This is a privacy statement and overview for AURORA on what personal information it uses, how it is handled, who is
responsible for the handling and which rights you have and who to contact about your personal information. It also gives you an
overview of what information are stored in cookies, what the aim of that storage is and who is handling that information.
When you use the AURORA-system you accept that cookies are being stored in your browser. If you do not accept this, you have
to adjust the settings of your browser to deny or revoke this acceptance. Please note, that if you do revoke cookies for this site
it will be impossible to use the AURORA web client.
Personal information are all forms of data, information, assessments that can be used to identify you as an individual. It can be
things like an email address, name, phone number, address etc (or any combination of these). The deciding criteria for what is
personal information is if this information can directly or indirectly identify an actual individual.
Cookies are small information packages that are stored by the browsers locally on your computer and can be accessed by the site that
created them. Any kind of information can be stored in a cookie, but these are the purposes of cookie in AURORA:
- To store login information. This is related to who logged in to the AURORA web-client as a random string or id. Because it is a
random identifier it is anonymized in the web browser and locally on the computer, but this information can be used internally on
the AURORA-server to identify who this session information is related to.
- Session information. This is session data (such as search settings, accepting this privacy notification and so on). All of this
information is anonymous and cannot definitely identify any given user or individual (only in combination with the random string or
id mentioned previously).
No information because of these cookies are fed into Google Analytics or similar analytical and/or tracking solutions.
The purpose of storing personal information is because in order for AURORA to do its work it needs to know who has logged into
the system using a universal identifier, which happens to be the users email address. In addition it needs to know the full name
of that email address. Without this information it is impossible to give users access to creating datasets and managing them or
offering any kind of security related features.
The full overview of information used and how are as follows:
- Email address and full name in order to identify individual users in the system and allow for management- and security
related features. Please also note that email and full name are available to any user with access to AURORA, because it is needed to
be so in order to allow for any kind of management. This is also the case for users of AURORA that comes from external entities outside
the organization. The information about the users name and email address are open information inside the system.
- Local login-services' username. AURORA can utilize several forms of login services and one such is the OAuth SSO-scheme. In such
cases it might be that the various login services store information about the user that is related to its user identity on
local systems where the user works or access. This information is tracable to the users email- and full name.
- Textual name or other personal information (such as email) about the user might be stored in a datasets metadata in order to
identify who contributed to it, created it and so on. This is considered fair use within the AURORA-system and it is not something
that the system does as a default. This is up to the administrators and creators of the datasets to define. This information, such
as full name, might also not uniquely identify anyone (eg. many may have the same name) and are not attached to any user accounts
within AURORA itself.
The data in the AURORA-system are stored for the following durations:
- Email and full name are stored as long as the user is using the system, still has a relationship with the organization offering the
AURORA-system and have not requested to be anonymized (please note that complete anonymization might not be possible or required by
the organization). If the user looses his or her relationship with the organization or stops using the AURORA-system (in the case of
no relationship), the account information will be anonymized/wiped within a year afterwards. No user-accounts in AURORA are deleted,
the personal information is removed/anonymized.
- Login- and session information are stored as long as the browser keeps the information updated or the user keeps updating its
content by using the AURORA-system. The server-side session information of AURORA are usually only kept for a couple of weeks until
the server-side cache times out and/or are deleted. Please also note that the server-side session information is anonymized upon
logging out.
- Metadata information about datasets are kept indefinitely because of management-, usage- and statistics purposes, even after the
dataset has been deleted. Please note, however, that as long as the metadata does not contain any personal information, it is not
tracable to any individual user, if the user who created it has had his or her account anonymized. The link between a dataset and a
users account is in the form of a numbered identifier and as soon as the USER-account has been anonymized, it is impossible to know
exactly who created that dataset (barring metadata identifiers). The dataset will, however, be tracable to the AURORA-group where the
dataset was created and if any user in that group remembers who created it, then that is not within the powers of the AURORA-system
and/or its administrators, algorithms, procedures or design to deal with (try calling the MIB).
The legal basis for processing your information in AURORA is the EU GDPR and the Norwegian law based upon the GDPR
(Personopplysningsloven). Of specific support is the Personopplysningsloven §6 and §8, which clearly states that
the processing of personal informations is acceptable as long as necessary for work related functions and/or for research- and
scientific purposes of public interest.
You can contact the AURORA administrators and ask to know which personal information that the system are processing about you,
where they come from and why it has them. You can also ask for a copy of this information. You cannot ask for this same information
about other people than yourself.
If you, after gaining access to your personal information used by AURORA, discover incorrect, incomplete or inaccurate information, you
can ask to have it corrected.
AURORA have procedures for removing user information upon a user ending his or hers relationship to the organization or stops using the
system. However, you can still ask for your information to be deleted. As the user-information is not vital for the long term storage of
the datasets, we will usually accept your information being removed. This entails anonymizing the information stored in the user-account, as
we cannot remove the account itself of design and usage reasons. After anonymizing the account, the datasets that you created cannot any longer
be traced to any personal information within them. Note, however, as we covered in the section "Storage Duration" that some of your personal
information might be stored in the datasets metadata and are considered fair use.
Also if we have the right according to law, or a law denies us to remove this information, or you do not have any substantial reason to demand
the total deletion of personal information (beyond the user account), we can still retain this information within the system.
You can demand that we temporarily suspend the use of your personal information. You can demand this if the information we
have about you is inaccurate or we do not have sufficient reason to process it. We will then stop the processing until we
have investigated your injections.
If the AURORA or the organization processes your personal information based on your
consent or an agreement we have with you, and the treatment is transferred automatically
(eg. that the data is calculated automatically or machines analyze the information), you can
demand that we transfer several of your personal details to you or to a third party.
If you are in a unique situation where the processing of personal information by AURORA creates special challenges to you, you can protest
the processing. If your interests weighs heavier than the usage by the organization, AURORA will not process your personal information
any longer.