Table 4.
Legal documents from Norway.
| No | Legal document | Type |
| 1 | Code of conduct for information security and data protection in the health care and care services sector version 6.0 [61] | Code of conduct |
| 2 | Ministry of Government Administration, Reform and Church Affairs’ requirements specification for PKIa for the public sector [62] | Guidelines |
| 3 | General principle to regional control system for information security and privacy [63] | Policy |
| 4 | Safety regulator legislation applicable to the enterprise group [63] | Policy |
| 5 | Organization of information security work [63] | Policy |
| 6 | Safety goals and level for acceptable risk of information security [63] | Policy |
| 7 | Security strategy [63] | Policy |
| 8 | Security instructions (signed version) [63] | Policy |
| 9 | ICTb services and information security for medical devices [63] | Policy |
| 10 | Requirements specification—ICT services and information security for MTUc [63] | Policy |
| 11 | Security principles and requirements for ICT infrastructure and applications [63] | Policy |
| 12 | Anonymization of health and personal information [63] | Policy |
| 13 | Use of data processor—treatment of personal information at other legal entity [63] | Policy |
| 14 | Use of email and fax [63] | Policy |
| 15 | Use of mobile phones [63] | Policy |
| 16 | Basis for posting in journal [63] | Policy |
| 17 | Storage, archiving, and deletion of health and personal information [63] | Policy |
| 18 | Crypto policy [63] | Policy |
| 19 | Password policy for the health trusts in Health South-East | Policy |
| 20 | Guidance for approval of data processing from secure third countries [63] | Policy |
| 21 | Requirements for coded research data | Policy |
| 22 | Use of email, fax, and SMS text messaging for communication with and about patients [63] | Policy |
| 23 | Regional policy for publishing and public services and DMZd [63] | Policy |
| 24 | Description of identification procedure in Health South-East [63] | Policy |
| 25 | Use of logs for administrative purposes | Policy |
| 26 | Internal control information security [63] | Policy |
| 27 | Logging of activity and control of logs [63] | Policy |
| 28 | Regional security policy for cloud services [63] | Policy |
| 29 | Regulations relating to the Processing of Personal Data [64] | Regulation |
| 30 | Norwegian Personal Health Data Filing System Act [16,65,66] | Statutory law |
| 31 | Act relating to Patients’ Rights | Statutory law |
| 32 | Act relating to the Processing of Personal Data [18] | Statutory law |
| 33 | Health Care Personnel Act [67,68] | Statutory law |
| 34 | Health Research Act [16] | Statutory law |
| 35 | Act relating to Public Supervision of the Health Service | Statutory law |
aPKI: public key infrastructure.
bICT: information and communication technology.
cMTU: medical technical equipment.
dDMZ: demilitarilized zone.