Privacy Policy

1) Brief presentation of the Diploma Registry

Through the Diploma Registry you can access your results from higher education and share them with learning institutions, potential employers and other relevant parties. The Diploma Registry ensures that the results shared are accurate.

2) About this privacy policy

This privacy policy describes how Unit - The Norwegian Directorate for ICT and Joint Services in Higher Education and Research, processes your personal data in the Diploma Registry. The purpose of this privacy policy is to inform you of the types of personal data processed, how it is processed, who is responsible for the processing, your rights and whom to contact.

3) What is personal data?

The term personal data includes any data, information and assessment that can be linked to you as an individual, cf. GDPR Article 4 no. 1. The determining factor in whether data is considered personal information, is whether it is fit to identify a specific person.

In some cases, data which, on its own, cannot be linked to an individual person, may constitute personal data if it is used in combination with other data.

4) The purpose of the processing of personal data in the Diploma Registry

Purpose

The purpose of processing personal data in the Diploma Registry is to identify you so that you can access your results from universities and/or university colleges affiliated with the Diploma Registry. Also, a second purpose is to make it possible for you to share your results with your chosen recipients.

Legal basis

The legal basis for the processing of personal data in the Diploma Registry is GDPR Article 6 no. 1 litra e, jf. nr. 3 litra b, and provisions in the Act Relating to Universities and University Colleges § 4-14 and Regulations Relating to a National Diploma and Grade Portal.

5) Which kinds of personal data are processed in the Diploma Registry, and how long to we store your personal data?

No sensitive personal data is stored in the Diploma Registry.

  1. Individuals who have completed and passed one or more examinations at a university/university college affiliated with the Diploma Registry (provided this institution has at least one digital result)

The Diploma Registry will at any given time keep your 11-digit national identity number (or, if relevant, your D-number or S-number), and any affiliation you may have with universities/university colleges that have a digital record of results you have earned. This personal data will only be erased if they are incorrect. Personal data is retrieved directly from the databases of universities/university colleges where you studied and will remain in the Diploma Registry whether you have logged on to the Diploma Registry or not. Without this data it would not be possible for you to access your results through the Diploma Registry. New individuals earning results are added to the Diploma Registry automatically every night.

  1. Individuals who are registered in the Diploma Registry (see item 1 above) and individuals who log on to the Diploma Registry

If you log on to the Diploma Registry, the Diploma Registry will retrieve your name from the National Population Register, Feide or the universities/university colleges where you studied.

When you log on to the Diploma Registry we register information about your activities. We register the method of log-in (Feide or ID-porten), how long you stayed logged-in, whether you accessed your results, whether you shared any results, which results you shared, where the results came from, whom you shared the results with, how long the link you shared is active, and how many times the link was used. We register the time when these actions took place, and which hardware (computer/tablet/mobile phone) and software (browser) you used. We also register your geographic location when you used the Diploma Registry and which Internet address (URL) you used to access the Diploma Registry. This data about your activity is recorded in order to be able to provide user support and for statistical purposes, to indicate how the Diploma Registry is normally used.

Personal data made available through links you generate in the Diploma Registry are stored in the Diploma Registry for 12 months after the link expired/was deactivated by you. The reason for this is that it is not possible to generate statistics on how many people used the Diploma Registry without registering your personal data. After 12 months, your personal data is automatically pseudonymized. The term pseudonymization means that the data we collect can no longer be traced back to you.

  1. Individual recipients of links to results

When you click on a link to results in the Diploma Registry we register information about your activities. We register how many times the link has been used and the hardware (computer/tablet/mobile phone) and software (browser) you used. We also register information about your geographic location when you used the link. This data about your activity is recorded in order to be able to provide user support and for statistical purposes, to indicate how the Diploma Registry is normally used.

Information about your activity will be retained for 12 months. We do this in order to generate statistics on the use of the Diploma Registry. After 12 months, your personal data is automatically pseudonymized. The term pseudonymization means that the data we collect can no longer be traced back to you.

6) Automatic processing

Your personal data will not be made subject to automated processing or profiling.

7) Disclosure of your personal data to third parties

Disclosure or export of data is defined as any transfer of data save for use in the controller’s own systems/processing or to the data subject itself or any other party receiving data on the data subject’s behalf.

Unit - The Norwegian Directorate for ICT and Joint Services in Higher Education and Research, may disclose or export data including personal data to other systems, i.e. external data processors, whenever it is deemed necessary.

Your personal data will not be disclosed to countries outside of the EU/EEA, or to any international organizations.

Your personal data may be disclosed to the following parties/agencies:

  1. University Center for Information Technology (USIT) at the University of Oslo (UiO)

The Diploma Registry is operated by USIT at UiO. USIT staff who need to access your personal data as part of their job will be granted such access. They need this access in order to provide user support and, if relevant, correct errors as part of their duties.

  1. UNINETT AS

It is possible to log in to the Diploma Registry using the log-in solution FEIDE. FEIDE is developed and provided by UNINETT AS. If you log in with FEIDE, UNINETT AS staff may access your FEIDE user name and IP address, provided they need such access in order to perform their duties. They need this access in order to provide user support and, if relevant, correct errors as part of their duties. Your personal data will be erased from FEIDE after six months.

  1. Agency for Public Management and eGovernment (Difi)

It is possible to log in to the Diploma Registry using the log-in services MinID, BankID, Buypass and Commfides through ID-porten. The Agency for Public Management and eGovernment (Difi) is the data controller for any and all personal data processed in ID-porten, as well as for personal data used in the administration of MinID.

If you log in through ID-porten, Difi’s user support and administrative staff may, if necessary, access your national identity number and contact information, as well as a limited log-in history. This need arises when Difi is asked to provide user support or troubleshoot/correct errors in the service.

Providers of electronic IDs (BankID, Buypass and Commfides) are data controllers for any and all personal data required for the administration of their log-in solutions.

8) Personal data safety

A number of security measures have been implemented in order to protect your personal data in the Diploma Registry: all transfers to and from the Diploma Registry are encrypted, recipients of links from the Diploma Registry must use a unique PIN (6 digits) in order to see what is shared in the link, and we have taken various technical steps to prevent browsers from automatically accessing data from a link from the Diploma Registry. Also, Unit - The Norwegian Directorate for ICT and Joint Services in Higher Education and Research, regularly perform risk and vulnerability analyses and test the security of the Diploma Registry to protect your personal data.

9) Your rights

Right to information and access

You have the right to information about how the Diploma Registry processes your personal data. The purpose of this privacy policy is to provide you with any and all information you have the right to get.

You also have the right to see/access any and all personal data registered about you in the Diploma Registry, as well as other personal data retrieved following your active log-on. You also have the right to request a copy of the personal data registered about you if you so wish.

As for your right of access, this right has already been largely accommodated for by the self-service nature of the Diploma Registry. Upon logging on, you have access to your education results from any learning institution you have been affiliated with.

Right to correction

You have the right to have corrected any and all incorrect personal data about you. You also have the right to supplement any and all incomplete data registered about you. Please contact us if you believe we have registered incorrect or incomplete personal data about you. It is important that you justify and, if relevant, document why you believe the personal data registered is incorrect or incomplete.

Right to limit processing

In certain circumstances, you have the right to demand limited processing of your personal data. Limiting the processing of personal data means that your personal data will still be registered, but the opportunities for further processing are limited.

If you believe that personal data about you is incorrect or incomplete, or you have filed a complaint against the processing of your data (read more about this below), you have the right to demand to demand that the processing of your personal data be limited temporarily. This means that processing will be limited until, if relevant, we have rectified your personal data, or until we have been able to assess whether your complaint is justified.

In other circumstances you may also demand a more permanent limitation on the processing of your personal data. In order to qualify for the right to limit processing of your personal data, the conditions established by the Personal Data Act and Article 18 of the GDPR must be met. If we receive a request from you to limit processing of your personal data, we will assess whether the statutory conditions have been met.

Right to erasure

In certain circumstances you have the right to demand that we erase your personal data. The right to erasure is not unconditional, and whether this applies to your situation must be assessed in light of relevant privacy legislation, i.e. the Personal Data Act and GDPR. Please contact us if you want to have your personal data erased. It is important that you justify why you want the personal data erased, and, if possible, that you also specify which personal data you want erased. We will den consider whether the conditions for erasure, as established by law, have been met. Please be advised that the law allows for us to make exceptions to your right to erasure. For example, we may need to store personal data for the purpose of performing a task in compliance of the Act Relating to Universities and University Colleges, or for reasons of public interest, such as archiving, research and statistics.

Right to object

You may have the right to file an objection against the processing, i.e. object to the processing, on grounds that you have a specific need to stop the processing, e.g. if you have a need for protection, have a secret address, etc. The right to object is not unconditional, and it is contingent upon the legal basis for the processing, and on your particular circumstances. The conditions are established by Article 21 of the GDPR. If you object to processing of your personal data, we will consider whether the conditions for filing an objection have been met. If we find that you have the right to object to the processing and that your objection is justified, we will discontinue processing, and you will have the right to demand erasure of the data. Please be advised that we, under certain circumstances, may make exceptions from erasure, e.g. if we have to store your personal data for the purpose of performing a task in compliance with the Act Relating to Universities and University Colleges, or for reasons of public interest.

Right to file complaint against processing

If you believe we processed your personal data incorrectly or unlawfully, or if you believe we failed to protect your rights, you have the right to file a complaint against processing. Please see item 10 below for how to contact us.

If we dismiss your complaint, you may file your complaint with the Norwegian Data Protection Authority (DPA). The DPA is responsible for making sure Norwegian enterprises comply with the provisions of the Personal Data Act and the GDPR in their processing of personal data.

10) Contact information

Data controller

The Ministry of Education and Research is the data controller of personal data in the Diploma Registry, cf. GDPR Article 4 no. 7. The Ministry of Education and Research have delegated the day-to-day responsibility to Unit – The Norwegian Directorate for ICT and Joint Services in Higher Education and Research. Unit manages the Diploma Registry and processes personal data in the Diploma Registry on behalf of the data controller.

Contact information for Unit: vitnemalsportalen@ceres.no

Published June 14, 2018 3:00 PM - Last modified June 22, 2018 2:50 PM