This policy presents general information about how the Norwegian System of Patient Injury Compensation (NPE) processes personal data and what rights you have.
Why does NPE process personal data?
NPE's legal basis for processing personal data
How we process personal data
Retention of data
Who will see your personal data?
How we take care of your personal data
Data processor agreements
Your rights under the Personal Data Act
Data controller and data protection officer
Right to complain to the Norwegian Data Protection Authority
Web statistics and user movements
The purpose of NPE is to investigate and determine whether you are entitled to compensation under the Patient Injury Act. In order to do this, we need to process personal data.
NPE is also tasked with providing statistical data in order to help prevent injuries and improve the quality of the health service. To do this, we use personal data to prepare statistics and analyses. We use the data in a form that does not allow the information to be linked to individuals.
All processing of personal data must have a legal basis. NPE’s basis for processing data is the Patient Injury Act and associated regulations, and the Personal Data Act. In the Personal Data Act and the associated General Data Protection Regulation, Articles 6 and 9 are pivotal.
NPE complies with the Patient Injury Act, the Personal Data Act, the Public Administration Act, the Archive Act and the Freedom of Information Act. This ensures that all personal data is processed in a proper, correct and secure manner. We do not ask for any more information than is necessary in order to process your case.
For some types of cases, we need to obtain information from other parties. For example, this might include:
- Information from the Norwegian National Registry
- Information from health personnel, such as a GP or hospital
- Documents from NAV
- Tax information
We need your consent to collect adequate and relevant data in order to process your case. We will only collect the data after consent has been given.
The giving of consent is voluntary and you can withdraw your consent at any time. If you withdraw your consent, we will no longer be able to process your case.
In some cases, it may also be appropriate to search for publicly available data on the internet.
The data we collect will only be used for the purpose for which it is collected, unless we have a lawful basis to use it for other purposes.
We will not retain data about you for any longer than is necessary for the intended purpose. However, we are obliged under the Archive Act to retain all data relating to the processing of the case. We must retain the data even after the case has been closed. Personal data is normally retained for between 25 and 30 years before it is transferred to the National Archives of Norway.
NPE staff who process your case will be able to access your personal data. If we use an expert to assess your case, he or she will also be able to access your personal data.
When we collect personal data about you (for example, from your treatment provider), we will need to forward your application for compensation and your consent.
If you have a proxy representing you in the case, he or she will also be able to access the data in the case.
We have established procedures to ensure that your personal data is processed in a proper, correct and secure manner. Only employees who require access to your personal data as part of their work will have such access.
The personal data is subject to statutory confidentiality. We will not disclose your personal data to anyone else unless you have given your consent or we are exempt from the duty of confidentiality by law.
We have established agreements with external suppliers concerning various essential services, such as IT services and the opening of post. We have entered into data processor agreements with these suppliers. These agreements govern how the suppliers process personal data on our behalf. They are not permitted to use the data for any purpose other than that agreed with us. They are subject to the same duty of confidentiality as NPE employees.
Here, you can see what rights you have and who you should contact if you have any questions:
You have a right to receive clear information about the data we process about you. You are entitled to know the purpose, legal basis and your rights as a data subject.
You have the right to access the personal data we process and store about you. If you have submitted an application to us, you will also have the right to access the case documents.
It is important that the data we hold about you is accurate and necessary for the processing of your case. You may ask for your data to be corrected if it is inaccurate or incomplete. You also have the right to add accurate information. We are not permitted to correct information that we have collected from others (e.g. in medical records).
In exceptional cases, you may have the right to have your information erased, if we do not have a statutory obligation to store the information. We cannot erase information that we have obtained from others.
Requests for access must be answered within 30 days, unless the request is so wide-ranging that we need more time to respond. If we do need more time, we will notify you within 30 days.
At NPE, the Director General is responsible for the processing of personal data.
Norsk pasientskadeerstatning, Postboks 232 Skøyen, 0213 Oslo
Tel.: (+47) 22 99 45 00
NPE has its own data protection officer who can provide general advice and guidance concerning privacy.
Norsk pasientskadeerstatning, Personvernombudet, Postboks 232 Skøyen, 0213 Oslo
Tel.: (+47) 22 99 45 00
In order to safeguard your privacy, you must not send sensitive personal information by e-mail.
If you become aware of circumstances which you believe represent a breach of your privacy, you can complain by writing to the Norwegian Data Protection Authority, Postboks 8177, 0034 Oslo.
You will find information on what you need to do on the Norwegian Data Protection Authority’s website.
In order to create and develop a user-friendly website, www.npe.no, we use the analytics tools Google Analytics and Hotjar.
We anonymise IP addresses in Google Analytics (through Google Tag Manager), so that Google does not receive any data concerning the IP addresses of users.
In Hotjar, IP addresses are anonymised by default.