Documents in English
The Code of Conduct for information security and data protection in the healthcare and care services is a holistic approach to information security and data protection requirements for all organisations within the sector.
The Code is intended to contribute to a satisfactory level of information security and data protection in individual organizations, in joint systems and infrastructures, and within the sector generally. The Code is intended to ensure that organizations in compliance with the Code, has appropriate technical and organizational measures in place regarding information security and data protection for its processing of personal health data and personal data
The Code itself covers all aspects of information security as regulated by Norwegian law. In some instances, the Code of Conduct defines more stringent rules than the law itself.
The Code has been prepared and is administered by a steering group from the healthcare and care services sector. The Directorate for eHealth is the secretariat of the steering group, with permanent representation from Norsk Helsenett HF.
The Code consists of a main section with the substantial provisions. To this document several appendices are attached, spanning "guidelines" and some 30 thematically arranged best practice routines, in the Code denominated "fact sheets", providing guidance on e.g. how to perform risk analyses, how to establish back up-procedures, etc. Together, the main document, the guidelines and the fact sheets, aim to cover both the crucial and basic elements of the information security, as well as the more peripheral and remote ones.
An increasing amount of communication in the health sector, both internally, i.e. within a health service provider entity, and between such providers, is taking place electronically.
The fact that the information is collected, stored and spread electronically, in an extent hardly imaginable only a few years back, evoked a need for mechanisms safeguarding that all aspects of information security in the sector are handled adequately.
Consequently, in 2002, the Directorate for Health and Social Affairs invited affected organizations and authorities to establish a project group, whose objective was to compose a holistic set of information security rules for the sector.
A prerequisite was that the group's recommendations were to be in accordance with the data protection and information security principles laid down in EU Directive 95/46/EC (the Data Protection Directive).
As a result, on August 7th 2006, the Code of conduct for information security in the health sector ("the Code") was launched, ready to be used by small, medium-sized and large health service providers alike, and by the collaborating partners of these bodies, as a means to establish satisfactory information security.
Comply with the Code to get connected
The Code is supposedly the first of its kind in Europe; no other overall standards on information security in the health sector are yet developed in any of the EU/EEZ countries.
Norsk Helsenett SF ("Norwegian Health Network") is the provider of a national infrastructure for electronic communication in the health sector, helsenettet ("the health network"). In order to be linked to, and actually utilize, this network, the health service provider must enter into an "affiliation agreement" with the company.
By force of this agreement, the entity admitted to the infrastructure, is obliged to comply with the Code. By this mechanism, the health service providers ensure that the receivers of health-related data – i.e. collaborating partners of many kinds – within the network, all meet the standards of the Code, and thus of the legal provisions. Failing to meet the information security standards of the Code, may lead to the exclusion of the contract-breaching entity.
The Code can also be binding through other legal instruments, for example a data protection agreement (DPA).
The Code of Conduct for information security and data protection in the healthcare and care services: [email protected]
Documents in english
Code of conduct version 6.1 (PDF)
Appendix – Overall summary of the requirements of the Code (Word)
Guideline for remote access between supplier and organization (PDF)
No fact sheets are currently updated based on the latest version of the Code (6.0), changes in norwegian health legislation, or GDPR.
Other relevant dokuments
Download Standard Data Processing Agreement for the Health and Care Services Sector (Word)