Personally identifiable information (PII), also known as personal data and personal information, is any information relating to an identifiable person. This means that the information is of such a nature that it is possible to identify individuals. For example, a personal identity number is known or identities can be deduced through combinations of data items.
PII is primarily used for health analyses or research. Other terms that are often used for PII are microdata or research data.
As a rule, the information provided to an applicant is processed so that it is not possible to directly identify individuals. However, it is seldom possible to ensure that a data set is completely anonymous. If you request variables and information at a level that makes the individuals indirectly identifiable, the application may have to be adjusted to safeguard privacy.
You can only obtain access to health information from registries and population-based health surveys if there is a legal basis for the use and processing of the information. All requests for access will be assessed by the organizations responsible for managing the data (the "data custodians"), in accordance with their obligations and responsibilities under Norwegian law.
Familiarize yourself with the application process
Using personally identifiable information in a project can be very useful, but the process you have to go through to gain access to the data is complicated. We recommend that you familiarize yourself thoroughly with everything that is required of you before you start on the application itself.
Explore the contents of data sources and the regulations
If you want access to personally identifiable information, you need to spend time exploring what relevant data sources exist, and the options and restrictions that apply to accessing them and using the data they contain.
In many research projects, it is necessary to request access to information from multiple data sources. If you are requesting data from different sources, you must communicate this clearly in your application and describe what data you want to link.
Please note, it will probably take longer to gain access to the data if you request data from multiple sources. This is because different pieces of legislation regulate access to different data sources, and whether and how their contents may be linked and processed.
All requests for access will be assessed by the individual data custodians in accordance with their obligations and responsibilities under Norwegian law. So, when planning a project, you will find it useful to determine the specific data sources and data you wish to access and familiarize yourself with the applicable rules and regulations as early as possible.
Specific access requirements for the different data sources are given in the Data Access section of the data source pages. You will find an overview with descriptions of the data sources you can request access to here (in Norwegian).
Data sources in the application form on helsedata.no
Using the application form on helsedata.no, you can apply for access to information from data sources managed by the Norwegian Institute of Public Health (NIPH), the Norwegian Directorate of Health and the Cancer Registry of Norway. If you need data from other sources, you will find here a link to a separate application form for each data source .
Provide clearly defined research questions and a study design
Clearly defined research questions and a study design will help the caseworkers understand the purpose of your project – and what kind of data is relevant to it – much more quickly. This makes it easier for them to advise you which data sets to request, and to help you in the application procedure.
Be as clear as possible and justify the assessments you make when describing the purpose of using the data, your study design and which data you are requesting access to, both in the application and in the research protocol. This will make it easier for the caseworkers to find the appropriate data and to assess whether the purpose for which you wish to use it falls within the purpose of the data source. This will save both you and your caseworker time and effort.
Describe your study design
The more clearly you describe and justify your chosen study design, the greater the chances of receiving the data you require from the outset.
Examples of study designs that use health data from registries are:
- Cohort studies
- Case control studies
- Natural experiments
- Registry follow-up of clinical studies
Write the research protocol
If the purpose of the project is research, you are required to submit a research protocol with the application. This helps the caseworkers gain a deeper insight into the project and will give them a good foundation for assessing your request.
Some of the questions in the application form cover points that you will have already explained in the research protocol. It is important that the points you make in the application do not differ from the points set out in the research protocol. To avoid this, you may wish to use wording from the project description or research protocol in the application.
There are different templates for research protocols, but they usually contain:
- scientifically designed project plan
- list of research participants
- purpose for processing health information
- research ethics challenges
- sources of funding and dependencies
- plan for publication
- utilization of research results
Contact the relevant data custodians
Contact the relevant data custodians to ensure that the information you require can be provided, before you complete your research protocol.
You need to give a precise definition of the target population and the study population in your application. The target population is the group of individuals that the research questions concern. The study population or sample is the group of individuals you select as representatives of the target population in your research project.
The challenge is often to find a study population that is representative of the target population. You need to calculate how large the study population must be to answer the research questions and explain in detail how the study population will be selected, with inclusion and exclusion criteria.
Will the project use a control group?
A control group is a group of individuals that you use to compare the effect of a treatment or other measures/factors against.
How the control group is selected is of great importance for the validity of the research. Consequently, it is important to be aware of any sources of error and bias when defining the group.
If you plan to use the Norwegian Population Register to extract a control group, you must apply for permission from the Norwegian Tax Administration.
If the research project is to use information from the Norwegian Population Register and/or draw a sample or control population from the register, it must be accompanied by a permit from the Norwegian Tax Administration.
More information and a link to the application form can be found here.
The data sources have different purposes and are regulated by different laws and regulations. In order to gain access to information from a data source, the purpose of the project must be compatible with the purpose(s) of the data source. The reason for this is the key personal data protection principle known as purpose limitation (ico.org.uk). This means that personal information must not be reused for other purposes than its original intended use.
It is important to be aware of this when formulating your objectives and reasons for using the information. You can find the purpose of the data sources in the description of the data sources. You will find the data sources in this list view (in Norwegian).
REC application and purpose
You must ensure that the purpose you describe in the research protocol and in the application to the REC (Research Ethics Committee) corresponds to the defined purpose of the data sources you are requesting information from. In other words, the purpose must match in all three places.
When compiling the list of variables you require, we recommend that you use the variable names from the variable documentation provided by the data custodian. This will make it easier for the caseworkers to find the information you are looking for, which in turn will help streamline the application procedure.
You’ll find a tool for creating lists of variables and descriptions of variables from selected data sources here. Information about variables from other sources will, in most cases, be linked in the description of the data sources.
Can't find the variables you are looking for?
Describe the information you are looking for as precisely as possible and contact the data custodian if there are no descriptions of the variables available.
How specifically you need to describe the information you want to access varies in different phases of the application process. For example, it is not necessary to upload a complete variable list with your application for pre-approval from the REC. Rather, you should describe and explain the information and variables necessary for the project. This will make it easier if you need to make minor adjustments later.
Example of high-level (coarse) variables:
"Age","type of cancer","drug use","place of residence"
Examples of low-level (specific) variables:
"60-70 years", "lung cancer", "opioids", "name of city"
You should carefully consider whether the information you are requesting access to is relevant and necessary for your study. The scope and level of detail in the study population/samples and the number of variables you request access to will affect the rest of your application procedure.
The more variables you request access to, the greater the risk that individuals can be identified. Your application may then fail to be approved when applying for data from various data sources or for ethical assessment and pre-approval from the Norwegian Regional Committees for Medical and Health Research Ethics (REC). You should therefore consider carefully the information you require and justify its necessity and relevance for your study in your applications.
It is a good idea to consider whether the variables you are requesting can be moderated or limited:
- Is gender necessary and/or relevant?
- Do you need to know the place of treatment or would a health region be sufficient?
- Can you group residence by county rather than municipality?
You can read more about requirements for data minimisation on ico.org.uk.
Particularly sensitive variables
Dates can be particularly sensitive because they may make it possible to identify individuals. For example, date of birth, date of death, date of discovered illness etc.
When data from different data sources are to be linked, the data custodians may require reference dates to be used to avoid indirect identification. In that case, they will agree on another date (reference date) against which to recode the real dates.
The intervals between the different dates in the data should correspond to those between the real dates so that your analysis will be correct. This requires coordination between data custodians and can be time-consuming.
Reducing as far as possible the number of variables in your application increases the probability of it being approved.
In order for you to access and process personally identifiable information (PII), your application must contain a number of attachments which, among other things, document that:
- You have a legal basis for processing the information you are requesting access to.
- Necessary assessments have been made with regard to privacy and data processing.
- An exemption from the duty of confidentiality has been granted.
- A pre-approval from the Regional Committee for Medical and Health Research Ethics (REC) has been granted (if the purpose of the project is medical/health research).
You are responsible for familiarizing yourself with all the conditions for gaining access to and processing PII and for documenting that all such conditions have been met for all data sources, and that your application contains all relevant attachments.
We recommend that you contact the custodians of each data source if you need advice and guidance.
Examples of relevant attachments
The table below shows an overview of relevant attachments for the applications. The table is broadly categorized and is intended as a guide only. You need to assess which attachments are needed. For example, you do not need to attach a research protocol if the purpose of processing the information is not research.
|Required for medical and health research||Required for other purposes|
|Research protocol, cf. Norwegian Health Research Act § 6 (In Norwegian)||X||X|
|Applications sent to the Regional Ethics Committee (REC)||X||X|
|Applications sent to the Norwegian Directorate of Health (in Norwegian)||X|
|Ethical assessment (or pre-approval) received from Regional Ethics Committee (REC)||X|
|Exemption from the duty of confidentiality received from the Regional Ethics Committee (REC), cf. the Norwegian Health Research Act § 35||X|
|Assessment from the data protection officer (DPO) who documents that the legal basis for the data processing is fulfilled (cf. GDPR art. 6(1) (a-f) and art. 9(2) (a-j))||X||X|
|Information letter and template for consent form (for consent-based projects)||X||X|
|Any previous licence applications sent to the Norwegian Data Protection Authority||X||X|
|Any previous licences received from the Norwegian Data Protection Authority||X||X|
|Exemption from the duty of confidentiality received from the Regional Ethics Committee (REC), cf. the Norwegian Health Personnel Act § 29 or from the Norwegian Directorate of Health, cf. the Norwegian Health Personnel Act § 29b||X|
Make sure that all attachments have names that explain what the document contains.
When applying for access to directly or indirectly identifiable health or personal data, you must identify and document an appropriate legal basis (or bases) for processing the data in accordance with GDPR Article 6(1). At least one of the conditions must apply.
In addition to having a legal basis (or bases) for processing the personal data, at least one of the conditions under Article 9(2) must be met in order to process special categories of personal data, including health data.
In the application form on helsedata.no, you will be asked to state which letter(s) under Article 6(1) (a-f) and under Article 9(2) (a-j) constitute(s) the legal basis (or bases) for the processing of personal data that will occur in your project. If multiple bases apply for the processing, you need to explain which parts of the project’s personal data processing is covered by which bases.
Contact your organization's data protection officer (DPO) or the data controller for the project to request an assessment of and justification for the legal basis (or bases) for the processing of the information.
GDPR Article 6(1) - legal basis for processing personal data
The legal bases under Article 6(1) that are most relevant for processing health data are (a), (c) and (e).
This legal basis for processing applies if valid consent to the processing has been obtained from the person or persons to whom the information applies. The person(s) must have consented to the processing of their data for one or more specific purposes.
For consent to be valid, it must be given voluntarily, it must be specific, informed, and unambiguous. Furthermore, it must be given through an active action, documentation must be feasible, and it must be possible to withdraw consent as easily as it was given.
A consent may be obtained by you or it may have been obtained through a consent-based health survey.
(c) Compliance with a legal obligation
This legal basis for processing applies if the processing of the personal data is necessary in order for the data controller to comply with a legal obligation. For example, a company may be required to process certain personal data. This requirement must be stipulated in law or by regulation.
(e) Perform a task in the public interest or in the exercise of official authority
This legal basis for processing implies that the processing of the personal data is necessary in order to perform a task in the public interest or to exercise official authority.
In principle, both alternatives refer to official authority, but the basis for processing can also apply to any organization that explicitly exercises official authority or carries out tasks in the public interest.
The processing must be based in law or regulation. This means that the legal basis for processing must be established in a law to which the person responsible for processing is subject.
In contrast to the legal basis "compliance with a legal obligation", an organization or company is not required to be subject to an obligation.
Other legal bases for processing under Article 6 (1)
The following legal bases may also be relevant:
(b) Perform a contract to which the data subject is party
This legal basis for processing means that the processing of the personal data is necessary to fulfil a contract to which the person in question is a party, or it is necessary to implement measures that the individual has requested before entering into the agreement. It is a requirement that the processing is actually necessary to perform a service the individual has requested.
(d) Vital interests
This basis for processing is used in very few cases and means that the processing of the personal data is necessary to protect the vital interests of the data subject or another physical person’s vital interests. Vital interests might be, for example, acute danger to someone's life and health that makes it necessary to process or disclose personal data.
(f) Legitimate interest
This legal basis can be used if it is necessary to process personal data in order to safeguard a legitimate interest that outweighs the consideration of the individual's privacy. A specific balancing of interests must be made where the data controller’s interests in the processing of the data are weighed against the individual's privacy interest.
You can read more about legal basis for processing personal data on ico.org.uk.
GDPR Article 9(2) - Legal basis for processing special categories of personal data
For processing health information, at least one of the conditions of GDPR Article 9(2) must apply. The most common conditions under Article 9(2) in health research are (a), (g), (h), (i) and (j).
This basis for processing can be used if valid consent to the processing has been obtained from the person or persons to whom the information applies. The person(s) must have consented to the processing of their data for one or more specific purposes.
(g) Substantial public interest
The condition implies that the processing is necessary for the sake of important public interests and has a lawful basis.
(h) Provision or management of health services
This condition implies that the processing is necessary for the purposes of preventive or occupational medicine, in connection with medical diagnosis, the provision of health and social services, the treatment or management of health or social services and systems on the basis of national law.
However, the lawful basis for processing can only be used if the personal data is processed by a professional expert who has an obligation of professional secrecy, and the processing of personal data must be based on law or as a result of an agreement with health personnel.
(i) Public interest in the area of public health
This condition means that the processing is necessary for public health reasons.
(j) Archives, research and statistics
This condition implies that the processing is necessary for archival purposes in the public interest, for purposes related to scientific or historical research or for statistical purposes. Certain conditions apply and the condition presupposes that the processing has a legal basis.
You can read more about the legal basis for processing special category data on ico.org.uk.
If the legal basis for the processing of personally identifiable data is GDPR Article 6(1) (c) or (e), or Article 9(2) (b), (g), (h), (i) or (j), you must also state a supplementary legal basis.
Ask for assistance from your organization’s data protection officer (DPO) or the data controller for the project if you do not know what constitutes the supplementary legal basis for your application.
Nationally, in Norway, supplementary legal bases may be decisions pursuant to the Norwegian Health Personnel Act and the Norwegian Health Research Act on exemption from the duty of confidentiality or a basis in law or by regulation.
Exemption from the duty of confidentiality from the REC or the Norwegian Directorate of Health may constitute the necessary supplementary legal basis under both GDPR Article 6 and Article 9.
You are responsible for consulting your research institution to assess whether Data Protection Impact Assessments (DPIAs) is required or not.
Most medical and health research projects will require a DPIA where risks and measures to minimize risk are described.
If there are several institutions involved in the project, the collaboration between these must be well described.
If the data sets is to be sent to research institutions abroad, it is important that there is a data processor agreement (datatilsynet.no) between the institutions involved. Your organisation’s data protection officer (DPO) or data controller should help you get the agreement in place.
Guidance on DPIA
The Norwegian Data Protection Authority (DPA) has published information, which can help you with the assessment of whether a DPIA should be carried out, and how you should proceed.
NSD - Norwegian Centre for Research Data (nds.no) provides data protection services for approximately 140 research and educational institutions, including all the Norwegian universities, university colleges, several hospitals, and a number of independent research institutions. If your organization receives services from NSD they will provide guidance and assistance with carrying out a DPIA.
Data management plan
It is important that you document how basic privacy principles (datatilsynet .no) is handled in the project. Data minimization is key, but also what measures will be implemented to safeguard privacy in data processing.
NSD has published a data management planning tool (nsd.no), which provides guidance based on the information you give.
If a DPIA has not been carried out for your project, you will be asked to state the following in the application form on helsedata.no:
- How the privacy principle of storage limitation will be safeguarded. That is, how and for how long the information is stored and planned deletion routines.
- How the principle of integrity and confidentiality is maintained. You will be asked to describe the measures that will be taken to protect the data against accidental or unlawful destruction, loss or alteration, as well as unauthorized disclosure or access.
Personally identifiable information from health registries and health surveys is confidential and subject to confidentiality. In order to gain access to this information, there must therefore be an exception from the duty of confidentiality. The exception may be:
- Consent from the data subjects.
- Exemption from the duty of confidentiality granted by REC or the Norwegian Directorate of Health.
- Exemption from the duty of confidentiality for disclosure of indirectly identifiable information pursuant to the Norwegian Health Register Act § 20. This exception only applies to health registries authorized in the Norwegian Health Register Act § 11 (lovdata.no)(In Norwegian).
When applying for information from health registries or health surveys, the exception will often be a dispensation from the duty of confidentiality granted by REC.
Exemption granted by REC or the Norwegian Directorate of Health
Exemption from the duty of confidentiality is necessary in order to study health information that has already been collected, without asking for consent. Application for exemption from the duty of confidentiality is processed by:
- REC if the purpose research. This applies to both medical and health research (the Norwegian Health Research Act §§ 15, 28 and 35) and to other research.
- The Norwegian Directorate of Health if the purpose is quality assurance, administration, planning or management of the healthcare service.
If you apply for pre-approval from REC, you normally apply for an exemption from the duty of confidentiality at the same time.
Consent is a legal basis that is often used in order to process health data and personal data. Consent is usually required, if you are planning on linking data from registries or health surveys with self-collected data.
For consent to be valid, several conditions must be met. Consent must be:
- specific to the processing to be carried out and to the personal data to be used
- provided with adequate information to the individual
- a clear confirmation and statement from the individual
- possible to document
- comprehensible and have an easily accessible form, a clear and simple language must be used
If the individual has consented to several types of processing of their health and personal data, this must be separable from each other and clearly stated in the consent.
In the REC-portal there are templates for information letters and consent forms (rekportalen.no).
If the purpose you state in the application for personally identifiable information is medical and health research, there is a requirement for ethical pre-approval of the project. As a rule, an application for pre-approval must be sent to the Regional Committees for Medical and Health Research ethics (REC), together with the research protocol.
It is the purpose of the project that is decisive for whether you need a pre-approval from REC according to the Norwegian Health Research Act. The Norwegian Health Research Act (lovdata.no) applies to medical and health research on humans, human biological material and health information, and only covers research with the purpose of obtaining new knowledge about health and disease.
Studies using patient/health information for purposes other than those covered by the Norwegian Health Research Act, for example social science purposes, is regulated by the Norwegian Personal Data Act (forskningsetikk.no) and does not require pre-approval from REC.
You´ll find more information on when you need to apply for pre-approval from REC here (helseforskning.etikkom.no). If in doubt, you can contact REC for a pre-assessment (submission assessment).
Required documentation of pre-approval from REC
If you are applying for access to personal information for medical/health research, your application must contain the following:
- Copy of REC application
- Copy of REC approval
- Copy of relevant dialogue, interim decisions and feedback
Please note that REC also processes applications for exemption from the duty of confidentiality for all studies using health information or human biological material. This applies regardless of whether the purpose is medical/health research or other research (which is not covered by the Health Research Act). If you apply for pre-approval from REC, you normally apply for a dispensation from exemption from the duty of confidentiality at the same time.
It is not necessary to upload a complete variable list with your application for pre-approval from REC. Rather, describe and explain what information and variables are necessary for the project. This will make it easier if you need to make small adjustments later.
Use the application form on helsedata.no to request information from data sources managed by the Norwegian Institute of Public Health, the Norwegian Directorate of Health or the Norwegian Cancer Registry. We recommend that you sign into your account before you begin filling out the application.
Other data sources that you find on helsedata.no have their own application forms. These forms can be found in the data source descriptions (in Norwegian).
We are continuously working to include all data sources on helsedata.no in the same application form.
Find data sources from:
All requests for access will be assessed by the individual data custodians in line with their information requirements and responsibilities under Norwegian law.
Application processing at Helsedataservice
If you use the application form on helsedata.no, your application will be sent to Helsedataservice.
Helsedataservice is an organizational unit, temporarily located in The Norwegian Directorate for eHealth, which coordinates the processing of applications submitted through helsedata.no. Helsedataservice also offers guidance on filling out the application form on helsedata.no.
An application coordinator at Helsedataservice will review your application and verify that all necessary attachments have been submitted. The application will then be forwarded to case processing at the responsible data custodians.
Subsequently, the data custodians or Helsedataservice will contact you by e-mail.
The data custodians have caseworkers who will process your application. They will contact you to clarify what kind of data you require, and to help make sure that the requested data are relevant to the purpose of your project.
The data custodian will process your application according the regulations of the individual data sources, health registries or health surveys.
In most cases, a decision is made for the application with a subsequent release of the data set within an agreed timeline.
Be available to the caseworker
The caseworker who receives your application may contact you if there are any ambiguities in the application.
The cost of access to data may vary. In general, you have to pay for the time it takes to process your case.
According to the the Norwegian Health Register Act or the regulations of the individual data sources; health registries or health surveys, the data custodians may charge for actual expenses in connection with administration, processing and delivery of data. The cost may vary between different data custodians.
Complex applications may have a longer processing time. To reduce processing time, please be as detailed as possible when describing the data, you require.
For biological material, NIPH will in addition charge for the biobank's work on withdrawing, processing, shipping and possibly returning the material.
Expected processing time
Processing time depends on the scope of your project, the processing time of the individual register, and the amount of preparation and administrative work that must be done before the data can be delivered to you.
In the last part of the case processing, your caseworker will arrange the data you have requested. Linking data from multiple sources may increase the processing time.
Contact data custodians for prices
We recommend that you contact the individual data custodians to get a price estimate for your project.
When your application is approved for processing, the data custodian has a 30-working day deadline to provide access to the requested data.
If your project involves linking data from multiple sources, the data custodians have a 60-working day deadline to provide access to the requested data.
The deadlines apply from the time the data custodian receive a complete application. The application is considered complete when it contains all the information, approvals and attachments that are necessary to assess and make decisions on granting access to the data requested.
If you need to report changes or amend your application after it has been submitted, we recommend that you contact Helsedataservice or the data custodians for guidance. Some changes may require you to submit a new application or submit updated documentation.
Describe the change you need and include the current case number.
Send your request to email@example.com or directly to the relevant data custodians:
The requested data can be provided to you in various ways, but will typically be sent by e-mail. Check that the table actually contains the data you have applied for.
If you find that the files you receive are missing data, you should contact the last caseworker you were in contact with. This will help you obtain the missing data more quickly.
Please remember to let the caseworker know when you have received the data.
REC has a mandate to grant exemption from the duty of confidentiality. Remember that this exemption is personal. Therefore, it is important that persons who are listed as research staff in the REC application, and will have access to the data sets, correspond with the list of names sent with the application to data custodians.