The nature of the data
The need for protection of privacy often depends on how sensitive the information is. As we are all different, the Norwegian Personal Data Act (which is partly based on the EU Data Protection Directive) stipulates what are to be regarded as "sensitive personal data". These are:
- information relating to racial or ethnic origin, or political opinions, philosophical or religious beliefs;
- the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act;
- sex life; and
- trade-union membership.
Information of this kind must be processed in such a way as to cause no harm or disadvantage to any person's integrity, rights, health, reputation or financial situation. (See Personal data.)
"Protection of privacy" can be said to be a general expression for our need for protection of our personal data.
Personal data is used in many different connections: most frequently for various kinds of administration, management and planning, but also for research. (See Confidentiality.) Fundamental principles of protection of privacy are that
- the information shall be used for the specific purpose for which it has been collected, and only for this;
- the contents shall be commensurate with the purpose; and
- unauthorised persons shall not have access to the information.
In addition we include fundamental, individual privacy protection interests, which are
- the right of access to information that describes us;
- the right to have incorrect information corrected or deleted; and
- the right to have the information used in a fair and appropriate manner.
Personal data and consent
The question of who is to have access to data must be determined by you through consent, or by a legislator deciding through a democratic legislative process that data are only to be used for purposes that are accepted by the public.
Everyone is registered without any requirement of consent in registers of events such as the Medical Births Registry and the Cause of Death Registry, or in disease registers such as the Cancer Registry of Norway and the Norwegian Cardiovascular Disease Registry. This is a statutory requirement. These data can also be used in research on certain conditions.
If you are asked to take part in research projects, you must be asked whether you consent to this. Your consent must be "freely given, informed and specific", which are the basic requirements for a valid consent. In other words, no pressure must be exerted on you to persuade you to take part in anything you are not certain about, you must have sufficient knowledge to be able to make a decision in an appropriate manner, and it must be possible to document your consent.
The legislator sets requirements for the processing of sensitive personal data: the duty of confidentiality applies to them, and permission from a regional research ethics committee (REC) or authorisation from the Norwegian Data Protection Authority is required to process them; see the Health Research Act and the Personal Data Act.
As a consequence of the privacy protection requirements, various measures are also required to protect the data (information security).
Information security (also incorrectly called data security) consists of various measures implemented to protect personal data. These are traditionally divided into organisational and technical measures.
Organisational measures include duty of confidentiality, authorisation, key administration, quality and internal control procedures etc.
Technical measures include hardware and software that are used to ensure that the organisational measures are implemented, i.e. authentication (the computer checks that you are who you claim to be) to ensure authorisation and key administration; logging of use of computers; passwords and firewalls to prevent unauthorised persons from gaining access to information, etc.
Such measures must be proportionate, i.e. they must be appropriate to the medium in which the data are stored, and proportionate to the data contained in the system.
The Directorate of Health has drawn up guidelines on information security in research projects that apply to all projects that process personal data. Decisions by the Regional Research Ethics Committees (REC) make the measures prescribed in the guidelines mandatory for researchers whose projects are approved by REC. (Available on the internet (www.shdir.no) from 1 July 2009.)
This article has been translated from Norwegian by Beverley Wahl, Akasie språktjenester AS.