List of active policies
Name | Type | User consent |
---|---|---|
Privacy Notice | Privacy policy | All users |
Summary
Privacy Notice Summary
The INTOSAI Development Initiative (IDI) is committed to protecting your privacy and ensuring compliance with the EU General Data Protection Regulation (GDPR). We collect and process personal data to support Supreme Audit Institutions (SAIs) in capacity development initiatives, online learning, and event management.
This policy outlines what personal data we collect, how we use it, where it is stored, and your rights regarding data privacy. Personal information is handled securely and only shared when necessary for educational, administrative, and operational purposes.
For more details, please refer to the full Privacy Notice.
Full policy
Privacy Notice
The INTOSAI Development Initiative (IDI) is committed to protecting your privacy. Where we ask you to provide us with any information by which you can be identified, you can be assured that it will only be used in accordance with this privacy statement, and in line with EU General Data Protection Regulation 2016/679 (“GDPR”).
Who we are and how to contact us?
IDI is a non-profit organisation based in Norway. We support Supreme Audit Institutions in developing countries to sustainably enhance their performance and capacities. In our engagement with you, we are responsible for the usage of your personal data. If you have any questions, please feel free to send an e-mail to Jianhua Qian, Senior Coordinator with GDPR Compliance Responsibility: jianhua.qian@idi.no
Why and what personal data we collect from you?
In short, IDI collects your personal data in order to meet our goals in supporting SAIs with performance development and capacity building. Your personal data is collected when you interact with us, including our capacity building initiatives, recruitment process, website and other communications.
Personal data collected for most of the purposes:
- Name, gender (for reporting purpose)
- Country, SAI/organisation, e-mail address
Personal data collected for initiatives with qualification requirements:
- Educational background
- Working experience
In addition to the above, some personal data is collected based on a specific purpose:
Onsite events – for travel, accommodation and meeting arrangements
- Language
- Job title
- Date of birth
- mobile phone numbers (for airport pickups and air ticket booking)
- departure city/arrival city
- food restrictions (for meals arrangement)
- special needs, if there are, due to disabilities
- next of kin contact details
- banking details (only when you are entitled to reimbursements or any other fees)
- itineraries/air tickets
- hotel check in/out information
eLearning courses – for IDI LMS IDI Learning Management System
- Username
- Users logs
- Assignments you submit
- Discussion forum records
Webinars, online meetings and other online synchronous activities
- Audio
- Video
*Normally all webinars are recorded and shared publicly. Please note that if you have been sharing your audio or video during the sessions, such data will be collected.
Publications: articles, training materials, GPGs, reports
- photos taken during events
Archiving, future communications, collaboration, analytics and evaluation
- name, organisation, gender, job title, phone numbers, e-mail addresses
- photos taken during onsite events
- result of tests *
- eLearning course grades, completion rate *
- record of certificates/diplomas *
- course/event attendance history, incl. role in attended events, attendance mode, names, dates, locations of events.
- Opt-in preferences
- Feedback and surveys
- Communications through e-mails and letters
*By collecting and storing the above information, we can maintain a comprehensive database of past and potential attendees, enabling targeted communication and informed decision making for future events.
Recruitment Process
- Date of birth
- Physical address
- Answers to questions in job application form
- CV
- Cover letter
- References
- Certificates/diplomas
Website
When you visit our website, some information is automatically collected by Cookies, details see ‘’Cookies’’ section.
Communications
When you contact us by e-mail, phone call or via social media account, your contact information revealed will also be automatically collected.
Where do we store your personal data?
We use Microsoft office 365 cloud solution for data storage. All data collected by us are stored in Microsoft data centers within EU.
https://privacy.microsoft.com/en-gb/privacystatement
What are the lawful basis for our processing?
We process your personal data based on legitimate interests, performance of a contract, compliance with a legal obligation and consent.
For example, in order to admit you into an capacity building initiative/a training event, or during a recruitment process, we process your contact information, educational background, working experience etc.. This is our legitimate interest.
We process your contact information, account details in order to sign and fulfill a contract. This is based on ‘performance of a contract’ lawful base.
We keep the payment transaction record for a longer period of time, this is based on a legal obligation. (see ‘’How long do we keep your personal data?’’)
We may also ask you for your consent to process some of your personal data. For instance:
Whether it is OK to keep your personal data for archiving, future communications, collaboration, analytics and evaluation purpose for as long as our organisation exists.
Our lawful basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which it is collected.
How do we collect the personal data from you?
We collect your personal data through the following channels:
- Online registration forms (Google Forms, Microsoft Forms, Zoom and other online tools)
- Nominations from your Supreme Audit Institution (SAI) via e-mail or other means
Who has access to your personal data?
- Various Initiatives
To the minimum extent, we share your personal data with various suppliers and partners for different purposes. E-mails containing personal data are encrypted. All parties are obligated to keep your personal data confidential and are subject to appropriate safeguards to prevent from unauthorised disclosure.
Service providers for onsite events
In terms of onsite events, your relevant personal data (details see “onsite events”) may be shared with our travel agency, hotels, airport transportation companies and host SAIs/cooperation partners to arrange for your travel, accommodation and meals.
Travel agency – we mainly use G Travel to book your air travels. Here is their privacy policy: https://gtravel.no/eng/privacy-statement/
Personal data shared with the travel agency is: name, gender, birth date, mobile phone number with country code, e-mail address, travel schedule, departure and arrival places, food restrictions and special needs due to disabilities. Sometimes passport copies are also shared if your name is too long for the ticket booking system.
Hotels – we only share what is necessary to make sure your stay is comfortable, such as your name, gender, airport arrival/departure date and time, food restrictions and special needs due to disabilities.
Airport transportation companies – most of the time this is handled by hotels, but in some cases, we may hire a separate company to do this. Personal information shared: Name, gender, airport arrival/departure date and time.
Host SAIs/cooperation partners– meaning the supreme audit institutions who host our events. We share what is needed with host SAIs/cooperation partners, depending on the areas they will be supporting and involved.
Your organization
As you are, as a participant, normally attending IDI initiatives on behalf of your organization or on nomination by your organization, participation status to an onsite event or an online course, as well as test results, may be shared with your organization, and if necessary, with regional secretariats as well.
IDI LMS (Learning Management System)
The software used by IDI for its Learning Management System (LMS) which including eLearning courses and other Digital Education Initiatives is based in Moodle Workplace 4.1 Moodle is an open source LMS, here is their privacy policy: https://moodle.com/privacy-notice/
The IDI LMS mobile app available for free for android and apple devices is based on Moodle Mobile Application. Moodle Mobile application does not collect or process any personal data. https://stats.moodle.org/mod/page/view.php?id=32
IDI LMS is hosted in Sweden using Amazon Web Services (AWS), which has also committed to GDPR. All personal data hosted in AWS is encrypted.
IDI website
The software used by IDI for its website is Joomla. Joomla is an open source Content Management System (CMS). Joomla has incorporated the very latest Version 3.9 to provide users with a ‘Privacy Tool Suite’, which indicates its compliance with GDPR: https://www.joomla.org/about-joomla/the-project/media-and-press-contact/5750-joomla-3-9-s-privacy-tools-drive-gdpr-and-regulatory-compliance.html
IDI website
IDI website is hosted by Surpasshosting.com, which has its servers located in USA. Its privacy policy can be found here: https://www.surpasshosting.com/privacy-policy.php
The IDI CMS does not store personal information other than from the IDI staff who have administrator’s rights over the website and its external web developer (full name, email, username and password).
The navigation inside the webpage does not require any authentication. Some content could be protected by using a generic password.
IDI staff remote access
When IDI staff travel or work in another country, your personal information may be accessed from ‘’third countries’’ (countries which are not covered by GDPR). However, secured log in and data handling process is followed.
Meeting participants
Participants lists are normally shared among people who attend the same meeting/workshop (incl. online meeting/workshop). Such lists normally include your name, country, organization and e-mail address.
In event like webinars, participants list is shared with speakers if they ask for it.
Reports
We report on aggregated data such as number of people attending our events/initiatives per gender, role in events/initiatives, organization type and region.
- Recruitment Process
When you apply for a position in IDI, following groups of staff will have access to your information:
- Human Resource Department
- Staff who are involved in your recruitment process
If you have a protected identity, please contact the person listed in the ad. You should also be careful about what information you share in the application. Please only provide information that is relevant to the position in question.
How do we use Cookies?
The use of cookies is common practice on modern websites. A cookie is a small text file which is placed on your computer’s hard drive by a website. When you visit our website, your browser checks to see if it has any cookies for it and sends the information contained in those cookies back to the site in order to tailor and improve your experience.
We use Google Analytics cookies to collect anonymous usage and visitor behaviour information – this includes:
- IP address (IP Anonymization applied)
- operating system
- browser type
- pages visited
- links you click on
For instance, in order to provide you with an optimal learning experience, our LMS system requires that cookies are enabled in the web browser. Our cookies record information such as whether you are currently logged into your LMS account, to ensure you’re given the right access on each page. They make sure the display settings you’ve selected before, or the settings associated with your account permissions, are activated correctly. They also record how long since the last time you accessed our online course/working space. For more information regarding cookies for LMS system, please refer to https://moodle.com/cookies-policy/ .
Our LMS mobile app uses Google Analytics for Firebase which is a free app analytics solution that provides insight on app usage and user engagement. Google Analytics for Firebase has successfully completed the ISO 27001 evaluation process. https://firebase.google.com/support/privacy. In this case, some usage data is sent to Google servers, but no personal data is included (by "personal," we refer to data that can be used to identify an individual, such as an email address). The app does not send any user information to Firebase Analytics, only usage statistics.
More information about the Privacy Notice for the Moodle Mobile Application is available at:
https://stats.moodle.org/mod/page/view.php?id=32
How to refuse cookies
You can use your browser settings to disable cookies. Different browsers offer different levels of control – for example you may be able to accept certain cookies and reject others, such as third-party cookies.
If you refuse cookies, please be aware that certain features of our website may not function properly without the aid of cookies.
You can delete the cookies stored on your computer at any time.
Security of your personal data
We have implemented appropriate controls to protect your personal data against unauthorised access or accidental loss.
How long do we keep your personal data?
We do not keep your information for longer than necessary.
Retention period of your personal data depends on data type and purpose of collectionSensitive personal data such as food restrictions and handicap needs, is deleted after events. Passport copies are also deleted once the indicated needs are fulfilled.
Whenever you withdraw your consent or request to be forgotten by uswe will delete your personal data.
IDI will regularly delete users who have not been active in IDI LMS for more than two years.
In the meantime, users can also remove their own personal data by deleting their user account at any time. LMS users who want to delete their account can do so by going to their profile, selecting Settings, and finally choosing the Delete My Account option.
Documents and records stored in IDI financial system follow the Norwegian State Regulations in Financial Management. They are to be stored for 3 years and 6 months to 10 years after the end of the financial year, depending on the nature of the documents. (source: https://www.regjeringen.no/globalassets/upload/fin/vedlegg/okstyring/reglement_for_okonomistyring_i_staten.pdf )
However, personal data collected for “ archiving, future communications, collaboration, analytics and evaluation” purpose will be stored for as long as our organisation exists. Proper security measures will be taken to ensure the safety of your data.Personal data collected during a recruitment process: all personal data will be deleted from IDI database within 12 months after your last application.We keep your information up to date
We want to make sure that any personal information we hold about you is accurate and up to date. Please contact us to correct or remove information you think is inaccurate.
Your rights related to the personal data we collect
You can contact our Senior Coordinator with GDPR Compliance Responsibilities with regard to the following rights over your personal data:
- Right to be informed: you have the right to be told how your personal data will be used. This Notice is intended to provide you with a clear and transparent description of how your personal data may be used.
- Right of access: you can write to us to ask for confirmation of what information we hold on you and to request a copy of your own information.
- Right to rectification: you have the right to ask us to update inaccurate personal data on you. You can also ask us to check the personal data that we hold about you if you are unsure whether it is up to date or not.
- Right to erasure: at your request we will delete your personal data from our records as far as we don't have an overriding legitimate reason for holding on to it (e.g. to comply with a legal obligation).
- Right to restrict processing: you have the right to ask us to restrict the processing of your personal data if there is disagreement about its accuracy or whether our use is legitimate or not.
- Right to data portability: you have the right to receive the personal data concerning yourself, which you have provided to us, and to transmit those data to another organisation without hindrance from us.
- Right to object: you have the right to object to processing of your personal data at any time as long as we have no compelling legitimate grounds we can rely on to continue with that processing.
When making any of these requests, we may need information from you to help us confirm your identity.
Other websites
Our website contains links to other websites which are not run by IDI. This privacy notice only applies to IDI website. Therefore when you link to other websites, we advise you to read their own privacy policies.
Where to complain
We work to high standards when it comes to processing your personal information. If you would like to send a complaint to Norwegian Data Protection Authority, who oversees personal data protection in the country, please write to postkasse@datatilsynet.no .
Changes to our privacy notice
We review our privacy notice regularly and we will place any updates on this web page. This privacy notice was last updated on 27 February 2025.