Personal Data Protection and Privacy Policy for individuals who communicate with the Icelandic Health Insurance
According to law no. 112/2008, the Icelandic Health Insurance (IHI) handles all administration of health insurance in Iceland, which involves i.a. negotiations and purchases of health care service and reimbursing of the health care service which should provided acc. to the Health Care Act no. 40/2007 as well as other applicable laws at any given time. Due to these activities, various information is necessary for IHI, including personal data. IHI endeavors to ensure the protection of personal data and that all of its processing is in accordance with applicable laws and regulations. IHI’s personal data protection policy applies to the collection and processing of personal data in the institution’s communication with the individuals who consult with it. The purpose of this data protection and privacy policy is to inform individuals of which personal data is collected, how it is collected and why and how it is handled. The personal data protection and privacy policy is based on law no. 90/2018 on personal protection and processing of personal data.
Which personal data does the Icelandic Health Insurance collect?
Personal data is all information about a personally identified or personally identifiable individual; an individual is considered personally identifiable if it is possible to personally identify him/her, directly or indirectly, such as by reference to identity like name, ID number., location data, Internet identification or one or more factors which characterize him/her in a physical, physiological, genetical, mental, material, cultural or social sense.
The processing of personal data refers to a procedure or a line of procedures where personal data is processed, whether the process is automatic or not. The process includes the obtaining of data, its use, copying and delivering to the National Archives of Iceland, which preserves the data from public parties.
IHI collects various types of personal data about individuals who turn to it, as well as their agents, if an individual has entrusted another to communicate with the institution. The processing of personal data may e.g. concern:
names and ID numbers
email addresses and phone numbers
home addresses and information about relocations
information about contacts
a copy of a passport
various data regarding employment, position in the work market and work periods, such as confirmations and employment contracts
confirmations of studies and information regarding maternity/paternity leave
health insurance situation and European Health Insurance Card
information about prior insurance countries and insurance institutions
information about gender, marital status and citizenship
information about custody
residence permits, death certificates
information about travels, cost and sustenance
accounting information
financial information, such as information about wages, sick pay, pension payments and insurance payments from others
police reports
various health information, such as any type of health-care workers’ medical certifications, notes, letters and confirmations, information about appointments with doctors, dentists and other health-care workers and their treatments, information about diagnosis and medical examination results, medical records, disability rating and other types of health ratings, hospitalizations and stays in health institutions which require payments, information about the use of pharmaceuticals
accounting for health-care services, domestically and abroad and receipts for payments
information about disability equipment applied for and approved
other sensitive personal data, e.g. information about ethnic background, national origin, political views, religion, outlook on life or union membership, information about sex life or sexual orientation, genetical information and biometric data, if it is necessary to process such information due to matters which the institution deals with.
The information may in some cases concern the spouse and children of an individual who consults with the institution.
Information may concern circumstances both domestically and overseas.
Where does the personal data come from?
The institution receives personal data directly from individuals. Examples of such data collection is:
when individuals contact IHI regarding applications for rights
when individuals provide information in connection with the processing of requests from them
Despite the fact that an individual provides the agency with considerable information, the institution has, in many cases, a legal obligation to obtain further information.
Sometimes information is available at the institution from the processing of prior requests from an individual. In other cases personal data comes from a third party, especially pharmacies, the National Registry of Iceland, health-care institutions, health-care workers, employers, pension funds, the Directorate of Labour, County Magistrate Offices, the Social Insurance Administration, the Unemployment Benefit Fund, the Directorate of Labour and from comparable institutions abroad. Obtaining information from all these parties is based on the institution’s specific legal authority.
What is the purpose of the Icelandic Health Insurance’s work with this personal data?
IHI uses the personal data to process individuals’ applications for rights which are determined by the institution, i.a.:
to identify and contact individuals and their agents. This process is a necessary factor for the institution to be able to perform its statutory role in processing individuals’ applications for service.
to perform its statutory role in obtaining information prior to individuals’ requests being processed. This processing is a necessary factor for the institution to be able to perform its statutory role in processing individuals’ applications.
to perform its statutory role in processing individuals’ applications and make payments to individuals or their agents, due to their rights which are determined by the institution.
to maintain a registry of communication with individuals who consult with the institution and follow the progression of the processing of their requests. This process is a necessary factor for the institution to be able to perform its statutory role in processing individuals’ applications for service.
due to the institution’s role of supervision.
When individuals or their agents contact IHI through the institution’s website or via email, it is assumed that they thereby agree with IHI’s registration and use of the personal data which appears in the relative communication.
How does IHI preserve personal data?
IHI preserves personal data in a safe way and in accordance with current law and regulations. Technical and structural arrangements have been made to protect individuals’ personal data against e.g. deletion and prohibited access. It is i.a. protected by access control where only those employees of IHI who need it have access to individuals’ cases. IHI never preserves individuals’ personal data outside the EEA.
IHI preserves individuals’ personal data as long as necessary to fulfil the instructions of law no. 77/2014 about public archives. Accounting data in connection with IHI’s service for individuals is preserved in accordance with law on accounting no. 145/1994, as according to this they are obligated to preserve accounting data for seven years from the closing of the relative financial year.
The rights of registered individuals
IHI does not share personal data about individuals with a third party unless it is to fulfil a legal obligation. IHI may share personal data about individuals or their agents to their service providers, e.g. those who run the software which is used by the institution. These service providers are bound by confidentiality.
IHI does not share personal data with a third party that is located outside the EEA unless it has permission on the basis of applicable personal data protection laws and regulations.
IHI may be obligated to hand over personal data about an individual to law enforcement and other qualified third parties, due to judicial demand or in accordance with legal instructions.
The rights of registered individuals
Individuals and their agents have a right to receive information about and access to personal data which IHI has possession of regarding the relative individual. They also have a right, in certain circumstances, to request a correction, deletion or limitation of the processing of personal data about themselves or speak against such processing. Aforementioned rights may, however, have limitations on account of applicable laws and regulations.
Individuals have a right to information about the source of personal data which is not obtained by themselves.
Should individuals request further information about, or make use of aforementioned rights, they are advised to contact the IHI personal data protection representative on personuvernd@sjukra.is or on telephone 515-0000.
Individuals have a right to file a complaint with a qualified surveillance authority, The Data Protection Authority, should they think that IHI has not respected their rights in handling personal data.
Changes
IHI reserves the right to change this personal data protection policy as deemed necessary. IHI will make known any material changes to this personal data protection policy. The latest issuance of the personal protection data policy is published on IHI’s website each time.
This personal data protection policy was implemented on June 25, 2019 and updated March 11, 2020.
You can get more information on the IHI’s privacy webpage.
Service provider
Iceland Health