
Norway: Health and Pharma Overview


1. Governing Texts

The Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018 (only available in Norwegian here) ('the Personal Data Act') implements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') into Norwegian law. Before the GDPR was implemented, Norway already had several statutes protecting the privacy rights of data subjects, particularly in the health and pharmaceutical sector. Following the implementation of the GDPR, these sector-specific laws, outlined in more detail below, have been amended to supplement and complement the GDPR.

1.1. Legislation

In Norway, the following sector-specific acts apply to the health and pharmaceutical sector in the context of privacy and data protection:

  • The Patients' Health Records Act 2015 (only available in Norwegian here) ('the Health Records Act');
  • The Health Personnel Act 2001 (only available in Norwegian here) ('the Health Personnel Act');
  • The Personal Health Data Filing System Act 2001 ('the Health Filing System Act');
  • The Treatment Biobank Act 2003 (only available in Norwegian here) ('the Treatment Biobank Act');
  • The Health Research Act 2009 (only available in Norwegian here) ('the Health Research Act'); and
  • The Patients and Users Rights Act 2001 (only available in Norwegian here) ('the Patients and Users Rights Act').

1.2. Supervisory authorities

The Norwegian data protection authority ('Datatilsynet') is responsible for enforcing data protection regulations, as well as specific sections pertaining to personal data contained in the abovementioned sectoral acts.

In addition, the Norwegian Board of Health Supervision ('Helsetilsynet'), a sub-agency of the Ministry of Health and Care Services, has the overall responsibility for the supervision of health and social services in Norway.

1.3. Guidelines

Datatilsynet has issued several guidelines which are applicable to any organisation which processes personal data within the health and pharmaceutical sectors.

The following guidelines, accessible on Datatilsynet's website, contain information applicable to both data subjects and service providers acting as data controllers, or processors, within the health sector:

  • Guidelines on research, health, and welfare (only available in Norwegian here);
  • Guidelines on developers and suppliers to the health and care sector (only available in Norwegian here);
  • Guidelines on data protection officer ('DPO') and research (only available in Norwegian here); and
  • Frequently Asked Questions ('FAQs') on matters relating to the processing of data within the health sector (only available in Norwegian here).

Given Datatilsynet's role as a data protection supervisory authority, Helsetilsynet does not publish general guidelines related to the GDPR. However, Helsetilsynet does publish yearly reports which typically include information on GDPR implemented measures across the Norwegian health sector.

Additionally, other government agencies publish general guidelines on the processing of data within the health and pharmaceutical sector, most notably the Norwegian Directorate of eHealth ('NDE'). The NDE has also established an industry Code of Conduct for Information Security and Data Protection in the Healthcare and Care Services ('the Code of Conduct'). The Code of Conduct details the technical, organisational, and security requirements set out in the GDPR and Norwegian health legislation. Most Norwegian entities within the health and pharmaceutical sector rely on the Code of Conduct, inter alia to document their compliance with the GDPR and Norwegian health legislation.

Notable Decisions:

On 18 December 2019, Datatilsynet issued an administrative fine of NOK 500,000 (approx. €52,100) on the Municipality of Oslo, the Nursing Home Agency, for storing patient data originating from the city's health centres and nursing homes outside the electronic health record system (the designated data retention system) from 2007 to 2018. Datatilsynet concluded that the Nursing Home Agency's practice of storing identifiable patient data outside the electronic health record system violated the requirements for security and internal controls under Article 32 of the GDPR and Sections 22 and 23 of the Health Records Act.

Similarly, in 2021, Datatilsynet issued a fine of NOK 750,000 (approx. €78,200) to St. Olavs Hospital for a lack of access controls on files in which patient data were recorded: in practice, the files were accessible to all health personnel at the Central Norway Regional Health Authority (Helse Midt-Norge). Datatilsynet concluded that St. Olavs Hospital had violated Article 32 of the GDPR on security of processing, as well as Sections 22 and 23 of the Health Records Act, notwithstanding that St. Olavs Hospital had implemented remedial measures in response to the complaint.

In a separate decision, Datatilsynet fined the Municipality of Rælingen NOK 800,000 (approx. €83,400) after the health information of 15 children with physical and mental disabilities was processed in the digital learning platform 'Showbie'. Datatilsynet noted that the Municipality of Rælingen had not conducted any risk assessments or Data Protection Impact Assessments ('DPIAs'), and that the level of security was insufficient considering the type of personal data shared via the application.

In 2017, Datatilsynet fined nine regional health trusts for infringing the security requirements of the now-repealed Personal Data Act 2000 (only available in Norwegian here) ('the old Act') in connection with the health trusts' outsourcing of IT services to countries outside Norway. Each health trust received a fine of NOK 800,000 (approx. €83,400). The maximum administrative fine under the old Act was, at the time, approximately NOK 900,000 (approx. €93,700).

1.4. Definitions

Special categories of personal data: The racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (Article 9(1) of the GDPR).

Genetic data: The inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (Article 4(13) of the GDPR).

In addition, Datatilsynet has issued a guideline detailing the challenges an organisation may face when processing genetic, as well as biometric, data (only available in Norwegian here) ('the Genetic Data Guideline'). The Genetic Data Guideline contains a report which elaborates on Norwegian organisations' compliance with the legislative framework when processing such data for the purposes of genetic examinations.

Biometric data: The 'personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data' (Article 4(14) of the GDPR).

Datatilsynet has issued a guideline detailing what biometric data is and how such data may be processed (only available in Norwegian here) ('the Biometric Data Guideline'). The Biometric Data Guideline provides that biometric data includes a data subject's fingerprint, handprint, the shape of one's face as well as data generated from retina and iris recognition technology.

Biobank: Even though the Treatment Biobank Act regulates the use of biobanks, it does not contain a general definition of a 'biobank'. However, the Treatment Biobank Act defines 'diagnostic biobanks' as collections of human biological material submitted for medical examination, diagnosis, and treatment purposes.

In addition, Section 4 of the Health Research Act defines the term 'research biobank' as 'a collection of human biological material that is used in a research project or used for research purposes'.

Research: The GDPR adopts a broad definition of 'research', encompassing both the activities of public and private entities (Recital 159 of the GDPR). In addition, 'medical and health research' is defined as the activities that are performed with scientific methodologies for the purposes of obtaining new knowledge regarding health and disease (Section 4 of the Health Research Act).

Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR). The conditions for valid consent are further set out in Article 7 and Recital 32 of the GDPR. In short, consent must be freely given (i.e. on a voluntary basis), specific, informed, and unambiguous.

Norwegian data protection laws do not deviate from the GDPR's definition and requirements for consent. Norwegian health legislation, such as Section 13 of the Health Research Act, echoes the conditions enshrined in Article 7 of the GDPR.

2. Clinical Research and Clinical Trials

Medical and health research projects require approval before they commence (Chapter 3 of the Health Research Act). Applications are submitted to the Regional Committees for Medical and Health Research Ethics ('REK').

Any major amendments to the scope of the project must also be approved by the REK (Section 11 of the Health Research Act). When the project is concluded or discontinued, the organisation must submit a final report to the REK presenting the project's conclusions (Section 12 of the Health Research Act).

Generally, such conclusions must be presented in an objective manner in which the organisation presents the project's positive and negative findings. The REK may impose onto the organisation an obligation to report regularly to the committee.

Research involving human participants may only take place if there are no other, equally effective, alternatives (Section 22 of the Health Research Act). Before any such trial, the organisation must perform a thorough risk assessment and evaluate the possible effects the trial may have on participating individuals. In the event of serious adverse or unexpected medical consequences, the project leader must notify Helsetilsynet (Section 23 of the Health Research Act).

The project leader must notify the participants if they have been harmed, or if the research project has resulted in unforeseen complications (Section 24 of the Health Research Act).

2.1. Data collection and retention

The nature of data collection and processing necessitates a case-by-case analysis of each collection and processing operation. This means that processing entities must self-assess their operations and take the necessary steps to comply with the GDPR on an ongoing basis, ensuring that the level of compliance is proportional to the level of risk associated with the processing operations.

Norwegian law does not establish any specific retention periods for health data. Such data must be processed, retained, and deleted in line with the provisions of the GDPR. This means that the data cannot be stored for longer than necessary and that data must be deleted upon the request of the data subject unless prolonged retention is required by mandatory law.

Retention limitations contained in the GDPR are reaffirmed in Norwegian health law, such as Section 43 of the Health Personnel Act, Section 25 of the Patients and Users Rights Act, Section 5-2 of the Patients and Users Rights Act, and Section 38 of the Health Research Act.

2.2. Consent

All participants in medical research projects must consent to their data being gathered and processed for the purposes of such projects. The consent given must be based on specific information related to the research project in order for the consent to be validly formed (Chapter 4 of the Health Research Act).

However, participants of health research projects may give consent for the processing of human biological material and health information with the scope and nature of such processing to be determined at a later date (Section 14 of the Health Research Act and Recital 33 of the GDPR). In such a case, the data subject must regularly be provided with information regarding the project.

Consent may be withdrawn at any time. If withdrawn, research using the data subject's biological material or health data must cease. Moreover, if consent is withdrawn, the data subject can demand that their biological material be destroyed and that all their health data be deleted, or delivered to the data subject, within 30 days (Section 16 of the Health Research Act).

The capacity to give consent in the context of clinical research is regulated under Section 17 of the Health Research Act, which stipulates that individuals aged 18 or over have the capacity to give consent.

Individuals between the ages of 16 and 18 may also give consent unless otherwise prohibited by law (Section 17(b) of the Health Research Act). Parents or guardians give consent on behalf of individuals below the age of 16, and it is sufficient that one parent or guardian provides the consent (Section 4-4 of the Patients and Users Rights Act).

A data subject's next of kin may consent on behalf of individuals who lack the capacity to give consent (Section 4-3 of the Patients and Users Rights Act). This applies where, for example, a physical or psychological condition (e.g., senility, dementia, or a physical disability) prevents the individual from understanding what the consent encompasses.

Further, research on individuals who lack the capacity to consent may only take place if (Section 18 of the Health Research Act):

  • any potential risk or disadvantage for the individual is insignificant;
  • the individual does not oppose the data processing; and
  • it can be reasonably assumed that the research will be of use to the individual in question or other individuals with the same age-specific disease or condition.

It should be noted that for situations regarded as emergencies, the requirements relating to consent differ from the abovementioned sections (Section 19 of the Health Research Act).

Moreover, consent is not required for the use of anonymised human biological material or other anonymous data. However, consent must nonetheless be given if the data is to be anonymised at a later stage during the research project (Section 20 of the Health Research Act).

2.3. Data obtained from third parties

Human biological material collected by the healthcare services for the purpose of diagnosing and treating diseases may be used for research purposes without the patient's consent (Section 28 of the Health Research Act).

However, such processing is subject to the REK's approval. Moreover, the processing of such information obtained via third parties will only be allowed if the research is of essential interest to society at large and the individual's welfare and integrity are safeguarded.

3. Pharmacovigilance

As per the Norwegian Medicines Agency ('Legemiddelverket'), the reporting of adverse drug reactions occurring in Norway should be in line with the requirements of Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community code relating to medicinal products for human use (as amended) and Regulation (EC) No 726/2004 of 31 March 2004 laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency (as amended), as well as Module VI of the European Medicines Agency ('EMA') Guidelines on Good Pharmacovigilance Practices ('GVP').

The marketing authorisation holder (i.e., an organisation that has been granted authorisation to market a specific medicinal product) can report all serious and non-serious adverse drug reactions occurring in Norway directly to EudraVigilance. Adverse drug reactions occurring in other EU/EEA countries should also be reported to EudraVigilance, in line with the aforementioned legislation and Module VI of the GVP. Norwegian adverse drug reactions reported by marketing authorisation holders to the EudraVigilance will be re-directed to Legemiddelverket.

Questions pertaining to pharmacovigilance may be directed to Legemiddelverket by contacting the agency at [email protected] or +47 22 89 77 00.

4. Biobanking

The Ministry of Health and Care Services must be notified when establishing a biobank which is to be used for diagnosing and treating diseases (Section 5 of the Treatment Biobank Act). The notification must be sent within two months following the establishment of the biobank.

The notification must contain the following information:

  • the purpose of the establishment;
  • the type of material the biobank will contain and how such material is collected;
  • the type and number of individuals the material will be collected from;
  • the form in which consent is to be given and the information to be provided in advance of any such consent;
  • how long the biobank will be established and what happens to the material when the biobank is discontinued;
  • information on the safety measures implemented to ensure the integrity of the biobank;
  • information on the data protection officer ('DPO') or the responsible person in charge as per the Personal Data Act and the Patient's Journal Act; and
  • information regarding the financing of the biobank and whether the material contained within the biobank may give rise to economic gain.

General information, in English, on how to establish a research biobank can be found on Oslo University Hospital's website.

The materials contained in the biobank must be kept in a safe manner and in line with supplementary legislation that may be applicable (Section 9 of the Treatment Biobank Act).

The Health Research Act governs the establishment of biobanks containing human biological material used for research purposes. The establishment of such biobanks is contingent on the REK's prior approval (Section 25 of the Health Research Act).

Research biobanks must designate a person of responsibility for the biobank (Section 26 of the Health Research Act). Additionally, materials contained in the biobank must be stored and processed in a safe manner (Section 27 of the Health Research Act).

Collection of samples and information attached to them

Apart from the general requirements of consent and safe storage of samples, there are no requirements under Norwegian law specifically applicable to the collection of samples. However, importing samples into, or exporting samples from, Norway requires the REK's prior approval (Section 29 of the Health Research Act).

Biobank registers

Biobank Norway, a national biobank infrastructure for global research collaboration, has prepared a register of biobanks in Norway.

Rights of registered individuals

As biobanks predominantly contain personal data and human material, the rights of individuals contained in data protection laws will be applicable to individuals who consent to their data or material being used to form part of biobanks.

5. Data Management

Obligations and responsibilities regarding data management are governed by the Personal Data Act and, by extension, the GDPR. Moreover, data controllers are required to both comply with the six principles when processing personal data (Article 5(1) of the GDPR) and demonstrate compliance with all the six principles (Article 5(2) of the GDPR). This requires the data controller to, for example, implement appropriate security measures, and not use the data for other purposes than which the data was collected.

Norwegian health laws do not require the appointment of a DPO. As mentioned above, however, Norwegian health legislation generally requires that an individual is appointed as the person in charge of, e.g., a research project or the establishment of a biobank. In addition, large-scale processing of special categories of data (Article 9 of the GDPR) may necessitate the appointment of a DPO (Article 37(1)(c) of the GDPR).

Medical professionals may be released from their duty of confidentiality in certain cases. For example, medical professionals may owe reporting duties to the medical agencies in the relevant municipality and to Helsetilsynet (Chapter 6 of the Health Personnel Act).

6. Outsourcing

A supplier may handle health and other personal data either as a data processor on behalf of the controller or by providing a service such as maintenance. Suppliers who may encounter special categories of data must adhere to, and not prevent, the obligations of the data controller. For example, a supplier to which tasks are outsourced may be exposed to data subjects' health information. Hence, suppliers have a duty to ensure that they have in place routines and measures which prevent the disclosure of confidential information.

It is the responsibility of the data controller to ensure that requirements pertaining to IT security and privacy are complied with. As described in the section on guidelines above, most entities within the Norwegian health and pharmaceutical sector rely on the Code of Conduct to document their compliance with the GDPR and Norwegian health legislation.

For the delivery of, e.g., services, machines, or systems, the supplier and the data controller must agree in writing on the security measures to be implemented in order to ensure that the data controller meets its obligations (Section 5.7.2 of the Code of Conduct). Such agreements must also consider the general commitments imposed by the Code of Conduct.

Outsourcing of IT functions or other functions pertaining to IT security or privacy must at a minimum include the following provisions (Section 5.7.3 of the Code of Conduct):

  • a documented risk evaluation which illustrates that an appropriate level of IT security will be maintained;
  • the tasks the supplier will be performing and how the supplier's service will be integrated into the systems of the buyer; and
  • the buyer must have a right to perform regular audits.

Entities within the Norwegian health and pharmaceutical sector will normally outsource services based on the NDE's template data processing agreement (only available in Norwegian here).

Data processors shall only process health and other personal data, as well as other confidential information, on the instructions of the data controller. Such an engagement must be regulated in a written agreement, typically a data processing agreement.

In line with the provisions of the GDPR, the data processor remains responsible for any sub-processors it engages. The agreement with such sub-processors must include the same rights and obligations as the data processing agreement between the data controller and the data processor (Section 5.7.4.1 of the Code of Conduct).

7. Data Transfers

All member states within the EU/EEA area have implemented the GDPR. Consequently, this ensures that personal data transferred within the EU/EEA is processed in a way which maintains the rights of data subjects. In addition, the European Commission has recognised that certain countries, outside the EU/EEA, have implemented adequate levels of protection for personal data and, therefore, allow the transfer of personal data to such countries.

Nonetheless, the GDPR restricts the transfer of personal data outside the EU/EEA (to so-called 'third countries') in order to ensure that the level of protection afforded to data subjects by the GDPR is not undermined. Transfers of personal data to third countries require that the conditions set out under Chapter V (Articles 44 to 50) of the GDPR are met.

Moreover, following Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), exporters of personal data to third countries must ensure that the transferred personal data is subject to a level of protection which is essentially equivalent to the level of protection within the EU/EEA. To this effect, the European Data Protection Board ('EDPB') has published Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data.

Under the Archives Act of 1992 (only available in Norwegian here) ('the Archives Act'), entities within the public health and pharmaceutical sector are required to archive documentation that is considered valuable and concerns the relevant public sector body's responsibilities or operations. Documents subject to the Archives Act may, as a rule, not be transferred or stored outside Norway (Section 9(b) of the Archives Act).

Thus, entities within the public health and pharmaceutical sector are required to store health and personal data included in documents which must be archived on servers in Norway. However, pursuant to the National Archives of Norway's guidelines (only available in Norwegian here) it is permitted to store backup copies of documents (which must be archived) on servers outside Norway. Furthermore, it is lawful to use cloud-based services which process documents (which must be archived), as long as the relevant documents are archived in Norway (e.g., on servers in Norway).

8. Breach Notification

Under the Health Personnel Act, health personnel must inform the applicable authorities, chiefly Datatilsynet and Helsetilsynet, of circumstances that may endanger patients' or users' safety (Section 17 of the Health Personnel Act). This may be interpreted to include health personnel's concerns regarding a lack of IT security measures at the organisation, as well as potential data breaches. In addition, Section 22 of the Health Records Act reaffirms the GDPR's provisions regarding IT security measures. The general GDPR regime also applies: under Article 33 of the GDPR, a controller must notify Datatilsynet of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and under Article 34 of the GDPR it must communicate the breach to the affected data subjects where it is likely to result in a high risk to them.

9. Data Subject Rights

The rights of the data subjects are primarily regulated by the GDPR. Norwegian health legislation further reaffirms the rights of data subjects contained in the GDPR. In particular, these rights include:

  • data processors and controllers being bound by a duty of confidentiality;
  • providing easily accessible information to the data subject (for example in the form of a privacy policy);
  • the right of access (both under Norwegian health laws and data protection laws);
  • the right of correction and erasure;
  • the right of data portability;
  • the right to object to the disclosure of the data;
  • the implementation of adequate safety measures; and
  • the right of having the data stored for no longer than necessary.

10. Penalties

Breach of an organisation's GDPR obligations may result in administrative fines of up to €20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the basic principles for processing, data subject rights, or the transfer rules (Article 83(5) of the GDPR), and of up to €10 million or 2% of such turnover for other infringements, such as a breach of the security or processor obligations (Article 83(4) of the GDPR). In addition, Section 29 of the Health Filing System Act refers to Article 83 of the GDPR.

Moreover, anyone who establishes a biobank without permission, destroys material contrary to the Treatment Biobank Act, or negligently collects, stores, or processes biobank material unlawfully may be punished with a fine or imprisonment of up to one year (Section 19 of the Treatment Biobank Act).

Furthermore, anyone who wilfully or through gross negligence infringes the Health Research Act may be punished with a fine or imprisonment of up to one year (Section 54 of the Health Research Act).

Under both the Treatment Biobank Act and the Health Research Act, organisations may be liable for compensation to individuals who have suffered damage as a result of breaching applicable laws.

It should also be mentioned that a breach of medical personnel's duty of confidentiality may lead to penalties under Section 209 of the Norwegian Penal Code of 20 May 2005 (only available in Norwegian here). This effectively means that medical personnel may be subject to a fine or imprisonment of up to one year for breaching their duty of confidentiality.

11. Other Areas of Interest

Digital Health Records

The NDE, a directorate subordinate to the Ministry of Health and Care Services, has implemented a summary care record ('the Summary Care Record'), an online service that contains Norwegian citizens' health information. Both permanent residents of Norway and healthcare professionals have access to the information in this service. The Summary Care Record service is available in all hospitals in Norway and has been introduced across every municipality and county. The Summary Care Record does not replace the records held by local General Practitioners or hospitals but acts as a supplementary health registry alongside them.

Telemedicine

The adoption of telemedicine in Norway is high, with all health regions and most Norwegian hospitals using telemedicine. The Norwegian Centre for Integrated Care and Telemedicine ('NST') has contributed to the integration of care between different levels of the health sector since 1993. A report on the adoption of routine telemedicine in Norwegian hospitals, titled 'Adoption of routine telemedicine in Norwegian hospitals: progress over 5 years', has been published by the US National Library of Medicine, National Institutes of Health.

Medical devices

Legemiddelverket is the competent authority for medical devices and has administrative and advisory responsibilities related to legislation and supervisory authority over manufacturers, distributors, and notified bodies. Regulatory information regarding medical devices can be accessed via the Legemiddelverket's website here.

Christopher Sparre-Enger Partner
[email protected]
Uros Tosinovic Partner
[email protected]
Nikolai Rekman Senior Associate
[email protected]
Advokatfirmaet Thommessen AS, Oslo
