Information security and data protection
What responsibility do the institutions have as regards information security and data protection?
Recently edited: 11 November 2024

Information is processed in the interaction between people, processes and technology. Information security is about securing this processing of information, and thus the values that the information represents. The management of each institution is responsible for establishing and maintaining satisfactory information security.
Ministry of Education and Research (MER)'s Policy for informasjonssikkerhet og personvern i høyere utdanning og forskning ('Policy on information security and data protection in higher education and research' – in Norwegian only) summarises the most important legal requirements and national guidelines in the field of information security, with a standard for data protection.
The policy is aimed at institutions subject to MER's governance model for information security and data protection, and sets out the following requirements:
- Introduce an information security management system.
- Keep an overview of information assets.
- Conduct risk assessments and establish security measures.
- Establish solutions for incident management, continuity and closure of non-conformities.
- Ensure control of service providers.
- Ensure internal control for the processing of personal data.
- Safeguard the rights of data subjects.
- Appoint a data protection officer.
- Carry out data protection impact assessments.
- Ensure data protection by design and information security.
- Provide training and competence-building.
- Document the work on information security and data protection.
The requirements for information security and data protection are summarised in the Ministry of Education and Research's (MER) governing document (in Norwegian only) as follows:
MER's subordinate undertakings shall:
- Comply with applicable regulations, including the Public Administration Act with e-Administration Regulations (in Norwegian only), the Freedom of Information Act with pertaining regulations, the Security Act with pertaining regulations, the Personal Data Act with pertaining regulations, the Personal Health Data Filing System Act with pertaining regulations, the Electronic Communications Act with pertaining regulations, the Electronic Signature Act with pertaining regulations and the Regulations on Financial Management in Central Government.
MER's underlying undertakings covered by MER's governance model for information security and data protection in higher education and research shall:
- Follow the requirements set out in Circular F-04-20 Policy for informasjonssikkerhet og personvern i høyere utdanning og forskning ('Policy on information security and data protection in higher education and research' – in Norwegian only)
MER's subordinate undertakings shall/other undertakings in the sector should:
- Establish a comprehensive information security management system.
What are the identified threats and what should be kept in mind in international cooperation?
More and more Norwegian undertakings in the public and private sectors have been exposed to intentional digital attacks, and increasingly serious digital security incidents are being recorded. NSM points out that states or state-sponsored threat actors are behind several of the incidents, and that there is also a risk of security incidents outside the digital space. PST has for several years seen that the sector can be exploited by foreign states wishing to map potential sources. Such sources may be Norwegian researchers involved in foreign cooperation, or visiting lecturers and other persons cooperating with Norwegian institutions in Norway; foreign states also monitor and seek to influence their own citizens studying in Norway. This form of mapping often takes place over a period of time, with the goal of building relationships that can lead to access to sensitive information. Another potential threat is covert procurement and illegal knowledge transfer: the acquisition of goods and technology, and attempts to transfer knowledge illegally, in order to circumvent sanction regimes and export control regulations. Such threats do not only apply to the digital space, but can also affect people and physical procurements.
In their risk and threat assessments, the intelligence, surveillance and security services (NSM (in Norwegian), PST and NIS (in English)) emphasise that threats in Norway have become more serious and point to several specific areas in research and development that may be particularly vulnerable to digital attacks and knowledge espionage.
Countries with which Norway has no security cooperation are particularly highlighted as a present threat. This does not mean that cooperation with what are known as third countries is not possible, but thorough planning and security assessments are required before entering into international cooperation with such countries. Information security and data protection are areas that need to be given attention during the planning phase.
What is personal data?
Personal data is information that can be linked to a person's identity, such as their name, address, contact information, photos and national ID number. In addition, some personal data is classified as sensitive (see the question on sensitive personal data below). Note that pseudonymised personal data is still personal data: the pseudonym can be linked back to the person by whoever holds the key or the mapping table.
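The point about pseudonymised data is easy to underestimate, so here is an added example (not code from the original page) showing why a pseudonymised dataset remains personal data. It uses a keyed HMAC as the pseudonymisation function, shows that the records stay linkable across two datasets, that the key holder can re-identify a token, and that an unkeyed hash can be inverted by simply enumerating candidate identifiers. The identifiers, record fields and key are constructed for the example.

```python
"""Added example (not from the original page): why pseudonymised records remain
personal data. A pseudonym replaces the direct identifier, but the records stay
linkable, and whoever holds the key (or can enumerate the identifier space) can
recover the identity. Identifiers and fields below are constructed sample data."""
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample records (not real national ID numbers).
STUDENT_RECORDS = [
    {"national_id": "01019912345", "programme": "Informatics", "exam_result": "B"},
    {"national_id": "15057054321", "programme": "Physics", "exam_result": "A"},
]
HEALTH_RECORDS = [
    {"national_id": "01019912345", "adaptation": "extended exam time"},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier, hex-encoded.

    Deterministic on purpose: the same identifier under the same key gives the
    same token, so a data subject's records can still be joined across datasets."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records: List[Dict], key: bytes) -> List[Dict]:
    """Replace the national_id field with a token; all other fields are kept."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject"] = pseudonymise(copy.pop("national_id"), key)
        out.append(copy)
    return out


def join_on_subject(left: List[Dict], right: List[Dict]) -> List[Dict]:
    """Linkability: the tokens allow two pseudonymised datasets to be joined."""
    by_subject = {r["subject"]: r for r in right}
    return [{**row, **by_subject[row["subject"]]}
            for row in left if row["subject"] in by_subject]


def reidentify(token: str, known_identifiers: List[str], key: bytes) -> Optional[str]:
    """The key holder re-identifies a token by recomputing it for known identifiers."""
    for identifier in known_identifiers:
        if hmac.compare_digest(pseudonymise(identifier, key), token):
            return identifier
    return None


def unkeyed_hash(identifier: str) -> str:
    """A plain hash is a weaker pseudonym: no key is needed to invert it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidate_identifiers: List[str]) -> Optional[str]:
    """Anyone who can enumerate the identifier space recovers the identity from an
    unkeyed hash. National ID numbers form a small, structured space, so this is cheap."""
    for identifier in candidate_identifiers:
        if unkeyed_hash(identifier) == token:
            return identifier
    return None


if __name__ == "__main__":
    key = b"assumed-secret-key-held-by-the-controller"  # constructed key
    students = pseudonymise_dataset(STUDENT_RECORDS, key)
    health = pseudonymise_dataset(HEALTH_RECORDS, key)
    print("joined records:", join_on_subject(students, health))
    print("re-identified:", reidentify(students[0]["subject"], ["01019912345"], key))
```

The practical consequence: the key (or mapping table) must be stored separately from the pseudonymised data and under stricter access control, and the pseudonymised dataset itself still needs a legal basis, a purpose and the other protections described below.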
All personal data shall be processed in accordance with the basic data protection principles set out in the EU General Data Protection Regulation (GDPR) (in Norwegian) and the Personal Data Act (in Norwegian). MER's governance model requires data protection by design and by default; MER's subordinate agencies must follow this policy and therefore also practise data protection by default.
The principles of data protection are:
- The processing of personal data shall be lawful, which means that at least one of the conditions set out in Article 6 of the GDPR must be met in order to process personal data.
- The processing must be limited in purpose, i.e. the data is collected for specified, explicit and legitimate purposes and is not further processed in a manner that is incompatible with those purposes.
- Data minimisation must always be practised. The data collected shall be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- The data collected must be correct and up-to-date at all times. Reasonable measures must be taken to ensure that data that is incorrect in relation to the purpose for which it is processed, is erased or corrected without undue delay.
- Storage limitation must be practised. This means that the data shall be stored in a manner that ensures it is not possible to identify the data subjects for longer than necessary for the purposes for which the personal data is processed. If the data is stored for longer periods, it must be solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that appropriate technical and organisational measures are implemented to safeguard the rights and freedoms of data subjects.
- The data shall be processed with integrity and confidentiality, and with appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This is ensured through appropriate technical and organisational measures.
These principles apply to all personal data; in addition, there are some additional considerations that must be taken with respect to sensitive or special categories of personal data.
What is considered sensitive personal data?
Some personal data is categorised as sensitive data, to which special rules for processing apply. This applies to data about:
- A person's ethnic background
- Political opinions
- Religion
- Philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Health data
- Information about sex life or sexual orientation.
In principle, it is prohibited to process such data unless one of the exceptions in Article 9(2) applies in addition to the legal basis required under Article 6. The exceptions are subject to reservations, so institutions must familiarise themselves with the text of the regulation before they start processing sensitive personal data. We refer to the General Data Protection Regulation for the full text, as well as the Norwegian Data Protection Authority's pages about this (in Norwegian only).
What is processing of personal data?
Processing of personal data is any use of personal data: collection, recording, structuring, storage, alteration, disclosure or combination of personal data, or any combination of these operations.
You must have a legal basis for processing personal data. Article 6 of the General Data Protection Regulation lists the possible bases, such as consent, a contract with the data subject, a legal obligation, or a task carried out in the public interest. A data processing agreement (Article 28) regulates the relationship with a data processor and is not itself a legal basis. For the processing of sensitive personal data, the additional conditions in Article 9 also apply.
By establishing good documented agreements, with data protection by design and by default in accordance with the law and MER's policy for information security and data protection, it will be possible to establish and further develop safe cooperation within academia abroad.
Who are the data controllers?
The data controller is the natural or legal person, for an institution normally the institution itself, that determines the purposes and means of the processing of personal data, regardless of the scale of the processing. The data controller must ensure that the technical solutions, software, apps, infrastructure or algorithms used have data protection by design built into their processing.
This also applies to the use of products and services from a third party. Here, the data controller must require, make an assessment of and ensure that third-party data processors meet the requirements for data protection by design.
What assets are covered by information security and data protection?
Information security protects different sets of assets. The assets include the digital systems or services in which information and personal data are processed, the flow of data between the systems or services and who has access to them. It also includes systems or services provided by external service providers, such as cloud services.
The assets are not only in the digital domain or stored information in various databases, they also include properties, physical infrastructure, IT resources and digital infrastructure. The report 'Informasjonssikkerhet og personvern i høyere utdanning' (2022)('Information security and data protection in higher education' – in Norwegian only) identifies 10 main types of information assets in the higher education sector. They include:
- Student administration that processes personal data and information about adaptation
- Information related to education plans, forms of assessment and exam results
- Research data, project planning and patents
- Overview of employees and managers
- Finances and accounts
- Systems for corporate governance and strategy
- Information about properties and physical infrastructure
- IT resources and digital infrastructure
- Media and communication
- Information about alumni
Personal data and special categories of personal data are particularly important assets.
Information security and data protection encompass a broad spectrum of asset types, all of which are important to activities or cooperation to varying degrees. The information assets can also have a major impact on external stakeholders such as participants in research projects, funders, partners and public authorities. Therefore, a valuation and value chain assessment must be carried out, so that good security management can be established for the project. The assets and value chains involved in a cooperation can be research data, digital infrastructure and information about participants and involved researchers.
"The Asset Landscape" – Main Types of Information Assets
The digital shift that took place in the higher education (HE) sector during the pandemic means that an increasing share of institutions' information assets is managed electronically. However, there is no standard way to systematise and categorise the sector's information assets. Ulven and Wangen (2021: 10-15) provide an overview of ten main types of information assets that are typically involved, based on a survey conducted at Queensland University of Technology in Brisbane, Australia. It gives an indication of the types of information assets managed by Norwegian HE institutions.
Main Types of Information Assets in higher education institutions
- Student Administration: Information typically processed in student administrative systems. This may include names, personal identification numbers, residential and email addresses, previous education, courses and subjects, semester fees, study progression/credits, adapted teaching, internships, and exam results. It also includes information processed in electronic communication platforms provided to students by the university or college.
- Learning, Assessment, and Teaching: Information related to the execution and administration of teaching and exams or other forms of assessment. This could include teaching plans, course information, reading lists, exam questions and answers, submissions, master’s and bachelor’s theses, library resources, online learning resources, and information about students and instructors processed in learning platforms.
- Research and Development: Information on the content, administration, and execution of research projects. Examples include project descriptions, funding, contracts, participants and partners, data sources, raw data, processed data, research results, publications, and commercial rights (patents).
- Employees and Managers: Information on employment relationships, often processed in HR systems. This may include names, personal identification numbers, residential addresses, positions, salaries, bank account numbers, sick leave, vacation, compensatory time, training/courses, special accommodations, etc. It also includes information about individuals who are not employed by the university or college but receive compensation for assignments, such as examiners.
- Finance and Accounting: Information on the institution's funding, as well as management and oversight of financial assets. This may include budgets at the organizational and unit levels, annual financial statements, payroll costs, project expenses, orders, disbursements, and financial reports.
- Governance and Strategy: Information on key institutional matters and plans for future administrative or academic development, such as development agreements with the ministry. Information important for institutional governance is often collected in various data warehouse solutions. This may include key financial data, student numbers, study credit production, the scope of externally funded research, Ph.D. programs, temporary employment, equality, and gender balance, etc.
- Property and Physical Infrastructure: Information about buildings and other parts of the physical environment. This may include information on campus buildings, construction projects, laboratories and equipment, elevator systems, other electrical systems, etc. It may also include various types of sensor data about the physical environment, such as access control, alarm systems (fire, water, moisture), ventilation, heating, and video surveillance.
- IT Resources and Digital Infrastructure: Information on the management and administration of the IT portfolio. This may include information on IT acquisitions, computers, software, databases, outsourcing, data processors, network configurations, digital security, access management, and user support.
- Media and Communication: Information used in internal and external outreach and communication activities. This may include information on websites, intranets, and social media (Facebook, Instagram, Twitter, etc.). It also includes information on conferences, seminars, workshops, and participants in such events.
- Alumni: Contact information for former students and other relevant information, such as subscriptions to newsletters, events, and gatherings.
The categorisation of information assets at universities and colleges could look different. For instance, it could be based on whom the information is valuable to, i.e., a "stakeholder perspective," or a legal perspective—how the processing of the information is legally regulated. However, we believe the overview provides a satisfactory, though not exhaustive, picture of the sector's complex and somewhat unclear "asset landscape."
What must be considered when choosing a digital platform for cooperation?
Common digital platforms are necessary to communicate and interact at startup and during a project. The platform is used for storing project documentation and for holding and documenting project meetings. Data controllers are also responsible for ensuring that third-party data processors, products and services meet the requirements for data protection by design and information security.
When choosing a digital platform, an overview of all digital platforms to be used in the cooperation should be drawn up before the project starts. It must also be documented which personal data is to be processed and, if relevant, stored, how this is to be done, and on what legal basis (for example consent). The platform must also have a privacy statement.
If platforms from third countries are to be used, documentation must be provided on what personal data is processed and how it is stored and managed. This must satisfy the requirements of the applicable legislation in Norway and the EU (in Norwegian). You must know the systems in question, how they are managed, what security measures are used and who has access. Procedures for updating or erasing information must also be established and known.
Share information and access with partners
I am going to share information with partners or give them access to the institution's systems, what do I need to consider?
Who should have access, how and why are the key questions that must be answered before sharing information assets with external parties. In this context, external parties such as visiting researchers, visiting lecturers or other partners from foreign institutions in third countries are especially relevant.
Regular asset mapping from the start of an international cooperation project, or prior to welcoming a foreign visiting researcher will provide an overview of what there is and where it is stored.
Established access management procedures must be in place and reviewed regularly, with a simple way of revoking access when the collaboration ends. In addition, the applicable procedures for background checks of partners or visiting researchers from countries that may pose a security risk, or of positions authorised to make major financial decisions, should be updated in line with the mapping of assets.
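One way to make the "who, how and why" questions and the end-of-collaboration revocation concrete is to record every external access grant with those fields and an expiry date tied to the agreement. The following is an added example (not code from the original page or from any sector system): each grant is validated against the asset inventory produced by the asset mapping, grants approaching expiry are listed for review, and expired grants are removed. The inventory, accounts, reasons and dates are constructed for the example.

```python
"""Added example (not from the original page): time-bound access grants for
external partners. Every grant records who, what, why and who approved it,
carries an expiry tied to the collaboration's end date, and is checked against
the asset inventory from the asset mapping. All names and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set

# Constructed asset inventory, as produced by the asset mapping before the project.
ASSET_INVENTORY: Set[str] = {"research-data-share", "project-wiki", "hr-system"}


@dataclass(frozen=True)
class AccessGrant:
    subject: str      # account of the visiting researcher or partner (who)
    asset: str        # must be an asset from the inventory (what)
    reason: str       # why access is needed
    approved_by: str  # who authorised it
    expires: date     # end date of the collaboration agreement


def validate_grant(grant: AccessGrant, inventory: Set[str]) -> List[str]:
    """Return the problems with a grant; an empty list means it may be provisioned."""
    problems = []
    if grant.asset not in inventory:
        problems.append(f"{grant.asset}: not in the asset inventory")
    if not grant.reason.strip():
        problems.append("missing reason")
    if not grant.approved_by.strip():
        problems.append("missing approver")
    return problems


def is_active(grant: AccessGrant, today: date) -> bool:
    """A grant is active up to and including its expiry date."""
    return today <= grant.expires


def expired_grants(grants: List[AccessGrant], today: date) -> List[AccessGrant]:
    """Grants past their expiry: these must be removed immediately."""
    return [g for g in grants if not is_active(g, today)]


def grants_due_for_review(grants: List[AccessGrant], today: date,
                          horizon_days: int = 30) -> List[AccessGrant]:
    """Active grants expiring within the horizon, so the owner can extend or confirm removal."""
    horizon = today + timedelta(days=horizon_days)
    return [g for g in grants if is_active(g, today) and g.expires <= horizon]


def revoke_expired(grants: List[AccessGrant], today: date) -> List[AccessGrant]:
    """The grants that remain after expired ones are removed."""
    return [g for g in grants if is_active(g, today)]


# Constructed sample grants for a collaboration with a partner institution.
SAMPLE_GRANTS = [
    AccessGrant("visiting.researcher@partner.example", "research-data-share",
                "Joint project X data analysis", "head.of.dept", date(2025, 3, 31)),
    AccessGrant("visiting.lecturer@partner.example", "project-wiki",
                "Course co-teaching spring 2025", "course.coordinator", date(2025, 6, 15)),
    AccessGrant("former.partner@partner.example", "research-data-share",
                "Project Y (ended)", "head.of.dept", date(2024, 12, 31)),
]

if __name__ == "__main__":
    today = date(2025, 3, 15)
    for g in expired_grants(SAMPLE_GRANTS, today):
        print("remove now:", g.subject, g.asset)
    for g in grants_due_for_review(SAMPLE_GRANTS, today):
        print("review before", g.expires, ":", g.subject, g.asset)
```

Run the review function on a schedule and treat a non-empty list from expired_grants as an incident to close the same day; a grant that fails validate_grant should never be provisioned, because a missing reason or approver is exactly the gap a later review cannot answer.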
Exchanging personal information and GDPR
What must be considered when exchanging personal information and do I have to consider GDPR?
Researcher and student mobility often entails the need for an exchange of personal data. In many cases, the institutions involved in the exchange will have access to the same Learning Management System, such as Canvas, which enables secure processing of such information.
In situations where this is not the case, where the institutions do not have the same systems or are in the Scholars at Risk scheme, it must be considered whether the exchange of personal data is sufficiently secured. Consider using Sikt's web application, which can be used by Norwegian educational institutions to exchange personal data in a secure manner: Nomination Common Student System (FS) (in Norwegian) or the University of Oslo's service Nettskjema for the secure transfer of personal data.
Consideration must also be given to what personal data is shared, in which channels and who has access to it.
Does GDPR only involve limitations, or are there opportunities that make my collaboration projects easier and more secure?
Some may think that GDPR is difficult to relate to and that it is a set of laws and regulations that place great constraints on cooperation. Taking advantage of the opportunities and guidance provided by GDPR will ensure that cooperation can be carried out in a more secure and controlled manner, by ensuring that statutory duties and principles are met, and that there is an awareness of what information can be shared and how to share it. This allows for fruitful academic collaboration, where you are in control of the flow of information, are aware of the challenges and, not least, the opportunities you have.
Risk countries
Several of the threat assessments from the intelligence, surveillance and security services point to some specific risk countries. Does this mean that I cannot cooperate with researchers and students from these countries?
It is true that several of the open threat assessments identify a number of countries with which Norway has no security cooperation, such as China, Russia and Iran, as the largest potential threat actors to Norwegian institutions. This does not mean that it is impossible to establish good academic partnerships with institutions or people from these countries. In such collaborations, it is particularly important to establish good cooperation agreements that ensure good planning with regard to information security and data protection. Security is strengthened by conducting good value chain analyses and risk assessments before the cooperation is established. The framework for cooperation should be revised as necessary. With security as a prerequisite for international cooperation, it is possible to carry out successful academic cooperation.
Relevant authorities and resources to contact
The Norwegian Data Protection Authority (Datatilsynet) is both a supervisory authority and an ombudsman. Its task is to oversee that the data protection regulations are complied with, and to help ensure that individuals' rights are not violated through the use of information that can be linked to them.
The National Security Authority (NSM) is the Norwegian directorate for preventive national security. NSM gives advice on and carries out supervision and other control activities in relation to both civilian and military issues related to securing of information, systems, objects and infrastructure of national importance. It also has a national responsibility to detect, report and coordinate the handling of serious cyberattacks.
The Police Security Service (PST) (in Norwegian) is Norway's domestic intelligence and security service and is subordinate to the Minister of Justice and Public Security. PST's main task is to prevent and investigate serious crime that threatens national security. PST collects information about individuals and groups that may pose a threat, prepares analyses and threat assessments (pst.no) and provides advice.
Sikt is the knowledge sector's service provider. It develops, procures and delivers products and services for education and research. It offers the knowledge sector infrastructure, data and shared services that provide good user experiences and meet the overarching goals of digitalisation, data sharing and open research. It is also responsible for the role of sectoral response environment for ICT incidents in the higher education and research sector. See also Cyber Security Centre for Research and Education (sikt.no) (in Norwegian only).
Glossary
Hybrid threats are described in Report No 9 to the Storting (2022-2023) "Nasjonal kontroll og digital motstandskraft for å ivareta nasjonal sikkerhet. Så åpent som mulig, så sikkert som nødvendig" ('National control and digital resilience to safeguard national security. As open as possible, as secure as necessary' – in Norwegian only) as 'strategies of competition and confrontation below the threshold of direct armed conflict, which may combine diplomatic, informational, military, economic, financial, intelligence and legal means to achieve strategic objectives.
Hybrid threats can occur in security policy grey areas for the purpose of sowing discord and creating destabilisation. A wide range of methods can be employed and combine open, covert and clandestine methods. The methods may be directed at specific activities or situations, or may be more long-term means of giving rise to doubts, undermining trust and thereby weakening our democratic values. Hybrid threats are inherently complex and challenge the possibilities of early warning, unified situational awareness and effective and coordinated management.'
Knowledge security refers to preventing the unwanted transfer of sensitive knowledge and technology with negative consequences for national security and innovation capacity. The term covers activities aimed at influencing and disrupting activities on behalf of foreign state actors within higher education and research. Such activities may lead to censorship and impair academic freedom.
Knowledge security also covers ethical issues related to cooperating with countries where fundamental rights are not respected.
Countries of concern refers to countries identified as high-risk countries in the annual national risk and threat assessments issued by NIS, PST and NSM.
National security is defined as state security and a limited part of the social security area which is essential for a state's ability to safeguard national security interests.
National security interests are a country's sovereignty, territorial integrity and democratic system of government, as well as general political security interests related to (a) the activities, security and freedom of action of the highest state bodies, (b) defence, security and contingency preparedness, (c) relations with other states and international organisations, (d) economic stability and freedom of action, and (e) fundamental societal functions and the basic security of the population.
Public security is the ability of society to protect itself against and deal with events that threaten fundamental values and functions and endanger life and health. Such events may be natural, a result of technical faults or human errors, or of deliberate actions.
State security is the safeguarding of the state's existence, sovereignty, territorial integrity and political freedom of action. State security has traditionally been linked to the defence of the state's territory against armed attacks, but it can also be challenged by various forms of pressure being applied against Norwegian authorities and societal actors.
A vulnerability assessment describes how vulnerable the values/assets are in light of identified threats and forms the basis for preventive and mitigating countermeasures.
On the one hand, 'values' refers to norms and principles, such as academic freedom. However, the term 'values' or 'assets' is also used in the context of valuation and risk analysis. Here, the terms refer to anything that is worthy of protection and can be threatened, such as life and health, information, material assets and reputation.
Valuation is an analysis to identify what information, objects, and other assets (for example life and health, reputation, etc.) are so important that they need to be shielded or protected. A valuation forms the basis for identifying threats that are relevant to the activities in terms of how threat actors can affect the institution's values/assets.