Scheduled maintenance Thursday 29.09.22

Due to a technical upgrade, Helsedata.no will be unavailable from 09.00-15.00 on Thursday 29.09.2022. We apologize for any inconvenience this may cause.

NB! There are currently major delays in processing applications for personally identifiable data.

Personally identifiable information (PII), also known as personal data and personal information, is any information relating to an identifiable person. This means that the information is of such a nature that it is possible to identify individuals. For example, a personal identity number is known or identities can be deduced through combinations of data items.

PII is primarily used for health analyses or research. Other terms that are often used for PII are microdata or research data.

As a rule, the information provided to an applicant is processed so that it is not possible to directly identify individuals. However, it is seldom possible to ensure that a data set is completely anonymous. If you request variables and information at a level that makes the individuals indirectly identifiable, the application may have to be adjusted to safeguard privacy.

You can only obtain access to health information from registries and population-based health surveys if there is a legal basis for the use and processing of the information. All requests for access will be assessed by the organizations responsible for managing the data (the "data custodians"), in accordance with their obligations and responsibilities under Norwegian law.

Ikon

Familiarize yourself with the application process

Using personally identifiable information in a project can be very useful, but the process you have to go through to gain access to the data is complicated. We recommend that you familiarize yourself thoroughly with everything that is required of you before you start on the application itself.

Explore the contents of data sources and the regulations

If you want access to personally identifiable information, you need to spend time exploring what relevant data sources exist, and the options and restrictions that apply to accessing them and using the data they contain.

In many research projects, it is necessary to request access to information from multiple data sources. If you are requesting data from different sources, you must communicate this clearly in your application and describe what data you want to link.

Please note, it will probably take longer to gain access to the data if you request data from multiple sources. This is because different pieces of legislation regulate access to different data sources, and whether and how their contents may be linked and processed.

All requests for access will be assessed by the individual data custodians in accordance with their obligations and responsibilities under Norwegian law. So, when planning a project, you will find it useful to determine the specific data sources and data you wish to access and familiarize yourself with the applicable rules and regulations as early as possible.

Specific access requirements for the different data sources are given in the Data Access section of the data source pages. You will find an overview with descriptions of the data sources you can request access to here (in Norwegian).

Ikon

Data sources in the application form on helsedata.no

Using the application form on helsedata.no, you can apply for access to information from data sources managed by the Norwegian Institute of Public Health (NIPH)the Norwegian Directorate of Health and the Cancer Registry of Norway. If you need data from other sources, you will find here a link to a separate application form for each data source .

Provide clearly defined research questions and a study design

Clearly defined research questions and a study design will help the caseworkers understand the purpose of your project – and what kind of data is relevant to it – much more quickly. This makes it easier for them to advise you which data sets to request, and to help you in the application procedure.

Be as clear as possible and justify the assessments you make when describing the purpose of using the data, your study design and which data you are requesting access to, both in the application and in the research protocol. This will make it easier for the caseworkers to find the appropriate data and to assess whether the purpose for which you wish to use it falls within the purpose of the data source. This will save both you and your caseworker time and effort.

Describe your study design

The more clearly you describe and justify your chosen study design, the greater the chances of receiving the data you require from the outset.

Examples of study designs that use health data from registries are:

  • Cohort studies
  • Case control studies
  • Natural experiments
  • Registry follow-up of clinical studies

Write the research protocol

If the purpose of the project is research, you are required to submit a research protocol with the application. This helps the caseworkers gain a deeper insight into the project and will give them a good foundation for assessing your request.

Some of the questions in the application form cover points that you will have already explained in the research protocol. It is important that the points you make in the application do not differ from the points set out in the research protocol. To avoid this, you may wish to use wording from the project description or research protocol in the application.

There are different templates for research protocols, but they usually contain:

  • scientifically designed project plan
  • list of research participants
  • purpose for processing health information
  • research ethics challenges
  • sources of funding and dependencies
  • plan for publication
  • utilization of research results
Ikon

Contact the relevant data custodians

Contact the relevant data custodians to ensure that the information you require can be provided, before you complete your research protocol.

You need to give a precise definition of the target population and the study population in your application. The target population is the group of individuals that the research questions concern. The study population or sample is the group of individuals you select as representatives of the target population in your research project.

The challenge is often to find a study population that is representative of the target population. You need to calculate how large the study population must be to answer the research questions and explain in detail how the study population will be selected, with inclusion and exclusion criteria.

Will the project use a control group?

A control group is a group of individuals that you use to compare the effect of a treatment or other measures/factors against.

How the control group is selected is of great importance for the validity of the research. Consequently, it is important to be aware of any sources of error and bias when defining the group.

Ikon

Tip

If you plan to use the Norwegian Population Register to extract a control group, you must apply for permission from the Norwegian Tax Administration.

If the research project is to use information from the Norwegian Population Register and/or draw a sample or control population from the register, it must be accompanied by a permit from the Norwegian Tax Administration.

More information and a link to the application form can be found here.

The data sources have different purposes and are regulated by different laws and regulations. In order to gain access to information from a data source, the purpose of the project must be compatible with the purpose(s) of the data source. The reason for this is the key personal data protection principle known as purpose limitation (ico.org.uk). This means that personal information must not be reused for other purposes than its original intended use.

It is important to be aware of this when formulating your objectives and reasons for using the information. You can find the purpose of the data sources in the description of the data sources. You will find the data sources in this list view (in Norwegian).

Ikon

REC application and purpose

You must ensure that the purpose you describe in the research protocol and in the application to the REC (Research Ethics Committee) corresponds to the defined purpose of the data sources you are requesting information from. In other words, the purpose must match in all three places.

When compiling the list of variables you require, we recommend that you use the variable names from the variable documentation provided by the data custodian. This will make it easier for the caseworkers to find the information you are looking for, which in turn will help streamline the application procedure.

You’ll find a tool for creating lists of variables and descriptions of variables from selected data sources here. Information about variables from other sources will, in most cases, be linked in the description of the data sources.

Can't find the variables you are looking for?

Describe the information you are looking for as precisely as possible and contact the data custodian if there are no descriptions of the variables available.

How specifically you need to describe the information you want to access varies in different phases of the application process. For example, it is not necessary to upload a complete variable list with your application for pre-approval from the REC. Rather, you should describe and explain the information and variables necessary for the project. This will make it easier if you need to make minor adjustments later.

Example of high-level (coarse) variables:

"Age","type of cancer","drug use","place of residence"

Examples of low-level (specific) variables:

"60-70 years", "lung cancer", "opioids", "name of city"

You should carefully consider whether the information you are requesting access to is relevant and necessary for your study. The scope and level of detail in the study population/samples and the number of variables you request access to will affect the rest of your application procedure.

The more variables you request access to, the greater the risk that individuals can be identified. Your application may then fail to be approved when applying for data from various data sources or for ethical assessment and pre-approval from the Norwegian Regional Committees for Medical and Health Research Ethics (REC). You should therefore consider carefully the information you require and justify its necessity and relevance for your study in your applications.

It is a good idea to consider whether the variables you are requesting can be moderated or limited:

  • Is gender necessary and/or relevant?
  • Do you need to know the place of treatment or would a health region be sufficient?
  • Can you group residence by county rather than municipality?

You can read more about requirements for data minimisation on ico.org.uk.

Particularly sensitive variables

Dates can be particularly sensitive because they may make it possible to identify individuals. For example, date of birth, date of death, date of discovered illness etc.

When data from different data sources are to be linked, the data custodians may require reference dates to be used to avoid indirect identification. In that case, they will agree on another date (reference date) against which to recode the real dates.

The intervals between the different dates in the data should correspond to those between the real dates so that your analysis will be correct. This requires coordination between data custodians and can be time-consuming.

Ikon

Tip

Reducing as far as possible the number of variables in your application increases the probability of it being approved.

If you are planning to link information from multiple data sources, there are a number of factors you should be aware of before starting the application procedure.

Different sources have different purposes and regulations

Be aware that different rules and regulations apply to different data sources. The purposes of the data sources may also differ. For you to gain access to the information you want, it is crucial that your project complies with the regulations and purposes of the data sources in question. You should therefore familiarize yourself with the regulations of all the sources you want to access and contact the individual data custodians if you are unsure.

Please note that de-identified registries, such as NOIS, NORM, RAVN and the Abortion Register, cannot be linked to other sources, self-collected data or biological material.

Costs and timing

Requests for data linkage will affect the case-processing time and probably also the cost.

In addition to writing scripts and extracting data, the caseworker will need to spend time in dialogue with the other registries. If, for example, you have an approved application for a cancer diagnosis from the Cancer Registry linked to suicide from the Cause of Death Register (NIPH), the caseworker will take responsibility for linking the information. This requires time and coordination between the different data managers.

You can also expect the application procedure to take longer if you want to link data from pseudonymous registries with data from other sources. Pseudonymous registries do not store information such as name, address or national identity number, but replace the national identity number with a pseudonym. This affects the complexity of linking data with other sources and hence also the application procedure.

Ikon

Make a visual representation of the data linkage process

The clearer your description of the linkage process between the various data sources/data sets, the easier it is for the caseworkers to understand your project and compile the data appropriately. A visual presentation is often easier to understand than a written one.

The process of linking data sets can be performed in different ways. This depends on whether you want to:

  • Use one or more data sources to establish/define the sample. A data source can be data that you yourself have collected.
  • Link information from a pseudonymous registry.
  • Link the information with data from Statistics Norway (The Central Bureau of Statistics) or the Norwegian Patient Registry (NPR).

As a rule, health information is not made available with personal identity numbers. The Norwegian national identity number is an 11-digit personal identifier. Linkage between different sources is possible because the personal identifier is replaced by a project-specific serial number.

Ikon

Linking with de-identified data

NOIS, NORM, RAVN and the Norwegian Abortion Register are de-identified registries and cannot be linked to other sources, self-collected data or biological material.

Distributed linkage

Distributed linkage is the most efficient model for aligning data from different sources. You receive data consecutively from the various data sources and link the information yourself using common project-specific serial numbers in the files.

EN_Distrubert kobling_text.svg

Centralized linkage

With centralized linkage, all the information is gathered at one source and given a series of new serial number that goes across all data sources. You do not receive the files consecutively, but at the same time. The linking itself you usually have to take care of yourself.

There are different forms of centralized linking:

Linkage where multiple sources are used to define the sample

EN_Sentralisert kobling A_text.svg

Linkage where one source is used to define the selection

EN_Sentralisert kobling B_text.svg

Linkage with pseudonymous register where one data source or own data defines the sample

EN_Sentralisert kobling D_text.svg

* The file is encrypted with an encryption key that only the pseudonym manager has access to. Software for preprocessing the file is provided by a pseudonymous registry on request.

Linkage with pseudonymous register where several sources are used to define the sample

EN_Sentralisert kobling C_text.svg

In order for you to access and process personally identifiable information (PII), your application must contain a number of attachments which, among other things, document that:

  • You have a legal basis for processing the information you are requesting access to.
  • Necessary assessments have been made with regard to privacy and data processing.
  • An exemption from the duty of confidentiality has been granted.
  • A pre-approval from the Regional Committee for Medical and Health Research Ethics (REC) has been granted (if the purpose of the project is medical/health research).

You are responsible for familiarizing yourself with all the conditions for gaining access to and processing PII and for documenting that all such conditions have been met for all data sources, and that your application contains all relevant attachments.

We recommend that you contact the custodians of each data source if you need advice and guidance.

Examples of relevant attachments

The table below shows an overview of relevant attachments for the applications. The table is broadly categorized and is intended as a guide only. You need to assess which attachments are needed. For example, you do not need to attach a research protocol if the purpose of processing the information is not research.

Attachments

Required for medical and health research Required for other purposes
Research protocol, cf. Norwegian Health Research Act § 6 (In Norwegian) X X
Applications sent to the Regional Ethics Committee (REC) X X
Applications sent to the Norwegian Directorate of Health (in Norwegian)   X
Ethical assessment (or pre-approval) received from Regional Ethics Committee (REC) X  
Exemption from the duty of confidentiality received from the Regional Ethics Committee (REC), cf. the Norwegian Health Research Act § 35 X  
Assessment from the data protection officer (DPO) who documents that the legal basis for the data processing is fulfilled (cf. GDPR art. 6(1) (a-f) and art. 9(2) (a-j))  X X
Information letter and template for consent form (for consent-based projects) X X
Any previous licence applications sent to the Norwegian Data Protection Authority X X
Any previous licences received from the Norwegian Data Protection Authority X X
Exemption from the duty of confidentiality received from the Regional Ethics Committee (REC), cf. the Norwegian Health Personnel Act § 29 or from the Norwegian Directorate of Health, cf. the Norwegian Health Personnel Act § 29b   X
Ikon

Tip

Make sure that all attachments have names that explain what the document contains.

You are responsible for consulting your research institution to assess whether Data Protection Impact Assessments (DPIAs) is required or not.

Most medical and health research projects will require a DPIA where risks and measures to minimize risk are described.

If there are several institutions involved in the project, the collaboration between these must be well described.

If the data sets is to be sent to research institutions abroad, it is important that there is a data processor agreement (datatilsynet.no) between the institutions involved. Your organisation’s data protection officer (DPO) or data controller should help you get the agreement in place.

Guidance on DPIA

The Norwegian Data Protection Authority (DPA) has published information, which can help you with the assessment of whether a DPIA should be carried out, and how you should proceed.

NSD - Norwegian Centre for Research Data (nds.no) provides data protection services for approximately 140 research and educational institutions, including all the Norwegian universities, university colleges, several hospitals, and a number of independent research institutions. If your organization receives services from NSD they will provide guidance and assistance with carrying out a DPIA.

Data management plan

It is important that you document how basic privacy principles (datatilsynet .no) is handled in the project. Data minimization is key, but also what measures will be implemented to safeguard privacy in data processing.

NSD has published a data management planning tool (nsd.no), which provides guidance based on the information you give.

If a DPIA has not been carried out for your project, you will be asked to state the following in the application form on helsedata.no:

  • How the privacy principle of storage limitation will be safeguarded. That is, how and for how long the information is stored and planned deletion routines.
  • How the principle of integrity and confidentiality is maintained. You will be asked to describe the measures that will be taken to protect the data against accidental or unlawful destruction, loss or alteration, as well as unauthorized disclosure or access.

Personally identifiable information from health registries and health surveys is confidential and subject to confidentiality. In order to gain access to this information, there must therefore be an exception from the duty of confidentiality. The exception may be:

When applying for information from health registries or health surveys, the exception will often be a dispensation from the duty of confidentiality granted by REC.

Exemption granted by REC or the Norwegian Directorate of Health

Exemption from the duty of confidentiality is necessary in order to study health information that has already been collected, without asking for consent. Application for exemption from the duty of confidentiality is processed by:

  • REC if the purpose research. This applies to both medical and health research (the Norwegian Health Research Act §§ 15, 28 and 35) and to other research.
  • The Norwegian Directorate of Health if the purpose is quality assurance, administration, planning or management of the healthcare service.
Ikon

Tip

If you apply for pre-approval from REC, you normally apply for an exemption from the duty of confidentiality at the same time.

Consent

Consent is a legal basis that is often used in order to process health data and personal data. Consent is usually required, if you are planning on linking data from registries or health surveys with self-collected data.

For consent to be valid, several conditions must be met. Consent must be:

  • voluntary
  • specific to the processing to be carried out and to the personal data to be used
  • provided with adequate information to the individual
  • a clear confirmation and statement from the individual
  • possible to document
  • comprehensible and have an easily accessible form, a clear and simple language must be used

If the individual has consented to several types of processing of their health and personal data, this must be separable from each other and clearly stated in the consent.

In the REC-portal there are templates for information letters and consent forms (rekportalen.no).

Consent (Norwegian Center for Research Data - nsd.no)

If the purpose you state in the application for personally identifiable information is medical and health research, there is a requirement for ethical pre-approval of the project. As a rule, an application for pre-approval must be sent to the Regional Committees for Medical and Health Research ethics (REC), together with the research protocol.

It is the purpose of the project that is decisive for whether you need a pre-approval from REC according to the Norwegian Health Research Act. The Norwegian Health Research Act (lovdata.no) applies to medical and health research on humans, human biological material and health information, and only covers research with the purpose of obtaining new knowledge about health and disease.

Studies using patient/health information for purposes other than those covered by the Norwegian Health Research Act, for example social science purposes, is regulated by the Norwegian Personal Data Act (forskningsetikk.no) and does not require pre-approval from REC.

You´ll find more information on when you need to apply for pre-approval from REC here (helseforskning.etikkom.no). If in doubt, you can contact REC for a pre-assessment (submission assessment).

Required documentation of pre-approval from REC

If you are applying for access to personal information for medical/health research, your application must contain the following:

  • Copy of REC application
  • Copy of REC approval
  • Copy of relevant dialogue, interim decisions and feedback

Please note that REC also processes applications for exemption from the duty of confidentiality for all studies using health information or human biological material. This applies regardless of whether the purpose is medical/health research or other research (which is not covered by the Health Research Act). If you apply for pre-approval from REC, you normally apply for a dispensation from exemption from the duty of confidentiality at the same time.

Ikon

Tip

It is not necessary to upload a complete variable list with your application for pre-approval from REC. Rather, describe and explain what information and variables are necessary for the project. This will make it easier if you need to make small adjustments later.

Use the application form on helsedata.no to request information from data sources managed by the Norwegian Institute of Public Health, the Norwegian Directorate of Health or the Norwegian Cancer Registry. We recommend that you sign into your account before you begin filling out the application.

Other data sources that you find on helsedata.no have their own application forms. These forms can be found in the data source descriptions (in Norwegian).

We are continuously working to include all data sources on helsedata.no in the same application form.

Find data sources from:

All requests for access will be assessed by the individual data custodians in line with their information requirements and responsibilities under Norwegian law. 

Application processing at Helsedataservice

If you use the application form on helsedata.no, your application will be sent to Helsedataservice.

Helsedataservice is an organizational unit, temporarily located in The Norwegian Directorate for eHealth, which coordinates the processing of applications submitted through helsedata.no. Helsedataservice also offers guidance on filling out the application form on helsedata.no.

An application coordinator at Helsedataservice will review your application and verify that all necessary attachments have been submitted. The application will then be forwarded to case processing at the responsible data custodians.

Subsequently, the data custodians or Helsedataservice will contact you by e-mail.

Case processing

The data custodians have caseworkers who will process your application. They will contact you to clarify what kind of data you require, and to help make sure that the requested data are relevant to the purpose of your project.

The data custodian will process your application according the regulations of the individual data sources, health registries or health surveys.

In most cases, a decision is made for the application with a subsequent release of the data set within an agreed timeline.

Ikon

Be available to the caseworker

The caseworker who receives your application may contact you if there are any ambiguities in the application.

The cost of access to data may vary. In general, you have to pay for the time it takes to process your case.

According to the the Norwegian Health Register Act or the regulations of the individual data sources; health registries or health surveys, the data custodians may charge for actual expenses in connection with administration, processing and delivery of data. The cost may vary between different data custodians.

Complex applications may have a longer processing time. To reduce processing time, please be as detailed as possible when describing the data, you require.

For biological material, NIPH will in addition charge for the biobank's work on withdrawing, processing, shipping and possibly returning the material.

Expected processing time

Processing time depends on the scope of your project, the processing time of the individual register, and the amount of preparation and administrative work that must be done before the data can be delivered to you.

In the last part of the case processing, your caseworker will arrange the data you have requested. Linking data from multiple sources may increase the processing time.

Ikon

Contact data custodians for prices

We recommend that you contact the individual data custodians to get a price estimate for your project.

Deadlines

When your application is approved for processing, the data custodian has a 30-working day deadline to provide access to the requested data.

If your project involves linking data from multiple sources, the data custodians have a 60-working day deadline to provide access to the requested data.

The deadlines apply from the time the data custodian receive a complete application. The application is considered complete when it contains all the information, approvals and attachments that are necessary to assess and make decisions on granting access to the data requested.

If you need to report changes or amend your application after it has been submitted, we recommend that you contact Helsedataservice or the data custodians for guidance. Some changes may require you to submit a new application or submit updated documentation.

Describe the change you need and include the current case number. 

Send your request to service@helsedata.no or directly to the relevant data custodians:

The Norwegian Institute of Public Health (NIPH): datatilgang@fhi.no
The Norwegian Directorate of Health: helseregistre@helsedir.no
The Cancer Registry of Norway: datautlevering@kreftregisteret.no

The requested data can be provided to you in various ways, but will typically be sent by e-mail. Check that the table actually contains the data you have applied for.

Ikon

Missing data?

If you find that the files you receive are missing data, you should contact the last caseworker you were in contact with. This will help you obtain the missing data more quickly.

Please remember to let the caseworker know when you have received the data.

REC has a mandate to grant exemption from the duty of confidentiality. Remember that this exemption is personal. Therefore, it is important that persons who are listed as research staff in the REC application, and will have access to the data sets, correspond with the list of names sent with the application to data custodians.