About Norse Feedback
Norse Feedback (“NF”) offers its services on behalf of health personnel at the respective treatment providers, and to the treatment provider’s patients. Norse Feedback is the first dynamic feedback system that continuously adapts to the patient’s answers to questions about problems and resources. NF has been developed in close collaboration with practitioners and patients. The services that use NF on a wider scale can also review service data for management purposes. The services can access reports of aggregated data that show what the users need and the therapeutic effects . Data-driven practice makes it possible to tailor treatment and to identify issues and crises to work through before deterioration or drop-out..
Feedback from users of the system is collected by Norse Feedback’s product team and forms the basis for continuous improvements to the software.
Information collected may include obtaining or registering patient and treatment provider information (national identification number, name and telephone number/email) measures sent as SMS or email, displaying reports for the treatment provider and PDF exports for medical records. The services described in this privacy policy will be collectively referred to as the “Services”. Your treatment provider can use the Services even if you, as a patient, decide that you do not want to use the Services yourself.
Principles of treatment
Use of Norse Feedback means that NF will process personal data about you. NF processes data and personal data in accordance with the principles and laws for the processing of personal data that follow current regulations.
This privacy policy shall explain in more detail how your personal data is processed in NF. If you would like further information on the principles and regulations for the processing of personal data, you can find this on the Norwegian Data Protection Authority’s website.
Processing Responsibility
Two key terms in privacy are “data processor” and “treatment provider”. The treatment provider is the person who, alone or together with others, determines the purpose of the processing of personal data and which means of processing are to be used, while the data processor is someone who processes personal data on behalf of the treatment provider.
As a supplier, NF is the data processor on behalf of services who use Norse Feedback for the processing of personal data that is necessary for use in these services. This means that your treatment provider is responsible for the treatment in connection with the services delivered from NF.
Data Processing Legality
According to Article 6 of the Personal Data Protection Regulation, processing of personal data is only legal when there is a valid basis for doing so in treatment. Valid basis for processing of personal data may be your consent to receive treatment; that treatment is necessary to fulfill an agreement to which you are a party; is necessary to fulfill a legal obligation incumbent on the treatment provider; is necessary to protect your or another person’s vital interests; is necessary to carry out a task in the public interest or exercise public authority to which treatment is required, or is necessary for purposes related to the legitimate interests pursued by the treatment provider or a third party.
For children under the age of 16, treatment that is based on consent is only legal if and to the extent that consent has been given or approved by the person who has parental responsibility for the child.
If such a basis for treatment exists, personal data shall only be collected for specific, expressly stated and justified purposes and shall not be further processed in a manner that is incompatible with these purposes.
What personal data is processed by NF as a data processor?
The processing carried out by NF as data processor will include personal data, including health information that is necessary for the treatment provider’s use of NF and the Services offered by NF (as described above). The data processor relationship between each treatment provider and NF is regulated by a data processor agreement.
The information about you comes either from your doctor or other healthcare personnel, yourself or the record system associated with it. NF essentially only processes information that is stored in your treatment provider or other providers’ system solutions. This includes personal information about you, such as name, national identification number, contact details, etc. Each treatment provider is considered the data controller and NF processes such information only according to their specific instructions. The processing of personal and health data by doctors and other practitioners is informed by health legislation, and is partly based on the consent of the patients. It is your treatment provider’s responsibility as data controller to ensure that this processing of your personal data has a valid processing basis.
Is it voluntary to provide information?
It is voluntary for you as a patient if you wish to use Norse Feedback. You can also use NF for a period and then choose to end use at a later time. However, you as a patient cannot decide whether your treatment provider wants to use NF or not.
Is information shared with third parties?
No health information is provided to other recipients. No other treatment providers will have access to your personal data unless you make an explicit request for this.
Access to your own information
You always have the right to access the information we have registered about you in connection with NF in accordance with Article 15 of the Personal Data Protection law. For access to your information, you must contact your treatment provider.
Right to delete personal data
All personal data for which your treatment provider is the Data Controller for, will be found at the relevant treatment provider site.
The right to delete personal data does not apply if the processing is necessary to fulfill a legal obligation, or for reasons of public interest in the area of public health (Article 17 of the Personal Data Protection law). To delete your personal data, you must contact your treatment provider.
Right to Object
According to Article 21 of the Personal Data Protection Regulation, you have the right to object to the processing of your personal data under further conditions. You can read more about the right to object on the Norwegian Data Protection Authority’s website. You must contact the treatment provider if you wish to exercise this right.
The right to complain to a supervisory authority
If you believe that our, or the treatment provider’s, processing of your personal data is in breach of the personal data protection law, or the data protection regulations in general, you have the right to complain about this to the supervisory authorities. For Norway, this is the Norwegian Data Protection Authority, and complaints can be submitted on their website.
Change of privacy terms
NF reserves the right to change this privacy policy with one month’s notice. If, in NF’s opinion, the change is to the benefit of the users or is of minor importance, the change can nevertheless be carried out without notice.
How is the information secured?
We take your privacy seriously and therefore require BankID or similar security mechanisms when logging in for treatment providers. For you as a patient, you can choose for yourself whether you want a simplified login through a unique link, or whether you want to use BankID or similar security mechanisms. The solution is in line with the requirements of the Connecting Norwegian Health Services and the requirements of the Norm for information security in the health sector. This means that information processed in NF is safeguarded in accordance with the Personal Data Act.
The following are examples of other measures we have implemented to provide satisfactory security with regard to confidentiality, integrity and availability of your personal data: encryption of the storage of the content of your profile, encryption of communications with healthcare companies so that unauthorized persons will not gain access to the information; automatic monitoring of the Services to detect viruses, malfunctions, abuse and intrusion attempts, and more; operation of the services is protected with strong physical security.
These and other measures carried out by NF contribute to achieving a level of security that is suitable in accordance with Article 32 of the Personal Data Protection law.
Limitation of liability
We work continuously to ensure that the information and functions available on the website are complete and correct, but pages may contain insufficient or inaccurate information. All information that is processed is obtained either from you, your use of the services, publicly administered registers or the treatment provider.
Insufficient or incorrect personal information from healthcare personnel or patients that is presented through the Service must be taken up with the relevant treatment provider.
NF is not responsible for errors and deficiencies in routines and processes belonging to healthcare personnel, for example how healthcare personnel follow up on patient tasks. This is a relationship between you and your treatment provider.
Other conditions that lie outside NF’s responsibility include, among other things: errors, deficiencies and/or undesirable properties of relevant data, file attachments, links or similar, other than that detected threats such as viruses will be removed; mistakes you as a user of the services yourself make, for example deleting information, sending information to the wrong recipient or otherwise making information available to unauthorized persons through the use of an insecure connection to the internet (e.g. through the use of an internet café); errors, deficiencies or operational disruptions relating to BankID and other login solutions, the user’s hardware, software, access to or transmission over the internet; content and actions on external links.
If you contact us to exercise your rights related to the processing of personal data for which NF only acts as a data processor, we are obliged to forward your inquiry to the treatment provider.
Legislation and jurisdiction
The website is subject to and relates to Norwegian legislation, including legislation and other legal framework conditions in the fields of privacy, health and copyright. All questions that may arise in connection with the content and use of the pages are governed by Norwegian law. Any disputes are settled under Norwegian jurisdiction.
Contact Information
If you have questions about personal data privacy and how personal data is used in relation to treatment, you must contact your treatment provider.