Reversal of reported data
The Norwegian Data Protection Authority has, in a letter dated 18.1.2013, ordered the Cancer Registry of Norway to stop all transfer of identifiable personal data to reporting enterprises that do not have a licence from the Norwegian Data Protection Authority or prior approval from the Regional Committee for Medical and Health Research Ethics.
The order reads:
- The Cancer Registry of Norway shall, with immediate effect, stop all disclosure of identifiable personal data to reporting enterprises that cannot demonstrate that they have been granted a licence for the treatment in accordance with § 3-5 of the Cancer Registry Regulations.
- The Cancer Registry of Norway shall urgently change its routines for disclosure of personally identifiable health information in accordance with the provisions of the Cancer Registry Regulations.
Until now, the Cancer Registry of Norway has had a practice that allows for the transfer of own data to notifiable enterprises, with reference to Sections 23 no. 1 and 26 and the Public Administration Act § 13 b first paragraph no. 2, cf. Section 4-1, first paragraph, of the Cancer Registry Regulations.
As a consequence of the Norwegian Data Protection Authority's order, the Cancer Registry of Norway is no longer able to continue this practice. The Cancer Registry of Norway is very concerned that agencies should still be able to routinely receive quality-controlled data from the Cancer Registry of Norway for follow-up/quality assurance of their own patient data.
Against this background, we will address a request to the Ministry of Health and Care Services where we will propose that the reporting of quality-controlled data from enterprises subject to notification be authorised by the Cancer Registry Regulations, corresponding to the provision set out in § 2-2, third paragraph, of the Cardiovascular Disease Regulations.
We apologize for any impact this may have on our enrollees.