Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Norway - Data Protection

History of Data Protection in NORWAY

The first piece of data protection legislation in Norway was the Data Registers Act of 1978. This was considered to be one of the most restrictive privacy acts in Europe. The Norwegian Data Inspectorate was set up in 1980 to ensure the Act was complied with.

Following the introduction of Directive 95/46/EC, in the autumn of 1995 the Norwegian Ministry of justice appointed a committee to examine what amendments were required to the Data Registers Act in order to bring Norway into line with EU standards.

The result of this was the Norwegian Personal Data Act, which came into force on 1 January 2001. The Act is EC-compatible, and in many respects it goes beyond the Directive, offering an even greater level of protection.

Summary of Data Protection in NORWAY

Title of Data Protection Legislation Personal Data Act 2000
Name of supervisory authority The Data Inspectorate
General Powers of supervisory authority Section 42 of the Act sets out the Inspectorate's duties and powers: "The Data Inspectorate shall
1) keep a systematic, public record of all processing that is reported pursuant to section 31 or for which a licence has been granted pursuant to section 33, with information such as is mentioned in section 18, first paragraph, cf. section 23,
2) deal with applications for licences, receive notifications and assess whether orders shall be made in cases where this is authorized by law,
3) verify that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified,
4) keep itself informed of and provide information on general national and international developments in the processing of personal data and on the problems related to such processing,
5) identify risks to protection of privacy, and provide advice on ways of avoiding or limiting such risks,
6) provide advice and guidance in matters relating to protection of privacy and the protection of personal data to persons who are planning to process personal data or develop systems for such processing, including assistance in drawing up codes of conduct for various sectors,
7) on request or on its own initiative give its opinion on matters relating to the processing of personal data, and
8) submit an annual report on its activities to the King."
Who has standing to notify the supervisory authority of breaches? Anybody
What are the penalties for data controllers if they breach the law? Sections 47 and 48 of the Personal Data Protection Act 2000 state that fines, imprisonment or both may be imposed on data controllers who breach the law.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Section 12 of the 2000 Act deals with the use of personal identity numbers. It states that: "Personal identity numbers and other clear means of identification may only be used in the processing when there is a objective need for certain identification and the method is necessary to achieve such identification. The Data Inspectorate may require a controller to use such means of identification as are mentioned in the first paragraph to ensure that the personal data are of adequate quality. The King may by regulations prescribe further rules regarding the use of personal identity numbers and other clear means of identification".
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably necessary to get consent when is not impracticable or inappropriate.
Does the Data Protection Legislation cover the deceased? No
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations