Privacy Policy

• You have contacted us regarding potential study, are or have been a student
• You have applied for a job with us, are or have been employed, had an assignment, a function etc. with us
• You are or have been a participant in a research project
• You have requested access pursuant to the Freedom of Information Act, the Personal Data Act or the Public Administration Act
• You are a member of or nominated to one of MF's governing, advisory or other institutional bodies
• You have signed up for courses or events
• You have a subscription to one of our newsletters
• You have visited MF's website
• MF has a legitimate interest in contacting you

• The receipt of information about you from another government agency
• Content about you in a deviation report
• Content about you in a case we process
• You being named next of kin by an employee, student or research participant
• You being designated as a reference by a job seeker
• Permission to reuse previously collected information for research or quality assurance purposes

With some exceptions, you have the right to know what personal data is registered about you at MF, and how this information is processed.

Read more about the right of access on the Norwegian Data Protection Authority's website.

In certain cases, you have the right to demand correction and deletion of information we have registered about you.

Read more about the right to have information corrected on the Data Protection Authority's website.

Read more about the right to have information deleted on the Norwegian Data Protection Authority's website.

In some cases, you can request that our processing of your personal data be restricted.

Read more about the right to restriction on the Norwegian Data Protection Authority's website.

Sometimes your personal data is processed without your consent. In some of these cases, you can object to your personal data being processed.

The right to object does NOT apply in the following cases (exceptions):

• if the personal data is necessary to fulfil a contract you have with MF
• if MF is required by law to process your personal data
• if MF can show that significant reasons take precedence over your protest (balancing of interests)

Read more about the right to object on the Norwegian Data Protection Authority's website.

MF has a duty to provide general information about the personal data we process. If you believe that we are not complying with the rules of the Personal Data Act, you can let us know. Contact information can be found above. The Data Protection Officer has an obligation of confidentiality if you wish to report something in confidence.

You can also complain about our processing of personal data. You do this to the Norwegian Data Protection Authority. If you believe that MF is processing personal data in an unlawful manner, you can contact the Norwegian Data Protection Authority on their website.

How to complain to the Data Protection Authority.

Telephone

When you call us, your phone number will be stored with our telephone service provider along with details of when you called and how long the call lasted.

The log is stored in order to be able to follow up on phone calls when needed, for example to call people who have contacted us.

Login Services

MF uses Feide, which is the national solution for secure login and data sharing in education. With Feide, users get access to several digital services with one username and one password. Feide is provided by SIKT, Norwegian Agency for Shared Services in Education and Research. SIKT will have access to your Feide name and IP address in order to be able to perform user support and any error correction within the service.

MF also uses login via BankID through NETS, e.g. when activating an account. Please refer to separate privacy statements for these external services.

MF's User Directory

MF's user directory is a local source system for usernames, passwords, e-mail addresses and group information. Source system means a system from which other systems retrieve/receive information. The user directory interacts with other systems. For example, the user directory enables you to log in to various services with your MF username and MF password.

The data in the user directory is normally retrieved from FS (an administrative system developed for universities and university colleges) and Flex (a system for payroll and personnel administration).

Examples of systems that retrieve their basic data from the user directory are cloud storage services, intranet, home drives and e-mail systems.

Digital Communication Platforms

If you contact us via the contact form or shared email address, the inquiry will be stored for as long as we need it to follow up on the inquiry. Some requests will be stored in the archive system Public360 or in FS.

The inquiries will be deleted when they are no longer needed. Information stored in the archive system will be deleted in accordance with the provisions of the Archives Act.

Microsoft365

MF uses Microsoft 365, a product family of productivity software, collaboration, and cloud-based services owned by Microsoft. The service includes tools such as Teams, Outlook/Exchange and Sharepoint. M365 also contains Entra ID, a user directory where all users of MF's systems are registered with:

• name
• e-mail address
• organisation affiliation and position code
• affiliation and access to various tools such as membership in Teams etc.
• device information, such as model, operating system, IP address, and browser
• usage information, such as which products you use, when and where you use them, how you use them, and how often you use them

Users can also enter information into the user directory themselves, e.g. photo and phone number.

Contact Centre Solution

MF uses a system for handling incoming inquiries (ticket). The inquiries mostly come into the system via e-mail. The inquiries are sorted into queues, which are available to one or more case workers. A receipt can be sent to the person making the request, with a reference number. This makes it easy to track your inquiries. A case worker can also create a case manually. All data is stored on a local server at MF.

Inquiries that come in via the contact centre are stored for as long as they are needed for the sake of case processing. Inquiries worthy of archiving are stored in our archive system Public360.

Web Form

MF uses Nettskjema, which is a service developed and operated by the University of Oslo. Nettskjema is a form solution for data collection via the internet and is used, among other things, for various types of application processing. All employees and students can log in with FEIDE. In Nettskjema, usernames, full names and email addresses of those who create and edit the form are stored, as well as information about what permissions a user has and what changes have been made to the form. We only collect the information you provide yourself, or that is pre-filled in the form. See the separate privacy statement for Nettskjema under Privacy Statements for external services below.

Our Messaging and Notification Systems

Speak up!

Speak up! is our whistleblowing service that applies to the learning environment. All reports will be read by MF's quality control officer, who sends the case to the head of the unit where the case belongs.

Notification of Personal Data Breaches

In the event of a breach of personal data security, information reported via telephone and online forms will be registered for the case, which is then archived in our archive system Public360.

Doubts About Suitability

When you report doubts about a student's suitability, the form will be saved as a case document in our archive system Public360 and stored in accordance with the provisions of the Archives Act.

Purpose and Legal Basis

We process personal data about applicants, students and course participants in order to safeguard their rights and fulfil our tasks and obligations in accordance with legal regulations and study contracts. The legal basis for the processing is set out in the individual privacy statements discussed below.

What personal data does MF process, how do we process the data, and what systems do we use for this?

When you apply for admission to, study at or are a course participant at MF, your personal data will be processed in FS. FS is a student information system developed for universities and university colleges in Norway.

Several applications are linked to the student information system FS. This means that data processed in these applications is also stored in FS. FS is managed by Sikt.

Applications belonging to FS are

• Søknadsweb and EVU-web - for applicants to studies and courses
• Studentweb - for semester registration etc.
• Fagpersonweb - a tool that allows teachers to carry out student administrative routines and tasks
• The Student ID app
• GAUS - for approving foreign studies
• Nomination - where external institutions can nominate exchange students to Norwegian educational institutions
• A register for the exchange of information about sanctions

Data in FS and associated applications are reported in various contexts to several parties/enterprises.

See the privacy statements for FS and related applications below.

In the privacy policy for FS, you will also find information about MF's use of an archive system and a financial system (for tuition and course fees, etc.), as well as what personal information about you is registered in our library system. See also the privacy statement for MF's library below.

When you have paid the semester fee or been granted the right to study with us, SiO (the welfare organisation for students at several educational institutions in Oslo) will have access to personal information registered in FS about you. Read more about SiO's processing of personal data in the privacy statement for FS.

The Diploma Registry is a digital sharing platform where you can retrieve your results in higher education and share them with educational institutions, potential employers and other relevant third parties. The Diploma Registry is managed by the Directorate for Higher Education and Skills. See the privacy statement for the Diploma Registry.

If you are not registered with a permanent residence permit in Norway, MF will prepare a report about you regarding your study progression and part-time work permit. You can get the report from MF. You deliver it yourself to UDI (The Norwegian Directorate of Immigration).

If you are going to do an internship in connection with your education, the internship institutions will receive the following information about you: name, national identity number, e-mail address and telephone number.

Pursuant to Section 2 of the Freedom of Information Act, the act applies to MF in cases where we make individual decisions or issue regulations. If you are involved in cases concerning individual decisions at MF, the case documents will be publicly available in accordance with the provisions of the Freedom of Information Act.

Teaching & Exam Software

Teaching

MF uses the learning platform Canvas to support the carrying out of teaching and assessment. This means that Instructure, which develops and operates Canvas, will have access. Information is retrieved from FS (e.g. name, e-mail, course and study programme), student submissions, time of submissions, individual feedback from the lecturer, debate contributions and various types of messages or notifications.

Sensitive personal data is generally not processed in Canvas, but may emerge from student responses or dialogues. See separate privacy statement for Canvas.

As part of teaching, Kahoot, Mentimeter, Padlet and various other systems that are accessible via the internet can be used. These systems will be able to process personal data, and each student must approve the terms of use of these systems. Participation in these activities is voluntary.

MF uses Zoom for streaming and Panopto for recording digital teaching. See the separate section Streaming and Class Recording about this.

Exams

The digital exam system WISEflow is used to conduct exams. In order for you to be able to complete a digital exam, we send personal data about you to UNIwise, which develops and operates the WISEflow system. UNIwise will have access to the following personal data: Feide ID, candidate number, other exam data from FS and IP address.

WISEflow collects all personal data from FS.
WISEflow is used for

• preparation, administration, assessment and archiving of digital exams
• submission and evaluation of exam answers
• storing copies of students' exam results, including examiners' comments

In some cases, Zoom is also used for digital oral exams.
Both WISEflow and Zoom are provided by Sikt.

MF uses Ouriginal by Turnitin to detect plagiarism and cheating in exams and study requirement submissions. Information that is necessary for those who are to detect plagiarism, such as MF's board for student affairs, will be disclosed to them.

Please note that some digital teaching tools build upon cloud-based solutions. In some cases, personal data processed in such solutions may be accessible outside the EEA, e.g. in the United States. See more about this under the section Transfers out of the EEA.

Student exchange

Universities and university colleges must cooperate with educational institutions in other countries in order to, among other things, be able to offer higher education at a high international level, cf. Sections 1-1 and 2-1 of the Universities and University Colleges Act. Section 2-2 of the Academic Supervision Regulations also requires institutions to have arrangements for internationalisation and international student exchange.

MF transfers personal data because it is necessary to perform a task in the public interest. In relation to the individual student who is going on exchange, the basis for the transfer is the student's consent. The purpose of the transfer of personal data is to facilitate the exchange of students.

As a general rule, the following data is transferred to the partner institution/exchange institution about students who are going on an exchange: name, nationality, the student's e-mail address at MF and the study programme the student is following at MF.

In the case of exchanges outside the EEA, and where it has not been determined by the European Commission that the data is adequately protected pursuant to Article 45 of the General Data Protection Regulation (adequacy decision), MF may ensure the exchange of personal data through the EU's standard contractual clauses, cf. Article 46, or exceptions because this is necessary to fulfil an agreement entered into in the student's interest between MF and the partner/exchange institution, cf. Article 49.

Jobbnorge is MF's portal and system for recruiting employees. Information about applicants is stored here upon consent. Deletion routines and security are taken care of by Jobbnorge. See the privacy statement for Jobbnorge in the section Privacy Statements for External Services.

When a person applies for a job at MF, a case folder will be created in the archive system Public360 which deals with the recruitment process in question. Upon completion of the process, all documents belonging to the person who is hired, such as CV and application, will be stored in the folder, and the case will be archived. The recommendation document and an extended list of applicants is also archived in the folder. Information about the person who is hired is transferred to the personnel file in Public360.

See the introductory section of this privacy statement here.

External contractors, such as part-time teachers, examiners and supervisors, fill in digital forms for salaries and travel reimbursements. Machform is used as a supplier of digital forms. Access and processing are access-controlled, and the answers are encrypted. Personal data that is necessary for the payment and reporting of salaries is collected. The basis for the processing is Article 6 nr. 1 b of the General Data Protection Regulation.

The personal data is stored for as long as MF has an obligation to store it in accordance with the provisions of the Accounting Act. Information about timesheets, payslips, employment contracts, etc. is stored for 3.5 years. Other personal data is generally stored for 5 years.

We process information about your name and contact information. We also process other information if it is relevant to the position in question, e.g. title, education, professional practice, positions and appointments, other qualifications and date of birth.

The information is collected directly from you, and the basis for the processing is your consent, cf. Article 6 nr. 1 a of the General Data Protection Regulation.

The personal data is used as a basis for election to the position you are running for as a candidate.

We use the contact information in order to be able to provide you with relevant information in connection with the election or appointment.

We store the information you have provided in our archive system Public360. Those nominate or select relevant candidates, e.g. a nomination committee, will have access to the information. The committee's election secretary or others who assist in the processing of the selection will also have access to the information.

The information will be deleted in accordance with the provisions of the Archives Act.

We continuously arrange academic seminars aimed at research environments, employees in churches, schools and other social institutions. When you are going to participate in meetings, seminars, conferences, courses and continuing education at MF, we register information such as your name, e-mail, place of work and position. At events where food will be served, we also ask questions about food preferences/food allergies or other considerations we need to take.

Participant lists with names and other relevant information may be shared with third parties for reporting purposes. Personal data collected for invoicing, statistics and reporting purposes will be deleted as soon as they are no longer required for the said purpose. Other personal information will be deleted as soon as the event has ended.

See below about streaming and recording of teaching and other events.

The legal basis for processing your personal data in connection with participation is Article 6 nr. 1 f of the General Data Protection Regulation, i.e. that the processing is necessary to safeguard a legitimate interest that outweighs the consideration of the individual's interests or fundamental rights and freedoms. The legitimate interests are to conduct events in a good way, to be able to document participation, to ensure identification of users of MF's buildings and systems, and to be able to distinguish authorized and unauthorized access from each other.

The legal basis for the processing of data on food allergies and any other considerations that affect health conditions is Article 9 nr. 2 a of the General Data Protection Regulation, i.e. that the data subject has given explicit consent to the processing of such personal data. You can withdraw your consent at any time. Your withdrawal of your consent will not affect the lawfulness of the processing of personal data that occurred before you withdrew your consent.

As a partner with us, personal data about you is included in applications and offers we send and projects we carry out. In this connection, you may have provided us with your CV, hourly rate, competence description and other information required in the application, offer or for the implementation of the project. As part of joint project implementation, we may have contact and participant lists, minutes of meetings and other documents. Personal data about you in connection with this will be stored in our archive.

The basis for the processing is Article 6 nr. 1 f of the General Data Protection Regulation, which allows us to process data that is necessary to safeguard a legitimate interest that outweighs considerations of the individual's privacy. The legitimate interest is to be able to carry out research projects and collaborative activities.

Purpose and Legal Basis

The Personal Data Act allows the processing of personal data for research purposes. The personal data is processed in accordance with the Personal Data Act §§ 8-10, the General Data Protection Regulation §. 6, 9 and 89, and the Health Research Act chapter 4. The legal basis for the processing may be consent or the public interest. This is specified in each individual research project and will appear in accordance with Sikt's notification archive.

This is conditioned on the processing being subject to necessary guarantees to safeguard the rights and freedoms of the data subject. The guarantees are intended to ensure that technical and organisational measures have been introduced to ensure, in particular, that the principle of data minimisation is complied with, that data protection consequences have been assessed, and that the data protection officer/data protection advisor is consulted when necessary.

MF has an agreement with Sikt Data Protection Services for Research for data protection services in connection with research. All research projects that involve the use of personal and health data must be reported to Sikt's privacy services via a notification form.

In addition to the basis for processing in the GDPR, health research projects must have prior ethical approval from the Regional Committee for Medical and Health Research Ethics (REK).

Which Personal Data is Collected and How it is Processed

Which personal data is to be registered is assessed based on the personal data that is necessary to achieve the purpose of the research project.

Research data containing personal data will be processed in accordance with MF's guidelines for classification and storage of data and information and will only be accessible to those who will process the data. Each research project provides the data subjects with information about what personal data is to be processed, what the purpose of the processing is, how the data is to be processed and the rights of the data subjects. This is done by means of information sheets that are given directly to the data subjects or – if this is not feasible – with information on the project website.

Personal data must not be stored for longer than is necessary to carry out the research project. If there is a need for storage beyond the time specified in the research project, the basis for processing must be reassessed, or information must be provided about the change pursuant to Article 14 of the General Data Protection Regulation. Furthermore, the case must be brought before Sikt, and an application must also be made to REK for an extended storage period.

Researchers, students and supervisors who have access to personal data have an obligation of confidentiality pursuant to the rules on this.

MF has an internal control system that contains rules and procedures for how personal data is to be processed. To secure personal data, we regularly carry out risk and vulnerability analyses of the computer systems we use.

Purpose and Legal Basis

We process the data in order to be able to carry out our obligations as publisher in agreement with you as subscriber.

We also use the information to be able to provide information, offers and services in connection with these obligations.

The basis for this processing is your consent, cf. Article 6 nr. 1 a of the General Data Protection Regulation.

What Information is Collected, How it is Processed and for How Long it is Stored

We process the names, dates of birth and contact details of our subscribers, which we receive from you via a web form, letter, e-mail or telephone:

Where you have consented to this, the data may be used to provide you with information related to your subscription via e-mail, telephone or SMS. You may opt-out of receiving such information from us at any time.

In order to fulfil our obligations under the agreement, your name and contact details will be disclosed to the printing company and postal service.

You can cancel your subscription at any time. Your personal data will then be deleted.

Purpose and Legal Basis

We process the data in order to be able to carry out our obligations as recipient in agreement with you as donor.

We also use the data to be able to provide you with information, offers and services in connection with these obligations by letter, e-mail or telephone.

What Information is Collected, How it is Processed and for How Long it is Stored

We store the name, date of birth, contact details, account number and donation history of our donors, which we receive from you via a web form, letter, e-mail or telephone.

If you provide your personal identity number in order to claim a tax deduction, we will register this.

In order to fulfil our obligations under the agreement, necessary personal data is disclosed to our partners, such as the Norwegian Tax Administration.

Information we are obliged to retain under the Accounting Act will be stored for up to 5 years in accordance with the requirements of the act.

Delegated Responsibility for Processing

The library manager at MF has been delegated the day-to-day responsibility for the processing of personal data concerning users of the library and archive service at MF.

Tools and Services that the Library Uses in its Activities

The library at MF offers information and documentation services for teaching, research, public education and administration at MF.

You can find privacy statements for these services in the Privacy Notices for External Services section below.

Alma

The Alma library system. Alma is an application and a platform for digital library services. Alma defines library rules, users, and entitlements, and supports processes for acquisition, lending, inventory and metadata management, financial management, and reporting. Alma is integrated with several systems for exchanging data related to the work processes at the library.

Oria

Oria is a shared portal to the collected material available at most Norwegian academic and research libraries. Supplemented with a wealth of electronic material from open sources, Oria provides unified access to materials such as books, electronic books, journals, electronic journals, documents, articles, music and films.

Leganto

Leganto is MF's digital curriculum/bibliography system for students, lecturers and librarians, connected to the search service Oria. Syllabi are created and published directly in Leganto and are available on the semester pages and in Canvas.

With Leganto, you can, among other things:

• find and view syllabi/bibliographies
• get direct access to articles and digital resources
• see library availability and order books
• write your own notes in your list in Leganto
• mark references you've read
• suggest references for fellow students and teachers
• create your own collection of references

EndNote

MF makes the reference tool EndNote available to MF employees. The use of EndNote is voluntary. Please note that by using the online service, you agree to EndNote's terms and conditions.

EndNote can be used to handle green data of a non-sensitive nature. Interview recordings, files containing personal data and the like must be stored in other ways. Read more about MF's guidelines for privacy in research and student work here.

Grammarly

MF makes the proofreading tool Grammarly available to employees and students on English programs at MF. Using Grammarly is voluntary. Please note that by using Grammarly, you agree to the terms and conditions of Grammarly. The text on which you apply the Grammarly tool will be available to this service. We therefore recommend caution when using Grammarly, and use it only for selected sections that do not disclose personal data.

EZproxy

EZproxy, which provides access to various databases and literature, is run locally at MF and uses MF's own authentication solution (LDAP), and stores information about the device used. The following information is stored:

• the IP address of the device you use to connect to the service
• the URL of the online resource you want to use
• date and time of connection
• the HTTP method, HTTP code, and connection response time
• session ID generated by EZproxy
• username for your MF account
• the information about your web traffic is not shared with a third party.

Zotero

MF anbefaler referanseverktøyet Zotero for studenter og ansatte ved MF. Det er frivillig å bruke Zotero. Vi gjør MF recommends the reference tool Zotero for students and employees at MF. The use of Zotero is voluntary. Please note that by using the Service, you agree to Zotero's terms and conditions (note point two), and the information you provide to Zotero will be stored on servers in the United States.

Zotero can be used to handle green data of a non-sensitive nature. Interview recordings, files containing personal data and the like must be stored in other ways. Read more about MF's guidelines for privacy in research and student work here.

DataverseNO

DataverseNO is a national, generic archive for open research data from researchers at Norwegian research institutions. Some of the collections in DataverseNO also accept data from researchers from other institutions. DataverseNO is managed in line with the FAIR Guiding Principles for Scientific Data Management and Stewardship and is CoreTrustSeal certified. More information about the archive can be found on the About page.

NVA

NVA is part of Sikt's national portfolio of joint services in higher education and research. NVA:

• collects and makes available information about Norwegian research
• simplifies research administrative tasks by facilitating the reuse of research information
• follows up the reporting of scientific publications to the Ministry of Education and Research and the Ministry of Health and Care Services (NVI reporting)

NVA also contains a knowledge archive (MF Open) where articles, student assignments, publication series and other material produced at the institution (the data controller) can be archived and made openly available. The institution registers and maintains the content and configures distribution rules for the material. NVA makes the institution's open material available via open interfaces, with the purpose of making the material known and searchable to the outside world and promoting indexing in search engines and search portals. NVA also imports material belonging to the institution from other data sources.

The Service does not allow the processing of sensitive personal data.

This section describes what information we process about visitors to MF's websites and associated websites that we operate on our servers as well as our processing of personal data on social media.

Purpose and Legal Basis

MF processes personal data on our website and on social media in order to be able to communicate our activities to various target groups, such as potential students, employees, partners, researchers and society in general.

Our legal basis for processing is Article 6 nr. 1 f, which allows processing when it is necessary to safeguard MF's legitimate interests. Our legitimate interests are to conduct good and effective communication and public education in line with our mission as a specialized university.

Information Stored About Visitors to our Websites

We use the following analytics tools to collect information about visitors to our websites:

• Google Analytics
• Facebook

These tools use cookies and store anonymized data about visitors. Click on the provider name to read the privacy policy for these services.

In addition, data is collected by the following tools without the use of cookies:

• Website logs
• Acquia

These tools collect data about which pages are visited, as well as IP addresses, which are considered personal data. The website logs are stored only locally on our web servers and are not shared with any external services, while Acquia anonymizes and continuously deletes the IP addresses it receives. Information is not used for tracking across services and websites for these two tools.

The purpose of this processing is to compile statistics, which are used to further develop and improve the information offered on the website. The data is used, for example, to find out which pages are most used and should therefore be easy to find.

Sharing of Personal Data

If you use the sharing functions on our website, you agree that information about you and the person you share content with will be processed by the services that you use for sharing, such as Facebook or LinkedIn.

We do not store information about this sharing locally with us, but the services (e.g. Facebook or LinkedIn) need to store this information for the sharing to work. You can find information about the processing of personal data by these external services in their privacy statements.

• Facebook
• LinkedIn

Embedded Media From External Sources

Some of our pages may contain embedded information from external sources, such as videos from YouTube or images from Instagram. When these pages are viewed, the external services may store information about your visit. You can find information about the processing of personal data by these external services in the respective privacy statements for these services.

Newsletter

MF uses the e-mail provider Make for sending newsletters. If you sign up for newsletters, you agree that Make stores contact information about you and uses this to send newsletters to you. This information will not be used for any other purpose or shared with others. See separate privacy statement for Make.

You can opt-out of receiving the newsletters at any time. In each individual newsletter, it is stated how to unsubscribe as a recipient.

Online Forms/Registration Forms

When you fill in information in online forms on our website, whether it is registration for courses, events or other types of forms, you agree that this information will be stored and processed by us for the purpose for which the form is intended.

If necessary, this information will also be transferred to external services, such as StudentWeb or EVUweb, for course registration. Please see the separate privacy statements for these applications below.

Answers submitted via our web forms will be deleted when the information is no longer needed.

Advertising

MF advertises the institution's studies and courses, among other things, using Google and Facebook ads.

Information from the analytics tools used to obtain information about visitors to our websites may also be used in connection with our advertisements on Google, Facebook and in other media, both to customize which ads are shown on different websites and social media, and to analyse which ads have received the most response.

Opting out of Cookies

If you do not want information about your visits to our websites to be stored, you can turn off cookies in the websites you use.

For more information about cookies and blocking them, see the guide at nettvett.no.

MF's Social Media Pages

Når du bruker MFs sider på sosiale medier, som Facebook eller Instagram, blir det behandlet personop

When you use MF's pages on social media, such as Facebook or Instagram, personal data about you is processed by both MF and the platform provider. MF does not have access to identify you as an individual based on this information, but the platform provider may use it for various purposes, such as personalizing advertisements, creating statistics or profiling you.

When you use MF's social media pages, you can decide for yourself what personal information you want to share with us and others. For example, you can choose to follow or unfollow a page, write or not write comments, or you can change your privacy settings on the platform. You also have the right to access, correct or delete personal data that MF has about you on social media, as far as possible within the platform's functionality.

MF offers digital instruction to students in several cases. In some cases, this will be a necessary part of the class, e.g. where the learning outcome descriptions require this, or where MF offers online studies. The corona pandemic is also an example of how it may be necessary to make classes digital. In other cases, this may be part of our work with universal adaptation, flexible studies or other pedagogical reasons why teaching is streamed or recorded.

As a general rule, the public interest will be the legal basis when it is necessary to process personal data in connection with live streaming or recording of classes, cf. Article 6 nr. 1 e of the General Data Protection Regulation and Sections 2-1 and 10-2 of the Universities and University Colleges Act. For online classes, consent will also be a legal basis, cf. Article 6 nr. 1 a of the Regulation.

Lecturers and teachers consent to streaming or recording by starting the streaming/recording themselves, or the streaming/recording can be part of the agreement between the teacher and MF, cf. Article 6 nr. 1 b of the Regulation.

MF uses Zoom for recording and streaming classes. If the student logs in with a FEIDE user, the first and last name and the school's email address are sent to Sikt, which delivers Zoom to the school. Our Zoom traffic is primarily on servers in Norway or secondarily the Nordics/EU. Some anonymous statistics may be stored by Zoom outside the EU. Zoom can be set up with "end-to-end" encryption, which means that the communication is completely private. However, this solution is rarely the default choice for normal classes.

MF primarily uses Panopto to produce, store and distribute video recordings for use in teaching.

It is as a rule voluntary for students to participate in the online class with the use of video and/or sound during the streaming. This is controlled by the student with settings when connecting to the teaching stream and can be changed by the student at any time as long as the stream is taking place. Sending text via the chat function is also voluntary. However, sometimes it is necessary to share image and/or sound in order to meet study requirements.

See separate privacy statements for Zoom and Panopto below.

Pursuant to Section 2-1 of the Universities and University Colleges Act, MF is to, among other things, "contribute to the spread and communication of results from research and academic and artistic development work", and "facilitate the participation of the institution's employees and students in public debate". The legal basis for streaming or recording for such purposes will be the public interest, cf. Article 6 nr. 1 e of the General Data Protection Regulation.

Lecturers consent to streaming or recording by starting the streaming/recording themselves, or the streaming/recording can be part of the agreement between the lecturer and MF, cf. Article 6 (1 b) of the regulation.

If others in addition to the speaker will be able to participate in the streaming/recording, information will be provided in advance of or at the beginning of the event about this, and that questions and comments from the audience using audio and video will be part of the streaming or recording.

We use Zoom, Panopto or YouTube for streaming and recording digital events. As a general rule, it is voluntary for the audience if they want to participate with the use of image and/or sound during the streaming/recording of events. This is controlled by the audience with settings when connecting to the event and can be changed at any time for the duration of the stream.
If you want photos or recordings of you to be deleted, you can contact personvern@mf.no.

Normally, photos or video recordings on digital platforms, used on the basis of consent, can be deleted. The use of images or other personal data from the recording on printed material, e.g. for marketing, will not be deleted after it has been used.

See separate privacy statements for Zoom, Panopto and YouTube.

Delegated Responsibility for Processing

The IT manager at MF has been delegated the day-to-day responsibility for the processing of personal data relating to information security, including the processing of personal data in logs from IT systems.

Purpose and Legal Basis

The purpose of logging activity in IT systems is to administer systems, ensure stable operations and uncover and clarify undesirable incidents.

The legal basis for the processing of personal data in logs is MF's legal obligation to ensure information security and ensure the daily operation of IT systems, cf. Article 6 nr. 1 c of the General Data Protection Regulation.

About the Processing

The logs are categorized as follows:

• operational logs – logs that are normally stored in MF's or partners' IT systems and have information about the technical condition of a solution, but can also have information about logins and other activities related to people.
• application logs – logs from services that may contain data that identifies people and activities within applications.

MF has general operational logs and application logs in its IT systems.

There are also flow logs that contain information about which devices are communicating and how much data is being sent. This means that most of the activities that users of the systems undertake leave electronic traces.
Information exists in the logs as part of a larger technical logging activity. They are retrieved from several systems where central machines ensure reliable traffic between users and the systems.

The logs are as a rule not disclosed, as they are intended as technical operational logs to ensure stable operation and uncover unwanted or abnormal events. They can be handed over to the police or public prosecutor’s office on the basis of a court order. MF's Rector or Director may request to be provided with logs in accordance with Articles 32 and 33 of the General Data Protection Regulation as part of security measures.

Logs are only available when necessary to ensure the availability and security of the respective systems. Those who are allowed access to search the logs must have a work-related need to do this. Everyone in the IT department has signed a non-disclosure agreement.

Please note that some digital tools are cloud-based solutions. Some of the personal data processed in such solutions may be accessible outside of the European Economic Area, such as the United States. Personal data may also be transferred to third countries in connection with student exchanges.

In the event of a transfer of personal data to countries outside the EEA, where the European Commission has not determined an adequate level of protection (adequacy decision) pursuant to Article 45 of the GDPR, MF will ensure that the transfer has a legal basis. This may include the use of the EU Standard Contractual Clauses pursuant to Art. 46, the application of exceptions pursuant to Art. 49, or compliance with the Data Privacy Framework for transfers to the United States.

MF has a legitimate interest in preventing dangerous situations from occurring and ensuring the safety of employees and students, cf. Article 6 nr. 1 of the General Data Protection Regulation. We therefore store information about the use of access cards. The operating manager and the IT service have access to the information.

When a card is used in a card reader, various data is processed, such as where the card is used, what time and which cardholder. The IT service and the operating manager are responsible for issuing access cards when needed, and employees are responsible for handing in access cards upon resignation or when the need for an access card no longer exists. Personal data that may be processed in the system are:

• name
• possible function or role for non-employees
• telephone number
• card number
• access rights
• validity period

Entry data is recorded when the card user registers the card in the card reader.

MF also has a BM system (a tool for automated operation of building systems) that controls temperatures and indoor climate. The temperature can be regulated by digital room reservation and when you register on MF's intranet that you want heat in your office. When you reserve rooms or heating for your office, the system will register that you have made the order.

When you use the parking spaces at MF, your name will be registered with us and stored for as long as we need it.