Operating License for the Creation and Operation of a Health Sector Database - Minister for Health and Social Security and Islensk Erfdagreining ehf
THE MINISTER FOR HEALTH AND SOCIAL SECURITY
MAKES KNOWN:
that pursuant to Act No. 139/1998
on a Health Sector Database
ISLENSK ERFDAGREINING EHF
STATE REG. NO. 691295-3549
LYNGHALS 1
REYKJAVIK
has on this day been granted an exclusive Operating Licence for the creation
and operation of a Health Sector Database
The Operating Licence is issued with the objective of creating and operating in
Iceland a Centralised Health Sector Database with non-personally identifiable
health data for the purpose of increasing knowledge for the improvement of
health and the promotion of health services. The creation and operation of the
Database is intended to result in an integrated collection of data with records
of numerical data from the majority of the medical records already existing and
which will exist during the term of the Operating Licence in Iceland. The data
shall be processed with a view to serving the health system as a whole,
individual health institutions, self-employed health service workers and the
nation as a whole.
The Operating Licence is issued with all the conditions, rights and obligations
contained in the Operating Licence itself, Act No. 139/1998 on a Health Sector
Database, as current at any time, and regulations issued on the basis of the
said act during the term of the Licence
The Ministry of Health and Social Security
22 January 2000
Ingibjorg Palmadottir [sign.]
David R. Gunnarsson [sign.]
OPERATING LICENCE 1
<PAGE> 3
OPERATING LICENCE
ISSUED TO
ISLENSK ERFDAGREINING EHF.
STATE REG. NO. 691295-3549
LYNGHALS 1
REYKJAVIK
FOR
THE CREATION AND OPERATION
OF
A HEALTH SECTOR DATABASE
MINISTRY OF HEALTH AND SOCIAL SECURITY
JANUARY 2000
OPERATING LICENCE 2
<PAGE> 4
TABLE OF CONTENTS
<TABLE>
<S> <C> <C>
Article 1: Preamble......................................................................3
Article 2: Definitions...................................................................4
Article 3: General and Financial Conditions..............................................6
Article 4: Transfer of Data..............................................................7
Article 5: Role of the Monitoring Committee..............................................9
Article 6: Role of the Data Protection Commission.......................................10
Article 7: Conditions for Processing and Handling of Data...............................11
Article 8: Intellectual Property Rights.................................................13
Article 9: Process on the Revocation of the Operating Licence...........................15
Article 10: Payment of Costs Etc........................................................16
Article 11: Surveillance................................................................17
Article 12: Assignment and Enforcement..................................................18
Article 13: Disputes....................................................................18
Article 14: Revocation of Licence, Sanctions, Penalties and Compensation................18
Article 15: Term, Review and Issue of Licence...........................................18
</TABLE>
LIST OF ANNEXES
ANNEX A: GENERAL SPECIFICATIONS
ANNEX B: TRANSFER OF DATA TO THE HEALTH SECTOR DATABASE
ANNEX C: THE MAIN FORMAL AND SUBSTANTIVE CONTENTS OF AGREEMENTS
ANNEX D: STATUS REPORT ON HEALTH DATA
ANNEX E: TERMS OF FINANCIAL SEGREGATION
ANNEX F: REGISTER OF HEALTH PROFESSIONS
ANNEX G: TECHNOLOGY, SECURITY AND ORGANISATION TERMS OF THE DATA
PROTECTION COMMISSION
OPERATING LICENCE 3
<PAGE> 5
OPERATING LICENCE
ISSUED TO
ISLENSK ERFDAGREINING EHF.
STATE REG. NO. 691295-3549
LYNGHALS 1
REYKJAVIK
FOR
THE CREATION AND OPERATION
OF
A HEALTH SECTOR DATABASE
ARTICLE 1
PREAMBLE
1.1 This Operating Licence is issued with the objective of creating and
operating in Iceland a Centralised Health Sector Database, in the
Operating Licence also referred to as "the Health Sector Database" or
"the Database", with non-personally identifiable health data for the
purpose of increasing knowledge for the improvement of health and the
promotion of health services.
1.2 The creation and operation of the Database is intended to result in an
integrated collection of data with records of numerical and encoded
data from the majority of the medical records already existing and
which will exist during the term of the Operating Licence in Iceland
and to which access is not restricted pursuant to the provisions of
this Operating Licence. The data shall be processed with a view to
serving the health system as a whole, individual health institutions,
self-employed health service workers and the nation as a whole.
1.3 The Operating Licence is issued by the Minister for Health and Social
Security, who in this Licence is referred to as the "Issuer," pursuant
to Act No. 139/1998 on a Health Sector Database.
1.4 The Operating Licence is issued to Islensk erfdagreining ehf., State
Reg. No. 691295-3549, of Lynghals 1, Reykjavik, referred to in this
Operating Licence as the Licensee, with all the conditions, rights and
obligations contained in this Operating Licence, Act No. 139/1998 on a
Health Sector Database and regulations issued on the basis of the said
act on the effective date of the Operating Licence and during the term
of its effect.
1.5 This Operating Licence is issued on the basis of information on the
scope of activities, projects and work plan of the Licensee, which have
been submitted by the Licensee, and on the basis of Technology,
Security and Organisation Terms of the Data Protection Commission,
which are attached to this Operating Licence as ANNEX G.
OPERATING LICENCE 4
<PAGE> 6
1.6 The Operating Licence extends to the creation and operation of a
centralised Health Sector Database pursuant to Act No. 139/1998, on a
Health Sector Database, as current at any time, and regulations issued
pursuant to that Act.
1.7 The Operating Licence, the operation of the Database and the operation
of a Centralised Health Sector Database, and the handling of data from
the Database shall at all times be consistent with Icelandic law and
regulations, as current at any time, international agreements and any
international commitments to which Iceland is or becomes a party.
1.8 All data that enters the Health Sector Database is the common property
of the Icelandic nation and in the care and under the responsibility of
the Minister for Health and Social Security, acting for the Icelandic
Government. This applies both during the time that the Operating
Licence is in effect and after its expiration.
1.9 The Operating Licence provides for the conditions which form the
original basis for the issue of an Operating Licence for the creation
and operation of a Health Sector Database. During the term of the
Operating Licence these conditions may change in the light of
experience and further requirements by surveillance authorities, the
Issuer and the Licensee.
1.10 Individual provisions of the Operating Licence refer to Annexes
attached to the Operating Licence and all bear the identification of
the Ministry for Health and Social Security, and they are all
inseparable parts of the Operating Licence. The Annexes, seven in
number, are identified with the letters A-G, as shown in the list of
annexes attached to the Operating Licence on p. 22 [page no. of
original Icel. document].
ARTICLE 2
DEFINITIONS
2.1 The following terms, wherever they appear in this Operating Licence,
shall have the meaning specified below:
a) "General Specifications" means the general specifications for medical
records systems, as current and as updated by the Ministry of Health
and Social Security at any time, currently the updated report of the
Ministry of January 2000, attached to this Operating Licence as ANNEX
A.
b) "Direct access" means access to the primary data in the Database or
copies thereof, cf. Paragraph 3 of Article 10 of the Act.
c) "Encryption" means the transformation of words or numbers into an
unintelligible sequence of symbols.
d) "One-way encryption" means the transformation of words or numbers into
an unintelligible sequence of symbols which cannot be traced back using
a decryption key.
e) "Genetic data" means any data pertaining to the inheritable features of
an individual or the hereditary pattern of such features within a group
of related individuals, and furthermore all data pertaining to the
transfer of genetic information (genes) pertaining to features which
determine the diseases and health of individuals and groups of related
individuals, regardless of whether such features can be identified or
not.
f) "Transfer of data to the Database" means the summary of the handling
and transfer of data to the Health Sector Database attached to this
Operating Licence as Annex B.
OPERATING LICENCE 5
<PAGE> 7
g) "Query layer" means the software intended to process research or
queries in the Health Sector Database.
h) "Health Sector Database" means a collection of data containing the
medical data registered in a co-ordinated systematic manner in a single
centralised database intended for processing and dissemination of
information as further provided for in Act No. 139/1998, on a Health
Sector Database, the regulation on a Health Sector Database and this
Operating Licence.
i) "Medical data" means data pertaining to the health of individuals,
including genetic data.
j) "The Main Formal and Substantive Contents of Agreements" means a
summary of formal and substantive contents of agreements between the
Licensee and health institutions and self-employed health service
workers and attached to the Operating Licence as ANNEX C.
k) "Intellectual property rights" means the following rights: i.) Any
rights in the area of intellectual property rights to software which is
necessary for the creation and operation of the Database, i.e.
copyright, trade mark rights, patent rights, design rights, business
and technical know-how or other rights. Software in this context refers
to computer programmes, any systems descriptions and related documents
and any handbooks and other accompanying documents. ii.) Any rights in
the area of intellectual property rights to the Database, i.e.
copyrights, sui generis rights pursuant to EU Directive No. 96/9 of 11
March 1996 on the legal protection of databases, trade mark rights,
patent rights, design rights, business and technical know-how or other
rights. iii.) Any rights in the area of intellectual property rights,
i.e. copyright, trademarks, patents, design rights, business and
technical know-how or other rights, even if they extend directly
neither to software or a database, if the rights are necessary for the
creation or the operation of the Database. In all cases, this is a
reference to rights, whether they are presently known or established
later, and both to the rights in their entirety and licences to use
such rights.
l) "Centralised Health Sector Database" and "Database" means the Health
Sector Database pursuant to Act No. 139/1998, on a Health Sector
Database, the Regulation on a Health Sector Database and this Operating
Licence.
m) "Non-personally identifiable data" means data on an individual which
are not identifiable according to the definition of Subsection (n)
below.
n) "Personal data" means all data on an identified or identifiable
individual. An individual is regarded as identifiable if he can be
identified, directly or indirectly, e.g. by reference to an identity
number or one or more features specific to his physical, physiological,
mental, economic, cultural or social identity.
o) "Regulation" means the Regulation on a Health Sector Database.
p) "Operating Licence" means this Operating Licence.
q) "The Terms on Financial Segregation" means further conditions and terms
on the financial segregation of the operation by the Licensee of the
Database and other operations of the Licensee, attached to this
Operating Licence as ANNEX E.
r) "Register of Health Professions" means a separate register of certified
health professions, attached to this Operating Licence as ANNEX F.
OPERATING LICENCE 6
<PAGE> 8
s) "The Monitoring Committee" means the Committee on the Creation and
Operation of a Health Sector Database pursuant to Article 6 of Act No.
139/1998, and Chapter V of the Regulation.
t) "Status Report on Health Data" means the Status Report on Health Data
as current at any time and as updated by the Ministry of Health and
Social Security, currently the updated report of the Ministry of
January 2000, attached to this Operating Licence as ANNEX D.
u) "Query classes" means specific classes of queries which are comparable
and processed using software in the query layer of the Health Sector
Database.
v) "Data Protection Commission" means the Data Protection Commission
pursuant to Act No. 121/1989 on the registration and handling of
personal data, cf. also Sub-Section 2 of Article 5 and Paragraph 1 of
Article 12 in Act No. 139/1998, and Chapter VII of the Regulation on a
Health Sector Database.
w) "Science Ethics Committee" means the Science Ethics Committee pursuant
to Article 1 of Regulation No. 552/1999, on Scientific Research in the
Health Sector, cf. Paragraph 4 of Article 2 in Act No. 74/1998 on
Patients' Rights.
x) "Interdisciplinary Ethics Committee" means the Interdisciplinary Ethics
Committee pursuant to Article 12 of Act No. 139/1998 and Chapter VI of
the Regulation.
y) "Security Terms of the Data Protection Commission" means the conditions
and security requirements in the Technology, Security and Organisation
Terms of the Health Sector Database, as well as the main security
requirements and conditions of the Data Protection Commission for the
operation of the Database as current at any time, currently in the
second edition of the Data Protection Commission dated 19 January 2000,
attached to this Operating Licence as ANNEX G.
ARTICLE 3
GENERAL AND FINANCIAL CONDITIONS
3.1 The Licensee shall without exception meet all the conditions laid down
in this Operating Licence.
3.2 The Licensee shall endeavour to maintain at all times good co-operation
with the Ministry of Health and Social Security, the Directorate of
Public Health, health institutions and self-employed health service
workers, the Monitoring Committee, the Data Protection Commission, the
Interdisciplinary Ethics Committee and the National Audit Bureau.
3.3 The Licensee shall in all respects observe applicable and current legal
provisions on health services, currently Act No. 97/1990, as amended.
The Directorate of Public Health is responsible for monitoring of the
Licensee's observance of the provisions of legislation and regulations
regarding health in general and the security of patients and the
public.
3.4 The Health Sector Database shall be located exclusively in Iceland.
Processing from the Database shall take place exclusively in Iceland.
The Licensee shall not transfer any data to which he is granted access
to other databases or merge them or connect with activities taking
place elsewhere, unless the consent of the surveillance authorities has
been obtained pursuant to the instructions laid down in the Act,
Regulation or Operating Licence.
3.5 The Licensee shall not begin processing in the Health Sector Database
until an assessment has been conducted by an independent expert in the
field of information
OPERATING LICENCE 7
<PAGE> 9
systems security. The Operating Committee is responsible for the
conduct of such an assessment.
3.6 The Licensee is, in his business transactions with third parties in
respect of the creation and operation of a Health Sector Database,
bound by the provisions of the Competition Act, No. 8/1993, and the
provisions of the EEA Agreement, cf. Act No. 2/1993, as applicable, cf.
in particular the provisions of Chapter IV of the EEA Agreement. The
Licensee shall in the creation and operation of the Health Sector
Database refrain from abusing his position as Licensee in his business
with parties purchasing his services, e.g. through unreasonable fees
for the services, by refusing business with competitors or by
discriminating among his business partners through the use of
dissimilar business terms or other onerous business terms. Special
business terms, such as discounts for extensive business, shall be
based on general and transparent business terms.
3.7 The operation of the Health Sector Database shall be financially
segregated from other activities of the Licensee, cf. Paragraph 2 of
Article 14 in the Competition Act No. 8/1993. The operation of the
Health Sector Database shall be conducted within a separate operating
unit or department, and keep separate accounts. Accounting shall be
conducted in conformance with rules of law on accounting. A separate
Initial Balance Sheet shall be established. Assets regarded as
pertaining to the activities covered by the Operating Licence shall be
appraised at market value where possible, or at replacement value
following reasonable depreciation. Liabilities of the activities
covered by the Operating Licence shall include only liabilities
connected with such activities alone.
3.8 All joint use of the operation subject to the Operating Licence and the
competitive operations of the Licensee, such as use of real estate,
machinery and human resources, shall be valued at market price on an
arm's length basis. In the event that market price is not available,
the value shall be based on cost price plus a reasonable mark-up.
Similarly, business between the operation subject to the Operating
Licence and other departments shall be conducted on an arm's length
basis. When the utilisation of the Health Sector Database has begun,
the party responsible for the day-to-day administration of the
operation subject to the Operating Licence shall not be responsible for
the administration of the departments of the Licensee engaged in
competitive activities.
3.9 The Licensee shall meet the further conditions on the arrangement of
financial segregation of the Licensee contained in the Annex "Terms of
Financial Segregation", attached to the Operating Licence as ANNEX E.
ARTICLE 4
TRANSFER OF DATA
4.1 The Licensee shall observe directions on the collection, transfer,
preservation and processing of data pursuant to recognised
international rules on science ethics and rules established on the
basis of such international rules and current in Iceland at any time.
4.2 The Licensee is aware of the fact that a patient may at any time
request that information concerning him should not be transferred to
the Health Sector Database. A patient's request to such effect may
involve all information already available on the patient in medical
records or which may be recorded, or further specified information.
Such a request from a patient shall also be observed after his death.
In the event that a patient wishes to have information on him
transferred to the Health Sector Database, despite the fact that a
health institution or self-employed health service worker has not
entered into an agreement on such transfer of information, the patient
shall submit a request to this
OPERATING LICENCE 8
<PAGE> 10
effect to the Directorate of Public Health. The Directorate of Public
Health shall ensure that such a request from a patient is carried out.
4.3 Information may be delivered to the Licensee which has been processed
from medical records, for transfer into the Health Sector Database with
the approval of health institutions or self-employed health service
workers. The transfer of information shall conform to the security
requirements of the Data Protection Commission.
4.4 Before the commencement of transfer of data into the Database, the
Licensee shall enter into written agreements with the health
institutions in question or self-employed health service workers on
access to information from medical records and the handling of such
information, containing, at a minimum, the items specified in ANNEX C
"Main Formal and Substantive Contents of Agreements".
4.5 Medical information shall be recorded so as to form an integrated data
collection where information is recorded from the medical records
currently available and becoming available during the term of the
Operating Licence in Iceland and to which access is not limited
pursuant to the terms of this Operating Licence.
4.6 The recording of health data for transfer to the Health Sector Database
specified in ANNEX B shall proceed in stages. First, medical data
reaching back to 1986 shall be processed. During the second stage, the
intention is to process data from medical information before 1986. The
Monitoring Committee shall, on the recommendation of the Ministry of
Health and Social Security and the Directorate of Public Health, take
responsibility for co-ordination in this regard in the conclusion of
agreements with health institutions and self-employed health service
workers.
4.7 Information processed pursuant to Section 4.6 may be transferred to the
Licensee through the Encryption Agency of the Data Protection
Commission, cf. the Security Terms of the Data Protection Commission.
Such information consists on the one hand of data from the National
Register and on the other hand encoded and other numerical data. ANNEX
B, "Transfer of Data to the Database" lists the categories of data on
which the Licensee may negotiate for transfer with health institutions
and self-employed health service workers.
4.8 After a co-ordinated medical record has been taken into use, medical
data will be recorded in accordance with the structure of an electronic
medical file. Encoded and other numerical data defined in ANNEX B
"Transfer of Data to the Database" may be transferred from electronic
patient records to the Licensee through the Encryption Agency of the
Data Protection Commission.
4.9 Data from specific systems created for scientific research may not be
transferred to the Health Sector Database unless an agreement has been
made with the originators and owners of such systems and the transfer
is consistent with the Security Terms of the Data Protection
Commission. Furthermore, data from specific systems set up for
experimental or development purposes may not be transferred to the
Health Sector Database unless a separate agreement to such effect has
been concluded. No data which is not specified in ANNEX B, "Transfer of
Data to the Database" may be transferred to the Database without
special permission of the Data Protection Commission, as further
provided in ANNEX B.
4.10 Health institutions and self-employed health service workers shall
notify the Data Protection Commission and the Operating Company
immediately if the security of data and personal privacy are
endangered.
OPERATING LICENCE 9
<PAGE> 11
ARTICLE 5
ROLE OF THE MONITORING COMMITTEE
5.1 The Monitoring Committee shall supervise the making of agreements of
the Licensee with health institutions, on the one hand, and
self-employed health service workers, on the other hand, in order to
ensure the necessary consistency. The Monitoring Committee shall
protect the interests of the public health authorities, health
institutions, self-employed health service workers and scientists in
the making of agreements.
5.2 Agreements between parties pursuant to Section 5.1 shall provide for
remuneration payable by the Licensee pursuant to Paragraph 2 of Article
6 of Act No. 139/1998, and other substantive items contained in the
Annex "Main Formal and Substantive Contents of Agreements", attached to
this Operating Licence as ANNEX C.
5.3 The Licensee shall keep the Monitoring Committee informed on the
position of negotiations at any time. Confirmation by the Monitoring
Committee of an agreement between the Licensee and individual health
institutions or self-employed health service workers is a prerequisite
for the validity of the agreement. The parties shall be notified of the
Committee's conclusion within two weeks from the time that the
agreement was submitted to the Committee for confirmation.
5.4 The Licensee shall provide the Monitoring Committee with all
information which may be relevant to the work and duties of the
Committee.
5.5 The Licensee shall ensure that the Monitoring Committee always has
access to information on all research or queries or classes of queries
submitted to the Licensee for processing and information on the
research parties and parties submitting queries.
5.6 The Licensee shall deliver to the Monitoring Committee for safe-keeping
backup copies of the Database. A representative of the Monitoring
Committee shall be present at the making of the backup copies. The
backup copies shall be designed to enable the Monitoring Committee to
take over the operation of the Database in the event that the Licensee
discontinues its operation for any reason. The Committee shall be
delivered equipment or provided access to equipment to verify whether
the backup copies are adequate. The backup copies shall be transported
by an employee of the Monitoring Committee and deposited in fireproof
and guarded premises controlled by the Committee or in a Bank safety
deposit box. The Monitoring Committee shall perform tests of the backup
procedure at regular intervals.
5.7 Before processing in the Database begins, the Licensee shall submit to
the Monitoring Committee for approval a detailed description of the
process of making backup copies, which shall include the following
information:
- A general description of the backup process
- The process of making a backup copy
- The input and output of the backup process
- Description of the type of backup medium being used (what operating
system, software and hardware) and whether, and if so how, it is
re-used and what the lifetime of the backup medium is.
- What the source of the backup is, i.e. software and hardware.
OPERATING LICENCE 10
<PAGE> 12
- When the backup takes place according to a backup schedule, i.e. how
often a full backup is made, how often incremental backups are made
and how far back in time backup copies are preserved.
- Who performs the backup.
- Whether any errors have been reported.
- How backup copies are destroyed.
- What backup copies are in existence and their dates.
- The method of ascertaining whether a backup has been successful
- That configuration control is used.
5.8 When the Monitoring Committee has approved the description by the
Licensee of the process of making backup copies, the Committee shall
deliver the description to the Data Protection Commission which shall
establish security requirements and terms which shall be used in
making, transporting, and safe-keeping backup copies.
ARTICLE 6
ROLE OF THE DATA PROTECTION COMMISSION
6.1 The Licensee shall meet the current Technology, Security and
Organisation Terms of the Data Protection Commission at any time in the
creation and operation of the Database in conformity with the terms set
out in APPENDIX G.
6.2 The Data Protection Commission may review the Technology, Security and
Organisation Terms to be met by the Licensee in the light of new
technology, experience or changed circumstances, and establish a
deadline for the Licensee to comply with the new requirements.
6.3 The Licensee shall not make any alterations in matters of technology,
security and Organization, including changes in software or hardware,
except pursuant to rules established by the Data Protection Commission.
6.4 In the event of circumstances where the security of data may be at
risk, the Data Protection Commission may prohibit further processing in
the Database until such time as the Data Protection Commission is
satisfied that data security is adequate.
6.5 The Data Protection Commission shall operate an Encryption Agency which
shall carry out the transfer of all data to the Health Sector Database.
The Encryption Agency of the Data Protection Commission shall take
delivery of encrypted health data from health institutions and
self-employed health service workers which have concluded agreements
with the Licensee.
6.6 The Licensee shall establish rules of procedure and work processes
which meet the conditions of the Data Protection Commission in order to
ensure privacy protection in the cross-referencing of data from the
Health Sector Database, a genealogical database and a database
containing genetic data. The Data Protection Commission shall attach
such conditions to its approval of the rules of procedure and work
processes of the Licensee as it considers necessary at any time to
ensure privacy protection and data security in the Health Sector
Database. Among the conditions for the approval of the Data Protection
Commission is that the results should be non-personally identifiable.
6.7 If it becomes evident that results obtained from cross-referencing of
data are personally identifiable, the Data Protection Commission may
order the destruction of such results in
OPERATING LICENCE 11
<PAGE> 13
their entirety or in part and revoke its approval. During the course of
investigation, the Data Protection Commission may prohibit further
cross-referencing of data on the basis of its approval and take custody
of the results. In the event that the Licensee does not observe the
conditions of the Data Protection Commission on the cross-referencing
of data, the Data Protection Commission may revoke its approval
pursuant to Section 6.6.
6.8 In order to preserve the security of personal data, the Data Protection
Commission may establish rules to be observed during the collection,
registration and processing of medical data in the medical records
system in preparation for their transfer to the Encryption Agency of
the Data Protection Commission. Those employees of Health Institutions
and self-employed health service workers who are directly employed in
the transfer of health data to the Health Sector Database shall not be
involved in the Licensee's operation of the Database. Health
Institutions and self-employed health service workers are responsible
for the delivery of health data to the Encryption Agency of the Data
Protection Commission.
6.9 The Data Protection Commission is responsible for monitoring the
creation and operation of the Health Sector Database as regards the
recording and processing of medical data and the security of data in
the Health Sector Database. The Data Protection Commission shall take
measures to monitor observance of the conditions established by the
Commission.
6.10 The Data Protection Commission may inspect the technology, security and
organisation aspects of the Health Sector Database whenever necessary.
The Data Protection Commission may conduct any tests or inspection or
take any surveillance action it may regard as necessary and demand the
required assistance of the personnel of the Licensee in taking such
action.
6.11 The Data Protection Commission may require from the Licensee and any of
the Licensee's employees any information necessary for the Commission
to perform its tasks, including information to determine whether a
particular activity falls under the provisions of regulations and
legislation on the Health Sector Database. The Data Protection
Commission may also summon personnel of the Licensee and persons
employed by the Licensee to appear before the Commission and provide
oral information and explanations.
6.12 In the course of its surveillance duties, the Data Protection
Commission shall have free access to the premises where the Health
Sector Database is preserved and processing takes place. The Data
Protection Commission may, by a special resolution, entrust specific
employees and consultants with certain aspects of the work entrusted to
the Data Protection Commission pursuant to Act No. 139/1998, on a
Health Sector Database and the Regulation issued on the basis of the
Act.
ARTICLE 7
CONDITIONS FOR PROCESSING AND HANDLING OF DATA
7.1 The recording and processing of medical data for transfer to the Health
Sector Database shall be performed or controlled by employees who are
licensed health-care professionals in order to ensure accurate
recording and confidentiality. The "Register of Health-Care
Professions" attached to this Operating Licence in ANNEX F is a list of
licensed health-care professions.
7.2 The Ministry of Health and Social Security and the Directorate of
Public Health shall at all times have access to statistical data from
the Database. The data shall be in accessible
OPERATING LICENCE 12
<PAGE> 14
form and meet the specifications of the health authorities as current
at any time. The data shall be prepared so as to be directly usable for
the preparation of health reports, plans, policies and projects of the
Ministry and the Directorate of Public Health. The data shall be
supplied to the above parties free of charge. The access of the above
parties is subject to the approval and surveillance of the Data
Protection Commission.
7.3 The Licensee shall meet the conditions and requirements contained in
the Annex "Status Report on Health Data", attached to the Operating
Licence as ANNEX D, and all subsequent amendments, whether in place of
or in addition to the said "Status Report on Health Data". In other
respects, the parties shall consult on changes resulting from special
needs and requests in individual fields and developments and
innovations which may emerge during the term of the Operating Licence.
7.4 Data shall be prepared for transfer to the Health Sector Database in
such a way as to meet the needs of the institutions or self-employed
health service workers for a co-ordinated information system, the needs
of specialist fields and the needs of public health authorities, and in
such a way as to be of use in scientific research.
7.5 The Executive Boards of health institutions shall take the initiative
in consulting with the relevant professional associations, head
physicians of institutions, head physicians of divisions and nursing
supervisors in order to ensure that the data is as useful as possible
for administration and research. Furthermore, consultations shall be
held with the above parties regarding what information should be
processed from medical files and whether any information is of such a
nature that it should not be transferred to the centralised Database.
7.6 The Licensee shall meet the conditions and requirements laid down in
the Annex "General Specifications" attached to the Operating Licence as
ANNEX A and all subsequent amendments, whether in place of or in
addition to the said "General Specifications". The Licensee shall
furthermore meet the guidelines laid out in the appendix "Transfer of
Data to the Database" attached to the Operating Licence as ANNEX B. In
other respects the parties shall consult on additions or alterations
with respects to the specialised part of electronic patient records,
special needs and requests in individual fields and developments and
innovations which may emerge during the term of the Operating Licence.
7.7 In the handling of files, other data and information, the conditions
regarded as necessary by the Data Protection Commission at any time
shall be observed. Personal identifiers shall be encrypted prior to
transfer to the Database in order to ensure that the employees of the
Licensee work only with non-personally identifiable data. The employees
of the health institutions in questions or self-employed health service
workers shall prepare data for transfer to the Health Sector Database.
Medical data shall be transferred in encrypted form in order to
preserve their security. Personal identifiers shall be one-way
encrypted, i.e. using encryption which cannot be traced back using an
identifying key. Access to data in medical records is in other respects
governed by the Act on Patients' Rights, the Act on Health Service and
the Act on the Recording and Handling of Personal Data.
7.8 Data which are recorded or obtained by processing in the Health Sector
Database may be utilised to develop new or improved methods of
promoting health, prognosis, diagnosis and treatment of diseases, to
seek the most efficient methods in the operation of health systems and
in the interests of reporting in the area of health. The Licensee is
authorised to process data in the Health Sector Database from the
medical data of medical records recorded in the Database provided that
measures are taken to ensure that in the course of
OPERATING LICENCE 13
<PAGE> 15
processing and cross-referencing of data, no information can be linked
to personally identifiable individuals.
7.9 The Licensee may not grant direct access to the Database.
7.10 Before processing is begun in the Database, the Licensee shall inform
the Monitoring Committee which parties in his employ work with the
Database, its operation and development of software and which parties
in his employ have access to the query layer. Furthermore, their roles
and responsibilities shall be defined, as well as their access
authorisation. The Licensee shall notify the Monitoring Committee of
any intentions to confer responsibilities on new parties pursuant to
this provision and ensure that the Security Terms of the Data
Protection Commission are strictly observed.
7.11 Providing information on individuals from the Health Sector Database is
prohibited. Only statistical information involving groups of
individuals may be provided.
ARTICLE 8
INTELLECTUAL PROPERTY RIGHTS
8.1 In Articles 8 and 9 of this Operating Licence, the terms "software" and
"intellectual property rights", as intellectual property rights are
defined in the Operating Licence, refer to software and intellectual
property rights which are necessary following the expiration or
termination of the term of this Operating Licence for the creation,
operation and maintenance of the Health Sector Database in the
interests of public health authorities, health institutions and
self-employed health service workers, including for scientific
research, cf. Articles 6 and 9, and Paragraph 1 of Article 10 in Act
No. 139/1998. Software and intellectual property rights include
software and rights utilised in the interests of the above parties
during the term of the Operating Licence. Software and intellectual
property rights pursuant to Articles 8 and 9 of this Operating Licence
do not include the software and rights which, during the term of this
Operating Licence are used only in the interests of the Licensee
himself, or for commercial purposes pursuant to agreements with third
parties.
8.2 Article 8 hereof applies to all agreements concluded by the Licensee
for the purpose of obtaining intellectual property rights, cf. Sections
2.1(k) and 8.1, including but not limited to the contracts concluded by
the Licensee with contractors on the creation of the Database, custom
software, and on the adaptation of solutions with special reference to
the Database, any agreements on the acquisition of utility
licenses/utilisation rights, development of software or software
solutions and any contracts on the purchase of or licences to
components for software. Article 8 also extends to contracts of the
Licensee with his employees and contracts with registration parties
which the Licensee may conclude for the transfer of data to the
Database.
8.3 The Licensee shall, on the expiration of the Licence pursuant to its
provisions, ensure that the Issuer, or the party entrusted by the
Issuer with the operation of the Database, receives without time
limits, based on the term of the Licence, all use of intellectual
property rights necessary for the creation and operation of the
Database. This refers to any party which the Issuer may unilaterally
decide to entrust with the operation of the Database following the
expiration of the term of the Licence, whether this is an individual,
legal entity, company or institution.
8.4 The Licensee shall ensure that utilisation, on his part, of
intellectual property rights in respect of operating the Database is
not subject to time limits which are based on the term of the Operating
Licence. In cases where there are no rights of ownership, steps shall
be
OPERATING LICENCE 14
<PAGE> 16
taken to ensure that licences or comparable rights are not restricted
by such time limits, and the Issuer or such party as the Issuer may
entrust with the operation of the Database shall have the option of
renewing such contracts, at least on an equal basis with the Licensee,
to the extent necessary for the utilisation of the rights.
8.5 The Licensee shall ensure, and take full responsibility, that the
software used by him for the creation and operation of the Database is
not in violation of any third-party rights. The same applies to the
Database and other intellectual property rights.
8.6 In the event that the Licensee obtains a copyright on software, whether
through contracts with a third party or through his own software
design, the Licensee shall ensure that following the expiration of the
Licence, he shall be capable of delivering to the Issuer all data
necessary for the Issuer or such party as the Issuer may entrust with
the operation of the Database, to continue the development and
maintenance of the Software. Such data may only be used to develop
software for the operation of the Health Sector Database. The Licensee
shall ensure, e.g., that he acquires rights to the software
contemporaneously with the creation of such rights by the other
contracting party and that the Issuer, or such party as the Issuer may
entrust with the operation of the Database, is permitted to accept
delivery of the said data notwithstanding the fact that such data is in
the possession of a party other than the Licensee, in the event that
the estate of the contracting party is subjected to bankruptcy
proceedings or if the other party is for some other reasons incapable
of performing the contract. Furthermore, the Licensee shall ensure that
he is authorised to transfer the rights to the software to the Issuer
or subsequent licensees.
8.7 In the event that the Licensee, by contract, becomes the holder of
licence rights, utilisation rights or other comparable rights to use
software, the Licensee shall ensure that following the end of the term
of the Operating Licence the Licensee will be capable of delivering or
transferring to the Issuer, or such party as the Issuer may entrust
with the operation of the Database, the number of user licenses
pursuant to licensing and service contracts which are necessary to
continue the creation and operation of the Database. The Licensee
shall, in the event that the contracting party ceases to issue licenses
or provide service for the software, or if the estate of the
contracting party is subjected to bankruptcy proceedings, or if such
party is for some other reasons incapable of performing the contract,
attempt to ensure that the Issuer, Ministry of Health and Social
Security, or the party to which the Minister may decide to entrust with
the operation of the Database, shall be entitled to receive delivery of
the information which may be necessary to maintain and develop the
software notwithstanding the fact that such information is in the
possession of a party other than the Licensee. The Licensee shall
ensure the aforesaid in all contracts on custom manufacture, adaptation
or development of software.
8.8 The Licensee shall ensure that all employees in his service, permanent
or part-time, who participate or have participated in the engenderment
of intellectual property rights, including the creation of the Database
and the development, design or maintenance of software, undertakes in
his employment contract, or through some other written undertaking,
provisions to the effect that the software and intellectual property
rights are wholly and fully the possession of the Licensee, and that
the Licensee is authorised to utilise and transfer such rights in
Iceland and in other countries by any method currently known or later
practised, to any third party, in part or in full, and modify and
continue to develop such work as the rights may extend to.
8.9 The employment contract or undertaking pursuant to Section 8.7 shall
include a declaration by the employee to the effect that he may not
provide access to any third
OPERATING LICENCE 15
<PAGE> 17
party to information or data pertaining to the software or intellectual
property rights or use such data or information in his own interests or
in the interests of others.
8.10 The Licensee shall not transfer to any third party or grant to any
third party the rights to software, Database or other intellectual
property rights which would prevent the Issuer, or such party as the
Issuer may entrust with the operation of the Database, from utilising
the software, database or rights in the operation of the Database,
following the expiration of the Operating Licence. The Licensee shall
ensure that the provisions of this Section are enforced, e.g. in any
agreements on delivery of data from the Database.
8.11 At the end of the term of the Operating Licence, the Licensee is under
obligation to take whatever steps necessary to enable the Issuer, or
such party as the Issuer may entrust with the operation of the
Database, to utilise intellectual property rights, e.g. to execute
certain agreements with the Issuer, issue confirmations to any third
party or for the registration of any rights if necessary in Iceland or
abroad.
8.12 In the event that the Licensee, at the time that the Operating Licence
expires or is terminated, is the owner of copyrights to software or the
owner of other intellectual property rights which are used in the
creation and operation of the Database, he shall for two years
following the expiration of the Licence, provide the Issuer, or such
party as the Issuer may entrust with the operation of the Database,
with access to new versions which he may develop of the software.
8.13 The Licensee shall ensure that all data relating to software, including
manuals, systems descriptions, and source programs, and data relating
to the Database and other intellectual property rights are preserved in
a secure and organised manner. The handling of such data during the
term of the Operating Licence shall at all times be such as to ensure
that, in the event of the revocation of the Operating Licence, the data
may be delivered to the Issuer, or such party as the Issuer may entrust
with the operation of the Database, and that the creation or operation
of the Database can be taken over immediately.
8.14 One year from the time of issue of this Operating Licence, and annually
thereafter during the term of the Operating Licence, the Monitoring
Committee may order the performance of an inspection of the data of the
Licensee in order to verify that the provisions of Article 8 of the
Operating Licence and the provisions of Annex G on the Technology,
Security and Organisation Terms of the Data Protection Commission on
the handling of data are observed. The Licensee is under obligation to
provide access to his premises and data for this purpose.
ARTICLE 9
PROCESS ON THE REVOCATION OF THE OPERATING LICENCE
9.1 When the Operating Licence expires pursuant to the provisions of
Section 15.1 or in the event that the Operating Licence is revoked or
the Licensee deprived of the License pursuant to the provisions of law,
regulations or provisions of the Licence itself, the Issuer shall make
a decision on the disposal and operation of the Database. The
Monitoring Committee shall operate the Database until a final decision
has been made on its future operation.
9.2 The Licensee shall, on the expiration or termination of the Operating
Licence, deliver to the Issuer or such party as the Minster may entrust
with the operation of the Database, the Database and all data relating
to the software to which the Licensee has proprietary rights and which
are necessary for the creation and operation of the Database, including
systems descriptions and source programs. Furthermore, the Licensee
shall deliver all necessary
OPERATING LICENCE 16
<PAGE> 18
documents for the transfer or provision of rights to other software
which is necessary for the creation and operation of the Database.
Delivery of data shall comply with the instructions of Annex G on the
Technology, Security and Organisation Terms of the Data Protection
Commission on the handling of data or, as applicable, the document
which replaces it on the review of the terms.
9.3 On the expiration of the Operating Licence, the Licensee shall in the
nine months immediately following the expiration provide the Issuer and
the Monitoring Committee, without special remuneration, with the use of
all hardware and software which may be necessary for the creation and
operation of the Databse. The Issuer shall, during the course of this
period, pay service fees and comparable fees in respect of the
software, including license fees on patents and registration fees in
respect of ther rights which may be due during the period.
9.4 During the nine month period immediately following the expiration of
the Operation Licence pursuant to Section 15.1 or for other reasons,
the Licensee shall ensure that intellectual property rights do not
lapse or become lost for other reasons. The Licensee, in consultation
with the Issuer and the Operaing Committee, take any necessary measures
in this respect, e.g. pursuant to agreements of the Licensee with a
third party, to register rights as well as any other measures which may
be provided for by law.
9.5 An independent agreement between the Licensee and Issuer, signed on the
issue of the Operating Licence, stipulates how the established rights
of the Licensee shall be transferred to the Issuer on the expiration or
termination of the Operating Licence. One of the conditions for the
issue of the Operating Licence is the existence and validity of such an
agreement. Breach of the agreement may result in loss of the Operating
Licence.
ARTICLE 10
PAYMENT OF COSTS ETC.
10.1 The Licensee shall during the term of the Operating Licence pay to the
Icelandic government costs and fees as further provided hereinbelow in
Sections 10.2 - 10.8 and in the Regulation on the Health Sector
Database.
10.2 The Licensee shall pay all costs of the preparation and issue of the
Operating Licence, the payment of such cost to be provided for in a
Government Regulation on the Health Sector Database.
10.3 The Licensee shall pay all costs of the work of the Monitoring
Committee. Following the end of each month the Licensee shall be
invoiced for the cost of the work of the Committee in the preceding
month. The invoice shall be paid within 15 days of its issue.
10.4 The Licensee shall pay all costs relating to service and monitoring of
the operation of the Database, including the monitoring of the Data
Protection Commission and the Cost of the Directorate of Public Health
of publishing and promoting information on patients' rights, cf.
Article 8 of the Act on a Health Sector Database. Following the end of
each month the Licensee shall be invoiced for costs pursuant to Section
10.4 in the preceding month. The invoice shall be paid within 15 days
of its issue.
10.5 The Licensee shall pay all costs incurred in the processing of data for
transfer to the Health Sector Database, i.e. all costs of processing
the data of health institutions and self-employed health service
workers for transfer to the Database, and the costs of producing an
integrated information system, cf. Section 4.8, as further provided in
agreements of the Licensee with the parties in question.
OPERATING LICENCE 17
<PAGE> 19
10.6 In addition to costs pursuant to Sections 10.1 to 10.5, the Licensee
shall, on the basis of an independent agreement with the Issuer which
has been signed on the issue of the Operating Licence and constitutes
one of the conditions for the issue of the Licence, pay a fixed
remuneration to the Icelandic government and a share of the profit from
the operation of Islensk erfdagreining ehf, such share to be used to
promote health services, research and development.
10.7 The Licensee shall effect all payments pursuant to Sections 10.2, 10.3
and 10.4 in the office of the State Treasury. Payments pursuant to
Sections 10.5 and 10.6 are subject to further agreement.
10.8 In the event of default by the Licensee as regards the payments due
during the term of the Operating Licence pursuant to this Article or
pursuant to the Agreement referred to in Section 10.6, the Minister for
Health and Social Security may revoke the Operating Licence.
ARTICLE 11
SURVEILLANCE
11.1 The Monitoring Committee shall ensure the observance of all provisions
of the Act, government regulations issued on the basis of the Act and
the conditions of the Operating Licence in the operation of the Health
Sector Database. The Committee shall monitor all queries and processing
from the Database and report regularly to the Science Ethics Committee
on all queries made to the Database, including information on the
parties submitting the queries. The Committee shall inform the Minister
and the Data Protection Commission without delay if the Committee has
reason to believe that there is any impropriety in the operation of the
Database. The Committee shall also advise the Ministry of Health and
Social Security and the Directorate of Public Health regarding the
utilisation of information from the Database.
11.2 The Data Protection Commission is responsible for monitoring the
creation and operation of the Health Sector Database with regard to the
recording and handling of personal data and the security of data in the
Database as well as monitoring adherence to its terms.
11.3 The Interdisciplinary Ethics Committee is responsible for assessing
research conducted within the company of the Licensee and queries
received. The assessment of the Committee shall reveal that there are
no scientific or ethical objections to the performance of research or
processing of queries.
11.4 The auditor of the annual financial statement of the Licensee shall
annually, immediately following approval of the Licensee's annual
financial statement, send to the Issuer confirmation of the fact that
the provisions of the Operating Licence on financial segregation have
been observed. The National Audit Bureau is responsible for monitoring
that payments and statements of the Licensee proceed in conformance
with the provisions of the Operating Licence and applicable
legislation. The Licensee shall provide the National Audit Bureau with
access to all relevant documents and information.
11.5 The Licensee shall not begin transfer of data to the Database and
processing in the Database until such time as all conditions of the
Operating Licence are met in the opinion of the parties responsible for
monitoring the operation of the Database.
11.6 In the event of violation by the Licensee of provisions of the
Operating Licence or the Act, the Minister shall issue a written
warning with a reasonable deadline for amends. Inaction on the part of
the Licensee, intent and gross negligence are subject to revocation of
the Licence.
OPERATING LICENCE 18
<PAGE> 20
ARTICLE 12
ASSIGNMENT AND ENFORCEMENT
12.1 The Operating Licence and the Health Sector Database are neither
assignable nor subject to enforcement of claims. The Operating Licence
and the Database may not be pledged against any financial liability.
ARTICLE 13
DISPUTES
13.1 In the event of any dispute regarding performance pursuant to the
Operating Licence or on the interpretation of the Operating Licence in
other respects, such disputes shall be settled before the Icelandic
courts. However, the parties may refer such disputes to arbitration if
they so agree.
ARTICLE 14
REVOCATION OF LICENCE, SANCTIONS, PENALTIES AND COMPENSATION
14.1 As regards withdrawal and revocation of the Operating Licence,
penalties and compensation, reference is made to Chapter VI of the Act
on a Health Sector Database, cf. Articles 13-17 of the said Act.
ARTICLE 15
TERM, REVIEW AND ISSUE OF LICENCE
15.1 The Operating Licence shall take effect on its date of issue with all
the conditions, rights and obligations contained in the Licence. The
Operating Licence is effective until and including 21 January 2012.
15.2 Processing in the Database shall not begin until such time as all the
conditions of the Operating Licence have been met according to the
assessment of surveillance authorities.
15.3 The Operating Licence shall be subjected to review no later than 1
October 2008. The Operating Licence may be subjected to review
following a request to such effect from the Licensee or the Minister
for Health and Social Security.
15.4 The Operating Licence is entirely subject to the provisions of Act No.
139/1998, on a Health Sector Database and government regulations issued
on the basis of the Act. The Licence shall be subjected to review on
the part of the Minister for Health and Social Security if amendments
are made to the Act or regulations issued on the basis of the Act. The
Operating Licence shall also be subjected to review if it is
inconsistent with Icelandic law or rules or international agreements,
conventions and covenants to which Iceland is a party at any time.
Ministry of Health and Social Security
22 January 2000
Ingibjorg Palmadottir [sign.]
David A. Gunnarsson [sign.]
OPERATING LICENCE 19