Privacy policy

The purpose of processing personal data for employees at BI is to manage salaries and personnel responsibilities, system access, and hiring necessary staff. The processing of personal data is necessary to fulfill a mutual employment agreement. BI processes personal data about you in order to manage the employer's personnel and financial responsibilities, such as payroll, tax deductions, an overview of working hours, absence, holidays and leave of absence.

The basis for the processing of personal data on employees is the Personal Data Protection Regulation (GDPR), Article 6 (1) (a), (b), (c) (c) (3) (b) or (f), Article 9 (2) (a) or (b), Article 88, and the Working Environment Act.

BI uses employee data in daily operations to be able to give employees access to basic services such as e-mail, payroll, internal systems and portals. In addition, employees will be registered in different systems to be able to perform work for BI in the specific position.

BI uses analysis of employee data to achieve strategic goals, for example to:

• regulate employee relations in order to comply with BI's interests and duties in relation to having an overview and compiling data as a basis for improving existing programmes / courses.
• follow developments in terms of positions and staffing to carry out strategic staffing planning.

Personal data about employees are mainly processed in BI's personnel and finance system (Agresso). BI has a legitimate interest in retaining information that can document the employment relationship. This means that the information is not deleted, but stored in this system. When you leave BI, your personal folder is reviewed and only necessary data are stored. BI will continue to store data about who has worked in the organisation, how long and in what position. Payroll information will also be stored, since this is relevant for later purposes, such as pensions.

To fulfill the requirements BI has as an employer for paying wages, creating user access in IT systems and physical access to BI's premises, it is necessary to process the following information (not an exhaustive list):

• Regular personal data, such as name, address, phone, e-mail address, and national identity number.
• Salary-related data, such as account number, salary, and taxation.
• Employee union membership. This is necessary because BI manages the payment of union fees for employees and ensures that this is reported as a deduction item to the authorities.
• For academic staff, information about teaching and exam results is processed, as well as information on academic roles that are used in annual workload compensation arrangements.
• For part-time lecturers and external examiners, data on teaching and grading assignments in BI's student administration system are processed, among other things, as a basis for salary payments.
• For exam supervisors, personal data on exam supervisors’ assignments in BI's student administration system are processed as a basis for salary payments.

Information about name, position and work area is considered to be public information and can be published on BI’s website. A portrait photo of you as an employee is published upon your approval.

Your personal folder contains information about, for example:

• Employment contract
• Non-disclosure agreements
• Documents on pensions and wage placement
• Special agreements in the employment relationship
• Documentation of placement in academic positions
• Documentation related to resignation
• Warnings
• Leave of Absence

Before the start of a research project at BI, the project must have a defined purpose and which personal data are necessary to fulfil the purpose must be clarified. The legal basis must also be clarified in order for the processing to be legal. Personal data you collect for a research purpose, cannot be used for other purposes without consent.

Personal data are processed in accordance with the Personal Data Act §§ 8-10, cf. GDPR articles 5, 6 and 9, and article 89. The Personal Data Act provides access to processing personal data for research purposes, provided that the privacy of the participants is safeguarded through technical and organizational measures implemented by the data controller, that the privacy implications have been assessed, and the data protection officer has been consulted where necessary.

BI has an agreement with the Norwegian Centre for Research Data (NSD) for advice on privacy issues in research, and all research projects containing personal data must be reported to and assessed by NSD. As a researcher, and before processing personal data, a risk assessment must be carried out. This will help prevent unwanted incidents or deficiencies in the processing of personal data. Measures should be implemented regarding the research data that are in proportion to actual risk based on the risk assessment. Key elements of the risk assessment are the scope of the project, the sensitivity of the information, the risk related to where the information is processed and stored, and the duration of the project. Even when all reporting from the project is anonymous, the project must be reported to NSD if, during the work on the project, personal data are processed electronically.

CRIStin (Current Research information system in Norway) is a database for research results and information for the documentation of scientific activity. If the project of a researcher affiliated with BI contains personal data, this will appear in the description of the project in Cristin. In relation to publishing, results and projects will be available in CRIStin, and the following personal information about the researcher is processed: Name, address, e-mail, phone number and national identity number.

Information that is necessary for treating cases where irregularities or offenses are revealed will be disclosed to the relevant committee. This means that the necessary information in connection with individual cases related to, for example, scientific dishonesty will be submitted to the Research Ethics Committee.

BI processes personal data in order to control who has access to the building. This is done by students, employees and others being registered and photographed when they receive access cards. The name, user name, date of birth and possibly the library user number are stored. In addition, some technical information is stored, such as what access is given to the card. Personal data are obtained from the administrative system or personnel and finance system.

Outside main working hours, card users must enter a PIN code. Which card is used on which card terminal and time of the pass are logged when using your PIN code. The information is stored in BI's access control systems. The log is deleted after 90 days.

BI has placed cameras that monitor outdoor areas and entrance areas. The cameras film continuously and the recordings are stored for 7 days before they are deleted.

Users are disabled when they no longer need an access card. Personal data such as name and date of birth are not deleted for students as they can take new courses and employees often return after certain periods when they do not work at BI. If a user has not had an admission card in 1 year, personal data related to access is deleted.