Policy for data ethics

Introduction

Data ethics policy for NIRAS Group and its subsidiaries

This Data ethic policy describes how NIRAS Group and its subsidiaries (“NIRAS, we, us”), complies with data ethics.

For NIRAS, it is a key parameter in running our business that our partners can trust us and be confident in our handling of data. Therefore we are dedicated to protecting data in three ways.

1) NIRAS has a strong focus on assessing risks, addressing them through pertinent measures, and thereby maintaining a high level of information security.

2) NIRAS has a strong focus on always complying with the rules of personal data laws and users' rights when processing data.

3) NIRAS has established internal ethical rules, when processing, in order to ensure that we maintain the trust that our partners have put in us, both from an individual perspective and from the perspective of society at large.  

This policy applies to all processing operations in NIRAS. Furthermore, the policy also applies to the processing of data of selected partners, to the extent that we can exercise any influence over them. Finally, the policy also applies to all technologies and processes that are under the influence of NIRAS.

Ethical principles of data

The following principles form the basis for NIRAS' responsible processing of data and complement the security and personal data law measures we already comply with:

Dedication to data ethics

The Management has appointed a data ethics officer and a panel has been set up to make data ethics assessments.

The Management takes the lead and helps to ensure that the principles are integrated into the daily work.

The Management also ensures that a data ethics policy has been developed and approved and that it is balanced against the other interests of NIRAS.

Responsibility for the data process

NIRAS takes responsibility for the processing of data. Therefore ensures that the processing of partners' data is only done, when necessary and for clearly defined purposes.

The data is in accordance with laws, regulations and conventions in order to minimize the risks of unintended consequences from the use of data.

Guidelines and control of third-party data processing

It must be ensured that IT suppliers act under instruction and have the right security level for processing the data.

The IT-suppliers are dedicated to ensuring ethical handling of data, and that they have a data ethics policy themselves.

As a rule, data is not sold and disclosed unless required.

The use of new IT suppliers must be assessed based on these data ethics principles.

Value, transparency, and security for clients

Data is used to create value for customers, so that they in the most efficient manner get access to the right solutions.

Transparency is designed into the solution, and thereby the customers have access to data about themselves, as well as information about the processing that is being carried out.

The customers can be confident that their data is protected in the best possible manner.

Assessments are carried out as to whether there might be any negative consequences (e.g. monitoring, exclusion, or stigma) ,for customers when new processing of personal data is initiated – including when new technologies are being used.

Employees are trained and the data processing is checked

All relevant employees are obligated to receive training in data ethics annually.

Revision

This policy is reviewed and approved at least annually by NIRAS' management.

Compliance with the policy is assessed in the form of management-approved controls. The policy forms the basis of the data ethics statement in connection with the management's report in the annual report.