of personal data at NTNU, which may have consequences for students, employees, research participants, and/or society more broadly. Key factors in the risk assessment include the scope of the project/processing, the sensitivity of the data, the threat landscape related to the environment in which the data is processed and stored, and the duration of the project/processing. All assessments and measures must be documented.

NTNU’s Policy for Risk Management in Information Security provides guidance on how to conduct a risk assessment. In addition, support materials are available on Innsida for conducting risk assessments related to information security and research projects involving personal data.

Assessment of Privacy Implications and Prior Consultation with the Norwegian Data Protection Authority

General Information About Data Protection Impact Assessments (DPIA)

If it is likely that a type of processing will result in a high risk to the rights and freedoms of individuals, the data controller must assess the potential consequences of the planned processing for privacy, in accordance with Article 35 of the EU General Data Protection Regulation (GDPR).

This may be relevant, for example, when using new technology, conducting automated processing that has legal effects for individuals, large-scale processing of special categories of personal data, or systematic large-scale monitoring of a public area. The Norwegian Data Protection Authority (Datatilsynet) has developed a guide for conducting a Data Protection Impact Assessment (DPIA). The guide provides an overview of when a DPIA must be carried out. DPIAs must be conducted in consultation with the Data Protection Officer. NTNU’s template must be used, and the assessment must be documented in NTNU’s case and archive system.

An assessment concluding that a DPIA is not necessary must also be documented, either in NTNU’s central system for documenting personal data processing activities or in the case and archive system.

See the Norwegian Data Protection Authority’s guide and checklist for DPIAs, and NTNU’s website for assessing privacy implications.

Obligations to Consult with the Norwegian Data Protection Authority in the Case of Persistent High Risk

NTNU is required to consult with the Norwegian Data Protection Authority (Datatilsynet) if the conclusion is that the processing will still involve a high risk, either because the risk remains high after technical and/or organizational measures have been implemented or because no measures are taken to reduce the risk, and the planned processing is still intended to proceed.

Data Processor Agreement

If external parties (an organization or individual) are to process personal data on behalf of NTNU, a data processing agreement must be established. Agreements may only be made with data processors who provide sufficient guarantees that they will implement appropriate technical and organizational measures to ensure that the processing of personal data complies with the requirements of the EU General Data Protection Regulation (GDPR) and protects the rights of data subjects.

The agreement must meet the requirements set out in Article 28 of the GDPR. NTNU, in collaboration with the higher education sector, has developed a standard data processing agreement that must be used. If NTNU’s template cannot be used, the proposed agreement must be reviewed by NTNU’s legal counsel before it is signed.

NTNU’s procedure for entering into data processing agreements must be followed (see NTNU’s website), and the procedure must be reviewed every two years and revised if necessary.

The data processor must not engage another data processor (subcontractor) without written approval from NTNU as the data controller. NTNU is responsible for the processing of personal data by data processors and any subcontractors and is obligated to assess and verify their competence to process the relevant personal data in accordance with the GDPR.

The data processor must regularly conduct security audits of its handling of personal data to protect against unauthorized or unlawful access, alteration, deletion, damage, loss, or unavailability. The data processor must document these audits, and NTNU must be given access to the audit reports.

When NTNU jointly determines the purpose and means of processing personal data together with other data controllers, this constitutes joint controllership. In such cases, an agreement specifying the responsibilities of each party must be established. NTNU’s template may be used.

Transfer of Personal Data to Countries Outside the EU/EEA

Personal data may only be transferred to countries or international organizations outside the EU/EEA if the requirements of Chapter V (Article 44 et seq.) of the EU General Data Protection Regulation (GDPR) are met. Note that transfer also includes granting access to personal data.

A risk assessment of the transfer must be conducted to ensure that information security is adequate. The risk assessment must be documented.

a. Transfers to countries outside the EU/EEA may take place if the European Commission has approved that the country ensures adequate protection of personal data.

b. Transfers beyond this require the use of the EU’s standard contractual clauses for transfers to data controllers or data processors in third countries, or that the transfer is permitted under other provisions of Chapter V of the GDPR. The EU’s standard contractual clauses are available on the Norwegian Data Protection Authority’s website.

c. Article 49 of the GDPR provides exceptions for transfers in specific cases. This applies, for example, if the data subject has explicitly consented to the transfer, or if the transfer is necessary to fulfill a contract entered into in the data subject’s interest between the data controller and another natural or legal person. An example of this is members residing outside the EU/EEA who participate in expert committees.

Rights of the Data Subjects

The term “data subject” refers to individuals, applicants, students, employees, research participants, and others whose personal data is processed by NTNU.

A person whose personal data is registered has a number of rights, including the right to receive information when data is collected, access to their personal data processed by the institution, the right to rectification, erasure, restriction of processing, objection, and the right to data portability (Articles 12–23 of the EU General Data Protection Regulation).

There are several exceptions to these rights, both in the GDPR and in Sections 16 and 17 of the Norwegian Personal Data Act. For example, access may be denied if the data is confidential (e.g., if access would reveal information about other individuals or security measures). There are also specific exceptions related to archiving, research, or statistical purposes. As a public institution, NTNU is subject to the Archives Act, which means that personal data about employees and students is largely subject to archiving requirements and cannot be deleted upon request.

Data subjects who wish to request access or exercise other rights must follow NTNU’s established procedure and identify themselves before access or other rights can be granted.

Requests for access must be handled in accordance with NTNU’s routine.

Photo, Video, and Audio Recordings

Anyone who intends to publish a photo publicly (e.g., on the internet, intranet, in a learning support system, or in printed form) of an individual or a small group of individuals must obtain consent from the person(s) depicted. The consent must be in writing or otherwise documented, for example electronically.

According to Section 104 of the Copyright Act of 15 June 2018, photographs depicting a person may not be reproduced or displayed publicly without the consent of the person depicted. Exceptions apply if:

  • the image is of current and public interest
  • the depiction of the person is of lesser importance than the main content of the image
  • the image depicts gatherings, public processions outdoors, or events of public interest

Video and/or audio recordings of identifiable individuals require consent from each person. The same applies to publication, for example on the internet, intranet, or in learning support systems.

Consent forms and guidance/procedures must be available on NTNU’s website.

Camera Surveillance

Clear signage must indicate that the area is under surveillance, whether audio recording is included, and who the data controller is (NTNU, represented by the Property Department). The need for video surveillance is assessed regularly.

Recordings must be deleted one week after they are made. If it is likely that the recordings will be handed over to the police in connection with the investigation of criminal acts or accidents, they may be retained for up to 30 days.

Recordings may only be disclosed in the following cases:

  • The person depicted consents
  • Disclosure is made to the police in connection with the investigation of criminal acts or accidents, and statutory confidentiality does not prevent disclosure
  • Disclosure is otherwise permitted by law

Access Control

Personal data from NTNU is transferred daily from the central database to NTNU Security and Service.

The personal data transferred includes the individual’s name, national ID number/student number, email address, workplace, and start date. The data shall only be used for the production of access cards. Only designated employees in Security and Service shall have access to the data.

General Processing of Personal Data

NTNU’s case and archive system supports digital case processing, digital signing, and secure digital dispatch.

Confidential or special categories of personal data must be processed in NTNU’s case and archive system or in another approved specialized system. These are data classified as confidential or strictly confidential according to NTNU’s information classification system.

Paper documents containing confidential, sensitive, or other personal data that are exempt from public disclosure must be stored in lockable cabinets in offices/areas that are locked outside regular working hours.

Documents containing confidential or special categories of personal data that are sent electronically to members of boards and committees must be separated from other matters so that members can delete the data once the case has been processed. Electronic transmission is only permitted if the digital solution is classified for transferring confidential or special categories of personal data.

NTNU has developed web pages with guidance on secure storage of files and documents, including which systems/tools may be used for different purposes. These resources must be available on NTNU’s website.

Confidentiality

Anyone who routinely works with confidential personal data must be familiar with data protection regulations. NTNU has dedicated web pages about confidentiality, and employees have a confidentiality clause included in their employment contract.

Employees, as well as consultants and vendors who, through maintenance and operation of NTNU’s ICT infrastructure and systems, gain access to confidential personal data, must be familiar with the regulations governing the processing of personal data and must sign a confidentiality agreement. Requirements and information about confidentiality for members of committees, boards, and councils must be included in the appointment letter to the members.

A student who, during their studies, becomes aware of someone’s personal matters is subject to confidentiality rules applicable to professionals in the relevant field. Universities and university colleges must prepare a confidentiality agreement to be signed by the students for whom this is relevant. It is the responsibility of the student’s faculty to ensure that such an agreement is prepared and signed.

Storage, Deletion, and Archiving

Personal data must not be stored longer than necessary to fulfill the purpose of the processing, unless otherwise specified by law or, for example, in connection with research funding. This follows from the principles of storage limitation and data minimization.

Each individual employee is responsible for deleting personal data stored in their personal user area.

a. Personal data that is not subject to retention under the Archives Act or other legislation must be deleted.

b. Personal data must be deleted or cleaned up continuously—and no later than six months—after an employee leaves NTNU or a student graduates or discontinues their studies.

c. Personal data that is temporarily stored in a personal area for the purpose of completing a work task must be deleted once the purpose no longer applies.

d. Members of committees and boards who receive case documents electronically containing confidential or special categories of personal data must delete the material once the case has been processed.

e. Documents subject to archiving requirements—i.e., documents that are part of case processing and have value as documentation—must be archived in the institution’s archive system.

Use of National Identification Numbers

a. National identity numbers and other unique identifiers may only be processed when there is a legitimate need for secure identification, and the method is necessary to achieve such identification, in accordance with Section 12 of the Norwegian Personal Data Act.

b. National identity numbers may be sent via secure digital mail. They must not be accessible to anyone other than the intended recipient.

c. If a national identity number is to be sent by email, the email must be encrypted.

Use of E-mail

In accordance with the guidelines from the Norwegian Data Protection Authority (Datatilsynet), the following must not be sent by email:

a. Confidential or special categories of personal data

b. National identity numbers and other unique identifiers

c. Personal data about many individuals, e.g., spreadsheets, lists

These rules apply to both internal emails within NTNU and external emails.

If the email and/or attached files are encrypted, email may be used in exceptional cases. The risk must be assessed, and the password must be sent separately (e.g., via SMS or verbally) and must comply with NTNU’s password requirements, as outlined in the Policy for Cryptographic Controls.

Disclosing Information About Students and Employees to External Parties

Information collected and stored for general personnel administration and about students for administrative purposes should normally not be disclosed to external parties, unless those requesting the information have a legal right of access under the Norwegian Freedom of Information Act (offentleglova). Disclosure of personal data from NTNU’s systems for purposes other than those for which the data was originally collected must be approved by the system owner. The system owner is responsible for ensuring that the disclosure is documented so that NTNU can fulfill its duty to inform the data subject upon request.

If the request concerns information that is not subject to access under the Freedom of Information Act, the requesting entity (e.g., NAV, the Norwegian Armed Forces) must refer to a legal provision that grants the right to obtain the information. Such requests must be handled by the system owner, who is responsible for verifying whether a valid legal basis for disclosure exists and, if necessary, requesting it.

Confidential information may be disclosed if the conditions in Section 13b of the Public Administration Act (forvaltningsloven) are met—for example, to a lawyer representing a student or employee in a case at NTNU.

If access is granted, it must be made clear that the recipient must have a separate legal basis for any further electronic processing of the information.

Relationship to Access Rights Under Other Laws

Requests for access to public documents are regulated by the Freedom of Information Act of 19 May 2006.

Access for parties to a case is regulated by the Public Administration Act of 10 February 1967.

According to Article 86 of the EU General Data Protection Regulation (GDPR), each member state may establish rules regarding access to public documents. The provisions on general access under the Freedom of Information Act and party access under the Public Administration Act therefore take precedence over the GDPR and the Norwegian Personal Data Act. This means that, in cases involving access to documents at NTNU, access may be granted to documents containing personal data if the Freedom of Information Act provides a legal basis for doing so. In such cases, the definition of a document under the Freedom of Information Act determines which documents may be disclosed. The same applies to party access under the Public Administration Act.

The case officer, possibly in consultation with their manager, decides whether access should be granted.

Privacy by Design

Privacy by design and privacy by default means that privacy considerations are taken into account during all phases of the development of a system or solution. This is a commitment the organization has under Article 25 of the EU General Data Protection Regulation (GDPR).

The purpose of Privacy by design is to ensure that the data controller assesses privacy issues before and during the procurement/development of systems and services. The requirement for built-in privacy and privacy by default applies regardless of the level of risk.

The Processing of Personal Data in Research

According to Recital 159 (the preparatory works) of the EU General Data Protection Regulation, the processing of personal data for purposes related to scientific research should be interpreted broadly and, for example, include technological development and demonstration, fundamental research, applied research, and privately funded research.

Notification to Sikt Privacy Services

Research, student, and quality assurance projects that process personal data, as well as health research where a faculty other than the Faculty of Medicine and Health Sciences (MH) is the data controller, must be reported to Sikt’s Data Protection Services. The same applies to projects where personal data is processed on paper, if such data is or will be included in a personal data registry.

Sikt has an advisory role. Sikt shall assess whether the project meets the requirements of the EU General Data Protection Regulation (GDPR). The processing of personal data cannot begin until Sikt has provided feedback to the project manager confirming that the planned processing is considered to be in compliance with the GDPR, and that necessary prerequisites, recommended measures, and assessments are implemented. If there are questions regarding Sikt’s assessment, a dialogue will be initiated between Sikt and NTNU to align on necessary measures. If Sikt and NTNU have differing views on what is sufficient, the final decision will be made by the data controller in consultation with relevant subject matter experts and in accordance with guidelines from the process owner.

If a student or researcher plans to collect data abroad, the obligation to report to Sikt applies in the same way as for data collection in Norway.

The project must be reported no later than 30 days before data collection begins. Sikt also offers archiving of project data upon project completion.

According to the GDPR, organizations are required to maintain a record (protocol) of all personal data processing activities. Sikt, on behalf of NTNU, shall maintain a record of all research, student, and quality assurance projects reported to Sikt. This record will form the basis for supervision and control of research projects, cf. the policy section Control and Compliance – Research Projects.

For processing activities with low privacy risk to the data subjects, NTNU may establish its own procedures for internal recordkeeping and assessment.

Health Research – Pre-approval by REK

Medical and health-related research (health research) refers to research involving humans, human biological material, or health data, where the purpose is to generate new knowledge about health and disease. This also includes research involving pilot studies and experimental treatments.

Health research must be pre-approved by the Regional Committee for Medical and Health Research Ethics (REK) before the project can begin, cf. Section 33 of the Health Research Act. REK is responsible for conducting an ethical assessment of the project. However, REK’s pre-approval is not a sufficient legal basis for processing personal data in health research. The processing of personal data must also have a valid legal basis under the EU General Data Protection Regulation (GDPR). The data controller is responsible for assessing whether the processing of personal data in health research projects complies with the GDPR.

This policy also provides overarching guidelines for health research. NTNU’s portal for medical and health-related research contains more detailed administrative procedures and guidelines.

If a faculty other than the Faculty of Medicine and Health Sciences (MH) is the data controller in a health research project, the project must, in addition to the application to REK, also be reported to Sikt’s Data Protection Services. Sikt will assess whether the planned processing of personal data in the project complies with the requirements of the GDPR. Personal data processing cannot begin until Sikt has provided feedback on its assessment.

It is generally recommended that project information be submitted to both Sikt and REK as early as possible, preferably in parallel. Sikt will assess on a case-by-case basis whether to complete its evaluation independently or await REK’s assessment of the project.

For further details, please refer to section 4.2 of the policy regarding requirements for maintaining a protocol for health research projects.

Evaluation of Privacy Consequences (DPIA)

If it is likely that a type of processing will involve a high risk to the rights and freedoms of individuals, the data controller must assess the potential impact of the planned processing on privacy, cf. Article 35 of the EU General Data Protection Regulation (GDPR). This also applies to research.

Sikt initiates and assists in the assessment of privacy risks through a Data Protection Impact Assessment (DPIA). Sikt shall carry out the DPIA assessment in consultation with the Data Protection Officer.

The Faculty of Medicine and Health Sciences has developed a dedicated template for DPIA in health research projects. The project manager is responsible for ensuring that a DPIA is conducted. The Data Protection Officer shall, upon request, provide advice on the DPIA and verify its implementation.

Legal Basis for Processing

In General

A central research ethics requirement is that research involving human subjects must be based on freely given and informed consent. In addition, a legal basis for the processing of personal data is required. This legal basis may be the participant’s consent, but there are also alternative legal bases that may be relevant for research projects. It is important to conduct thorough assessments to determine the appropriate legal basis for each individual project.

For the processing of general personal data, the applicable legal basis may be:

a. Consent under Article 6(1)(a) of the EU General Data Protection Regulation (GDPR), or

b. If not based on consent: that the processing is necessary for the performance of a task carried out in the public interest and is necessary for purposes related to scientific research, cf. Article 6(1)(e) and Section 8 of the Norwegian Personal Data Act as supplementary legal basis.

c. The processing must include necessary measures to ensure compliance with the GDPR and to safeguard the privacy of research participants.

For the processing of special categories of personal data, the legal basis may be:

a. Consent under Article 9(2)(a), or

b. If not based on consent: that the processing is necessary for scientific research, provided that the public interest in the processing clearly outweighs the disadvantages to the individual, cf. Article 9(2)(j) and Section 9 of the Norwegian Personal Data Act as supplementary legal basis.

c. The processing must be subject to appropriate safeguards, such as pseudonymization of personal data so that the data can no longer be directly linked to individuals without additional information, as well as access control and logging.

For the processing of personal data relating to criminal convictions and offenses, the legal basis may be:

a. Consent under Article 6(1)(a), or

b. If not based on consent: the same principles apply as for special categories of personal data, i.e., the public interest in the processing must clearly outweigh the disadvantages to the individual. In this balancing of interests, particular weight must be given to the fact that the processing is carried out without the data subject’s consent. The assessment must be documented. Legal basis: Article 6(1)(e) and Article 10, with supplementary legal basis in Section 11 of the Norwegian Personal Data Act.

c. The processing must be subject to appropriate safeguards to protect the privacy of research participants, cf. the section above on special categories of personal data.

Health Research

A decision to grant an exemption from the duty of confidentiality constitutes a supplementary legal basis. REK’s ethical assessment of the research (pre-approval pursuant to Sections 9 and 33 of the Health Research Act) serves as an appropriate and specific measure to protect the rights and interests of the data subject. As part of its ethical review, REK shall also assess the processing of personal data.

Further Processing for Research Purposes

Further processing of personal data for research purposes using data that has already been collected is considered compatible with the original purpose. This assumes that technical and organizational measures have been implemented to safeguard the rights of the data subject, particularly to ensure compliance with the principle of data minimization. Relevant measures may include, for example, pseudonymization.

If the research purpose can be achieved using anonymized data, the further processing must be carried out in that manner. Further processing for research purposes also requires that the originally collected data has been processed in accordance with applicable regulations.

If the further processing involves disclosure to another data controller (i.e., someone other than NTNU), the recipient must have their own legal basis for processing the data.

Data Management Plan (DMP)

All research projects must have a Data Management Plan (DMP). The DMP must describe how research data will be collected, stored, and shared to ensure that the data is handled securely and responsibly.

The plan should be a living document that is updated throughout the project and documents how research data is processed and organized during all phases of the project. A Data Management Plan must also include ethical and data protection assessments. The plan must meet the requirements of funding bodies and be in accordance with NTNU’s policy for processing personal data.

Storage of Active Research Data

Personal data must not be stored longer than necessary for the purpose for which it was collected, unless otherwise specified by law or, for example, in relation to research funding.

Access to Research Data by Project Staff

Research data must only be accessible to approved project staff until the project is completed. The project manager determines which team members should have access to pseudonymized personal data and the key for re-identification. The project manager must maintain a documented overview of who has access to the data. This overview must be available to the data controller.

Project staff should normally not have access to the re-identification key. In cases where they do, the data can no longer be considered pseudonymized, but rather directly identifiable personal data, which increases the requirements for secure processing and storage.

Conclusion of Research Projects

Personal data must be anonymized or deleted if there is no requirement for retention based on approvals granted or in connection with the funding of the research project. Necessary confirmations must be sent to REK and Sikt. NTNU offers the service “REK Archiving” and has developed dedicated information pages.

Monitoring and Compliance – Research Projects

The data controller must implement systematic measures to ensure that the project is conducted in accordance with the guidelines, and that the processing of personal data complies with applicable laws, regulations, and NTNU’s internal policies.

A sample of 10% of all research projects must be reviewed annually. The sample should include projects from different phases of implementation: initiation, execution, and completion.

Monitoring of Initiation

Research projects that have been awarded funding and other known projects must be reviewed against the notification overview maintained by Sikt. This is to verify whether the obligation to seek advice has been fulfilled.

Monitoring of Execution

The data controller must verify whether the research project has obtained any necessary approvals or permits, and whether the obligation to consult with Sikt and the Data Protection Officer has been fulfilled. The review should determine whether the project is being conducted in accordance with the information provided to REK / Sikt and the approvals or advice that have been given.

Monitoring of Conclusion

The data controller must verify whether the procedures related to project completion have been followed, and whether research data stored electronically or in other archives has been deleted or anonymized.

In the management dialogue with their supervisor, the data controller must report on the extent to which laws, guidelines, and procedures are being followed, and what measures have been implemented.

The Processing of Personal Data in Connection with Teaching

Video and Audio Recordings

It is not necessary to obtain consent from the course instructor to stream or record teaching sessions that are required to fulfill NTNU’s obligation to provide instruction to students, and which require NTNU login to access. Article 6(1)(f) of the EU General Data Protection Regulation (GDPR) provides the legal basis for such processing. NTNU may have a legitimate interest in streaming lectures, for example, to make them accessible to students across multiple campuses. The privacy risk is considered low when NTNU login is required to access the teaching.

If the recording is to be made publicly available on the internet, consent from the course instructor is always required. NTNU’s agreement form for online publication must be used.

If students are present, it must be clearly indicated at the entrance and inside the room that the teaching session is being recorded.

Video and/or audio recordings of students that allow them to be identified require consent from the student. This applies, for example, when students are presenting a project or similar. The consent must meet the requirements for valid consent (see the section “Consent as a legal basis”) and must be documented.

Students who wish to record (video and/or audio) a teaching session must obtain consent from the course instructor, unless there is a formal decision regarding accommodation. The student may only use the recording for personal study purposes. The recording may not be used for other purposes or published without written consent from the instructor (e.g., on the internet or in other contexts).

If video recording of students is a mandatory part of the teaching in order to achieve the learning objectives, this must be stated in the study plan. In such cases, the legal basis for recording and use of the recording is Article 6(1)(e) of the GDPR, with supplementary legal basis in Section 2-8 of the Universities and University Colleges Act.

Image, Video, and Audio Recordings – Students in Internships/Practical Training

If students in practical training are to take photos or video/audio recordings of individuals, this requires consent from the individual, cf. the section “Consent as a legal basis.” Photos, video, or audio recordings of minors require consent from parents or guardians. Images from practical training must not be published online or on social media.

Use of video and audio recordings in teacher education practical training

The university may process personal data about students, children, pupils, and staff present during teaching in primary or secondary schools or in kindergartens, through video or audio recordings, when the purpose of the processing is to guide and assess the students’ practical training. The student’s practical training must be part of a mandatory component of the institution’s study plan for the relevant teacher education program. Recordings may only be used in learning situations related to student guidance and must be deleted as soon as the assessment of the student’s practical training is completed, and no later than when the student completes their studies, cf. Section 9-2 of the Regulations to the Universities and University Colleges Act.

Children and pupils have the right to opt out of such processing of personal data.

Learning Platforms

NTNU’s approved learning platforms, which have a valid data processing agreement, must be used to coordinate and manage course content and for communication in teaching activities.

If an instructor plans for students to use IT tools that incorporate generative artificial intelligence (AI tools) during teaching or in connection with exams, the tools must be approved by NTNU. This means the tool must either be developed by NTNU or NTNU must have entered into and approved a data processing agreement with the provider in accordance with its internal procedures. NTNU cannot require students to use AI tools that have not been approved by NTNU.

Student Projects

When processing personal data in connection with bachelor’s, master’s/thesis, and doctoral projects, the rules for processing personal data in research must be followed, as outlined in Chapter 5.

Monitoring and Compliance

Departments must report annually on compliance with the policy for processing personal data and on the monitoring of research projects. The faculty decides how reporting should be carried out, based on expectations outlined in the rector’s annual allocation letter.

Units within the central administration must conduct annual internal audits of personal data processing within their administrative case processes.

These reports form the basis for the rector’s annual briefing to NTNU’s Board on the university’s work with information security, including the processing of personal data.

Compensation and Restitution for Privacy Breaches

Violations of data protection regulations may result in administrative fines from the Norwegian Data Protection Authority (Datatilsynet) and entitle the affected individual to compensation or redress. If NTNU is issued a fine, the unit where the violation occurred is responsible for covering the cost. The same applies to any compensation or redress amounts owed to affected individuals.

References

Key Laws and Regulations Include:

  • EU General Data Protection Regulation (GDPR) – provides rules for the electronic processing of data that can be linked to individuals, obligations for NTNU as the data controller, and rights for the data subject.
  • The Personal Data Act – incorporates the GDPR into Norwegian law and provides certain provisions in addition to the regulation.
  • The Universities and University Colleges Act, and its associated regulations – provide rules (supplementary legal basis) for processing personal data about applicants, students, and PhD candidates, the national diploma and grade portal, and reporting to databases for higher education and scientific publishing.
  • The Constitution § 102 – sets requirements for the protection of personal integrity.
  • The Working Environment Act, and regulations to Chapter 9.
  • Regulations on video surveillance in enterprises.
  • Regulations on employer access to email accounts and other electronically stored material.
  • The Public Administration Act – provides rules on case processing, including confidentiality and the right of access for parties.
  • The Freedom of Information Act – provides rules on the obligation to grant access to documents and exceptions from the right of access.
  • The Archives Act – provides rules on which documents must be archived and requirements for archiving.
  • The Health Registries Act – provides rules on the collection and processing of health data.
  • The Health Personnel Act – provides rules on confidentiality and exemptions from it for research purposes.
  • The Health Research Act – provides rules on the organization, roles, responsibilities, and pre-approval of health research.
  • The Research Ethics Act – provides rules requiring that research be conducted in accordance with recognized research ethics standards.
  • The Copyright Act – provides rules on the use of images (§ 104).

This list is not exhaustive; other laws and regulations may also be relevant.