Introduction
General information
Sikt (Norwegian Agency for Shared Services in Education and Research) is the provider of Feide and hold both Data Controller and Data Processor responsibilities for this service, see article 4 GDPR.
As the Data Controller, we are responsible for ensuring that the personal data we process about you is used in accordance with data protection legislation, including the GDPR and the Norwegian Personal Data Act. This Privacy Policy provides important information regarding how we process, use, collect, disclose and protect Personal Data when you use Feide, as well as your rights as a Data Subject.
This privacy policy only applies to the processing of personal data in the Feide login solution. For information about how personal data is processed in the services that use Feide as a login solution, you must contact each individual Service Provider directly.
About Feide
Feide is a centralized identity management solution for the educational and research sector of Norway. The solution is widely used by universities, university colleges, high schools and lower education. With Feide, students and employees in the educational sector get one digital identity that gives them access to web services in the educational and research field.
Feide is technology and platform independent. A Feide identity (FeideID) is valid throughout the Norwegian educational and research sector and can be used to login to all Feide services a person has access to. The Feide identity can be used for single sign on (SSO) to an increasing number of services connected to the central login service operated by Feide.
Feide is managed in collaboration between Sikt (Norwegian Agency for Shared Services in Education and Research) and Udir (the Norwegian Directorate for Education and Training.)
Definitions
Definitions of the terms used in this privacy policy are provided in article 4 GDPR.
Other definitions:
- Home Organisation: An educational institution that uses Feide as a login solution for its systems and services. Universities, colleges, municipalities, county authorities, private school owners, and research institutes can become home organisations.
- Service Provider: A provider of applications, services or systems within the knowledge sector that students, teachers, lecturers and others affiliated with the controller can log on to via Feide.
Categories of data subjects
The processing includes the following categories of data subjects:
- Pupils in primary and secondary education
- Students in higher education
- Teachers and lecturers
- Others affiliated with the controller
Data Controller
The Home Organizations are Data Controllers of the majority of the personal data being processed within Feide.
Sikt is mainly a Data Processor, but has Data Controller responsibility for the processing of the following personal data.
| Users affiliated with a home organisation* | Guest users |
| Username (FeideID)** | Name |
| User profile** | Norwegian national identity number |
| Email address** | IP adresses |
| Which home organisation they are affiliated with | Techincal identifiers |
| IP addresses | Browser information |
| Technical identifiers | Usage and activity data |
| Browser information | |
| Usage and activity data |
* This also applies to foreign pupils and students.
** Processed only in connection with administration in the Customer Portal.
Where is the information obtained from
The data is obtained from various sources:
- Information about users affiliated with a Norwegian home organisations is obtained from the home organisations.
- Information about guest users is obtained from ID-porten (Norwegian national identity number) and the National Population Register (name).
- Information about users at foreign institutions is obtained from the institutions to which they are affiliated.
- Information users choose to share when they register information about themselves in our customer portal.
The purpose of processing the information
The processing has the following main purpose:
- To provide and manage a secure login and data sharing solution that offers simple and safe access to digital services for students, researchers and staff in education and research.
The processing has the following additional purposes:
- Security purposes: To identify and detect security incidents or misuse, with the aim of disclosing event data and logs when necessary.
- Further development and improvement of the service: To analyse aggregated usage statistics with a view to improving Feide’s functionality and user experience.
- Customer support and administration: To process contact details and organisational data in connection with the administration of the customer relationship, including sending operational notices, change notifications and other necessary information related to the service.
- Statistics for sector purposes: To prepare aggregated statistics on the use of Feide, for research purposes for national education authorities and for statutory public duties.
The legal basis for processing personal data
The legal basis for providing and managing the solution is article 6 (1) (e) GDPR, which allows us to process data which is necessary for the purposes of legitimate interests, provided that the legitimate interest is not overridden by the data subject’s interests or fundamental rights and freedoms.
The legitimate interest for processing of personal data in Feide is to offer a secure and reliable login solution for the educational and research sector. The processing of the data is essential in order to provide the service. We consider that the interest in providing this service outweighs the privacy impact for the data subjects. In this assessment, we have emphasised that, although a large number of data subjects are concerned, including minors, Feide has extensive security measures in place, does not share data with third parties except in aggregated form for statistical purposes, and that our provision of this solution entails significant benefits for both the sector and the data subjects.
The legal basis for sharing aggregated data for statistics for sector purposes is article 6 (1) (e) GDPR, which allows us to process data that is necessary for the performance of a task carried out in the public interest. The supplementary legal basis is § 8 of the Norwegian Personal Data Act.
Disclosure to third parties
We may share aggregated statistics on the use of Feide for research purposes for national education authorities and for the performance of legally mandated public duties.
If we share data collected in connection with your use of Feide, this data will be aggregated in such a way, as a general rule, that it no longer qualifies as personal data. In cases where the statistics are derived from a limited number of individuals or from small, clearly delimited environments, there may nevertheless be some risk that the context in which the data is presented could make it possible to link the information to identifiable individuals.
Transfer or processing in countries outside the EU/EEA
We use Amazon Web Services (AWS) for certain data processing activities. Sikt has conducted a legal assessment, and has concluded that the use of AWS complies with GDPR and applicable Norwegian regulations. Our full assessment can be found here (Norwegian).
Data Security
Feide employs technical and organizational measures to protect personal data, including:
- Encryption during data transmission
- Secure storage of authentication data
- Access control
- Regular security audits and assessments
Your rights as a Data Subject
You have the following rights under GDPR:
- Access to Personal Data (Article 15). Data subjects can view the personal data registered about them through the Feide "Innsyn" service (Norwegian).
- Correction of inaccurate data (Article 16)
- Erasure of your data (Article 17)
- Restriction of processing (Article 18)
- Data Portability (Article 20)
- Object to Processing (Article 21)
If you have questions or wish to exercise your rights, our contact details are listed below.
Questions and complaints
We encourage you to contact us if you have any questions, concerns or complaints regarding the processing of your personal data. You can contact us at kontakt@sikt.no or contact our Data Protection Officer directly:
Marita Ådnanes Helleland
Postal address: Professor Brochs gate 8A, NO-7030 Trondheim
Telephone: +47 73 98 40 40
Email: personvernombud@sikt.no
Please note: Email is not secure. Please do not send sensitive information.
If you believe your personal data has been processed in violation of the GDPR, you have the right to file a complaint with the relevant data protection authority.
For users based in Norway, the relevant authority is:
Norwegian Data Protection Authority (Datatilsynet)
Website: https://www.datatilsynet.no (Norwegian)
Email: postkasse@datatilsynet.no
Phone: +47 22 39 69 00
If you are located in another EU/EEA country, you can file a complaint with your local supervisory authority. List of EU/EEA data protection authorities.
Last updated 26.01.26.
