Chapter 1 Purpose, definitions, substantive scope and extent of the Act
Section 1 Purpose of the Act
The purpose of this Act is to contribute towards providing public health services and the public health administration with information and knowledge without violating the right to privacy, so as to ensure that medical assistance may be provided in an adequate, effective manner. Through research and statistics, the Act shall contribute towards information on and knowledge of the state of public health, causes of impaired health and illness trends for administration, quality assurance, planning and management purposes. The Act shall ensure that personal health data are processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and respect for private life and ensure that personal health data are of adequate quality.
Section 2 Definitions
For the purposes of this Act, the following definitions shall apply:
1. personal health data: any information subject to the duty of secrecy pursuant to section 21 of the Act relating to Health Care Personnel and other information and assessments regarding health matters or that are significant for health matters, that may be linked to a natural person,
2. de-identified personal health data: personal health data from which the name, national identity number and other characteristics serving to identify a person have been removed, so that the data can no longer be linked to an individual person, and where the identity can only be traced through alignment with the same data that were previously removed,
3. anonymous data: data from which the name, national identity number and other characteristics serving to identify a person have been removed, so that the data can no longer be linked to an individual person,
4. pseudonymous health data: personal health data in which the identity has been encrypted or otherwise concealed, but nonetheless individualized so that it is possible to follow each person through the health system without his identity being revealed,
5. processing of personal health data: any use of personal health data for a specific purpose, such as collection, recording, alignment, storage and disclosure or a combination of such uses,
6. personal health data filing systems: filing systems, records, etc. where personal health data are systematically stored so that information concerning a natural person may be retrieved,
7. health data filing system established for therapeutic purposes: a system of medical records and information or other personal health data filing system for the purpose of providing a basis for actions that have preventive, diagnostic, therapeutic, health protective or rehabilitating aims in relation to the individual patient and that are carried out by health care personnel, and the administration of such actions,
8. data controller: the person who determines the purpose of the processing of personal health data and which means are to be used, unless responsibility for such data control is specially prescribed in the Act or in Regulations laid down pursuant to the Act,
9. data processor: the person who processes personal health data on behalf of the controller,
10. the data subject: the person to whom personal health data may be linked,
11. consent: any freely given, specific and informed declaration by the data subject to the effect that he or she agrees to the processing of personal health data relating to him or her,
Section 3 Substantive scope of the Act
This Act shall apply to
1. processing of personal health data in the public health administration and public health services that takes place wholly or partly by automatic means to achieve the purposes set out in section 1, and
2. other processing of personal health data in the public health administration and public health services for such purposes, when the personal health data are part of or are intended to be part of a personal health data filing system.
This Act shall apply to both public and private activities.
The King in Council may by regulations prescribe that this Act or parts of this Act shall apply to the processing of personal health data outside the public health administration and public health services in order to fulfil the purposes set out in section 1.
Section 4 Territorial extent of the Act
This Act shall apply to data controllers who are established in Norway. The King may by regulations prescribe that the Act shall wholly or partly apply to Svalbard and Jan Mayen, and lay down special rules regarding the processing of personal health data for these areas.
This Act shall also apply to data controllers who are established in states outside the EEA territory if the controller makes use of technical aids in Norway. However, this shall not apply if such aids are only used to transfer personal health data through Norway.
Controllers such as are mentioned in the second paragraph shall have a representative who is established in Norway. The provisions that apply to the controller shall also apply to the representative.
Chapter 2. Permission to process personal health data, establishment of personal health data filing systems, collection of data, duty to report, etc.
Section 5 Processing of personal health data, duty to obtain a licence, etc.
Personal health data may only be processed by automatic means when this is permitted pursuant to sections 9 and 33 of the Personal Data Act, or it is so provided by statute and is not prohibited on other special legal grounds. The same applies to other processing of personal health data, if the data are part of or are intended to be part of a personal health data filing system.
The duty to obtain a licence pursuant to section 33 of the Personal Data Act shall not apply to the processing of personal health data that takes place pursuant to regulations laid down pursuant to sections 6 to 8. Before personal health data may be obtained for processing pursuant to the first paragraph, the data subject must give his consent, unless otherwise provided by or pursuant to statute.
Sections 4-3 to 4-8 of the Act relating to Patients’ Rights and Duties shall apply correspondingly to consent pursuant to this Act. Children between 12 and 16 years of age may themselves make decisions regarding consent if, for reasons that should be respected, the patient does not wish the data to be made known to his parents or other persons with parental responsibility.
Section 6 Personal health data filing system established for therapeutic purposes
Personal health data filing systems established for therapeutic purposes may be kept by automatic means. It shall be evident from the filing system who has recorded the data. This may be done by means of an electronic signature or corresponding secure documentation.
Regional health enterprises and health enterprises, municipalities and other public or private establishments which make use of personal health data filing systems established for therapeutic purposes shall be data controllers. The enterprise and the municipality may delegate responsibility for controlling the data.
The King may by regulations prescribe further rules regarding the processing of personal health data in personal health data filing systems established for therapeutic purposes, including rules regarding the approval of software and other matters as mentioned in section 16, fourth paragraph.
Section 7 Regional and local personal health data filing systems No regional or local personal health data filing systems may be established other than those authorized by this Act or another statute.
The King in Council may by regulations prescribe further rules regarding the establishment of regional personal health data filing systems and the processing of personal health data in such filing systems in order to perform functions pursuant to the Communicable Diseases Act, the Specialized Health Services Act and the Dental Health Services Act. The name, national identity number or other characteristics that directly identify a natural person may only be processed with the consent of the data subject. The latter’s consent is not necessary if the regulations provide that the personal health data may only be processed in pseudonymized or de-identified form. The regulations shall state the purpose of the processing of the personal health data, which data may be processed, and, if appropriate, prescribe further rules as to who shall effect the pseudonymization and principles for how this shall be done. The regional health enterprise shall be the data controller, unless otherwise provided by the regulations. Responsibility for controlling the data may be delegated.
The King in Council may by regulations issue further rules regarding the establishment of local personal health data filing systems and the processing of personal health data in such filing systems in order to perform functions pursuant to the Municipal Health Services Act and the Communicable Diseases Act. The name, national identity number or other characteristics that directly identify a natural person may only be processed with the consent of the data subject. The latter’s consent is not necessary if the regulations prescribe that the personal health data may only be processed in pseudonymized or anonymized form.
The regulations shall state the purpose of the processing of the personal health data, which data may be processed, and if, appropriate, lay down further rules as to who shall effect the pseudonymization and principles for how this shall be done. The municipality is the data controller, unless otherwise provided by the regulations. Responsibility for controlling the data may be delegated.
Section 8 Central personal health data filing systems
No central filing systems for personal health data may be established other than those authorized by this Act or another statute.
The King in Council may by regulations prescribe further rules regarding the establishment of central personal health data filing systems and the processing of personal health data in such filing systems in order to perform functions pursuant to the Pharmacies Act, the Municipal Health Services Act, the Dental Health Services Act, the Communicable Diseases Act and the Specialized Health Services Act, including the general management and planning of services, quality improvement, research and statistics. The name, national identity number or other characteristics that directly identify a natural person may only be processed with the consent of the data subject. The latter’s consent is not necessary if the regulations provide that the personal health data may only be processed in pseudonymized or anonymized form. If appropriate, the regulations shall prescribe further rules regarding who shall effect the pseudonymization and principles for how this shall be done.
In the following registers, the name, national identity number and other characteristics that directly identify a natural person may be processed without the consent of the data subject insofar as this is necessary to achieve the purpose of the register:
1. Causes of Death Registry
2. Cancer Registry
3. Medical Birth Registry
4. System of notification of infectious diseases*
5. The Central Tuberculosis Register*
6. System for Vaccination Control (SYSVAK)*
The King in Council may by regulations issue further rules regarding the processing of the personal health data in the personal health data filing systems.
Pursuant to the second and third paragraphs, the regulations shall state the purpose of the processing of the personal health data and which data shall be processed. Moreover, the regulations shall state who shall be data controller.
Responsibility for controlling the data may be delegated. The regulations should also prescribe rules regarding the duty of the data controller to make data available so that the purposes may be achieved.
Section 9 Particularly concerning the collection of personal health data for central, regional and local personal health data filing systems, the duty to report, etc.
Establishments and health care personnel who offer or provide services in accordance with the Pharmacies Act, the Municipal Health Services Act, the Communicable Diseases Act, the Specialized Health Services Act or the Dental Health Services Act have a duty to disclose or transfer data as prescribed in regulations pursuant to sections 7 and 8 and to this section.
The King may issue regulations regarding the collection of personal health data pursuant to sections 7 and 8, including rules regarding who shall give and receive data and regarding time limits, requirements as regards the form in which the data is to be provided and reporting forms. The recipient of the data shall notify the person sending the data if the data are deficient.
Section 10 Particularly concerning the duty to report data for statistical purposes
The Ministry may by regulations or by administrative decision order regional health enterprises and health enterprises, counties and municipalities to report de-identified or anonymous data for statistical purposes, including issuing further rules regarding the use of standards, classification systems and coding systems.
Chapter 3 General rules regarding the processing of personal health data
Section 11 Requirements regarding specification of purpose, objectiveness, relevance, etc.
All processing of personal health data shall have an explicitly stated purpose that is objectively justified by the activities of the data controller. The controller shall ensure that the personal health data that are processed are relevant to and necessary for the purpose of the processing of the data.
Personal health data may only be used for purposes other than the provision of medical assistance for the individual patient or for the administration of such assistance when it is necessary for the person to be identifiable in order to achieve these purposes. Reasons shall always be given for why it is necessary to use data relating to an identifiable person. Pursuant to section 31, the supervisory authority may require that the data controller present the reasons.
Personal health data may not be used for purposes that are incompatible with the original purpose of the collection of the data without the consent of the data subject.
Section 12 Alignment of personal health data
Personal health data in personal health data filing systems established for therapeutic purposes may be aligned with data relating to the same patient in another personal health data filing system established for therapeutic purposes to the extent that the personal health data may be disclosed pursuant to sections 25, 26 and 45 of the Health Care Personnel Act. The said personal health data may also be aligned with data from the national population register relating to the data subject.
Personal health data collected pursuant to section 9 may be aligned in accordance with further rules prescribed in regulations laid down pursuant to sections 7 and 8.
Beyond what is authorized by the first and second paragraphs, personal health data may only be aligned when this is authorized pursuant to sections 9 and 33 of the Personal Data Act.
Section 13 Access to personal health data in the data controller’s and the data processor’s institution
Only the data controller, the data processors and persons working under the instructions of the controller or the processor may be granted access to personal health data.
Access may only be granted insofar as this is necessary for the work of the person concerned and in accordance with the rules that apply regarding the duty of secrecy.
Section 14 Disclosure of personal health data
Personal health data may be disclosed or transferred for alignment that is authorized pursuant to section 12. Aligned personal health data may, after the name and national identity number have been removed, be disclosed or transferred to an enterprise as decided by the Ministry, when the purpose is to de-identify or anonymize the data.
Personal health data may, moreover, be disclosed or transferred when disclosure or transfer is authorized by or pursuant to statute, and the recipient of the data is authorized to process them pursuant to the Personal Data Act.
Section 15 Duty of secrecy
Any person who processes personal health data pursuant to this Act has a duty of secrecy pursuant to sections 13 to 13 e of the Public Administration Act and the Health Care Personnel Act.
The duty of secrecy pursuant to the first paragraph also applies to the patient’s place of birth, date of birth, personal identity number, pseudonym, nationality, civil status, occupation, residence and place of work. Data may only be given to other administrative agencies pursuant to section 13 b, nos. 5 and 6, of the Public Administration Act when this is necessary to facilitate the fulfilment of tasks pursuant to this Act, or to prevent significant danger to life or serious injury to a person’s health.
Section 16 Ensuring confidentiality, integrity, quality and accessibility
The data controller and the data processor shall by means of planned, systematic measures, ensure satisfactory data security with regard to confidentiality, integrity, quality and accessibility in connection with the processing of personal health data.
To achieve satisfactory data security, the controller and the processor shall document the data system and the security measures. Such documentation shall be accessible to the staff of the controller and of the processor. The documentation shall also be accessible to the supervisory authorities.
Any controller who allows other persons to have access to personal health data, e.g. a data processor or other persons performing tasks in connection with the data system, shall ensure that the said persons fulfil the requirements set out in the first and second paragraphs.
The King may prescribe regulations regarding security in connection with the processing of personal health data pursuant to this Act. The King may for instance set further requirements as regards electronic signatures, communication and long-term storage, the authorization of software and the use of standards, classification systems and coding systems, and which national or international system of standards shall be followed.
Section 17 Internal control
The data controller shall establish and maintain such planned and systematic measures as are necessary to fulfil the requirements laid down in or pursuant to this Act, including measures to ensure the quality of personal health data.
The controller shall document the measures. The documentation shall be accessible to the staff of the controller and of the processor. The documentation shall also be accessible to the supervisory authorities.
The King may by regulations issue further rules regarding internal control.
Section 18 The data processor’s right of disposition over personal health data
No data processor may process personal health data in any way other than that which is agreed in writing with the data controller. Nor may the data be handed over to another person for storage or manipulation without such agreement. It shall also be stated in the agreement with the controller that the processor undertakes to carry out such security measures as ensue from section 16.
Section 19 Time limit for replying to inquiries, etc.
The data controller shall reply to inquiries regarding access or other rights pursuant to sections 21, 22, 26 and 28 without undue delay and not later than 30 days from the date of receipt of the inquiry.
If special circumstances should make it impossible to reply to the inquiry within 30 days, implementation may be postponed until it is possible to reply. In such case, the controller shall give a provisional reply stating the reason for the delay and when a reply is likely to be given.
Chapter 4 The data controller’s duty to provide information and the data subject’s right to access
Section 20 Information to the general public regarding the processing of personal health data pursuant to sections 7 and 8 of this Act
When personal health data are processed in accordance with regulations laid down pursuant to sections 7 and 8, the controller shall on his own initiative inform the general public about what kind of processing of personal health data is being carried out.
Section 21 Right to general information on personal health data filing systems and processing of personal health data
Any person who so requests shall be informed of the kind of processing of personal health data a data controller is performing, and may demand to receive the following information as regards a specific type of processing:
1. the name and address of the controller and of his representative, if any,
2. who has the day-to-day responsibility for fulfilling the duties of the controller,
3. the purpose of the processing of the personal health data,
4. descriptions of the categories of personal health data that are processed,
5. the sources of the data, and
6. whether the personal health data will be disclosed, and if so, the identity of the recipient.
The information may be demanded from the controller or from his processor as mentioned in section 18.
Section 22 Right of access
Any person who so requests has a right of access to personal health data filing systems established for therapeutic purposes insofar as this is authorized by section 5-1 of the Patients’ Rights Act and section 41 of the Health Care Personnel Act.
When personal health data are processed pursuant to sections 5, 7 and 8, the data subject has the right, upon inquiry, in addition to the information specified in section 21, first paragraph, to be informed of:
1. the categories of data concerning the data subject that are being processed, and
2. the security measures implemented in connection with the processing insofar as such access does not prejudice security.
The data subject may also demand that the data controller elaborate on the information in section 21, first paragraph, to the extent that this is necessary to enable the data subject to protect his or her own interests.
Information pursuant to the first and second paragraphs may be demanded in writing from the controller or from his processor as mentioned in section 18. The person who is requested to grant access may demand that the data subject submit a written, signed request.
The King may by regulations issue further rules regarding the right of access to the processing of personal health data pursuant to the second and third paragraphs. If special reasons make this necessary, the King may issue regulations to the effect that the data subject must pay compensation to the controller. The compensation may not exceed the actual costs of complying with the demand.
Section 23 Duty to provide information when data is collected from the data subject
When personal health data is collected from the data subject himself, the data controller shall on his own initiative first inform the data subject of
1. the name and address of the data controller and of his representative, if any,
2. the purpose of the processing of the personal health data,
3. whether the data will be disclosed and if, so, the identity of the recipient,
4. the fact that the provision of data is voluntary, and
5. any other circumstances that will enable the data subject to exercise his rights pursuant to this Act in the best possible way, such as information on the right to demand access to data, cf. section 22, and the right to demand that data be rectified and erased, cf. sections 26 and 28.
Notification is not required if it is evident that the data subject already has the information in the first paragraph.
Section 24. Duty to provide information when data is collected from persons other than the data subject
A data controller who collects personal health data from persons other than the data subject shall on his own initiative inform the data subject of the data which are being collected and provide such information as is mentioned in section 23, first paragraph, as soon as the data have been obtained. If the purpose of collecting the data is to transmit them to other persons, the controller may wait to notify the data subject until such disclosure takes place.
The data subject is not entitled to notification pursuant to the first paragraph if
1. the collection or communication of data is expressly authorized by statute,
2. notification is impossible or disproportionately difficult, or
3. it is evident that the data subject already has the information which is to be contained in the notification.
When notification is omitted pursuant to the second paragraph, Nº 2, the information shall nonetheless be provided at the latest when the data subject is contacted on the basis of the data.
Section 25 Exceptions to the right to information and access
Access to personal health data filing systems established for therapeutic purposes may be denied pursuant to the provisions of section 5-1 of the Act relating to Patients’ Rights.
The right to access pursuant to sections 21 and 22, second paragraph, and the duty to provide information pursuant to sections 20, 23 and 24 do not encompass data
1. which, if known, might endanger national security, national defence or the relationship to foreign powers or international organizations,
2. regarding which secrecy is required in the interests of the prevention, investigation, exposure and prosecution of criminal acts,
3. which it must be regarded as inadvisable for the data subject to gain knowledge of, out of consideration for the health of the person concerned or for the relationship to persons close to the person concerned,
4. to which a statutory duty of secrecy applies,
5. which are solely to be found in texts drawn up for internal preparatory purposes and which have not been disclosed to other persons,
6. regarding which it will be contrary to obvious and fundamental private or public interests to provide information, including the interests of the data subject himself.
A representative of the patient is entitled to access to data to which the data subject is denied access pursuant to the first paragraph and second paragraph, Nº 3, unless the representative is regarded as being unsuitable for this purpose. A medical practitioner or lawyer may not be denied access, unless special reasons warrant doing so.
Any person who refuses to provide access to data pursuant to the first or second paragraph must give the reason for this in writing with a precise reference to the provision governing exceptions.
Chapter 5 Special rules regarding rectification and erasure of personal health data
Section 26 Rectification of deficient personal health data
If personal health data which are incorrect, incomplete or of which processing is not authorized are processed pursuant to sections 5, 7 and 8, the data controller shall on his own initiative or at the request of the data subject rectify the deficient data. The controller shall if possible ensure that the error does not have an effect on the data subject. If the personal health data have been disclosed, the controller shall notify recipients of disclosed data.
The rectification of incorrect or incomplete personal health data which may be of importance as documentation shall be effected by marking the data clearly and supplementing them with correct data.
If weighty considerations relating to protection of privacy so warrant, the Data Inspectorate may, notwithstanding the second paragraph, decide that rectification shall be effected by erasing or blocking the deficient personal health data. If the data may not be destroyed pursuant to the Archives Act, the Director General of the National Archives of Norway shall be consulted prior to making an administrative decision regarding erasure. This decision shall take precedence over the provisions of sections 9 and 18 of the Archives Act of 4 December 1992 Nº 126.
Erasure should be supplemented by the recording of correct and complete data. If this is impossible, and the document that contained the erased data therefore provides a clearly misleading picture, the entire document shall be erased.
Sections 42 to 44 of the Health Care Personnel Act shall apply to rectification and erasure of personal health data in personal health data filing systems established for therapeutic purposes. The second and third sentences of the first paragraph apply correspondingly.
Section 27 Prohibition against storing unnecessary personal health data
The data controller shall not store personal health data longer than is necessary to carry out the purpose of the processing of the data. Unless the personal health data shall thereafter be stored in pursuance of the Archives Act or other legislation, they shall be erased.
In regulations laid down pursuant to sections 6 to 8, it may be decided that personal health data may be stored for historical, statistical or scientific purposes, if the public interest in the data being stored clearly exceeds the disadvantages this may entail for the person concerned. In this case, the controller shall ensure that the data are not stored longer than necessary in ways that make it possible to identify the data subject.
Section 28. Erasure or blocking of personal health data which are regarded as disadvantageous by the data subject
The data subject may demand that personal health data processed pursuant to sections 5, 7 and 8 shall be erased or blocked if the processing is considered to be strongly disadvantageous to the data subject and there are no strong general considerations that warrant processing the data. The demand for the erasure or blocking of such data shall be made to the data controller.
After the Director General of the National Archives of Norway has been consulted, the Data Inspectorate may decide that the right to erase data pursuant to the first paragraph shall take precedence over the provisions of sections 9 and 18 of the Archives Act of 4 December 1992 Nº 126. If the document that contained the erased data gives a clearly misleading picture after the erasure, the entire document shall be erased.
Demands for erasure of personal health data in personal health data filing systems established for therapeutic purposes shall be decided pursuant to section 43 of the Health Care Personnel Act.
Chapter 6 Supervision, control and sanctions
Section 29 Duty to notify the Data Inspectorate
The data controller shall notify the Data Inspectorate prior to processing personal health data by automatic means and prior to establishing a manual personal health data filing system.
Notification shall be given no later than 30 days prior to commencement of the data processing. The Data Inspectorate shall give the controller a receipt of notification. New notification must be given prior to processing of personal health data that exceeds the limits for processing prescribed in section 30. Even if no changes have taken place, new notification shall be given three years after the previous notification was given.
The King may issue regulations to the effect that certain methods of personal health data processing or data controllers are exempted from the duty to give notification or are subject to a simplified duty to give notification.
Section 30 Content of the notification
The notification to the Data Inspectorate shall provide information regarding
1. the name and address of the data controller and of his representative, if any, and the data processor,
2. when the processing of the personal health data will begin,
3. who has the day-to-day responsibility for fulfilling the duties of the controller,
4. the purpose of the processing of the personal health data,
5. an overview of the categories of personal health data that are to be processed,
6. the sources of the personal health data,
7. the legal basis for collecting the personal health data,
8. the persons to whom the personal health data will be disclosed, including recipients in other countries, if any, and
9. the security measures related to the processing of the personal health data.
The King may issue regulations regarding the data that notifications shall contain and implementation of the duty to give notification.
Section 31 The supervisory authorities
The Data Inspectorate supervises that the provisions of the Act are complied with and that errors or deficiencies are rectified, cf. section 42 of the Personal Data Act, unless responsibility for supervision lies with the Norwegian Board of Health or the chief county medical officer pursuant to Act of 30 March 1984 Nº 15 on government supervision of public health services.
The supervisory authorities may demand any data necessary to enable them to carry out their functions.
In connection with its verification of compliance with statutory provisions, the supervisory authorities may demand access to places where personal health data filing systems, personal health data that are processed automatically and technical aids for such processing are located. The supervisory authorities may carry out such tests or inspections as they deem necessary and may demand such assistance from the personnel in such places as is necessary to carry out the tests or inspections.
The right to demand data or access to premises and aids pursuant to the second and third paragraphs shall apply notwithstanding any duty of secrecy.
The supervisory authorities and other persons who are in the service of the supervisory authorities shall be subject to the duty of secrecy pursuant to section 15. The duty of secrecy shall also apply to information regarding security measures.
The King may prescribe regulations regarding exemptions from the first to fourth paragraphs in the interests of national security. The King may also issue regulations regarding the reimbursement of expenses incurred in connection with inspections. Recovery of any amount outstanding in the reimbursement of such expenses may be enforced by execution.
Section 32. Authorization to issue orders
The Data Inspectorate may issue orders to the effect that the processing of personal health data which is contrary to provisions laid down in or pursuant to this Act shall cease, or impose conditions which must be fulfilled in order for the processing of the personal health data to be in compliance with this Act. If, furthermore, it must be assumed that the processing of personal health data may have adverse consequences for patients, the Norwegian Board of Health may issue such orders as mentioned. When the Data Inspectorate has issued an order, the Norwegian Board of Health shall be informed accordingly. When the Norwegian Board of Health has issued an order, the Data Inspectorate shall be informed accordingly.
Orders pursuant to the first paragraph shall include a time limit for compliance with the order.
Decisions made by the Data Inspectorate in pursuance of sections 26, 28, 31, 32 and 33 may be appealed to the Privacy Appeals Board.
Section 33 Coercive fine
In connection with orders pursuant to section 32, the Data Inspectorate may impose a coercive fine which shall run for each day from the expiry of the time limit set for compliance with the order until the order has been complied with.
The coercive fine shall not run until after the time limit for lodging an appeal has expired. If the administrative decision is appealed, the coercive fine shall not run until so decided by the appeals body.
The Data Inspectorate may waive a coercive fine that has been incurred.
Section 34 Penalties
Any person who wilfully or through gross negligence
1. processes personal health data contrary to sections 16 or 18,
2. omits to provide information to the data subject pursuant to sections 23 or 24,
3. omits to send notification to the Data Inspectorate pursuant to section 29,
4. omits to provide information to the supervisory authorities pursuant to section 31, or
5. omits to comply with orders of the Data Inspectorate pursuant to section 32, shall be liable to fines or imprisonment for a term not exceeding one year or both.
In particularly aggravating circumstances, a sentence of imprisonment for a term not exceeding three years may be imposed. In deciding whether there are particularly aggravating circumstances, emphasis shall be placed, inter alia on the risk of great damage or inconvenience to the data subject, the gain sought by means of the violation, the duration and scope of the violation, manifest fault, and on whether the data controller has previously been convicted of violating similar provisions.
An accomplice shall be liable to similar penalties.
In regulations issued pursuant to this Act, it may be prescribed that any person who wilfully or through gross negligence violates such regulations shall be liable to fines or imprisonment for a term not exceeding one year or both.
Section 35 Compensation
The data controller shall compensate damage suffered as a result of the fact that personal health data have been processed contrary to provisions laid down in or pursuant to this Act, unless it is established that the damage is not due to error or neglect on the part of the controller.
The compensation shall be equivalent to the financial loss incurred by the injured party as a result of the unlawful processing of the personal health data. The controller may also be ordered to pay such compensation for damage of a non-economic nature (compensation for non-pecuniary damage) as seems reasonable.
Chapter 7 Relationship to other statutes. Commencement.
Section 36 Relationship to the Act relating to the Processing of Personal Data
Insofar as it is not otherwise provided by this Act, the Personal Data Act and appurtenant regulations shall apply as supplementary provisions.
Section 37 Commencement
This Act shall enter into force from the date decided by the King. The King may decide that the individual provisions of the Act shall enter into force on different dates.
Section 38 Amendments to other statutes
1. Section 3-4, first paragraph, of Act of 19 November 1982 Nº 66 relating to Municipal Health Services shall read as follows:
Duty to notify the municipal administration etc.
The municipality may order health care personnel who work within the framework of this Act to provide information for use in planning, management and development of municipal health services. Disclosure of data subject to the duty of secrecy pursuant to the first sentence shall take place with the consent of the person whom the data concerns, unless otherwise provided by or pursuant to statute.
2. Section 3-4, first paragraph, of Act of 3 June 1983 Nº 54 relating to Dental Health Services shall read as follows:
Duty to notify the county administration, etc.
The county may order health care personnel who work within the framework of this Act to provide information for use in planning, management and development of county dental health services. Disclosure of data subject to the duty of secrecy pursuant to the first sentence shall take place with the consent of the person whom the data concerns, unless otherwise provided by or pursuant to statute.
3. Act of 4 December 1992 Nº 126 relating to Archives shall be amended as follows:
Section 9, litera c, third sentence, shall read:
Personal data filing systems or parts of a personal data filing system may however be erased pursuant to the provisions of the Personal Data Act, the Personal Health Data Filing System Act and provisions laid down pursuant to sections 7 and 8 of the Personal Health Data Filing System Act.
Section 9, litera d, second sentence, shall read:
Regulations regarding erasure prescribed pursuant to section 27, third and fifth paragraphs, and section 28, fourth paragraph, of the Personal Data Act and sections 7, 8 and 26, third paragraph, and section 28, second paragraph, of the Personal Health Data Filing System Act shall however apply in full.
Section 18, second sentence, shall read:
The provisions of the Personal Data Act and the Personal Health Data Filing System Act regarding rectification and erasure of data shall however apply in full.
4. Section 2-3 of Act of 5 August 1994 Nº 55 relating to Control of Communicable Diseases shall read:
Section 2-3. The duty of medical practitioners to report cases. The duty of nurses and midwives to give notification.
A medical practitioner who discovers that a person is infected has a duty to report the case in accordance with regulations laid down pursuant to the fourth paragraph, notwithstanding the statutory duty of secrecy. A nurse or a midwife who in the course of her activities discovers that a person is infected has a duty to give notification in accordance with regulations laid down pursuant to the fourth paragraph, notwithstanding the statutory duty of secrecy.
Any person who pursuant to the first paragraph receives information which is subject to the duty of secrecy has the same duty of secrecy as the person who provides the information.
When a medical practitioner who has a duty to report pursuant to the provision in the first paragraph submits a report identifying a person, the medical practitioner shall inform the person concerned whom the report will be given to and what it will be used for.
The King in Council may issue regulations regarding the processing of personal health data, including the use of names, national identity number or other characteristics that identify a natural person in accordance with the Personal Health Data Filing System. The regulations shall state the purpose of the data processing, and which communicable diseases shall be subject to reporting or notification. The King in Council may also prescribe regulations regarding the duty to report the side effects of preventive measures, and regarding examination, treatment and other measures pursuant to the Act. The King may issue further provisions regarding who shall report or give notification, and regarding requirements as regards the form in which the data are to be reported, reporting forms and time limits for reports and notifications, including who may or shall receive reports and notifications.
Neither private nor public bodies may implement systems for the reporting of communicable diseases in humans without the consent of the Ministry. This shall not apply to internal systems.
In the event of an outbreak of a communicable disease that is hazardous to public health, or when there is a danger of such an outbreak, and when it is necessary in order for the control of communicable diseases, the Norwegian Board of Health may with immediate effect impose on such persons as are mentioned in the first paragraph temporary duties of reporting and notification which deviate from regulations pursuant to the fourth paragraph notwithstanding the statutory duty of secrecy.
Section 3-8, fifth paragraph, shall read:
The King in Council may by regulations prescribe that health care personnel, notwithstanding the statutory duty of secrecy, shall provide information necessary for the implementation of a control system based on vaccination registers, and lay down rules for such registers, cf. the Act relating to Personal Health Data Filing Systems.
Section 7-11, second paragraph, first sentence, shall be repealed.
5. Act of 2 July 1999 Nº 64 relating to Health Care Personnel shall be amended as follows:
Section 35, fourth paragraph, shall read:
A medical practitioner or midwife shall report a birth or termination of pregnancy after the twelfth week to the Medical Birth Registry in accordance with regulations laid down pursuant to the Act relating to Personal Health Data Filing Systems.
Section 37 shall read:
Section 37 Report to personal health data filing systems, etc.
The King may order authorized or licensed health care personnel to provide data to personal health data filing systems in accordance with regulations laid down pursuant to the Act relating to Personal Health Data Filing Systems.