Implementation of GDPR in the health care sector in Norway
How does the Norwegian health care sector work with GDPR?
Legislation process
The General Data Protection Regulation (GDPR), being a regulation rather than a directive, is directly applicable and has direct effect in all EU member states from 25 May 2018. Norway is not an EU member but a member of the European Economic Area (EEA). GDPR was deemed an EEA-relevant EU legal act, so it first had to be incorporated into the EEA Agreement before it could be implemented in Norwegian national law. GDPR was incorporated into the EEA Agreement by an EEA Joint Committee Decision of 6 July 2018.
The Personal Data Act (personopplysningsloven) implements GDPR in Norway by reference to the incorporation of GDPR into the EEA Agreement. The Personal Data Act, and with it GDPR, entered into force in Norway on 20 July 2018.
Health care sector specific regulations
Even before GDPR, the Norwegian health care sector regulations provided strong protection of health data, individual privacy and information security. GDPR therefore does not revolutionize the approach to privacy and data protection in the Norwegian health care sector, but it has heightened the sector's awareness of, and focus on, these issues.
GDPR allows national sector-specific regulation, provided that such regulation does not contradict GDPR. In preparation for the implementation of GDPR in Norway, the Norwegian Ministry of Health and Care Services (Helse- og omsorgsdepartementet) reviewed all legal acts in the health care sector and made the amendments necessary to ensure compatibility with GDPR.
The following legal acts were amended accordingly: the Health Records Act (pasientjournalloven), the Health Personnel Act (helsepersonelloven), the Personal Health Data Filing System Act (helseregisterloven), the Health Research Act (helseforskningsloven) and the Patients' and Users' Rights Act (pasient- og brukerrettighetsloven).
Supervisory Authority
The Norwegian Data Protection Authority (NDPA) (Datatilsynet) oversees and enforces the Personal Data Act. The NDPA is an independent administrative body that reports annually to the Parliament (Storting). Decisions made by the NDPA can be appealed to the Norwegian Data Protection Tribunal (Personvernnemnda).
Notable impacts in health care sector
Strengthening of individuals rights
GDPR strengthens individual rights, which has led to more focus on patients' and users' rights. Individual rights may be limited only where a specific law provides for it. Example: the right to erasure (right to be forgotten) does not apply to patient records, because health personnel have a duty of documentation (dokumentasjonsplikt) under the Health Personnel Act.
Amendment of code of conduct
GDPR encourages the use of codes of conduct. The Code of Conduct for Information Security in the Health and Care Sector (Normen) has been amended to ensure compatibility with GDPR, and its scope has been extended from information security to data protection as well. In line with this, the code is now called the Code of Conduct for Information Security and Data Protection in the Health and Care Sector in Norway.
Appointment of Data Protection Officer (DPO)
Under GDPR, the appointment of a DPO is mandatory for controllers and processors where the processing is carried out by a public authority or body, and where the core activities consist of large-scale processing of special categories of personal data, which include health data. This has led to the appointment of many DPOs in the health care sector.
Prior approval from REK
Approval from the Regional Committees for Medical and Health Research Ethics (REK) was previously considered a necessary and sufficient legal basis for processing personal health data for research purposes. After the implementation of GDPR, this approval is no longer regarded as a necessary and sufficient legal basis for processing. The legal basis for processing personal health data for research purposes must accordingly be found among the legal grounds provided under GDPR.