Policies and operational plan
Privacy Policy
Landspítali employees record and work with personal and health information to provide the best service possible. Emphasis is placed on confidentiality, privacy, and secure data preservation when handling personal and health information.
Landspítali Privacy Policy
The Landspítali Privacy Policy explains what personal information is collected and for what purposes. It describes how the information is used, shared, stored, and how security is ensured, as well as individuals' rights to their own information.
Personal information
Personal information refers to any information that can be linked or traced back to specific individuals, either directly or indirectly. This could include written text, electronic information systems, or images. Examples include name, national identification number, address, e-mail, admission department, and health data of various kinds. For employees, this includes information such as employment duration, salary information, information about attendance and absence, illness, vacation, and working hours. Non-personally identifiable information is not considered personal data. Recording of various types of information is necessary for both the healthcare services provided by the hospital and its operations. Without these records, it would not be possible to provide the quality of service that the hospital's clients expect or to manage operations efficiently. The term processing encompasses all use of personal data, such as collection, registration, storage, sharing, and deletion.
Whose personal data does Landspítali process?
Landspítali processes personal data about patients, staff, students, and customers. Information regarding individuals in communication with the hospital and contacts of various legal entities is also stored. All personal data is processed in accordance with the personal data protection legislation applicable at any given time. Processing is always conducted for clear, lawful, and relevant purposes, ensuring that the information is appropriate and not in excess of what is necessary.
What personal data does Landspítali process and why?
Landspítali processes both general and sensitive information about the aforementioned categories of individuals. Only information that is necessary and appropriate for the specific situation is collected, which is determined by the nature of the relationship between Landspítali and the individual involved. The Hospital processes personal data in order to fulfill the statutory services it is required to provide and to meet the obligations imposed by law. The provision of healthcare services is paramount; therefore the processing of patient health information is extensive. Personal data is also collected on the basis of contractual relationships, including with staff or contractors, as well as for security and asset management purposes. The Hospital may also need to process personal data for purposes of administrative decision-making, actions performed for the public good, and to safeguard legitimate interests.
Rights of the Data Subject
Data subjects have the right to know what information is recorded about them at Landspítali and, upon special request, to access that information. They also have the right to have incorrect information corrected and to restrict its processing. In certain cases, it is permissible to delete personal data. If personal data is processed with the consent of the data subject, that consent can always be withdrawn.
Confidentiality
Landspítali places a strong emphasis on maintaining the confidentiality of personal and health information at all times. All staff at Landspítali are bound by a non-disclosure agreement and have thus undertaken to maintain utmost confidentiality. Breaches of this are taken very seriously. The right to confidentiality of all clients and staff at Landspítali is protected by the Act on Privacy and Protection of Personal Data.
Retention Period
Landspítali is under obligation of transfer pursuant to the Public Archives Act and is therefore prohibited from destroying or disposing of documents that fall under the scope of the Act without permission. Other personal data is either deleted or made non-personally identifiable as soon as it is no longer needed for the purpose of processing. The retention of medical records is governed by the Medical Records Act, and accounting records are retained in accordance with laws and regulations on accounting information and the retention thereof.
Disclosure
Landspítali discloses personal data to various parties in accordance with the legal obligations imposed on it. These parties include Icelandic Health Insurance, the Directorate of Health, and the Financial Management Authority. Personal data may also be disclosed on the basis of contracts with Landspítali, including service agreements with parties providing services related to IT systems and medical devices. Finally, information may be disclosed on the basis of the informed consent of the individual concerned. When Landspítali enters into agreements with external parties that involve the disclosure of personal data, it is always ensured that said parties can guarantee the security of the information.
Security
Landspítali promotes active security awareness among staff through appropriate education and training regarding the security of personal data processing and confidentiality. Processing of information and technical and organizational security measures are in accordance with Landspítali's information security policy.
Responsibility and oversight
Landspítali, located at Eiríksgata 5, 101 Reykjavík, ID number 500300-2130, is the designated controller of information stored at the Hospital, and the director is responsible for all handling and processing of the information. Inquiries, requests, and complaints regarding this privacy policy shall be directed to the Landspítali Data Protection Officer by e-mail, at personuvernd@landspitali.is.
Review
Landspítali may amend this privacy policy from time to time in accordance with changes to relevant laws and regulations or due to changes in how the Hospital processes personal data. Any amendments made to this policy will be announced on the Hospital website. This privacy policy was approved by Landspítali Board of Directors on 16 July, 2018. It is in accordance with the new Data Protection Act, which implements the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Further information about privacy laws can be found on the website of the Data Protection Authority.
Patients
At Landspítali, our goal is to provide the best available healthcare. If you are a patient with us, it is necessary that we maintain a medical record about you, your health, and the treatment we have provided or plan to provide to you. Our doctors, nurses, and other healthcare staff responsible for your care, as well as other members of staff, will need certain information about you. This information is part of ensuring that you receive the best possible service. Different healthcare professionals may record information about you after treating you; your records may therefore be temporarily stored in different locations, although they are all part of your medical record.
Your information is primarily used to plan, manage and provide healthcare in such a way that:
The healthcare professionals involved in your treatment have accurate and up-to-date information needed to correctly assess your health status and provide you with the treatment you need.
Relevant information is available if you need to consult other doctors after discharge or have been referred to a specialist, or if you require any healthcare services outside of Landspítali.
The quality of the services you have received can be monitored and compared against domestic and international quality standards.
Any questions or concerns that may arise after your treatment at the Hospital can be investigated effectively.
Other uses of information about you may include:
Monitoring public health
Ensuring that the healthcare services we provide meet our patients’ present and future needs
Statistical analysis of Landspítali’s operations and management
Education and training of students in the healthcare sector
Scientific research, development, and innovation
Calculation/assessment of the funding needs of Landspítali
Review of the Hospital’s operations and services
Analysis of complaints, legal claims, and incidents.
If your information is used for any of the above purposes, it is made non-personally identifiable in nearly all cases by removing your name and national ID number. This is done in order to maintain your privacy and respect confidentiality.
Staff
We collect employee information in order to have an overview of all our staff at any given time. Employee information is recorded in Orri, the government employee and payroll system, and the Financial Management Authority handles all payroll processing. Information about work hours, attendance, and absences is recorded in Vinnustund.
Your information is primarily used to plan and manage Hospital operations and management:
To ensure that the healthcare services we provide meet the needs and safety of our patients, today and in the future
For payroll processing
Statistical analysis of Landspítali’s operations and management
Monitoring employee health, safety, and work environment
Scientific research, development, and innovation
Calculation/assessment of the funding needs of Landspítali
Review of Hospital operations and services
Analysis of employee incidents.
If your information is used for any of the above purposes, it is made non-personally identifiable in nearly all cases by removing your name and national ID number. This is done in order to maintain your privacy and respect confidentiality.
Applicants
If you are applying for a job at Landspítali, all documents submitted by you will only be used for processing your job application or to fulfill a legal obligation if necessary. Landspítali is responsible for all data you may provide in connection with the recruitment process unless otherwise stated. All information about applicants is stored in a recruitment system that is part of Orri, the government financial and human resources system.
Your information is used to:
Contact you and further process your application.
Assess your qualifications for the advertised position.
We do not collect more information than necessary to fulfill our stated purpose with the advertised position.
Students
We also collect information about all students in internships and/or training to manage and organize all studies at the Hospital.
Family members
If a patient designates you as their closest relative, your contact information is recorded in the patient's medical record.
Clients
We record information about our clients for operational and accounting purposes.
Patients
Information about you may be in paper form or in electronic form, which is more common.
The information we collect about our patients includes:
Demographic and personal information (such as name, national identification number, address, general practitioner, etc.)
A detailed history of your previous interactions with Landspítali (e.g., last visits to outpatient/emergency departments, last admissions)
Records and notes about your health, your treatments, and the nursing care you have received
Results of examinations (such as medical imaging exams, CT scans, and blood tests)
Relevant information from your caregivers or those who know you well (such as home care personnel, social services, and relatives).
The Icelandic Electronic Patient Record is a collection of patient information that is processed in connection with diagnosis, treatment, and monitoring at the Hospital or obtained from elsewhere but is relevant to their treatment at the hospital. All information about a patient is recorded there. Medical record information is considered sensitive personal data. Healthcare professionals working at Landspítali record information in the medical record pursuant to Health Records Act (No. 55/2009) and have access to information contained therein, in accordance with Landspítali’s rules on employee access authorisation.
Employees
Information about you may be in paper form or in electronic form, which is more common.
The information we collect about our employees includes:
Demographic and personal information (such as name, national identification number, address, etc.)
Employment history at Landspítali
Salary information
Bank details
Union membership
Work hours, attendance, and absences
Education and professional development
Electronic monitoring
Applicants
Information about you may be in paper form or in electronic form, which is more common.
The information we collect about job applicants includes:
Demographic and personal information (such as name, national identification number, address, etc.)
CV and cover letter
Certificates
References
Results from job interviews, scoring
Qualification assessments
Additional information that those who are hired by Landspítali must provide includes:
Bank details
Union membership.
Students
Information about you may be in paper form or in electronic form, which is more common.
Information we collect about our employees is:
Demographic and personal information (such as name, national identification number, address, etc.)
Educational level
Performance evaluations
Attendance and students' locations in departments
Relatives, clients and others
We record contact information such as name, address, and phone number, and in certain cases national identification numbers of relatives, as well as bank details of Hospital clients.
Guest Network of the Hospital (WIFI)
The healthcare IT department at Landspítali records the internet usage of individuals connected to the Hospital's wireless guest network (extranet) in accordance with the terms to which the user agrees upon login. When someone uses the Landspítali guest network, Landspítali may collect personal information about users, such as name, phone number, and national identification number, as well as information about the device, such as IP address.
Landspítali does not disclose personal data to third parties except on the basis of legal obligation, contractual provisions, or with the consent of the data subject.
Patients
Disclosure of information outside the Hospital occurs solely in accordance with the law. For instance, healthcare professionals who work outside Landspítali may receive information stored at the Hospital when patients seek their assistance regarding their illnesses. In certain cases, the Director of Health and Icelandic Health Insurance have access to information. The hospital is also obligated in certain cases to disclose information to other parties, such as child protection authorities, the Chief Epidemiologist, and the Director of Health; such disclosure also occurs on the basis of legislation. With the consent of the patient concerned, information may in a few cases be disclosed to other parties. Icelandic researchers conducting health science research may also gain access to information at the Hospital after obtaining permission from research ethics committees, pursuant to law. The Patient Records Editorial Board at Landspítali is a policy-making and oversight committee that aims to promote improved and efficient recording of medical records for the benefit of patients, and operates in accordance with Landspítali's policy on medical records.
Employees
All payroll and employee information, along with information about applicants, is stored in Orri, the government financial and human resources system, and Vinnustund, as previously mentioned. The Financial Management Authority has access to necessary information, while the IT company Advania manages the hosting of all data on behalf of the State. In certain cases, it is necessary to disclose payroll information to the Directorate of Labor, e.g. in instances involving temporary work/residence permits or when dealing with so-called work contracts.
Others (students, applicants, etc.)
In general, information about applicants, students, and Hospital clients is not disclosed outside the Hospital. Data about all applicants is stored in the State human resources system, which is managed by the Financial Management Authority.
Every employee of Landspítali has a legal obligation to ensure that your information, whether you are a patient or an employee, is stored securely and that confidentiality is observed, as confirmed in each individual's employment contract.
The information about you that Landspítali retains is subject to strict rules and procedures, both in terms of manual handling and electronic environments. This also applies to the Hospital’s external processors who are involved in specific projects for the Hospital. Such projects may involve technical work related to electronic information systems or temporary processing projects. In either case, Landspítali is responsible for ensuring that processors observe the highest level of security when handling information. This pertains to security, legality, and confidentiality. A third party may only process data upon request from Landspítali - no other use is permitted. The Financial Management Authority has a contract with the IT company Advania for the hosting of data from the Orri system and Vinnustund for all State institutions.
It is often necessary to share your medical record information with other healthcare professionals both within and outside of Landspítali so that we can work together in your best interest. However, we will only share your information when there is a legitimate necessity, and information is only disclosed using secure methods.
In exceptional cases, your information may be shared with a third party without your consent. For example, this may arise in connection with a court order or due to an investigation into a serious crime.
You have the right to object to the use or sharing of your confidential data beyond what pertains to your treatment and care; to have your objections taken into account; and if your requests cannot be met, to receive valid responses, including legal justification for why not.
You have the right to have corrected any factual inaccuracies that may appear in any data that we store about you. It is our obligation to ensure that the information we hold about you is always accurate and up to date. We verify this upon every new interaction you have with us.
We kindly ask you to help us maintain this accuracy, e.g. by informing us of any changes, such as if you have changed your general practitioner or if your address is different from what is listed in the national registry. It is important that your information is correct. Please reach out to the staff in your treatment department or to your supervisor if you are an employee.
Whether you are a patient or an employee at Landspítali, you have the right to access your personal information. If you are a patient, you may wish to obtain a copy of your medical record. If you are an applicant or an employee, you may wish to obtain a copy of your records. In such cases, you will need to fill out the designated form for data requests.
How to Access Your Medical Record
You or your representative are legally entitled to access your medical record or to obtain a copy of it, in whole or in part, and to receive explanations for anything you may not understand. Under certain circumstances, you may be denied access to some information, for example, if it is believed that such access could in any way lead to harm to your health or violate confidentiality with a third party. If you wish to request information from your medical record, you must fill out the designated request form for medical record information.
How to access information about your employment or working relationship
You have the right to obtain a copy of the records that the Hospital maintains regarding your working relationship. If you wish to request information about the recruitment process or your working relationship, please contact the Data Protection Officer at Landspítali.
The Data Protection Officer at Landspítali is Aðalbjörg Guðmundsdóttir.
The Data Protection Officer is independent and autonomous in their duties and oversees that all processing of personal data related to the operations and management of the Hospital is in accordance with the Act on Privacy and Protection of Personal Data.
Inquiries or comments regarding privacy or personal information should be directed to the Data Protection Officer by:
Sending an email to personuvernd@landspitali.is
Filling out the inquiry form
Phone at +354 543 1000
Post addressed to: Data Protection Officer, Landspítali, Skaftahlíð 24, 105 Reykjavík.
Further information on how , other than medical record information, is processed.
