Documents in English

The Code of Conduct for information security and data protection in the healthcare and care services is a holistic approach to an information security policy for all organisations within the sector.

Code of conduct version 6.0 (PDF)

Appendix – Overall summary of the requirements of the Code (Word)

Guideline for remote access between supplier and organization (PDF)

Fact sheets

No fact sheets are currently updated based on the latest version of the Code (6.0), changes in norwegian health legislation, or GDPR. Updates are in progress.

General information

The Code itself covers all aspects of information security as regulated by Norwegian law. In some instances, the Code of Conduct defines more stringent rules than the law itself.

The Code ensures a secure interoperability for all organizations that comply with the regulations set forth in the Code.

The Code of Conduct has been developed by representatives from the health and care services sector, and comprises the sector's view of how to ensure information security.

In addition to developing the Code of Conduct, the sector has produced a set of short practical guidelines on how to meet the individual requirements in the Code.

Note: Version 4 of the Code of Conduct was published in December 2013. New versions of other Code of Conduct documents in English were published in February 2011.

Presentation in English: Norwegian Code of conduct for information security in the health and care sector (PDF)


An increasing amount of communication in the health sector, both internally, i.e. within a health service provider entity, and between such providers, is taking place electronically.

The fact that the information is collected, stored and spread electronically, in an extent hardly imaginable only a few years back, evoked a need for mechanisms safeguarding that all aspects of information security in the sector are handled adequately.

Consequently, in 2002, the Directorate for Health and Social Affairs invited affected organizations and authorities to establish a project group, whose objective was to compose a holistic set of information security rules for the sector.

A prerequisite was that the group's recommendations were to be in accordance with the data protection and information security principles laid down in EU Directive 95/46/EC (the Data Protection Directive).

As a result, on August 7th 2006, the Code of conduct for information security in the health sector ("the Code") was launched, ready to be used by small, medium-sized and large health service providers alike, and by the collaborating partners of these bodies, as a means to establish satisfactory information security.

Comply with the Code to get connected

The Code is supposedly the first of its kind in Europe; no other overall standards on information security in the health sector are yet developed in any of the EU/EEZ countries.

Norsk Helsenett SF ("Norwegian Health Network") is the provider of a national infrastructure for electronic communication in the health sector, helsenettet ("the health network"). In order to be linked to, and actually utilize, this network, the health service provider must enter into an "affiliation agreement" with the company.

By force of this agreement, the entity admitted to the infrastructure, is obliged to comply with the Code. By this mechanism, the health service providers ensure that the receivers of health-related data – i.e. collaborating partners of many kinds – within the network, all meet the standards of the Code, and thus of the legal provisions. Failing to meet the information security standards of the Code, may lead to the exclusion of the contract-breaching entity.


It is to be noted that the Code, as a text, consists of a main section, where the substantial provisions are expressed. As appendixes to this head document, are found several "guidelines" and some 50 thematically arranged best practice routines, in the Code denominated "fact sheets", providing guidance on e.g. how to perform risk analyses, how to establish back up-procedures, etc. Together, the main document, the guidelines and the fact sheets, aim to cover both the crucial and basic elements of the information security, as well as the more peripheral and remote ones.

The Code itself and a selection of fact sheets and guidelines have been translated to English.


The Code of Conduct for information security and data protection in the healthcare and care services: [email protected]

Fant du det du lette etter?
Ja Nei