8. Transfer of personal data and health research data to projects outside HVL
HVL shall ensure the lawful transfer of personal data and health research data from projects where HVL is/has been responsible for processing, for use in projects where another institution is responsible for the processing.
- HVL by the project manager can transfer personal data and health research data to external activities if there is a legal basis.
- An application for transfer of personal data and health research data personal and health information must be submitted in writing to HVL addressing the Vice-Rector for Research, who decides on transfer.
- A confirmation of the valid basis for processing personal data, a specification of which personal data is sought to be extradited and how these data will be stored must be attached.
- HVL assesses whether the original information letter and statement of consent accommodates the transfer.
- Questions about the transfer of registry data that HVL has received from an external company shall be directed to the original register.
- A transfer must be described in a co-operation agreement between the institutions.
- The project manager compiles the personal information and health research data before the transfer. This can also be done by the data processor by agreement.
- Persons who are not subject to HVL's instruction authority cannot be given access to HVL's research server to retrieve the information themselves.
- When transferring, the project manager must ensure that:
- If the information is to be transmitted de-identified, the original connection number must be replaced with a new one. The handed-out connection numbers are stored together with the connection key.
- Transmission of de-identified data via memory stick or CD / DVD is sent by registered mail in two shipments with connection key and data separately, preferably encrypted.
- Solutions for deliveries via cloud services must be risk assessed and satisfy HVL's requirements for an acceptable level of risk, cf. cloud services offered by HVL.
- When extradited to countries outside the EEA (third states or international organizations), this shall take place following GDPR Articles 44-50, and extradition shall be documented. The project manager has a dialogue with NSD or the privacy representative to ensure legal extradition.
- If unauthorized extradition of personal data has occurred, the project manager must immediately inform the data controller, who must notify the Data Inspectorate, see 9. Internal control and handling of breaches or discrepancies from legal obligations, regulations, and research ethics.