Privacy Notice

The INTOSAI Development Initiative (IDI) is committed to protecting your privacy. Where we ask you to provide us with any information by which you can be identified, you can be assured that it will only be used in accordance with this privacy statement, and in line with EU General Data Protection Regulation 2016/679 (“GDPR”).

IDI is a non-profit organisation based in Norway. We support Supreme Audit Institutions in developing countries to sustainably enhance their performance and capacities. In our engagement with you, we are responsible for the usage of your personal data. If you have any questions, please feel free to send an e-mail to Jianhua Qian, Coordinator with GDPR Compliance Responsibility: [email protected]

In short, IDI collects your personal data in order to meet our goals in supporting SAIs with performance development  and capacity building.

Personal data collected for all initiatives (including programmes, courses, e-learning, learning events and other activities to support SAIs as described):

• Name, gender (for reporting purpose), language, designation
• SAI/organisation, office address, postal code, e-mail address

Personal data collected for initiatives with qualification requirements:

• Educational background
• Working experience

In addition to the above, some personal data is collected based on how a specific event is organised:

Onsite events – for travel, accommodation and meeting arrangements

• passport copy
• mobile phone numbers (airport pickups)
• departure city/arrival city
• food restrictions (for meals arrangement)
• needs of persons with disabilities
• next of kin contact details
• banking details (only when you are entitled to reimbursements)
• itineraries/air tickets
• hotel check in/out information

eLearning courses – for IDI LMS IDI Learning Management System

• Username
• Users logs
• Assignments you submit
• Discussion forum records

Webinars, online meetings and another online synchronous activities

• Audio
• Video

*Normally all webinars are recorded. Please note that if  you have been sharing your audio or video during the sessions, this  data will be collected.

Publications: articles, training materials, GPGs, reports

• photos taken during onsite events

Reporting and archiving

• name, SAI/organisation, gender, e-mail address
• photos taken during onsite events
• result of tests *
• eLearning course grades, completion rate *
• record of certificates/diplomas *
• course/event attendance record

*not in all eLearning courses.

When you contact us by email, letter or on the phone, we may also store such information to help us process your request efficiently.

Where do we store your personal data

We use Microsoft office 365 cloud solution for data storage. All data collected by us are stored in Microsoft data centers within EU.

https://privacy.microsoft.com/en-gb/privacystatement

We process your personal data based on legitimate interests, performance of a contract, compliance with a legal obligation and consent.

For example, in order to admit you into an capacity building initiative/a course, we process your contact information, educational background, working experience etc. This is our legitimate interest.

We process your contact information, account details in order to sign and fulfill a contract. This is based on ‘performance of a contract’ lawful base.

We keep the payment transaction record for a longer period of time, this is based on a legal obligation. (see ‘’How long do we keep your personal data?)

We may also ask you for your consent to process some of your personal data. For instance: - whether it is okay to keep your contact information and attendance record to initiatives/events and for as long as our organisation exists.

Whether it is okay to use photos taken during the events in our communication materials, or food restrictions for conference package arrangements.

We collect your personal data through the following channels:

• Online registration forms (Google Forms, Microsoft Forms, Limesurvey, and other online tools)
• Nominations from your Supreme Audit Institution (SAI) via e-mail or other means

Based on your consent, and to the minimum extent, we share your personal data with various suppliers and partners for different purposes. E-mails containing personal data are encrypted. All parties are obligated to keep your personal data confidential and are subject to appropriate safeguards to prevent from unauthorised disclosure. 

Service Providers for Onsite events

In terms of onsite events, your relevant personal data (details see “onsite events”) may be shared with our travel agency, hotels, airport transportation companies and host SAIs to arrange for your travel, accommodation and meals. 

Travel agency – we mainly use American Express Global Business Travel company  to book your air travels. Here is their privacy policy:  https://privacy.amexgbt.com/statement

Personal data shared with the travel agency is: passport copy, travel schedule, departure and arrival places, food restrictions and special needs due to disabilities. 

Hotels – we only share what is necessary to make sure your stay is comfortable, such as your name, gender, airport arrival/departure date and time, food restrictions and special needs due to disabilities.

Airport transportation companies – most of the time this is handled by hotels, but in some cases, we hire a separate company to do this. Personal information shared: Name, gender, airport arrival/departure date and time. 

Host SAIs – meaning the supreme audit institution that host our events. Normally we share your name, gender/title, job title, name of your office and your e-mail address with host SAI. We may share your airport arrival/departure information, mobile phone number and special needs due to disabilities if airport transportation is arranged by host SAI. We may also share your food restrictions if any meals are arranged by the host SAI. 

Your organization.  As you are, as a participant, normally attending IDI initiatives on behalf of or on nomination by your organization, participation status to an onsite event or an online course, as well as test results, may be shared with your organization, and if necessary, with regional secretariats as well.

 IDI LMS (Learning Management System)

The software used by IDI for its Learning Management System (LMS) which including eLearning courses and other Digital Education Initiatives is based in Moodle 3.11.  Moodle is an open source LMS, here is their privacy policy: https://moodle.com/privacy-notice/

IDI LMS is hosted in Sweden using Amazon Web Services (AWS), which has also committed to GDPR. All personal data hosted in AWS is encrypted.

IDI website

The software used by IDI for its website is Joomla. Joomla is an open source Content Management System (CMS). Joomla has incorporated the very latest Version 3.9 to provide users with a ‘Privacy Tool Suite’, which indicates its compliance with GDPR: https://www.joomla.org/about-joomla/the-project/media-and-press-contact/5750-joomla-3-9-s-privacy-tools-drive-gdpr-and-regulatory-compliance.html

IDI website is hosted by Surpasshosting.com, which has its servers located in USA.  Its privacy policy can be found here: https://www.surpasshosting.com/privacy-policy.php

The IDI CMS does not store personal information other than from the IDI staff who have administrator’s rights over the website and its external web developer (full name, email, username and password).

The navigation inside the webpage does not require any authentication.  Some content could be protected by using a generic password.  

Cooperation partners

In the case of initiatives in cooperation with other INTOSAI bodies or other organisations, we may also share your information with them. Detailed list of information involved depending on the role this organisation has in a particular initiative/event.

The use of cookies is common practice on modern websites. A cookie is a small text file which is placed on your computer’s hard drive by a website. When you visit our website, your browser checks to see if it has any cookies for it and sends the information contained in those cookies back to the site in order to tailor and improve your experience.

We use Google Analytics cookies to collect anonymous usage and visitor behaviour information – this includes:

• IP address (IP Anonymization applied)
• operating system
• browser type
• pages visited
• links you click on

For instance, in order to provide you with an optimal learning experience, our LMS system requires that cookies are enabled in the web browser. Our cookies record information such as whether you are currently logged into your LMS account, to ensure you’re given the right access on each page. They make sure the display settings you’ve selected before, or the settings associated with your account permissions, are activated correctly. They also record how long since the last time you accessed our online course/working space. For more information regarding cookies for LMS system, please refer to o https://moodle.com/cookies-policy/ .

Our LMS mobile app uses Firebase Analytics which is a free app analytics  solution that provides insight on app usage and user engagement. Google Analytics for Firebase has successfully completed the ISO 27001 evaluation process. https://firebase.google.com/support/privacy/

For the purpose of gathering organizational statistics for reporting purpose, in the meantime improve user experience, this app collects following personal data:

• Number of users and sessions
• Session duration
• Operating systems
• Device models
• Locations
• First launches
• App opens
• App updates
• In-app purchases (currently our app does not provide any in-app purchases)

User consent will be asked when you log into our LMS mobile app.

You can use your browser settings to disable cookies. Different browsers offer different levels of control – for example you may be able to accept certain cookies and reject others, such as third-party cookies.

If you refuse cookies, please be aware that  certain features of our website may not function properly without the aid of cookies.

You can delete the cookies stored on your computer at any time.

We have implemented appropriate controls to protect your personal data against unauthorised access or accidental loss.

We do not keep your information for longer than necessary.

Retention period of your personal data depends on the purpose of which information was collected. The specific time span is indicated in each data consent form. Once your personal data is no longer needed, or you withdraw your consent, we will delete your personal data.

IDI will regularly delete users who have not been active in IDI LMS for more than two years.  

In the meantime, users can also remove their own personal data by deleting their user account at any time.  A video tutorial on how to delete user account is available at: https://drive.google.com/file/d/1KVXh8Mm7nUyzWqvDUzYdeVnZ3FMn8Cqq/view

Documents and records stored in IDI financial system follow the Norwegian State Regulations in Financial Management. They are to be stored for 3 years and 6 months to 10 years after the end of the financial year, depending on the nature of the documents. (source: https://www.regjeringen.no/globalassets/upload/fin/vedlegg/okstyring/reglement_for_okonomistyring_i_staten.pdf )

However, personal data collected for “archiving and reporting” purpose will be stored for as long as our organisation exists. Proper security measures will be taken to ensure the safety of your data.

We want to make sure that any personal information we hold about you is accurate and up to date. Please contact us to correct or remove information you think is inaccurate.

You can contact our coordinator with GDPR Compliance Responsibilities with regard to the following rights over your personal data:

• Right to be informed: you have the right to be told how your personal data will be used. This Notice is intended to provide you with a clear and transparent description of how your personal data may be used.

• Right of access: you can write to us to ask for confirmation of what information we hold on you and to request a copy of your own information. 

• Right to rectification: you have the right to ask us to update inaccurate personal data on you. You can also ask us to check the personal data that we hold about you if you are unsure whether it is up to date or not.

• Right to erasure: at your request we will delete your personal data from our records as far as we don't have an overriding legitimate reason for holding on to it (e.g. to comply with a legal obligation).

• Right to restrict processing: you have the right to ask us to restrict the processing of your personal data if there is disagreement about its accuracy or whether our use is legitimate or not.

• Right to data portability: you have the right to receive the personal data concerning yourself, which you have provided to us, and to transmit those data to another organisation without hindrance from us.

• Right to object: you have the right to object to processing at any time as long as we are processing your personal information on the basis of the legitimate interests ground and we have no compelling reason we can demonstrate to continue with that processing.

When making any of these requests, we may need information from you to help us confirm your identity.

Our website contains links to other websites which are not run by IDI. This privacy notice only applies to IDI website. Therefore when you link to other websites, we advise you to read their own privacy policies.

We work to high standards when it comes to processing your personal information. If you would like to send a complaint to Norwegian Data Protection Authority, who oversee personal data protection in the country, please write to [email protected] .

We review our privacy notice regularly and we will place any updates on this web page. This privacy notice was last updated on 1 February 2023.