Privacy Policy for Competence center for lived experience and service development – KBT

This Privacy Policy discloses how the Competence center for lived experience and service development KBT gathers and uses personal data. By personal data we mean data and information that directly or indirectly can be tied to an individual. Our Privacy Policy is meant to provide you with information about our processing of personal data, both collection, registration, compilation, storage and delivery, or a combination of these.

1. Who are we?

Competence center for lived experience and service development (KBT) is a nonprofit organization. KBT works to promote the use of patient and service user experiences to improve services.

We work with methods for service development and user involvement, such as the User Interviews User method, courses, lectures, education, dialogue meetings and other projects in collaboration with patients/users of municipal services and specialist healthcare, municipalities and health care in general.

KBT handles all personal data in accordance with current regulations from the Norwegian Data Protection Authority, EU’s Privacy Regulation, relevant legislations and guidelines from other authorities. All employees at KBT have a responsibility to comply with the regulations and laws KBT’s operations are subject to.

2. When does Competence center for lived experience and service development – KBT collect personal data?

We mainly process data that you have provided to us for one of the following reasons:

  • You have send us an inquiry via email, social media, telephone and/or other channels
  • You have signed up for a course, lecture, seminar, dialogue meeting or similar
  • You subscribe to our newsletter
  • You participate as informant in one of our projects
  • You have applied for a job or are employed at KBT

We also receive data indirectly for the following reasons:

  • We have asked a company for a statement and your information appears in the statement
  • We receive information about you from a partner
  • An employee has identified you as the next of kin
  • A job applicant has pointed you out as reference

3. Your rights

Below you find a list of your rights regarding your personal data. You can exercise your rights by emailing:
post@kbtmidt.no

or by contacting our Data Protection Official Ingvild M. Kvisle at:

ingvild.kvisle@kbtmidt.no

You are entitled a response without undue delay and within 30 days.

Ingvild M. Kvisle is KBT’s Data Protection Official and therefore responsible for the processing of personal data at KBT. 

Our Data Protection Official has been voluntarily appointed by KBT to strengthen our ability to comply with regulations for processing personal data. The role and tasks of the Data Protection Official follow from Articles 37, 38 and 39 of the General Data Protection Regulation. 

Access to your own information
You can request a copy of all your personal information that we process in accordance with Article 15 of the General Data Protection Regulation.

Correction of personal data
You can ask us to correct or supplement any information that is incorrect or misleading in accordance with Article 16 of the General Data Protection Regulation. 

Deletion of personal data
In certain situations, you can ask us to delete information about you in accordance with Article 17 of the General Data Protection Regulation. 

Limitation of processing personal data
In certain situations, you can also ask us to restrict the processing of information about you in accordance with Article 18 of the General Data Protection Regulation.

Protest against processing personal data
If we process information about you on the basis of our tasks or a balance of interests, you have the right to object to our processing of your personal information in accordance with Article 21 of the General Data Protection Regulation. 

Data portability
If we process information about you on the basis of consent or a contract, you can ask us to transfer your personal information to another controller in accordance with Article 20 of the General Data Protection Regulation. 

You can complain about our processing of personal data
We hope you will let us know if you believe we do not comply with the rules of The Personal Data Act. Please contact our Data Protection Official Ingvild M. Kvisle first. 

You can also complain about our processing of personal data. You do this to the Data Protection Authority, but the complaint will be forwarded to the Ministry of Local Government and Modernisation.

5. What kind of information is collected when you use our website?

Web analytics
Competence center for lived experience and service development is responsible for the websites www.kbtmidt.no, www.recoveryknutepunkt.no and www.kbtfagskole.no. Our websites are run in the WordPress platform.

Competence center for lived experience and service development is responsible for the websites www.kbtmidt.no, www.recoveryknutepunkt.no and www.kbtfagskole.no. Our websites are run in the WordPress platform.

All sites are hosted by Webhuset’s web hotel. We refer to Webhuset’s Privacy Policy.

The purpose of the websites is to give you knowledge and information about our activity. KBT wants to spread knowledge about mental health, substance abuse, service development and innovation.

We use the Google Analytics tool to analyze your use of our website. The purpose of this is to compile statistics that we use to improve our website. Such statistics can be how many people visit different pages, how long the visit lasts, which websites the users referred from and which browsers are used.

The information is processed in de-identified and aggregated form. De-identified means we cannot track the information we collect back to individual users. We collect the entire IP address, but the IP address is then de-identified so that only the first three groups in the address are used to generate statistics. That is, if the IP address consists of the numbers 195.159.103.82, only 195.159.103.xx is used. In addition, IP addresses are processed on the aggregated level, meaning all data is merged into a group and not processed individually. Information from Google Analytics is stored on Google’s servers in accordance with the General Data Protection Regulation (GDPR). Google LLC is processor for this data. See Google’s information on privacy and terms.

The basis for this is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary to protect a legitimate interest that outweighs the privacy of individuals. The legitimate interest is to improve our services.

Cookies
A cookie is a small text file. When you visit one of our websites, the website will ask you browser to save a cookie on your machine. This allows the website to remember your actions or preferences over time, as well as how often you have been on the website (see datatilsynet.no/en/).

Collected information will never be used to identify individuals. It will only be used internally, and data will under no circumstance be sold to other parties.

The revised ekomloven (Norwegian Act on Electronic Communications) of July 1, 2013 has a new provision on the conditions relating to storage of information in communication equipment – the so called “Cookie section” in § 2-7b. The provision is a statue of what was previously regulated in the ekom-regulations section § 7-3, but in some extended and amended form.

  • 2-7b Use of cookies

Storage of information in the user’s communication equipment, or access to such, is not permitted without the user being informed of the information being processed, the purpose of the processing, who processes the information, and without the the user’s consent. The first sentence does not prevent technical storage or access to information:

  1. exclusively for the purpose of transmitting communication in an electronic communication network
  2. which is required to provide an information society service according to the user’s explicit request.

This is a standardized technology that is used on most websites today, and most modern browsers (Google Chrome, Firefox, Internet Explorer, Safari, Opera, etc.) are set to accept cookies automatically.

We collect information automatically and save it as log files on our servers. This is information such as the type of browser used on our websites, operating systems on the devices used to visit, as well as data about navigation and the visit. This information is solely used to look at trends and development over time – and to help us improve our websites for you as an end-user.

By using our website kbtmidt.no you agree to the storage of cookies. If you do not want to accept the storage of cookies, you can change the settings in your browser. We note that this may cause websites (ours included) to not work optimally.

KBT never uses cookies for the purpose of mapping the individual users usage patterns or other information that could violate privacy.

KBT uses cookies for the following purposes:

  • to save user settings – such as display language
  • to handle login and sessions
  • to collect statistics in order to improve our websites

The basis for this is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary to protect a legitimate interest that outweighs the privacy of individuals. The legitimate interest is getting services on the website to work.

How to clear and manage cookies
If you want to delete cookies or make sure no more cookies are saved, you can change the settings in your web browser:

Embedded content from other websites
Articles on this website can include embedded content (eg videos, images, articles etc.). Embedded content from other websites behave in the exactly same way as if the visitor had visited the website which the embedded content comes from.

These websites can collect information about you, use cookies or build third-party tracking systems and monitor your actions through the embedded content. This also includes tracking your actions via the embedded content if you have an account and are logged in on the website.

5. What kind of information is collected when you contact us?

Telephone
When you dial our office number +47 73 84 23 75 (this number has a redirection to +47 982 66 684) information about the call will be stored temporarily in our ICE telephone switchboard system. The information that is stored is limited to the time and duration of the call, whether the call was answered and your phone number. The log will be stored in ICE’s system for two days. In addition to this there is a call log on the phone that will be emptied yearly. Furthermore employees that have office phones will have information about their calls on their respective phones. See ICE’s documentation on security and privacy policy.

A systematic registration of incoming phone calls is done in a document, and here callers can be identified. We do this to ensure correct follow-up of inquiries. This is because there may be a need to clarify who should follow up the inquiry and in what way. In addition we want to be able to use aggregated statistics from this when reporting to our financiers/commissioners.

The basis for this is Article 6 (1) ( f) of the General Data Protection Regulation, which allows us to process information that is necessary to protect a legitimate interest that outweighs the privacy of individuals. The legitimate interest is to manage and operate our telephone system.

Email
We use TLS encryption to secure our email communication which runs through the Google G Suite email system. Most webmail services support this, and your email communication with us will then be secured. However, we ask that you do not send us sensitive information by email as we cannot guarantee that your email provider supports TLS.

We scan all incoming and outgoing emails for viruses and malware.

The basis for this is Article 6 (1) ( f) of the General Data Protection Regulation, which allows us to process information that is necessary to protect a legitimate interest that outweighs the privacy of individuals. The legitimate interest is to secure KBT’s IT infrastructure.

Camera in stairway
A camera is mounted in the staircase at KBT’s offices in Kjøpmannsgata 33. The camera is in operation only at night and records only when it detects movement in the room.

The basis for this is Article 6 (1) (f) of the General Data Protection Regulation, which allows us to process information that is necessary to protect a legitimate interest that outweighs the privacy of individuals. The legitimate interest is to secure access to the Data Protection Authority’s premises.

6. Processing of information when you are in contact with us

Newsletter
KBT sends out a newsletter by email to those who sign up for it. Our newsletter contains news and information about courses, activities and events. The newsletter is send out every two months.

In order for us to send you the newsletter, you must sign up with an email address, and you can choose to register your name as well. Your email address will only be used to send out newsletters and possibly user surveys about the newsletter to get feedback on what readers find interesting.

Your email address is stored in a separate database, will not be shared with others, and is deleted when you unsubscribe by clicking the link for this newsletter or by contacting us. KBT uses Mailchimp as a system for managing and sending out the newsletter, and the database with information about subscribers is kept in KBT’s Mailchimp account. See Mailchimp’s Privacy Policy.

The basis for processing your email address in connection with our newsletter is Article 6 (1) (a) of the General Data Protection Regulation, ie consent.

Surveys
When conducting surveys, we will always inform about the purpose of the survey and whether it is anonymous or not. KBT will not share the information with others or use the information for purposes other than those specified.

KBT uses SurveyMonkey as a system for conducting surveys. You will find SurveyMonkey’s Privacy Policy here.

Anonymous surveys
If the survey is anonymous, KBT or SurveyMonkey will not be able to collect any information that can be linked to you.

Identifiable surveys
If the survey is not anonymous, KBT can identify those who have answered the survey. We can also use SurveyMonkey to send out the survey, in which case your email address will be shared with SurveyMonkey.

The basis for this is Article 6 (1) (a) of the General Data Protection Regulation where you consent to our processing of your information.

Participation in User Interviews User evaluations and other research- and evaluation projects
Competence center for lived experience and service development carries out User Interviews User projects – which are projects based on User Interviews User methodology, and other research/evaluation projects. Interviews with you as patient/service user/relative/service provider can happen in two ways:

  1. Participants in interviews are recruited by the service being evaluated, and prior to the interview personal information will only be handled by the service itself. KBT will not receive participants’ personal information. Interviews are conducted by KBT’s employees who have signed a confidentiality agreement. The interview is audio recorded if the participant(s) agree to this. Audio recording is processed in accordance with KBT’s internal procedures for data processing, and will be deleted as soon as an anonymous transcript/record of the interview has been written. Transcripts are only stored by KBT on KBT’s equipment.
  2. Participants sign up directly to KBT. We process personal information such as name, e-mail address and phone number of participants. This information is only stored by KBT on KBT’s equipment, and according to internal routines, this information is stored in a password protected document on a PC that is not connected to an internal network or the Internet. Information about participants will be deleted as soon as an interview has been completed. The exception is if the participant agrees to receive a report/the results sent by email. Personal information will then be deleted after the report has been sent.

Participation in KBT’s project is voluntary. You can withdraw from KBT’s projects at any time.

When participating in KBT’s projects you may be asked to give a written consent that anonymous qualitative data from your interview can be used in publications/journals. This is also entirely voluntary. Consent is given by signature on a paper form. This forms are stored by KBT on KBT’s equipment according to internal routines for data processing. Consent can be withdrawn.

The basis for this is Article 6 (1) (a) of the General Data Protection Regulation where you consent to our processing of your information.

Registration or participation in courses, dialogue meetings, seminars and other events
KBT uses registration forms for events.

If you register for a course held by us you will be asked to consent to us using your personal information to send you information and an evaluation of the course you signed up for.

When you attend our events, you can be asked to provide us with information about your name, title/function and email address. This personal information will be used to send you and abstract from the meeting and a survey for post-evaluation. It is completely voluntary to receive this.

Information related to event participants is stored in our SurveyMonkey account and on KBT’s equipment. This information is kept until the post-evaluation is completed.

See SurveyMonkey’s Privacy Policy.

The basis for this is Article 6 (1) (a) of the General Data Protection Regulation where you consent to our processing of your information.

Webinar og video calls
KBT offers webinars via Zoom. If you would like to attend a webinar organized by us, you will sign up according to the chapter above. You will then connect to the webinar via a link sent by email from us. In order to connect to the webinar room, you need to download software from Zoom. You will only have to enter a “name” when you connect to the webinar room, and you can choose freely what that name is. See Zoom’s privacy policy.

KBT may use Skype calls to communicate with partners or customers. You will then share information about yourself with us in the form of email and Skype identity. See Skype’s information about privacy and security.

The basis for this is Article 6 (1) (a) of the General Data Protection Regulation where you consent to our processing of your information.

7. Information about employees and job applicants

Employees
KBT processes employees’ information to administer payroll and employments. We collect the necessary information for payment of wages, hereunder basic information and contact information, salary levels, time registration, tax rates, tax municipalities and union memberships. Other information that is collected about employees includes work instructions and the organization/facilitation of his/her work.

The basis for this is Article 6 (1) (b) of the General Data Protection Regulation where processing is necessary to fulfill an agreement of the registered party.

Information related to the access control and keys to our office building, and access control in the IT systems, is registered. Information is obtained from the employees themselves. The Information is only provided in connection with salary payments and other statutory extraditions. Deletion procedures for personal information comply with the Accounting Act. Information about employees’ names, positions and tasks is considered to be public information and can be published on our website.

All employees have a staff folder in our system. Here the job application is filed/stored. Employee folders are cleared within 18 months after an employment relationship has ended.

Job applicants
If you are applying for a job at KBT, we need to process information about you to consider your application.

The basis for this is Article 6 (1) (b) of the General Data Protection Regulation- processing is necessary to fulfill an agreement of the registered party, or to take action on the subject’s request before entering into an agreement. If your application contains specific categories of personal data, the basis for this is Article 9 (2) (b) (h) of the General Data Protection Regulation.

All applications are logged in KBT’s system for inquiries. These are stored in our electronic archive for about a year before being shredded.

Non-staff that receive wages and/or refunds
KBT processes information about non-staff that receive wages and/or refunds from us. We collect the necessary information for payment of the wages and refunds, such as the salary levels, tax rates, tax municipalities, bank account number, name, address and documentation of what is being refunded.

The Information is only provided in connection with salary payments and other statutory extraditions. Deletion procedures for personal information comply with the Accounting Act.

The basis for this is Article 6 (1) (b) of the General Data Protection Regulation where processing is necessary to fulfill an agreement of the registered party.

8. Data security and data processors in KBT

KBT’s use of data processors
KBT currently has an IT operating model where we operate part of our systems ourselves, but we have left the operation of some systems to external parties.

We have a local file server system which we operate ourselves.

For payroll and accounting systems we use services from Økonomisenteret AS that run on their servers, and software including Visma Business, Huldt og Lillevik and Maestro Årsoppgjør.

24onoff is used as a system for managing working hours, overtime and absence. We operate our administrative account in the system ourselves, but 24onoff may retain information in accordance with 24onoff’s Privacy Policy: and 24onoff’s Terms of use.

KBT’s websites are hosted by Webhuset Webhotell, which is a Norwegian supplier, and a Norwegian data center is used. The websites are developed and operated by KBT. See Webhuset’s Privacy Policy.

Our email system is G suite. See Google’s information on Privacy and Terms.