General

Digital Iceland f.h. of the Ministry of Finance and Economic Affairs is the operator of the Straumur. The Straumur, based on X-Road, is a data transfer layer between information systems. It ensures secure communication with data and is controlled by the operator. The management involves the operator evaluating and approving the service recipients application for membership in the Straumur and establishing rules and criteria for the use of the Straumur. The operator also maintains a central security server and issues identification documents for the service recipients security servers.

The service recipient operates his own security server for identified and encrypted communications within the Stream. The operator's central security server confirms connections and establishes encrypted communications between parties, registers timing and responses to communication requests.

These terms form an agreement between the service recipient and the operator on quality requirements, accessibility and maintenance for the use of the Straumur.

1. Definitions

In this term, where the context of the text allows, the following terms shall be defined as follows:

Action file: A file in chronological order of what is done in data processing.

Operator: Digital Iceland under the auspices of the Ministry of Finance and Economic Affairs.

ID: An electronic identification document issued by the operator to a service recipient who installs and renews it before its expiry date.

List: List of all parties to the Strategy and security personnel on their behalf.

The stream: A data transfer layer for secure electronic communication between service users. The stream is based on X-Road.

Technical description: Technical description for the Strait, available here.

Dissemination: The transfer of data from the information provider to the recipient (data exchange).

Central Security Server: contains a list of all the parties of the Stream and their security servers, receives connection requests, coordinates, time stamps and records the connections of security servers. ( Central Server).

Service recipient: A party that has been connected to the Straumur; the information provider and/or the recipient.

Web services: Service of a service recipient that connects the security server and the information system of the person concerned.

Service: Dissemination of information

Information provider: a service provider that communicates information to the Straumur members.

Information user: a service user who seeks information through the service provider

Security server: one or more X-Road service users are connected to other security servers within the Strategy through a central security server.

X-Road: An open source software developed by the Nordic Institute for Interoperability Solutions (NIIS). X-Road is a centralised data transfer layer for information systems and is a technical environment and organisational structure that ensures secure data exchange between information systems.

2. Access

The service recipient shall apply for membership of Straumur with the operator. With his application, the service recipient submits to the terms of this.

The operator may refuse an application for access to the Stream if the operator considers, among other things, that the applicant's activities are of a nature that is not in accordance with the scope or function of the Stream or that the applicant does not have sufficient technical infrastructure to use the Stream. The service recipient may withdraw the application without explanation.

On the basis of the parties agreement on access of service users to the Straumur, the service user sets up a security server and notifies the operator who registers the security server to the Straumur central security server.

Once a security server has been installed, the service user shall request the issuance of the necessary identification documents from the operator so that the requests for communication to and from the security server can be confirmed. The stream may not be used with other identification documents than those issued by the operator. All identification and information about the parties concerned are recorded in the central database of the operator.

3. Members' responsibilities

3.1 Operator

The operator ensures the functioning of the Central Security Server and performs its operations, as well as identification services, monitoring the vital signs of all registered security servers within the Straumur and the web services registered in the ecosystem. The operator maintains a register of service recipients and records all communications through the Central Security Server with a time stamp in the operations file. The operator notifies any planned changes or restrictions on the use of the Straumur as soon as possible.

The operator defines and notifies the maintenance window of the Central Security Server of the Straumur for minor maintenance but notifies service users specifically for larger updates that may cause service interruption with due notice.

3.2 The recipient

The recipient shall install a security server and register an ID with the operator.

The service recipient shall monitor and ensure that information about him/her from the operator is always correct. The service recipient shall follow all instructions from the operator; installation, use and security measures on the feed as specified in.

The service recipient is responsible for the update of the security server. The X-Road version of the security server shall never be more than two versions after the central security server version.

The service recipient is responsible for renewing the certificate and it shall be renewed at least every two years.

The service recipient is responsible for the use of the security server.

The service recipient shall maintain an action file. The service recipient shall appoint a service representative who has access to the action file and monitors usage and communication through the Straumur.

The service provider shall implement the necessary security measures, both objective and systemic, to ensure the security of the information system. The security measures shall take into account international best practice criteria.

The recipient of the service is responsible for:

(i) that information is only shared upon request or agreement;

(ii) the extent of the information that is shared is in accordance with the existing data profile;

(iii) that the recipient of the service is allowed to share the relevant information.

3.2.1 Third party - subcontractor

If a service user contracts with a third party to operate a security server or access to X-Road as a service, he shall ensure that the third party knows and operates in accordance with the terms of this contract. The service user shall inform the operator of changes to the structure due to the contract with a third party with at least 30 days notice.

The service agreement with a third party shall be written and clearly define the role and obligations of the parties for the Strategy. It shall clearly specify the services provided to the service recipient, as well as the systems and equipment used for the Strategy.

Notwithstanding outsourcing under this provision, the responsibility for meeting the minimum requirements for the Straumur service lies with the service recipient.

4. Functional tests and/or the provision of services

The timing of functional tests and/or the issuance of service in the real-world environment on Ísland.is is organized in cooperation between the service provider and the relevant service recipient, but shall not take place on Fridays, on weekends or on public holidays.

5. Responsibility

The operator is not responsible for damages caused by the lack of knowledge, misunderstanding or misuse of the service provider. Furthermore, the operator is not responsible for damages caused by the equipment of the service provider not working properly.

The operator is not responsible for damages due to unauthorised use, for example if an unauthorised party has accessed the service recipient, or if the operator has failed to report any misuse of the web service, or suspected misuse.

The operator is not directly or indirectly responsible for damage caused by the unannounced closure of the Straumur, e.g. due to faults that can be attributed to a communications breakdown, communications interruption or other interruptions that may occur in the operation of the web service and are unforeseen or unavoidable due to force majeure. Should there be any errors, interruptions or delays in the Straumur, which can be attributed to the abovementioned circumstances, the operator's responsibility shall be limited to correcting such errors, interruptions or delays as soon as possible.

The operator is solely responsible for the damage caused by the publisher if it is due to gross negligence or intention of the employees of the operator. The operator's liability in such a case only covers direct damage but never any consequential damage that may result from this, such as the cessation of operations, lost transactions or the dissemination of opinions.

The user shall keep the operator safe from any damage, claims, actions, damage, guarantees, fines, penalties and costs (including legal costs) that the operator may suffer as a result of or in connection with the actions or inaction of the publisher, whether it is caused by the publisher's negligence, intention or negligence in connection with the use of the stream or resulting from a breach of the parties' agreement. This non-harm liability does not in any way limit other contractual or statutory rights that the operator may enjoy against the publisher and any compensation or non-harm payments do not justify a breach of the obligations and obligations of the publisher.

Damage in violation of Act No. 90/2018 on Data Protection and the Processing of Personal Data is governed by Article 51 of the Act and Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council.

6. Payments

The service of Digital Iceland for the operation of a central security server, the issuing of identification documents and software (X-Road) is available to service users free of charge.

7. Operational security

The parties undertake to contribute to the safe operation of the Straumur and work together to repair in the event of operational disruptions.

The recipient and the operator shall notify the counterparty without delay if there is suspicion of unintentional, unauthorized or illegal processing of information or if there is suspicion of any security breach in the handling of information disseminated through Straumur. The notification shall be sent to the general email address of the party concerned (in the case of the publisher, island@island.is). In such notification, the party concerned shall describe the nature of the breach, including the estimated number of registered individuals that it concerns and the use of the information. The party concerned shall then describe the likely consequences of the breach and the measures it has taken or intends to take because of the security breach.

The operator will notify the service recipient if a malfunction or necessary updates concerning the current occur. In the event of the current being suspended for reasons of force majeure, the operator will also notify the publisher of such a situation. The service of the operator generally takes place during office hours, but if a connection to the current is interrupted, the operator shall respond to the notification as soon as possible.

The operator may temporarily interrupt access to the service without warning if there is a reasonable suspicion of unauthorised processing of information, a security breach or if the operator considers it clear that the equipment of the service recipient does not meet the operators requirements for using the Straumur.

If an operator or a service recipient is subject to any obstacles to the agreement with a counterparty on grounds of force majeure, then the obligations concerned shall be suspended until such obstacles have been removed and the parties to the agreement are able to fulfil their agreed obligations.

8. Changes to the terms

The operator reserves the right to make changes to these terms and shall be notified to the publisher in an electronic notice with at least 30 days notice, which shall be sent to the publisher in a verifiable manner before new or changed provisions take effect. In addition, new or updated terms are published on the website of the operator.

However, an operator may make changes to the terms with shorter notice if such changes to the terms are necessary by law or because of the risk of a security breach. In such cases where the notice may be shorter, the operator shall endeavour to notify such changes as soon as possible.

These terms were last updated: 25.01.2023

This text was translated from Icelandic using a machine translation. Be advised that content generated by machine translation can be inaccurate or flawed.