Datatilsynet (Norway) - 20/03293 (decision 2): Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet (Norway) |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=20/...")
 
m (just small linguistic changes to Brisith English (organisation instead of organization))
 
(10 intermediate revisions by 2 users not shown)
Line 4: Line 4:
|DPA-BG-Color=
|DPA-BG-Color=
|DPAlogo=LogoNO.png
|DPAlogo=LogoNO.png
|DPA_Abbrevation=Datatilsynet (Norway)
|DPA_Abbrevation=Datatilsynet
|DPA_With_Country=Datatilsynet (Norway)
|DPA_With_Country=Datatilsynet (Norway)


Line 11: Line 11:


|Original_Source_Name_1=Datatilsynet
|Original_Source_Name_1=Datatilsynet
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/b8f80f9ade934d2b9ec2d51cc165e0b3/vedtak-om-palegg---brevkontroll-med-kriminalomsorgens-behandling-av-personopplysninger.pdf
|Original_Source_Link_1=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/tilsynrapport-og-palegg-til-kriminalomsorgen/
|Original_Source_Language_1=Norwegian
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Language__Code_1=NO
|Original_Source_Name_2=Final inspection report
|Original_Source_Link_2=https://www.datatilsynet.no/contentassets/d7b778fca25d48ffa4ccb7d077c33251/20_03293-42-kontrollrapport-til-publisering.pdf
|Original_Source_Language_2=Norwegian
|Original_Source_Language__Code_2=NO
|Original_Source_Name_3=
|Original_Source_Link_3=
|Original_Source_Language_3=
|Original_Source_Language__Code_3=
|Original_Source_Name_4=
|Original_Source_Link_4=
|Original_Source_Language_4=
|Original_Source_Language__Code_4=


|Type=Investigation
|Type=Investigation
|Outcome=Violation Found
|Outcome=Violation Found
|Date_Decided=26.08.2021
|Date_Started=09.11.2021
|Date_Published=01.09.2021
|Date_Decided=19.10.2022
|Year=2021
|Date_Published=01.11.2022
|Fine=None
|Year=2022
|Fine=
|Currency=
|Currency=


|GDPR_Article_1=Article 30 GDPR
|GDPR_Article_1=
|GDPR_Article_Link_1=Article 30 GDPR
|GDPR_Article_Link_1=
|GDPR_Article_2=
|GDPR_Article_Link_2=


|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=


|National_Law_Name_1=Norwegian Personal Data Act of 2000 §14
|National_Law_Name_1=Norwegian Execution of Sentences Act Chapter 1A and 1B
|National_Law_Link_1=
|National_Law_Link_1=https://lovdata.no/dokument/NLE/lov/2001-05-18-21
|National_Law_Name_2=Norwegian Regulation on personal data processing §2-4
|National_Law_Name_2=Norwegian Personal Data Act of 2000
|National_Law_Link_2=https://lovdata.no/dokument/SF/forskrift/2018-06-15-876
|National_Law_Link_2=https://lovdata.no/dokument/NLO/lov/2000-04-14-31
|National_Law_Name_3=Norwegian Regulation on personal data processing §2-7
|National_Law_Name_3=Norwegian Personal Data Act of 2018
|National_Law_Link_3=https://lovdata.no/dokument/SF/forskrift/2018-06-15-876
|National_Law_Link_3=https://lovdata.no/lov/2018-06-15-38/%C2%A720
|National_Law_Name_4=Norwegian Personal Data Act of 2018
|National_Law_Link_4=https://lovdata.no/lov/2018-06-15-38/%C2%A714
|National_Law_Name_5=Norwegian Regulation on personal data processing §2-7
|National_Law_Link_5=https://lovdata.no/dokument/SF/forskrift/2018-06-15-876
|National_Law_Name_6=Norwegian Regulation on personal data processing Chapter III
|National_Law_Link_6=https://lovdata.no/dokument/LTI/forskrift/2000-12-15-1265
|National_Law_Name_7=
|National_Law_Link_7=
|National_Law_Name_8=
|National_Law_Link_8=


|Party_Name_1=Directorate of Norwegian Correctional Service
|Party_Name_1=Directorate of Norwegian Correctional Service
Line 40: Line 69:
|Party_Name_3=
|Party_Name_3=
|Party_Link_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=


|Appeal_To_Body=
|Appeal_To_Body=
Line 50: Line 75:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Rie Aleksandra Walle
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]
|
|
}}
}}


The Norwegian DPA has requested the Directorate of Correctional Service to establish records of processing activities, explain controller roles and responsibilities and document their internal controls.
After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organisation.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On their own initiative, the Norwegian DPA requested information from the Directorate of Norwegian Correctional Service (DCS) regarding their processing of personal data, specifically an overview of such processing (equivalent to [[Article 30 GDPR|Article 30 GDPR]]) for purposes related to the Execution of Sentences Act, and details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally.
In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to [[Article 30 GDPR|Article 30 GDPR]]) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a [[Datatilsynet (Norway) - 20/03293|first decision]] issued in August 2021.


The DCS responded that they lack an overview of personal data processing activities, despite having procured a dedicated system for this purpose. They had initiated the work, but could only document ten processing activities - which are insufficient as per the GDPR, their own view. The DCS further stated that they process several - and many to a great extent - sensitive personal data related to sentencing. Consequently, it's important that the directorate has a good overview and control of personal data processing.
As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway)  for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.
 
During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere.
 
Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.
 
The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.


=== Holding ===
=== Holding ===
The DPA held that the Directorate of Correctional Service (DCS) must 1) establish records of processing activities in line with the Norwegian Personal Data Act of 2000 § 14 and the associated Regulation on personal data processing § 2-4, 2) describe how the responsibility for personal data processing is structured and distributed in the directorate, both organisationally and practically, cf. the Regulation on personal data processing § 2-7, and 3) send the DPA their internal controls documentation, cf. the Personal Data Act of 2000 § 14. Relevant documentation must be enclosed.
The DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organisation. 
 
The controller must comply with the order within six months. If they fail to do so (with the deadline set to 9 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.  


== Comment ==
== Comment ==
''Share your comments here!''
The daily penalty is an option under the Norwegian Personal Data Act § 29.


== Further Resources ==
== Further Resources ==
Line 76: Line 109:


<pre>
<pre>
THE DIRECTOR OF THE CRIMINAL CARE
DIRECTORATE OF CRIMINAL CARE
 
PO Box 694
PO Box 694
4302 SANDNES
4302 SANDNES
 
 
 
 
 
 
 
 
 
Their reference Our reference Date
 
202105340 20 / 03293-13 26.08.2021
 
 
 
Decision on order - Letter control with the Prison and Probation Service's processing of
personal information
 
 
 
    1 Introduction
 
 
We refer to our notification of a decision on an order, dated 28 June 2021. The Norwegian Prison and Probation Service
had a deadline to submit comments on the notice on 13 August 2021.
 
 
We have not received any comments, and the decision is identical to the notification. For the record, we take
 
the same text as stated in the notice.
 
    2. Decision on order
 
 
The Data Inspectorate adopts the following order:
 
 
        1. In accordance with the Personal Data Act 2000 § 14 and
        associated regulations § 2-4 establish an overview of all the treatments of
 
        personal data made in the directorate.
 
        2. The Norwegian Prison and Probation Service must account for how the responsibility for treatment follows
 
        The Personal Data Act is organizationally and practically located and distributed in
        the organization, cf. the Personal Data Regulations § 2-7. We request that applicable
        delegation documents are attached.
 
 
        3. The Norwegian Prison and Probation Service must submit the current internal control to the agency,
 
        cf. the Personal Data Act 2000 § 14.
 
 
 
 
 
 
 
 
 
Postal address: Office address: Telephone: Org.nr: Homepage: 1
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no
0105 OSLO 0191 OSLOOur legal basis for issuing orders is Article 58 no. 2 of the Privacy Ordinance. We refer to our
review of the legal order later in this letter.
 
The deadline for implementing the orders is September 21, 2021. By this deadline, you must
send us a written confirmation that the orders have been implemented. You must also send
the documents to which the orders apply.
 
 
    Background
 
3.1 The Data Inspectorate's requirements for reporting
 
The Norwegian Data Protection Authority decided on its own initiative to request information from
The Norwegian Prison and Probation Service on the Directorate's processing of personal data. In letter dated
On December 10, 2020, we requested the following:
 
 
- The Norwegian Prison and Probation Service has an overview of the processing of personal data
(corresponding processing protocol according to Article 30 of the Privacy Regulation and Directive
2016/680 article 24) which takes place in the Prison and Probation Service for purposes after
the Penal Code? If this is available, we ask that this be sent to us.
If this is not available, we ask for an explanation of why this is missing.




- Who is responsible for processing the various treatments that take place in the penal care?
Your reference Our reference Date
Describe the responsibilities internally in the agency.
201819876 20/03293-62 19.10.2022


3.2 Summary of report from the Norwegian Prison and Probation Service


The Norwegian Prison and Probation Service writes in the report that as of today there is no central office
Submission of final inspection report and decision on order
overview of processing of personal data in the directorate. The Directorate went to last year
purchase of a computer system (DraftIt) to be used to create a central overview. Directorate


present a draft based on the work in the system. This treatment protocol contains ten
We refer to local supervision of the correctional service and subsequent correspondence.
treatment activities. The Directorate writes in the report that they do not consider this to be
an adequate overview of processing activities, as required by the privacy regulations.


In the report, the directorate emphasizes that many and in some cases very sensitive people are treated
personal data in connection with the execution of sentences. It is therefore important that
the directorate has a good overview and control. Furthermore, the directorate writes that one has happened


strengthening of resource input on ICT security.
In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at
The Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike
prison, Bredtveit prison and detention center and Oslo probation office). The control was


    4. More about the requirements of the Personal Data Act
carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art.
58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority
The Danish Data Protection Authority is particularly focused on the processing of personal data when carrying out
penalty.


4.1 The Data Inspectorate's competence


The Norwegian Prison and Probation Service's processing of personal data after
Proceedings
The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter by


Chapter 1A and 1B of the Execution of Sentences Act are still regulated by Act no. 31 of 14 April 2000
24 June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders in
on the processing of personal data with associated regulations, cf. regulations on
pursuant to § 20 of the Personal Data Act:
transitional rules on the processing of personal data § 1 a. The Execution of Sentences Act


    1. The Directorate of Correctional Services must ensure that clear responsibilities and


        authority relations, cf. the personal data regulations § 2-7. We refer to the report
        chapter 6.1.
    2. The Directorate of Correctional Services must carry out a review of the internal control system for


        information security, and update this to ensure that the Personal Data Act becomes
        complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
        chapter 3 of the personal data regulations. We refer to the report's chapter 6.2.


                                                                                              2 rules apply to the execution of prison sentences, etc., cf. section 1 of the Act.
Section 4c of the Execution of Sentences Act exhaustively states the purposes through which this can be achieved
processing of personal data in the Prison and Probation Service.


The Personal Data Act of 2018 § 20 third paragraph letter a states that the Data Inspectorate's authority
Deadline for making comments on the preliminary inspection report and the notice of decision
pursuant to Article 58 of the Privacy Regulation, the same applies to supervision of compliance with
was set for 22 August 2022.
provisions given in the Act here and in regulations issued pursuant to the Act.




The Data Inspectorate therefore finds that our competence to impose measures is stated in
KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the
the Personal Data Act 2018 § 20 third paragraph, cf. the Privacy Ordinance article 58 no. 2.
preliminary report. KDI's assessment is that the report contains some smaller ones
mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. The


4.2 Requirements for treatment protocol


Pursuant to Article 30 of the Privacy Regulation (and Article 24 of Directive (EU) 2016/680)


the person responsible for treatment has a duty to have a treatment protocol.
Postal address: Office address: Telephone: Org. no: Website:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO It appears to KDI that the report provides a correct overall description of the challenges that have


Corresponding duty to have an overview of the treatments that take place in one
have been identified during the supervision period.
the person responsible for processing follows from the Personal Data Act 2000 § 14 and associated regulations § 2-
4. Such an overview must be considered necessary in order to have a suitable system for internal control.


4.3 Requirements for internal control
KDI states that in future they will complete the work of updating and preparing them
formal instructions to the correctional service which are necessary to be able to document clear


responsibilities and internal control. At the same time, KDI requests that a deadline of six be set
months to carry out orders as notified. It has been shown that it will take some time to secure one
joint and comprehensive understanding of responsibilities and the safeguarding of the internal control over this
area throughout the organization. KDI believes this is best done by them - in addition to designing
formal guidelines - give these topics the necessary space at management meetings, subject meetings and


Section 14 of the Personal Data Act and Chapter 3 of the Personal Data Regulations provide rules on
seminars in the future. In this way, training will be provided, questions will be clarified and KDI will
internal control system. Pursuant to the Personal Data Act § 14 first paragraph, it shall
could ensure an agreed understanding and practice.
treatment managers «establish and maintain planned and systematic measures that are
necessary to meet the requirements of or pursuant to this Act, including ensuring
the quality of personal data ». A number of different measures may be relevant in this connection,
but a key part of internal control will often be to establish routines to fulfill the duties


and the rights under the law. The data controller must document the measures, and
Regulations
the documentation must be available to employees of the data controller and
at the data processor, as well as for the Data Inspectorate and the Privacy Board, cf. section 14, second paragraph.


In accordance with the regulations § 3-1 first paragraph, the measures shall be adapted to the nature of the business, activities
The Probation Service's processing of personal data is regulated by various sets of rules.
and size, and special emphasis shall be placed on compliance with the requirements
information security in the Personal Data Act § 13. The requirements for measures are specified in


the regulations § 3-1 second paragraph, which requires that the person responsible for processing, among other things
The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate
ensure knowledge of current rules and adequate and up-to-date documentation
processing of personal data on inmates, convicts, etc. related to the execution of sentences
implementation of routines. The third paragraph, letters a to f, provides a non-exhaustive overview of
and custody. The Personal Data Act of 2000 has otherwise been repealed, but continued for
duties and rights the data controller must have routines for, including collection and
control of consent, assessment of the purpose of processing and fulfillment of the request for
insight and information.


criminal enforcement purposes in regulations on transition rules to the Personal Data Act of
2018(FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree no. 15 June 2018
pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 other
joint. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on
                        1
directive (EU) 2016/680 .


4.4 Location of treatment responsibilities
It follows from Section 4c of the Execution of Sentences Act that the correctional service can process
personal data that is necessary for the following purposes:


The Execution of Sentences Act § 4e letter c states that the king gives regulations on who is
treatment manager.


    a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act,
    b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large,
    c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to
      counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting
      adaptation of inmates and convicts to society,
    d. ensure children's right to visit their parents under safe and secure conditions,
    e. notify the aggrieved party or his next of kin, cf. § 7 b,
    f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14.


For the processing of personal data in the Infoflyt system, special rules set out in
Criminal Procedure Act chapter 1B in addition to the Personal Data Act of 2000, cf.


regulation on transition rules to the Personal Data Act of 2018 § 1 letter a.


                                                                                                3In the preparatory work for the Execution of Sentences Act, Chapters 1a and 1b, the Ministry emphasizes that
it is especially important to regulate who has the responsibility for treatment. Furthermore, it follows:


        A key question is who should have the responsibility for treatment in the penal care.
        Pursuant to section 2 no. 4 of the Personal Data Act, the person responsible for processing is the one who decides
        the purpose of the processing of personal data and what kind of aid can
        used. The definition used by the Ministry in the draft § 4b, take nevertheless, as


        the submission of a new Police Register Act, based on the definition in the Privacy Directive in
        instead of the corresponding definition in the Personal Data Act. It
        The person responsible for treatment is after this defined as the one who by law or regulation
        determines the purpose of the treatment. When it comes to the background and the rationale for this
        position, one refers to Ot.prp.nr.108 (2008–2009) «On the Act on the processing of
        information in the police and the prosecuting authority (the Police Register Act) »pages 59-60.




        When the purpose of the processing is determined by law, as the Ministry submits,
1Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing
        the main tasks of the person in charge of treatment will be to look after and relate to
personal data to prevent, investigate, uncover or prosecute offenses or the execution of
        ensure that the regulations for the treatment are followed. The treatment manager has for
penal reactions, and on the free exchange of such information and repeal of the council's framework decision
        for example, the responsibility for safety and aids, for the treatment to be reported
        The Norwegian Data Protection Authority, and for the protection of the rights that the data subject has by virtue of the law, cf.
        Ot.prp.nr.108 (2008–2009) page 60.


2008/977/JIS


        The Norwegian Data Protection Authority points out that one best takes care of the processing responsibility by placing
        responsibility in close connection with the treatment itself, and asks the ministry to reconsider
        its position from the consultation note. The ministry is well on its way to
        views from the Data Inspectorate and believes that prison tenants and probation tenants should be
        treatment manager at the local level. But prison care treats
        personal information at several levels - both centrally, regionally and locally. Such


        the ministry sees it, should the specific location of the processing responsibility
        regulated in regulations in the same way as for the police, see below. The question of
        who is to be responsible for treatment in the penal care system will be considered
        in more detail when the regulations are to be prepared.


                                                                                                  2Other processing of personal data, including for administrative, administrative purposes
and private law purposes, the Personal Data Act of 2018 and the EU's apply
privacy regulation, which has been implemented in Norwegian law through § 1 of the Personal Information Act.


    5. The Data Inspectorate's assessment


The Danish Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has done so
it is difficult to understand which rules apply, and that this has had an impact on the agency
compliance with the privacy rules.


We further assume that the chief executive of the Norwegian Prison and Probation Service has
The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant
the processing responsibility for the processing of personal data in the agency.
for compliance. In the preparations for the amendments to the Penal Enforcement Act, it has been added


The Norwegian Data Protection Authority finds that the Norwegian Prison and Probation Service has not presented a satisfactory report
reason that processing responsibility can be shared between two processors. This was considered to
overview of the directorate's processing of personal data.
be practical for central systems, such as Kompis. At the same time it was stated that
the specific distribution of tasks must be determined in regulations or guidelines. However, it is
no regulations or guidelines have been drawn up in this regard.




The requirement for an overview of the treatments that are done in a company is fundamental to
Without clear instructions for the processing of personal data in the correctional service, will
be able to comply with other obligations under the regulations. The Prison and Probation Service has not provided any
compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize
justification for the lack of this central overview.
that it is a management responsibility to ensure uniform understanding of the regulations in a complex
organization.


Final inspection report


The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report.
The report is therefore finalized without changes. The final inspection report is attached.


Decision on orders
Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order:




                                                                                                4There is also no documentation or description of the internal responsibilities in
    1. The Directorate of Correctional Services must ensure that clear responsibilities and
agencies. The Directorate has only referred to its general right to delegate responsibilities in the steering line in
        authority relations, cf. the personal data regulations § 2-7. We refer to
agencies. This is considered to constitute a deviation from the requirements in the privacy regulations that are reproduced above.
        the control report's chapter 6.1.
As the directorate itself emphasizes in the report, the Prison and Probation Service processes large quantities
    2. The Directorate of Correctional Services must carry out a review of the internal control system for
personal information. Among other things, many sensitive personal data are processed, including
special categories of personal data. Through what we have experienced through our treatment
of cases concerning the protection of the privacy regulations in the Prison and Probation Service, which


reports of breaches of personal data security, guidance requests and complaints from
        information security, and update this to ensure that the Personal Data Act becomes
inmates, we believe that there is reason to check the Prison and Probation Service's compliance
        complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
closer.
        chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2.


In order to investigate the Prison and Probation Service's compliance with the privacy regulations, it is
Deadline for implementation
necessary for the Norwegian Data Protection Authority to be sent an overview of which treatments of
On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to
personal information made in the agency, see our notified order no. 1.


carry out orders as mentioned above. The deadline for carrying out the orders is therefore set to 19.
April 2023. By this deadline, you must send us a written confirmation that the orders are
carried out.


Furthermore, we find it necessary to receive an overview of how the treatment responsibility is exercised
If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf.
in practice in the agency, see our notified order no. 2. This means that you must send us one
overview of where and how responsibility for the processing of personal data, including
personal data security requirements, are delegated to the various units and subordinate agencies to
The Norwegian Prison and Probation Service.


Section 29 of the Personal Data Act.


Finally, we also consider it appropriate and relevant to impose Correctional Care
2
submit the overall documented internal control that applies to the agency's processing of
Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of
personal information. We refer to the requirements that follow from the Personal Data Act § 14, cf.
personal data in correctional facilities, access to pardon cases, etc.).
associated regulations chapters 2 and 3.


The documentation you submit will form the basis for our assessment of any


further control of the agency's compliance with the privacy regulations.
                                                                                                3 Access to complaints
The decision can be appealed. Any complaint must be sent to us within three weeks of this
the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision will
the case will be forwarded to the Personal Protection Board for complaint processing.


    6. Concluding remarks
Party transparency and publicity


6.1 Coercive fine
As a party to the case, you have the right to access the case's documents in accordance with the provisions of
 
Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents in
We will consider the use of a coercive fine if the orders have not been implemented by the deadline
the starting point is public, cf. section 3 of the Public Information Act.
 
(cf. the Personal Data Act § 29.)
 
6.2 Opportunity to appeal
 
You can appeal the decision. Any complaint must be sent to us within three weeks after this
the letter has been received (cf. the Public Administration Act §§ 28 and 29). If we maintain our decision will
we forward the case to the Privacy Board for complaint processing.
 
 
6.3 Transparency and publicity
 
You have the right to access the case documents (cf. the Public Administration Act § 18). We will also inform
that all documents are in principle public (cf. the Public Access to Information Act § 3.)
 
 
 
 
                                                                                              5If you believe there are grounds for exempting all or part of the document from public view
insight, we ask you to justify this.
 
If you have any questions, you can contact Embla Helle Nerland on telephone number 22
39 69 54.


If there are questions related to the decision, you can contact the case manager by telephone
22 39 69 80 or email (maren.vaagan@datatilsynet.no).




Line 379: Line 300:


Camilla Nervik
Camilla Nervik
section chief
section manager
                                                              Embla Helle Nerland
                                                                Maren Vaagan


                                                              legal adviser
                                                                senior legal advisor


The document is electronically approved and therefore has no handwritten signatures
The document is electronically approved and therefore has no handwritten signatures


 
Appendix: Final control report
Copy to: THE DIRECTOR OF THE CRIME CARE CENTER, Per Ketil Andersen
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                                                                                          6
</pre>
</pre>

Latest revision as of 14:32, 8 November 2022

Datatilsynet - 20/03293
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law:
Norwegian Execution of Sentences Act Chapter 1A and 1B
Norwegian Personal Data Act of 2000
Norwegian Personal Data Act of 2018
Norwegian Personal Data Act of 2018
Norwegian Regulation on personal data processing §2-7
Norwegian Regulation on personal data processing Chapter III
Type: Investigation
Outcome: Violation Found
Started: 09.11.2021
Decided: 19.10.2022
Published: 01.11.2022
Fine: n/a
Parties: Directorate of Norwegian Correctional Service
National Case Number/Name: 20/03293
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Final inspection report (in NO)
Initial Contributor: Rie Aleksandra Walle

After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organisation.

English Summary

Facts

In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a first decision issued in August 2021.

As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.

During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere.

Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.

The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.

Holding

The DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organisation.

The controller must comply with the order within six months. If they fail to do so (with the deadline set to 9 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.

Comment

The daily penalty is an option under the Norwegian Personal Data Act § 29.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

DIRECTORATE OF CRIMINAL CARE
PO Box 694
4302 SANDNES


Your reference Our reference Date
 201819876 20/03293-62 19.10.2022


Submission of final inspection report and decision on order

We refer to local supervision of the correctional service and subsequent correspondence.


In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at
The Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike
prison, Bredtveit prison and detention center and Oslo probation office). The control was

carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art.
58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority
The Danish Data Protection Authority is particularly focused on the processing of personal data when carrying out
penalty.


Proceedings
The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter by

24 June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders in
pursuant to § 20 of the Personal Data Act:

    1. The Directorate of Correctional Services must ensure that clear responsibilities and

        authority relations, cf. the personal data regulations § 2-7. We refer to the report
        chapter 6.1.
    2. The Directorate of Correctional Services must carry out a review of the internal control system for

        information security, and update this to ensure that the Personal Data Act becomes
        complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
        chapter 3 of the personal data regulations. We refer to the report's chapter 6.2.


Deadline for making comments on the preliminary inspection report and the notice of decision
was set for 22 August 2022.


KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the
preliminary report. KDI's assessment is that the report contains some smaller ones
mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. The



Postal address: Office address: Telephone: Org. no: Website:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO It appears to KDI that the report provides a correct overall description of the challenges that have

have been identified during the supervision period.

KDI states that in future they will complete the work of updating and preparing them
formal instructions to the correctional service which are necessary to be able to document clear

responsibilities and internal control. At the same time, KDI requests that a deadline of six be set
months to carry out orders as notified. It has been shown that it will take some time to secure one
joint and comprehensive understanding of responsibilities and the safeguarding of the internal control over this
area throughout the organization. KDI believes this is best done by them - in addition to designing
formal guidelines - give these topics the necessary space at management meetings, subject meetings and

seminars in the future. In this way, training will be provided, questions will be clarified and KDI will
could ensure an agreed understanding and practice.

Regulations

The Probation Service's processing of personal data is regulated by various sets of rules.

The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate
processing of personal data on inmates, convicts, etc. related to the execution of sentences
and custody. The Personal Data Act of 2000 has otherwise been repealed, but continued for

criminal enforcement purposes in regulations on transition rules to the Personal Data Act of
2018(FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree no. 15 June 2018
pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 other
joint. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on
                         1
directive (EU) 2016/680 .

It follows from Section 4c of the Execution of Sentences Act that the correctional service can process
personal data that is necessary for the following purposes:


     a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act,
     b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large,
     c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to
       counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting
       adaptation of inmates and convicts to society,
     d. ensure children's right to visit their parents under safe and secure conditions,
     e. notify the aggrieved party or his next of kin, cf. § 7 b,
     f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14.

For the processing of personal data in the Infoflyt system, special rules set out in
Criminal Procedure Act chapter 1B in addition to the Personal Data Act of 2000, cf.

regulation on transition rules to the Personal Data Act of 2018 § 1 letter a.





1Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing
personal data to prevent, investigate, uncover or prosecute offenses or the execution of
penal reactions, and on the free exchange of such information and repeal of the council's framework decision

2008/977/JIS



                                                                                                  2Other processing of personal data, including for administrative, administrative purposes
and private law purposes, the Personal Data Act of 2018 and the EU's apply
privacy regulation, which has been implemented in Norwegian law through § 1 of the Personal Information Act.


The Danish Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has done so
it is difficult to understand which rules apply, and that this has had an impact on the agency
compliance with the privacy rules.

The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant
for compliance. In the preparations for the amendments to the Penal Enforcement Act, it has been added

reason that processing responsibility can be shared between two processors. This was considered to
be practical for central systems, such as Kompis. At the same time it was stated that
the specific distribution of tasks must be determined in regulations or guidelines. However, it is
no regulations or guidelines have been drawn up in this regard.


Without clear instructions for the processing of personal data in the correctional service, will
compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize
that it is a management responsibility to ensure uniform understanding of the regulations in a complex
organization.

Final inspection report

The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report.
The report is therefore finalized without changes. The final inspection report is attached.

Decision on orders
Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order:


    1. The Directorate of Correctional Services must ensure that clear responsibilities and
        authority relations, cf. the personal data regulations § 2-7. We refer to
        the control report's chapter 6.1.
    2. The Directorate of Correctional Services must carry out a review of the internal control system for

        information security, and update this to ensure that the Personal Data Act becomes
        complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
        chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2.

Deadline for implementation
On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to

carry out orders as mentioned above. The deadline for carrying out the orders is therefore set to 19.
April 2023. By this deadline, you must send us a written confirmation that the orders are
carried out.

If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf.

Section 29 of the Personal Data Act.

2
 Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of
personal data in correctional facilities, access to pardon cases, etc.).


                                                                                                 3 Access to complaints
The decision can be appealed. Any complaint must be sent to us within three weeks of this
the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision will
the case will be forwarded to the Personal Protection Board for complaint processing.

Party transparency and publicity

As a party to the case, you have the right to access the case's documents in accordance with the provisions of
Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents in
the starting point is public, cf. section 3 of the Public Information Act.

If there are questions related to the decision, you can contact the case manager by telephone
22 39 69 80 or email (maren.vaagan@datatilsynet.no).



With best regards


Camilla Nervik
section manager
                                                                 Maren Vaagan

                                                                 senior legal advisor

The document is electronically approved and therefore has no handwritten signatures

Appendix: Final control report