Privacy policy for employees of the Research Council of Norway

This privacy policy contains a description of the processing of your personal data as an employee of the Research Council, both before and during the employment relationship, and after the employment relationship has ended.

The Research Council is the data controller for all processing of personal data where we determine the purpose of the processing and the means used.

Pre-employment: the recruitment process

When you apply for a job with us, we process the personal data from your application to assess whether you are qualified for the position.

In the recruitment process, the legal basis for processing will be Article 6 (1) (b) of the General Data Protection Regulation. This provision allows us to process your personal data when it is necessary to carry out an employment process with us, before we enter into an employment contract.

During the interview, interview notes are usually taken. The purpose of this is to document and evaluate your performance during the interview. The legal basis in this context will be Article 6(1)(f) of the General Data Protection Regulation, as we have a legitimate interest in clarifying your suitability for the position. The interview notes will be deleted once the position is filled.

Systems we mainly use to process your personal data

Jobbnorge

We use the recruitment system Jobbnorge when we are hiring new employees. Here we process information about everyone who applies for a job with us.

The following personal data is processed:

  • Name
  • Contact information
  • CV
  • Appendix
  • Application Letter
  • Answers to questions/reference questions

The following personal data may be processed:

  • Disabilities
  • Immigrant background
  • Gaps in the CV

Your data in Jobbnorge is stored for this amount of time:

  • Applicants who have not proceeded to an interview: 120 days
  • Applicants who have proceeded to an interview/been hired: 540 days

Semac AS

We work with Semac AS to conduct a background check of all relevant candidates. This includes an identity verification, good conduct and police certificate, and a background check.

Semac AS processes your personal data based on your consent in line with GDPR Article 6 (1) letter a. The information from the background check is stored at Semac and will be deleted automatically after 12 months.

Employed by the Research Council of Norway

As a member of the Research Council, you are registered in various IT systems and services that are either operated by the Research Council itself or by external suppliers.

The purpose of the processing of personal data in central systems is to safeguard your rights as an employee and to fulfil the Research Council's tasks and obligations as an employer in accordance with legislation such as the Working Environment Act, the Tax Act, the Accounting Act and the Archives Act. The personal data is also processed in order for you to be able to do the job you are hired to do.

The processing is based on Article 6 (1) (b), (c) and (e) of the General Data Protection Regulation. That is, in order to fulfil the employment contract with you as an employee and to fulfil obligations imposed on us by law.

Below you can see an overview of the most central systems we use.

Financial and HR system

We use Unit4 as a system for financial and personnel administration. The system is primarily used for:

  • Payroll processing
  • Timesheets
  • Travel and reimbursement settlements
  • Registration of holidays and time off in lieu
  • Processing of sickness benefits

The following personal data is processed:

  • Name
  • Contact information
  • Salary
  • Place of work
  • Working hours
  • Tax information
  • Information about sick leave, time off in lieu, holidays and leave of absence
  • Information about next of kin

Archive system

The Research Council archives appointment cases (where the recruitment process is documented) and personnel files (where the personnel management of the individual employees is documented).

The personnel files and appointment cases contain, among other things:

  • Name
  • Phone number
  • Address
  • Email address
  • CV
  • Job applications
  • Health-related information

As a general rule, the Research Council cannot delete information contained in documents that are of archival value and subject to a record-keeping obligation, and which must also be submitted to the National Archives once the archives are no longer in active administrative use. We can only dispose of documentation that is not required to be preserved, or individual information for which the National Archives has granted permission for disposal pursuant to Section 13 of the Archives Act and Sections 43 and 44 of the Archives Regulations.

If there is personal data in the personnel file that you believe is incorrect, you can request that the information be corrected or deleted.

As a general rule, you also have the right to access documents in the personnel file. If you wish to do so, you must contact HR, but you do not have the right to access other employees' personnel files.

Access system

KLP Eiendom is the supplier of the access system. Employees will be given an access card, which gives access to the Research Council's premises.

The following personal data is processed:

  • Name
  • Phone number
  • Registration (time)
  • PIN code on access card
  • Image
  • Footage from camera surveillance

Footage from camera surveillance is stored for seven days and will then be deleted. Passage log is stored for 90 days. This information is only disclosed upon request to the police.

Other central systems and useful information for you as an employee

Email system

Microsoft is the supplier of the email system Outlook. The solution is also used to allocate rooms and create schedules.

Your email inbox at the Research Council is private, even if you use it to carry out your work tasks. There are strict rules for when we as an employer can access our employees' email inboxes or private files.

When you use email, it is important that you mark each message with the correct sensitivity label. Private emails that are not work-related or contain information about the Research Council must be marked as "private".

Sound recording and filming/recording in connection with meetings, courses, lectures, etc.

The Research Council uses Microsoft Teams and Quickchannel in connection with meetings, courses, lectures, etc.

It is possible to make audio and video recordings in these cases. Participants must be informed of this and must give consent. This applies to both physical and digital participants. When participating in person, you give consent by taking part in the discussion and agreeing, before recording begins, that a recording will be made. If you participate digitally and give consent, the camera and microphone will be activated. If you do not approve this, you will join the meeting with your camera and microphone disabled.

If you participate in lectures, courses, etc. in larger meeting arenas, as a general rule, only the course and the speaker will be included in audio and video recordings. In such arenas, the floor may be opened for questions, and you then consent to audio recording when you voluntarily ask a question.

In some cases / in some departments, it may be appropriate for employees to participate in training videos. In such cases, it will be difficult to remove individuals. It is therefore important that this is clarified between you as an employee and your employer before you give consent to participate in video.

Photos of employees on the intranet or the internet

As a general rule, the Research Council, as your employer, must ask for your consent before we publish photos of you on our website. However, we can publish so-called "situational pictures" on the intranet without the consent of employees. A situational picture will be pictures from events organised by the Research Council, such as pictures from Christmas parties or lectures. In such cases, you can still ask your employer to remove the photo.

Other publishing on the intranet

The Research Council has an internal contact database where you can find other employees. Here you will find your name, phone number and email address, as well as your place of work. This is available so that other employees can reach the right person in case of questions, etc.

Employee surveys

The Research Council regularly conducts employee surveys to map how employees experience our working environment, and uses this knowledge to develop the organisation. The survey is voluntary. Employee surveys can include both larger surveys that cover several topics and smaller surveys such as pulse surveys or topic-specific surveys related to the working environment, well-being and management.

Ramboll Management Consulting AS is the data processor and assists the Research Council of Norway in conducting the survey. The data processor collects employees' contact information, demographic information (e.g. gender, age, job type) and answers to questions about the work situation, working environment, management and the like. The Research Council only processes anonymous datasets, i.e. the results are processed in aggregate form and are only used for improvement purposes. No individuals will be identifiable in the reporting.

Section 3-1 of the Working Environment Act provides guidelines for HSE work, and employee surveys help to ensure that the Research Council fulfils this legal obligation, cf. Article 6(1)(c) of the GDPR.

Occupational health service

The Research Council has an agreement with an external provider of occupational health services (BHT) to comply with the requirements of the Working Environment Act. The occupational health service assists with health checks, working environment mapping and counselling. The legal basis for this processing is Article 6 (1) (c) of the GDPR and Article 9 (2) (h), cf. Section 3-3 of the Working Environment Act.

The BHT is the independent data controller for health information and keeps its own patient records in accordance with the Health Personnel Act and the Patient Records Act. The Research Council only shares necessary administrative information with the occupational health service, and there are clear agreements on responsibility and information sharing.

You can read more about the occupational health service on the intranet.

Use of AI tools

As an employee of the Research Council of Norway, you may use Microsoft Copilot. This is an AI assistant that is integrated into other Microsoft 365 services such as Outlook, Teams, Word, Excel, and PowerPoint, to help employees automate work tasks, generate texts, and retrieve relevant information. Copilot serves as a support tool.

In order to use the AI assistant, your name, email address and IP address are collected. The AI assistant will also have access to text in various documents, email correspondence from your email account, chat logs from Teams and meeting notes, in addition to all open teams and documents. It also has access to information about when and how files and messages have been created, shared, or modified. This information may include personal information about you and other individuals.

When you use Copilot, the assistant will be able to create new personal data about you and others by compiling the information that is used.

As a user, you can delete your log on the "My Account Portal" via Settings and Privacy.

The Research Council processes your personal data based on our legitimate interest in line with Article 6(1)(f) of the GDPR. Our main interest is to improve internal efficiency and support for employees, and the use of Copilot makes this possible.

Who do we share your information with?

We only share personal data with individuals who have a legitimate need to access your personal data.

Your calendar will be available to everyone in the workplace.

In some cases, we also share your personal data with our data processors, other data controllers and other public bodies. We do this on the basis of a data processing agreement, an agreement on shared processing responsibility, a law/regulation, or a similar legal basis, respectively. The key recipients of personal data are mentioned on an ongoing basis under the various teams above.

Your rights as an employee

When we collect and process personal data about you, you have a number of rights you should be aware of. As an organisation, the Research Council is obliged to ensure that your rights are fulfilled.

Read more about your rights on the Norwegian Data Protection Authority's website.

Former employee of the Research Council of Norway

In order to continue storing former employees' personal data, there must be a special reason for this, for example that the personal data is subject to an archiving obligation under regulations and therefore cannot be deleted. See the National Archivist's regulations for which information we are required to retain and which information must be deleted (discarded).

Please contact HR and/or the Research Council's documentation team if you have any questions related to the deletion of personal data upon termination of employment.

More information to view

Read more about Privacy in the workplace on the Norwegian Data Protection Authority's website.

If you as an employee of the Research Council want to learn more about GDPR, take an introductory GDPR course in the Course Portal.