Information security and data protection at UiT

Purpose and intent

UiT – The Arctic University of Norway (UiT) is a national and international powerhouse for competence, growth, and innovation in the High North. This shall be shown through, among other things, high quality of UiT's knowledge management and information values: research data, research results and information or knowledge included in teaching, research and dissemination.

Information security
Systematic and planning work to safeguard our information values is a key part of UiT's knowledge management. Both internal and external actors – managers, employees, students, partners and the general public – should be able to rely on UiT to ensure that information in all forms

• not become known to unauthorized persons (confidentiality)
• not be altered unintentionally or by unauthorised persons (integrity)
• available to those who have a legitimate need for it (availability)

UiT is subject to a number of laws and regulations that require us to have satisfactory information security. This applies, among other things, to the Public Administration Act with regulations (e-administrative regulations), the Personal Data Act (2018) with regulations, the General Data Protection Regulation (GDPR) and the Health Research Act with regulations. In addition, other legislation, including the Freedom of Information Act and the Archives Act, contain provisions that are important for the work on securing the information at UiT. The management system for information security and privacy at UiT shall meet the requirements set by the legislation and the Ministry of Education and Research (KD) for the work on information security in the university and university college sector.

Privacy
Safeguarding the security of information when processing personal data is a key part of the obligations under the Personal Data Act, the GDPR and other relevant legislation. However, there are a number of other obligations beyond information security to ensure good privacy and comply with the obligations that UiT is subject to in accordance with the regulations, such as legal basis for collecting and processing information, good and correct information about the processing, safeguarding rights, etc.

Systematic work to ensure that UiT complies with these obligations at all levels is therefore essential for safeguarding the rights and privacy of the people we process information about and safeguarding the trust that UiT relies on in order to maintain and develop its activities in research, education and dissemination.

The Information Security Management System at UiT

The information security and privacy management system shall ensure that UiT's information values are handled in a systematic, planned, and satisfactory manner. The management system includes, among other things, goals, strategy, and organization of the work on information security and privacy, as well as description of roles and responsibilities, overview of information values and guidelines. The management system consists of three main elements:

1. Governing part – overall policy, including objectives and strategy, acceptable risk roles and responsibilities.
2. Implementation part – specific guidelines and routines, including classification of information, risk assessments, training, etc.
3. Controlling part – internal audit, reporting of nonconformities and management's review/annual report.

Information security and privacy are a top management responsibility. The operational responsibility and practical work on safeguarding information security and privacy can be delegated to the individual units at UiT, cf. the description of the security organisation with roles and responsibilities in Chapter 3.
The management system for information security and privacy at UiT includes

• everyone who accesses UiT's information values [1]
• all UiT campuses
• all organizational units
• all technology[2]
• all information values

Information value is a collective term that includes both the information itself as well as associated support values such as ICT system, digital services, computer equipment of various variants, etc. How to process and protect information values depends on the results of risk assessments. Information security shall be safeguarded for all information values, regardless of media type, format, storage technology, whether digital or non-digital, processed on-premises or in cloud services, etc. It can be an IT system, such as personnel system, learning platform and archival system, or some type of information, such as student information, patient information or data included in a research project. Furthermore, it is not only personal data, but also other information that the university manages. For example, financial information about the business, building information, research data that does not involve people, etc.

[1] Students, staff, guests, partners etc.
[2] IT systems, computer networks, databases/registers etc.

Vision

UiT shall establish and maintain proper management and safeguarding of its information assets in order to safeguard society's trust in the university's education, research and dissemination.

UiT shall:

• work purposefully and risk-based with information security and privacy
• safeguard information security and privacy in a comprehensive and systematic manner, and ensure a common approach internally at UiT
• reduce the vulnerabilities to UiT's information assets
• include information security and privacy in university decision-making processes
• simplify and improve the University's information security and privacy policies and processes
• improve the ability to detect and handle incidents, deviations, and breaches quickly so that any consequences are minimal
• provide training and awareness that enables staff and students to prevent, detect and report incidents

Overall objectives for UiT

A. Comprehensive, integrated, and effective management and control
Build and maintain the necessary organization, management of information security and privacy, processes, and support tools. Security and privacy activities must be integrated into UiT's processes.

B. Monitoring and event management
Security should, as far as possible, seek to prevent undesirable incidents. We can achieve this by providing measures that make it possible not only to detect incidents and violations, but also to manage and reduce their consequences.

C. Responsible culture
Establish and maintain a culture where employees and students are aware of their responsibilities and tasks within information security and privacy and have the will and ability to safeguard UiT's information values.

The work to achieve the overall goal picture must be built in layers, over time. It has no end date as it must not only be established, but also maintained in a large and complex organization with a dynamic risk and threat picture.

To achieve the overall target picture, a set of targets has been set for each category, and measures to achieve these targets shall be adopted annually through a roadmap. There will often be various measures over time that entail that the sub-goal is achieved, and then measures must be implemented to maintain and maintain this. The targets and associated measures are set out in the roadmap.

Acceptable risk

It is not possible to eliminate every risk, but UiT will work systematically and purposefully to have a risk level that is acceptable, seen in relation to UiT's goals and risk picture.

UiT shall have a risk-based approach to information security, and "acceptable risk" is thelevel of risk UiT is willing to accept in order to create value and achieve the goals and benefits sought.

Risk appetite can be categorized in different ways:

• Unwilling: Should avoid risk.
• Minimalist: Extremely conservative.
• Caution: Should avoid unnecessary risk.
• Flexible: Will take strongly justified risks.
• Open: Will take justified risks.

Too high a risk appetite on UiT's part will expose employees, students and research participants to an unsustainable risk of harm and negative consequences, as well as could damage UiT's reputation and / or have financial consequences. Too low risk appetite will mean that projects, processes, activities, etc. are not feasible either because it is not possible to bring the risk down to a very low level, or it will be disproportionately time-consuming and expensive. This could have major negative effects on UiT's activities.

The stronger and better the security culture, basic security, and systematics around the work with information security throughout the university, the greater the scope for implementing ambitious projects and processes which in an organization with a weaker security culture and work will entail an unacceptable risk. Both UiT's risk picture and overall basis for managing risk in a responsible and trustworthy manner will be dynamic, and must be continuously assessed, including measuring the safety culture among employees and students.

As a rule, therefore, "acceptable risk" will be in the middle three categories ("minimalist", "cautious" and "flexible"). This may vary based on, for example, the type of data processed, the benefits sought to be achieved and the risk involved in not initiating a process, carrying out a research project, adopting an IT system, etc. However, it is not up to the individual's discretion how risk is to be assessed, or what level of risk can be accepted. Therefore an account of how UiT assesses risk, as well as the limits for acceptable risk, is set.

The University Board

• processes and adopts the management system for information security and personvern at UiT
• has the overall responsiblity for ensuring proper processing of personal data at UiT
• shall set requirements for further work on information security and privacy at UiT

Director of Administration

• exercises the overall responsibility for all processing of personal data at UiT
• is responsible for information security at an overall level, including setting aside sufficient resources for the work on information security, including training and competence enhancement
• is responsible for ensuring that the information security and privacy management system is implemented and maintained, as well as for the organization of security work
• ensures that breaches of personal data security where there is an obligation to notify, are timely handed over to the Norwegian Data Protection Authority
• shall annually review the status of the work on information security and privacy³ 
• shall appoint^a members of the Information Security and Privacy Forum
• shall appoint members of the Data Protetion Impact Assessment Group (DPIA)
• have the authority to decide whether treatments subject to data protection impact assessment (DPIA) should be deemed to have sufficiently reduced the risk, or whether the treatment must be subject to further measures, alternatively discontinued

³ Cf. Chapter 9 "Management Review"

--------------------

^a Delegated to the IT Director on the 3rd of May 2022.

IT Director

• has the administrative responsibility for information security and privacy at UiT
• has instructional authority to all entities at UiT in matters concerning information security and privacy
• has the practical responsibility for ensuring that a protocol is maintained on all processing activities that UiT has, both in the role of data controller and as a data processor.
• ensure that attitude-creating programs are carried out

Privacy and information security office

• group leader is head of security (CISO)
• shall exercise the authority of the IT Director in matters concerning information security and privacy
• shall be an advisor to the line organization on issues related to information security and privacy
• will lead the CSIRT team and information security forum
• shall prepare and maintain the overall contingency plan for ICT
• shall follow up deviations at the overall level and ensure that these are channelled to and followed up by affected entities
• shall be given access to all information necessary to follow up incidents and deviations in information security and privacy
• shall conduct information activities, advice and training in information security and privacy
• shall maintain general regulations and routines for information security and personal data
• has the authority to initiate internal audits within information security and/or privacy, on all entities and in all business areas
• shall prepare and maintain tools and guidance materials for the implementation of risk assessments
• shall prepare an annual report to the management's review ("Annual Report on Information Security and Privacy")
• keep track of data processing agreements which UiT enters into

Data protection officer

• reports directly to the Director
• shall inform and advise UiT's employees and students on current obligations under data protection legislation
• shall check UiT's compliance with data protection legislation
• shall be involved at the right time and level in questions concerning privacy
• advising on the assessment of data protection implications (DPIA) and check the implementation of these assessments
• shall be involved at an appropriate level in the handling of nonconformities pursuant to data protection legislation, and at least be informed about the content and scope of nonconformities
• shall prepare an annual report that can be included as an appendix to the annual report on information security and privacy
• have observer status in the Information Security and Privacy Forum
• can be contacted directly by the data subjects with questions about UiT's processing of their personal data, and about the exercise of their rights under the General Data Protection Regulation (GDPR)
• cannot be instructed on the performance of the tasks assigned to the Data Protection Officer pursuant to Article 39 OF the General Data Protection Regulation (GDPR)

Department of Information Technology

• shall assist the system owner in the design of information security requirements when acquiring new systems
• is responsible for the operation of key IT systems, and shall ensure satisfactory information security on IT infrastructure based on risk assessments
• based on risk and vulnerability analyses, we will develop a continuity and contingency plan covering critical and important information systems and infrastructure
• must document systems/infrastructure and associated safety measures
• shall prepare and maintain security policies, guidelines, and procedures for the technical infrastructure
• shall monitor significant changes in threats to UiT's information values

Department of Property Management

• ensure that securing access to buildings, rooms and areas is in line with acceptable risk criteria
• shall assist units in risk assessments of physical safety and in the implementation of necessary physical safeguards

Research, Education and Communication Division

• shall have the contact person for the Norwegian Centre for Research Data (NSD)
• shall receive and be internally responsible for following up data protection impact assessments (DPIA) that NSD prepares on behalf of UiT

Heads of faculties and units

• is responsible for satisfying information security and privacy requirements in their own unit
• ensure that risk assessments are carried out
• shall take action if necessary to safeguard the security of information and privacy in their own unit
• have the overall responsibility for ensuring that data protection impact assessments (DPIA) are implemented where required under Art. 35 GDPR
• shall report results from risk assessments with action plan and nonconformities to the Privacy and information security office
• shall follow up nonconformity reports in their own unit and ensure that these are closed, in cooperation with the Privacy and information security office
• shall inform employees in their own unit of the routines and guidelines that always apply and ensure that the requirements in the management system related to their own unit are followed

System owner

• shall establish and maintain routines to meet the safety objectives
• shall set requirements for information security in the procurement, development and maintenance of information and the information system, in consultation with the Department of IT
• should focus on ensuring data protection by design and by default
• ensure that access is provided according to the need for service, terminated when the need ceases, and that necessary training is provided
• ensure that data processing agreements are entered into
• shall carry out risk assessment of the system in accordance with Chapter 5, and document that risk assessments have been carried out
• shall carry out necessary actions identified on the basis of risk assessments

Head of research project

• acts on behalf of UiT as data controller for the specific research project
• has the day-to-day responsibility for ensuring that information security is safeguarded in the research project
• is responsible for ensuring that data protection impact assessments (DPIA) are carried out where required under the General Data Protection Regulation (GDPR) Art. 35.
• more detailed responsibilities and obligations follow from the guidelines for processing personal data in research and student projects

Students supervisors

• acts on behalf of UiT as data controller for the concise student project (e.g. master's thesis)
• is responsible for ensuring that data protection impact assessments (DPIA) are carried out where required under the General Data Protection Regulation (GDPR) Art. 35.
• more detailed responsibilities and obligations follow from the guidelines for processing personal data in research and student projects

DPIA Group

• is headed by the Research, Education and Communication Division
• assesses prepared data protection impact assessments (DPIA) on behalf of UiT
• gives an assessment to the Director with a recommendation on whether or not the processing of personal data should be initiated
• members shall at least include the Data Protection Officer, one representative from the Privacy and information security office and one representative from a faculty.

Employees and students

• has a duty to familiarize themselves with and follow the safety procedures and guidelines that always apply to the safe handling of information values and personal data
• has a duty to prevent and report incidents that may involve nonconformities, as well as report nonconformities when these occur, through the nonconformity reporting system

Computer Security Incident Response Team - CSIRT

• shall implement, or order, any action deemed appropriate to avert damage to UiT's IT systems and data
• shall report on security incidents, potential for damage, the extent of damage and measures taken to the IT Director
• for more information, see here

Information Security and Privacy Forum

The Information Security and Privacy Forum consists of one representative per unit¹ as well as the Privacy and information security office, which has the leader and referrer of the forum. The Data Protection Officer has the right to meet and speak.

The forum has an advisory function in matters that are important for safeguarding information security and privacy at the university. These may include regulations, training activities, individual cases, etc.

In particular, regulatory changes of principle must be presented to the forum before the proposed changes are adopted, unless special circumstances mean that this is not possible. In such a case, the forum shall be informed of these changes in the subsequent meeting.

The Privacy and information security office have the main responsibility for promoting and preparing cases for the information security forum, but all the forum's members can present their own cases for discussion.

The forum shall be informed about incidents and matters of greater importance for information security or privacy at the university. Normally, such orientation will take place via the ordinary meetings.

The details of such matters will often be exempt from public disclosure, and members of the Forum are obliged to comply.

The members of the Forum represent their unit and shall provide the necessary briefing to the management on their own unit on cases and issues discussed in the Forum.

-------------------------------

¹"Unit" means the faculties, UB, UMAK and the administrative departments of the joint administration under the university management.

Legal basis for processing personal data

During the period when lectures and seminars at UiT’s campuses/physical locations are cancelled, digital lectures and seminars will be utilised where possible.

A legal basis for the processing is always required.

UiT has categorised various activities where video is utilised (in teaching, examinations, dissemination and for administrative purposes). These activities have so many similarities that we have decided a relevant basis for the processing – for the personal data of both the employees and the students.

Important: It is essential that the unit/lecturer always assesses whether, for instance, video is necessary and, if it is deemed necessary, whether streaming the video is sufficient or if it must be recorded? Is it possible to combine different teaching methods, e.g. publishing a video from a lecturer followed by a chat discussion? These are just examples, and this is largely an academic (educational) decision. However, it is necessary to consider this. One must always undertake such a necessity consideration for the processing of personal data to be lawful. In other words, one cannot simply point to a given basis for the processing and then take it as a “blank authorization”. There must be a balance between what is achieved and how comprehensive this is for the student and the employee, and whether one can utilise means to reduce this impact on employees and students.

General/introduction
Many people often think of GDPR as a “consent law”, i.e. if you are going to process personal data, you must have consent from the person(s) the data applies to. However, this is incorrect. There are numerous bases for the processing and consent is just one of these. For teaching and administrative purposes, consent will often not be applicable and other bases must be used.

Basis for the processing is referred to in two different articles in GDPR:

• For general personal data (most types of data): Article 6
• For special categories of personal data (health, religion, politics, etc.): Article 9 (in addition to Art. 6)

Furthermore, several of the bases for the processing in GDPR require a so-called supplemental authority (“where Union or Member State law”).

• 6 (1) (c): the processing is necessary for compliance with a legal obligation to which the controller is subject
• If this basis for the processing is used, one must refer to a correct legal obligation to which UiT is subject (via an act or regulation)
• 6 (1) (e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• If this basis for the processing is used, one must be able to show that a “task in the public interest” or “exercise of official authority” is vested in UiT. One must also refer to the correct provisions in this context.
• This also applies to several of the bases pursuant to Article 9.

Specifically about consent

Consent is probably the “best known” basis for the processing. We find this basis in both Article 6 (1) (a) and Article 9 (2) (a). However, it is a widespread misunderstanding that consent is the only basis for the processing (“If you are going to process personal data, you must have consent”) or that consent is the preferred basis for the processing and that the order in Articles 6 and 9 give the impression of a “ranking”. This is incorrect. Consent is one of several possible bases for the processing, and these have equal status. Moreover, there is not necessarily any conflict between using any of the other bases for the processing and the fact that the subjects participate freely.

There will be some instances where it will be correct to use consent and where perhaps it will be the only relevant basis for the processing (e.g. this is often the case in research projects).

If one plans to use consent, one must be certain that this consent is valid pursuant to GDPR, as numerous conditions must be met for the consent to be valid. If even one of these conditions are not met, then the consent will be invalid. The consequence will be that the processing is unlawful and nay data collected or generated on the basis of the consent in question must be erased. Reactions can also come from regulatory authorities. In these situations, it will not “help” if you have obtained a consent from everyone because, if the validity conditions are not met, the processing is unlawful.

For UiT, there are numerous situations where we are prevented from using consent as a basis for the processing, and it is important to be aware of this. We will now look briefly at the conditions for consent, especially one that is often problematic for UiT to meet. The conditions for consent are stipulated in Article 4 (11) cf. Art. 7 of GDPR.

However, it is important to emphasize that there are certain limits about what one can consent to. A consent pursuant to GDPR is only a basis of the processing. This means that a person cannot, for instance, consent to other requirements in GDPR being deviated from (e.g. the requirement concerning information security).

Consent must be freely given, specific, informed and unambiguous. If it applies to personal data, the data subject must give his/her consent by a statement or clear affirmative action. Furthermore, it must be possible to demonstrate that the data subject has consented to processing of his or her personal data. If the consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters in the declaration. It must be given in an intelligible and easily accessible form, using clear and plain language. If the processing activities can be distinguished from one another, one must ensure that the consent is not obtained in an ‘’everything or nothing’’ form. The person must have a choice between the various processing activities. A consent may be withdrawn at any time, and the data subject shall be informed of this prior to giving his or her consent. The processing of the personal data about this person must then cease, which often involves erasing the data. Moreover, it shall be as easy to withdraw as to give consent, i.e. If consent can be given with “one click”, it must be possible to withdraw it with “one click”. Finally, it is important to be aware that passive consent is invalid. An active action is required (e.g. ticking a check box. If the box is pre ticked, it means the consent is invalid).
Consequently, many requirements must be fulfilled for a consent to be valid. One must keep track of who has given their consent and be ready to act if someone withdraws their consent.

However, for UiT, we must pay particular attention to the condition that consent must be given freely.

The consent shall genuinely be freely given. When there exists an imbalance of power between the controller and the relevant data subject, this is extremely difficult to achieve. This is described in the following manner in point 43 of the preamble in GDPR (our emphasis): “In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller (...)”.

In working conditions, it will be difficult to meet the requirement that consent be given freely, owing to the uneven balance of power between employer and employee. It is not entirely inconceivable but, in the vast majority of cases, one should avoid trying to use consent as the basis for the processing. Please note that this does not mean it never can be voluntary for an employee to, for instance, perform a task or give information. However, the everyday understanding of “freely given” has a much lower threshold than GDPR. WP29 (advisory group in the EU) stated the following about this question [1] (our emphasis):
“There may be situations when it is possible for the employer to demonstrate that consent actually is freely given. Given the imbalance of power between an employer and its staff members, employees can only give free consent in exceptional circumstances, when it will have no adverse consequences at all whether or not they give consent. [Example 5:] A film crew is going to be filming in a certain part of an office. The employer asks all the employees who sit in that area for their consent to be filmed, as they may appear in the background of the video. Those who do not want to be filmed are not penalize in any way but instead are given equivalent desks elsewhere in the building for the duration of the filming”.

There does not need to be explicit ‘threats’ of reactions if one does not consent, or more obvious pressure, for the requirement relating to ‘freely given’ not to be met. More implicit or informal pressure or expectations (“this is desirable for UiT to achieve”, “everyone must pull together”, etc.) will also lead to the requirement relating to ‘freely given’ not being met. Consequently, as an employer, UiT should not use consent as a basis for the processing. However, if one still chooses to use this, it must be thoroughly reasoned and discussed, particularly concerning the requirement relating to ‘freely given’.

Many of the above-mentioned considerations are also applicable when it comes to processing of the students’ personal data. This is a clear imbalance of power between UiT and the students. This applies to everything from UiT as the overall institution to the lecturers. Consequently, UiT must be extremely constrained in the use of consent as a basis for the processing of the students’ personal data, especially in a teaching context. This does not mean that there are not instances when the use of consent is both relevant and correct. However, in such cases, one must ensure that through and documented assessments have been implemented. The main rule is that other bases for the processing should be utilised.

Specifically regarding the situation with Corona (for the time periods when national measures are in place):
Given the situation UiT is currently in with Corona-related measures and the fact that all instruction must be digital for an unknown period, it seems that there is little doubt that, as a main rule, consent cannot be utilised as a basis for the processing. In practice, the lecturer who refuses will not be able to do his or her job and the student who refuses to participate in, for example, a video lecture/seminar (streaming and/or recording with student participation, either directly in video or via chat) in reality misses out on part of the education or will be the “reason” why seminars cannot be held. This means that in reality the choice is not as free as GDPR requires. Consequently, other bases for the processing must be used.

[1] See Personopplysningsloven og personvernforordningen (GDPR) med kommentarer, Jarbekk (ed.), Gyldendal 2019, p. 151.

You must provide information

The clear main rule in GDPR is that information must be given before one can collect personal data. We will provide more details later, but in brief the following applies for recording of video:

Before you start recording, you must inform those who will be included in the recording:

1. That the lecture etc. will be recorded
2. What it will be used for
3. Who will gain access (this can be at the group level, e.g. the course students?)
4. When it will be erased (if not a specific date, the criteria for erasure, e.g. after the re-sit examination for this course this semester has been held)

[Skriv tittel her]

Countless video services are available; some for streaming, some for recording and some for both. Many have their personal preference and perceive clear advantages by using precisely their preferred service.

We understand that, but unfortunately it does not help. The reason for this is that when UiT utilises video, the person data in this video are processed. This can involve employees, students or even external actors. In a video service, the personal data in the actual video and those associated with it (e.g. login, activity logs, chat, etc.) are processed.

We are subject to stringent requirements when it comes to the processing of personal data, and as a minimum we must have a data processor agreement with the supplier. Moreover, a risk assessment must be conducted. Compliance with statutory requirements is not our primary motivation for doing this. These requirements exist for a reason. It concerns safeguarding the data protection of our employees, students and guests, etc. If you use “private” video services in a teaching context, UiT cannot attend to the obligations we have. What happens if the supplier chooses to use the personal data for a completely different purpose, e.g. advertising? If the correct agreements are lacking, it is realistic that they actually have this access.

Furthermore, UiT often purchases services on other terms that those that apply for private individuals or even for a research group or unit. For several services, UiT’s terms of purchase mean that personal data is stored within the EU. However, if you go directly to the same supplier and purchase the service, you will be subject to the purely commercial terms and the data could be stored in, for instance, USA. Have you conducted a risk assessment? Do you have the necessary basis for the transfer (as required by law)?

Even if you manage to not include any personal data (it is difficult to practically impossible when using a digital service), the data you enter or generate probably has a certain value for you and for UiT? Do you know what the supplier is permitted to use these for, cf. the terms you approved when you purchased or registered yourself in the service?

Consequently, it is important that you use the services that UiT (via the Department of Information Technology) has purchased and that you use them as intended. We refer to the information under “IT services and systems – What are you permitted to use?”

Working from home

After corona it's more common that UiT’s employees are working from home part of the time. However, it is important that data protection and information security are still safeguarded, and you have an important responsibility in this respect.

UiT manages vast amounts of research data, as well as personal data about employees, students, research participants, guests, partners and others, and other information of great importance to the organisation. Failure here can cause significant harm to UiT and individuals. Attending to information security and data protection is your responsibility and is fulfilled by being careful, complying with relevant legislation, guidelines and procedures, and reporting any undesirable incidents you discover or experience.

If there are other people in your household, remember that your duty of confidentiality also applies to them. This can easily be overlooked if you leave papers lying around, your computer is unlocked or you lend it to your children or you conduct Skype meetings with others present in the room, etc.

Consequently, we would like you remind you of some rules that everyone must be aware of (whenever you are working from home, including post-Corona):

Basic rules

• Work involving confidential (red) and strictly confidential (black) data shall only occur on equipment owned by UiT.
• Papers and notes must be stored in such a way that others in your household cannot read them.
• ICT equipment owned by UIT (e.g. computers and tablets) must not be loaned to others in your household, including children.
• This is not only because they can gain access to confidential information, but they can also erase or share the information by mistake.
• Moreover, we wish to minimise the risk of your device getting malware (which can steel or destroy information, e.g. a crypto virus), and one of the measures to achieve this is that only you use the device and only in a work-related context.
• Private cloud computing services (e.g. Dropbox) shall not be used
• You must lock your screen when you leave the computer unattended (even for short periods) if other people are home.
• Learn to use the keyboard shortcut Win + L to lock your screen quickly: 
• On UiT’s computers, you can activate a PIN code to avoid entering your password every time you need to unlock the screen. With newer computers face recognition can also be utilised.
• https://www.microsoft.com/nb-no/windows/windows-hello

 

Skype/video meetings
Communication tools like Skype, Teams and Adobe Connect, etc. will be widely used for meetings, teaching, etc. As confidential topics are often discussed (especially during meetings), it is important to be aware of your surroundings. This also applies to teaching, e.g. when you are holding seminars and tutorials. Students expect to ask questions and share their views with you, not you and your immediate family.

Please be aware of the following:

• If others are present in the room, you must use a headset
• We recommend this anyway as using a headset enhances sound quality and reduces background noise.
• Be conscious of what you are say if others are present in the room.
• We remind you about the duty of confidentiality.

VPN
Unless you need to reach services that require you to be connected to UiT’s network (e.g. Ephorte, PAGA, the home drive, etc.), you do not have to be connected to VPN.

 

The communication with Office 365 (e-mail, OneDrive, SharePoint, Teams, etc.) is encrypted and thus VPN is unnecessary.

• Owing to the large number of people who are now working outside the campus, we ask that you are not connected to VPN if this is unnecessary.
• VPN may be required for certain updates on your computer. We will publish a message here and as an operational message if you need to do something and, if so, how.
• This does not apply to all updates, e.g. Microsoft (Windows/Office) updates will function normally.

How to avoid attempted scams and attacks

There is an ever present challenge with criminals and other hostile actors trying to scam or otherwise attack UiT. They will continuously come up with new methods, and will try to exploit periods of big changes or vulnerabilites.

For instance, during the Corona pandemic Norway and other parts of the world quickly experiened that criminalst tried to exploit the upheaval caused by the pandemic. There is a vast requirement for information, employees are working at different locations than usual (such as at home) and following different routines and there is rapid development and exchange of information about how to do this. Dishonest and criminal actors are trying to exploit this by hacking into IT systems, steal personal data and committing financial crime, etc.

Consequently, it is especially important to be careful during this period because we know that UiT can be exposed to purposeful attacks. It does not have to be an “IT attacks” where someone tries to hack into systems, but may be “social manipulation” where someone impersonates a person, company or organisation to create trust and entice you into divulging or changing information or accesses. They may also try to get you to install malicious programs (“malware”), which give them direct access to your computer and perhaps the systems, storage services, etc. you have access to at UiT.

Consequently, we will remind you of some of the things you need to be especially aware of. These tips are basically no different from those that apply at other times. However, as mentioned, we can expect additional activity during this period. As such, many of the examples deal directly with the Corona virus (COVID 19).

E-mail

• We can expect phishing attacks to increase in volume.
• Do you want to read more about phishing and how to discover it? See this lesson (https://app.xtramile.no/new/training/d2caa932-96ca-4566-8aa3- 3a3567ec81fb) UiT created in conjunction with National Cyber Security Awareness Month.
• Be extra vigilant if you receive e-mail related to the Corona virus.
• Naturally, you will receive some legitimate e-mail related to the Corona virus, but check the content, context and sender carefully. For information about how to check if an e-mail is legitimate, please send the link in the point above.
• This involves knowledge and habits that are useful at other times too, both in a work and private context.
• False/illegitimate e-mail will often try to
• play on fear
• deal with financial interests (such as “updated delivery info”, “amended payment details”, etc.)
• get the recipient to act in haste (“Important!”, “Respond immediately”, “Urgent clarification required” etc.)
• give the impression they are a public body/authority (such as WHO, FHI, etc.) or employer and encourage you to implement immediate action
• UiT will provide messages about measures via en.uit.no/corona. We may send updates by e-mail, but the information in these will be reflected on https://en.uit.no/corona or in the official operational messages. If you don’t find it there and the e-mail asks you to log in to a website, open an attachment or install a program, take the time to check the content before you do anything further.
• If you are in doubt, ask your manager or a colleague if this is genuine.
• WHO does not send out e-mail that require you to log in to gain access to the information, attachments that you have not requested or information on pages outside the domain www.who.int.
• get you to click on/open evil-minded links or attachments
• If you are not expecting an e-mail, check that it is genuine, see the point above about phishing attacks.

Still in doubt? send a question about the e-mail to sikkerhet@UiT.no (mailto:sikkerhet@UiT.no)

More information:

• https://www.europol.europa.eu/covid-19/covid-19-phishing-and-smishing-scams
• https://nettvett.no/falske-e-poster/ [in Norwegian]
• https://nettvett.no/hvorfor-far-jeg-svindel-e-post/ [in Norwegian]

 

SMS
There have been cases in Norway where employees have received an SMS that gives the impression that it is from the management. They were asked to install a specific tool to simplify the communication while they are working from home. That was an attempted scam and the “tool” in question was malware.

• UiT would not provide this type of information via SMS.

More information about "smishing"

• https://www.fintechmagazine.com/fraud-and-cybersecurity/covid-19-slater-and-gordon-rising-homeworking-challenges

Example from Norway

• https://www.nrk.no/osloogviken/fikk-sms-fra-_sjefen_-_-viste-seg-a-vaere-korona-svindel-1.14942801 [in Norwegian]

 

Phone
You may also receive phone calls from scammers.

• For example, “Microsoft” will be extra active at this time. Scammers claiming to be from Microsoft (sometimes they say they are calling from Windows) will call and say they have discovered a problem with your computer that they can help you with. Microsoft would not call anyone like this, so just hang up if you receive such calls.
• The phone number they call from can be a Norwegian number, an overseas number or neither (just a collection of numbers). This is because they hide their real number and give the impression that they are someone else. The actual owner of the phone number has nothing to do with call and have not been hacked (the scammers have simply chosen a number, which they give the impression is their own number).
• If you have followed the scammer’s instructions, in full or in part, please notify sikkerhet@uit.no immediately so we can help you.

 

Websites
Many false websites have been created to take advantage of the situation the society is now in

• This includes a false “coronavirus map” that claims to be providing “live” information about the spread of the virus. It is actually malware.
• These sites are usually based on the information and appearance of genuine sites and can be challenging to uncover.
• “Fake news” is a recurring problem, including in this situation. Be vigilant and practice source criticism.

Examples:

• https://nrkbeta.no/2020/03/11/slik-spres-falske-nyheter-om-koronaviruset/
• https://www.forbes.com/sites/thomasbrewster/2020/03/12/coronavirus-scam-alert-watch-out-for-these-risky-covid-19-websites-and-emails/#880fff71099f
• https://www.digi.no/artikler/slik-bruker-hackere-koronavirus-frykten-til-a-spre-skadevare/487347

 

More information/sources
Here are some links to more information. Please be aware that the advice to employees/users here is general. In a work-related context, please follow the advice given by UiT.

 

Does something look not quite right? Please contact sikkerhet@uit.no and we can have a chat about it.

 

• https://www.nsr-org.no/aktuelt/svindelforsok-og-angrep-relatert-til-covid-19 [in Norwegian]
• https://nsm.no/fagomrader/digital-sikkerhet/nasjonalt-cybersikkerhetssenter/varsler-fra-ncsc/varsel-i-forbindelse-med-koronaviruset [in Norwegian]
• https://www.nrk.no/osloogviken/fikk-sms-fra-_sjefen_-_-viste-seg-a-vaere-korona-svindel-1.14942801 [in Norwegian]
• https://www.digi.no/artikler/slik-bruker-hackere-koronavirus-frykten-til-a-spre-skadevare/487347 [in Norwegian]
• https://nrkbeta.no/2020/03/11/slik-spres-falske-nyheter-om-koronaviruset/ [in Norwegian]
• https://www.forbes.com/sites/thomasbrewster/2020/03/12/coronavirus-scam-alert-watch-out-for-these-risky-covid-19-websites-and-emails/#880fff71099f

Controller

• Purpose: The determination of the purpose is extremely central to the processing of personal data and must be determined by the controller himself/herself - before collection of the data can commence. The purpose shall describe why it is necessary to process the relevant data, e.g. carry out admission to a programme of study, the goal of a research project, appointment of a new employee, etc.
  
  It is important to be conscious of what the purpose is, so that the data subjects (the people the data deals with) understand what the data is used for, as well as why any subsequent further processing of the data is subject to restrictions. For instance, the data cannot be further processed in a manner that is incompatible with the original purpose(s), cf. Article 5 (1) (b).
  
  The purpose(s) must be specified, explicit and legitimate.

• Means: The term “means” covers more than simply which technical aids shall be utilised. Central assessments and decisions related to how the personal data shall be managed are also covered, such as:
• Which data shall be processed?
• Which third parties shall have access? Which data shall be erased (and when)
• The choice of technical tools may be delegated to the processor, under certain conditions. However, the controller must ensure that the information security is safeguarded. Risk assessments cannot be conducted by the data processor alone (but they can assist)
• The controller cannot delegate assessments as mentioned in the bullet points above to the data processor.

Joint Controllers

One does not always have sole processing responsibility, as this can be shared with others, e.g. in a research project that is a joint project involving several institutions. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers, cf. Article 26 (1)

This is permitted providing certain requirements are fulfilled, cf. Article 26 of GDPR:

In a transparent manner, each actor (controller) shall determine their respective responsibilities for compliance with the obligations under the regulation, by means of an arrangement between them (particularly regarding the exercising of the rights of the data subjects):

• This arrangement may designate a contact point for data subjects
• The arrangement shall reflect the respective roles of the joint controllers and their relationships with the data subjects
• The essence of the arrangement shall be made available to the data subject
• Please note: Irrespective of the terms of the arrangement, the data subject may exercise his or her rights under the regulation in respect of and against each of the controllers, e.g. one of the actors has the internal responsibility for dealing with requests for access to data. The data subject may choose to send their request to one of the other controllers, who must then deal with the internal communication to process the request. The data subject cannot be rejected on the grounds that they have sent their request to the “wrong” controller.

There is no necessity for equal distribution of responsibility and decision-making authority between the various controllers. There may be different levels of “cooperation”, and different controllers may be involved in different activities/operations and at different stages of (the same) processing. As mentioned, this must be clarified in the arrangement one is responsible for stipulating pursuant to Article 26. Furthermore, it is important to be aware that the establishing of joint processing responsibilities does not give any party a “greater” right to process personal data than they would have had alone. For example, each of the parties must have a lawful basis for the processing and one party cannot simply “expand” on the lawful basis for the processing of one of the other parties.

 

Please be aware that it is the actual processing that is in focus and the subject of the assessment of whether there shall be joint controllers or not.

• Example: If the same personal data is the subject of processing, but each of the controllers determine their own purpose separately, it sounds more like disclosure of personal data from the original controller rather than joint processing responsibility.

Disclosure to another organization (e.g. a higher education institution)

In many instances, the transfer of personal data to external actors (enterprises, organisations, institutions, physical people) is simply the disclosure/transfer of personal data to a new controller.

When UiT has disclosed the personal data to the new controller, this person/authority is fully responsible for their processing of the personal data. We have no influence over or responsibility for how the data is processed by the external actor. Please note: If UiT still has a copy of the personal data, we are naturally still controller for our processing of these data.

For the disclosure of the personal data to be lawful, we must have a lawful basis for the processing for this disclosure. This lawful basis for the processing must comply with Article 6. If the processing involves special categories of personal data, the lawful basis for the processing must comply with Article 9. Please be aware that disclosure may involve further processing of existing data for a new purpose. In such instances, an assessment must be undertaken of whether the original purpose and the purpose of the further processing are compatible. One cannot determine a new basis for the processing (in isolation) and then the disclosure is lawful.

In instances where the disclosure is not required by law, we must assure ourselves that the recipient has a lawful basis for the processing of the data (before disclosure of the data).

Requirement before data processors may be utilised

Requirements for the data processor agreement

Some requirements must be fulfilled before one starts to use a data processor:

• A written data processor agreement must be entered into, cf. Article 28 (https://lovdata.no/lov/2018-06-15-38/gdpr/a28).
• There are some specific requirements concerning the content of such agreements (see below).
• You can find a template for data processor agreements here
• A risk assessment must be conducted to ensure the information security is attended to (cf. GDPR art. 32)
• This can be completely basic or extremely complicated and comprehensive, depending on the nature of the assignment/service.
• Ensure this is conducted at a sufficiently early stage to avoid the risk of entering into a binding agreement for something (e.g. for a service) that one cannot then use because the risk assessment revealed unknown risks of such a nature that they are unacceptable
• alternatively, include a “subject to approved risk assessment” clause

The data processor agreement must stipulate:

• the subject matter and duration of the processing,
• the nature and purpose of the processing,
• the type of personal data,
• categories of data subjects, and
• the obligations and rights of the controller

Furthermore, the agreement shall, in particular, stipulate that the data processor

• processes the personal data only on documented instructions from the controller, cf. Article 28 (3) (a)
• including any transfer of personal data to a third country or an international organisation
• ensures that persons authorised to process the personal data have committed themselves to confidentiality, Article 28 (3) (b)
• takes all measures required to attend to the information security (comply with Article 32, cf. Article 28 (3) (c)).
• can only enage other data processors (subcontractors) under the following conditions, cf. Article 28 (3) (d):
• the controller’s approval has been obtained. There are two methods to achieve this and the chosen method must be clarified in the agreement
• The data processor must obtain prior specific authorisation from the controller for each subcontractor, or
• The data processor receives general authorisation but must inform the controller of intended changes concerning additional/replacement subcontractors so the controller has the opportunity to object to such changes, cf. Article 28 (2)
• the data processor must impose the same binding obligations they are subject to, especially with respect to information security, cf. Article 28 (4).
• If the subcontractor fails to fulfil its data protection obligations, the data processor shall remain fully liable to the controller
• at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services and deletes all existing copies, cf. Article 28 (3) (g)
• makes available to the controller all information necessary to demonstrate the data processor’s compliance with the obligations, cf. Article 28 (3) (h).
• allows for and contributes to audits, cf. Article 28 (3) (h).
• including inspections, conducted by the controller or another auditor mandated by the controller
• taking into account the nature of the processing and to the extent possible
• assists the controller to fulfil its obligation to respond to requests for exercising the data subject’s rights, cf. Article 28 (3) (e)
• assists the controller in ensuring compliance with the obligations pursuant to Articles 32-36 of GDPR, cf. Article 28 (3) (f)

 

The above mentioned template for the data processor agreement includes all these points but must be adapted for each agreement. It cannot be signed as it is because it does not contain all the information/details required.

Sometimes the contractor may insist on using their own agreement template. This is acceptable providing it is reviewed carefully and it is concluded that the requirements of the data processor and data processor agreement are fulfilled. Please be aware that this is not always the case, even for major contractors. In such instances, one must negotiate changes of the agreement.

When is an external organization not a data processor?

Being a data processor involves processing personal data on behalf of the controller. The purpose of the agreement/assignment must, in full or in part, be to process on the controller’s behalf. If such processing is not part of the purpose of the assignment, then the contractor is not a data processor. However, a declaration of confidentiality may be necessary if there is a possibility the actor can see personal data or other confidential information. See the example declaration of confidentiality in the right-hand menu.

Some examples:

• An agreement is entered into for the repair of photocopiers. It is possible that the service technician may see personal data during the execution of his duties (e.g. on a document left in the photocopier), but this is not part of the purpose of the agreement, which is to repair the photocopier. The service technician is not a data processor even if he/she happens to see personal data.
• An agreement was entered into with a consulting firm to assist with developing a service. The consultants will perform their work on UiT’s systems, locally at UiT. No information will be transferred to their own systems. The parts of the service they will work on will not normally involve personal data. Consequently, they will not be regarded as a data processor.
• We use an external postal service to deliver letters containing personal data. The assignment is to deliver letters from A-B, not to process the personal information, and they are not a data processor.
• For more examples, see this guidance from the Danish Data Protection Agency (where some of the above-mentioned examples come from).

Please note: One cannot simply agree that someone is a controller and a data processor because it is practical or convenient. What is decisive here are the realities – who does what? Who has influence? The situation may involve joint controllers, or is in fact a disclosure/transfer of personal data to another controller.