6. Summary and conclusion

Digdir has conducted a review of the legal situation and made assessments of the possible privacy implications of using a cloud service provider for the operation of Altinn.

Digdir mostly operates in the role of a data processor in Altinn. The service owners participating in the Altinn cooperation are each data controllers for their services. Therefore, they must make their own assessments for their specific services in Altinn.

However, Digdir is also the data controller for personal data processed in the common functionality of Altinn, and we have accounted for risks and measures related to the processing of these – as well as the processing we do for service owners in the role of data processor.

We have assessed the intelligence risk and the supplier’s standard terms. We have looked at the likelihood and consequence of breaches of information security that would have led to privacy implications. In addition, we have assessed the rights and freedoms of the registered individuals. Especially against the European Convention on Human Rights.

Choosing to use a cloud service provider has some unique risks for information security and privacy, but we have assessed that the risk picture does not change compared to Altinn II, which is operated and managed “on-prem”. There are also many advantages to using a cloud service provider.

Regarding the risks, we have briefly accounted for some selected risk-reducing measures. However, it is important to compare the risks of using a cloud service provider against the risks that arise if one chooses other, and perhaps more local, service providers to operate Altinn. Entities such as the National Security Authority, the Norwegian Police Security Service, the Intelligence Service, and others, publish their threat assessments annually. There, threats are largely attributed to national-supported actors from some identified countries. Digdir’s assessment is that the information security and privacy of the population, after an overall assessment, are better safeguarded with a chosen contractual partner and international cloud service provider associated with a close ally – than the alternatives currently available on the European and Norwegian market.

Digdir will continue to make ongoing assessments of risk, information security, and privacy implications for Altinn. We will stay updated on the threat landscape and the emergence of new technology. And will continue to work for responsible and safe digitization of Norway, in line with directives from the Storting and the Government.