The Icelandic Health Insurance Information Security Policy describes emphasis on the protection of data and information systems as well as security of information processing. The strategy is the cornerstone of the Information Security Management System and in context of ISO 27001:2013 information security standard.

The Icelandic Health Insurance Information Security Administration system covers the hardware, software, services, processes, personnel and premises necessary to maintain an acceptable level of service for the Icelandic Health Insurance business, consumers and healthcare providers. The Icelandic Health insurance is committed to continuous improvement of the information security management system and review in order to achieve policy objectives.

Data, information systems and communication channels shall be secure, reliable, available and accessible only to those with appropriate rights. Information security management is an essential means of reducing operational risk and minimizing the risk of damage caused by incidents that may affect the operations of the Health Insurance.

The information security policy supports continuous operations and services and optimizes the security of data and information systems owned and managed by the Health Insurance Administration. All changes to information technology infrastructure are managed through a formal change management process. Event registration is logged and periodically reviewed.

The information security policy is binding on the staff of the Icelandic Health Insurance Administration. The policy includes a commitment to protect data and information systems from unauthorized access, use, alteration, disclosure, destruction, loss and/or transfer.

Approved by the Icelandic Health Insurance Executive on 31 August 2021.

The IT policy of Icelandic Health Insurance describes a focus on the operation and service of information systems and their infrastructure with the aim of creating a positive business enabler for all the operations of the Health Insurance. The IT organizational unit is responsible for the implementation of policy objectives with a focus on providing efficient and professional services to support processes that use information technology for the resolution of projects.

Iceland Health seeks to use standard software solutions that meet the requirements for functionality, integration with other solutions and safety in all its activities. Solutions, and their service providers, shall be evaluated and selected with the help of the Icelandic Health Insurance Administration, and the most suitable solutions shall be chosen at any given time. Health insurance shall manage collaboration with software solutions providers on project progression and change through formal and active supplier management. Efforts shall be made to have more suppliers, but fewer, at any given time to spread risk. In cases where the Health Insurance needs to create its own software solutions, whether as a whole system and/or integration between systems, the Icelandic Health Insurance shall manage the journey and carry out as much of the task as possible with its own people, albeit in good cooperation with the suppliers involved. The software formulation shall be based on the best practices in each instance, and an effort shall be made to use the latest technology to minimize future technical debt. The objective of the software development is to replace older software solutions.

Iceland Health is collaborating with public bodies to use a coordinated platform on electronic services and electronic data dissemination. It is important that consumers and healthcare providers should be able to submit applications and/or data electronically and that all processes should be fully electronic in order to reduce redress time and reduce administrative costs.

Information systems users are provided with information and education by health insurance employees to coordinate their work methods and to meet defined service levels. The goal of services for users is to ensure that they are able to use the systems and infrastructure that the Health Insurance operates in an efficient manner.

Icelandic Health insurance seeks to host systems and their infrastructure with the aim of offering regular out-of-pocket services and operations to ensure both quality and the highest standards of benefits for Health Insurance policy makers.

The IT policy is binding on the staff of the Icelandic Health Insurance Administration. The strategy includes a commitment to the parties to operate and service information systems in an efficient, secure and efficient manner. Information security is further discussed in information security policy.

Approved by the Icelandic Health Insurance Executive on 31 August 2021.

It is the policy of the Icelandic Health Insurance that all staff enjoy equal pay and the same terms for equal work and that there is no insubstantial wage differential. Furthermore, all staff are guaranteed equal opportunities for employment, responsibility, pay, promotion, continuing education and vocational training.

To this end, the Institute undertakes to introduce and maintain an equal pay system that includes all staff. The equal pay system implies that all wage decisions are transparent, documented and based on objective criteria. The Institute also undertakes to continuously improve the management of the equal pay system in accordance with the requirements of the Standard ÍST 85:2012.

The director is responsible for the Institute's equal pay system and for ensuring that it complies with the Gender Equal Status and Equal Rights Act, No. 150/2020. The human resources manager is the representative of the management concerning the equal pay system of the institution and is responsible for the implementation and maintenance of the system in accordance with the standard ÍST 85:2012.

The introduction and maintenance of a certified equal pay system, in accordance with applicable laws and regulations, by the Icelandic Health Insurance Administration, includes: a.

• Implementation of an annual wage analysis comparing work of equal value to check whether gender-based wage differentials exist and that results are presented to the staff.

• The setting of equal pay objectives, which are reviewed annually with reference to the results of wage analysis.

• Continuous improvement and monitoring of the equal pay system and the response to unexplained wage differences and to the deviations that emerge from internal audits and management reviews of the system.

• Posting of the equal pay policy on the internal website and regular publicity of the policy to all staff.

The equal pay policy is also accessible to the public on the website of the Institute.