Social Insurance Administration
Privacy policy
The Social Insurance Administration places great emphasis on the protection of personal data, but the processing of personal data is an essential part of TR’s operations. In connection with the statutory role of the Administration, it is necessary to register and work with various personal and health information of applicants. All handling and preservation of identifiable information is in accordance with applicable laws and regulations on the handling of personal data.
Data protection shall be observed in the treatment of personal data in all activities of the institution and services provided by TR, whether it is in the course of work for themselves, statistical information or professional audits.
Data protection considerations shall be taken into account in all computer systems and software owned by or operated by TR.
Data protection shall be observed in the collection and dissemination of information to partners and professional bodies through secure electronic means.
The director, the personal data protection officer, the quality manager, the information security manager, the directors of departments and the district commissioners (as agents of TR) ensure that the personal data protection policy is followed.
TR staff and agents, contractors and service providers are required to work according to the Data Protection Policy.
The management of TR promotes the implementation of this policy through measures in accordance with the work and responsibilities of the relevant staff, contractors and service providers.
That personal data is only collected, stored and processed is considered necessary to meet the conditions of the law that TR is charged with enforcing.
To protect the personal data of TR customers in a structured manner.
To further protect sensitive health personal data, so that access to them is controlled by special access controls. Access controls are such that no one can access them except those who need it directly for their work.
Ensuring the protection, accuracy, transparency and accessibility of individuals to their own data and information held by TR
To ensure that personal data is not passed on to the unaccountable.
To promote active personal protection awareness of employees, colleagues, customers and guests.
Objectives
That personal data is only collected, stored and processed is considered necessary to meet the conditions of the law that TR is charged with enforcing.
To protect the personal data of TR customers in a structured manner.
To further protect sensitive health personal data, so that access to them is controlled by special access controls. Access controls are such that no one can access them except those who need it directly for their work.
To ensure the protection, accuracy, transparency and accessibility of individuals to their own data and information held by TR.
To ensure that personal data is not passed on to the unaccountable.
To promote active personal protection awareness of employees, colleagues, customers and guests.
More about the processing of personal data
TR is the controller of the processing of personal data by the institution.
TR works with various service providers, among other things, for its duty as the executor of social insurance, information security and the publication of data in the government's digital mailbox. Processing agreements are made with the relevant processors, if applicable. There are strong requirements for processors to meet the requirements of data protection rules and ensure the reliability of personal data through appropriate technical and organisational security measures.
The processing of personal data is a prerequisite for TR to fulfil its statutory role. In general, it is not possible to request exemption from such processing.
The main laws that TR operates by are:
Social Security Act, no. 100/2007.
Social assistance law, no. 99/2007.
Act on Additional Social Assistance for the Elderly, No. 74/2020.
Law on payments to parents of chronically ill and severely disabled children, no. 22/2006.
Law on the affairs of the elderly, no. 125/1999.
Act on the Protection of Privacy and the Processing of Personal Data, no. 90/2018.
Law on the rights of living donors to temporary financial assistance, no. 40/2009.
Law on the Rights and Obligations of State Employees, No. 70/1996.
Administrative Law, No. 37/1993.
According to the data protection legislation, individuals have certain rights, e.g. to know which personal data TR processes about them and to have access to them.
You can request to exercise the rights by sending a request to the email address or send a message to TR by other means.
TR has up to one month to respond to such matters but the deadline can be extended by two months if the request is particularly extensive.
If individuals believe that TR has not processed their personal data lawfully, a complaint can be sent to the Data Protection Authority.
TR ensures the protection of personal data through the information security management system in accordance with the rules no. 299/2001 on the security of personal data.
TR has established a information security policy (information security policy TR), has carried out a risk assessment and has implemented appropriate security measures to ensure the security of the institution's systems.
TR on Facebook
TR uses the communication tool Facebook for the purpose of facilitating information sharing to the public.
If individuals use the Facebook page of TR to submit suggestions to TR, it must be taken into account that this information is also shared with Facebook.
TR on Instagram
TR uses the social networking tool Instagram to facilitate information sharing to the public.
If individuals use the TR Instagram page to make suggestions to the TR, it must be taken into account that that information is also shared with Instagram.
TR on YouTube
TR uses YouTube to share educational videos to the public. You can register as a subscriber and TR can then see the username of the person but does not save it.
Questions and answers
The SIA is obligated to obtain personal data on the basis of the laws under which the institution operates. For example, the SIA obtains personal data from the following parties:
The data subject, e.g., when they submit an application, inquiry, suggestion, or other communication, or participate in surveys conducted by the SIA.
Pension funds.
Service providers who provide services related to rehabilitation in order to promote continuity of allowance for individuals who require services from more than one party.
Service providers are the SIA, the Directorate of Labor, VIRK Vocational Rehabilitation Fund, municipalities, and providers of primary healthcare and social services throughout the country.
The SIA also retrieves information from other government institutions, such as tax authorities, Registers Iceland, district commissioners, the Prison and Probation Administration (PPA), the Directorate of Immigration, the National Commissioner of the Icelandic Police, the Icelandic Transport Authority, medical institutions, residential and nursing homes, municipalities, recognized parties responsible for rehabilitation plans, The Icelandic Student Loan Fund, recognized educational institutions within the general education system, universities, and the Housing & Construction Authority.
The SIA's foreign sister institutions.
TR processes personal data solely for the purpose of fulfilling its statutory role. Personal data is collected digitally or otherwise from various parties, both private and public, for example when:
The person concerned applies for rights or payments, sends an inquiry or other communication.
The person concerned has requested access to data in accordance with the Administrative Procedure Act,
the Information Act or the Privacy Act.The person concerned has registered for a seminar/presentation organized by TR
The person concerned responds to surveys organized by TR.
The person concerned has applied for a job or internship at TR.
When visiting and agreeing to the use of cookies on the TR website at island.is.
Regarding the processing of information in connection with a coordination team.
For the purpose of ensuring continuity, progress, and a comprehensive approach in rehabilitation services, the Social Insurance Administration may decide to refer your case to a coordination team composed of representatives from service providers and the Social Insurance Administration. The service providers are VIRK Vocational Rehabilitation Fund, municipal social services, the Directorate of Labor, hospitals, and primary healthcare centers. If the Social Insurance Administration decides to refer your case to a coordination team, the institution is responsible for the processing of personal data generated at or in connection with the team's meetings, and you will be informed of this and given the option to decline the team's services.
Regarding processing in connection with the service portal.
The Social Insurance Administration may retrieve certain sensitive personal data from service providers through a service portal, e.g., rehabilitation certificates, medical certificates, information about maintenance, and confirmations. The Social Insurance Administration temporarily stores metadata in its records about the personal data transmitted via the service portal. Metadata refers to data that points to other information but does not specify its content.
TR collects and processes various types of personal data about its clients and their representatives, if an individual has authorised another person to communicate with the institution. The processing of personal data may, for example, concern:
Personal identifiers, e.g. name, national ID number, gender and citizenship.
Place of residence, postal address, home address, email address, telephone number and rental agreements.
Information about residence in Iceland and insurance periods.
Relationships with others based on family number, such as next of kin/parents, marital status, spouse, former spouse and children.
Information related to children, such as residence, school attendance, adoption of a child and information about the death of a parent.
Financial information, e.g. about income, assets and debts.
Sensitive personal data, e.g. health information, ethnicity, trade union membership.
Information about social circumstances.
Information from criminal records for job applications.
Information from the vehicle register, such as information about vehicle ownership and driving licences.
Information about rulings and judgments, such as rulings on child support payments, paternity cases and information about custody or imprisonment.
TR also processes information about staff and job applicants:
Certain information is necessary to be able to pay salaries, such as contact information, salary category, time sheets, tax bracket, trade union membership, bank details, pension fund information and debts to the State Treasury Collection Agency. The actions of employees in the institution's case file system are also recorded in an activity log. Other information is related to the employee's job description.
Certain information is necessary for the assessment of applications, such as contact information, CV, cover letter, information about education, results from job interviews, third-party references and other communication with applicants.
The processing of personal data includes, among other things, TR collecting, recording, storing, deleting, disclosing and cross-referencing information. TR strives to only record the personal data necessary for the processing of the tasks assigned to TR by law.
Privacy officer
The Data Protection Officer of TR monitors compliance with applicable laws and regulations on personal data protection. Inquiries, comments or suggestions relating to the processing of personal data can be addressed to the Data Protection Officer by sending an email to the email address.
You can also send a letter and the envelope must then be marked to the data protection officer.
This policy is reviewed every 12 months or as appropriate