The full title of the Personal Data Act is the Act of 14 April 2000 No. 31 relating to the processing of personal data (available at http://app.uio.no/ub/ujur/oversatte-lover/data/lov-20000414-031-eng.pdf: opens in a separate window).
"This Act shall apply to the processing of personal data wholly or partly by automatic means, and other processing of personal data which form part of or are intended to form part of a personal data filing system" (Section 3 first paragraph, a) and b)).
"Processing of personal data" is defined as "any use of personal data, such as collection, recording, alignment, storage and disclosure or a combination of such uses" (Section 1-2 (2)).
The Personal Data Act contains provisions concerning
- conditions for processing general personal data (Section 8), and sensitive personal data (Section 9),
- data security (Section 13) and internal control (Section 14),
- when it is necessary to apply for a licence to process personal data (Section 33) and when notification is sufficient (Section 31).
If the project is to process personal data by electronic means or process sensitive data manually (without electronic data processing), notification of the project must be given to the Norwegian Data Protection Authority (Section 31).
If the project is to process sensitive personal data (see Section 2 (8) of the Personal Data Act), the project must apply to the Data Protection Authority for a licence (Section 33).
The Authority can stipulate conditions for the processing of the data. The Authority often requires that personal data be processed in pseudonymised form. This means that those who are registered can only be identified by means of a randomly assigned reference number. The reference number may be linked to a list of names to which only the project manager has access, and the list must be treated as sensitive material.
Certain types of processing are exempt from the licensing and notification obligation. The Personal Data Regulations (Regulations of 15 December 2000 No. 1265 relating to the processing of personal data, available at http://app.uio.no/ub/ujur/oversatte-lover/data/lov-20001215-1265-eng.pdf; opens in a separate window). Central requirements in the regulations are:
- Data security: All personal data must be protected in accordance with how sensitive they are regarded as being. This is determined by the project manager personally on the basis of an overall risk evaluation, but the Data Protection Authority may require that further security measures are implemented if the Authority regards this as necessary.
- Exemption from the licensing and notification obligation: The regulations contain a number of provisions that exempt processors of personal data from the obligation to apply for a licence or to give notification of the processing to the Data Protection Authority. One of these exceptions applies to the use of personal data for research (Section 7-27), where one of the conditions for exemption is that the project has been recommended for research by a data protection officer.
(See also Personal data, Protection of privacy and Duty of secrecy)