Tranfer of personal data to Ladok when using federated login

Description of Ladok

Ladok is a central service for study administration aimed at students and study administrative staff at higher education institutions in Sweden.

The system is owned by the higher education institutions together through the Ladok Consortium. At present, 37 higher education institutions are part of the consortium, as well as the Swedish Board of Student Finance (CSN).

Management and operation is common for all higher education institutions, but each higher education institution owns and is responsible for the contents of its own register.

Processing of personal data

Transfer of personal data

Personal data is transferred from the identity provider (your login service) to the service to ensure that the service knows who you are and what permissions you should have.

In connection with logging in to this service, the following personal information is requested from the identity issuer you use:

Ladok for students

Personal data Purpose Technical representation
Unique identifier To identify your higher education institution eduPersonPrincipalName
Personal identity number To give you access to your information norEduPersonNIN
Assurance level To verify the identification of you eduPersonAssurance
Organisation affiliation To categorise your employment status eduPersonScopedAffiliation

Ladok for employees

Personal data Purpose Technical representation
Unique identifier To give you access to your information and roles eduPersonPrincipalName
Name To name your identity in the service givenName, sn
Assurance level To verify the identification of you eduPersonAssurance
Organisation affiliation To categorise your employment status eduPersonScopedAffiliation

In addition to direct personal data, indirect personal data are also transferred, such as which organisation the user belongs to and which identity provider has been used when logging in. In combination with the above personal data, these can be used to uniquely identify a person.

Other processing of personal data within the service

All processing of personal data in Ladok relates either to Förordning (1993:1153) om redovisning av studier m.m. vid universitet och högskolor or to employees at higher education institutions. The table below shows which personal data is processed and which category each data belongs to.

Personal data Category
Name Student data
Personal identity number Student data
Registered address Student data
Contact information: phone number, e-mail address, temporary address Student data
In case of protected identity; data regarding pseudonym and interim personal identity number Student data
Access Student data
Selection criterion Student data
Obligation to pay application fees and tuition fees Student data
Payment of application fees and tuition fees Student data
Admission Student data
Participation in study and examination Student data
Study results Student data
Grades Student data
Credited education or other credited activities Student data
Qualification criterion Student data
Data for presentiation of results Student data
Student cases- decisions Student data
Name Employment
User identity Employment
Contact information: phone number and e-mail address Employment
User roles Employment
Course connection as a reporter and a certifier Employment

Personal data is also stored in log files at the service in order to maintain traceability and to simplify troubleshooting.

Transfer of personal data to third parties

Ladok transfers personal data to third parties according to Förordning (1993:1153) om redovisning av studier m.m. vid universitet och högskolor 2 kap 6 §.

Lawful basis

The processing of personal data in Ladok is regulated within the Swedish legislation Förordning (1993:1153) om redovisning av studier m.m. vid universitet och högskolor. The processing of personnel’s personal data and personal data transferred from identity issuers in connection with login is processed within the framework of public interest and the exercise of authority as this takes place by staff assigned rights within the framework of their employment within the authorities.

Right of access, right of rectification and right of erasure of personal data

For access, rectification and deletion of your personal data, contact the personal data controller at the higher education institution where the data is registered.

Correction of personal data transferred from your identity provider during login is done at your identity provider.

Purging of personal data

In accordance with Förordning (1993:1153) om redovisning av studier m.m. vid universitet och högskolor 2 kap 7 § och 8 § only some information related to students that never begun their studies after registration are purged.

Log files with personal data are cleared when they are no longer deemed necessary for traceability or troubleshooting.

Personal data controller

Personal data controller for student data is the the respective higher education institution where the student are registered. Contact information of the personal data controllers are available at the respective higher education institution.

The data protection coordinator within the Ladok Consortium is Gunnar Råhlén, gunnar.rahlen@bth.se.

GÉANT Data Protection Code of Conduct

This service complies with the international framework GÉANT Data Protection Code of Conduct (http://www.geant.net/uri/dataprotection-code-of-conduct/v1) for the transfer of personal data from identity providers to the service. This framework is intended for services in Sweden, the EU and the EEA that are used in research and higher education.

2020-11-16 | Kina Nilsson