Datatilsynet (Norway) - 20/03293 (decision 2): Difference between revisions

From GDPRhub
No edit summary
m (just small linguistic changes to British English (organisation instead of organization))
 
(5 intermediate revisions by 2 users not shown)
Line 11:
 |Original_Source_Name_1=Datatilsynet
−|Original_Source_Link_1=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/varsel-om-vedtak-om-palegg-til-kriminalomsorgsdirektoratet/
+|Original_Source_Link_1=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/tilsynrapport-og-palegg-til-kriminalomsorgen/
 |Original_Source_Language_1=Norwegian
 |Original_Source_Language__Code_1=NO
−|Original_Source_Name_2=Preliminary inspection report
+|Original_Source_Name_2=Final inspection report
 |Original_Source_Link_2=https://www.datatilsynet.no/contentassets/d7b778fca25d48ffa4ccb7d077c33251/20_03293-42-kontrollrapport-til-publisering.pdf
 |Original_Source_Language_2=Norwegian
 |Original_Source_Language__Code_2=NO
−|Original_Source_Name_3=sdfd
+|Original_Source_Name_3=
−|Original_Source_Link_3=https://www.datatilsynet.no/contentassets/d7b778fca25d48ffa4ccb7d077c33251/20_03293-53-oversendelse-av-forelopig-kontrollrapport-og-varsel-om-vedtak---tilsyn-med-kriminalomsorgen.pdf
+|Original_Source_Link_3=
−|Original_Source_Language_3=Norwegian
+|Original_Source_Language_3=
−|Original_Source_Language__Code_3=NO
+|Original_Source_Language__Code_3=
 |Original_Source_Name_4=
 |Original_Source_Link_4=
Line 30:
 |Outcome=Violation Found
 |Date_Started=09.11.2021
−|Date_Decided=24.06.2022
+|Date_Decided=19.10.2022
−|Date_Published=07.07.2022
+|Date_Published=01.11.2022
 |Year=2022
 |Fine=
Line 79:
 }}
 
−After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA ordered them to sort out and document their controller responsibilities and update internal controls for managing privacy and personal data protection.
+After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organisation.
 
 == English Summary ==
 
 === Facts ===
−In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to [[Article 30 GDPR|Article 30 GDPR]]) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a [https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/03293 first decision] issued in August 2021.
+In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to [[Article 30 GDPR|Article 30 GDPR]]) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a [[Datatilsynet (Norway) - 20/03293|first decision]] issued in August 2021.
 
−As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) § 20 for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.
+As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.
 
−=== Holding ===
−The DPA found several discrepancies relating to the controller's efforts on managing privacy and personal data protection in their organization. During the audit, the controller created an instruction to place their responsibilities throughout the whole organization. The DPA, however, noted that not all underlying organizational units shared the same understanding of this.
+During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere.
 
−Further, the DPA noted that the internal control system was insuffienct and outdated, especially since the controller evidently registers very few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.
+Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.
 
 The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.
 
−In conclusion, the DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organization.
+=== Holding ===
+The DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organisation.
+
+The controller must comply with the order within six months. If they fail to do so (with the deadline set to 9 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.
 
 == Comment ==
−''Share your comments here!''
+The daily penalty is an option under the Norwegian Personal Data Act § 29.
 
 == Further Resources ==
Line 107: Line 109:


Previous revision (machine translation of the preliminary inspection report letter of 24 June 2022):

<pre>
THE DIRECTOR OF THE CRIMINAL CARE
PO Box 694
4302 SANDNES

Their reference:        Our reference: 20/03293-53        Date: 24.06.2022

Submission of preliminary inspection report and notification of decision - Supervision of prison care

    1 Introduction
The Norwegian Data Protection Authority refers to on-site inspections of the probation service on 9 November 2021, 4 April 2022, 6 April 2022 and 7 April 2022. The inspection was carried out in accordance with the Personal Data Act 2018 § 20.

The control concerned processing responsibility and internal control. The deviations from the regulations are described in more detail in the attached control report. The control report covers the entire audit, from the opening letter to the on-site inspections of prisons and probation offices. The report describes the observations made by the Norwegian Data Protection Authority during the audit, and includes information collected through documents and group interviews. The control report describes the Data Inspectorate's assessments of compliance in penal care. Any objections to the descriptions of factual matters must be addressed to the Norwegian Data Protection Authority in connection with the response to this notification.

    2. Notice of decision
This is a notice that the Data Inspectorate, pursuant to the Personal Data Act § 20, will take a decision on the following order:

    1. The Norwegian Prison and Probation Service must ensure that clear responsibilities and authority, cf. section 2-7 of the Personal Data Regulations. We refer to the report Chapter 6.1.
    2. The Norwegian Prison and Probation Service must conduct a review of the internal control system for information security, and update this to ensure that the Personal Data Act becomes complied with in all sections of the agency, cf. the Personal Data Act 2000 § 14 and Chapter 3 of the Personal Data Regulations. We refer to Chapter 6.2 of the report.

The Prison and Probation Service is free to implement measures within the framework of the law. We will ask for feedback on the time of implementation of the orders. Furthermore, we will ask for feedback from the prison service on the implementation of the orders, with descriptions. See more about this in point 4 of the notice.

Postal address: PO Box 458 Sentrum, 0105 OSLO   Office address: Trelastgata 3, 0191 OSLO   Telephone: 22 39 69 00   Org.nr: 974 761 467   Homepage: www.datatilsynet.no

    3. Legal basis
3.1 Current regulations for the processing of personal data in the penal care system
The Prison and Probation Service's processing of personal data is regulated in several different sets of rules. Chapter 1A of the Execution of Sentences Act and the Personal Data Act of 2000 regulate processing of personal data about prisoners, convicts, etc. directly related to sentencing and custody. The Personal Data Act of 2000 has otherwise been repealed, however continued for the purpose of execution of sentence in § 1 of the regulations on transitional rules to the Personal Data Act of 2018.[1] The Ministry of Justice and Emergency Preparedness has notified a new law based on Directive (EU) 2016/680.

For the processing of personal data in the Infoflyt system, separate rules laid down in Chapter 1B of the Execution of Sentences Act apply.

All other processing of personal data, including administrative, administrative and private law purposes, etc., are regulated in KDI's opinion by the Personal Data Act of 2018, cf. Regulation (EU) 2016/679.

3.2 Regulations to the Execution of Sentences Act, Chapter 1A
When the Execution of Sentences Act was amended in 2009, the legislature proposed that further regulations on the processing of personal data should be laid down in regulations. One regulation is given pursuant to section 4e of the Execution of Sentences Act.[2]

The preparatory work for the Execution of Sentences Act § 4b states that the responsibility for processing pursuant to this provision could be shared between two data controllers. It appears further:

        The specific division of tasks must be specified in regulations or guidelines. The daily responsibility for treatment - the practical implementation - can be delegated.

Regulations on treatment responsibility in the penal care have not been issued by the Ministry.

3.3 Comments on the regulations
Prior to the audit, as well as along the way, references to various documents have appeared both different and incorrect regulations. Among other things, the Data Inspectorate has observed references to the Personal Data Act of 2018 for processing that is still regulated by the 2000 Act and Chapter 1A of the Execution of Sentences Act.

[1] Regulations on transitional rules on the processing of personal data, FOR-2018-06-15-877
[2] Regulations on the processing of personal data in the penal care, FOR-2013-09-20-1099

The Norwegian Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has made it difficult to understand which rules apply, and that this has had an impact on the agency's compliance with the privacy rules.

The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant for compliance. In the preparations for the amendments to the Penal Enforcement Act, it has been added reason that processing responsibility can be shared between two processors. This was considered to be practical for central systems, such as Kompis. At the same time it was stated that the specific distribution of tasks must be determined in regulations or guidelines. However, no regulations or guidelines have been drawn up in this regard.

During the consultation round for the amendments to the Execution of Sentences Act in 2009, the Norwegian Data Protection Authority noted that the term "daily processing responsibility" does not exist in the privacy regulations. The legal responsibility must be placed. The Norwegian Data Protection Authority emphasizes that the responsibility cannot be delegated, as opposed to the tasks related to compliance with the treatment responsibility, which can be delegated.

If there are no clear instructions for processing personal data in penal care, it could lead to differential treatment of prisoners' right to privacy. Compliance with the regulations may differ from unit to unit. It is a management responsibility to ensure a uniform understanding of the regulations in a composite organization.

    4. Deadline for feedback
If you have any comments on this notice or the attached inspection report, you must send us feedback on this. We ask that you send us a suggested date for when you can close the discrepancies we describe in the control report. The Norwegian Data Protection Authority will take this proposal into account when we in our final decision set a deadline for when all deviations must be closed and the decision implemented.

We ask that you send us deadlines for closing deviations and any comments within 15 August 2022. If it is documented that deviations have been closed within the deadline for feedback, we will include this in the assessment when we make the final decision.

    5. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform that all documents in the case are in principle public, cf. the Public Access to Information Act § 3.

If you have specific comments to the public about the documents, you can make these to the Norwegian Data Protection Authority.

With best regards

Camilla Nervik
section chief
                                                                    Embla Helle Nerland
                                                                    legal adviser

The document is electronically approved and therefore has no handwritten signatures

Attachments:
Control report from the Norwegian Data Protection Authority, dated 24 June 2022
</pre>

Latest revision (machine translation of the final inspection report letter of 19 October 2022):

<pre>
DIRECTORATE OF CRIMINAL CARE
PO Box 694
4302 SANDNES

Your reference: 201819876        Our reference: 20/03293-62        Date: 19.10.2022

Submission of final inspection report and decision on order

We refer to local supervision of the correctional service and subsequent correspondence.

In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at the Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike prison, Bredtveit prison and detention center and Oslo probation office). The control was carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art. 58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervision, the Norwegian Data Protection Authority has focused particularly on the processing of personal data in the execution of sentences.

Proceedings
The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter of 24 June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders pursuant to § 20 of the Personal Data Act:

    1. The Directorate of Correctional Services must ensure that clear responsibilities and authority relations, cf. the personal data regulations § 2-7. We refer to the report chapter 6.1.
    2. The Directorate of Correctional Services must carry out a review of the internal control system for information security, and update this to ensure that the Personal Data Act becomes complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and chapter 3 of the personal data regulations. We refer to the report's chapter 6.2.

The deadline for making comments on the preliminary inspection report and the notice of decision was set for 22 August 2022.

KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the preliminary report. KDI's assessment is that the report contains some smaller mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. It appears to KDI that the report provides a correct overall description of the challenges that have been identified during the supervision period.

Postal address: PO Box 458 Sentrum, 0105 OSLO   Office address: Trelastgata 3, 0191 OSLO   Telephone: 22 39 69 00   Org. no: 974 761 467   Website: www.datatilsynet.no

KDI states that in future they will complete the work of updating and preparing the formal instructions to the correctional service which are necessary to be able to document clear responsibilities and internal control. At the same time, KDI requests that a deadline of six months be set to carry out orders as notified. It has been shown that it will take some time to secure a joint and comprehensive understanding of responsibilities and the safeguarding of the internal control over this area throughout the organization. KDI believes this is best done by them - in addition to designing formal guidelines - giving these topics the necessary space at management meetings, subject meetings and seminars in the future. In this way, training will be provided, questions will be clarified and KDI could ensure an agreed understanding and practice.

Regulations
The Probation Service's processing of personal data is regulated by various sets of rules.

The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate processing of personal data on inmates, convicts, etc. related to the execution of sentences and custody. The Personal Data Act of 2000 has otherwise been repealed, but continued for criminal enforcement purposes in regulations on transition rules to the Personal Data Act of 2018 (FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree of 15 June 2018 pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 second paragraph. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on Directive (EU) 2016/680.[1]

It follows from Section 4c of the Execution of Sentences Act that the correctional service can process personal data that is necessary for the following purposes:

    a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act,
    b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large,
    c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting adaptation of inmates and convicts to society,
    d. ensure children's right to visit their parents under safe and secure conditions,
    e. notify the aggrieved party or his next of kin, cf. § 7 b,
    f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14.

For the processing of personal data in the Infoflyt system, special rules set out in the Criminal Procedure Act chapter 1B apply in addition to the Personal Data Act of 2000, cf. regulation on transition rules to the Personal Data Act of 2018 § 1 letter a.

For other processing of personal data, including for administrative and private law purposes, the Personal Data Act of 2018 and the EU's privacy regulation apply, which has been implemented in Norwegian law through § 1 of the Personal Information Act.

[1] Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing personal data to prevent, investigate, uncover or prosecute offenses or the execution of penal reactions, and on the free exchange of such information and repeal of the council's framework decision 2008/977/JIS

The Norwegian Data Protection Authority believes that there is reason to assume that a complex and motley set of rules has made it difficult to understand which rules and laws apply, which has in turn been significant for compliance.

The Data Inspectorate also believes that a lack of regulatory regulation of the processing responsibility has been given significance for compliance. The Ministry must bear part of the responsibility for partial deficiencies in compliance with the privacy regulations of the agency. At the same time, it is clear from the preparatory work for Section 4 b of the Execution of Sentences Act[2] that the specific division of tasks must be determined in regulations or guidelines. No regulations or guidelines have been prepared.

Without clear instructions for the processing of personal data in the correctional service, compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize that it is a management responsibility to ensure uniform understanding of the regulations in a complex organization.

Final inspection report
The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report. The report is therefore finalized without changes. The final inspection report is attached.

Decision on orders
Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order:

    1. The Directorate of Correctional Services must ensure that clear responsibilities and authority relations, cf. the personal data regulations § 2-7. We refer to the control report's chapter 6.1.
    2. The Directorate of Correctional Services must carry out a review of the internal control system for information security, and update this to ensure that the Personal Data Act becomes complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2.

Deadline for implementation
On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to carry out orders as mentioned above. The deadline for carrying out the orders is therefore set to 19 April 2023. By this deadline, you must send us a written confirmation that the orders are carried out.

If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf. Section 29 of the Personal Data Act.

[2] Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of personal data in correctional facilities, access to pardon cases, etc.).

Access to complaints
The decision can be appealed. Any complaint must be sent to us within three weeks of this letter having been received, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision, the case will be forwarded to the Personal Protection Board for complaint processing.

Party transparency and publicity
As a party to the case, you have the right to access the case's documents in accordance with the provisions of the Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents are in principle public, cf. section 3 of the Public Information Act.

If there are questions related to the decision, you can contact the case manager by telephone 22 39 69 80 or email (maren.vaagan@datatilsynet.no).

With best regards

Camilla Nervik
section manager
                                                                Maren Vaagan
                                                                senior legal advisor

The document is electronically approved and therefore has no handwritten signatures

Copy to: THE MINISTRY OF JUSTICE AND EMERGENCY PREPAREDNESS

Appendix: Final control report
</pre>

Latest revision as of 14:32, 8 November 2022

Datatilsynet - 20/03293
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law:
Norwegian Execution of Sentences Act Chapter 1A and 1B
Norwegian Personal Data Act of 2000
Norwegian Personal Data Act of 2018
Norwegian Regulation on personal data processing §2-7
Norwegian Regulation on personal data processing Chapter III
Type: Investigation
Outcome: Violation Found
Started: 09.11.2021
Decided: 19.10.2022
Published: 01.11.2022
Fine: n/a
Parties: Directorate of Norwegian Correctional Service
National Case Number/Name: 20/03293
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Final inspection report (in NO)
Initial Contributor: Rie Aleksandra Walle

After auditing the Norwegian Directorate of Correctional Service for 1.5 years, the DPA ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organisation.

English Summary

Facts

In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding its processing of personal data. The DPA first requested an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This led to a first decision issued in August 2021.

As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.

During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere.

Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.

The DPA also stated that complex and confusing regulations might have led to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.

Holding

The DPA held that the controller must sort out and document the responsibilities related to its role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organisation.

The controller must comply with the order within six months. If they fail to do so (with the deadline set to 9 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.

Comment

The daily penalty is an option under the Norwegian Personal Data Act § 29.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

DIRECTORATE OF CRIMINAL CARE
PO Box 694
4302 SANDNES


Your reference Our reference Date
 201819876 20/03293-62 19.10.2022


Submission of final inspection report and decision on order

We refer to local supervision of the correctional service and subsequent correspondence.


In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at
The Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike
prison, Bredtveit prison and detention center and Oslo probation office). The control was

carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art.
58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority
The Danish Data Protection Authority is particularly focused on the processing of personal data when carrying out
penalty.


Proceedings

The preliminary inspection report was sent to the Directorate of Correctional Services (KDI) in our letter of 24 June 2022. In the same letter, KDI was notified that the Norwegian Data Protection Authority would make a decision on orders pursuant to § 20 of the Personal Data Act:

    1. The Directorate of Correctional Services must ensure clear lines of responsibility and authority, cf. the Personal Data Regulations § 2-7. We refer to chapter 6.1 of the report.
    2. The Directorate of Correctional Services must carry out a review of the internal control system for information security, and update it to ensure that the Personal Data Act is complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and chapter 3 of the Personal Data Regulations. We refer to chapter 6.2 of the report.

The deadline for comments on the preliminary inspection report and the notice of decision was set to 22 August 2022.


KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the preliminary report. KDI's assessment is that the report contains some minor errors and misunderstandings, but that it does not consider it appropriate to submit comments on these. In KDI's view, the report gives a correct overall description of the challenges identified during the inspection period.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org. no: 974 761 467. Website: www.datatilsynet.no

KDI states that it will now complete the work of updating and preparing the formal instructions for the Correctional Service that are necessary to document clear lines of responsibility and internal control. At the same time, KDI requests that a deadline of six months be set for carrying out the orders as notified. KDI points out that it will take some time to establish a shared and comprehensive understanding of responsibilities, and to safeguard internal control in this area, throughout the organisation. KDI believes this is best achieved by, in addition to drawing up formal guidelines, giving these topics the necessary space at management meetings, professional meetings and seminars going forward. In this way, training will be provided, questions will be clarified, and KDI will be able to ensure a common understanding and practice.

Regulations

The Correctional Service's processing of personal data is regulated by several sets of rules.

The Execution of Sentences Act chapter 1A and the Personal Data Act of 2000 regulate the processing of personal data about inmates, convicted persons etc. in connection with the execution of sentences and remand custody. The Personal Data Act of 2000 has otherwise been repealed, but continues to apply for criminal enforcement purposes under the Regulations on transitional rules to the Personal Data Act of 2018 (FOR-2018-06-15-877) § 1 letter a. The regulations were laid down by royal decree of 15 June 2018 pursuant to Act of 15 June 2018 no. 38 on the processing of personal data § 33 second paragraph. At the same time, the Ministry of Justice and Emergency Preparedness has announced new legislation based on Directive (EU) 2016/680.[1]

It follows from Section 4c of the Execution of Sentences Act that the Correctional Service may process personal data that is necessary for the following purposes:

    a. to plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Execution of Sentences Act,
    b. to maintain peace and order and safeguard the safety of employees, inmates, convicted persons and society at large,
    c. to ensure satisfactory conditions for inmates and convicted persons during execution and to offer them content that will help counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting the adaptation of inmates and convicted persons to society,
    d. to ensure children's right to visit their parents under safe and secure conditions,
    e. to notify the aggrieved party or their next of kin, cf. § 7 b,
    f. to carry out personal investigations, cf. the Criminal Procedure Act chapter 14.

For the processing of personal data in the Infoflyt system, the special rules in the Execution of Sentences Act chapter 1B apply in addition to the Personal Data Act of 2000, cf. the Regulations on transitional rules to the Personal Data Act of 2018 § 1 letter a.





[1] Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.



For other processing of personal data, including for administrative and private-law purposes, the Personal Data Act of 2018 and the EU General Data Protection Regulation apply; the Regulation has been implemented in Norwegian law through § 1 of the Personal Data Act.

The Norwegian Data Protection Authority believes there is reason to assume that this complex and fragmented set of regulations has made it difficult to understand which rules apply, and that this has affected the agency's compliance with the data protection rules.

The Norwegian Data Protection Authority further believes that the lack of regulation of controllership has been significant for compliance. In the preparatory works for the amendments to the Execution of Sentences Act,[2] it was assumed that controllership could be shared between two entities. This was considered practical for central systems such as Kompis. At the same time, it was stated that the specific distribution of tasks must be determined in regulations or guidelines. However, no such regulations or guidelines have been drawn up.

Without clear instructions for the processing of personal data in the Correctional Service, compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority emphasises that it is a management responsibility to ensure a uniform understanding of the regulations in a complex organisation.

Final inspection report

The Norwegian Data Protection Authority takes this to mean that KDI has no comments on the preliminary inspection report. The report is therefore finalised without changes. The final inspection report is attached.

Decision on orders

Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority issues the following orders:

    1. The Directorate of Correctional Services must ensure clear lines of responsibility and authority, cf. the Personal Data Regulations § 2-7. We refer to chapter 6.1 of the inspection report.
    2. The Directorate of Correctional Services must carry out a review of the internal control system for information security, and update it to ensure that the Personal Data Act is complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and chapter 3 of the Personal Data Regulations. We refer to chapter 6.2 of the inspection report.

Deadline for implementation

On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months for carrying out the orders mentioned above. The deadline for carrying out the orders is therefore set to 19 April 2023. By this deadline, you must send us written confirmation that the orders have been carried out.

If the orders are not carried out within the deadline, we will consider imposing a coercive fine, cf. Section 29 of the Personal Data Act.

[2] Prop. L (2009-2010) Amendments to the Public Administration Act and the Execution of Sentences Act (processing of personal data in the Correctional Service, access to pardon cases, etc.).


Right of appeal

The decision can be appealed. Any appeal must be sent to us within three weeks of receipt of this letter, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, the case will be forwarded to the Privacy Appeals Board for processing of the appeal.

Party access and public access

As a party to the case, you have the right to access the case documents in accordance with the Public Administration Act §§ 18 et seq. We also draw attention to the fact that the case documents are, as a starting point, public, cf. section 3 of the Freedom of Information Act.

If you have questions about the decision, you can contact the case officer by telephone on 22 39 69 80 or by email (maren.vaagan@datatilsynet.no).



With best regards

Camilla Nervik
section manager

Maren Vaagan
senior legal advisor

The document is electronically approved and therefore has no handwritten signatures.

Appendix: Final inspection report