Privacy at the institute
Personal information consists, for example, of your name and contact information. Information can also identify you indirectly; for example, names of municipalities with information about position or memberships in associations.
You have the right to know exactly what personal information we process about you. We are obliged to protect your rights and must be able to document all processing of (your) personal data. We assist if you have questions or comments regarding the processing of personal data.
- Responsibility for processing
- When does ISF process personal information?
- Privacy and ethics in research
- Processing of personal data on our website
- Case processing and enquiries
- Other processing of personal data
When using external data processors (actors who provide services to us), ISF bears the responsibility for processing the data, a relationship is governed by a data processor agreement.
Processing of personal information about employees is set out in a separate privacy statement.
Data protection officer
ISF has an agreement with NSD concerning data protection officer-related tasks. You can contact our data protection officer at NSD by e-mail: firstname.lastname@example.org.
The data protection officer is the contact point for everyone that we process personal information about and shall ensure that personal information about you is processed correctly and that your rights are protected. The data protection officer has a duty of confidentiality.
- The purpose of the processing of information
- The lawfulness of processing personal data, i.e., that ISF as the data controller must be able to demonstrate that we have a legal basis under the Personal Data Act and the General Data Protection Regulation (GDPR) for the processing. Under the GDPR, ISF has different legal bases depending on the type of processing: Consent is governed by Article 6 (1)(a), contractual relationships by Article 6 (1)(b), legal obligations by Article 6 (1)(c) and legitimate interests by Article 6 (1)(f).
- Collection of personal information
- How personal data is processed
- What rights you have to access, correct or delete information and that you have the right to withdraw your consent to processing throughout the processing.
We process information about you in the following situations:
- You have registered for an event.
- You subscribe to our newsletter.
- You have applied for a job or assignment with us.
- You would like copies of lectures, reports or brochures.
- You have contacted us as a journalist or similar for a statement.
- You have sent us an enquiry or complaint.
- You visit our website.
We may also receive information about you in other contexts:
- Your information appears in a statement or enquiry that is sent to ISF from external parties, such as another company.
- We receive information about you from public authorities or other companies.
- A job seeker has listed you as a reference.
- You are registered as a contact person for an external company or organisation.
ISF's website has various offerings and functionalities that are relevant to your privacy, both directly and indirectly. This applies to:
- Cookies that are imported into your computer when downloading a website and when searching and downloading.
- User statistics based on users' activity on the website.
- Storage of the keywords that are used in the free text field.
- Feedback function.
- Comments on blogs on ISF's website.
- Sharing of posts published on the website.
- Photos of attendees at public events at ISF.
Case processing and archive
ISF uses the Public360 archive system for electronic recordkeeping and electronic storage of documents. Public360 is an archive and case processing system from the supplier Tieto following the conclusion of a framework agreement with Uninett/an administrative body under the Ministry of Education.
Enquiries from external, private individuals or a company that is archived will contain the personal information that is included in the enquiry. Further case processing will include personal data to the extent necessary to perform the task. Registration, saving and storage takes place in accordance with the NOARK standard. Special security measures and routines have been established for highly protected information in the archive, such as sensitive personal data. All information is password-protected and access to sensitive information is restricted through access control.
E-mail and phone
ISF employees use e-mail in general dialogue with internal and external contacts. The individual is responsible for deleting messages that are no longer relevant. Upon resignation, the employee’s e-mail accounts will be deleted, and relevant e-mails will be transferred for follow-up. According to the employees' security Instructions, special categories of personal information must not be sent by e-mail unless they are encrypted.
Telephone calls (telephone number and the time of the call) are logged in our telephone exchange. Call logs are automatically deleted by Telia. Incoming and outgoing traffic data are not stored for more than 90 days. No other systematic registration of telephone calls is done where callers can be identified.
The Schrems II ruling resulted in stricter requirements for transferring personal data to third countries. ISF's administration has identified that MailChimp transfers personal information to the United States.. ISF has sought advice from external lawyers who assist us in the assessments of MailChimp. ISF is in dialogue with MailChimp and the Data Protection Agency. ISF has decided to minimize the use of MailChimp until we have a final conclusion. This decision has been clarified with ISF's privacy representative. In the period ISF will not send out newsletters. We will only send out invitations to digital events via MailChimp.
We will update the information below when the decision has been made.
ISF sends out monthly newsletters by e-mail. Invitations to our open events are occasionally sent out by e-mail. In order for us to send e-mails with newsletters and invitations to events, you must register an e-mail address and give consent to what information you wish to receive from ISF. MailChimp is the data processor we use. The information ISF collects for the service is stored at MailChimp. If you accept the terms, you permit:
- e-mail, time of registration and transfer of IP address to MailChimp
- e-mail, time of registration and storage of IP address at MailChimp
- newsletters to be sent from MailChimp to your e-mail address
- Invitations to events to be sent from MailChimp to your e-mail address
MailChimp stores e-mail addresses and IP addresses as long as each individual chooses to be the recipient of the ISF newsletter. If you want to change your e-mail address or choose to unsubscribe, you can do so by following the links at the bottom of a newsletter, or unsubscribe from ISF. Read more about the privacy terms of MailChimp here.
As a result of the new Schrem II verdict of 16 July 2020 in the EU, we are currently reviewing our routines using Mailchimp.
List of participants at events
When you sign up for our seminars or other events, information about you is stored for use in connection with conducting the event. We register an e-mail address, and in some cases we ask you to provide names and allergies in order to be able to make arrangements for at in the events where it is relevant. The information is not used for any purpose other than the implementation of the event in question, and is deleted within six months after the event. We use USIT's registration solution Web form to manage the registrations.
Applying for a job at ISF
ISF uses the job search portal JobbNorge to administer submitted applications. The hiring process involves processing the information you provide to us through your application, CV, diplomas and certificates. In addition to information collected during any interviews, ISF may obtain information on its own initiative, for example by checking references.
Pursuant to Section 28 of the Personal Data Act, applications with personal data shall not be stored longer than necessary to carry out the purpose of the processing. While you are an applicant, we delete information about you according to where you are in the hiring process. If you are not called for an interview, your application will be deleted four months after the first processing. If you are called for an interview, your application will be deleted after 18 months after the announcement process is completed. This also applies if you are hired.
Entrance control - camera function in intercom
A camera with a microphone is installed at ISF’s street-level entrance to ensure that we do not let in unauthorised persons. The camera and microphone are activated manually when the doorbell rings. The image of the entrance area is displayed in real time and has no snapshot option.
The basis for processing this processing is Article 6 (1) (f) of the GDPR, which allows us to process information necessary to safeguard a legitimate interest that outweighs the interests of the individual or fundamental rights and freedoms. The legitimate interest is to ensure access to ISF's premises.