
Privacy policy

This privacy policy describes how the Norwegian Medical Products Agency (NOMA) collects and uses personal data for various purposes.

    NOMA, represented by the Director General, is responsible for our processing of personal data.

    Personal data refers to any information and assessments that can be linked to you as an individual. In this statement, you will find the information you are entitled to receive when we collect personal data about you. You will also find general information about how we process the data and about your rights.

    We work continuously to ensure that personal data is processed in a responsible manner and in accordance with applicable privacy regulations. Below you will find an overview of the contexts and systems in which NOMA processes personal data.

    Contact us

    NOMA is a public authority and has appointed a dedicated Data Protection Officer (DPO). The DPO can help you safeguard your rights regarding our processing of your personal data. Håvard Nilsskog is the Data Protection Officer at NOMA.

    Email: personvern@dmp.no
    Postal address: P.O. Box 240 Skøyen, NO-0213 Oslo
    Telephone: +47 22 89 77 00

    Please note that email is not a secure channel for submitting information. In particular, we ask that you do not send sensitive personal data such as national identity numbers or health information by email. For now, we ask that such information be sent by regular post.

    Rights

    When we process personal data about you, you have the right to be informed. You also have the right to request access to the data, and to request that incorrect, incomplete or unlawfully processed data be corrected, supplemented or erased.
    We are obliged to respond to your request free of charge and no later than within one month.

    To exercise your rights, please contact our Data Protection Officer.

    Processing of personal data related to the Adverse Reaction Register

    About the Adverse Reaction Register

    NOMA monitors adverse reactions related to the use of medicinal products in Norway. The purpose is to make medicine use safer by identifying safety information from real-world use and shortening the time it takes before all adverse reactions to a medicinal product are well-known. The legal basis for this task is provided in the Adverse Reaction Register Regulations.

    Healthcare personnel are obliged to notify NOMA if they suspect a connection between a reaction in one of their patients and the use of a medicinal product (Adverse Reaction Register Regulations §3-1). This reporting obligation applies to fatal or life-threatening reactions, reactions causing permanent serious consequences, and unexpected or new adverse reactions. Reports may be submitted and processed without the patient’s consent (§2-1).

    Reports from healthcare personnel are processed by a Regional Medicines Information and Pharmacovigilance Centre (RELIS). Reports concerning adverse reactions to vaccines are processed by the Norwegian Institute of Public Health (NIPH).

    Private individuals may report adverse reactions concerning themselves or relatives using a form on Helsenorge.no. These reports are processed by NOMA.
    Reports from healthcare personnel and private individuals are stored in the Adverse Reaction Register. NOMA is the data controller for the register.

    Anonymised adverse reaction data from the register is exchanged with the EudraVigilance database at the European Medicines Agency (EMA). From there, data is also exchanged with the World Health Organization (WHO). This is an important part of international pharmacovigilance; by analysing adverse reaction data from multiple countries, new reactions and safety signals can be detected earlier.

    Data in the Adverse Reaction Register is stored indefinitely.

    Rights of the data subject

    If you are registered in the Adverse Reaction Register, you have the right to information and access to your own personal and health data. Please use the form below. You may also request information about who has accessed or received your data, but you must specify this in the form. Only specially authorised personnel may view your name, national identity number or other identifying information. Note that access is not possible for adverse reaction reports without a national identity number. This applies to reports received before the register was established on 1 January 2020, and to some reports received thereafter.

    You may also request the correction of errors in the data. Due to overriding public interest, reports cannot be fully deleted (Health Register Act §25), but adverse reactions later shown to have causes other than the suspected medicinal product may be deactivated.

    Right of reservation

    You may object to your health data being made available to anyone other than NOMA (§2-2 of the Adverse Reaction Register Regulations). This does not apply to anonymised data made available as part of European pharmacovigilance cooperation. The right of reservation also does not apply to the compilation of health data (§§2-2, 4-1, 4-2 and 4-3).

    Processing of other personal data in NOMA

    Compassionate use, named patient

    All medicinal products sold in Norway must have a Norwegian marketing authorisation. Doctors and dentists may apply to NOMA for an exemption to prescribe a medicinal product without such authorisation.

    Applications are processed in NOMA’s compassionate use, named patient database. The legal basis is §2-5 of the Medicines Regulations. Applications include the doctor’s or dentist’s name, postal address and ID number. For the patient, gender, age, prescription ID, indication, and a medical justification for why a medicinal product without market authorisation cannot be used, are recorded. The prescription is handled by a pharmacy.

    Case processing and archiving

    NOMA processes personal data in order to fulfil the Agency’s statutory tasks in accordance with, among others, the Norwegian Medicines Act, the Norwegian Pharmacy Act, the Medical Devices Act and the Public Administration Act.

    Enquiries that are processed as cases in NOMA are stored electronically in our case processing and archiving system Public 360°. Registration, storage and retention of case documents are carried out in accordance with the Norwegian Archives Act. Various types of personal data such as name, address, email address and other relevant information provided in the enquiry are stored in Public 360°. Relevant information and responses to enquiries are also archived. Case documents may contain sensitive personal data, such as adverse reaction reports.

    Under the Norwegian Freedom of Information Act, NOMA is required to publish its public journal on www.eInnsyn.no. Sensitive personal data will not be shown, but personal names may be used as sender or recipient for a case document. These names will not be searchable for enquiries that are more than one year old (in accordance with the Freedom of Information Regulations).

    When access is requested under the Freedom of Information Act and the Public Administration Act, certain personal data such as name and email address may be disclosed to the person requesting access.

    Email and telephone

    NOMA uses email and telephone as part of its daily work to fulfil its statutory tasks pursuant to, among others, the Norwegian Medicines Act, the Norwegian Pharmacy Act, the Medical Devices Act and the Public Administration Act. Relevant information arising from telephone conversations and email exchanges that form part of case processing is archived in Public 360°.

    NOMA’s employees also use email for general communication with internal and external contacts. Each employee is responsible for deleting messages that are no longer needed. When an employee leaves, the email account is deleted, but certain relevant emails will normally be transferred to colleagues.

    Please note that ordinary email is not secure. We therefore encourage you not to send health information, national identity numbers or other sensitive personal data by email.

    Telephone calls are logged and stored in our system for 30 days, after which they are automatically deleted. The log is necessary in order to provide good reception services and for the administration and operation of the system.

    Logging of media enquiries

    We keep an internal media log in Microsoft Power Pages where we record the date, media outlet, first name and surname of the journalist, telephone number and email address, as well as what the enquiry concerns and any email correspondence. The information is used solely internally by the Communications Department and is not disclosed to others.
    Information in the media log is deleted after three years.

    Website – general

    NOMA is responsible for the collection and use of personal data and anonymous data in connection with the operation and maintenance of dmp.no and www.legemiddelsok.no. It is voluntary for visitors to these sites to provide personal data in connection with the services offered, for example by entering an email address to receive alerts about new or updated content.

    Data collected is stored on servers in Norway operated by Optimizely. Only NOMA, developers at the hosting provider Netcompany, and support staff at the system provider have access to the data collected. If a visitor wishes to use the various services, they must consent to our processing of personal data. The visitor may withdraw consent at any time. The sections below explain in more detail the storage periods for personal data and how you can withdraw your consent.

    Search

    NOMA stores information about which search terms users enter when searching on the website. We do this to improve user-friendliness. Usage patterns related to search are stored anonymously. Search terms are stored and cannot be linked to other information about users, such as IP addresses.

    “Did you find what you were looking for?”

    At the bottom of most pages on www.dmp.no you can give us feedback on whether you found the information you were looking for or not. We use this feedback to improve the content on the website. When you use this function, we do not store any information about you. The feedback you send us is stored in the database of the web publishing system Optimizely and is automatically deleted after 6 months.
    Please do not send personal data via this feedback function. If you wish to inform us or discuss something related to your health or other personal matters, please contact us in another way.

    Email alerts about published and updated pages

    On dmp.no you can subscribe to email alerts when pages within specific topics are published or updated. For us to send you such alerts, we need your email address. You may also provide your name, although this is not mandatory. The data you provide is used solely to send email alerts for the topics you have selected.
    When you register as a subscriber, you will receive a confirmation email. You must click on a link in this email to activate your subscription. By activating your subscription, you consent to our processing of your personal data. We then store the following information about you: name (if provided), email address, and which topic(s) you wish to receive alerts about. The data is stored in the web publishing system database for two years. The data is only available to web-administrators at NOMA and support staff at the system provider and is not shared with others.
    You can withdraw your consent at any time by cancelling your subscription. You cancel by clicking the unsubscribe link at the bottom of any of the emails you receive. Your data will then be deleted from our database.

    An active subscription must be renewed every two years in order for you to continue receiving alerts. You will receive an email with information and instructions on how to renew one month before the subscription expiry date. If you do not renew, the subscription will automatically be terminated and your data will be deleted from our database.

    Storage of visitor statistics

    DMP.no stores visitor statistics showing how the website is used. Examples of information stored include the number of visitors to different pages, which websites visitors come from, how long they stay on the site, and which browsers are used. The information is used to improve and further develop the site’s services and content. We cannot trace your use of the website back to you as an individual.

    NOMA currently uses Siteimprove to collect visitor statistics. dmp.no uses a feature in Siteimprove to anonymise the visitor’s IP address so that it is not stored by Siteimprove or in dmp.no.

    Read Siteimprove’s privacy policy.

    Website – use of cookies

    Cookies are small text files that are placed on your device when you load a webpage. The vast majority of websites use cookies. DMP.no uses cookies to improve your user experience and to collect statistics. We never store information that can identify you personally.

    The following cookies are used on dmp.no:

    Microsoft Azure

    AspNetCore.Cookies: Maintains the authenticated state of the user (editor or administrator) after successful login with Microsoft Azure AD. It contains an encrypted representation of the user’s identity but does not directly collect personal data.

    ARRAffinity: Ensures that your browser session remains consistent throughout your visit by generating a unique identifier. It is used to bind your browser requests to a specific server. Does not collect personal data.

    ARRAffinitySameSite: Similar to ARRAffinity, but with an additional “SameSite” flag for increased security. Generates a unique identifier to ensure a consistent and functional browser session. Does not collect personal data.

    ai_user: Stores a unique, randomly generated key to distinguish users and the time when the key was created. Set by Application Insights to collect anonymous statistics to understand how visitors use the website.

    ai_session: Stores three values: a unique and randomly generated key, the time when it was created, and the renewal time. Used by Application Insights to group telemetry from client and server into the same user session.

    Optimizely 12 (CMS)

    EPiStateMarker: Used to identify a user session. This cookie is harmless and does not contain personal information.

    EPiStartUrlKey: Tracks the user’s starting URL in order to understand which page the user first visited. Stores this information in encrypted form and is usually session-based. Does not collect personal data.

    apt.uid, apt.sid: Used for telemetry data, meaning that they collect aggregated and anonymised statistics that help us understand how users interact with our website. This enables us to improve the user experience and identify areas for improvement. No personally identifiable information is collected through these cookies.

    AspNetCore.Antiforgery: Prevents Cross-Site Request Forgery (CSRF) attacks by generating a unique, random value that the server uses to verify that requests are legitimate. Does not collect personal data.

    AspNetCore.Identity.Application: Used for user authentication when editors and administrators log in to the CMS. Generates an encrypted token that stores essential authentication information to keep you logged in. This information can only be decrypted by our server.

    Read more about cookies from Optimizely (external link).

    General site settings

    Language: Stores your selected language code (for example “en” for English or “no” for Norwegian) to adapt content to your preferred language. Does not collect personal data.

    Feedback – Optimizely

    feedback-submitted-page: Stores the URL of the page from which you submitted feedback in a session cookie. This cookie is deleted when the browser is closed.

    feedback-submitted: Stores a Boolean value “true” when feedback is submitted, in a session cookie. This cookie is deleted when the browser is closed.

    Read more about the feedback functionality in the section “Did you find what you were looking for?”.

    Siteimprove (web analytics)

    nmstat: This cookie is used to record a visitor’s use of the website. It collects statistics about website usage, for example when the visitor last visited the site. This information is then used to improve the user experience. This Siteimprove Analytics cookie contains a randomly generated ID that is used to recognise the browser when a visitor views a page. The cookie does not contain personal data and is used for web statistics only.

    Read more about how Siteimprove uses cookies.

    Forms portal – use of cookies

    Power Pages:
    Overview of cookies in the forms portal – Power Pages

    | Cookie Name | Description | Lifetime |
    | --- | --- | --- |
    | __RequestVerificationToken | Used by the system to protect against forgery (CSRF protection). | Session |
    | .AspNet.ApplicationCookie | Identifies user sessions. Starts when a user first visits the site and ends when the session is closed. | Session |
    | Adx-notification | Stores notification messages for redirection in basic form actions. | Session |
    | ARRAffinity | | Session |
    | ARRAffinitySameSite | Ensures load balancing between Azure websites. Stores no user data. Which are used depends on the browser. | Session |
    | ASP.NET_SessionId | Maintains the session of a logged-in user to avoid repeated logins. | Session |
    | ContextLanguageCode | Stores the user’s default language during a session. Deleted when the session ends. | Session |
    | Dynamics365PortalAnalytics | Critical service cookie for anonymous analysis of service usage for statistical purposes. | 90 days |
    | isDSTObserved | Indicates whether the current time is within daylight saving time. | Session |
    | isDSTSupport | Indicates whether a specific date/time falls within daylight saving time. | Session |
    | timeZoneCode | Stores the time zone code field from the CRM timezonedefinition table. | Session |
    | timezoneoffset | Stores the time difference between UTC and local browser time. | Session |
    | OpenIdConnect.nonce.xxxxxx | Links a client session to an ID token and reduces the risk of replay attacks. | Session |
    | AspNet.ExternalCookie | Identifies user sessions when logging into the B2C solution. | Session |
    | WebPageCaching | Helps the Content Delivery Network (CDN) determine whether a page should be fetched from cache or the web server. | One day |

    B2C (login system for the forms portal)

    | Name | Purpose | Lifetime |
    | --- | --- | --- |
    | x-ms-cpim-admin | Contains user membership data across tenants. Shows which tenant a user belongs to and membership level (Admin or User). | End of browser session |
    | x-ms-cpim-slice | Used to route requests to the correct production instance. | End of browser session |
    | x-ms-cpim-trans | Used to track transactions (number of authentication requests to Azure AD B2C) and the current transaction. | End of browser session |
    | x-ms-cpim-sso:{Id} | Used to maintain the SSO session. This cookie is set as persistent when “Keep me signed in” is enabled. | End of browser session |
    | x-ms-cpim-cache:{id}_n | Used to maintain the request state. | End of browser session, successful authentication |
    | x-ms-cpim-csrf | Cross-Site Request Forgery token used for CSRF protection. | End of browser session |
    | x-ms-cpim-dc | Used for Azure AD B2C network routing. | End of browser session |
    | x-ms-cpim-ctx | Context. | End of browser session |
    | x-ms-cpim-rp | Used to store membership data for the resource provider’s tenant. | End of browser session |
    | x-ms-cpim-rc | Used to store relay state. | End of browser session |
    | x-ms-cpim-geo | Used as a hint to determine the geographical location of the resource tenant. | 1 hour |

    Other digital media (newsletters, surveys, social media)

    Newsletters

    On dmp.no you can subscribe to newsletters in several categories. In order for us to send you newsletters, you must register an email address. We also ask you to register your name, but only a first name is mandatory. You register as a subscriber on a separate registration page. By registering, you consent to us sending you newsletters and using your email address and telephone number for this purpose. The data you provide is used solely to send newsletters by email. For some types of newsletter, we may wish to send SMS in addition to email, in which case we will ask you to provide a mobile phone number as well.

    Only newsletter administrators at NOMA and support staff at the system provider Bas Kommunikasjon have access to the data. Through the newsletter, you can view and change your subscription details and you can unsubscribe from the service at any time.

    Through the system provider, NOMA administrators can see how many and which subscribers open the newsletter, as well as how many and which subscribers click on various links in the newsletter.

    Survey tools

    NOMA uses the survey tool Questback. In some of these surveys, senders are asked to provide their name, email address and, if relevant, telephone number. The contact details are used for further dialogue with the sender, for example about meeting invitations, evaluations or clarification of professional questions. Data is stored only as long as it is relevant to the matter the survey concerns. The legal basis, purpose of data collection and retention period vary from survey to survey and are stated in the information at the beginning of each survey.

    For notifications of medicine shortages, the Wufoo form solution is used. Here we ask for information about the name of the contact person at the pharmaceutical company as well as email address and telephone number. Only case handlers and the internal administrator of the solution have access to the data. See Wufoo’s privacy policy.

    Social media

    NOMA has its own pages/profiles on social media (Facebook and LinkedIn). We only have access to the information that individuals themselves have made public in social media. The information can be deleted by the individual at any time.

    Visits to NOMA’s premises

    All entries and exits in the building where NOMA is located are logged electronically. This applies to both visitors and employees. The log contains name, time, telephone number and (for employees) email address. The data is automatically deleted after 90 days.

    All entrances to the building where NOMA is located, and the exterior around the façade, are subject to CCTV surveillance. All video recordings are stored for one week, after which they are automatically deleted.

    Information about job applicants

    When you apply for a job with us, your application and attachments are stored temporarily in the recruitment system Webcruiter and in our case and archiving system 360. All lists of applicants and decisions are kept, while the applications are deleted after one year.

    Our data processors

    Processing of personal data in NOMA is mainly carried out by our own employees, who are bound by a duty of confidentiality under the Public Administration Act. All subcontractors who may gain access to personal data must sign a binding confidentiality agreement.

    Special security measures and procedures have been established for information requiring a particularly high level of protection, such as health data.

    NOMA has entered into separate data processing agreements with subcontractors who process personal data on our behalf. The most important subcontractors with whom we have such agreements are:

    • Lareb – developer of the adverse reaction database Viginor
    • Bas kommunikasjon – provider of newsletter tool
    • The Norwegian Agency for Public and Financial Management (DFØ) – provider of payroll and accounting systems and services
    • The Regional Medicines Information and Pharmacovigilance Centres (RELIS) – processing of adverse reaction reports
    • Entra – operation and maintenance of the premises at Grenseveien 26
    • Norwegian Institute of Public Health (NIPH) – processing of adverse reaction reports for vaccines
    • Iron Mountain – off-site archive for historical paper archives of case documents
    • Netcompany – general operation and maintenance of NOMA’s IT systems
    • Norsk helsenett (NHN) – provider of IT operations and maintenance services and mailroom services
    • Phonero – provider of mobile telephony services
    • Siteimprove – provider of web statistics system
    • Tietoevry – developer of the case and archiving system 360°
    • Advania – general operation of NOMA’s IT systems, including email
    • Questback – provider of survey tool
    • Webcruiter – recruitment system
    • Surveymonkey – provider of the Wufoo survey solution

    Only authorised personnel at the data processors shall have access to personal data in our systems. Persons with access are bound by a duty of confidentiality.

    Relevant legislation

    • General Data Protection Regulation (GDPR): Sets out rules on the protection of natural persons with regard to the processing of personal data. Aims to ensure harmonised rules within the EU/EEA and the free flow of personal data between EU/EEA countries.
    • Norwegian Personal Data Act with national adaptations to the GDPR.
    • Norwegian Freedom of Information Act (Offentleglova) and Freedom of Information Regulations (offentlegforskrifta): Contain provisions on when a document is publicly available and when a document may or must be exempt from public disclosure. As a rule, case documents of state agencies such as NOMA are open for public access.
    • Norwegian Public Administration Act (Forvaltningsloven): Regulates case processing and decisions made by state and municipal administrative bodies. Contains procedural rules on how your case will be handled by a public authority. As a party to the case, you have specific rights, including the right of access to the documents in the case.
    • Norwegian Archives Act (Arkivloven) and the Archives Regulations (arkivforskriften): Contain rules on how case documents must be recorded, stored and preserved.
    • Norwegian Health Register Act (Helseregisterloven): Contains rules on how collected health data will be processed, how it is secured, who has access and whether it can be disclosed to others.
    • Adverse Reaction Register Regulations (Bivirkningsregisterforskriften): The register is intended to contribute to safe and effective use of medicinal products by ensuring that adverse reaction reports are continuously and systematically recorded, processed and analysed and that information on adverse reactions is captured as early as possible from real-world medicine use.
    • Norwegian Medicines Act (Legemiddelloven): Contains the main provisions on medicinal products and other goods for medical use in Norway.
    • Norwegian Medicines Regulations (Legemiddelforskriften): Aims to contribute to safe and rational use of medicines through appropriate control of the quality, safety and efficacy of medicinal products, as well as marketing and price.
    • Norwegian Pharmacy Act (Apotekloven): Aims to ensure the safe dispensing of medicinal products to end users. It is intended to contribute to correct use of medicines in the population and good availability throughout the country of medicinal products and pharmaceutical services of good quality and at a reasonable price.
    • Medical Devices Act (Lov om medisinsk utstyr): Regulates the production, marketing, distribution and use of medical devices. The purpose is to prevent harm, incidents and accidents, and to ensure that medical devices are tested and used in a professionally and ethically sound manner.