Personal data protection and the handling of medical records

The health records administrators shall actively monitor the enforcement of the health records law. The health records administrator shall have the right to access the health records insofar as is necessary for the purposes of the monitoring.

The Director of Health (Embætti Landlæknis), as appropriate, monitors compliance with the provisions of the law on medical records. For example, if a patient believes that a healthcare professional has violated the confidentiality and professional secrecy obligations, he/she may send a complaint to the Directorate of Health.

The Icelandic Data Protection Authority monitors the security and processing of personal data in medical records in accordance with the provisions of data protection legislation. The Data Protection Authority can therefore rule on disputes regarding access to the medical records on the basis of that law.

For example, if a patient believes that a healthcare professional or another person has looked into a medical record without authorization, he or she can send a complaint to the Data Protection Authority.

If the Data Protection Authority reveals that there is a significant likelihood that the patient’s privacy interests have been violated, the violation shall be reported to the police.