Skip to content
 

Personal data protection – privacy statement

This privacy statement describes how the Research Council of Norway collects and uses personal data in its activities.

  1. Data controller
  2. Data Protection Officer
  3. Web-based processing of personal data
    1. General information about the processing of data
    2. Web usage statistics
    3. Web analysis and cookies
    4. Event registrations
    5. Surveys/data collection
    6. Newsletters
    7. Membership in Nysgjerrigper
    8. Digital adviser
    9. The eSøknad online submission system and My RCN web
  4. Electronic recruitment tools
  5. Case handling and archiving
    1. Right of access to documents
  6. R&D statistics and analysis
  7. Personnel data
  8. Right of access
  9. Contact information

1. Data controller

The Chief Executive of the Research Council is the data controller responsible for ensuring that the Research Council processes personal data in accordance with the provisions of the Personal Data Act.

2. Data Protection Officer

The Research Council has a Data Protection Officer whose primary tasks are to serve as a professional resource regarding the protection of privacy, provide information and guidance and ensure compliance with all rules and internal guidelines relating to the processing of personal data.

The Data Protection Officer also serves as the link between the Research Council, as the data controller, and the Norwegian Data Protection Authority (DPA) as the supervisory authority.

The Data Protection Officer also answers questions from individuals whose personal data are or may be processed by the Research Council. Contact information is provided at the end of this document.

3. Web-based processing of personal data

3.1 General information about the processing of data

The Research Council collects and processes personal data via its webpages, www.forskningsradet.no and other domains registered by the Research Council for use in connection with the operations of its various programmes and activities.

Providing personal data via these webpages is voluntary. The processing of personal data in connection with the services provided, such as subscribing to a newsletter, registering for an event as well as other services for sharing or submitting information, is contingent on user consent.

Operational and maintenance services for the Research Council’s webpages are provided by EVRY. Bouvet and Redpill Linpro provide operational and maintenance services for www.nysgjerrigper.no, and Hyper and Ravn Webveveriet for www.forskningsdagene.no. These suppliers serve as data processors for the Research Council. Only the Research Council, the respective service providers and their subcontractors have access to these data.

For event streaming, the Research Council uses Vbrick and YouTube. Research Council webpages contain links to its Facebook and Twitter profiles. The use of these features is covered under the respective privacy statements of the companies supplying these services.

3.2 Web usage statistics

The Research Council’s webpages register the IP address of users visiting the site. These data are processed in a de-identified format which prevents the data from being linked to individual persons. These data are collected for the purpose of statistical analysis to develop and improve webpage content. These statistics are used to find out the number of times different pages are viewed, the duration of these visits, which websites users are visiting from and which browsers are being used.

3.3 Web analysis and cookies

The Research Council uses the analytical tools, Google Analytics, Webtrends and Hotjar on its main page, www.forskningsradet.no. By closing the disclaimer that appears when visiting a page, the user consents to the use of cookies, and agrees that the guidelines for privacy protection of Google Analytics, Webtrends and Hotjar will apply.

Google Analytics is set up so that IP addresses may only be processed in an anonymised format. Webtrends’s analytical tool employs a third-party cookie (ACOOKIE) for tracking and analysing traffic across domains. Hotjar’s analytical tool employs its own cookie (_hjIncludedInSample) to track traffic on www.forskningsradet.no.

Cookies are small text files downloaded to the visitor’s computer when a webpage is downloaded. The Research Council uses cookies to generate statistics and for web analysis to provide the best possible functionality and user-experience on its webpages.

Most web browsers are configured to handle cookies automatically. A browser’s settings may have to be changed if the user does not wish to accept cookies. Blocking cookies may limit a website’s functionality.

3.4 Event registrations

In connection with the registration process for various events, the Research Council uses an external registration system by Pindena. In addition, the Research Council has entered into framework agreements with three event management agencies, Congress Conference, Conventor and Medvind AS, who handle event registration for the Research Council using their own registration systems. When a registration form is submitted, only the registrant’s name and contact details are stored for the purpose of administering registrations and participant services/communications. These data are deleted after conclusion of the event.  The data collected are de-identified and stored in a protected area, isolated from any access key.

3.5 Surveys/data collection

The Research Council uses the survey tool, SurveyXact, in connection with questionnaire-based surveys and other data collection activities targeting website visitors. Survey participation is voluntary and is based on consent granted by the participant(s). Names and email addresses must be collected in order to ensure that communications are sent to the correct respondents. These data are deleted after survey completion.

3.6 Newsletters

It is possible to subscribe to newsletters from the Research Council and its various programmes and activities. The newsletter solution for these various subscriptions is supplied by the company, APSIS, which handles data in this context for the Research Council as set out in an agreement. To send out newsletters in connection with the Health&Care21 monitor, the Research Council uses the MailChimp platform (www.mailchimp.com). Names and email addresses must be collected in order to ensure that communications are sent to the correct subscribers. These data are stored in a separate database. They are not shared with any third party and are deleted whenever a user unsubscribes from the service. The information is only used in connection with newsletter distribution. To cancel a subscription, users must themselves unsubscribe from the service, either via the website or a link in the newsletter.

3.7 Membership in Nysgjerrigper

It is possible to register an individual Nysgjerrigper membership and subscribe to the Nysgjerrigper magazine (although classroom subscriptions are the most common subscription type). Names and email addresses must be collected for membership administration and in order to ensure that magazines are sent to the correct subscribers. Date of birth is also registered to determine the age of members. Members under 18 must also provide the name(s) and telephone number(s) of parent(s) or guardian(s). This information is used solely for the purpose of membership administration. The data are stored in a separate database and are not shared with others. Members must themselves cancel these services if they no longer wish to take part.

3.8 Digital adviser

The Research Council has a tool called Digital adviser, which uses the Google Maps API to indicate event locations. Use of this service entails processing of personal data, with Google acting as the data processor for the Research Council, cf., Google’s Privacy Policy statement, which applies for this activity. 

3.9 The eSøknad online submission system and My RCN web

The Research Council collects personal data via its online application system, eSøknad, via the “My RCN” web portal. The purpose of processing data in this context is for the receival and processing of grant applications for research funding. A more detailed description of the categories of information collected is available below, under point 5: “Case handling and archiving”.

4. Electronic recruitment tools

The Research Council also processes personal data through its electronic recruitment system, HR Manager. The solution is supplied and operated by HR Manager Talent Solutions International, which manages these data on behalf of the Research Council in accordance with a written agreement. The purpose is to administer and carry out recruitment activities at the Research Council.

All job applications are entered into in the Research Council’s mail journal, and stored in an archive for approximately one year before being destroyed. The head of archives oversees this process. Journal information is not deleted, but is secured in an electronic public record archive (i.e. the individual’s/applicant’s name is not included). Exceptions apply for job applications at the department director level, which are kept on record.

5. Case handling and archiving

The Research Council uses ACOS Websak, a NOARK 5-compliant (“Norwegian Archive Standard”) case handling and archive system, in connection with entering and archiving records in accordance with the provisions of the Act relating to archiving (Arkivlova) and appurtenant regulations. The head of archives is responsible for the day-to-day operation of the system and the physical archives and for ensuring that necessary routines for their use have been drawn up. The respective department directors at the Research Council are responsible for ensuring that the case handling processes in practice are carried out in line with the routines.

The Research Council handles personal data in connection with application processing, in the assessment and follow-up of projects that have been granted funding, and in monitoring of use of allocated funding in submitted project account reports. These data are stored in a separate electronic case handling system and in an archive system to which employees with tasks related to application processing have access.

As part of the electronic case handling system, a registry has been established that provides an overview of the names of project managers for projects that have sought funding support, persons who serve as project administrator for projects, researchers and other project participants, fellowship holders, etc. The registry also contains information about the referees used by the Research Council in the application review process and members of the Research Council’s various boards.

The specific categories of information that will be stored will vary in relation to the role in question. The information collected consists primarily of name, national ID Number, email address, position, place of employment and role in relation to the project. For persons receiving remuneration from the Research Council, e.g. referees and board members, the information necessary for disbursing the remuneration, such as national ID Number (alternatively, a D-number when relevant), is stored in the registry. For referees, information linked to previous involvement in application assessment is also recorded.

Employees, referees, and members of the Executive Board, programme boards and division research boards and others receiving remuneration from the Research Council are registered in Agresso, the Research Council’s Enterprise Resource Planning (ERP) system. This is necessary in order to carry out contractual payments and mandatory reporting to Norwegian (and, when applicable foreign) authorities.

5.1 Right of access to documents

With regard to access to public documents, personal data are disclosed in accordance with the Freedom of Information Act and the Public Administration Act.

Special security measures and routines have been implemented for highly confidential information stored in the archive, such as sensitive personal data.

The Research Council is required to make its public records available to the public via the Internet, using the eInnsyn joint publication service for government agencies and the City of Oslo. Section 7 of the Regulations relating to the Freedom of Information Act, as referred to in Section 6, paragraph 4 specified certain categories of information that are not to be made public in public records and journals published on the Internet. It has also been stipulated that the names of individuals must not be retrievable from eInnsyn after one year has passed from the time the data were entered.

6. R&D statistics and analysis

One of the main tasks of the Research Council is to serve as an advisory body for the Government and ministries on research policy issues. This requires a sound knowledge base in the form of statistics and analyses. Therefore, the Research Council has established a data warehouse that retrieves data (including personal data) from its eSøknad online submission system, the case handing and archive system, the ERP system and the national Current Research Information System in Norway (Cristin). The data warehouse is used to compile reports, overviews and statistics related to R&D grant allocations. The data warehouse is also the source of published information on applications and projects. The names and titles of project managers for projects allocated funding, along with the project summaries, are published on the Research Council’s website and in the Project Databank as well as the Agency for Public Management and eGovernment’s (Difi) data set repository. Applicant institutions have access to information concerning their own applications and projects, including the names and titles of project managers, whether or not their proposals have been awarded funding. Other data retrieved from the data warehouse are always presented as aggregates.

The Research Council is the data controller for personal data processed in connection with efforts to collect, prepare, develop and make available R&D statistics on Norway. The Nordic Institute for Studies in Innovation, Research and Education (NIFU) prepares the R&D statistics and acts as data handler in the processing of personal data needed in these efforts. The Research Council and NIFU have entered into a written agreement regulating data handling activities.

The following information is handled as part of the compilation of registries:

  • The Research Personnel Register: name, information about the individual’s position (title, position code and percentage of full-time equivalent), institutional affiliation (institution/faculty/department/institute), subject area, degree, discipline, year and place of university degree, doctoral degree and the year of defense of doctoral dissertation. The data are collected each year from universities, university colleges, research institutions and hospitals.
  • The Doctoral Degree Register: name, gender, age, nationality, education (university or equivalent), educational institution, year of degree conferral, type of degree (title), year/month of dissertation defense, degree-conferring entity (institution/department), subject area for the degree. These data are collected twice a year from degree-conferring institutions and from the Research Council’s case handling system, which provides an overview of the fellowship positions funded by the Research Council.

Personal data stored in the Research Personnel Register and the Doctoral Degree Register may only be disclosed to research organisations that are approved as research organisations in accordance with the Research Council’s criteria, and may only be used for statistical, research and analytical purposes. The legal basis for practices concerning the processing of data is set out in the Section 8 litra d of the Personal Data Act.

7. Personnel data

The Research council handles personal data on its employees for the purpose of payroll and personnel administration pursuant to the Section 8, litras a, b or f, and Section 9, litras a, b and f of the Personal Data Act §, first paragraph.

The data registered by the Research Council are necessary for payroll disbursement, for example, basic data, salary level, timesheets, tax rate, tax municipality and union membership. Other information collected about employees is used in connection with job descriptions and facilitating work activities.

8. Right of access

Individuals registered in the Research Council’s systems have the right of access to their own information. If the data processed by the Research Council are inaccurate, incomplete or not authorised, individuals have the right to demand that the information is corrected, deleted or amended. Enquiries regarding personal data are to be dealt with free of charge and not later than 30 days from the date of receipt.

For questions relating to the Research Council’s processing of personal data, please contact:

Process Responsible

Personal data Officer

The Research Council
post@forskningsradet.no

Anja Wiesbrock
personvern@forskningsradet.no
+47 22 03 70 00
P.O. Box 564, NO-1327 Lysaker, Norway

 

Published:
05.03.2018
Last updated:
30.08.2018