We recommend that you upgrade to the latest version of your browser.

Privacy Policy Refapp

Helse Nord uses the digital solution Refapp to collect references from job seekers and to plan the execution of reference interviews. This privacy statement provides information about the personal data we collect, how the information is processed, and what rights you have under data protection legislation.

Follow the link to Privacy to find contact information and more details about privacy at SKDE.

Who is responsible for the personal data collected in Refapp?

The company that has advertised the relevant position is the data controller and is responsible for complying with data protection regulations.

The companies have also appointed their own data protection officers whose role is to provide advice and guidance on data protection regulations, and who can assist you if you have questions about privacy.

Purpose and basis for processing personal data in Refapp

In the public sector, employers are obliged to hire the applicant who is best qualified for the position. This is referred to as the qualification principle. Interviews and reference checks are part of the manager's assessment in the hiring process.

What is recorded when we use Refapp in the reference check process?

  • The job applicant's name, email address, and phone number are sent from Webcruiter to Refapp. The job applicant then receives an SMS and email inviting them to complete a reference form in Refapp.

  • The job applicant fills out a form in Refapp with contact information for their references (name, mobile number, and email address) and the relationship the applicant has with the reference. The form will also include the job applicant's name and the title of the relevant position.

  • The references receive an SMS and email inviting them to a questionnaire in Refapp. They can then request a telephone interview or respond to the questionnaire digitally.

  • The following information about the reference is processed when the reference interview form is filled out and submitted: Name, mobile number, and email address. References can choose to verify their identity using Vipps. This is voluntary. We will then retrieve the name and email address from Vipps.

  • The following information about the job applicant is processed when the reference interview form is filled out and submitted: The job applicant's name, relationship to the references, and title of the relevant position. Additionally, the references' responses to questions about the job applicant in the questionnaire will be recorded.

  • The questionnaire contains only questions that are relevant for assessing candidates in a recruitment process. This means that the amount of collected information is limited to what is necessary to achieve the purpose of the collection. We do not ask for information of a special category (sensitive personal data).

  • When the questionnaire for the references is completed, an email is sent to the case handler with a link to a report showing the responses from the job applicant and the responses from the references. Only the case handler for the relevant position has access to the report.

  • The basis for processing personal data about the job applicant in connection with the reference check is the General Data Protection Regulation (GDPR) Article 6(1)(b). The regulation allows the employer to process personal data when it is necessary to take steps at the request of the job applicant prior to entering into a potential employment contract.

  • The basis for processing personal data about the reference is GDPR Article 6(1)(f). The regulation allows the employer to process personal data that is necessary to pursue a legitimate interest – to find the right candidate for the position. The same basis applies if the reference chooses to verify their identity using Vipps.

How long will your personal data be stored?

The personal data collected in the reference process will be retained for as long as the case processing is ongoing, and up to 24 months after the recruitment/reference process has started, to ensure that no application information is deleted before the process is completed and concluded. Deletion will then be carried out automatically.

You can request that your data be deleted earlier by contacting the company that has advertised the position.

Your rights

You have several rights under data protection regulations that you can request to be fulfilled, as described below.

You can exercise your rights by contacting the company that has advertised the relevant position. You are entitled to a response without undue delay and no later than within 30 days.

  • Access to your own information: You can request access to your personal data and obtain a copy of all information about you that we process.
  • Correction of personal data: You can ask us to correct or supplement information that is incorrect or misleading.
  • Deletion of personal data: In certain situations, you can request that we delete information about yourself.
  • Restriction of processing of personal data: In certain situations, you can request that we restrict the processing of information about you.
  • Object to the processing of personal data: If we process information about you based on our tasks or on the basis of a balancing of interests, you have the right to object to how we process information about you.
  • Data portability: If we process information about you based on consent or a contract, you can request that we transfer information about you to you or to another data controller.

You can read more about your rights on the information pages of the Data Protection Authority.

Information security and data processors

The companies currently have an ICT operational model where Health North ICT operates a large part of the systems, but we have also entrusted the operation of certain systems to external parties. Refapp is a system operated by external parties. Health North ICT and Talentech AS are data processors. All information is stored encrypted with the highest security. All processing is carried out within the EU, which has the same protection for the processing of personal data as in Norway.

We comply with data protection legislation and the norm for information security and privacy in health and care services, and work systematically to ensure that personal data is processed in a manner that meets the requirements for confidentiality, integrity, availability, and robustness. The norm is a set of requirements for information security based on legislation.

You can complain about the processing of personal data

We hope you will inform us if you believe we are not following the rules in the Data Protection Act. Contact the data protection officer at the company that has advertised the relevant position.

You also have the right to complain to the Data Protection Authority if you believe we are violating data protection regulations. You can read more about how to file a complaint on the Data Protection Authority's website: Complaint to the Data Protection Authority | Data Protection Authority.

Last updated 2/27/2026