Act of 18 May 2001 No. 24 on Personal Health Data Filing Systems and the Processing of Personal Health Data (Personal Health Data Filing System Act)

Published under: Bondevik's 2nd Government

Publisher Ministry of Health and Care Services

Act of 18 May 2001 No. 24 on Personal Health Data Filing Systems and the Processing of Personal Health Data (Personal Health Data Filing System Act)

(with amendments made previous to 1. November 2002)

Chapter 1Purpose, definitions, substantive scope and extent of the Act

Section 1 Purpose of the Act

The purpose of this Act is to contribute towards providing public health services and the public health administration with information and knowledge without violating the right to privacy, so as to ensure that medical assistance may be provided in an adequate, effective manner. Through research and statistics, the Act shall contribute towards information on and knowledge of the state of public health, causes of impaired health and illness trends for administration, quality assurance, planning and management purposes. The Act shall ensure that personal health data are processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and respect for private life and ensure that personal health data are of adequate quality.

Section 2 Definitions

For the purposes of this Act, the following definitions shall apply:

  1. personal health data: any information subject to the duty of confidentiality pursuant to the Health Personell Act section 21 and other information and assessments regarding health matters or that are significant for health matters, that may be linked to a natural person,
  2. de-identified personal health data: personal health data from which the name, personal identity number and other characteristics serving to identify a person have been removed, so that the data can no longer be linked to a natural person, and where the identity can only be traced through alignment with the same data that were previously removed,
  3. anonymous data: data from which the name, personal identity number and other characteristics serving to identify a person have been removed, so that the data can no longer be linked to a natural person,
  4. pseudonymous health data: personal health data in which the identity has been encrypted or otherwise concealed, but nonetheless individualized so that it is possible to follow each person through the health system without his identity being revealed,
  5. processing of personal health data: any use of personal health data for a specific purpose, such as collection, recording, alignment, storage and disclosure or a combination of such uses,
  6. personal health data filing systems: filing systems, records, etc. where personal health data are systematically stored so that information concerning a natur person may be retrieved,
  7. health data filing system established for therapeutic purposes: a system of patient records and information or other personal health data filing system for the purpose of providing a basis for acts that have preventive, diagnostic, therapeutic, health-preserving or rehabilitative objective in relation to the individual patient and that are performed by health personnel, and the administration of such acts,
  8. data controller: the person who determines the purpose of the processing of personal health data and which means are to be used, unless responsibility for such data control is specially prescribed in the Act or in regulations laid down pursuant to the Act,
  9. data processor: the person who processes personal health data on behalf of the controller,
  10. the data subject: the person to whom personal health data may be linked,
  11. consent: any freely given, specific and informed declaration by the data subject to the effect that he or she agrees to the processing of personal health data relating to him or her.

Section 3 Substantive scope of the Act

This Act shall apply to

  1. processing of personal health data in the public health administration and public health services that takes place wholly or partly by automatic means to achieve the purposes set out in section 1, and
  2. other processing of personal health data in the public health administration and public health services for such purposes, when the personal health data are part of or are intended to be part of a personal health data filing system.

This Act shall apply to both public and private activities.

The King in Council may by regulations decide that this Act or parts of this Act shall apply to the processing of personal health data outside the public health administration and public health services in order to fulfil the purposes set out in section 1.

Section 4 Territorial extent of the Act

This Act shall apply to data controllers who are established in Norway. The King may by regulations decide that the Act shall wholly or partly apply to Svalbard and Jan Mayen, and lay down special rules regarding the processing of personal health data for these areas.

This Act shall also apply to data controllers who are established in states outside the territory of the EEA if the controller makes use of technical equipment in Norway. However, this shall not apply if such equipment is used only to transfer personal health data through Norway.

Controllers such as are mentioned in the second paragraph shall have a representative who is established in Norway. The provisions that apply to the controller shall also apply to the representative.

Chapter 2. Permission to process personal health data, establishment of personal health data filing systems, collection of data, etc.

Section 5 Processing of personal health data, obligation to obtain a licence, etc.

Personal health data may only be processed by automatic means when this is permitted pursuant to sections 9 and 33 of the Personal Data Act, or it is so provided by statute and is not prohibited on other special legal grounds. The same applies to other processing of personal health data, if the data are part of or are intended to be part of a personal health data filing system.

The obligation to obtain a licence pursuant to section 33 of the Personal Data Act shall not apply to the processing of personal health data that takes place pursuant to regulations laid down pursuant to sections 6 to 8. Before personal health data may be obtained for processing pursuant to the first paragraph, the data subject must give his consent, unless otherwise provided by or pursuant to statute.

Sections 4-3 to 4-8 of the Patients’ Rights Act shall apply correspondingly to consent pursuant to this Act. Children between 12 and 16 years of age may themselves make decisions regarding consent if, for reasons that should be respected, the patient does not wish the data to be made known to his parents or other persons with parental responsibility.

Section 6 Personal health data filing system established for therapeutic purposes

Personal health data filing systems established for therapeutic purposes may be kept by automatic means. It shall be evident from the filing system who has recorded the data. This may be done by means of an electronic signature or corresponding secure documentation.

Regional health enterprises and health enterprises, municipalities and other public or private establishments which make use of personal health data filing systems established for therapeutic purposes shall be data controllers. The enterprise and the municipality may delegate responsibility for controlling the data.

The King may by regulations prescribe further rules regarding the processing of personal health data in personal health data filing systems established for therapeutic purposes, including rules regarding the approval of software and other matters as mentioned in section 16, fourth paragraph.

Section 7 Regional and local personal health data filing systems

No regional or local personal health data filing systems may be established other than those authorized by this Act or another statute.

The King in Council may by regulations prescribe further rules regarding the establishment of regional personal health data filing systems and the processing of personal health data in such filing systems in order to perform functions pursuant to the Communicable Diseases Control Act, the Specialized Health Services Act and the Dental Health Services Act. The name, personal identity number or other characteristics that directly identify a natural person may only be processed with the consent of the data subject. The latter’s consent is not necessary if the regulations provide that the personal health data may only be processed in pseudonymized or de-identified form. The regulations shall state the purpose of the processing of the personal health data, which data may be processed, and, if appropriate, prescribe further rules as to who shall effect the pseudonymization and principles for how this shall be done. The regional health enterprise is the data controller, unless otherwise provided by the regulations. Responsibility for controlling the data may be delegated.

The King in Council may by regulations prescribe further rules regarding the establishment of local personal health data filing systems and the processing of personal health data in such filing systems in order to perform functions pursuant to the Municipal Health Services Act and the Communicable Diseases Control Act. The name, personal identity number or other characteristics that directly identify a natural person may only be processed with the consent of the data subject. The latter’s consent is not necessary if the regulations provide that the personal health data may only be processed in pseudonymized or de-identified form. The regulations shall state the purpose of the processing of the personal health data, which data may be processed, and if, appropriate, prescribe further rules as to who shall effect the pseudonymization and principles for how this shall be done. The municipality is the data controller, unless otherwise provided by the regulations. Responsibility for controlling the data may be delegated.

Section 8 Central personal health data filing systems

No central personal health data filing systems may be established other than those authorized by this Act or another statute.

The King in Council may by regulations prescribe further rules regarding the establishment of central personal health data filing systems and the processing of personal health data in such filing systems in order to perform functions pursuant to the Pharmacies Act, the Municipal Health Services Act, the Dental Health Services Act, the Communicable Diseases Control Act and the Specialized Health Services Act, including the general management and planning of services, quality improvement, research and statistics. The name, personal identity number or other characteristics that directly identify a natural person may only be processed with the consent of the data subject. The latter’s consent is not necessary if the regulations provide that the personal health data may only be processed in pseudonymized or de-identified form. If appropriate the regulations shall prescribe further rules regarding who shall effect the pseudonymization and principles for how this shall be done.

In the following personal health data filing systems , the name, personal identity number and other characteristics that directly identify a natural person may be processed without the consent of the data subject insofar as this is necessary to achieve the purpose of the filing system :

  1. The Causes of Death Registry
  2. The Cancer Registry
  3. The Medical Birth Registry
  4. The System of Surveillance of Infectious Diseases
  5. The Central Tuberculosis Surveillance Registry
  6. The System for Immunization Surveillance and Control (SYSVAK)

The King in Council may by regulations prescribe further rules regarding the processing of the personal health data in the personal health data filing systems.

Pursuant to the second and third paragraphs, the regulations shall state the purpose of the processing of the personal health data and which data shall be processed. Moreover, the regulations shall state who shall be data controller.

Responsibility for controlling the data may be delegated. The regulations should also prescribe rules regarding the duty of the data controller to make data available so that the purposes may be achieved.

Section 9 Particularly concerning the collection of personal health data for central, regional and local personal health data filing systems, notification requirements, etc.

Establishments and health personnel who offer or provide services in accordance with the Pharmacies Act, the Municipal Health Services Act, the Communicable Diseases Control Act, the Specialized Health Services Act or the Dental Health Services Act have an obligation to disclose or transfer data as prescribed in regulations pursuant to sections 7 and 8 and to this section.

The King may prescribe regulations regarding the collection of personal health data pursuant to sections 7 and 8, including rules regarding who shall give and receive data and regarding time limits, requirements as regards the form in which the data is to be provided and reporting forms. The recipient of the data shall notify the person sending the data if the data are deficient.

Section 10 Particularly concerning the duty to report data for statistical purposes

The Ministry may by regulations or by administrative decision order regional health enterprises and health enterprises, counties and municipalities to report de-identified or anonymous data for statistical purposes, including issuing further rules regarding the use of standards, classification systems and coding systems.

Chapter 3General rules regarding the processing of personal health data

Section 11 Requirements regarding specification of purpose, objectiveness, relevance, etc.

All processing of personal health data shall have an explicitly stated purpose that is objectively justified by the activities of the data controller. The controller shall ensure that the personal health data that are processed are relevant to and necessary for the purpose of the processing of the data.

Personal health data may only be used for purposes other than the provision of medical assistance for the individual patient or for the administration of such assistance when it is necessary for the person to be identifiable in order to achieve these purposes. Reasons shall always be given for why it is necessary to use data relating to an identifiable person. Pursuant to section 31, the supervisory authority may require that the data controller present the reasons.

Personal health data may not be used for purposes that are incompatible with the original purpose of the collection of the data without the consent of the data subject.

Section 12 Alignment of personal health data

Personal health data in personal health data filing systems established for therapeutic purposes may be aligned with data relating to the same patient in another personal health data filing system established for therapeutic purposes to the extent that the personal health data may be disclosed pursuant to sections 25, 26 and 45 of the Health Personnel Act. The said personal health data may also be aligned with data from the national population register relating to the data subject.

Personal health data collected pursuant to section 9 may be aligned in accordance with further rules prescribed in regulations laid down pursuant to sections 7 and 8.

Beyond what is authorized by the first and second paragraphs, personal health data may only be aligned when this is authorized pursuant to sections 9 and 33 of the Personal Data Act.

Section 13 Access to personal health data in the data controller’s and the data processor’s institution

Only the data controller, the data processors and persons working under the instructions of the controller or the processor may be granted access to personal health data. Access may only be granted insofar as this is necessary for the work of the person concerned and in accordance with the rules that apply regarding the duty of confidentiality

Section 14 Disclosure of personal health data

Personal health data may be disclosed or transferred for alignment that is authorized pursuant to section 12. Aligned personal health data may, after the name and personal identity number have been removed, be disclosed or transferred to an enterprise as decided by the Ministry, when the purpose is to de-identify or anonymize the data.

Personal health data may, moreover, be disclosed or transferred when disclosure or transfer is authorized by or pursuant to statute, and the recipient of the data is authorized to process them pursuant to the Personal Data Act.

Section 15 Duty of confidentiality

Any person who processes personal health data pursuant to this Act has a duty of confidentiality pursuant to sections 13 to 13 e of the Public Administration Act and the Health Personnel Act.

The duty of confidentiality pursuant to the first paragraph also applies to the patient’s place of birth, date of birth, personal identity number, pseudonym, nationality, civil status, occupation, residence and place of work. Data may only be given to other administrative agencies pursuant to section 13 b, nos. 5 and 6, of the Public Administration Act when this is necessary to facilitate the fulfilment of tasks pursuant to this Act, or to prevent significant danger to life or serious injury to a person’s health.

Section 16 Ensuring confidentiality, integrity, quality and accessibility

The data controller and the data processor shall by means of planned, systematic measures, ensure satisfactory data security with regard to confidentiality, integrity, quality and accessibility in connection with the processing of personal health data.

To achieve satisfactory data security, the controller and the processor shall document the data system and the security measures. Such documentation shall be accessible to the employees of the controller and of the processor. The documentation shall also be accessible to the supervisory authorities.

Any controller who allows other persons to have access to personal health data, e.g. a data processor or other persons performing tasks in connection with the data system, shall ensure that the said persons fulfil the requirements set out in the first and second paragraphs.

The King may prescribe regulations regarding data security in connection with the processing of personal health data pursuant to this Act. The King may for instance set further requirements as regards electronic signatures, communication and long-term storage, the authorization of software and the use of standards, classification systems and coding systems, and which national or international system of standards shall be followed.

Section 17 Internal control

The data controller shall establish and maintain such planned and systematic measures as are necessary to fulfil the requirements laid down in or pursuant to this Act, including measures to ensure the quality of personal health data.

The controller shall document the measures. The documentation shall be accessible to the employees of the controller and of the processor. The documentation shall also be accessible to the supervisory authorities.

The King may by regulations prescribe further rules regarding internal control.

Section 18 The data processor’s right of disposition over personal health data

No data processor may process personal health data in any way other than that which is agreed in writing with the data controller. Nor may the data be handed over to another person for storage or manipulation without such agreement. It shall also be stated in the agreement with the controller that the processor undertakes to carry out such security measures as ensue from section 16.

Section 19 Time limit for replying to inquiries, etc.

The data controller shall reply to inquiries regarding access or other rights pursuant to sections 21, 22, 26 and 28 without undue delay and not later than 30 days from the date of receipt of the inquiry.

If special circumstances should make it impossible to reply to the inquiry within 30 days, implementation may be postponed until it is possible to reply. In such case, the controller shall give a provisional reply stating the reason for the delay and when a reply is likely to be given.

Chapter 4The data controller’s duty to provide information and the data subject’s right to access

Section 20 Information to the general public regarding the processing of personal health data pursuant to sections 7 and 8 of this Act

When personal health data are processed in accordance with regulations laid down pursuant to sections 7 and 8, the controller shall on his own initiative inform the general public about what kind of processing of personal health data is being carried out.

Section 21 Right to general information on personal health data filing systems and processing of personal health data

Any person who so requests shall be informed of the kind of processing of personal health data a data controller is performing, and may demand to receive the following information as regards a specific type of processing:

  1. the name and address of the controller and of his representative, if any,
  2. who has the day-to-day responsibility for fulfilling the obligations of the controller,

3.the purpose of the processing of the personal health data,

4.descriptions of the categories of personal health data that are processed,

  1. the sources of the data, and
  2. whether the personal health data will be disclosed, and if so, the identity of the recipient.

The information may be demanded from the controller or from his processor as mentioned in section 18.

Section 22 Right of access

Any person who so requests has a right of access to personal health data filing systems established for therapeutic purposes insofar as this is authorized by section 5-1 of the Patients’ Rights Act and section 41 of the Health Personnel Act.

When personal health data are processed pursuant to sections 5, 7 and 8, the data subject has the right, upon inquiry, in addition to the information specified in section 21, first paragraph, to be informed of:

  1. the categories of data concerning the data subject that are being processed, and
  2. the security measures implemented in connection with the processing insofar as such access does not prejudice security.

The data subject may also demand that the data controller elaborate on the information in section 21, first paragraph, to the extent that this is necessary to enable the data subject to protect his or her own interests.

Information pursuant to the first and second paragraphs may be demanded in writing from the controller or from his processor as mentioned in section 18. The person who is requested to grant access may demand that the data subject submit a written, signed request.

The King may by regulations issue further rules regarding the right of access to the processing of personal health data pursuant to the second and third paragraphs. If special reasons make this necessary, the King may issue regulations to the effect that the data subject must pay compensation to the controller. The compensation may not exceed the actual costs of complying with the demand.

Section 23 Obligation to provide information when data is collected from the data subject

When personal health data is collected from the data subject himself, the data controller shall on his own initiative first inform the data subject of

  1. the name and address of the data controller and of his representative, if any,
  2. the purpose of the processing of the personal health data,
  3. whether the data will be disclosed and if, so, the identity of the recipient,
  4. the fact that the provision of data is voluntary, and
  5. any other circumstances that will enable the data subject to exercise his rights pursuant to this Act in the best possible way, such as information on the right to demand access to data, cf. section 22, and the right to demand that data be rectified and erased, cf. sections 26 and 28.

Notification is not required if there is no doubt that the data subject already has the information in the first paragraph.

Section 24. Obligation to provide information when data is collected from persons other than the data subject

A data controller who collects personal health data from persons other than the data subject shall on his own initiative inform the data subject of the data which are being collected and provide such information as is mentioned in section 23, first paragraph, as soon as the data have been obtained. If the purpose of collecting the data is to communicate them to other persons, the controller may wait to notify the data subject until such disclosure takes place.

The data subject is not entitled to notification pursuant to the first paragraph if

  1. the collection or communication of data is expressly authorized by statute,
  2. notification is impossible or disproportionately difficult, or
  3. there is no doubt that the data subject already has the information which shall be contained in the notification.

When notification is omitted pursuant to the second paragraph, no. 2, the information shall nonetheless be provided at the latest when the data subject is contacted on the basis of the data.

Section 25 Exceptions to the right to information and access

Access to personal health data filing systems established for therapeutic purposes may be denied pursuant to the provisions of section 5-1 of the Patients’ Rights Act.

The right to access pursuant to sections 21 and 22, second paragraph, and the obligation to provide information pursuant to sections 20, 23 and 24 do not encompass data

  1. which, if known, might endanger national security, national defence or the relationship to foreign powers or international organizations,
  2. regarding which secrecy is required in the interests of the prevention, investigation, exposure and prosecution of criminal acts,
  3. which it must be regarded as inadvisable for the data subject to gain knowledge of, out of consideration for the health of the person concerned or for the relationship to persons close to the person concerned,
  4. to which a statutory obligation of professional secrecy applies,
  5. which are solely to be found in texts drawn up for internal preparatory purposes and which have not been disclosed to other persons,
  6. regarding which it will be contrary to obvious and fundamental private or public interests to provide information, including the interests of the data subject himself.

A representative of the patient is entitled to access to information to which the data subject is denied access pursuant to the first paragraph and second paragraph, no. 3, unless the representative is considered unfit thereto. A medical practitioner or lawyer may not be denied access, unless special grounds so indicate.

Any person who refuses to provide access to data pursuant to the first or second paragraph must give the reason for this in writing with a precise reference to the provision governing exceptions.

Chapter 5Special rules regarding rectification and erasure of personal health data

Section 26 Rectification of deficient personal health data

If personal health data which are inaccurate, incomplete or of which processing is not authorized are processed pursuant to sections 5, 7 and 8, the data controller shall on his own initiative or at the request of the data subject rectify the deficient data. The controller shall if possible ensure that the error does not have an effect on the data subject. If the personal health data have been disclosed, the controller shall notify recipients of disclosed data.

The rectification of inaccurate or incomplete personal health data which may be of significance as documentation shall be effected by marking the data clearly and supplementing them with accurate data.

If weighty considerations relating to protection of privacy so warrant, the Data Inspectorate may, notwithstanding the second paragraph, decide that rectification shall be effected by erasing or blocking the deficient personal health data. If the data may not be destroyed pursuant to the Archives Act, the Director General of the National Archives of Norway shall be consulted prior to making an administrative decision regarding erasure. This decision shall take precedence over the provisions of sections 9 and 18 of the Archives Act of 4 December 1992 No. 126.

Erasure should be supplemented by the recording of accurate and complete data. If this is impossible, and the document that contained the erased data therefore provides a clearly misleading picture, the entire document shall be erased.

Sections 42 to 44 of the Health Personnel Act shall apply to rectification and erasure of personal health data in personal health data filing systems established for therapeutic purposes. The second and third sentences of the first paragraph apply correspondingly.

Section 27 Prohibition against storing unnecessary personal health data

The data controller shall not store personal health data longer than is necessary to carry out the purpose of the processing of the data. If the personal health data shall not thereafter be stored in pursuance of the Archives Act or other legislation, they shall be erased.

In regulations laid down pursuant to sections 6 to 8, it may be decided that personal health data may be stored for historical, statistical or scientific purposes, if the public interest in the data being stored clearly exceeds the disadvantages this may entail for the person concerned. In this case, the controller shall ensure that the data are not stored longer than necessary in ways that make it possible to identify the data subject.

Section 28. Erasure or blocking of personal health data which are regarded as disadvantageous by the data subject

The data subject may demand that personal health data processed pursuant to sections 5, 7 and 8 shall be erased or blocked if the processing is considered to be strongly disadvantageous to the data subject and there are no strong general considerations that warrant processing the data. The demand for the erasure or blocking of such data shall be made to the data controller.

After the Director General of the National Archives of Norway has been consulted, the Data Inspectorate may decide that the right to erase data pursuant to the first paragraph shall take precedence over the provisions of sections 9 and 18 of the Archives Act of 4 December 1992 No. 126. If the document that contained the erased data gives a clearly misleading picture after the erasure, the entire document shall be erased.

Demands for erasure of personal health data in personal health data filing systems established for therapeutic purposes shall be decided pursuant to section 43 of the Health Personnel Act.

Chapter 6Supervision, control and sanctions

Section 29 Obligation to notify the Data Inspectorate

The data controller shall notify the Data Inspectorate before processing personal health data by automatic means and before establishing a manual personal health data filing system.

Notification shall be given not later than 30 days prior to commencement of the data processing. The Data Inspectorate shall give the controller a receipt of notification. New notification must be given prior to processing of personal health data that exceeds the limits for processing provided for in section 30. Even if no changes have taken place, new notification shall be given three years after the previous notification was given.

The King may prescribe regulations to the effect that certain methods of personal health data processing or data controllers are exempted from the obligation to give notification or are subject to a simplified obligation to give notification.

Section 30 Content of the notification

The notification to the Data Inspectorate shall provide information regarding

  1. the name and address of the data controller and of his representative, if any, and the data processor,
  2. when the processing of the personal health data will begin,
  3. who has the day-to-day responsibility for fulfilling the obligations of the controller,
  4. the purpose of the processing of the personal health data,
  5. an overview of the categories of personal health data that are to be processed,
  6. the sources of the personal health data,
  7. the legal basis for collecting the personal health data,
  8. the persons to whom the personal health data will be disclosed, including recipients in other countries, if any, and
  9. the security measures related to the processing of the personal health data.

The King may prescribe regulations regarding the data that notifications shall contain and implementation of the obligation to give notification.

Section 31 The supervisory authorities

The Data Inspectorate supervises that the provisions of the Act are complied with and that errors or deficiencies are rectified, cf. section 42 of the Personal Data Act, unless responsibility for supervision lies with the Norwegian Board of Health or the chief county medical officer pursuant to Act of 30 March 1984 No. 15 on government supervision of public health services.

The supervisory authorities may demand any data necessary to enable them to carry out their functions.

In connection with its verification of compliance with statutory provisions, the supervisory authorities may demand admittance to places where personal health data filing systems, personal health data that are processed automatically and technical aids for such processing are located. The supervisory authorities may carry out such tests or inspections as they deem necessary and may demand such assistance from the personnel in such places as is necessary to carry out the tests or inspections.

The right to demand information or admittance to premises and aids pursuant to the second and third paragraphs shall apply notwithstanding any obligation of professional secrecy.

The supervisory authorities and other persons who are in the service of the supervisory authorities shall be subject to provisions of professional secrecy pursuant to section 15. The obligation of professional secrecy shall also apply to information concerning security measures.

The King may prescribe regulations regarding exemptions from the first to fourth paragraphs in the interests of the security of the realm. The King may also issue regulations concerning the reimbursement of expenses incurred in connection with inspections. Recovery of any amount outstanding in the reimbursement of such expenses may be enforced by execution.

Section 32. Authorization to issue orders

The Data Inspectorate may issue orders to the effect that the processing of personal health data which is contrary to provisions laid down in or pursuant to this Act shall cease, or impose conditions which must be fulfilled in order for the processing of the personal health data to be in compliance with this Act. If, furthermore, it must be assumed that the processing of personal health data may have adverse consequences for patients, the Norwegian Board of Health may issue such orders as mentioned. When the Data Inspectorate has issued an order, the Norwegian Board of Health shall be informed accordingly. When the Norwegian Board of Health has issued an order, the Data Inspectorate shall be informed accordingly.

Orders pursuant to the first paragraph shall include a time limit for compliance with the order.

Decisions made by the Data Inspectorate in pursuance of sections 26, 28, 31, 32 and 33 may be appealed to the Privacy Appeals Board.

Section 33 Coercive fine

In connection with orders pursuant to section 32, the Data Inspectorate may impose a coercive fine which will run for each day from the expiry of the time limit set for compliance with the order until the order has been complied with.

The coercive fine shall not run until the time limit for lodging an appeal has expired. If the administrative decision is appealed, the coercive fine shall not run until so decided by the appeals body.

The Data Inspectorate may waive a coercive fine that has been incurred.

Section 34 Penalties

Anyone who wilfully or through gross negligence

  1. processes personal health data contrary to sections 16 or 18,
  2. omits to provide information to the data subject pursuant to sections 23 or 24,
  3. omits to send notification to the Data Inspectorate pursuant to section 29,
  4. omits to provide information to the supervisory authorities pursuant to section 31, or
  5. omits to comply with orders of The supervisory authorities pursuant to section 32,

shall be liable to fines or imprisonment for a term not exceeding one year or both.

In particularly aggravating circumstances, a sentence of imprisonment for a term not exceeding three years may be imposed. In deciding whether there are particularly aggravating circumstances, emphasis shall be placed, inter alia on the risk of great damage or inconvenience to the data subject, the gain sought by means of the violation, the duration and scope of the violation, manifest fault, and on whether the data controller has previously been convicted of violating similar provisions.

An accomplice shall be liable to similar penalties.

In regulations issued pursuant to this Act, it may be prescribed that any person who wilfully or through gross negligence violates such regulations shall be liable to fines or imprisonment for a term not exceeding one year or both.

Section 35 Compensation

The data controller shall compensate damage suffered as a result of the fact that personal health data have been processed contrary to provisions laid down in or pursuant to this Act, unless it is established that the damage is not due to error or neglect on the part of the controller.

The compensation shall be equivalent to the financial loss incurred by the injured party as a result of the unlawful processing of the personal health data. The controller may also be ordered to pay such compensation for damage of a non-economic nature (compensation for non-pecuniary damage) as seems reasonable.

Chapter 7Relationship to other statutes. Commencement.

Section 36 Relationship to the Act relating to the Processing of Personal Data

Insofar as it is not otherwise provided by this Act, the Personal Data Act and appurtenant regulations shall apply as supplementary provisions.

Section 37 Commencement

This Act shall enter into force from the date decided by the King. The King may decide that the individual provisions of the Act shall enter into force on different dates.

Section 38 Amendments to other statutes

1. Section 3-4, first paragraph, of Act of 19 November 1982 No. 66 relating to Municipal Health Services shall read as follows:

Obligation to notify the municipal administration etc.

The municipality may order health personnel who work within the framework of this Act to provide information for use in planning, management and development of municipal health services. Disclosure of data subject to the duty of confidentiality pursuant to the first sentence shall take place with the consent of the person whom the data concerns, unless otherwise provided by or pursuant to statute.

2. Section 3-4, first paragraph, of Act of 3 June 1983 No. 54 relating to Dental Health Services shall read as follows:

Obligation to notify the county administration, etc.

The county may order health personnel who work within the framework of this Act to provide information for use in planning, management and development of county dental health services. Disclosure of data subject to the duty of confidentiality pursuant to the first sentence shall take place with the consent of the person whom the data concerns, unless otherwise provided by or pursuant to statute.

3. Act of 4 December 1992 No. 126 relating to Archives shall be amended as follows:

Section 9, litera c, third sentence, shall read:

Personal data filing systems or parts of a personal data filing system may however be erased pursuant to the provisions of the Personal Data Act, the Personal Health Data Filing System Act and provisions laid down pursuant to sections 7 and 8 of the Personal Health Data Filing System Act.

Section 9, litera d, second sentence, shall read:

Provisions regarding erasure prescribed pursuant to section 27, third and fifth paragraphs, and section 28, fourth paragraph, of the Personal Data Act and sections 7, 8 and 26, third paragraph, and section 28, second paragraph, of the Personal Health Data Filing System Act shall however apply in full.

Section 18, second sentence, shall read:

The provisions of the Personal Data Act and the Personal Health Data Filing System Act regarding rectification and erasure of data shall however apply in full.

4. Section 2-3 of Act of 5 August 1994 No. 55 relating to Control of Communicable Diseases shall read:

Section 2-3. The duty of medical practitioners to report cases. The duty of nurses and midwives to give notification.

A medical practitioner who discovers that a person is infected has a duty to report the case in accordance with regulations laid down pursuant to the fourth paragraph, notwithstanding the statutory duty of secrecy. A nurse or a midwife who in the course of her activities discovers that a person is infected has a duty to give notification in accordance with regulations laid down pursuant to the fourth paragraph, notwithstanding the statutory duty of secrecy.

Any person who pursuant to the first paragraph receives information which is subject to the duty of secrecy has the same duty of secrecy as the person who provides the information.

When a medical practitioner who has a duty to report pursuant to the provision in the first paragraph submits a report identifying a person, the medical practitioner shall inform the person concerned whom the report will be given to and what it will be used for.

The King in Council may prescribe regulations regarding the processing of personal health data, including the use of names, personal identity number or other characteristics that identify a natural person in accordance with the Personal Health Data Filing System. The regulations shall state the purpose of the data processing, and which communicable diseases shall be subject to reporting or notification. The King in Council may also prescribe regulations regarding the duty to report the side effects of preventive measures, and regarding examination, treatment and other measures pursuant to the Act. The King may issue further provisions regarding who shall report or give notification, and regarding requirements as regards the form in which the data are to be reported, reporting forms and time limits for reports and notifications, including who may or shall receive reports and notifications.

Neither private nor public bodies may implement systems for the reporting of communicable diseases in humans without the consent of the Ministry. This shall not apply to internal systems.

In the event of an outbreak of a communicable disease that is hazardous to public health, or when there is a danger of such an outbreak, and when it is necessary in order for the control of communicable diseases, the Norwegian Board of Health may with immediate effect impose on such persons as are mentioned in the first paragraph temporary duties of reporting and notification which deviate from regulations pursuant to the fourth paragraph notwithstanding the statutory duty of secrecy.

Section 3-8, fifth paragraph, shall read:

The King in Council may by regulations prescribe that health care personnel, notwithstanding the statutory duty of secrecy, shall provide information necessary for the implementation of a control system based on vaccination registers, and lay down rules for such registers, cf. the Act relating to Personal Health Data Filing Systems.

Section 7-11, second paragraph, first sentence, shall be repealed.

5. Act of 2 July 1999 No. 64 relating to Health Personnel shall be amended as follows:

Section 35, fourth paragraph, shall read:

Medical practitioners or midwifes shall notify the Medical Birth Registry of deliveries and termination of pregnancies following the twelfth week of pregnancy in accordance with regulations laid down pursuant to the Personal Health Data Filing Systems Act.

Section 37 shall read:

Section 37 Report to personal health data filing systems, etc.

The King may order health personnel holding an authorisation or licence to provide information to health registers in accordance with regulations laid down pursuant to the Act relating to Personal Health Data Filing Systems.