
Privacy Policy

  1. Purpose of this Policy

    This Privacy Policy explains how Romerike International School collects, uses, stores, and
    protects personal data of students, parents, guardians, staff, and external partners. It reflects
    the requirements of:
    ● Personopplysningsloven (Norwegian Personal Data Act 2018)
    ● General Data Protection Regulation (GDPR, EU 2016/679)
    ● Guidance from Datatilsynet (Norwegian Data Protection Authority)
    Our goal is to ensure that all personal data is handled lawfully, fairly, transparently, and
    securely.
  2. Categories of Data We Process

    RIS may process the following categories of data:
    ● Student data: Name, age, gender, contact details, assessment records, attendance,
    health notes (where necessary).
    ● Parent/guardian data: Contact details, relationship to student, consents.
    ● Staff data: Employment records, performance, professional qualifications.
    ● Images & recordings: Photos, videos, and audio recordings used for educational or
    promotional purposes (with explicit consent).
    ● Technical data: Log-ins, cookies, and device usage for school platforms.
  3. Lawful Basis for Processing

    We process personal data under one or more of the following legal bases:
    ● Legal obligation (education regulations, safeguarding).
    ● Contractual necessity (student enrolment, staff employment).
    ● Consent (use of images, third-party apps not essential to curriculum).
    ● Legitimate interest (school improvement, IT security).
  4. Consent Management

    ● Consent is obtained separately for optional activities through the Application
    Contract (e.g., photography, third-party platforms, extracurricular tools).
    ● Parents and guardians can withdraw consent at any time by contacting the school
    in writing.
    ● RIS maintains a central consent register, held in Open Apply and accessible to staff,
    to ensure compliance.
  5. Data Minimization & Purpose Limitation

    ● Only data strictly necessary for educational or administrative purposes is collected.
    ● Sensitive categories (e.g., health) are stored separately and with restricted access
    within Open Apply.
    ● Where initials or anonymization suffice (e.g., internal reports), full identifiers will not
    be used; an anonymized identifier such as WW73 is used instead.
  6. Storage & Retention

    RIS follows a defined retention schedule:
    Each entry below gives the category of data, the proposed retention period, the legal /
    regulatory basis or rationale, and any notes or caveats.

    ● Academic / student records (grades, transcripts, enrolment data)
    ○ Retention period: 5 years after the student leaves / graduates.
    ○ Basis / rationale: Common practice in Norwegian schools; aligns with Asker
    International School policy ("student records: stored for up to 5 years after leaving").
    ○ Notes / caveats: If a national or municipal education regulation mandates longer, you
    must extend.

    ● Safeguarding / child protection / incident reports (this includes all §9a & §12 cases)
    ○ Retention period: Until the student is at least 23 years old, or longer if there is a
    statutory requirement.
    ○ Basis / rationale: These files often relate to legal claims, child welfare, or claims
    that may arise later (youth protection). Many organizations retain them for longer than
    general records to ensure protection or legal compliance.
    ○ Notes / caveats: In case of criminal or disciplinary proceedings, longer retention
    may be required.

    ● Health / medical information (as used by the school nurse, disability accommodations)
    ○ Retention period: 5 years, unless law requires longer.
    ○ Basis / rationale: The Norwegian Health Records Act (pasientjournalloven) often uses
    a 5-year reference in various contexts as a minimum; in the absence of an explicit
    school health context, conservative standard practice is applied.
    ○ Notes / caveats: For certain health conditions or special education accommodations,
    you may need to retain longer; assess on a case-by-case basis.

    ● Staff / employment records (contracts, evaluations, payroll, disciplinary records)
    ○ Retention period: 10 years after employment ends.
    ○ Basis / rationale: Common practice in Norway (e.g. Asker International School keeps
    staff records for 10 years); also aligns with labor law and tax/documentation
    obligations.
    ○ Notes / caveats: For pension or insurance claims, some records may need longer
    retention (e.g. documentation that supports long-term benefit claims).

    ● Payroll, salary, tax documentation, accounting records
    ○ Retention period: 5 years.
    ○ Basis / rationale: Under the Norwegian Bookkeeping Act, primary accounting
    documents must be kept for 5 years and secondary documentation for 3.5 years.
    ○ Notes / caveats: If there is a longer requirement in law (for special sectors) or a
    pending audit / litigation, retain longer.

    ● Photos, videos, audio recordings (for marketing, school publications, events)
    ○ Retention period: As long as valid consent is in place; otherwise delete or anonymize.
    ○ Basis / rationale: Under GDPR / Norwegian personal data rules, processing must
    respect purpose limitation and must not be indefinite.
    ○ Notes / caveats: Consent withdrawal must trigger deletion / removal.

    ● Data about prospective students / applicants (applications, interviews, etc.)
    ○ Retention period: 5 years.
    ○ Basis / rationale: If a prospective applicant is never enrolled, you should not hold
    the data indefinitely; 2 years is often normal for recruitment.
    ○ Notes / caveats: If the applicant later becomes a student, move the record into the
    student archive and apply that retention period.

    ● Communications / email logs / internal messages
    ○ Retention period: 5 years.
    ○ Basis / rationale: For operational, legal, or evidentiary reasons, most institutions
    retain email and message logs for a few years.
    ○ Notes / caveats: After expiration, purge or archive in anonymized form.

    ● Backup data, CCTV
    ○ Retention period: Rotating basis (e.g. 30–90 days), with retention aligned with the
    primary storage.
    ○ Basis / rationale: Backups exist to ensure continuity, not to override the retention
    rules for live data.
    ○ Notes / caveats: Do not allow backups to resurrect deleted data beyond its retention
    period.

    ● Consent records / withdrawal logs
    ○ Retention period: At least as long as the processing they pertain to, plus a small
    additional buffer (e.g. 1 year).
    ○ Basis / rationale: You need to document when consent was given / withdrawn in order
    to demonstrate compliance.
    ○ Notes / caveats: Even if the main data is deleted, the consent log must remain to show
    that you complied historically.

    ● Annual data purge procedures ensure that timely deletion takes place in Week 37.
  7. Data Security & Access Control

    ● All staff accounts require two-factor authentication (2FA).
    ● Role-based access ensures staff can only access data relevant to their duties.
    ● Regular audits of access rights are conducted.
    ● All portable devices (laptops, tablets) are encrypted.

  8. Data Breach Response

    At Romerike International School, a data breach is any incident where personal data is
    accidentally or unlawfully lost, accessed, disclosed, altered, or destroyed. This includes
    situations such as:
    ● Sending student or staff information to the wrong person,
    ● Unauthorized access to records,
    ● Loss of devices containing unencrypted data, or
    ● Data being unavailable due to technical failure or cyberattack.
    All suspected breaches must be reported immediately to the Data Protection Officer.
    In the event of a data breach:
    1. Staff must report immediately to the Data Protection Officer (DPO).
    2. The DPO will assess the breach within 24 hours.
    3. Where required, Datatilsynet will be notified within 72 hours.
    4. Affected individuals will be informed if there is a high risk to their rights.
  9. Children’s Data & Safeguarding

    ● RIS treats children’s data with the highest level of protection.
    ● Photographs/videos are only published with explicit parental consent.
    ● An opt-out register is maintained and circulated to all staff.
    ● When consent is withdrawn, content is removed where feasible.
  10. Third-Party Providers & Data Processors

    Romerike International School permits the use of only approved third-party platforms for
    teaching, learning, communication, and administration. The list of approved platforms is
    maintained by the school’s leadership and reviewed annually.
    ● RIS uses third-party educational platforms listed on Jamf
    ● Each provider signs a Data Processing Agreement (DPA) ensuring GDPR
    compliance.
    ● Data is stored within the EEA unless an adequate transfer mechanism is in place
    (e.g., EU Standard Contractual Clauses).
    ● Annual Audit: All approved platforms will be audited once per year, at the same time
    as the annual data purge, to ensure continued compliance with GDPR and
    Norwegian data protection law.
    ● Unapproved Tools: Teachers and staff may not introduce or use new digital
    platforms, apps, or services involving student or staff data without prior review and
    approval by the school’s Data Protection Officer (DPO) and leadership team.
    ● Staff Responsibilities: Every staff member is responsible for protecting personal
    data when using digital tools. This includes:
    ○ Only sharing information through approved platforms.
    ○ Respecting student and parent consents.
    ○ Reporting any suspected misuse or data breach immediately to the DPO.
  11. Rights of Data Subjects

    Students, parents, guardians, and staff have the right to:
    ● Access their personal data (Subject Access Request).
    ● Rectify inaccurate or incomplete data.
    ● Request erasure (“right to be forgotten”), unless legal obligations apply.
    ● Restrict or object to processing in certain cases.
    ● Data portability (when data is processed based on consent or contract).
    Requests can be made to the DPO (see Section 13).
  12. Transparency & Communication

    ● RIS provides a plain-language summary of this policy for students and parents.
    ● All policy updates are communicated via the school website.
    ● Training sessions are held annually to ensure staff understand their responsibilities.
  13. Contact Information

    Data Protection Officer (DPO):
    Email: sbm@romerikeis.no
    Address: Romerike International School, Melkevegen 3, 2165 Hvam, Norway
  14. Review Cycle

    ● This policy is reviewed annually by the Senior Leadership Team and presented to
    the Board.
    ● Interim reviews may occur after audits or legal changes.