What is personal information?
Personal information is information or assessment that can be linked to you as an individual, such as, for example, name, address, telephone number, e-mail address, car number, pictures, etc.
Sensitive personal information is information about racial or ethnic background, or political, philosophical or religious opinion, that a person has been suspected, charged or convicted of a criminal act, health condition, sexual relationship or membership in trade unions.
Reference:
https://www.datatilsynet.no/om-personvern/personopplysninger/
What personal information is stored in Didac?
Didac offers functionality for conducting and following up courses and training in companies. In order to offer this, the application needs to be able to store and handle the following information that can be linked to an individual:
- Name, phone number, e-mail. Optionally profile picture, employee date, description and invoice address.
- Information collected at login, such as user agent, time and IP address.
- Information related to the implementation and approval of training, as well as related results.
- Information related to communication with other users of the system in connection with the implementation of training.
- Information related to which parts of the organization a person belongs to.
- If the customer chooses to use local authentication with Didac, passwords are also stored. The passwords are stored in encrypted form (one-way "salted" hash).
The information is not considered sensitive. the Personal Data Act §2.
Reference:
https://lovdata.no/dokument/NL/lov/2000-04-14-31/KAPITTEL_1#§1
Who has access to personal information?
The personal data stored in Didac can be made available either directly via the application's interface, or indirectly via the underlying operating platform.
Access via the application interface, regulated by the customer himself, using Didac's built-in access control. The information can be made available via monitor or firewall via programmatic interface (API).
Access to Didac's operating platform is reserved for technical personnel from Didac and Didac's subcontractors. This access is necessary to ensure stable operation of the solutions. Basically, subcontractors only include technical personnel from Orange Business (form. Basefarm AS). If additional services have been agreed, such as integration with other systems, development of support APPs for mobile platforms or the like, it will be relevant to also provide access to other suppliers. As of today, this type of access is only given to Evidi AS in connection with the development of integration solutions.
How is access to personal information secured?
Access to the application's interface is secured by using. industry-standard technology for authentication and authorization in modern web applications (Owin / OpenId). All traffic between client and server is encrypted using https / SSL. See separate documentation for details.
Access to the operating platform for technical personnel is ensured both by physical limitations such as access control to operating halls, workplace, and technological limitations such as VPN, IP filtering and the like. The work stations of technical personnel are secured by means of automatic screen lock and password that change periodically.
Securing databases is limited. by customer data being stored in separate databases, one per customer. Where access is needed, this is also provided per customer, so that integration suppliers only get access to data for the customer in question.
Deletion of personal information in Didac
If you want to remove personal data from Didac, a combination of anonymization and deletion is used. This is done in order to maintain statistics on the implementation of training.
When a user is anonymized, the value is overwritten in all fields that can be used to identify the user. This includes name, email, telephone number, descriptions, login name, reference ID, employee date and profile picture. Any comments written by or until the user is overwritten. Any messages sent from the user are overwritten.
The following will be deleted:
- Membership in or responsibility for groups
- All coordinator assignments
- All files that user has uploaded
- All files that the administrator has uploaded in connection with the user
- All messages that have been sent to the user.
- All login attempts that can be linked to the user
Please note that the deletion and/or anonymization of individual users present in your own solution is your responsibility as the customer, unless otherwise agreed.
Upon termination of the contract, all data and information related to the customer's installation, including all personal data, will be deleted at the time agreed upon with the customer. The agreement ensures that the customer has the right and the opportunity to export necessary data before deletion. The actual deletion of customer documents, files, and data is carried out automatically. After the deletion is completed, it will take an additional 30 days before all data is deleted from the backup.
Comments
0 comments
Please sign in to leave a comment.