Conditions for preservation
The conditions for the processing and treatment of personal information are laid out in Articles 8 and 9 of the Norwegian Personal Data Act. There, it is stated that personal information can only be processed if the data subject has consented, the access to such treatment is provided by law, or the treatment / processing is needed and fulfills a set of specified criteria (cf. Article 8, letters a-f and Article 9, letters a-h).
Regarding the conditions and framework for securing and preserving personal data, the following segments are of particular importance in the Data Protection Act:
1. Information security (cf. Article 13):
The controller and the processor must, through planned and systematic measures, ensure satisfactory information security with regard to confidentiality, integrity and availability when processing personal data.
To achieve satisfactory information security, the data controller must document the data processing and the information and security measures.
The data controller must ensure that the following requirements are fulfilled when access is provided to others (e.g. data processors or others involved in the handling and operation of information systems):
· Information security (cf. Section 2-4 of the Personal Data Regulation): the data controller is responsible for setting the acceptable criteria for risk (connected to the processing of personal data), but these decision criteria may, according to Section 2-2 of the Personal Data Regulation, be overruled by the Data Protection Authority. Further, it states that the data controller must carry out risk assessments to identify the likelihood and consequences of possible security breaches.
· Deviations (Section 2-6 of the Personal Data Regulation): security breaches, and any use of the information system that is contrary to the established procedures, will be treated as deviations. The treatment of deviations should aim to restore the normal condition, remove the cause of the deviation, and prevent recurrences. If the discrepancy has resulted in the unauthorized disclosure of personal data (where confidentiality is required) the Data Protection Authority must be notified. Results of the discrepancy procedure must be documented.
· Organisation (Section 2-7 of the Personal Data Regulation): the information system should be configured in such a way as to secure the information satisfactorily. Configuration in this respect means (and includes) information system design, i.e. equipment and software and the linking of these.
· Security measures (Section 2-14 of the Personal Data Regulation): security measures must prevent unauthorized use of the information and make it possible to detect attempts of such use. Security measures should include measures that cannot be affected or bypassed by employees, and not be limited to actions that individuals are assumed to perform.
In other words, the controller must establish measures that act independently of employees' actions. Security measures should be arranged so that a minimum of two independent measures must be defeated before a security breach occurs. Since the Regulation requires such protective measures, the Data Inspectorate underlines the necessity of two independent technical measures between the ‘outside world’ and the secured zone. Additionally, such measures are intended as a means of securing the other zones (all zones) in the information system.
· Safeguarding of integrity (Section 2-13 of the Personal Data Regulation): measures must be taken against unauthorized alteration of personal data where integrity is necessary. This provision requires the controller to prevent accidental/random change of personal information.
Measures must be taken to prevent malicious software. As such, data controllers should ensure that the system is protected against destructive programs, such as computer viruses.
2. Internal control (Article 14):
The data controller must establish and maintain planned and systematic measures necessary to comply with (or be pursuant to) the Personal Data Act, including the assurance of the quality of the personal information.
The data controller must document these measures. Documentation must be provided to the employees of the data controller and the data processor. The documentation should also be available to the Data Protection Authority and the Norwegian Advisory Board (Personvernnemda).
3. Correction of incomplete personal data (Article 27):
If the personal data that have been processed are inaccurate or incomplete, or their processing is not permitted, the controller shall, independently or at the request of the data subject, correct the inadequate data.
According to the Data Protection Act: “The controller shall if possible ensure that the error does not have an effect on the data subject, for instance by notifying recipients of disclosed data. The rectification of inaccurate or incomplete personal data which may be of significance as documentation shall be effected by marking the data clearly and supplementing them with accurate data” (cf. Article 27). Under special circumstances the Data Protection Authority may, independently of the subsections described in Article 27, determine that the incomplete or incorrect personal information must be erased or made inaccessible.
4. Prohibition against storing unnecessary personal data (Article 28):
The controller shall not store personal data longer than is necessary for carrying out the purpose of the processing. Unless the personal information is to be stored in accordance with the Archives Act or other legislation, it must be deleted.
Preservation for historical, statistical and scientific purposes
In accordance with EU Directive 95/46/EC, the Norwegian Personal Data Act allows preservation of personal data for historical, statistical and scientific purposes, on the condition that the public interest clearly outweighs the disadvantages for the data subjects (cf. Articles 11 and 28). The main rule in this regard is that long-term storage of personal data should be based on consent, in addition to appropriate safeguards.
The Norwegian Data Protection Authority, in its guidance, emphasizes that it finds it legally and ethically problematic to allow processing for new and incompatible research purposes if the data were originally collected on the basis of the data subject's consent. This is seen as a breach of the contract (Kvalheim: 2004).
In addition to the above-mentioned safeguards, the Personal Data Act requires notification of the processing (including storage) of personal data every three years, as well as a licence from the Authority prior to processing. The licence will normally include requirements with regard to future archiving of personal data. See Requirements to acquire approval from data protection authorities.
The “Bergen Child Study” (BCS)
The Norwegian “Bergen Child Study” (BCS) provides an example of consent-based long-term preservation of personal data. The BCS is a longitudinal cohort study that started in 2002, aiming to follow children born in Bergen in 1993–95 from early school age to college. The aim of the study is to gain knowledge that can contribute to better mental healthcare for children and adolescents. The Bergen Child Study offers substantial research on children’s mental health and their development. Questions relating to the lifestyle of the participants, such as school functioning, family situation and social life, are also included in the study. The study consists of four data collection waves from 2002 to 2012, including survey data and medical/psychological tests. The consent also covers linking the collected data to specified administrative data on health and employment until the end of the project in 2023. Consent was first collected from parents, but from the age of 16 the young people have given consent themselves to participating. The study is approved by the Regional Committee for Medical Research Ethics (REC), West Norway. See Requirements to acquire approval from an ethics committee.
REC’s main issues have concerned providing sufficient information to participants, practicalities around consent and the safeguarding of highly sensitive data.
The Norwegian Advisory Board (Personvernnemda):
Personal Data Regulations (in Norwegian)
Archives Act (in Norwegian)
Kvalheim, V. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Norway. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, eds. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 289-305.
The Health Research Act, 2008. ACT 2008-06-20 no. 44: Act on medical and health research [pdf]. Available at: <http://www.ub.uio.no/ujur/ulovdata/lov-20080620-044-eng.pdf> [Accessed 24 February 2014].
The Personal Data Act, 2000. Act of 14 April 2000 No. 31 relating to the processing of personal data [pdf]. Available at: <http://www.datatilsynet.no/Global/english/Personal_Data_Act_20120420.pdf> [Accessed 4 April 2014].
Uni Health, 2014. The Bergen Child Study [online]. Available at: <http://helse.uni.no/default.aspx?site=28&lg=2> [Accessed 24 February 2014].