General Security Terms

This document, identified as Document No. 1, as well as documents No. 2-8, contains the Icelandic Data Protection Commission's definitions of technology, security and organisation terms which the Licensee must fulfil in relation to the preparation and operation of the Health-Sector Database, cf. Act no. 139/1998 on a Health-Sector Database.
Documents 1-8 have the following names:
1. General Security Terms of the Icelandic Data Protection Commission
2. Approval Process Methodology – January 2000, issue 1.3
3. Security Target for an Icelandic Health Database, from 5 January 2000, issue 1.0.
4. Technology, Security and Architecture: BS 7799 Controls. Database Division Documents DDXP.101, DDXP.oo, DDXP.000.1.
5. Production and Operation of a Centralised Health Sector Database. Database Division Document DDXD.002.
6. Technology, Security and Architecture: Concept and Requirements. Database Division Document DDXD.001.
7. Further Comments on Administrative Methods for Data Protection in the Icelandic Healthcare Database, with References to the Operating Licence Application and Supplementary Documents from Íslensk erfðagreining ehf., dated 17 December 1999, together with an English translation of this document.
8. Clarification of the Personnel Organisation of the Icelandic Healthcare Database dated 20 December 1999, together with an English translation of this document.
In the event of a discrepancy between, on the one hand, documents 1-3 and, on the other hand, documents 4-8, the latter of which were prepared by the applicant for the Operating License, Íslensk erfðagreining ehf., the provisions of documents 1-3 shall prevail against the provisions of documents 4-8.

The Licensee shall fulfil the technology, security and organisation terms of the Icelandic Data Protection Commission as current at any time and use the methodology described in Document 2 (Approval Process Methodology) in the construction of the database.
The Data Protection Commission may review the technology, security and organisation terms which the Licensee must fulfil, with regard to new technology, experience or altered conditions, and establish time limits by which the Licensee is required to fulfil such new requirements.
No changes may be made to these technology, security or organisation conditions, including alterations to software or hardware, except with the written permission of the Data Protection Commission following an assessment of the change in question.

In the event that the Data Protection Commission is of the view that the security of data is endangered, the Commission may ban further processing in the database until such time as the security of data has been tested and confirmed by the Commission.

The Data Protection Commission shall operate an Encryption Agency which shall be the sole party responsible for the transfer of all data to the Health-Sector Database.
The Encryption Agency of the Data Protection Commission shall receive encrypted health data from the Licensee. The Director General of Public Health shall deliver to the Encryption Agency of the Data Protection Commission an encrypted register of patients who have requested that data on themselves is not entered into the Health-Sector Database. The Encryption Agency shall delete data on such patients.
The Encryption Agency of the Data Protection Commission shall encrypt personal identifiers before the data is sent to the Health-Sector Database, by such methods as the Agency considers most effective in ensuring personal protection.

No data shall be provided on fewer than ten patients at each time.

The Licensee shall formulate working methods and procedures which fulfil the terms of the Data Protection Commission, to ensure personal privacy in connecting data from the Health-Sector Database, a database with genealogical data and a database with genetic data.
The approval of the Data Protection Commission is granted under such terms as the Commission considers necessary at each time to ensure personal protection and the security of data in the Health-Sector Database.
Among the conditions for the Data Protection Commission's approval of the working methods and procedures of the Licensee is that results are non-personally identifiable. Should results obtained by the connecting of data prove personally identifiable, the Data Protection Commission may order their destruction in their entirety or in part and withdraw its approval. During the investigation of a case, the Data Protection Commission may ban further connecting of data on the basis of its approval and confiscate the results obtained.
In the event that the Licensee does not conform with the terms of the Data Protection Commission in relation to the connecting of data, the Commission may withdraw its approval under the terms of this provision.

In order to ensure the security of personal data, the Data Protection Commission may establish rules which shall be followed during the collection, registration and processing of health data in clinical records systems for the preparation of the transfer of such data to the Encryption Agency of the Data Protection Commission.
Staff of health institutions, including staff employed by self-employed health service workers, who are directly engaged in the transfer of health data into the Health-Sector Database shall not be involved in the operation of the Database at the premises of the Licensee.
Health institutions and self-employed health service workers are responsible for the transfer of health data to the Encryption Agency of the Data Protection Commission and shall conform to the terms established by the Data Protection Commission in this respect.

The Data Protection Commission shall monitor the construction and operation of the Health-Sector Database as regards the registration and handling of personal data as well as the security of data in the Health-Sector Database.
The Data Protection Commission shall monitor compliance with the terms which it establishes.
The Data Protection Commission may inspect the technology, security and organisation of the Health-Sector Database whenever necessary in its opinion. The Data Protection Commission may perform any test, assessment or inspection which, in its opinion, should be performed, and request the necessary assistance of the Licensee's staff for such measures.
The Data Protection Commission may request from the Licensee and parties working for the Licensee all information necessary for the Commission to carry out its responsibilities, including information on which decisions are based on whether certain activities are to be regarded as subject to the provisions of a Government Regulation and the Act on the Health-Sector Database. The Data Protection Commission may also summon employees of the Licensee, as well as other staff working for the Licensee, to a meeting with the Commission to provide information and explanations orally.
The Data Protection Commission shall, for the purposes of its inspection activities, have free access to the premises of storage and processing of the Health-Sector Database.
The Data Protection Commission may with a special resolution entrust specified members of its staff and consultants with the supervision of certain aspects of the responsibilities assigned to the Data Protection Commission under the terms of a Government Regulation and the Act on the Health-Sector Database.

The Data Protection Commission shall submit to the Minister its opinion on the continuation of the operation of a Health-Sector Database on the expiry of the Operating License under the terms of the provisions of the Operating License. The same applies in the event that the Operating License is withdrawn or the Licensee is deprived of the Operating License.

The Licensee shall within three months immediately following the issue of the Operating License submit to the Data Protection Commission his proposal on the storage location of the Health-Sector Database. On such submission, the Data Protection Commission shall establish security terms for the premises or projected building in question, provided that it is considered suitable as regards the security of the Database. The terms shall be based on BS 7799.
When a committee on the creation and operation of the Health-Sector database has accepted the Licensee's description of the process of preparing backup copies, the Committee shall send such description to the Data Protection Commission, which shall establish security terms on which the preparation, transfer and preservation of backup copies shall be based.

The Committee on the Construction and Operation of the Health-Sector Database shall preserve backup copies from log files for ten years.

Following the issue of the Operating License, the Data Protection Commission shall elect parties to assess technology, security and organisation issues in relation to the Health-Sector Database, cf. Document 2. Such assessment shall be carried out before the transfer of health data to the Health-Sector Database commences. During the performance of such assessment, account shall be taken of the division of the construction of the Health-Sector Database into stages. When the transfer of data into the Database has begun, continuous monitoring shall be maintained on whether the processing fulfils the technology, security and organisation terms of the Data Protection Commission.