Processing of personal data for system owners

Processing of personal data for system owners

System owners at NHH are responsible for ensuring that personal data is properly handled from processing starts until it is concluded.

The system owner’s data protection responsibility in connection with the processing of personal data entails the following tasks:

  • When buying/developing a system or service

    When buying/developing a system or service

    • When purchasing or development of a system, make sure to require built-in privacy from the system solution provider.
    • Describe and document what personal information processed in the system or which service it is used for: what is the purpose of the system or service?
    • Describe and make an overview of the types of personal data to be processed in the system or service.
    • Describe what legal basis NHH have for processing personal data in the system or service.
    • Describe the requirements for the necessary protection of the personal data to be processed in the system or service, this to ensure that the system or service has adequate technology and mechanisms to meet the requirements.
  • Before the system or service is used

    Before the system or service is used

    • Perform a risk assessment of information security for the personal information in the system or service. 
    • Make an agreement with any data processor (data processor agreement) operating the system or service on behalf of NHH. 
    • Report the information of the system or service to NHH's Data Protection Officer. 
    • Create information for staff, students, guest researchers or guests about their privacy rights – ie, prepare a privacy statement. 
    • Ensure that there are routines for deletion of data in the system.
  • While the system or service is in use

    While the system or service is in use

    • Ensure that the personal information processed in the system or service is not being used for any purposes other than planned without the basis of processing covering it, including consent or legal basis.
    • Ensure that the personal data processed in the system or service is of satisfactory quality, ie that the information is sufficient and relevant, correct and up to date.
    • Ensure that no surplus information is saved in the system or service (personal information not necessary to meet the purpose of the system or service).
    • Delete or anonymize any surplus information 
    • Respond to inquiries from and safeguard the rights of the person to whom the personal data applies.
    • Make regular risk assessments of information security to the personal data processed in the system or service.
    • Implement measures that ensure that the information security of the personal data processed in the system or service is satisfactory.
    • Regularly check that any data processors comply with the terms of the data processor agreements.
    • Report deviations that occur when processing personal data in the system or service.
    • Report significant changes in the use of the system or service to the NHH Data Protection Officer.
    • Assist with annual internal control.
  • When the system or service is discontinued

    When the system or service is discontinued

    • Decide which personal data to delete, possibly anonymize, and which to archive.
    • Ensure that any personal data that is not being archived, must be properly deleted and anonymized.
    • Ensure that personal information that you need to keep, is being archived.

Any questions? Please contact personvernombud@nhh.no

NHH has its own information security management system. System owners who do not have access to it can contact the Office of IT Services at helpdesk@nhh.no