Parts of the guide are based on legislation and use terms that have a legal meaning. The legal terms may differ somewhat from how the same terms are used in everyday language. As the guide progresses and central concepts are introduced, they will either refer to pages with more information on how central concepts should be understood or be accompanied by an explanation of the concept. If the information is not already known, those responsible for the project must familiarize themselves with this information.
In addition to this, we have gathered some central concepts below:
Anonymous information is information that cannot be linked to an identifiable physical individual or that has been anonymized in such a way that personal information can no longer be linked to a physical individual (see the recital of the GDPR point 26). When developing artificial intelligence, it is important to note that algorithms can compile and analyse anonymous information in ways that may identify physical individuals. In that case, the information will no longer be anonymous.
Processing of health and personal information
Processing of health and personal information includes any operation or series of operations carried out with health and personal information, whether automated or not (e.g., collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure or destruction, cf. GDPR Art. 4 No. 2). This means that the use of personal and health information for the development of artificial intelligence, for example, collecting and training algorithms, is processing personal and health information.
The institution/company/other legal entity that determines the purpose of the processing of personal data and which tools to use.
A data processor is a person or entity outside the controller's organization who processes personal data on behalf of the controller. To use a data processor, a data processing agreement is required between the data processor and the controller. Examples of data processors may include an external supplier of questionnaires, a supplier of storage capacity, a supplier of analysis of human biological material, a transcription assistant, or an interpreter.
Health research is research on humans, human biological material, or health information when the purpose is to generate new knowledge about health and disease (the Health Research Act § 4). Research means activities carried out using scientific methodology. Often, it may be unclear whether innovation projects should be regarded as health research. The Norwegian Directorate of Health has provided guidance on this issue.
Health information is personal information that provides information about a person's physical or mental health, including the provision of health services, cf. GDPR Art. 4 No. 15.
Clinical decision support tools
Clinical decision support tools are all types of tools that can help a person make a decision in connection with clinical activities, such as knowledge summaries that help ensure that health care is evidence-based. It does not include tools that are primarily commercial or purely administrative tasks. It is a technology-neutral concept.
Clinical testing of drugs and medical equipment
Clinical testing refers to any systematic testing involving one or more test participants, conducted to evaluate the safety or performance of a medical device or drug.
Artificial intelligence (AI) is often used as a collective term for various types of machine learning, but there is no consensus on the meaning of the term. We use a broad understanding of the term.
Quality improvement means increasing the quality of healthcare through changes in practice. This often requires studying different practices and outcomes for patients. In projects aimed at generating knowledge that can be used to change practices, quality improvement is an appropriate description of the purpose.
Quality assurance of healthcare involves controlling that diagnosis, treatment, and other healthcare actually produce the intended results and identifying whether quality requirements are met. Quality assurance can provide the basis for quality improvement.
Machine learning uses mathematical and statistical methods to create algorithms based on data analysis. The training of a system can occur through supervised learning, unsupervised learning, or reinforcement learning.
Medical devices are any instrument, apparatus, equipment, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, on human beings for one or more of the specific medical purposes:
- diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease
- diagnosis, monitoring, treatment, alleviation or compensation for injury or disability
- examination, replacement or modification of anatomy or a physiological or pathological process or state
- to provide information through in vitro examination of samples derived from the human body, including organ, blood and tissue donations
The following products shall also be considered as medical devices:
- equipment for contraception or fertilization assistance
- products specifically intended for the cleaning, disinfection or sterilization of medical devices
Personal data means any information relating to an identified or identifiable natural person, as defined in the General Data Protection Regulation (GDPR) Art. 4 No. 1. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Protection Impact Assessment (DPIA)
Data Protection Impact Assessment (DPIA) is a type of risk assessment that deals with privacy risks. A DPIA must be carried out in projects where the processing of personal data will put the rights and freedoms of natural persons at a high risk. In such projects, a more comprehensive assessment of the consequences of the planned processing for the protection of personal data must be carried out before the processing of personal data begins.
Pseudonymous/De-identified Personal Data
Information where name, social security number, or other unique personal identifiers are removed or replaced with other identifying data.
Validation is used both for validation of AI products that occurs at the manufacturer and validation of AI products that occurs in healthcare institutions. Validation at the manufacturer involves proving that the equipment meets the requirements for a specific intended use as defined by the manufacturer. Validation in the healthcare institution involves determining whether the equipment is suitable for the current patient group/use in the current healthcare institution.