
Office Store and Add-ins

Office Store is a place where you can find many add-ins for various Microsoft products (Outlook, Word, Excel, PowerPoint, Teams, etc.). Many of the add-ins are made by third-party companies, and when used, an add-in will have various rights to USN content. Due to the Personal Data Act (GDPR), USN cannot allow USN user accounts to be used freely with every add-in in the Office Store, and access to the Office Store is therefore closed.

Rights required by Office Store add-ons

An example of an add-on is "Grammarly for Microsoft Word". This is an add-in that many people probably find useful. It can help with spelling and grammar in Word.

If you look at the information about the add-in, it says the following:


--- quote ---
Add-in capabilities
When this add-in is used, it

  • Can read and make changes to your document
  • Can send data over the Internet

--- end of quote ---

Each add-in therefore needs different kinds of rights. In this case, we see that the Grammarly add-on needs rights to see everything you write in the documents you have open in Word, and to make changes to the document. This is logical, since it is a spell-check add-in.

Other add-ins also require various rights. These may be rights to content in the USN mailbox / calendar, or rights to read content in the USN OneDrive folder.

The Personal Data Act

Excerpt from https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/om-personopplysningsloven-og-nar-den-gjelder/, in English: "The Personal Data Act is about the processing - i.e. collection and use - of personal information."

Personal information is further defined as "all information and assessments that can be linked to you as an individual" (https://www.datatilsynet.no/rettigheter-og-plikter/personopplysninger/).

Personal information may be in USN mailboxes / calendars, and also in USN OneDrive folders. When editing a Word document, it is also conceivable that personal information is written or inserted. The USN username itself can also be considered personal information, since it can be linked to a single person.

This triggers the need to comply with the Personal Data Act.

Datatilsynet has published a lot of good information on this. On the website https://www.datatilsynet.no/rettigheter-og-plikter/personvernprinsippene/ you can read about the privacy principles that form the basis of the Personal Data Act.

Data minimization

One of the sections on Datatilsynet's website on privacy principles deals with data minimization. It states that "The principle of data minimization means limiting the amount of personal data collected to what is necessary to realize the purpose of the collection. If personal data is not necessary to achieve the purpose, it should not be collected."

It is thus a matter of collecting / storing as little personal information as possible in order to achieve a defined purpose. You then also have to look at what kind of purpose you want to achieve, and which services you may already have. If, for example, the purpose is to be able to communicate within USN and with the rest of the world by email, you do not need to have two email services.

Should access to an Office Store add-on be opened?

If you wish to use an add-in that covers a purpose not covered by any of the other add-ins USN already uses, we may consider opening access to the desired add-in. In that case, a process must be carried out, which among other things involves the following:

Need

The need should be such that it is appropriate for USN to use the add-in. Preferably, several people (employees or students) should have this need.

The right add-in for the purpose?

It should be investigated whether there are other add-ins covering the same purpose that may be better suited.

Privacy implications

USN is obliged to assess the privacy consequences of using the add-in.

Risk assessment

USN is also obliged to carry out a risk assessment before personal data is processed and before an information system is used. This is to assess whether the personal information and other information assets can be handled in a satisfactory manner.

Data Processor Agreement

All companies that use a subcontractor have a duty to have a data processor agreement. A data processor agreement shall ensure that personal data is processed in accordance with laws and regulations, and determines how the data processor may process the information.

If an Office Store add-on is to be used together with a USN user account and thus automatically stores some information, where some of the information can be considered personal information, then USN must have a data processor agreement with the company responsible for the relevant add-on.

Where in the world is the data stored?

... and can they be stored there?

GDPR sets requirements for a transfer basis for the transfer of personal data to countries outside the EU / EEA (third countries). The transfer basis shall ensure that the personal data will have the same protection if they are transferred to a third country. (Source: https://www.youtube.com/watch?v=iCOIExqilA8).

The so-called "Schrems I judgment" from 2015, and the "Schrems II judgment" from 2020 mean that both the "Safe Harbor" and "Privacy Shield" agreements that the EU / EEA had with the USA are no longer valid.

These rulings make it very demanding for USN to be able to use new services where the data is stored outside the EU / EEA.

 

For those interested (in Norwegian):