The legal and institutional framework for data access in Norway CESSDA Expert Seminar October 2006 Siv Midthassel - Adviser Norwegian Social Science Data Services
Legislation Personal Data Act (2001) Personal Health Data Filing System Act (2002) Biobank Act (2003) Biotechnology Act (2004) Act on Health Personnel (1999) Act on Public Administration (1967)
Independent bodies that review research ETHICAL REVIEW Regional Research Ethics Committee LEGAL REVIEW Data Protection Official for Research Data Inspectorate Privacy Appeal Board Directorate of Health and Social Affairs Ministry of Health Committee for Confidentiality and Research Norwegian Medicines Agency Norwegian Social Science Data Services
Independent bodies that review research Researcher Directorate of Health and Social Affairs Ombudsman for Privacy in Research NSD Data Inspectorate Committee for Confidentiality and Research Regional Research Ethics Committee Norwegian Medicines Agency Privacy Appeal Board Ministry of Health Norwegian Social Science Data Services
Historical Perspective Amendment; exemption from the obligation of obtaining license 2005 March: NSD is formally appointed Ombudsman for Privacy in Research May: The first official review of the Directive (96/46/EC) 2003 Recommends appointment of a data protection officer 2001 The Personal Data Act and Regulations § 7-12 Privacy Ombudsman The Data Protection Directive (96/46/EC) 1995 The Privacy Issue Unit at NSD is etablished The first notifications are received 1981 The Data Register Act 1978
NSD is Ombudsman for over 130 institutions The Norwegian universities and colleges Private colleges University hospitals and other hospitals Research institutes Personvernombudet for forskning
Ombudsman for Privacy in Research The institutions: Appoint the Ombudman for Privacy in Research Inform on regulation and procedures for notification and prior review of research Appoint a contact person responsible for communication with the Ombudman for Privacy in Research
Ombudsman for Privacy in Research Review research projects against the requirements of the Personal Data Act and the Act on Personal Health Data Filing Systems Resommend necessary changes, advocating possible solutions to the project design When projects need prior authorisation from the Data Inspectorate, to make recommendations Teach, inform and provide guidance to institutions, researchers and students on legal and procedural requirements
Ombudsman for Privacy in Research Keep a systematic, public record of processings made Assist data subjects, attending to their legal rights On suspicion of breaches of the principles of protection, point this out to the researcher (and the institution) On inquiry from the Data Inspectorate, inform of possible breaches of the principles of protection
When is notification necessary? When processing personal data with automatic means All use of sensitive personal data. Ombudsman for Privacy in Research
Appropriate safeguards Notification/approval – The Ombudsman for Privacy Prior Licensing - Data Inspectorate
The Personal Data Act – Individuals’ rights are enhanced Consent and information the most important measures to safeguard privacy Notification and prior checks to safeguard privacy
Legal grounds for processing personal data Consent:Participants in research must give their consent to the processing of personal data Alternative legal grounds: Public interest (non-sensitive data) Substantial public interest (sensitive) and subject to the provision of suitable safeguards
Why formal regulation and systems for mandatory review Participants in research need protection Researchers need protection Institutions need protection Society need access
Do regulations prevent research? No, but the non-consent alternatives are exeptions to the rule The importance of an adequate legal framework to safeguard privacy as well as access to rich data The existent systems for review of research ensures information privacy as well as use