Is your personal data safe with Lånekassen? 

Last updated: 21.02.2019
Keeping your personal data safe is a priority for Lånekassen and we are constantly working to protect your personal data and other confidential information. To be able to do this, we need to take a holistic approach to data security. 

Lånekassen works in several ways to safeguard your rights and your data:

  • Employees – We are working systematically to develop knowledge, attitudes and awareness in order to reduce human vulnerabilities.
  • Technology – We are working to ensure that our systems are robust enough to withstand external cyber threats and reduce vulnerabilities that occur when interacting with third parties and when employees use the systems.
  • Organisation – We are working to ensure that there are clear lines of responsibility, that risk management is an integral part of what we do, and that procedures and guidelines are drawn up to ensure secure information management.

Our commitment to security also means that we regularly review factors such as risk exposure, available technologies, business needs and regulatory requirements. In sum, this means we have up-to-date and effective security measures in place designed to eliminate threats to your data and rights.

Below is a more detailed description of how we work and the steps we have taken to protect your data.

Data protection

When your data is transmitted over the internet it is protected by encryption, be it between your browser and Lånekassen’s services or between Lånekassen’s physical offices. This prevents third parties from gaining unauthorised access to the data during transmission.

When we handle information about you (e.g. processing and storage) we do so in a dedicated and separate network zone in our data centre, known as a secure zone. This is in line with the Norwegian Data Protection Authority’s guidelines on security architecture. In the secure zone your personal data is isolated from the internet and from other administrative systems used by Lånekassen. Below is a description of some of the main security mechanisms that support this isolation.

Access control

Lånekassen employees, external consultants and other outside partners are legally obliged to observe confidentiality. They are granted access on a need-to-know basis. This involves creating different roles with different levels of access. When someone requests access, their need to know will be assessed. If the authorisation gives them access to sensitive information, two independent persons must first verify that they have a legitimate need to know.

Lånekassen also performs an annual review of the authorisations in order to identify and, if necessary, correct any non-conformities.

Technology

Lånekassen’s IT infrastructure is divided into three security zones: the secure, internal and external zones. The external zone contains all services accessible over the internet. The internal zone contains all administrative services, networks and PCs, while all customer data and Lånekassen’s core systems are in the secure zone. The secure zone is protected by layers of different security levels:

  • The secure zone is not exposed directly to or directly from the internet.
  • Only authorised PCs are able to connect to Lånekassen’s network.
  • Only authorised users can access the secure zone.
  • A number of different network barriers and technologies are in place to prevent accidental or uncontrolled transmissions of data from the secure zone to other zones.
  • Case officers and other authorised users are not able to copy customer data or other information from the case processing system in the secure zone to one of the other zones, e.g. to a workstation in the internal zone.
  • Two-factor authentication has been introduced to reduce the risk of usernames and passwords going astray.
  • Our premises have physical perimeter security.
  • PCs and servers are configured in accordance with best security practices (e.g. malware protection, encrypted hard discs, managed and administered through security policies, application control systems etc.).

Detecting and preventing incidents

Lånekassen has established mechanisms for detecting and preventing intrusion and misuse of our systems and services. These mechanisms serve multiple purposes and are designed to protect your data from external threats and prevent employees from abusing the trust placed in them.

All logs used for this type of analysis and troubleshooting – and which can identify individuals either directly or indirectly – are stored in the secure zone and protected in the same way as personal data.

Continuity and responding to incidents

Even with robust preventive measures in place, there will always be a residual risk. Lånekassen has therefore established procedures for dealing with such incidents. The objective is to be able to understand, mitigate, deal with and recover from the situation as quickly as possible if an incident were to occur.

Customers also have the right to access their data. We therefore have backup processes in place to quickly restore services in the event of an operating incident without the loss of data.

Security testing

Lånekassen conducts regular security tests to ascertain that our data security measures are working as intended. The testing is carried out by professional third parties and gives Lånekassen a good idea of whether we are vulnerable to external threats.