Norway - Data Protection
History of Data Protection in NORWAY
The first piece of data protection legislation in Norway was the Data Registers Act of 1978. This was considered to be one of the most restrictive privacy acts in Europe. The Norwegian Data Inspectorate was set up in 1980 to ensure the Act was complied with.
Following the introduction of Directive 95/46/EC, in the autumn of 1995 the Norwegian Ministry of justice appointed a committee to examine what amendments were required to the Data Registers Act in order to bring Norway into line with EU standards.
The result of this was the Norwegian Personal Data Act, which came into force on 1 January 2001. The Act is EC-compatible, and in many respects it goes beyond the Directive, offering an even greater level of protection.
Summary of Data Protection in NORWAY
| Title of Data Protection Legislation | Personal Data Act 2000 |
| Name of supervisory authority | The Data Inspectorate |
| General Powers of supervisory authority |
Section 42 of the Act sets out the Inspectorate's duties
and powers:
"The Data Inspectorate shall 1) keep a systematic, public record of all processing that is reported pursuant to section 31 or for which a licence has been granted pursuant to section 33, with information such as is mentioned in section 18, first paragraph, cf. section 23, 2) deal with applications for licences, receive notifications and assess whether orders shall be made in cases where this is authorized by law, 3) verify that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified, 4) keep itself informed of and provide information on general national and international developments in the processing of personal data and on the problems related to such processing, 5) identify risks to protection of privacy, and provide advice on ways of avoiding or limiting such risks, 6) provide advice and guidance in matters relating to protection of privacy and the protection of personal data to persons who are planning to process personal data or develop systems for such processing, including assistance in drawing up codes of conduct for various sectors, 7) on request or on its own initiative give its opinion on matters relating to the processing of personal data, and 8) submit an annual report on its activities to the King." |
| Who has standing to notify the supervisory authority of breaches? | Anybody |
| What are the penalties for data controllers if they breach the law? | Sections 47 and 48 of the Personal Data Protection Act 2000 state that fines, imprisonment or both may be imposed on data controllers who breach the law. |
| Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? | Section 12 of the 2000 Act deals with the use of personal identity numbers. It states that: "Personal identity numbers and other clear means of identification may only be used in the processing when there is a objective need for certain identification and the method is necessary to achieve such identification. The Data Inspectorate may require a controller to use such means of identification as are mentioned in the first paragraph to ensure that the personal data are of adequate quality. The King may by regulations prescribe further rules regarding the use of personal identity numbers and other clear means of identification". |
| Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? | It is probably necessary to get consent when is not impracticable or inappropriate. |
| Does the Data Protection Legislation cover the deceased? | No |
| Who is able to indirectly identify the data subject? | Anybody |
Laws and Regulations
- Personal
Data Act 2000
Norwegian version - Personopplysningsloven
- Regulation relating to the processing of personal health data in the national causes of death data filing system - Forskrift om innsamling og behandling av helseopplysninger i Dødsårsaksregisteret (Dødsårsaksregisterforskriften)
- Act relating to procedure in cases concerning the public administration. [Public Administration Act] - Lov om behandlingsmåten i forvaltningssaker. [Forvaltningsloven]
- Act of 2nd July 1999,no 64 relating to health personnel - Lov om helsepersonell m.v. (helsepersonelloven)
- Act on personal health data filing systems and the processing of personal health data - Lov om helseregistre og behandling av helseopplysninger (helseregisterloven) (in English)
- Regulation relating to the processing personal health data in the national cancer data filing systems - Forskrift om innsamling og behandling av helseopplysninger i Kreftregisteret (Kreftregisterforskriften)
- Regulation relating to the processing of personal health data in the Medical Birth Registry of Norway (MBRN)- Medisinsk fødselsregister forskriften
- The Statistics Act - Lov om offisiell statistikk og Statistisk Sentralbyrå (statistikkloven)
- Act on medical use of biotechnology - LOV 1994-08-05 nr 56: Lov om medisinsk bruk av bioteknologi
- Code of Ethics for Doctors (in English)
- Acts
concerning biotechnology - Norske reguleringer innenfor bioteknologi (in English)
Institutions
- Data Inspectorate - Datatilsynet (in English)
- The National Committees for Research Ethics in Norway - Forskningsetiske komiteer(in English)
- The Norwegian Medical Association - Den norske lægeforening
- The Norwegian Biotechnology Advisory Board - Bioteknologinemda (in English)
- Norwegian Social Science Data Services - Norsk samfunnsvitenskapelig (in English)
- The Privacy Issue Unit - Datafaglig sekretariat (in English)