Privacy Policy

Norsk versjon: Personvernerklæring

Sikt (Norwegian Agency for Shared Services in Education and Research) is the provider of Feide in collaboration with Udir (the Norwegian Directorate for Education and Training). Feide is a centralized identity management solution for the educational and research sector of Norway. The solution is widely used by universities, university colleges, high schools and lower education.

Sikt is responsible for ensuring that the personal data we process about you is used in accordance with data protection legislation, including the GDPR and the Norwegian Personal Data Act. This Privacy Policy provides information regarding how we handle your Personal Data when you use the Feide login solution or are in contact with us through our channels, as well as your rights as a Data Subject.

Feide login solution

General information

Sikt hold both Data Controller and Data Processor responsibilities for this service, see article 4 GDPR. For information about how personal data is processed in the services that use Feide as a login solution, you must contact each individual Service Provider directly.

Definitions

Definitions of the terms used in this privacy policy are provided in article 4 GDPR.

Other definitions:

Home Organisation: An educational institution that uses Feide as a login solution for its systems and services. Universities, colleges, municipalities, county authorities, private school owners, and research institutes can become home organisations.
Service Provider: A provider of applications, services or systems within the knowledge sector that students, teachers, lecturers and others affiliated with the controller can log on to via Feide.
External login service: Google (Google Workspaces/Google-account), Microsoft Entra ID and ID-porten.

Categories of data subjects

The processing includes the following categories of data subjects:

Pupils in primary and secondary education
Students in higher education
Teachers and lecturers
Others affiliated with the controller

Data Controller

The Home Organizations are Data Controllers of the majority of the personal data being processed within Feide.

Sikt is mainly a Data Processor, but has Data Controller responsibility for the processing of the following personal data.

Users affiliated with a home organisation*	Guest users
Which home organisation they are affiliated with	Techincal identifiers
IP addresses	Browser information
Technical identifiers	Usage and activity data
Browser information
Usage and activity data

* This also applies to foreign pupils and students.

Where is the information obtained from

The data is obtained from various sources:

Information about users affiliated with a Norwegian home organisations is obtained from the home organisations.
Information about guest users is obtained from ID-porten (Norwegian national identity number) and the National Population Register (name).
Information about users at foreign institutions is obtained from the institutions to which they are affiliated.

If you use external login services, data is obtained from the providers of these login services:

Google (Google Workspaces/Google-account): E-mail address associated with the Google-account and organisational domain (for example @yourorganisation.com).
Microsoft Entra ID: User name (UPN) and e-mail address.
ID-porten: Norwegian national identity number and, where applicable, name and other basic information associated with your electronic ID.

The purpose of processing the information

The processing has the following main purpose:

To provide and manage a secure login and data sharing solution that offers simple and safe access to digital services for students, researchers and staff in education and research.

The processing has the following additional purposes:

Security purposes: To identify and detect security incidents or misuse, with the aim of disclosing event data and logs when necessary.
Further development and improvement of the service: To analyse anonymous usage statistics with a view to improving Feide’s functionality and user experience.
Customer support and administration: To process contact details and organisational data in connection with the administration of the customer relationship.
Statistics for sector purposes: To prepare aggregated statistics on the use of Feide, for research purposes for national education authorities and for statutory public duties.

The legal basis for processing personal data

The legal basis for providing and managing the solution is article 6 (1) (f) GDPR, which allows us to process data which is necessary for the purposes of legitimate interests, provided that the legitimate interest is not overridden by the data subject’s interests or fundamental rights and freedoms.

The legitimate interest for processing of personal data in Feide is to offer a secure and reliable login solution for the educational and research sector. The processing of the data is essential in order to provide the service. We consider that the interest in providing this service outweighs the privacy impact for the data subjects. In this assessment, we have emphasised that, although a large number of data subjects are concerned, including minors, Feide has extensive security measures in place, does not share data with third parties except in aggregated form for statistical purposes, and that our provision of this solution entails significant benefits for both the sector and the data subjects.

The legal basis for sharing aggregated data for statistics for sector purposes is article 6 (1) (e) GDPR, which allows us to process data that is necessary for the performance of a task carried out in the public interest. The supplementary legal basis is § 8 of the Norwegian Personal Data Act.

Disclosure to third parties

We may share aggregated statistics on the use of Feide for research purposes for national education authorities and for the performance of legally mandated public duties.

If we share data collected in connection with your use of Feide, this data will be aggregated in such a way, as a general rule, that it no longer qualifies as personal data. In cases where the statistics are derived from a limited number of individuals or from small, clearly delimited environments, there may nevertheless be some risk that the context in which the data is presented could make it possible to link the information to identifiable individuals.

Transfer or processing in countries outside the EU/EEA

We use Amazon Web Services (AWS) for certain data processing activities. Sikt has conducted a legal assessment, and has concluded that the use of AWS complies with GDPR and applicable Norwegian regulations. Our full assessment can be found here (Norwegian).

Processing of personal data in our channels

Below you will find information about how your personal data is processed in our communication channels. You can click on each individual heading to read more.

feide.no

Feide.no uses the analytics tools Matomo and Siteimprove to analyse how the website is used. When you visit www.feide.no, we collect information about:

IP address
Which device you are using
The operating system you are using
The continent, country or city you are in
Which pages you have clicked on
Which website you came from and, where applicable, navigated to afterwards
How long you spent on the website

The purpose is to improve and further develop the content on feide.no, in order to provide good information to customers and partners. The information collected about you is anonymisied.

Cookies

Feide.no uses cookies for statistics, analytics and form solutions. Here you can see which cookies we use and what they are used for (Norwegian).

Feide customer portal (kundeportal)

In the Feide customer portal, we use Skyra to measure user experience on the website. Skyra helps us understand why the website is visited so that we can create better services and increase user satisfaction. This is done through surveys and feedback forms that appear in your browser window.

Skyra's pop-up surveys use functional cookies to ensure the tool works as intended and behaves as users expect. The cookies have a duration of up to 365 days.

If you consent to providing feedback on your use of the portal, we collect information about the URL where you submitted your response, browser name and version, operating system, device used (mobile/desktop etc.), the city you are located in, derived from your IP address (processed momentarily and deleted immediately), your connection speed, and the content of your feedback. This information cannot be linked back to you.

If you consent to joining a user testing module, the following information is collected:

First and last name
Email address
Phone number
Other responses you have provided in the same survey

We use this information solely to contact you if we wish to invite you to user testing, or to follow up on feedback you have provided. The legal basis for this processing is consent, cf. article 6 (1) (a) GDPR. You may withdraw your consent at any time.

Application forms, contact forms and email

If you contact us via an application form, contact form or email, your enquiry will always be registered in our case management system/records system.

We store the personal data you choose to enter in each individual form. When you send us an email, we store your name, email address and the content of the email. We recommend that you do not include sensitive information.

The purpose of processing this information is to be able to respond to the enquiry you have submitted. The legal basis is article 6 (1) (f) GDPR, as we have a legitimate interest in being able to contact you and follow up on the enquiry you have submitted.

Due to statutory archiving obligations, we are required to retain some enquiries in our records system. The legal basis for this is article 6 (1) (c) GDPR, cf. the Norwegian Archives Act § 5.

Newsletter

Feide sends a newsletter by email to those who wish to receive it.

By subscribing to our newsletter, you consent to us storing your email address. The email address is used to send out news and invitations to our events, and for anonymised measurement and statistics related to newsletter usage. The email address will be stored with us until you unsubscribe from the newsletter.

The legal basis is article 6 (1) (a) GDPR. You may withdraw your consent at any time by unsubscribing from the newsletter.

We use third-party solutions to manage the distribution of our newsletters. This means that the information distributed, including your email address, may be stored by the third party for as long as they retain distribution logs. Feide uses Make to send out newsletters. Make stores all personal data in Norway.

Events

When you register for one of our events, we will ask for information such as your name, contact details and place of work. If food is being served at the event, we will also ask about any dietary requirements.

The purpose of collecting this information is to provide information to participants, administer and facilitate the event, and compile participant lists for attendees. The information is stored until the event has concluded.

The legal basis is article 6 (1) (b) GDPR, as the processing is necessary for the performance of a contract.

Data Security

Feide employs technical and organizational measures to protect personal data, including:

Encryption during data transmission
Secure storage of authentication data
Access control
Regular security audits and assessments

Your rights as a Data Subject

You have the following rights under GDPR:

Access to Personal Data (Article 15). Data subjects can view the personal data registered about them through the Feide "Innsyn" service (Norwegian).
Correction of inaccurate data (Article 16)
Erasure of your data (Article 17)
Restriction of processing (Article 18)
Data Portability (Article 20)
Object to Processing (Article 21)

If you have questions or wish to exercise your rights, our contact details are listed below.

Questions and complaints

We encourage you to contact us if you have any questions, concerns or complaints regarding the processing of your personal data. You can contact us at kontakt@sikt.no or contact our Data Protection Officer directly:

Marita Ådnanes Helleland
Postal address: Professor Brochs gate 8A, NO-7030 Trondheim
Telephone: +47 73 98 40 40
Email: personvernombud@sikt.no
Please note: Email is not secure. Please do not send sensitive information.

If you believe your personal data has been processed in violation of the GDPR, you have the right to file a complaint with the relevant data protection authority.

For users based in Norway, the relevant authority is:

Norwegian Data Protection Authority (Datatilsynet)
Website: https://www.datatilsynet.no (Norwegian)
Email: postkasse@datatilsynet.no
Phone: +47 22 39 69 00

If you are located in another EU/EEA country, you can file a complaint with your local supervisory authority. List of EU/EEA data protection authorities.

Last updated 26.01.26.