Privacy policy

Why does NPE process personal data?
NPE's legal basis for processing personal data
How we process personal data
Storing data
Who has access to your personal data?
How we look after your personal data
Data Processing Agreements
Your rights under the Personal Data Act
Data controller and data protection officer
Right to complain to the Norwegian Data Protection Authority
Web statistics and user behaviour

Why does NPE process personal data?

The purpose of NPE is to examine and determine whether you are entitled to compensation pursuant to the Patient Injuries Act. In order to do so, we need to process personal data.

NPE is also required to contribute statistical data for injury prevention and quality improvements in the health service. In these cases, we will use personal data to generate statistics and analytics. We use the data in a form that means it is not possible to link the data to individuals.

If personal data is used for research purposes, this will be done in accordance with relevant laws and regulations and consent will be obtained if required.

NPE registers enquiries from journalists in order to provide the best possible service and to follow up on media enquiries that span longer periods of time. We will store the date, medium, first name and last name of the journalist, as well as a brief description of what the enquiry concerns. This data will only be used internally by the communications department and no disclosure of the data will take place. The legal basis for processing is the statutory duties imposed on NPE.

NPE will ask for the HCP number and the names of healthcare professionals when private enterprises that are required to pay subsidies register data in the subsidy register for private health services. In order to ensure accurate and reliable data, enterprises must use HCP numbers in connection with registration. The legal basis is the regulations on the scope of the Patient Injuries Act.

NPE’s legal basis for processing personal data

The processing of personal data must always be subject to a legal basis. NPE’s legal basis for processing is the Patient Injuries Act with regulations and the Personal Data Act. Articles 6 and 9 of the Personal Data Act and the GDPR are central.

How we process personal data

NPE complies with the Patient Injuries Act, the Personal Data Act, the Public Administration Act, the Archives Act and the Freedom of Information Act. This ensures that all personal data is processed appropriately, correctly and securely. We do not request more data than is necessary to consider your claim.

In connection with the majority of claims, we also need to obtain data from other parties. This could include:

• Information from the Norwegian Population Register
• Information from healthcare professionals, such as GPs and hospitals
• Documents from the Norwegian Labour and Welfare Administration (NAV)
• Tax data

Pursuant to Section 10 a of the Patient Injuries Act, NPE has the legal basis for obtaining confidential information necessary for the consideration of compensation claims. If NPE requires information that is not covered under this legal provision, NPE will contact the claimant to request a separate power of attorney to obtain such data.

The data we collect will be used solely for the purpose for which the data was obtained unless we have a legal basis to use the data for other purposes.

We use personal data, among other things, to develop and improve systems and claims processing systems. This is done to provide more expedient claims processing and to ensure equal treatment.

Storing data

We cannot store your data for longer than necessary to fulfil the purpose for which the data was collected. Nevertheless, under the Archives Act, we are required to store all data relating to claims processing. We also need to retain the data after claims processing has been completed. Personal data will generally be stored for between 25 and 30 years before the data is transferred to the National Archives.

Who has access to your personal data?

Those involved in the processing of your claim at NPE will have access to your personal data. If we engage a specialist in connection with the consideration of your claim, they will also be given access to your personal data.

When we obtain personal data relating to you (for example from a treatment provider), we need to submit a copy of your claim. In some cases, it may be necessary to submit any appendices to the claim and any later comments you submit.

If you are using an agent for the claim, your agent will also have access to the data relating to the claim.

How we look after your personal data

We have procedures in place to ensure that your personal data is processed in an appropriate, correct and secure manner. Only employees who have a legitimate business need will have access to your personal data.

Personal data is subject to a statutory duty of confidentiality. We do not disclose your personal data to third parties. We will only disclose your data subject to your consent or if we are required to waive confidentiality under the law.

Data Processing Agreements

We have entered into agreements with external suppliers for a variety of required services, such as IT services and mail opening. We have entered into data processing agreements with these suppliers to safeguard your privacy, amongst other things. These agreements govern how suppliers will process personal data on our behalf. They cannot use the data for any purposes other than what has been agreed with us. They are subject to the same duty of confidentiality as NPE employees.

Our use of data processors may entail your personal data being transferred to data processors in countries outside of the EU/EEA. This means that your personal data may be transferred to a country with regulations that do not provide the same degree of protection for personal data as the rules applicable in Norway. In order to safeguard your privacy, such transfer will only take place in line with the data protection legislation applicable at any time.

Your rights under the Personal Data Act

Here you can see your rights and who to contact in the event of any questions:

Information

You have the right to receive understandable information about the data we process in relation to you. You have the right to know the purpose, legal basis and your rights as a data subject.

Access

You have the right of access to the personal data we process and store in relation to you. If you have an ongoing claim with us, you also have a right of access to claims documents.

Correction

It is important that the data we hold about you is correct and necessary for the processing of your claim. You can request the correction of your data if the data is incorrect or incomplete. You also have the right to add correct data. We cannot correct data obtained from other parties (for example data contained in medical records).

Erasure

In special cases, you may have the right to erasure of personal data relating to you unless we have a statutory duty to retain the data. We cannot erase data obtained from other parties.

Subject access requests must be responded to within 30 days, unless the request is so extensive that we require more time. We will notify you within 30 days if we require more time.

Data Controller and Data Protection Officer

At NPE, the Director is responsible for the processing of personal data.

Contact details:

Norwegian System of Patient Injury Compensation (NPE), Postboks 232 Skøyen, NO-0213 Oslo
Telephone: +47 22 99 45 00
Email:npepost@npe.no

NPE has a dedicated Data Protection Officer who can provide general advice and guidance relating to data protection and privacy.
Contact details:

Norwegian System of Patient Injury Compensation (NPE), Data Protection Officer, Postboks 232 Skøyen, NO-0213 Oslo
Telephone: +47 22 99 45 00
Email:personvernombud@npe.no

For reasons of privacy, please do not submit sensitive personal data via email.

Right to complain to the Data Protection Authority

If you have experienced something you consider to be a breach of your data protection rights, you can lodge a written complaint with the Norwegian Data Protection Authority, Postboks 8177, NO-0034 Oslo.

nformation about the complaints procedure can be found on the Data Protection Authority's website.

Web statistics and user behaviour

We use the Plausible analytics tool. Read more about Plausible's Privacy Notice.