Responsibility for the Processing of Personal Information
Heilsuvera.is is a collaborative project between the Health Care Services of the Capital Area and the Directorate of Health. The goal of the website is to provide the public with reliable knowledge about development, health, and healthcare determinants.
My Pages on Heilsuvera are a secure web space where one can interact with healthcare professionals and access their own health information, in addition to allowing caregivers in the same household to access their information.
The Health Care Services of the Capital Area is responsible for the information collected through the use of heilsuvera.is. The Directorate of Health is responsible for the processing of personal information in connection with the use of My Pages.
What is the authority of Health Care Services of the Capital Area and the Directorate of Health for data collection?
The collection of personal information in connection with Heilsuvera is based on the roles of the institutions behind the website to disseminate knowledge about health issues.
The processing of personal information on My Pages is based on the role of the Directorate of Health in developing digital communication channels. It also facilitates individuals' access to the personal information available in the databases operated by the office, in accordance with laws and regulations governing the Directorate of Health’s operations.
The health information available on My Pages is not stored on Heilsuvera but is retrieved from the relevant databases. An overview of where the information is retrieved from can be seen below.
How is personally identifiable data used?
Personally identifiable data are used to provide the service and to ensure the functionality of the website, i.e., for secure identification and to facilitate communication with desired parties.
What personally identifiable information is collected when using Heilsuvera?
When using Heilsuvera, only personal information necessary for utilizing the website and the offered services is collected. The specific personal information collected depends on how the site is used.
In addition, cookies are used to analyse traffic on the site and ensure its functionality.
Chat
When an individual uses the chat feature, they are invited to provide an email address and name. The chat is intended only for general inquiries and not as a platform to provide healthcare services or share information about one's own health.
It is possible to send an email with comments concerning the website. To send such an email, one must provide their email address. The email is intended only for general inquiries and not as a platform to provide healthcare services or share information about one's own health.
My Pages
To access My Pages, one must use digital identification. On My Pages, various health information can be accessed, and communication with healthcare institutions is facilitated. See more below.
According to the Directorate of Health's policy on digital medical records, the intention is that users on My Pages at Heilsuvera.is can ultimately access all their digital medical record information and have secure digital communication with all their healthcare providers.
What information is accessible on My Pages, and where is it retrieved from?
Here, two views of the user's prescription information are displayed and divided into "Prescriptions" and "Medication History." The information is retrieved from the National Medicines Database through the Hekla healthcare network. Under "Prescriptions," information about active prescriptions in chronological order is displayed, including the medication's name, form, strength, remaining refills, last dispensing date, usage instructions, and the expiration date of the prescription. Under "Medication History," information about all prescription dispensations from pharmacies in the last three years is presented. In both sections, users have the option to hide medications in the list if they choose and can choose to display them again. Additionally, there is a link for each medication to the Pharmacopoeia of the Icelandic Medicines Agency and an option to submit a request to the healthcare center for prescription renewal. Requests for prescription renewal and information about which medications are stored in the website's database are encrypted. Users can save the content of both views as PDF documents or print them out.
Information about the user's vaccinations is retrieved through the Hekla healthcare network from the vaccination registry of the Directorate of Health. Two views of the information are available, one for vaccinations and the other showing which diseases the individual is vaccinated against. Information is provided about the vaccine, vaccination date, age at vaccination, and vaccination location. A link to the Pharmacopoeia of the Icelandic Medicines Agency for the vaccine is also included. Users can save the content of both views as PDF documents or print them out.
If My Pages users are registered at a healthcare center that allows general inquiries, a button appears in this location that opens an inquiry window. In the window, users are informed that the inquiry is stored in their medical records at the healthcare center and that inquiries on My Pages on Heilsuvera.is are not for urgent matters. The inquiries are conveyed through the Hekla healthcare network and are encrypted, similar to all interactions within the network. The inquiry is displayed in the medical record system on the to-do list of the healthcare professional for whom the inquiry is intended. Additionally, it appears on a dashboard for inquiries to ensure that all inquiries receive a response, even if individual healthcare professionals are not currently working. The inquiry and response are stored in the patient's medical record in the same way as other digital communications but marked as electronic. The response is then sent encrypted through the Hekla healthcare network to the healthcare gateway. If the user has provided a mobile number or email address in the “settings,” they receive a notification or email that a response to their inquiry is available, without revealing its nature. Inquiries and responses, along with personal identifiers, are stored encrypted in the website's database.
Here, users can see the appointments they have at the healthcare center where they are registered. The appointments are retrieved through the Hekla healthcare network from the appointment section of the medical record system at the respective healthcare center and are not stored on the website. If the user wants to book an appointment, they click a button, and the first three available times of the healthcare professional they can book with are displayed. This information comes from the medical record system of the respective healthcare center. The user can choose one of these times or go to the calendar to see available times for that professional every day for the next 5 weeks. If the user selects another professional, the same options are available. The user then chooses a suitable time and books it. The booking is stored in the appointment section of the medical record system at the respective healthcare center and is not stored on the website. All interactions between My Pages and the appointment section of the medical record system at each healthcare center take place through the Hekla healthcare network and are thus encrypted.
Users can indicate their stance on organ donation on My Pages. They can choose to decline organ donation or allow it with restrictions. When the user saves their stance, they must check that the Directorate of Health is allowed to store their stance and convey it to healthcare institutions as needed. The stance is stored in a special database of the Directorate of Health on organ donations, and personal identifiers are encrypted. Non-identifiable stances along with gender and age are accessible to the statistician at the office handling organ donations. Users under 18 are not allowed to decide about organ donation.
Dates of admissions and discharges related to the user through entities associated with Heilsuvera.is are accessible to users on My Pages. It is a list of locations with dates and other necessary information. Initially, users cannot view detailed information about each admission and discharge.
Efforts are being made to make overviews of connections between medical records and searches in the medication database available to users on My Pages. This allows users to see whether a healthcare professional from a specific institution has accessed their data at another designated institution. If users have reason to do so, they can seek more information at the respective healthcare institution. Users can also see that doctors from certain institutions have accessed their information in the medication database of the Directorate of Health. If they have a reason to do so, they can request further information from the Directorate of Health. With this feature, the Directorate of Health aims to give patients the opportunity to monitor their medical record information.
On My Pages, users who have an active pregnancy can view information about their pregnancy. They can retrieve opinions, measurements, and documents related to the pregnancy (e.g., images from examinations and examination results). The user can save the documents on their device. All data related to maternity care is retrieved through the Hekla healthcare network. No information is stored in the website's database.
On My Pages, users can answer questionnaires sent to them through the Hekla healthcare network. The questionnaires and their responses are stored encrypted in the website's database.
Users with active exercise prescriptions from exercise professionals can view information about them on My Pages. Additionally, they can view older exercise prescriptions. It is possible to view an overview of the exercise plan and recorded exercises, and to record exercises for active exercise prescriptions. Information about which healthcare institutions and exercise professionals are stored is encrypted in the website's database. Other information related to exercise prescriptions, such as the exercise plan, interactions, and recorded exercises, is retrieved through the Hekla healthcare network.
Parents and legal guardians have access to My Pages on Heilsuvera.is for their children up to the age of 16. This access is based on information from the national registry. In the national registry, it is only possible to link parents and legal guardians to children based on the so-called family number. This means that a non-custodial parent who does not live with their child does not automatically have access to their child's health page. In such cases, the individual can request access by contacting the Directorate of Health. Proof of custody issued by the National Registry must be submitted or evidence of custody relationships can be shown on the "Fjölskyldan mín" (My Family) page on Island.is. They must appear in person at the office and present a valid ID.
Parents cannot make decisions about organ donation on behalf of their children.
Cookies
Cookies are small text files stored on your computer or other smart devices when you visit a website for the first time.
There are different types of cookies; some are necessary to ensure the functionality of websites, others are used for analysing website usage, and still others are used for marketing analysis.
The Directorate of Health’s website uses cookies solely to optimize the user experience and analyse website usage to adapt the website to user needs.
The Directorate of Health uses Google Analytics for web analytics. Upon each visit to the website, several details are recorded, such as time and date, search terms, the referring website, browser type, and operating system. No further information is collected, and there is no attempt to link such information to personally identifiable information.
The Greater Reykjavik Area Health Care uses Siteimprove for web analytics. Upon each visit to the website, several details are recorded, such as time and date, search terms, the referring website, browser type, and operating system. This information can be used for improvements to the website and its development, such as the content that users search for the most, and more. There is no attempt to link such information to other personally identifiable information.
It is possible to disable cookies not necessary for the website's functionality. This can be done by changing the settings in the browser. Information on how to change cookie settings in major browsers can be found here.
The following cookies are used on the Health Directorate's website:
Category | Origin | Name | Purpose | Storage Time |
Necessary | heilsuvera.is | siteimprove | Website analysis | Session |
Necessary | heilsuvera.is | ic_sso | Allows the user to chat on heilsuvera. Remembers you when you return. | 3 years |
Website analysis | minarsidur.heilsuvera.is | _utma | Google Analytics uses it to store how often the user has visited the page. | Infinite (until 2038) |
Website analysis | minarsidur.heilsuvera.is | _utmz | Google Analytics uses it to analyse where the user comes from and information about the search engine they come from. | 6 months |
Website analysis | minarsidur.heilsuvera.is | _ga | Records a unique identifier used to create statistical data about guest visits to the website. | 2 years |
Website analysis | minarsidur.heilsuvera.is | _gid | Records a unique identifier used to create statistical data about guest visits to the website. | Session |
How is Information Security Ensured in the Storage and Processing of Data?
Maximum security was considered in the development of the Heilsuvera.is website.
The system is based on a three-layer design, where firewalls separate the web, web service layer, and database layer. No data is stored on the web server, and all communication between the web and the web service layer is encrypted with HTTPS communications. The data stored in the database is encrypted.
The website for My Pages on Heilsuvera.is is currently hosted by a hosting provider certified to ISO/IEC 27001:2013. The website is protected by intrusion prevention systems that prevent attempted intrusions through known intrusion methods.
All data collection for My Pages on Heilsuvera.is goes through the Hekla healthcare network. All communication through Hekla is encrypted with 256-bit AES encryption, and both senders and recipients are authenticated with 1024-bit RSA certificates.
Following a risk assessment, it was decided to require an authentication method at assurance level 4, meaning a digital ID. The Island.is authentication service is used for login, but login with IceKey (Íslykill) is not allowed.
Rights of the Registered User
An individual has the right to receive information about the data stored in connection with their use of Heilsuvera under their personal identifier, whether the personal identifiers are encrypted or not, and to receive a copy of such data. An individual may have incorrect personal information corrected, and in specific cases, an individual may have the right to have information deleted. It should be noted that the right to delete data is very limited, as information is usually processed based on laws that require the storage of such information. In certain cases, an individual may also have the right to object to the processing of personal information and request that their processing be restricted. If data processing is based on consent or a contract, an individual may have the right to receive data in a machine-readable format or have it transferred directly to a third party at the individual's request.
Contact can be made with the Data Protection Officer at the Directorate of Health via email at personuvernd@landlaeknir.is or by phone at 510-1900 if an individual wishes to receive further information about the processing of personal information or to provide feedback related to it. In such cases, an individual can also send mail marked 'Data Protection Officer' to the Directorate of Health, Katrínartún 2, 105, Reykjavik.
Contact can also be made with the Data Protection Officer at the Greater Reykjavik Area Health Care via email at personuverndarfulltrui@heilsugaeslan.is. Alternatively, you can send a message by postal mail to the Greater Reykjavik Area Health Care, Álfabakka 16, 109 Reykjavik, with the envelope marked 'Data Protection Officer.'
If an individual believes that the processing of personal information is not in accordance with the laws that apply to it, they can submit a complaint to the Icelandic Data Protection Authority at www.personuvernd.is.