Act on a Health Sector Database nº. 139/1998
(Passed by Parliament at 123rd session, 1998-99)
Section I – General terms
Section II – Licence and committee on the creation and operation of a health sector database
Section III – Collection of information
Section IV – Access to the database and utilisation of data, etc.
Section V – Monitoring
Section VI – Penalties
Section VII – Various provisions
SECTION I. General terms
Art. 1. Objectives
The objective of this legislation is to authorise the creation and operation of a centralised database of non-personally identifiable health data with the aim of increasing knowledge in order to improve health and health services.
Art. 2. Scope
This legislation extends to the creation and operation of a centralised health sector database. The legislation does not apply to the medical record systems of individual health and research institutions, data collections made in connection with scientific research into individual diseases or groups of diseases, nor to records kept by health and social security authorities on users of the health service and operation of the health service. The legislation does not apply to the storage or handling of, or access to, biological samples.
Art. 3. Definitions
In this legislation the following definitions apply:
1. Health sector database: A collection of data containing information on health and other related information, recorded in a standardised systematic fashion on a single centralised database, intended for processing and as a source of information.
2. Personal data: all data on a personally identified or personally identifiable individual. An individual shall be counted as personally identifiable if he can be identified, directly or indirectly, especially by reference to an identity number, or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
3. Non-personally identifiable data: data on a person who is not personally identifiable as defined in clause 2.
4. Coding: the transformation of words or numbers into an incomprehensible series of symbols.
5. One-way coding: the transformation of words or series of digits into an incomprehensible series of symbols which cannot be traced by means of a decoding key.
6. Health data: information on the health of individuals, including genetic information.
7. Genetic data: any data, of whatever type, concerning the hereditary characteristics of an individual or concerning the pattern of inheritance of such characteristics within a related group of individuals. It also refers to all data on the carrying of any genetic information (genes) in an individual or genetic line relating to any aspect of health or disease, whether present as identifiable characteristics or not.
SECTION II. Licence and committee on the creation and operation of a health sector database
Art. 4. Grant of operating licence and payments by licensee
The creation and operation of a health sector database are only permitted to those who have an operating licence by the terms of this legislation.
When an application has been received, the Minister of Health may grant an operating licence to create and operate a health sector database subject to the further terms of this legislation.
The licensee shall pay a fee for the grant of the licence in order to meet the costs of preparing and issuing the licence. The licensee shall also pay a yearly fee equivalent to the costs of the work of the committee under the terms of Art. 6, and other costs pertaining to service and monitoring of the operation, including monitoring by the Data Protection Commission under the terms of legislation on the recording and handling of personal data, and costs of publication and publicity cp. Art. 8.
The licensee shall pay all costs of processing information for entry onto the database, cp. Clause 8, Art. 5.
The minister and licensee may agree on further payments to the Treasury, which shall be devoted to promoting the health service, research and development.
Art. 5. Conditions of licence etc.
An operating licence for the creation and operation of a health sector database is contingent upon the following conditions:
1. The database must be located exclusively here in Iceland.
2. Technical, security and organisational standards meet the requirements of the Data Protection Commission.
3. The recording and processing of health data shall be carried out by, or under the supervision of, people who are professionally qualified in the health sector.
4. Detailed information shall be available on the area of activity and projects of the applicant for a licence.
5. A detailed work plan from the applicant shall be available, which shall fulfil the conditions and objectives of this Act regarding working arrangements and progress.
6. The operation of the database shall be financially separate from the licensee’s other business.
7. The Ministry of Health and Social Security and the Director General of Public Health shall at all times have access to statistical data from the database in accessible form, so that they will be of use in statistical processing for compiling health reports and planning, policy-making and other projects of the parties specified.
8. The licensee shall pay all costs of processing data from health institutions and self-employed health workers for entry onto the database. The data shall be processed in a manner that fulfils the needs of the relevant institution or self-employed health worker for a standardised information system, the needs of medical specialist fields and the requirements of health authorities, cp. Clause 7, and so that it can be used in scientific research.
9. The licence shall be temporary, and it shall not be granted for more than 12 years at a time.
10. The licensee shall hand over to the committee cp. art. 6 a copy of the database, which shall be updated regularly, to be further specified in the licence. A copy of the database shall always be stored in a bank safety deposit box, or in some other secure manner, to be further specified in the licence.
11. The licensee shall ensure that after the expiry of the period of the licence, the Minister of Health and Social Security, or the party assigned by the Minister to operate the database, shall receive indefinite use of all software and right required for the maintenance and operation of the database.
The Minister may make the licence subject to further conditions than those specified above.
At the end of the period of the licence by the terms of the licence, the Minister shall make a decision on the operation of the database, after receiving the opinion of the committee cp. art. 6 and the Data Protection Commission. The same applies if the licence is revoked or if the licence is withdrawn from the licensee by the terms of this legislation.
The licence and database under the terms of this legislation cannot be transferred, nor can they be subjected to attachment for debt. Neither the licence nor the database may be used as collateral for financial liabilities.
Art. 6. Committee on the creation and operation of a health service database
The Minister shall appoint a committee on the creation and operation of a database under the terms of this legislation. The committee shall comprise three people and three substitutes, appointed for four years at a time. One shall be a health sector worker with a knowledge of epidemiology, another shall have knowledge of information technology and/or computer science, and the third shall be a lawyer, and shall chair the committee. Their substitutes shall fulfil the same conditions.
The role of the committee is to ensure that the creation and operation of the database are in keeping with the terms of this legislation, regulations made on the basis of the legislation, and conditions laid down in the operating licence, in so far as this does not fall within the ambit of the Data Protection Commission. The committee shall supervise the negotiation of contracts between the licensee on the one hand and health institutions and self-employed health workers on the other. It shall protect the interests of health authorities, health institutions, self-employed health workers and scientists in the drawing up of agreements. The sum to be paid by the licensee under the terms of para. 3, Art. 4 shall be negotiated by the committee, as shall recompense in the form of access to data from the database for health institutions, self-employed health workers and their staff for purposes of scientific research.
The committee shall advise the Ministry of Health and the Director General of Public Health on the utilisation of data from the database. Should the operating licence be revoked or the licence withdrawn from the licensee, the database shall be operated by the committee until the Minister has reached a decision on its long-term operation, cp. Para. 3, Art. 5.
The committee shall be provided with staff and working facilities. The committee shall seek specialist assistance as deemed necessary.
The committee shall inform the Minister and the Data Protection Commission without delay if it believes that there is some defect in the operation of the database.
The committee shall, no later than 1 March each year, submit a report to the Minister on the operations of the past year.
SECTION III. Collection of information
Art. 7. Access to data from health records
With the consent of health institutions or self-employed health workers, the licensee may be provided with data derived from medical records for entry onto a health sector database. The health institutions shall confer with the physicians’ council and specialist management of the relevant institution before contracts are concluded with the licensee.
In the handling of records, other data and information, the conditions deemed necessary by the Data Protection Commission at any time shall be complied with. Personal identification shall be coded before entry on the database, so that it is ensured that the licensee’s staff work only with non-personally identifiable data. The staff of the relevant health institution or self-employed health workers shall prepare the data for entry on the health-sector database. Health data shall be transferred in coded form in order to ensure their security. Personal identification shall be coded one-way, i.e. by coding that cannot be traced using a decoding key. The Data Protection Commission shall carry out further coding of personal identification, using those methods that the commission deems to ensure confidentiality best.
With regard to access to data from medical records, this shall otherwise be subject to the Acts on the rights of patients, on physicians, on the health service and on the recording and handling of personal data.
Art. 8. Rights of patients
A patient may request at any time that information on him/her not be entered onto the health-sector database. The patient’s request may apply to all existing information on him/her or that which may be recorded in the future, or to some specific information. Such a request must be complied with. The patient shall inform the Director General of Public Health of his/her wish. The Director General of Public Health shall produce forms for giving such notice, and shall ensure that these are available at health institutions and at the premises of self-employed health workers. The Director General of Public Health shall ensure that a coded register of the relevant patients is always accessible for those who carry out the entry of data onto the health-sector database.
The Director General of Public Health shall ensure that information on the health-sector database and on the rights of patients cp. para. 1 shall be accessible to the public. Health institutions and self-employed health workers shall have this information available to patients on their premises.
SECTION IV. Access to the database and utilisation of data, etc.
Art. 9. Access by health authorities to data on the health-sector database
The Ministry of Health and Director General of Public Health shall always be entitled to statistical data from the health sector database so that it may be used in statistical processing for the making of health reports and planning, policy-making and other projects of these bodies. This information to the specified parties shall be provided free of charge.
Art. 10. Utilisation of the health sector database
Data recorded or acquired by processing on the health-sector database may be used to develop new or improved methods of achieving better health, prediction, diagnosis and treatment of disease, to seek the most economic ways of operating health services, and for making reports in the health sector.
The licensee shall be authorised to process data on the health sector database from the health data recorded there, provided that data are processed and connected in such a way that they cannot be linked to identifiable individuals. The licensee shall develop methods and protocols that meet the requirements of the Data Protection Commission in order to ensure confidentiality in connecting data from the health-sector database, from a database of genealogical data, and from a database of genetic data. With regard to linking the data on the health-sector database with other databases than those specified here, the Act on recording and handling of personal data shall apply. It is not permissible to give information on individuals, and this shall be ensured e.g. by limitation of access.
The licensee may not grant direct access to data on the database.
The licensee is authorised during the period of the licence to use the data on the database for purposes of financial profit, under the conditions laid down in this legislation and the licence.
The health service database may not be transported out of Iceland, and processing of it may only be carried out here in Iceland.
Art. 11. Confidentiality
Employees of the licensee, including contractors, are bound by an obligation of confidentiality on matters that they become aware of in their work which should remain confidential, by law or by their nature. They shall sign an oath of confidentiality before they begin work. The obligation of confidentiality remains in force, even if employment ceases.
SECTION V. Monitoring
Art. 12. Monitoring of the creation and operation of a health-sector database
The Data Protection Commission shall monitor the creation and operation of the health sector database with regard to recording and handling of personal data and the security of data on the database, and is responsible for monitoring compliance with conditions laid down by the commission.
The committee on the operation of the database, cp. Art. 6, shall be responsible for monitoring the compliance in every way of the activities of the health sector database with the terms of this legislation, regulations issued under the terms of this legislation, and the conditions of the licence. The committee shall monitor all questions to and processing from the database. It shall regularly send to the Science Ethics Committee a record of all questions processed on the database, together with information on the enquirers.
The minister shall issue regulations on an interdisciplinary ethics committee which shall assess studies carried out within the licensee’s company and questions which are received. The committee’s evaluation must reveal that there is no scientific or ethical reason to prevent the study in question being carried out, or the questions processed from the database.
SECTION VI. Penalties
Art. 13. Revocation of licence
The Minister may revoke the licence under the terms of this legislation if the licensee or the licensee’s employees violate the terms of legislation, if the conditions of the licence are not fulfilled, or if the licensee becomes unable to operate the database. Should the licensee violate the terms of this legislation or not comply with the conditions of the licence, the Minister shall give the licensee a written warning, allowing a reasonable period of grace to rectify matters. Should the licensee not comply with such a warning, the licence shall be revoked. In the case of deliberate violation or gross negligence, the Minister may revoke the licence without notice and without allowing time for rectification.
Art. 14. Penalties
Violation of the terms of this legislation entails fines or imprisonment for up to three years, unless a more severe penalty is prescribed in other legislation.
The same penalties apply to failure to comply with the conditions for granting of an operating licence under the terms of this legislation, or government regulations under the terms of the legislation, or failure to comply with a command or prohibition under the terms of the legislation, or government regulations under the terms of the legislation.
A legal entity may be sentenced to pay fines due to violation of this Act or regulations based on it. A legal entity may be fined regardless of the guilt of its employees. The legal entity shall be responsible for payment of a fine imposed upon an employee of the legal entity, provided that the offence is connected to the employee’s work for the legal entity.
Art. 15. Withdrawal of licence etc.
The licensee may, in addition to the penalties specified in Art. 14, be subject to revocation of the licence by legal verdict, in the case of deliberate violation or gross negligence.
Equipment which has been used for serious violation of this legislation may be confiscated, together with the profits of the violation, cp. Art. 69 of the Penal Code nº 19/1940.
Attempted violation, and participation in violation, of this legislation are subject to penalties as stated in section III of the Penal Code, nº 19/1940.
Art. 17. Compensation
Should the licensee, an employee of the licensee or a person assigned to process data violate the provisions of this Act with regard to confidentiality, regulations issued on the basis of them, or the conditions laid down by the Data Protection Commission, the licensee shall compensate the person to whom the data relate for financial loss which this has caused.
The licensee, however, is not obliged to compensate for loss which the licensee proves not to be attributable to a mistake or negligence on the licensee’s part, or that of an employee or processor.
SECTION VII. Various provisions
Art. 18. Regulations
The Minister may prescribe further terms on the practice of this Act by issuing regulations.
The Minister shall issue regulations on the activity of the committee on operation of a health sector database under Art. 6, and on limitation of access under para. 2 art. 10.
Art. 18. Enactment
This Act shall take force immediately.
This Act shall be reviewed no later than 10 years after its enactment.
The licensee’s licence fee under para. 3, Art. 4 shall for the first year be based upon estimated costs pertaining to the preparation and monitoring of the operations of the health sector database.
The entry of data onto the health-sector database shall not commence until six months after the enactment of this Act.
Before processing begins on the health-sector database, the committee on the operation of the database cp. art. 6 shall ensure that the assessment of an independent expert on the security of information systems has been sought.
Passed by the Alþingi 17 December 1998.