Norwegian version of this page

Privacy notice for applicants, students and PhD candidates

Information on how the University of Oslo (UiO) manages your personal data when you have applied for admission, while you are a student or PhD candidate and later.

How to read this notice?

Read more

Personal data is all forms of data, information and assessments that can be linked to you as an individual.
 
This page describes which personal data is processed at the UiO, how it is processed, who is responsible for the processing, what rights you have and who you can contact about your personal data. All processing of personal data is divided into different processing purposes. This is a purpose where it is necessary for UiO to process your personal data. For each purpose, we have therefore collected information on:
  • Legal basis: why UiO is allowed to process personal data
  • Categories of personal data: what information is being processed
  • Disclosure: whether the information is disclosed to/shared with others 
  • Transfer abroad: whether the information is transferred to one or more countries outside Norway
  • Retention period: how long the UiO stores the information
  • Source: sources we collect data from

1 Processing purposes

1.1 Application process

UiO needs to process your personal data when you apply for admission to a programme of study, PhD programme and courses.

1.1.1 Legal basis

The legal basis for the processing is Article 6-1 e), of the GDPR, cf. 3 b) and Sections 1-3, 3-7 and 4-15 of the Norwegian Universities and University Colleges Act.

1.1.2 Categories of personal data

  • Contact details
  • Information for secure authentication
  • Documentation of necessary expertise
  • Funding source/proof of funding (PhD admission)
  • Financial documents, e.g. bank account statement or sponsor letter (SFM admission)
  • Necessary documentation for PhD projects
  • Other necessary information, cf. the course or programme web pages

1.1.3 Disclosure

  • The Norwegian Universities and Colleges Admission Service (NUCAS)
  • Other universities and university colleges
  • GAUS - search service for the approval of international studies. Please refer to the GAUS privacy notice.

1.1.4 Transfer abroad

No.

1.1.5 Retention period

We will store your data for as long as it is necessary in order to process your application. If you are admitted, we will store your data for as long as you remain a student or PhD candidate.

1.1.6 Sources we collect data from

  • Yourself
  • National diploma database (NVB)
  • Other universities and university colleges
  • The Norwegian National Population Register
  • Emrex - results from universities/university colleges outside of Norway
  • The common contact register (KORR) You may opt out of this, please refer to the The common contact register's web pages.
  • The Norwegian Universities and Colleges Admission Service (NUCAS)
  • GAUS - search service for the approval of international studies. Please refer to the GAUS privacy notice
  • UiO uses various verification bases to check educational documents, language tests, etc., uploaded by applicants.

1.2 Contact and information 

UiO needs to process your personal data when you contact us with questions or you request information.

1.2.1 Legal basis

The legal basis for the processing is Article 6-1 e) of the GDPR, as well as Section 1-3 of the Norwegian Universities and University Colleges Act and Article 6-1 f) of the GDPR.

1.2.2 Categories of personal data

  • Name
  • UiO username
  • Phone number
  • E-mail address
  • National identification number, as required for secure authentication
  • Information you provide in connection with your enquiry

1.2.3 Disclosure

No.

1.2.4 Transfer abroad

No.

1.2.5 Retention period

We will store your data for as long as it is necessary in order to process your enquiry.

1.2.6 Sources we collect data from

  • Yourself
  • UNINETT when logging in
  • The Norwegian Digitalisation Agency when logging in

1.3 Teaching, examinations and supervised professional training

UiO needs to process your personal data when you participate in teaching, examinations and supervised professional training. UiO also delivers digital teaching and examinations.

1.3.1 Legal basis

The legal basis for the processing is Article 6-1 e) of the GDPR and Sections 1-3, 3-3, 3-9 and 4-15 of the Norwegian Universities and University Colleges Act.

For the processing of special categories of personal data, the legal basis is Article 9 g) of the GDPR and Section 4-15 (5) of the Norwegian Universities and University Colleges Act. 

For certain healthcare and teaching programmes, national curriculums and guidelines have been established to govern the implementation of the education and supervised professional training.

1.3.2 Categories of personal data

  • Information relating to the completion of examinations, including answer papers and examination results.
  • Information relating to the implementation of teaching and coursework requirements, including entries in learning support systems and submitted assignments.
  • AV (sound and video recordings) in connection with digital teaching and examinations. 
  • Information relating to the implementation of supervised professional training, including personal data and contact details, programme and course affiliation, results and any other matters that the supervised professional training provider should be aware of.
  • Health information in connection with safeguarding your rights. 

1.3.3 Disclosure

  • Computer system service providers for the implementation of teaching and examinations.
  • Other universities and university colleges when exchanging results in connection with applications for admission or approval.
  • External examiners and supervisors.
  • Organisations that offer supervised professional training places for UiO students.

1.3.4 Transfer abroad

The basis is that no personal data will be transferred outside of the EU/EEA for purposes linked to teaching and examinations. Nevertheless, this may still occur for certain courses, albeit subject to a requirement that explicit information has been provided concerning the transfer in advance on the course web page or in another suitable manner.

1.3.5 Retention period

Examination

  • Examination results and allocated study places will be stored forever.
  • Answer papers will be stored in accordance with UiO’s retention and erasure plan.

Teaching

  • Materials and information in UiO’s teaching tools are stored for as long as you maintain an active user account or remain active in a programme of study or course. User accounts and access to UiO will be discontinued a few months after you cease being an active student. 
  • When you are no longer a student, you can log into Canvas to retrieve anything you wish to keep. 
  • The retention period for administrative procedures relating to teaching, examinations and supervised professional training can be found in the UiO retention and erasure plan.

1.3.6 Sources we collect data from

  • Yourself
  • UiO’s study administration systems and technical systems
  • UiO’s supervisors and examiners
  • External examiners/supervisors
  • Supervised professional training providers
  • Other universities and university colleges

1.4 Reporting and confirmations

UiO reports data about applicants, students and PhD candidates to the database for higher education (DBH) and the Norwegian State Educational Loan Fund. 

UiO also confirms results and other data relating to applicants, students and PhD candidates to employers and others upon request.

1.4.1 Legal basis 

The legal basis for UiO’s reporting is Article 6-1 e) of the GDPR, Sections 7-7 and 7-8 of the Norwegian Universities and University Colleges Act and Sections 21 and 23 of the Norwegian Student Finance Act. 

The legal basis for UiO’s work with confirmations is Article 6-1 e) of the GDPR, as well as Section 1-3 of the Norwegian Universities and University Colleges Act and Article 6-1 f) of the GDPR.

1.4.2 Categories of personal data

Students:

  • national identification number or temporary national identification number 
  • name
  • citizenship
  • information linked to education, e.g. study progression, grades and degrees

The following also applies for PhD candidates:

  • information relating to the position and funding for the position 
  • information relating to scientific publication 

1.4.3 Disclosure

  • Database for higher education (DBH)
  • Norwegian State Educational Loan Fund - information about student status, approvals, examination results and degrees
  • Employers and others that request confirmations

1.4.4 Transfer abroad

No. 

1.4.5 Retention period

Data reported to the database for higher education (DBH) and the Norwegian State Educational Loan Fund is retained as documentation. 

We retain requests for confirmations and the confirmations themselves for as long as it is necessary to process the request.

1.4.6 Sources we collect data from 

UiO’s administrative systems. 

1.5 Access controls and security

The purpose of UiO’s access control system is to safeguard UiO’s properties and ensure the security of and authorised access to  our areas. The system consists of UiO’s card readers and approximately 100 surveillance cameras located both inside and outside UiO’s properties. The estate management department is responsible for the system.

Processing is anchored in UiO’s legitimate interests relating to both material and personal security in the physical and digital environment. UiO finds that these interests outweigh the interests of data subjects.

1.5.1 Legal basis 

The legal basis for processing is Article 6-1 f) of the GDPR. 

1.5.2 Categories of personal data

The following will be processed in connection with access controls: 

  • name 
  • address 
  • phone number 
  • e-mail address 
  • card number 
  • information for contact and authentication, such as photo from the student card
  • access data when the card user registers the card in the card reader 
  • recording from camera surveillance

The following log data will be processed in connection with security:

Activity is logged when accessing and using IT services supplied by UiO. The IT systems will normally log unsuccessful and successful authentications and the services or resources the user attempts to use. A separate procedure for the processing of logs from systems, services and applications at UiO can be found on UiO's webpage Logging, rutiner og rettigheter (in Norwegian).

1.5.3 Disclosure

Uninett. 

1.5.4 Transfer abroad

No.

1.5.5 Retention period

  • Your contact information will be stored for as long as you have a valid access card to access UiO’s properties. 
  • Access data from card readers will be deleted after six months.
  • Recordings from surveillance cameras will be stored for seven days. In cases where such recordings are handed over to the police, they may be stored for up to 30 days. 
  • Logs from IT systems are stored for as long as necessary to achieve the security purpose. The retention period will vary depending on the log source. Most logs are deleted/anonymised after 12 weeks. Nevertheless, logs may be stored for up to 6-12 months when necessary for reasons of security. 

1.5.6 Sources we collect data from

  • Yourself
  • The access control system 
  • The UiOs IT services

1.6 Exchange studies

UiO needs to process your personal data in connection with exchange studies.

1.6.1 Legal basis

The legal basis for the processing is Article 6-1 e) and Section 1-3 of the Norwegian Universities and University Colleges Act, as well as individual agreements.

1.6.2 Categories of personal data

  • Necessary documentation for admission to the place of study 
  • Necessary identification for admission to the place of study

1.6.3 Disclosure

Information relating to you will be disclosed to the institution to which you have applied for admission. 

1.6.4 Transfer abroad

Yes, within and outside of the EU/EEA, depending on the institution to which you have applied for admission. 

1.6.5 Retention period

We will retain your information for as long as you are an exchange student or for as long as the exchange agreement remains in force. Some of the information will be retained forever, cf. the chapter concerning teaching, examinations and supervised professional training.

1.6.6 Sources we collect data from

  • Yourself
  • UiO’s study administration systems 

1.7 Other necessary administration

UiO may need to process your personal data in the event of suspicion of false documents, annulment of an examination or test, suspension and expulsion, certificates of good conduct or suitability assessments.

1.7.1 Legal basis

The legal basis for the processing is Article 6-1 e) and Sections 1-3, 3-7, 4-7, 4-8, 4-9 or 4-10 of the Norwegian Universities and University Colleges Act.

For the processing of special categories of personal data, the legal basis is Article 9 g) of the GDPR and Section 4-15 (5) of the Norwegian Universities and University Colleges Act. 

For the processing of personal data relating to criminal convictions and offences, the legal basis is Article 10 of the GDPR and Section 4-15 (4) of the Norwegian Universities and University Colleges Act. 

UiO requests certificates of good conduct and conducts ongoing suitability assessments of students on healthcare and teaching programmes, as well as theology studies. UiO may also initiate specific suitability assessments in the event of matters that require follow-up. UiO will contact you if there is a need to consider the content of a certificate of good conduct or conduct a specific suitability assessment.

If UiO collects information from or discloses information to the register of banned students (RUST), the legal basis for processing will be Sections 3-7(8), 4-8(1), (2) and (3) or 4-10(3) of the Norwegian Universities and University Colleges Act.

1.7.2 Categories of personal data

Necessary documentation to handle cases regarding false documents, annulment of an examination or test, suspension and expulsion, certificates of good conduct or suitability assessments.   

1.7.3 Disclosure

Register of banned students (RUST). For further information, please refer to the RUST privacy notice.

1.7.4 Transfer abroad  

No. 

1.7.5 Retention period 

The retention period for the relevant administrative procedures can be found in UiO’s retention and erasure plan. 

1.7.6 Sources we collect data from

  • Yourself
  • Any reports of concern relating to suitability from fellow students, practical training supervisors or others you come into contact with during your studies. 
  • Register of banned students (RUST). For further information, please refer to the RUST privacy notice.

1.8 Quality assurance and service improvement

UiO uses personal data collected when using IT services to troubleshoot, produce statistics and perform analyses for the purpose of quality assurance and service improvement.

1.8.1 Legal basis 

The legal basis for processing is Article 6-1 f) of the GDPR. 

The processing is anchored in UiO’s legitimate interests linked to the high quality of the IT services offered at the university. UiO finds that these interests outweigh the interests of data subjects.

1.8.2 Categories of personal data

  • User identificator, for instance name, username
  • Authentication loggs
  • IP-adresse
  • Information on how you use the services (driftslogger). The information contains various variables, for instance which pages you have visited, what information you have searched for in our search engine, date and time for visits and technical information about your unit.

1.8.3 Disclosure

No.

1.8.4 Transfer abroad

No.

1.8.5 Retention period 

Logs from IT systems are stored for as long as necessary to achieve the security purpose. The storage time will vary depending on the log source. Most logs are deleted / anonymized after 12 weeks. After anonymization, logs can be stored for a longer period of time.

1.8.6 Sources we collect data from

  • The relevant IT service
  • Yourself

2 Automated administrative procedures

Read more

When you apply for admission to, or if you are a student at the University of Oslo, a number of procedures relating to admission and your course of study will be conducted as partially or fully automated administrative procedures. The legal basis is Section 4-15 of the Norwegian Universities and University Colleges Act.

Automated administrative procedures are performed in connection with

  • Assessment of whether you are eligible for admission 
  • Calculating credits 
  • Place on a programme of study 
  • Calculation of who is allowed to register for which courses via Studentweb 
  • Application for a place on a programme of study and registration for examinations 
  • Calculation of overall credits for courses with exam parts 
  • Control of the education plan 
  • Creating invoices 
  • Application for student exchange 
  • Calculation of achieved degree 
  • Withdrawal of admission to a course in the event of inadequate study progress 

3 The rights of data subjects

3.1 Right to information and access to information

You are entitled to information about how UiO processes your personal data. This privacy declaration is intended to contain the information you are entitled to receive.

You are also entitled to see/gain insight into any personal information registered on you at UiO. You are also entitled to receive a copy of your personal information if you wish.

If you would like to request access to information contained in medical records at one of the UiO clinics, for example the dental clinic at the Faculty of Dentistry, you will need to contact the clinic to request access to information contained in your records.  

3.2 Right of correction

You have the right to have incorrect personal information about you corrected. You also have the right to have incomplete personal information about you supplemented. If you believe we have registered incorrect or incomplete personal information about you, please contact us. It is important that you state the reason and, where appropriate, document why you believe the personal data is incorrect or incomplete.

3.3 Right to limitation of processing

In certain cases you may have the right to require that the processing of your personal data be limited. Limitation of personal data means that your personal information is still being stored, but that the possibilities for further use and processing will be limited.

If you believe that your personal information is incorrect or incomplete, or you have protested against the processing, you are entitled to require that your personal information be temporarily restricted. That means that the processing will be restricted until we have corrected your personal information, or have assessed whether your protest is justified.

In other cases, you may also require a more permanent restriction of your personal information. In order to be entitled to require the restriction of your personal data, the terms of article 18 of the Personal Data Protection Regulation must be met. If we receive a request from you for restriction of personal data, we will assess whether the conditions of the law are being met.

3.4 Right of deletion

In some cases, you are entitled to request that we delete personal information about you. The right of deletion is not an unconditional right, and whether or not you have the right of deletion must be considered in the light of the Personal Data Act and the Personal Data Protection Regulation. If you wish to have your personal information deleted, please contact us. It is important that you state the reasons why you want your personal information deleted, and if possible, which personal information you want to have deleted. We will then consider whether the legal conditions for requiring deletion are met. Please note that in some cases the legislation allows us to make exceptions from the right to deletion. For example, this would be the case when we are obliged to store your personal data to fulfil a task that is required by the University and University College Act, or to safeguard important societal interests such as archiving, research and statistics.

3.5 The right to object

You may have the right to object to the processing, that is, to protest the processing, if you have a special need for the processing of your personal data to be stopped. Examples may be if you have a need for protection, a secret address, or similar. The right to protest is not an unconditional right, and it depends on what is the legal basis for the processing and whether you have a special need. If you protest against the processing, we will consider whether the conditions for protesting are met. If we determine that you have the right to protest the processing, and that the objection is justified, we will stop the processing and you will also be able to demand the deletion of the information. Please note that in certain cases we can make an exception from deletion. For example, this could be the case when we are obliged to store your personal data to fulfil a task that is required by the University and University College Act, or to safeguard important societal interests.

3.6 Right to appeal against the processing

If you believe we have not processed your personal data in a correct and lawful manner, or if you believe that we have failed to fulfil your rights, you have the possibility to appeal against the processing. You can find information about how to contact us under Point 4.

If we do not accept your complaint, you have the option of presenting the complaint to the Norwegian Data Protection Authority. The Norwegian Data Protection Authority is responsible for verifying that Norwegian companies comply with the provisions of the Personal Data Act and the Personal Data Protection Regulation in processing personal data.

4 Contact

4.1 Data Protection Officer

UiO has a data protection officer who safeguards the data privacy interests of both students and employees of UiO. The data protection officer for administrative processing of personal data at UiO can be contacted by e-mail at personvernombud@uio.no.

4.2 Data Controller

The University of Oslo (UiO) is the data controller for the processing purposes set out in this notice. If you have any questions concerning the contents of the notice, please contact us via e-mail: behandlingsansvarlig@uio.no. We will deal with your enquiry as quickly as possible and no later than one month after receiving your request.

Secure authentication and identification are required for you to be able to exercise your rights. You can use the following online form for verification: https://nettskjema.no/a/170097

5 Limitations to your rights due to national law

Read more

The University of Oslo is a public body. This means that information relating to you may be disclosed pursuant to the Norwegian Freedom of Information Act. UiO will only disclose information relating to you if such disclosure is necessary pursuant to the act.

Published July 27, 2021 11:23 AM - Last modified Feb. 24, 2023 10:58 AM