Privacy Policy for the Norwegian Meteorological Institute

Data Controller

The CEO of the Norwegian Meteorological Institute (MET) has the overall responsibility for MET's processing of personal data. The daily follow-up of each service is delegated to the division responsible for the service. 

When does the Norwegian Meteorological Institute collect personal data?

The primary purpose of MET's processing of personal data is to better accommodate our users and partners' experiences when contacting the institute or using our digital services. We mainly process information you have provided to us for one of the following reasons:

• You have accessed weather and climate information on one of our websites or through our APIs.
• You have contacted us with questions about climate and weather.
• You have sent us a complaint.
• You have requested access under the Norwegian Freedom of information Act.
• You are a user of Værio or Luna.
• You have registered for a course or seminar.
• You have applied for a job with us.
• You are visiting our premises.

We also receive information indirectly for the following reasons:

• An employee has listed you as a next of kin.
• A job applicant has listed you as a reference.
• You are listed as a contact person in an agreement where MET is a party.
• You are part of a project, reference group, or similar collaboration with MET.

We encourage everyone not to use post@met.no for sending sensitive personal data to us.

Contact Information

Privacy Officer at the Norwegian Meteorological Institute

• Email: post@met.no
• Phone: 22 96 30 00
• Postal Address: PO Box 43 Blindern, 0313 Oslo

Processing of personal data on met.no

Our Communications Manager is responsible for processing personal data for the website. The website is operated by Enonic. A data processing agreement between MET and Enonic regulates what information the provider has access to and how it should be processed.

Cookies

MET collects information about visitors on some of our websites. Cookies are used to improve the user experience and optimize the websites.

We differentiate between necessary cookies, which ensure basic functions like navigation and access to secure areas of the website. The websites cannot function optimally without these cookies, and they cannot be turned off.

We also use cookies to collect anonymized statistics to help us understand how you, as a visitor, use our website, so we can improve our sites. For websites that use such cookies, they can be opted out of.

Traffic Logs

Network traffic in and out of MET's network is logged by various infrastructure such as firewalls, DNS servers, VPN, Wi-Fi, log servers, and authentication services. The logs may contain information that can be linked to individuals, such as IP addresses. The purpose of the logs is to prevent misuse of MET's services and manage data attacks. MET shares such information with certain Norwegian authorities in anonymized form to prevent data attacks or other undesirable behavior.

Email Lists

Email lists are used for information about services, events, changes, or feedback, and not for advertising. Your address will not be used for any other purpose. The legal basis for processing is "consent." You can unsubscribe from the list whenever you wish. See also the section "Processing of Personal Data for Inquiries to MET." MET has entered into necessary data processing agreements with external providers

Course Registration and Information about Completed Courses

MET uses the tool LetsReg.no for registration and payment for courses organized by us. Here, names, organization, phone numbers, email addresses, and possibly job titles and dietary preferences are recorded. Data not covered by accounting obligations are deleted after 6 months. In some cases, Google Forms are used as a tool for course registration. Information about completed courses is stored in MET's archive system and is retained for the lifetime of the service.

Processing of Personal Data on Our Websites

This applies to the websites api.met.no, arcticdata.met.no, arctic-rcc.org, drifty.met.no, frost.met.no, klimaservicesenteret.no, thredds.met.no, wiki.met.no, værio.no, luna.met.no, and other websites for research projects. The system owner for each service is responsible for processing personal data for that service. 

The legal basis for processing is consent from the individual who wishes to use the service. To access certain services, users may be required to provide an email address and, in some cases, their name, title, and phone number to create a user account with a password. In some of these services, user information is retrieved from other external actors (such as ID-porten, Vipps, and Microsoft). In these cases, the password is stored with the external actor. Logging into these services is necessary to ensure stable and fast access for all users, enable efficient use of the service, and control access to data that is not openly available to everyone.

The email address will be used to contact users with information about the service, maintenance, and changes. The information is stored for the lifetime of the service unless otherwise specified.

MET logs the use of these services, including the user’s IP address. See the sections on Cookies and Traffic Logging. The purpose of logging usage is to detect unwanted activities, troubleshoot, and prepare statistics that we use to improve and further develop the services. Examples of what the statistics reveal include the number of requests for various data or products and response times. Usage statistics are anonymized and are not disclosed by MET to other parties.

IP addresses may also be used for traffic management.

MET also operates several websites for research projects we lead or participate in. In some cases, it is necessary to create a user to access data. The project leader is the data controller.

MET operates websites with meteorological data that do not require login. For such websites, IP addresses are stored for up to 90 days. This information is used to ensure capacity in line with usage demands and to detect data attacks or other operational issues.

Information collected in connection with the operation of the websites is stored on servers operated by MET. There is one exception: for drifty.met.no, data is stored in Microsoft Azure. A data processing agreement between MET and Microsoft regulates what information the provider has access to and how it should be processed. The information is stored on servers in Europe.

Processing of Personal Data in Recruitment Tools

The system owner is responsible for processing personal data for the recruitment tool. The legal basis for processing is consent from the individual who wishes to apply for a position at MET. JobbNorge is our provider of the recruitment tool. A separate data processing agreement between MET and JobbNorge regulates what information the provider has access to and how it is processed.

Applications are deleted after 120 days. Job applications are not  registered in the public electronic post journal (archive), except for the person who is hired. Other documents, such as the list of applicants and recommendations, are retained. Journal information is not deleted but is restricted in the public electronic post journal (i.e., the applicant's name does not appear).

Processing of Personal Data in Case Processing and Archives

MET uses the Elements as our electronic archive (MET’s public electronic post journal) and case processing system from the provider Sikri AS. Sikri AS is our operations provider and data processor for Elements. A data processing agreement between MET and Sikri AS regulates what information the provider has access to and how it should be processed. The archive manager has delegated system responsibility and is responsible for the archive function, ensuring that necessary updated procedures are available and offering training in the use of the system and procedures. Respective department directors follow up to ensure that actual case processing complies with the procedures.

MET processes personal data to fulfill statutory tasks under the Personal Data Act, the Public Administration Act, the Freedom of Information Act, and the Archives Act.

MET's document center is located at the Norwegian Environment Agency. When contacting the document center, the information is stored in the Environment Agency's ticket system, Topdesk. MET uses the same ticket system as the Environment Agency for its own case handling for incident follow-up. The Environment Agency and MET have entered into a data processing agreement with the relevant provider.

Various types of personal data are registered in the archive and case processing system. This includes information such as name, address, phone number, and email address (metadata). Case documents may also contain sensitive personal data, such as health information. In the case of access requests, any personal data is disclosed in accordance with the Personal Data Act, the Freedom of Information Act, and the Public Administration Act.

MET is required to make its public post journals accessible to the public. A journal is a systematic and continuous registration of all incoming and outgoing case documents. These journals are made available at www.met.no.

Video Surveillance on MET's Property

Video surveillance is installed on MET's property in Oslo. This is marked according to the current regulations. The system owner is responsible for processing personal data from the surveillance. The purpose of video surveillance is to protect MET's assets on the property and ensure the general safety of MET's employees. Recordings are stored on servers operated by MET and are deleted after 7 days.

Visits to MET's Premises

All visitors to MET's premises are registered. In some locations, this is done by signing a visitor log, while in others, it is recorded in our electronic visitor register, Visitor. The systems retain information such as names, company, and who you are visiting. The purpose of visitor registration is to protect MET's assets. The electronic visitor register, Visitor, deletes data annually.

Inquiries to MET

MET receives inquiries via email and phone. If follow-up is needed, information related to the inquiry is logged in ticket systems, case processing systems, or similar, often in an unstructured form. The system owner for each service is responsible for processing personal data for that service. 

We urge you not to send confidential, sensitive, or other private information via email.

MET uses Google Workspace as an email and collaboration tool. A data processing agreement between MET and Google regulates what information the provider has access to and how it is processed. Transfer to third countries is managed through an agreement on the transfer of information to third countries (MCC) with Google. The information is primarily stored on servers in Europe.

Yr.no

Yr.no is a collaboration between NRK and MET. NRK is responsible for the frontend. For information regarding privacy on yr.no, please refer to NRK's privacy page.

Consultants, Guest Researchers, Partners, and Observers

All guest researchers (including students), consultants, partners, and weather observers are registered in our personnel system SAP, provided by the Directorate for Administration and Financial Management (DFØ), and in our central access register RI, provided by SIKT, regardless of whether you are granted IT access to MET's internal systems. Here, names, personal identification numbers/D-numbers, phone numbers, and email addresses are registered.

All agreements/contracts are stored in our archival solution, Elements, provided by Sikri AS.(see above) If the agreement is entered through our competitive system, names of contract partners/providers can be found both in our archival system, Elements, and in our procurement system, Mercell. Your name and phone number may appear unstructured in documents related to tasks carried out for MET. Our collaboration platform is Google Workspace.

Observers and Inspection Personnel

All observers are additionally registered in our crisis and alert system Metcim. Here, contact information such as phone number, name, position, residence, email address, and possibly where you are employed is stored. The provider for METCIM is F24. A data processing agreement between MET and the provider regulates what information the provider has access to and how it is processed. Stinfosys is operated by MET itself, and the data is located on our premises.

The observation station database Stinfosys contains the position (GPS coordinates) and equipment list belonging to the station, contact info for the station owner and maintenance personnel, as well as a history of submitted observations. The data is stored at MET.

Kro.met.no is used by MET's administrators of the observation network. Here, information about events in the observation network is recorded. This information is unstructured, meaning sensitive personal data may occur even though procedures indicate this should not be registered. The inquiries are logged by MET's technical personnel and observation network administrators. The data is stored at MET.

Rettinn.met.no is used by MET's technical personnel related to the observation network. Here, images and documents, including agreements linked to the stations, are recorded. The information is stored in MET's central file archive internally at MET.

Guest Researcher

By guest researcher, we mean Master's and PhD students, partners, retirees, and similar individuals who have agreements for access to MET. As a guest researcher, you are treated the same as consultants.

Consultant with Access to MET's Systems and Buildings

Many consultants at MET have access to MET's systems and buildings. As soon as you gain access to our systems, you will receive a user identification (ID) from us. The ID will be created through our central access register, Rapid Identity, and in our identity registers, local AD, local LDAP, and FEIDE, provided by SIKT. You use SIKT's FEIDE solution to set and change passwords. If you use your own equipment, you will use VPN to access MET's solutions. MET uses security logs in connection with the use of all our services. Here, usernames, timestamps, and IP addresses will be recorded.

If you, as a consultant, will work with collaboration and documents in any form, you will also receive an email account. This is provided by Google. In these cases, the privacy policy for employees applies. This will be presented to you at the start of the assignment in connection with setting the password for your account.

Your Rights

You have the right to basic information about the processing of personal data in an organization. MET has provided this information in this declaration and will refer to it for any inquiries. If you are registered as a user in one of our services, you have the right to access your own information. You have the right to correct and delete personal data. Even if you have previously consented to the storage of personal data, you have the right to change your mind. You have the right to complain to the Data Protection Authority if you believe the processing is in violation of the regulations.

The privacy policy will be updated as needed.