Why does NIPH have responsibilities regarding personal data?
Processing other people’s personal data is about showing fundamental respect for privacy and the right to decide over one’s own personal data, as set out in Article 8 of the European Convention on Human Rights (ECHR) and Section 102 of the Norwegian Constitution. To "process" personal data is to use it. Examples of such processing are when FHI collects, registers and organises data, compiles data with other data, or stores or discloses data.
When NIPH processes personal data, we usually act as the “controller”. This means that NIPH (through the Director General) is subject to responsibilities and obligations under the Personal Data Act and the General Data Protection Regulation (GDPR) relating to the personal data that we hold.
NIPH processes personal data in a lawful and secure manner. Personal data must be well-protected at NIPH.
Why does NIPH process personal data?
NIPH processes data about you in order to fulfil our statutory obligations within areas such as infection protection, health preparedness, mental and physical health, environmental factors, drugs and alcohol, tobacco, nutrition, physical activity and other circumstances which impact on health and inequalities in health, health-promoting and preventive measures amongst the general population and international health. We do this in order to maintain and update health registries and to develop, prepare and disseminate registry data.
Data is processed in order to run the organisation. We process correspondence in the form of e-mail and telephone calls, and process and archive data in administrative, filing and archive systems. We process data in connection with public procurements and employment, and through lists of meeting and seminar participants, as well as the intranet. We secure our premises and administrative systems, partly by preparing lists of people who have had access to our premises and activity logs in administrative systems, CCTV surveillance, and in connection with administration, improvements and tasks relating to the website fhi.no.
Laws and regulations when we process personal data
NIPH processes personal data under the provisions of various legislation, including the Personal Data Act, the General Data Protection Regulation, the Personal Health Data Filing System Act, the Health Research Act, the Working Environment Act, the Civil Servants Act and the Archive Act.
We collect and process data either because we have a basis in law or a regulation to do so, or because we have obtained the consent of the person that the data concerns (the data subject).
How NIPH obtains personal data
The manner and method that NIPH uses to collect personal data depends on the origin of the data.
As with most public sector organisations, NIPH must to some extent process personal data in connection with case administration, meetings and visits, the exchange of e-mail and telephone calls, as well as public invitations to tender.
NIPH processes personal data concerning its employees in order to administer salaries and personnel responsibilities. The necessary data is registered to enable the payment of salaries, such as salary level, time recording, tax percentage, tax municipality and trade union membership. Other data concerning employees may include the person’s job description and organisation of the work. We use this data to regulate the employment relationship and to perform our role as an employer. Registration, storage and archiving in this area take place in accordance with the Working Environment Act, the Civil Servants Act, the General Data Protection Regulation, the Personal Data Act and applicable archive legislation.
Personal data at fhi.no
The website www.fhi.no is developed and maintained by Making Waves, and the servers are hosted by iSky.
Cookies are small text files which are stored in your browser when you open a website. Under Section 2-7b of the Act on electronic communication (the E-com Act), you are entitled to be told and approve what information is stored about you, what the information is used for, and who is using it. You can control which cookies you allow. For more information, see How to manage cookies at Nettvett.no.
The following cookies are used on fhi.no:
- ARRAffinity_FHI: Used to forward users who have entered the address kunnskapssenteret.no in their browser to a page at fhi.no. The Norwegian Knowledge Centre for the Health Services (NOKC) became part of FHI on 1 January 2016 and the website kunnskapssenteret.no is now no longer in existence. The cookie will be deleted when the browser window is closed.
- __RequestVerificationToken: Used to guarantee that the form displayed is from this website and not fake. The cookie will be deleted when the browser window is closed.
- Net_SessionId: Used to track the pages on the website that you visit. It is for example used to highlight links that you have clicked on in a different colour to those you have not clicked on. The cookie will be deleted when the browser window is closed.
- Google analytics_ga: Used by the Google Analytics web analysis tool to distinguish users and user sessions. The cookie is saved for 14 months. We use Google Analytics for traffic measurement and analysis concerning our website. We have a separate data processing agreement with Google, which governs how they process personal data.
- __gat: Used to improve the performance of the Google Analytics web analysis tool. The cookie is saved for 10 months.
Those who wish to can subscribe to various newsletters and newsfeeds on fhi.no. You enter your e-mail address yourself. We use MailChimp as the processor and only use the e-mail address to distribute the newsletters. You can unsubscribe from the newsletters at any time. The e-mail address will then also be deleted from MailChimp. The address will also be deleted if it is no longer in use. We have a separate data processing agreement with MailChimp, which governs how the company processes personal data.
Information that you enter on the various contact forms at fhi.no is forwarded to the appropriate department here at NIPH as an e-mail. We accept and reply to e-mail via Outlook. Personal data that you provide in e-mails that you send us is covered by what is considered to be archival under the Archive Act and the Archive Regulations, and such enquiries will be stored in the Public 360 archive system. In this context, we process personal data such as name, address, telephone number, e-mail address and other relevant information. This registration, storage and archiving takes place in accordance with applicable archive legislation.
Never use e-mail to send sensitive information to NIPH!
Media enquiries sent to NIPH are logged in the CIM computer system. We do this so that we can follow up and make sure you receive answers to your questions, and to keep a record of media enquiries. Logging is based on the consent of the people who contact us. We enter the name and contact details of the person who contacts us, what the enquiry concerns and who has replied to what. If you do not wish information about you and your enquiry to be logged, or you would like us to delete personal data from the system, please let us know either via firstname.lastname@example.org or by telephone directly to the press officer. We delete information from CIM after two years.
Who has access to personal data?
NIPH employees who are responsible for administering NIPH’s tasks in their respective areas will have access to personal data from registries and surveys relating to the task concerned.
Data acquired in connection with case administration and business operations will be available to employees who have had case responsibility.
How NIPH protects personal data
NIPH stores personal data in a number of databases. Access to these databases is strictly access- and need-based.
NIPH is subject to the requirements concerning the appropriate processing of personal data in the General Data Protection Regulation, the Personal Data Act and the aforementioned laws. There are strict conditions regarding the processing of personal data and NIPH is careful to protect data concerning individuals.
Our employees are subject to a confidentiality obligation. Breaches of the confidentiality obligation are punishable by law.
For how long does NIPH retain personal data?
The storage period, etc. depends on the basis for the data; see above.
For example, data in the regulation-based health registries is not erased. This is partly because the purpose of the registries would not be achieved if the data were to be erased.
Data that we collect through consent-based surveys is stored in accordance with the relevant consent and basis.
Who does NIPH disclose personal data to?
NIPH makes available personal data for research and other purposes. NIPH always ensures that those who request data have a lawful basis for processing the data pursuant to the General Data Protection Regulation, the Personal Data Act and the aforementioned laws. The general rule is that data is provided in a form which prevents it from being used to identify individuals.
Some processors, particularly subcontractors who provide computer systems, software and technical solutions, will sometimes have access to personal data. These are known as "processors" and are sometimes given access to personal data in order to supply and upgrade systems and correct errors in our systems. There are strict conditions regarding such access, and the work is carried out under the strict supervision of NIPH. The suppliers concerned are subject to a confidentiality obligation.
Your rights as a data subject
Pursuant to the General Data Protection Regulation and the aforementioned laws, data subjects have a number of rights with respect to us as a processor of personal data.
NIPH is obliged to provide general information about the health registries for which it acts as controller. Research administrators, project managers and data managers involved in health surveys and research projects being carried out by NIPH must also ensure transparency concerning the use of health data and the research. As a private individual, you will generally be entitled to be told what data has been registered about you, and you will also have a right to access the data. There are some limitations on rights as regards access, correction and restriction of processing; see Section 17 of the Personal Data Act.
Furthermore, you have the right to access data registered about you in statutory health registries, such as the National Immunisation Registry (SYSVAK) and the Medical Birth Registry. You are also entitled to be told who has accessed or obtained health data linked to your name or national ID number. The data must be provided free of charge and in an understandable form. NIPH's resident services at helsenorge.no provide electronic access to a number of health registries. If no provision is made for access via helsenorge.no, you can download the form entitled Electronic application for access to data.
It is important that the health registries contain accurate and complete information, and NIPH allocates substantial resources to the quality assurance of information. If you believe that data that has been recorded about you is still inaccurate or incomplete in spite of this, you can normally ask for it to be corrected.
If you consider data that has been registered about you to be distressing, you can ask for it to be blocked or erased; see Section 25 of the Personal Health Data Filing Act, subject to the limitations that follow from Section 17 of the Personal Data Act.
You will normally be entitled to be told what type of processing of personal data NIPH is carrying out concerning consent-based health surveys and research projects. You also have the right to access information that has been registered about you in research projects; see Article 15 of the General Data Protection Regulation (GDPR) and Section 40 of the Health Research Act. However, there are some exceptions to the right of access; see Section 42 of the Health Research Act.
If you believe that data that has been registered about you in a consent-based health survey or research project is inaccurate or incomplete, you can ask for it to be corrected. In such cases, you should contact the project leader for the research project concerned.
You may withdraw your consent to participate in research projects at any time and without giving a reason; see Section 16 of the Health Research Act. Note that the right to request destruction, erasure or disclosure does not apply if the material or information is anonymised, if the material has been processed, or if the data has already been used in analyses.
In such cases, you should contact the project leader for the research project concerned. The controller must then ensure that your health data is erased or disclosed to you, and that any biological material is destroyed.
You can opt out of biological research
The Regional Committees for Medical and Health Research Ethics may decide that human biological material (blood samples, tissue samples, etc.) collected by the health and care services as part of diagnosis and treatment may or must be used for research purposes without the patient's consent. The patient must be informed in advance that human biological material may be used for research purposes and must be given the opportunity to opt out of the research.
As a patient, you can refuse to allow your biological material collected by the health and care services in connection with your diagnosis or treatment to be used for medical and health research purposes; see Section 28 of the Health Research Act.
Contact NIPH’s data protection officer
You can contact the data protection officer by sending an e-mail to email@example.com, by calling 53 20 40 82 or by sending a letter to the Data Protection Officer, Norwegian Institute of Public Health, Postboks 222 Skøyen, 0213 Oslo.
The Norwegian Data Protection Authority receives complaints
If you believe that NIPH is processing personal data in an unlawful manner, you can contact the Norwegian Data Protection Authority via their website: How to complain to the Norwegian Data Protection Authority.