Privacy is a fundamental and integral part of all our operations at the Healthcare Institution of North Iceland (HSN). The institution is committed to promoting built-in and default data protection in the handling of personal information. We are obligated to record and process various personal and health-related data, but we ensure that the processing of this information complies with all applicable laws and regulations.
Our staff respects the dignity of everyone who seeks services from or works at HSN. We place great emphasis on confidentiality, respect for privacy, and the secure handling of information.
You can access HSN’s full privacy policy here, which provides more detailed information about the purposes for which we collect data, what data we collect, how we store it, and whether and how it is shared. The policy also outlines how the security of personal data is maintained within the institution and what rights individuals have regarding their own information.
Why Do We Process Your Personal Data?
At HSN, our goal is to provide you with the highest quality healthcare available at any given time. To ensure effective and safe treatment, it is necessary for us to maintain a medical record about you, which includes health information and details about the care you have received or are scheduled to receive. This information is essential for doctors, nurses, other healthcare professionals, and staff involved in your care to ensure you receive safe and efficient healthcare.
Why is it necessary to process your information?
To enable healthcare professionals to provide you with appropriate care, accurate and up-to-date health information is required.
To ensure your health information is available if you need to consult other healthcare providers, for example, after discharge or referral outside HSN.
To respond to any questions you may have about your health, treatment, or medication.
To monitor the quality of the services we provide, compare them to quality benchmarks and other institutions or countries, and strive to offer the best possible care.
Other purposes for processing patient data may include:
Monitoring public health.
Ensuring the best possible healthcare services are provided.
Statistical analysis of HSN’s operations and performance.
Educating and training students in the healthcare field.
Scientific research, development, and innovation.
Calculating HSN’s funding needs.
Analyzing complaints, legal claims, and incidents.
When your data is used for the above purposes, it is almost always anonymized. This means the data can no longer be traced back to you. Once personal data is anonymized, it is no longer considered personal data. This ensures the protection of your privacy and confidentiality.
We collect employee data to maintain an overview of our workforce at all times. Employee information is recorded in Orri, the government’s HR and payroll system, and the State Financial Management Authority handles all payroll processing. The system Vinnustund contains information on work hours, attendance, and absences.
Why is it necessary to process employee data?
For payroll processing.
To calculate HSN’s funding needs.
For statistical analysis of HSN’s operations.
To monitor employee health, safety, and work environment.
To manage employee development.
To analyze employee-related incidents.
When applying for a job at HSN, submitted documents are used solely for processing the application or to fulfill legal obligations, if applicable. HSN is responsible for all documents received in connection with job applications unless otherwise stated. Applicant information is stored in the recruitment system, which is part of Orri, the government’s financial and HR system.
Why is it necessary to process your data when you apply for a job?
To be able to contact you.
To process and evaluate applications.
To assess your qualifications for the advertised position.
HSN only collects the information necessary to achieve the specific goals of the job advertisement.
Why is it necessary to process student data? It may be necessary to process personal data about students in training or internships at HSN. This is done to manage and organize their education within the institution.
Contact information for close relatives is recorded in the patient’s medical record.
Only information necessary for operational and accounting purposes is recorded about HSN’s clients.
What Personal Data Do We Collect About You?
The information we collect about our patients includes:
Demographic and personal details
Health information
Medication history and immunizations
Test results
Treatments received and treatment plans
Relevant information from caregivers, if applicable (e.g., home nursing, social services, and relatives)
HSN is legally obligated under the Health Records Act to maintain a medical record for each patient. All patient-related information is recorded in this medical record. A medical record is a collection of health-related data processed in connection with treatment or obtained from other sources for the purpose of treatment at a healthcare institution or by a healthcare professional. Medical record data may include written descriptions or interpretations, images (including X-rays), graphs, and audio or video recordings that contain information about the patient’s health and treatment, as well as other necessary personal data. Access to this information is governed by HSN’s internal rules on staff access rights.
Medical record data is considered sensitive personal data. In recording, storing, and accessing medical records, the dignity and autonomy of patients are respected. All our staff are bound by confidentiality and a duty of secrecy.
The information we collect about our employees includes:
Demographic and personal details
Salary information
Bank account details
Union membership, pension fund, and private pension savings
Tax deductions
Work hours, attendance, and absences
Education and professional development
Employment certificates
Performance reviews
Attendance meetings
Immunizations
Activity on the Viva Engage social platform
The information we collect about job applicants includes:
Demographic and personal details
CV and cover letter
Diplomas and certificates
References
Competency assessments
Interview results and scoring
The information we collect about our students includes:
Demographic and personal details
Education level
Performance evaluations
Placement in departments and work units
Attendance
Immunizations
Disclosure of Personal Data to Third Parties
In certain cases, it is necessary to share medical record information with other healthcare professionals, both within and outside HSN, to ensure the highest possible quality of healthcare. In such cases, information is only shared when there is a legitimate need, and secure methods are used for data transmission.
With the patient’s informed written consent, HSN may disclose personal data to third parties.
Icelandic researchers conducting studies for medical purposes may be granted access to hospital data after obtaining approval from ethics committees, in accordance with the Act on Scientific Research in the Health Sector No. 44/2014.
In specific instances, HSN is legally obligated to disclose personal data to other entities, such as child protection authorities, the Chief Epidemiologist, health insurance agencies, the Directorate of Health, or the police in connection with investigations of serious crimes.
Payroll and employee data, as well as information about job applicants, are stored in Orri, the government’s financial and HR system, and in Vinnustund. The State Financial Management Authority therefore has access to necessary information. Advania hosts all data on behalf of the government.
In certain cases, it is necessary to disclose salary information to the Directorate of Labour, and such processing is based on a legal obligation.
Security of Personal Data
The information HSN stores about you is protected in accordance with applicable laws and regulations, regardless of the format in which it is stored. All HSN employees are legally obligated to ensure that your personal data is securely stored and kept confidential. This obligation is confirmed in all employment contracts within the institution.
HSN promotes active security awareness among staff through appropriate education and training on data protection and information security.
Our IT department continuously reviews and improves processes and implements all necessary security measures to protect your personal data. The department is committed to safeguarding the information HSN holds against all threats—internal and external—whether caused intentionally, negligently, or accidentally.
External processors who perform specific tasks for the hospital, such as technical service providers, are required to follow strict rules and procedures when processing personal data. HSN enters into data processing agreements with these parties and is responsible for ensuring that they apply the same level of security when handling data.
A third party is only authorized to process data as instructed by HSN and is not permitted to use the data for any other purpose.
The State Financial Management Authority has an agreement with the IT company Advania for hosting data from Orri and Vinnustund on behalf of all government institutions. Advania guarantees that personal data is handled in accordance with the law and implements appropriate security measures to protect the data from unauthorized or unlawful access.
Access to Personal Data
How can I access my medical record? Patients or their authorized representatives have the right to access their medical records, in whole or in part, and to receive a copy upon request, in accordance with the Icelandic Health Records Act No. 55/2009.
A request form for a copy of the medical record must be completed and submitted to the relevant HSN service location. The form can be accessed here. You may also request a copy through your personal pages on Heilsuvera.
The request is processed by health information specialists. Once the documents are ready, they can be collected at your local health center or delivered via Signet Transfer.
Access to medical record information is limited when the data originates from someone other than the patient or healthcare professionals. In such cases, efforts must be made to obtain the consent of the person who provided the information before it is disclosed to the patient. If the individual who provided the information is deceased, unreachable, or refuses consent without valid reason, the Directorate of Health may decide whether the patient or their representative should be granted full or partial access to the information.
How can I see who has accessed my medical record? Patients have the right to receive a log of who has viewed their medical record. To access this information, a request form must be completed. The form can be accessed [HERE]. Once completed, the form should be submitted to the relevant HSN service location or sent via the HSN data portal.
The request is processed by health information specialists. Once the data is ready, it can be collected at your local health center or delivered via Signet Transfer.
How can I access information about my employment and work relationship? HSN employees have the right to receive a copy of the records the institution holds about them. You can request this information by contacting laun@hsn.is or mannaudur@hsn.is.
We will protect your rights - Contact us if you have questions or suggestions.
Our Data Protection Officer is the point of contact between individuals and the institution regarding matters related to personal data or privacy. If you have any inquiries or comments, please direct them to the Data Protection Officer at HSN.
The Data Protection Officer at HSN is Kristína Björk Arnórsdóttir. You can contact the DPO directly via email at personuvernd@hsn.is.
The Data Protection Officer operates independently and oversees the institution’s compliance with all requirements of data protection legislation in the handling of personal data. The DPO is also bound by a duty of confidentiality regarding any information acquired in the course of their duties that is to remain confidential.
