This privacy statement describes how NOKUT processes personal data. NOKUT is committed to ensuring the privacy, confidentiality and availability of personal information.
1 Regulations and definitions
The EU Regulation No. 2016/679 General Data Protection Regulation (GDPR) came into force in the EU on 25 May 2018. The Regulation will be incorporated into Norwegian law when the new Personal Data Act enters into force and, from the same date, the Personal Data Act from 2000 will be annulled. This privacy statement is based on the new regulations; however, NOKUT complies with the current regulations at all times.
The data controller is the person or body responsible for the correct processing of personal data. The NOKUT director, on behalf of NOKUT, is the controller of personal data for the organization.
A data subject is a person whose personal data is recorded.
Personal data means any form of information about an identified or identifiable natural person.
The data processor is the person or body that has been assigned by the controller to process personal data on the controller’s behalf. In such a case, there must be a data processing agreement between the two parties that regulates the duties of the data processor and the framework for the processing.
2 Data protection officer
NOKUT has its own data protection officer. The duties of the data protection officer are to:
• Inform and advise the data controller or data processor and employees who perform processing of their obligations under GDPR and other privacy regulations.
– Verify compliance with privacy regulations
– Advise on privacy impact assessments
– Collaborate with the Data Protection Authority and be the public relations contact for privacy issues
Requests to the data protection officer for disclosure, correction or deletion of personal data will receive a reply within 30 days. See Section 10 for contact information.
3 Personal information on the NOKUT website
3.1 General information
The web editor has everyday responsibility for NOKUT's personal data processing at nokut.no. People who visit the website are not obliged to provide personal information in relation to services, such as receiving newsletters. The basis for processing such information is the consent of the individual concerned, unless otherwise specified. See Section 3.5 for further information about newsletters.
3.2 Web statistics, web analytics and cookies
NOKUT has a strong focus on creating a user-friendly website, and we therefore study the usage patterns of visitors to our site. To analyse this information, we use the Google Analytics tool.
The Electronic Communications Act states that all visitors to a website using cookies must have access to information about cookies and what the website uses them for.
To learn more about cookies, you can read about them on the website of the Data Protection Authority or the Norwegian Communications Authority (Nkom).
Cookies previously downloaded can also be deleted via the browser. For information on how to do this, please see the instructions for the browser you are using.
3.3 Sharing service
NOKUT has created its own sharing service that allows the user to share articles from its website or send them to different social networking sites. How a particular networking site handles the data is governed by the agreement you have with the site. We do not store any personal or identifiable information.
3.4 Registration for events
When NOKUT holds an event, we use electronic registration forms on our website. By completing the form, you agree that we store personal information about you for use for the particular event. We need this information to know the details of the participants. After an event, we sometimes send out a questionnaire for you to evaluate the event. You may also give NOKUT your consent to keep your personal information (name, email address and the event you attended) in order to invite you to other relevant events on later occasions. If you do not agree to this, we will delete the information about you after the event.
This information is only shared with our partners, and is necessary in order for them to perform their respective tasks. This includes
Server and CMS: Intility AS, Laboremus Oslo AS, Quesnay AS, Episerver og EpiCentrum (Serbia)
Accounting system: Contempus
Information processed in connection with invoicing participants directly complies with accounting legislation, and we are required to store this data in the accounting system for ten years. This information is not used for other purposes and is restricted to those working with NOKUT's accounts.
You can subscribe to electronic newsletters from NOKUT. In order to send email to the correct recipient, we must store your name and email address. This information is stored in a separate database. We do not share the information with others than our server supplier (see 3.4). When you unsubscribe, your information will be deleted.
3.6 Institution portal
On our website you can access our institution portal to apply for accreditation of subjects and courses. You can see details of the personal data processed in the application portal under "case processing and archives".
4 Personal data in recruitment
NOKUT processes personal data in the recruitment process using the Webcruiter recruitment tool. This tool is provided by Webcruiter AS, which processes data for NOKUT. The purpose is to manage and implement recruitment processes in NOKUT. Applications are anonymized (equivalent to deletion under GDPR) in Webcruiter about once a year.
All job applications are entered into NOKUT's post journal, but personal data is protected in the public records.
See Section 8 for the processing of personal information about employees.
5 Case management and archiving
NOKUT uses the Public 360 archiving and case management system for electronic recording and storage of documents. Public 360 is supplied by Tieto and complies with public standards (NOARK). The archive manager has been delegated everyday responsibility for the system and manual archives.
Applications for accreditation/approval of institutions are recorded in NOKUT's institution portal.
NOKUT processes personal information to fulfil our statutory obligations as laid down in e.g. the Higher Education Act, the Tertiary Vocational Education Act, the Education Act, the Public Administration Act, the Freedom of Information Act and the Archives Act.
Various types of personal data are recorded in Public 360, such as names, addresses, telephone numbers, email addresses and other relevant information mentioned in inquiries.
NOKUT is required to make its public mail records available on the Internet, in the Norwegian Electronic Public Records (OEP). The records are a systematic and continuous recording of all incoming and outgoing case documents.
The recording, saving and storing of data take place as required by archiving legislation.
5.2 Institutional applications
Institutions enter their applications in our institution portal. Information from the Central Coordinating Register for Legal Entities (Enhetsregisteret) is automatically retrieved when the director of the institution logs on to the portal to create an application. In order to process applications, we will need to have personal information about the director, the board of directors (if any) and the contact person(s) of the institution.
There is also some personal data in applications from institutions. Applications from institutions with attachments are public documents accessible by any person interested. Please note therefore that applications should not contain sensitive personal data or other personal information that should not be made public.
NOKUT conducts the Student Survey, the Vocational School Survey and the Teacher Survey every year. The surveys are sent to students and teachers throughout the country, with voluntary participation. The personal data collected for the surveys consists of names, email addresses and IP addresses. NOKUT receives the names and email addresses from the Common Student System (FS) or educational institutions. IP addresses are recorded for technical reasons when the questionnaire is accessed and will be automatically deleted a few days later. Names and e-mail addresses are deleted by NOKUT at the end of each project. Information from the surveys is transferred to the Database for Statistics on Higher Education (DBH). The Norwegian Centre for Research Data (NSD) is in charge of data protection for surveys conducted by NOKUT, and we follow the instructions for processing personal data provided by NSD. We use the SurveyXact tool, and our supplier and data processor for this software is Rambøll.
7 National exams
On behalf of the Ministry of Education and Research, NOKUT organizes national exams. Here, NOKUT is the data processor and the Ministry is the data controller. Our processing is thus based on a data processing agreement. The Ministry is responsible for determining how personal data related to national exams is processed and NOKUT follows these guidelines.
8 Personal information about employees, assessors and examiners
NOKUT processes employee personal data in order to manage human resources. NOKUT also records information necessary for salary payments, such as basic data, salary level, hours worked, tax rate, tax authority and union membership. Other information about employees is related to their job description, instructions and organization. NOKUT also processes information necessary to pay fees to expert assessors and external examiners. This information is provided only in connection with salary payments and other statutory information. Personal data is deleted in accordance with the Accounting Act and the Archives Act.
We have personnel files in our archives for all previous and current employees. The personnel files are removed when the employee leaves. Personnel files have to be transferred to the National Archives of Norway.
9 Rights of data subjects
Any person whose data is recorded in our system is entitled to request access to his/her data and, in the event of incorrect or incomplete information, has the right to request that the information be corrected or completed. If NOKUT processes personal data that it is not allowed to process, the data subject may request deletion of this information. If consent was the basis for processing, the data will be deleted if consent is withdrawn or is no longer valid.
Please note that in some cases legislation entitles us to make an exception to the right to delete data. For example, this will apply if we are obliged to store personal data to fulfil a legal requirement or to safeguard important societal interests such as archiving, research and statistics.
We process requests for access, correction and deletion within 30 days.
10 Contact information
Below you will find information on how to get in touch with NOKUT. Please note that normal email is not encrypted. We therefore suggest that you do not send confidential, sensitive or other private information by email.
Address: Postboks 578, 1327 Lysaker
Telephone: +47 21 02 18 00
For questions about foreign academic or vocational qualifications:
Telephone: +47 21 02 18 60 (Tuesdays and Thursdays from 12:00 to 14:00)
10.2 The NOKUT data protection officer
Questions related to the processing of personal data by NOKUT should be addressed to the data protection officer.
- 11 Useful links
12 Changes to this privacy statement
Changes may be made to the NOKUT Privacy Statement. Date of last change: 24. January 2023.