Regulation on a Helth Sector Database
on a Health Sector Database
CHAPTER I
General Provisions
Article 1
Scope
This Regulation applies to the creation and operation of a centralised Health Sector Database, cf. Article 2 of Act No. 139/1998 on a Health Sector Database.
Article 2
Definitions
In this Regulation, the following terms shall have the respective meanings indicated below:
Operating Licence: An operating licence for the creation and operation of a centralised Health Sector Database pursuant to Act No. 139/1998 on a Health Sector Database, issued by the Minister for Health and Social Security.
Monitoring Committee: A committee on the creation and operation of a centralised Health Sector Database pursuant to Article 6 of Act No. 139/1998.
Science Ethics Committee: The Science Ethics Committee pursuant to Article 1 of Government Regulation No 552/1999 on scientific health research, cf. Article 29 of Act No.74/1997, on Patients' Rights.
Technology, Security and Organization Terms: The technology, security and organization terms of the Data Protection Commission pursuant to Article 5, Paragraph 1, Sub-Section 2 of Act No. 139/1998 on a Health Sector Database.
Query layer: Software intended to process research or queries in the Health Sector Database.
Query Classes: Specific types of queries which are comparable and processed using the software in the query layer in the Health Sector Database.
Article 3
Assessment of Conditions
The issue of the Operating Licence for the creation and operation of a Health Sector Database is subject to the provisions of Act No. 139/1998 on a Health Sector Database. The Minister for Health and Social Security shall assess whether the conditions laid down in Paragraph 1 of Article 5 of the Act are met before issuing an Operating Licence. Prior to the issue of the Operating Licence the Technology, Security and Organisation Terms of the Data Protection Commission shall be available, cf. Article 5, Paragraph 1, Sub-Section 2 of the Act.
Article 4
Further Conditions in the Operating Licence and Monitoring of Compliance
The Minister may attach further conditions to the Operating Licence beyond the conditions established in Paragraph 1 of Article 5 of the Act. The Minister may set the condition in the Operating Licence that individual work components in the preparation, creation and operation of the Health Sector Database shall not begin until such time as certain conditions further elaborated in the Operating Licence have been met. The Monitoring Committee and Data Protection Commission shall be responsible for monitoring that conditions established in the Operating Licence regarding individual work components are met as further provided in the Operating Licence and in accordance with the division of tasks among the Monitoring Committee and Data Protection Commission pursuant to Act No. 139/1998 and this Regulation.
The Minister may, at a later stage, e.g. on the recommendation of the Monitoring Committee, the Data Protection Commission, the Interdisciplinary Ethics Committee or the Licensee, establish new conditions in addition to the conditions stipulated in the Operating Licence regarding the security of data in the Database, its creation and other aspects in the event of issues or difficulties requiring action.
Article 5
Assessment of an Independent Systems Security Expert
Processing in the Health Sector Database shall not begin until an assessment has been performed by an independent expert on the security of information systems. The Monitoring Committee shall ensure that such an assessment is conducted.
Article 6
Rules on Science Ethics
The collection, transfer and processing of data in the Health Sector Database shall at all times be conducted in full compliance with recognised international rules on science ethics and rules established on their basis and current in Iceland at any time.
CHAPTER II
Financial Segregation
Article 7
Segregated Accounts
The operation of the Health Sector Database shall be financially segregated from other activities of the Licensee, cf. Paragraph 2 of Article 14 of the Competition Act No. 8/1993. The operation of the Health Sector Database shall be conducted within a separate operating unit or department, and keep separate accounts. Accounting shall be conducted pursuant to the Act on Financial Accounts. A separate Initial Balance Sheet shall be made. Assets regarded as pertaining to the activities covered by the Operating Licence shall be appraised at market value where possible, or at the replacement value following reasonable depreciation. Liabilities of the activities covered by the Operating Licence shall include only liabilities connected with such activities alone.
Article 8
Pricing of Joint Use and Day-to Day Management
All joint use of the operation subject to the Operating Licence and the competitive operations of the Licensee, such as use of real estate, machinery and human resources, shall be valued at market price on an arm's length basis. In the event that market price is not available, the value shall be based on cost price plus a reasonable mark-up. Similarly, business between the operation subject to the Operating Licence and other departments shall be conducted on an arm's length basis.
When the utilisation of the Health Sector Database has begun, the party responsible for the day-to-day administration of the operation subject to the Operating Licence shall not be responsible for the administration of the departments of the Licensee engaged in competitive activities.
CHAPTER III
Collection, Handling and Processing of Information
Article 9
Licensed Health-Care Professionals
The employees of the health institutions in question or self-employed health service workers shall prepare data for transfer to the Health Sector Database and such work shall be performed or managed by employees who are licensed health-care professionals. The handling of health data by the Licensee shall also be performed or managed by personnel who are licensed health-care professionals. Those employees of health institutions and self-employed health service workers who are directly employed in the transfer of health data to the Health Sector Database shall not be involved in the Licensee's operation of the Database. The Operating License shall be accompanied by a list of licensed health-care professions at the time of issue of the Operating Licence.
Article 10
Access to Data by Health Authorities
The Ministry of Health and Social Security and the Directorate of Health shall at all times have access to statistical data from the Database, cf. Article 9 of Act No. 139/1998. The data shall be in accessible form and meet the specifications of the health authorities as current at any time.
Article 11
Medical Records System
The Operating Licence shall establish general specifications for medical records systems. The Licensee shall meet all conditions and requirements contained in the specifications of the Operating Licence and also any later requirements and conditions which the Minister may regard as necessary to achieve the objectives of Act No. 139/1998.
Article 12
Patients' Rights
A patient may at any time request that information concerning him is not transferred to the Health Sector Database. A patient's request may involve all information already available on the patient in medical records or which may be recorded, or further specified information. Such a request from a patient shall also be observed after his death.
In the event that a patient wishes to have information on him transferred to the Health Sector Database, despite the fact that a health institution or self-employed health service worker has not entered into an agreement on such transfer of information, the patient shall submit a request to this effect to the Directorate of Health. The Directorate of Health shall ensure that such a request from a patient is carried out.
CHAPTER IV
Access Control
Article 13
Access to the Health Sector Database
The Licensee may not grant direct access to the Health Sector Database.
Before processing is begun in the Database, the Licensee shall inform the Monitoring Committee which parties in his employ work with the Database, its operation and development of software and which parties in his employ have access to the query layer. Furthermore, their roles and responsibilities shall be defined, as well as their access authorisation. The Licensee shall notify the Monitoring Committee of any intentions to confer responsibilities on new parties pursuant to this provision and ensure that the Security Terms of the Data Protection Commission are strictly observed.
Article 14
Data from the Health Sector Database
Providing information on individuals from the Health Sector Database is prohibited. Only statistical information involving groups of individuals may be provided.
CHAPTER V
Monitoring Committee
Article 15
Composition, Staff and Facilities
The Minister for Health and Social Security shall appoint a committee of three members, the Monitoring Committee, for a term of four years to supervise the creation and operation of the Health Sector Database. One member shall be a health sector worker with knowledge in the field of epidemology, another shall be knowledgeable in the field of information and/or computer science. The third shall be a lawyer and serve as Chairman of the Committee. Alternate members shall be appointed in the same way.
The Committee shall be provided with staff and working facilities. The Committee shall employ a Managing Director with a law degree. The Committee shall seek expert advice as required.
Article 16
Supervision of the Making of Agreements
The Monitoring Committee shall oversee the making of agreements between the Licensee, on the one hand, and health institutions and self-employed health service workers, on the other hand. The Committee shall protect the interests of the public health authorities, health institutions, self-employed health service workers and scientists in negotiating agreements. The negotiating parties shall inform the Committee of the status of negotiations. Members of the Committee are permitted to attend meetings of the negotiating parties at their discretion.
The Monitoring Committee shall, i.a., ensure co-ordination of the terms of the Licensee's agreements with individual institutions to the extent possible, e.g. as regards processing of health data, design of software, costs and payments.
The Monitoring Committee shall ensure that software for use in standardised recording in health institutions and self-employed health service workers is consistent with the specifications included in the Operating Licence and any later specifications and requirements, cf. Articles 10 and 11 hereof. The Committee shall ensure that the software enables data processing that will meet the needs of individual health institutions and self-employed health service workers for a co-ordinated information system, the needs of specialist fields and the needs of public health authorities for access to statistical data from the Database in accessible form so as to be useful in the preparation of health reports, plans, policies and other projects of these parties. Measures shall also be taken to ensure that the data can be used for scientific research.
Confirmation by the Monitoring Committee of an agreement between the Licensee and individual health institutions or self-employed health service workers is a prerequisite for the validity of the agreement. The parties shall be notified of the Committee's conclusion within two weeks from the time that the agreement was delivered to the Committee for confirmation.
Article 17
Surveillance
The Monitoring Committee shall monitor the day-to-day operation of the Database and ensure that its creation and operation are consistent with the provisions of law, regulations and the Operating Licence to the extent that such is not the role of the Data Protection Commission under law.
Article 18
Access to Data
The Monitoring Committee may require from the Licensee and persons in the employ of the Licensee any information necessary for the Committee to perform its tasks pursuant to Act No. 139/1998, this Regulation and provisions of the Operating Licence.
The Licensee shall ensure, e.g., that the Monitoring Committee always has access to information on all research or queries or classes of queries submitted to the Licensee for processing as well as to information on the research parties and parties submitting queries in a form permitted by the Security Terms of the Data Protection Commission.
The members of the Monitoring Committee and persons directly or indirectly in its employ shall not divulge any confidential information that they acquire in the course of their duty. The confidentiality obligation shall remain in force even when employment ceases.
Article 19
Advice on Use of Data
The Monitoring Committee shall advise the Ministry of Health and Social Security and the Directorate of Health on utilisation of data in the Database.
Article 20
Backup Copies
The Monitoring Committee shall preserve backup copies of the Database in a bank safety deposit box or in some other secure manner. The Backup copy shall be updated regularly pursuant to the further decision of the Committee as new data is entered into the Database. The Operating Licence shall contain further provisions on backing up the Database pursuant to the Technology, Security and Organization terms of the Data Protection Commission.
Article 21
Information to the Science Ethics Committee
The Monitoring Committee shall deliver to the Science Ethics Committee at least once every three months a list of all queries or query classes submitted to the Health Sector Database together with information on the parties submitting the queries, in a form permitted by the Technology, Security, and Organization Terms of the Data Protection Commission.
Article 22
Notification of Impropriety
The Monitoring Committee shall inform the Minister and the Data Protection Commission without delay if the Committee has reason to believe that there is any impropriety in the operation of the Database.
Article 23
Temporary Operation of the Health Sector Database
In the event of revocation of the Operating Licence, or if the Licensee is deprived of the Operating Licence, the Monitoring Committee shall operate the Database in the interests of the public health authorities, health institutions and self-employed health service workers, e.g., in the interests of scientific research, until such time as the Minister has arrived at a decision on its future operation.
The Committee shall submit to the Minister its opinion regarding the continued operation of the Health Sector Database following the expiration of the term of the Licence pursuant to its provisions. The same applies if the Operating Licence is revoked or the Licensee is deprived of his Licence.
Article 24
Report to the Minister
No later than 1 March of each year, the Monitoring Committee shall submit to the Minister a report on the operation of the Health Sector Database and the work of the Committee over the preceding year. Furthermore, the Committee shall keep a record of its minutes and deliver a copy of the minutes to the Minister following each meeting.
CHAPTER VI
Interdisciplinary Ethics Committee
Article 25
Composition of the Committee and Expert Assistance
The Minister for Health and Social Security shall appoint an Interdisciplinary Ethics Committee of three members for a term of four years. One member shall be appointed pursuant to the nomination of the Directorate of Health; one member shall be appointed pursuant to the nomination of the Minister for Education, and one member shall be appointed by the Minister for Health and Social Security without nomination to serve as Chairman of the Committee. Alternate members shall be appointed in the same manner. Steps shall be taken to ensure that the Committee is composed of individuals with expert knowledge in the field of health sciences, research ethics and human rights. The Committee may summon experts for consultation as necessary.
Article 26
Role
The Interdisciplinary Ethics Committee shall ensure that processing of data in the Health Sector Database is at all times conducted in full compliance with recognised international rules on science ethics and rules established on the basis of such international rules and current in Iceland at any time. The Committee shall base its opinions on those rules.
The Licensee shall submit to the Interdisciplinary Ethics Committee a request for research and individual queries or query classes which are intended for processing using data from the Health Sector Database. This applies to research which is conducted exclusively within the enterprise of the Licensee or in co-operation with other parties. A request pursuant to this provision shall be accompanied by a detailed description and other data pursuant to further provision of the rules of procedure of the Committee.
Research, queries or query classes shall not be processed without the prior consent of the Interdisciplinary Ethics Committee.
The Interdisciplinary Ethics Committee shall respond to requests within two weeks of receiving all documents. In the event of unusually extensive research or queries, the Committee may extend this deadline by two weeks.
Article 27
Appeal
Decisions of the Interdisciplinary Ethics Committee may be appealed to the Minister for Health and Social Security. The Minister shall seek the opinion of the Science Ethics Committee before returning a decision.
Article 28
Surveillance and Revocation
The Interdisciplinary Ethics Committee shall monitor the progress of research and processing of queries which it has approved in the Health Sector Database. The Committee may require that the Licensee submit reports to the Committee to enable the Committee to ascertain that work is conducted in accordance with information submitted to the Committee and/or instructions of the Committee on processing.
The Interdisciplinary Ethics Committee may withdraw its permission to use specific classes of research or queries if it is of the opinion that their conduct is not consistent with the documents submitted information submitted to the Committee and/or the instructions of the Committee on their use.
If the permission of the Committee is revoked, the research or processing of queries shall be stopped immediately.
Article 29
Rules of Procedure
The Minister shall establish rules of procedure for the Interdisciplinary Ethics Committee pursuant to the recommendations of the Interdisciplinary Ethics Committee and comments of the Science Ethics Committee.
CHAPTER VII
The Data Protection Commission
Article 30
Requirements for Technology, Security and Organisation
The Data Protection Commission shall establish Technology, Security and Organisation terms to be met by the Licensee in the creation and operation of the Health Sector Database.
The Data Protection Commission may review the Technology, Security and Organisation Terms to be met by the Licensee in the light of new technology, experience or changed assessment of the Technology, Security, and Organization Terms, and establish a deadline for the Licensee to comply with the new requirements.
The Licensee shall not make any alterations in matters of Technology, Security and Organisation, including changes in software or hardware, except pursuant to rules established by the Data Protection Commission.
In the event of circumstances where the security of data may be at risk, the Data Protection Commission may prohibit further processing in the Database until such time as the Data Protection Commission is satisfied that data security is adequate.
Article 31
The Data Protection Commission Encryption Agency
The Data Protection Commission shall operate an Encryption Agency which shall carry out the transfer of all data to the Health Sector Database.
Personal identifiers shall be encrypted by one-way encryption at Health Institutions or at the location of self-employed health service workers who have concluded an agreement with the Licensee. Medical data processed by these parties shall be sent in encrypted form to the Encryption Agency of the Data Protection Commission. The Directorate of Health shall provide the Encryption Agency of the Data Protection Commission with an encrypted list of those patients who have requested to be excluded from the Health Sector Database, and the Encryption Agency shall delete all data processed from their medical records.
The Encryption Agency of the Data Protection Commission is responsible for further encryption of personal identifiers before the data is sent to the Health Sector Database using methods which in the opinion of the Agency will best ensure personal privacy.
Article 32
Cross-referencing of Data
The Licensee shall establish rules of procedure and work processes which meet the conditions of the Data Protection Commission in order to ensure privacy protection in the cross-referencing of data from the Health Sector Database, a genealogical database and a database containing genetic data.
The Data Protection Commission shall attach such conditions to its approval of the rules of procedure and work processes of the Licensee as it considers necessary at any time to ensure privacy protection and data security in the Health Sector Database. Data from the Health Sector Database shall not be cross-referenced with genetic data unless such data has been obtained in accordance with the rules current in Iceland at any time.
Among the conditions for the approval of the Data Protection Commission is that the results should be non-personally identifiable. If it becomes evident that results obtained from cross-referencing of data are personally identifiable, the Data Protection Commission may withdraw its approval and order the destruction of such results in their entirety or in part. During the course of investigation, the Data Protection Commission may prohibit further cross-referencing of data on the basis of its approval and take custody of the results
In the event that the Licensee does not observe the conditions of the Data Protection Commission on the cross-referencing of data, the Data Protection Commission may revoke its approval pursuant to this provision.
Article 33
Transfer of Medical Data
In order to preserve the security of personal data, the Data Protection Commission may establish rules to be observed during the collection, registration and processing of medical data in the medical records system in preparation for their transfer to the Encryption Agency of the Data Protection Commission.
Health Institutions and self-employed health service workers are responsible for the delivery of health data to the Encryption Agency of the Data Protection Commission, and shall observe the conditions established by the Data Protection Commission.
Article 34
Inspections and Monitoring Activities of the Data Protection Commission
The Data Protection Commission is responsible for monitoring the creation and operation of the Health Sector Database as regards the recording and processing of personal data and the security of data in the Health Sector Database.
The Data Protection Commission shall take measures to monitor observance of the conditions established by the Commission.
The Data Protection Commission may inspect the technology, security and organisation aspects of the Health Sector Database whenever necessary. The Data Protection Commission may conduct any test, inspection or take any surveillance action it may regard as necessary and demand the required assistance of the personnel of the Licensee in taking such action.
The Data Protection Commission may require from the Licensee and any of the Licensee's employees any information necessary for the Commission to perform its tasks, including information to determine whether a particular activity falls under the provisions of this Regulation and the Act on a Health Sector Database. The Data Protection Commission may also summon personnel of the Licensee and persons employed by the Licensee to appear before the Commission and provide oral information and explanations.
In the course of its surveillance duties, the Data Protection Commission shall have free access to the premises where the Health Sector Database is preserved and processing takes place.
The Data Protection Commission may, by a special resolution, entrust specific employees and consultants with certain aspects of the work entrusted to the Data Protection Commission pursuant to this Regulation and the Act on a Health Sector Database.
Article 35
Report of the Data Protection Commission
The Data Protection Commission shall advise the Minister on the continued operation of the Health Sector Database following the expiration of the term of the Operating Licence pursuant to its provisions. The same applies if the Operating Licence is revoked or the Licensee deprived of his Licence.
CHAPTER VIII
Disposal of the Health Sector Database Following the End of the Term of the License
Article 36
Disposal and Operation Following the End of the Term of the Licence
When the term of the Licence expires pursuant to the provisions of the Operating Licence, or if the Licence is terminated for other reasons, the Minister for Health and Social Security shall, on the recommendation of the Monitoring Committee and the Data Protection Commission, decide on the disposal and operation of the Database.
Article 37
Rights to Software, Database and other Rights Necessary for the Operation of the Database
The Licensee shall ensure that the Ministry of Health and Social Security, or such party as the Minister may entrust with the operation of the Database, is granted, without time limits, the use of all software and rights necessary for the creation and operation of the Health Sector Database, as further provided in the Operating Licence, following the expiration or termination of the Operating Licence.
On the termination or expiration of the Operating Licence the Licensee shall deliver to the Ministry of Health and Social Security, or such party as the Minister may entrust with the operation of the Database, the software, rights and hardware necessary for the creation and operation of the Health Sector Database, as further provided in the Operating Licence.
Article 38
Limitations on Disposal Rights
The Licence and the Health Sector Database are neither assignable nor subject to enforcement of claims. The Operating Licence and the Database may not be pledged against any financial liability.
CHAPTER IX
Payment of Costs
Article 39
Payment of costs, Budget and Procedure in the Event of Disputes
The Licensee shall bear all costs incurred by the Ministry of Health and Social Security, the Monitoring Committee, Data Protection Commission, Interdisciplinary Ethics Committee and Directorate of Health from the tasks assigned to those parties pursuant to Act No. 139/1998 on a Health Sector Database, this Regulation, or the Operating Licence for the creation and operation of a Health Sector Database.
Prior to 15 August of each year, the Ministry of Health and Social Security and the Ministry of Justice, acting on behalf of the Data Protection Commission, shall present to the Licensee their budgets and work plans, referred to in Paragraph 1 of this Article [39], in respect of the activities of the Licensee in the creation and operation of a Health Sector Database in the subsequent operating year. The Licensee shall, before 15 September of each year, submit his comments on such plans if he sees reason to do so.
Following the end of each month the State Treasury shall invoice the Licensee for costs incurred in the preceding month, cf. Paragraph 1 hereof. The Licensee shall pay the invoice within 15 days of its issue.
In the event of any dispute regarding payments, the opinion of the National Audit Bureau shall be sought. The opinion of the National Audit Bureau shall be binding on both parties.
Article 40
Costs Pursuant to Agreements
The Licensee shall pay all costs incurred in the processing of data for transfer to the Health Sector Database, as well as the cost of producing an integrated information system for health institutions and self-employed health service workers pursuant to further provisions in agreements [of the Licensee] with health institutions and self-employed health service workers.
CHAPTER X
Confidentiality, Procedural Rules, Further Claims and Conditions Etc.
Article 41
Confidentiality
Parties working for public authorities in the enforcement of Act No. 139/1998 on a Health Sector Database, regulations issued pursuant to that Act or the Operating Licence shall not divulge any matters on which they may obtain information in the course of their work and which are subject to confidentiality. The confidentially shall remain in force even when work is ceased.
Article 42
Administrative Law
To the extent applicable, the provisions of the Administrative Act No. 37/1993 shall be observed in all procedure pursuant to Act No. 139/1998 on a Health Sector Database, this Regulation and the provisions of the Operating Licence, cf., i.a., the provisions of the Administrative Act on competence, speed of procedure, proportionality, the right to be heard and the publication and revocation of decisions.
Article 43
Further Requirements and Conditions
Through amendment of this Regulation, the Minister may establish further requirements and conditions regarding the creation and operation of a Health Sector Database following the issue of the Operating Licence in the event of any issues arising on which Act No. 139/1998 on a Health Sector Database, this Regulation or the Operating Licence contain no provisions.
Article 44
Effect and Legal Basis
This Regulation, issued on the basis of Article 18 of Act No. 139/1998 on a Health Sector Database, cf. Article 6, Paragraph 2 of Article 10, and Paragraph 3 of Article 12 of the same Act, shall take effect on its publication.
Temporary Provisions
Payment of Incidental Costs Prior to the Issue of the Operating Licence and Costs Incurred in the Year 2000
Following the issue of the Operating Licence the costs which can reasonably and fairly be regarded as relating to the preparation and issue of the Operating Licence pursuant to Act No. 139/1998 on a Health Sector Database shall be calculated and the Licensee invoiced for such costs. The Licensee shall have 15 days to comment on the invoice and itemisation of costs if he so chooses. In the event of any dispute regarding individual items the binding opinion of the National Audit Bureau shall be sought regarding the dispute.
The Licensee shall reimburse the State Treasury for all costs pursuant to this Paragraph 1 with six equal monthly payments, the first such payment to be made no later than 45 days after the date of the invoice pursuant to this Article.
Following the end of each month of the year 2000 the Ministry of Health and Social Security shall, in respect of costs incurred by the Monitoring Committee, the Interdisciplinary Ethics Committee and the Directorate of Health and the Ministry of Justice, instruct the State Treasury to collect the accrued costs of the said parties in the preceding month arising from the performance by such parties of the tasks entrusted to them pursuant to Act No. 139/1998 on a Health Sector Database.
The Licensee shall have 15 days to submit his comments on invoices pursuant to Paragraph 3. In the event of disputes regarding individual cost items the binding opinion of the National Audit Bureau shall be sought regarding the dispute.
Ministry of Health and Social Security, 22 January 2000