How to apply for access to data from health registries and health studies
Article
|Updated
The Norwegian Institute of Public Health (NIPH) can provide access to data from health registries and population-based health surveys, after application for data is approved.
All applications for the release of data must be sent via the application form at helsedata.no. If you have any questions about the application form or if you need guidance when applying, contact Helsedataservice.
Transfer of decision-making authority to Health Data Service for NIPH's health registries
From 15 March 2023, the Health Data Service (HDS) at the Directorate for e-Health took over the authority to make decisions about making health data available from the following health registers at NIPH: Medical Birth Registry (MFR), Cause of Death Registry (DÅR), SYSVAK, MSIS, Medicines Registry (LMR) and the Cardiovascular Registry (HKR). All questions relating to the processing of applications for these registers submitted after 14 March 2023 must be directed to Helsedataservice. Helsedataservice also assumes the authority to make decisions on exemption from the duty of confidentiality when accessing health information from the registries mentioned above. See more information at helsedata.no. The Norwegian Institute of Public Health will still be responsible for arranging and making available the information from the health registries in line with decisions from the Health Data Service.
In certain exceptional cases, the Norwegian Institute of Public Health can still decide on access to information from the aforementioned health registers, cf. regulation on national solution for making health data available § 10 third paragraph letters a and b. Applications to be processed by the NIPH must also be submitted via the application form for helsedata.no, and is further distributed from HDS to NIPH for processing.
Terms and conditions concerning anonymous data
Anonymous data fall outside the scope of the data protection regulations. There is therefore no requirement for a lawful basis for processing or dispensation from the duty of confidentiality in order to gain access to anonymous data from a health registry or survey, such as statistics or data files where the content cannot be linked to individuals.
In practice, ensuring that a data set is anonymous is very difficult. A truly anonymous data set will need to have a small number of coarsely categorised variables and will therefore often be of limited value for research and health analyses. It is also not possible to determine in advance that a data set is actually anonymous. See also the Norwegian Data Protection Authority’s website on the anonymisation of personal data. In most cases, data from health registries and health surveys are therefore considered to be indirectly identifiable data, if they is not available in the form of an aggregated table.
Terms and conditions concerning personally identifiable health data
Lawful basis
The disclosure of directly or indirectly identifiable health data requires a lawful basis under Article 6(1) of the General Data Protection Regulation (GDPR), as well as the fulfilment of one of the conditions in Article 9(2) of the same regulation. This applies both to the disclosure of individual data files and to disclosure for linkage. In the case of a lawful basis in Article 6(1)(c) or (e) or Article 9(2)(g), (h), (i) or (j), a national supplementary lawful basis is also required.
Examples of lawful basis
In the case of research projects, the lawful basis may be consent; see Article 6 (1)(a) of the GDPR, with the exception of Article 9(2)(a). This presupposes that consent has been obtained in accordance with the requirements of Article 4 (11) and Article 7 of the GDPR.
As regards research, the lawful basis may also for example, be Article 6(e). It will then be necessary to have a supplementary lawful basis; see Article 6(3). If the research project includes health data or other special categories of personal data, the exceptions in Article 9(2)(j) may be relevant. Such a national supplementary lawful basis (see Article 6(3) or Article 9 (2)(j)) may be authorised in law or a decision concerning exemption from the duty of confidentiality, etc. (see below).
Exemption from the duty of confidentiality
The data stored in NIPH’s health registries and health surveys are confidential, so an exemption from the duty of confidentiality must be obtained. Exemptions from the duty of confidentiality may be obtained through the consent of the data subject or via another exemption, e.g. a decision concerning exemption from the duty of confidentiality from:
- For health registries, the Health Data Service has decision-making authority for:
- The Directorate for e-Health at Health Data Service (for research and other purposes).
- Register manager, cf. Section 19b of the Health Registry Act, for projects where only information from health registries authorised in Section 11 of the Health Register Act shall be included.
- For health registries, the Health Data Service does not have decision-making authority for:
- Regional Committees for Medical and Health Research Ethics (REC), for research on health data
- Norwegian Directorate of Health, for other projects
- Register controller, cf. Section 19b of the Health Register Act, for projects where only information from health registries authorized in Section 11 of the Health Register Act shall be included.
Advance ethical approval from a Regional Committee on Medical and Health Research Ethics (REC)
The disclosure of health data for medical or health research with a Norwegian controller presupposes that the research project is organised in accordance with the Health Research Act. All medical and health research projects must normally be pre-approved by a Regional Committee on Medical and Health Research Ethics (REC); see Section 9 of the Health Research Act. Projects with a controller outside of Norway should have a corresponding ethical preapproval from the controller’s country.
Other conditions
The controller for the project must document that the conditions for disclosure in the individual regulations and in the Health Registry Act are met. This particularly applies to conditions concerning the limitation of purpose, data minimisation, limitation of storage, accuracy, integrity and confidentiality, as well as any ethical considerations. The health data may only be used for purposes which are in accordance with the purposes of the relevant health registry/health survey.
Other assessments that applicants must make
The applicant is responsible for addressing all requirements in accordance with the GDPR, including whether it is necessary to conduct a Data Protection Impact Assessment (DPIA) (see Article 35 of the GDPR) or consult the Data Protection Authority in advance (see Article 36 of the GDPR).
NIPH recommends that anyone applying for access to personally identifiable health data from NIPH contacts their own data protection officer before applying for access to data. See also the Norwegian Data Protection Authority’s website for guidance for Norwegian controllers.
Deadlines
The regulations stipulate various deadlines for the disclosure of health data. In most cases, the following deadlines will apply:
- Statistics based on data from one health registry/health survey will be made available within 30 days
- Statistics based on data from multiple health registries/health surveys will be made available within 60 days
- Data files from one health registry/health survey will be made available within 30 days
- Data files containing linked health data from multiple health registries/health surveys will be made available within 60 days.
The deadline will be calculated from the date on which all documents are received and approved, and the case officer for the registry concerned has received everything that is necessary in order to make the data available.
If health data cannot be made available by the deadline stipulated in the regulation, the deadline for disclosure may be deferred until disclosure is possible. NIPH must inform the applicant in the event of delay.
Overview of projects that have received data
NIPH maintains an overview of who is given access to personal data from health registries and health surveys, what the data will be used for and the lawful basis for the disclosure. The overview contains the project title and the name of the project leader/principal investigator and the research institution concerned, and is made publicly available at fhi.no.
Payment for access to health data
The NIPH may decide that the applicant must pay all or a proportion of the actual costs incurred in connection with the extraction, linkage and preparation of the health data that is made available.
