Risk assessment


What is a risk assessment? 

A risk assessment is a tool for identifying unwanted events and the risk that these will occur. The risk that the processing of health and personal data poses to the data subject must also be assessed. 

A risk assessment must be documented. If it is necessary to implement measures to achieve an acceptable risk, the measures must also be documented in a plan with a clear deadline for implementing the measures and who is responsible for this. 

Risk is the possibility that an event may occur and negatively affect the achievement of a goal. 

Risk assessment involves making a judgement about the probability that an event with a negative effect on the achievement of the goal will occur, and about the expected consequence of the event. The result of the assessment indicates how big the risk is and forms the basis for prioritizing which risks must be addressed, and how the follow-up should take place. 

The consequence of the risk occurring will often be the loss of something one has, or something one plans to achieve. How serious the consequence is will depend, among other things, on the nature and extent of the possible loss, compared to the company's objectives. This could, for example, concern consequences such as: 

  1. Loss of life and health 
  2. Loss of material values/financial consequence 
  3. Loss of progress in a planned activity 
  4. Delayed health care 
  5. Inadequate quality of health care 
  6. Loss of information 
  7. Loss of time 
  8. Loss of reputation 

The consequences must nevertheless be adapted to the relevant scope of the risk assessment. 

According to Normen, a risk assessment should be carried out based on the minimum requirements for confidentiality, integrity, availability, and robustness, and checked against the organization's level of acceptable risk. Significant consideration should be given to the consequences for the patient/user and the provision of proper healthcare in the risk assessments. 

Acceptable level of risk 

Acceptable risk level is the risk that the data controller is willing to accept in order to achieve their goals. Each healthcare facility is responsible for defining what constitutes an acceptable risk level, and it is the management's task to define the organization's risk tolerance. In order to determine what level of risk is acceptable, it is therefore important to have a clear understanding of who is the data controller. 

Risk assessment includes the identification, analysis and evaluation of risk. The assessment must therefore be carried out with the right scope and level of detail. After the risk assessment, the data controller must decide how to manage the risk and identify and implement necessary measures to reduce the risk. These measures must be implemented in accordance with established criteria for acceptable risk. 

When should a risk assessment be carried out? 

A risk assessment must be carried out at the start of a project. It is recommended that it be carried out as early as possible in the planning phase of a project, and as a bare minimum it must be conducted prior to commencing any activities in the project such as for example processing personal data. 

If the project runs over several years, the risk assessment should be carried out regularly (possibly annually) to see if it needs adjustments. 

The risk assessment should be carried out "on the basis of an objective assessment where it is determined whether the processing of personal data involves a moderate risk or a high risk". 

Risk assessment is also related to the data protection impact assessment (DPIA) under Article 35. If the risk assessment reveals that the data processing is likely to result in a "high risk" to the data subject, a DPIA must also be conducted. 

If there are changes in the risk profile or if the prerequisites for the use of the system/service change, the risk assessment must be revised. 

Who will carry out the risk assessment? 

It is the data controller who is responsible for carrying out a risk assessment. In practice, this will mean that the project will be responsible for the implementation itself, but that UNN can contribute as a facilitator when UNN is responsible for the data. 

If a risk assessment needs to be carried out, the project must be reported to Digital Services and Technology (Digitale tjenester og teknologi) at UNN using the following e-mail: UNN-KVALUT-Ehelse-Postboks@unn.no

After a risk assessment has been carried out, measures must be implemented if risk elements have been revealed. These measures must ensure that the project is within an acceptable level of risk. Normally, one of the participants in the risk assessment will be given responsibility for the follow-up and implementation of the measures. UNN will decide this in collaboration with the project leader during the risk assessment. 

Finally, a risk assessment report must be prepared and archived as documentation. 

If a risk assessment is not prepared, this must be justified and documented. 

More information and resources 

Normen contains further information on risk assessment: 

Norm on risk assessment 

The Directorate of Digitization [Digitaliseringsdirektoratet]: 

Carry out risk assessment 

About risk and risk assessment