Last modified: Apr 22, 2024

1. Introduction

1.1 About the Assessment of Data Protection Impacts

As Digdir interprets documents from the European Data Protection Board (EDPB), it often appears necessary to conduct a Data Protection Impact Assessment (DPIA) when transitioning to the cloud due to «…the possible sensitive nature and large amounts of data processed by public bodies…»1. Therefore, Digdir has chosen to carry out a DPIA due to the shift from a local operational provider in Norway to an international cloud service provider.

The focus of this DPIA is the assessment of data protection impacts related to transitioning to a cloud service provider for the operation of Altinn 3 and mainly concerns what changes in terms of processing, risk and vulnerability assessments, necessary measures, etc., by moving the operation of Altinn to an international cloud service provider.

The work with the DPIA is a continuous process. There will be a need for continuous updates and changes to the DPIA for Altinn, for example, due to regulatory changes, new products being developed, etc. The reason for this latest update of the DPIA is the adequacy decision dated July 10, 2023, which applies to the transfer of personal data between the EU/EEA and the USA.

The obligation to ensure assessments of data protection impacts rests with the data controller, including the manager who has the daily responsibility for the particular processing. The task itself can be delegated to others.

1.2 About Altinn

Altinn is an important public common solution that all state agencies, municipalities, county councils, and other public enterprises can use to develop digital services for their users. Altinn also facilitates the need for digital dialogue between public enterprises, citizens, the business community, and the voluntary sector.

Altinn is further developed, operated, and managed by the Altinn collaboration, consisting of several public agencies. Digdir was established on January 1, 2020, following a merger of Altinn and Difi. Digdir is responsible for the management of Altinn and decides how the technical solution should be further developed.

Altinn started as a collaboration between the Tax Administration, Statistics Norway, and the Brønnøysund Register Centre in 2002, and was meant to be an alternative reporting channel for economic data. Altinn was officially opened by former Finance Minister Per-Kristian Foss and Minister of Trade and Industry Ansgar Gabrielsen on December 4, 2003.

Since the portal www.altinn.no was launched, it has been growing continuously. The collaboration has been significantly expanded and consists of 71 different service owners as of December 2023.

Today, Altinn is a well-established and extensive platform, experiencing strong growth in terms of data volumes, associated public enterprises, and the number of electronic end-user services.

The Altinn solution is also continuously further developed with improvements to existing functionality and new functionality.

Altinn also contains a lot of useful information for entrepreneurs and small/medium-sized businesses under “Start and run a business” on altinn.no. Here is also an overview of all state support schemes for the business sector.

Over 4 million private individuals have an inbox (including «archive») in Altinn through their social security number, and over 1 million businesses are registered as users through an organization number. From the start in 2003 until November 2023, over 223 million electronic forms have been submitted through Altinn, while 559 million messages have been sent to users’ inboxes. This has led to savings in the billions for both the public sector and the business community. And the use of services in Altinn is continuously increasing.

As a protective-worthy object, Altinn is subject to the Security Act, and thus strict conditions for the security of the solution. In addition, Altinn is subject to the Personal Data Act and several other regulations that provide guidelines for, among other things, security and processing of personal data.

Since its establishment 20 years ago, Altinn has, to a greater or lesser extent, used private providers for operation, application operation, management, and further development. If the provider processes personal data as part of its contractual relationship, a data processor agreement is also concluded with the provider. Through the Department of User Experience and Data Sharing (BOD), the directorate follows up and controls the providers. Through everything from the daily operational dialogue to contractual control and audit opportunities.

1.3 Altinn’s Cloud Journey

Altinn is on a journey from today’s “on-prem” operation and application operation of Altinn II, to a cloud-based solution for Altinn 3. Digdir has an agreement to use Microsoft’s public cloud solution Azure. The processing responsibility, purposes, or legal bases for the processes do not change in principle by cloud operation of Altinn. Digdir has chosen a data center in Norway as far as possible, and the rest are located in the EU.

Altinn is a large IT solution with many dependencies both internally and towards external stakeholders. Therefore, it is important that a transition to the cloud can be done in several stages without disruptions or interruptions of existing end-user services.

For Altinn to comply with long-term goals and strategies, the solution must primarily be able to offer a new service development solution and be able to interact with other solutions and platforms in the public and private sectors. In addition, the solution must be managed and further developed more quickly and efficiently than today’s “on-prem” solution.

The first delivery included a new service development solution consisting of development tools (Altinn Studio), runtime environments (Altinn Apps), and a new platform with reusable micro-services (Altinn Platform). The new service development solution utilizes the possibilities and features available in a pure cloud-based infrastructure.

Concept
Altinn 3 concept

Altinn is intended to support cross-sectoral collaboration, which is also related to this new service development solution, and introduces the need for a range of other and new collaboration functions. A cloud-based solution ensures Altinn’s opportunities to support future needs for digitalization in Norway.

The first version of Altinn 3 was put into production in June 2020. Furthermore, the goal is that functionality will be further developed, and the services running on Altinn II will be re-established on Altinn 3 by June 2026 at the latest. There is a need for a hybrid model during this transition period, with both an “on-prem” solution and solutions in the public cloud.

Benefits and opportunities related to the transition to the cloud include:

  • Reduced downtime and more self-service
    More efficient use of resources. Not least due to higher developer productivity, fewer handovers, and overhead (opportunity for self-service). Faster realization of value from investments (shorter time from investment is made to the value of the investment is realized). Reduced time from need/idea arises, to solution is exposed to users.

  • Pay for what you use
    More efficient resource utilization and the opportunity for dynamic scaling, combined with only paying for the resources one actually uses, leads to increased cost efficiency.

  • Increased efficiency in operations and delivery capability
    By using better tools and increasing the degree of automation, resources used for operations will be reduced.

  • Increased opportunities for innovation - both internal and external innovation. The cloud provides access to new and updated technology.

  • Access to new technology


  1. edpb_20230118_cef_cloud-basedservices_publicsector_en.pdf (europa.eu) Page 2 and 10 in particular. ↩︎