Health data can be made available as a single data file or statistics from one health registry/survey, or for linkage with other data.

Application for data

How to apply:

• Use one of the two online application forms at helsedata.no (scroll down on the front page to find the application forms). For applications concerning directly or indirectly identifiable health data ("individata") you will be asked to log in with a Norwegian electronic ID. For aggregated data (tabular data) no log in is required.
• If you do not have a Norwegian electronic ID and want to apply for directly or indirectly identifiable health data, you will have to use the NIPH online application form for access to data

The applicant is responsible for correct completion and inclusion of all necessary attachments.

Upon receiving an application, NIPH will consider whether the project meets the applicable conditions for access to data and, if so, which data. If the application is approved, NIPH may impose requirements on the disclosure.

All enquiries regarding the disclosure of health data should be directed to the e-mail address:

• .

For an overview of health data sources from Norway, including health registries and health surveys outside NIPH, see helsedata.no/datakilder/ (Norwegian only).

For some of NIPH’s health registries, statistics are available in NIPH's statistical databases:

• Norhealth - available in Norwegian and English

NIPH also acts as controller for the Norwegian Surveillance System for Antimicrobial Drug Resistance (NORM), but applications for data disclosure from NORM must be submitted to the University Hospital of North Norway (UNN).

Terms and conditions concerning anonymous data

Anonymous data falls outside the scope of the data protection regulations. There is therefore no requirement for a lawful basis for processing or dispensation from the duty of confidentiality in order to gain access to anonymous data from a health registry or survey, such as statistics or data files where the content cannot be linked to individuals.

In practice, ensuring that a data set is anonymous is very difficult. A truly anonymous data set will need to have a small number of coarsely categorised variables and will therefore often be of limited value for research and health analyses. It is also not possible to determine in advance that a data set is actually anonymous. See also the Norwegian Data Protection Authority’s website on the anonymisation of personal data.  In most cases, data from health registries and health surveys is therefore considered to be indirectly identifiable data, if it is not available in the form of an aggregated table.

Terms and conditions concerning personally identifiable health data

Lawful basis

The disclosure of directly or indirectly identifiable health data requires a lawful basis under Article 6(1) of the General Data Protection Regulation (GDPR), as well as the fulfilment of one of the conditions in Article 9(2) of the same regulation. This applies both to the disclosure of individual data files and to disclosure for linkage. In the case of a lawful basis in Article 6(1)(c) or (e) or Article 9(2)(g), (h), (i) or (j), a national supplementary lawful basis is also required.

Examples of lawful basis

In the case of research projects, the lawful basis may be consent; see Article 6 (1)(a) of the GDPR, with the exception of Article 9(2)(a). This presupposes that consent has been obtained in accordance with the requirements of Article 4 (11) and Article 7 of the GDPR.

As regards research, the lawful basis may also for example, be Article 6(e). It will then be necessary to have a supplementary lawful basis; see Article 6(3). If the research project includes health data or other special categories of personal data, the exceptions in Article 9(2)(j) may be relevant. Such a national supplementary lawful basis (see Article 6(3) or Article 9 (2)(j)) may be authorised in law or a decision concerning exemption from the duty of confidentiality, etc. (see below).

Exemption from the duty of confidentiality

The data stored in NIPH’s health registries and health surveys is confidential, so an exemption from the duty of confidentiality must be obtained. Exemptions from the duty of confidentiality may be obtained through the consent of the data subject or via another exemption, e.g. a decision concerning exemption from the duty of confidentiality from:

• Regional Committees for Medical and Health Research Ethics (REC), for research on health data
• Norwegian Directorate of Health, for other projects

• Registry controller, for projects where only data from health registries authorised pursuant to Section 11 of the Health Register Act will be used, see the Health Register Act Section 20 (Lov om helseregistre og behandling av helseopplysninger, 20 June 2014/43).

Advance ethical approval from a Regional Committee on Medical and Health Research Ethics (REC)

The disclosure of health data for medical or health research with a Norwegian controller presupposes that the research project is organised in accordance with the Health Research Act. All medical and health research projects must normally be pre-approved by a Regional Committee on Medical and Health Research Ethics (REC); see Section 9 of the Health Research Act. Projects with a controller outside of Norway should have a corresponding ethical preapproval from the controller’s country.

Other conditions

The controller for the project must document that the conditions for disclosure in the individual regulations and in the Health Registry Act are met. This particularly applies to conditions concerning the limitation of purpose, data minimisation, limitation of storage, accuracy, integrity and confidentiality, as well as any ethical considerations. The health data may only be used for purposes which are in accordance with the purposes of the relevant health registry/health survey.

Other assessments that applicants must make

The applicant is responsible for addressing all requirements in accordance with the GDPR, including whether it is necessary to conduct a Data Protection Impact Assessment (DPIA) (see Article 35 of the GDPR) or consult the Data Protection Authority in advance (see Article 36 of the GDPR).

NIPH recommends that anyone applying for access to personally identifiable health data from NIPH contacts their own data protection officer before applying for access to data. See also the Norwegian Data Protection Authority’s website for guidance for Norwegian controllers.

Other relevant information about disclosure

Deadlines

The regulations stipulate various deadlines for the disclosure of health data. In most cases, the following deadlines will apply:

• Statistics based on data from one health registry/health survey will be made available within 30 days
• Statistics based on data from multiple health registries/health surveys will be made available within 60 days
• Data files from one health registry/health survey will be made available within 30 days
• Data files containing linked health data from multiple health registries/health surveys will be made available within 60 days. 

The deadline will be calculated from the date on which all documents are received and approved, and the case officer for the registry concerned has received everything that is necessary in order to make the data available.

If health data cannot be made available by the deadline stipulated in the regulation, the deadline for disclosure may be deferred until disclosure is possible. NIPH must inform the applicant in the event of delay.

Overview of projects with access to data

NIPH maintains an overview of who is given access to personal data from health registries and health surveys, what the data will be used for and the lawful basis for the disclosure. The overview contains the project title and the name of the project leader/principal investigator and the research institution concerned, and is made publicly available at fhi.no.

Payment for access to health data

FHI may decide that the applicant must pay all or a proportion of the actual costs incurred in connection with the extraction, linkage and preparation of the health data that is made available.

For more information, see the article Prices for access to data and biological material.