Summary
The Norwegian Digitalisation Agency (Digdir) has chosen to conduct a Data Protection Impact Assessment (DPIA) in connection with the selection of a cloud service provider for the operation of Altinn 3. Altinn is in a transitional phase from the existing solution (Altinn II) to a new version (Altinn 3) that is developed and operated in the cloud and is based on open source.
In chapter 1, we write more about Altinn and the cloud journey we have embarked on. Then, in chapter 2, we provide a systematic description of the processing of personal data in Altinn, and what the purpose and legal basis for this are. Altinn acts mostly in the role of data processor on behalf of the many public entities that use the solution for development and operation of their digital services. Therefore, it is also important to specify that these public entities – which we refer to as service owners in Altinn – must make their own assessments for their specific services, in their role as data controllers.
In chapter 3, we address certain legal issues that are particularly relevant for the use of cloud services. We make it clear that we do not plan to transfer personal data out of Norway / EU / EEA and we discuss our assessments regarding the choice of data processor.
We address the rights and freedoms of data subjects (users) in chapter 4, and assess the necessity and proportionality of the processing that takes place in Altinn against the risks, benefits, and effects of digitalization and the use of cloud services.
In chapter 5, we go into detail about information security in Altinn, the risks, and the measures we take in Altinn to reduce those risks. The use of cloud services also brings significant advantages for data subjects' privacy, including that, in our assessment, it gives the best information security protection against major known threat actors.
Our assessments lead us to the conclusion that, with the choices and measures we have implemented in Altinn, we believe data subjects overall receive the best privacy by using our digital services, as we use a professional, serious, and internationally recognized cloud service provider that relies on trust in the market. This trust also means that privacy in Norway and Europe will be respected.
Digdir will continue to make ongoing assessments of risk, information security, and data protection impacts for Altinn. We will stay updated on the threat landscape and the emergence of new technology, and will continue to work for responsible and safe digitization of Norway, in accordance with directives from the Storting and the Government.
This version is updated as a result of the adequacy decision dated July 10, 2023, which applies to the transfer of personal data between the EU/EEA and the USA. Some editorial changes have also been made.