Datatilsynet (Norway) - 20/03293 (decision 2): Difference between revisions

Latest revision as of 14:32, 8 November 2022

Datatilsynet - 20/03293

Authority:	Datatilsynet (Norway)
Jurisdiction:	Norway
Relevant Law:	Norwegian Execution of Sentences Act Chapter 1A and 1B Norwegian Personal Data Act of 2000 Norwegian Personal Data Act of 2018 Norwegian Personal Data Act of 2018 Norwegian Regulation on personal data processing §2-7 Norwegian Regulation on personal data processing Chapter III
Type:	Investigation
Outcome:	Violation Found
Started:	09.11.2021
Decided:	19.10.2022
Published:	01.11.2022
Fine:	n/a
Parties:	Directorate of Norwegian Correctional Service
National Case Number/Name:	20/03293
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Norwegian Norwegian
Original Source:	Datatilsynet (in NO) Final inspection report (in NO)
Initial Contributor:	Rie Aleksandra Walle

After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organisation.

English Summary

Facts

In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a first decision issued in August 2021.

As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.

During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere.

Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.

The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.

Holding

The DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organisation.

The controller must comply with the order within six months. If they fail to do so (with the deadline set to 9 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.

Comment

The daily penalty is an option under the Norwegian Personal Data Act § 29.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

DIRECTORATE OF CRIMINAL CARE
PO Box 694
4302 SANDNES

Your reference Our reference Date
201819876 20/03293-62 19.10.2022

Submission of final inspection report and decision on order

We refer to local supervision of the correctional service and subsequent correspondence.

In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at
The Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike
prison, Bredtveit prison and detention center and Oslo probation office). The control was

carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art.
58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority
The Danish Data Protection Authority is particularly focused on the processing of personal data when carrying out
penalty.

Proceedings
The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter by

24 June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders in
pursuant to § 20 of the Personal Data Act:

1. The Directorate of Correctional Services must ensure that clear responsibilities and

authority relations, cf. the personal data regulations § 2-7. We refer to the report
chapter 6.1.
2. The Directorate of Correctional Services must carry out a review of the internal control system for

information security, and update this to ensure that the Personal Data Act becomes
complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
chapter 3 of the personal data regulations. We refer to the report's chapter 6.2.

Deadline for making comments on the preliminary inspection report and the notice of decision
was set for 22 August 2022.

KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the
preliminary report. KDI's assessment is that the report contains some smaller ones
mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. The

Postal address: Office address: Telephone: Org. no: Website:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO It appears to KDI that the report provides a correct overall description of the challenges that have

have been identified during the supervision period.

KDI states that in future they will complete the work of updating and preparing them
formal instructions to the correctional service which are necessary to be able to document clear

responsibilities and internal control. At the same time, KDI requests that a deadline of six be set
months to carry out orders as notified. It has been shown that it will take some time to secure one
joint and comprehensive understanding of responsibilities and the safeguarding of the internal control over this
area throughout the organization. KDI believes this is best done by them - in addition to designing
formal guidelines - give these topics the necessary space at management meetings, subject meetings and

seminars in the future. In this way, training will be provided, questions will be clarified and KDI will
could ensure an agreed understanding and practice.

Regulations

The Probation Service's processing of personal data is regulated by various sets of rules.

The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate
processing of personal data on inmates, convicts, etc. related to the execution of sentences
and custody. The Personal Data Act of 2000 has otherwise been repealed, but continued for

criminal enforcement purposes in regulations on transition rules to the Personal Data Act of
2018(FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree no. 15 June 2018
pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 other
joint. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on
1
directive (EU) 2016/680 .

It follows from Section 4c of the Execution of Sentences Act that the correctional service can process
personal data that is necessary for the following purposes:

a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act,
b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large,
c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to
counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting
adaptation of inmates and convicts to society,
d. ensure children's right to visit their parents under safe and secure conditions,
e. notify the aggrieved party or his next of kin, cf. § 7 b,
f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14.

For the processing of personal data in the Infoflyt system, special rules set out in
Criminal Procedure Act chapter 1B in addition to the Personal Data Act of 2000, cf.

regulation on transition rules to the Personal Data Act of 2018 § 1 letter a.

1Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing
personal data to prevent, investigate, uncover or prosecute offenses or the execution of
penal reactions, and on the free exchange of such information and repeal of the council's framework decision

2008/977/JIS

2Other processing of personal data, including for administrative, administrative purposes
and private law purposes, the Personal Data Act of 2018 and the EU's apply
privacy regulation, which has been implemented in Norwegian law through § 1 of the Personal Information Act.

The Danish Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has done so
it is difficult to understand which rules apply, and that this has had an impact on the agency
compliance with the privacy rules.

The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant
for compliance. In the preparations for the amendments to the Penal Enforcement Act, it has been added

reason that processing responsibility can be shared between two processors. This was considered to
be practical for central systems, such as Kompis. At the same time it was stated that
the specific distribution of tasks must be determined in regulations or guidelines. However, it is
no regulations or guidelines have been drawn up in this regard.

Without clear instructions for the processing of personal data in the correctional service, will
compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize
that it is a management responsibility to ensure uniform understanding of the regulations in a complex
organization.

Final inspection report

The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report.
The report is therefore finalized without changes. The final inspection report is attached.

Decision on orders
Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order:

1. The Directorate of Correctional Services must ensure that clear responsibilities and
authority relations, cf. the personal data regulations § 2-7. We refer to
the control report's chapter 6.1.
2. The Directorate of Correctional Services must carry out a review of the internal control system for

information security, and update this to ensure that the Personal Data Act becomes
complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2.

Deadline for implementation
On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to

carry out orders as mentioned above. The deadline for carrying out the orders is therefore set to 19.
April 2023. By this deadline, you must send us a written confirmation that the orders are
carried out.

If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf.

Section 29 of the Personal Data Act.

2
Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of
personal data in correctional facilities, access to pardon cases, etc.).

3 Access to complaints
The decision can be appealed. Any complaint must be sent to us within three weeks of this
the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision will
the case will be forwarded to the Personal Protection Board for complaint processing.

Party transparency and publicity

As a party to the case, you have the right to access the case's documents in accordance with the provisions of
Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents in
the starting point is public, cf. section 3 of the Public Information Act.

If there are questions related to the decision, you can contact the case manager by telephone
22 39 69 80 or email (maren.vaagan@datatilsynet.no).

With best regards

Camilla Nervik
section manager
Maren Vaagan

senior legal advisor

The document is electronically approved and therefore has no handwritten signatures

Appendix: Final control report

@@ Line 11: / Line 11: @@
 |Original_Source_Name_1=Datatilsynet
-|Original_Source_Link_1=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/varsel-om-vedtak-om-palegg-til-kriminalomsorgsdirektoratet/
+|Original_Source_Link_1=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/tilsynrapport-og-palegg-til-kriminalomsorgen/
 |Original_Source_Language_1=Norwegian
 |Original_Source_Language__Code_1=NO
-|Original_Source_Name_2=Preliminary inspection report
+|Original_Source_Name_2=Final inspection report
 |Original_Source_Link_2=https://www.datatilsynet.no/contentassets/d7b778fca25d48ffa4ccb7d077c33251/20_03293-42-kontrollrapport-til-publisering.pdf
 |Original_Source_Language_2=Norwegian
 |Original_Source_Language__Code_2=NO
-|Original_Source_Name_3=sdfd
+|Original_Source_Name_3=
-|Original_Source_Link_3=https://www.datatilsynet.no/contentassets/d7b778fca25d48ffa4ccb7d077c33251/20_03293-53-oversendelse-av-forelopig-kontrollrapport-og-varsel-om-vedtak---tilsyn-med-kriminalomsorgen.pdf
+|Original_Source_Link_3=
-|Original_Source_Language_3=Norwegian
+|Original_Source_Language_3=
-|Original_Source_Language__Code_3=NO
+|Original_Source_Language__Code_3=
 |Original_Source_Name_4=
 |Original_Source_Link_4=
@@ Line 30: / Line 30: @@
 |Outcome=Violation Found
 |Date_Started=09.11.2021
-|Date_Decided=24.06.2022
+|Date_Decided=19.10.2022
-|Date_Published=07.07.2022
+|Date_Published=01.11.2022
 |Year=2022
 |Fine=
@@ Line 79: / Line 79: @@
 }}
-After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA has notified them of an order to sort out and document their controller responsibilities and update internal controls for managing privacy and personal data protection.
+After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organisation.
 == English Summary ==
@@ Line 88: / Line 88: @@
 As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway)  for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.
-=== Holding ===
+During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere.
-The DPA found several discrepancies. During the audit, the controller created an instruction to place their responsibilities throughout the whole organization. The DPA, however, noted that not all underlying organizational units shared the same understanding of this.
-Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers very few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.
+Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.
 The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.
-In conclusion, the DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organization. The controller has until August 2022 to submit any comments before the DPA will make a final decision.
+=== Holding ===
+The DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organisation.
+The controller must comply with the order within six months. If they fail to do so (with the deadline set to 9 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.
 == Comment ==
-''Share your comments here!''
+The daily penalty is an option under the Norwegian Personal Data Act § 29.
 == Further Resources ==
@@ Line 107: / Line 109: @@
 <pre>
-THE DIRECTOR OF THE CRIMINAL CARE
+DIRECTORATE OF CRIMINAL CARE
 PO Box 694
 SANDNES
-Their reference Our reference Date
+Your reference Our reference Date
-/ 03293-53 24.06.2022
+ 201819876 20/03293-62 19.10.2022
-Submission of preliminary inspection report and notification of decision - Supervision of
+Submission of final inspection report and decision on order
-prison care
+We refer to local supervision of the correctional service and subsequent correspondence.
-Introduction
+In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at
-The Danish Data Protection Agency refers to on-site inspections of the probation service on 9 November 2021, 4 April 2022,
+The Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike
-April 6, 2022 and April 7, 2022. The inspection was carried out in accordance with
+prison, Bredtveit prison and detention center and Oslo probation office). The control was
-the Personal Data Act 2018 § 20.
+carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art.
+no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority
+The Danish Data Protection Authority is particularly focused on the processing of personal data when carrying out
+penalty.
-The control concerned processing responsibility and internal control. The deviations from the regulations are closer
-described in the attached control report. The control report covers the entire audit, from the opening of
-letter control for on-site inspections of prisons and probation offices. The report describes
+Proceedings
-the observations made by the Norwegian Data Protection Authority during the audit, and include information collected
+The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter by
-through documents and group interviews. The control report describes the Data Inspectorate
-assessments of compliance in penal care. Any objections to the descriptions of
+June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders in
-factual matters must be addressed to the Norwegian Data Protection Authority in connection with the response to this notification.
+pursuant to § 20 of the Personal Data Act:
-. Notice of decision
+. The Directorate of Correctional Services must ensure that clear responsibilities and
-This is a notice that the Data Inspectorate, pursuant to the Personal Data Act § 20, will take
+        authority relations, cf. the personal data regulations § 2-7. We refer to the report
-decision on the following order:
+        chapter 6.1.
+. The Directorate of Correctional Services must carry out a review of the internal control system for
-. The Norwegian Prison and Probation Service must ensure that clear responsibilities and
+        information security, and update this to ensure that the Personal Data Act becomes
+        complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
+        chapter 3 of the personal data regulations. We refer to the report's chapter 6.2.
-        authority, cf. section 2-7 of the Personal Data Regulations. We refer to the report
-        Chapter 6.1.
-. The Norwegian Prison and Probation Service must conduct a review of the internal control system for
-        information security, and update this to ensure that the Personal Data Act becomes
+Deadline for making comments on the preliminary inspection report and the notice of decision
-        complied with in all sections of the agency, cf. the Personal Data Act 2000 § 14 and
+was set for 22 August 2022.
-        Chapter 3 of the Personal Data Regulations. We refer to Chapter 6.2 of the report.
-The Prison and Probation Service is free to implement measures within the framework of the law. We will ask for one
+KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the
-feedback on the time of implementation of the orders. Furthermore, we will ask for one
+preliminary report. KDI's assessment is that the report contains some smaller ones
+mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. The
-Postal address: Office address: Telephone: Org.nr: Homepage:
+Postal address: Office address: Telephone: Org. no: Website:
 PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
-OSLO 0191 OSLO, feedback from the prison service on the implementation of the orders, with descriptions. See
+OSLO 0191 OSLO It appears to KDI that the report provides a correct overall description of the challenges that have
-more about this in point 4 of the notice.
+have been identified during the supervision period.
-. Legal basis
+KDI states that in future they will complete the work of updating and preparing them
-.1 Current regulations for the processing of personal data in the penal care system
+formal instructions to the correctional service which are necessary to be able to document clear
-The Prison and Probation Service's processing of personal data is regulated in several different sets of rules.
-Chapter 1A of the Execution of Sentences Act and the Personal Data Act of 2000 regulate
-processing of personal data about prisoners, convicts, etc. directly related to
+responsibilities and internal control. At the same time, KDI requests that a deadline of six be set
-sentencing and custody. The Personal Data Act of 2000 has otherwise been repealed, however
+months to carry out orders as notified. It has been shown that it will take some time to secure one
-continued for the purpose of execution of sentence in § 1 of the regulations on transitional rules to
+joint and comprehensive understanding of responsibilities and the safeguarding of the internal control over this
-the Personal Data Act of 2018. The Ministry of Justice and Emergency Preparedness has notified a new law
+area throughout the organization. KDI believes this is best done by them - in addition to designing
-based on Directive (EU) 2016/680.
+formal guidelines - give these topics the necessary space at management meetings, subject meetings and
+seminars in the future. In this way, training will be provided, questions will be clarified and KDI will
+could ensure an agreed understanding and practice.
-For the processing of personal data in the Infoflyt system, separate rules laid down in apply
+Regulations
-Chapter 1B of the Execution of Sentences Act.
-All other processing of personal data, including administrative,
+The Probation Service's processing of personal data is regulated by various sets of rules.
-administrative and private law purposes, etc., are regulated in KDI's opinion by
+The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate
-the Personal Data Act of 2018, cf. Regulation (EU) 2016/679.
+processing of personal data on inmates, convicts, etc. related to the execution of sentences
+and custody. The Personal Data Act of 2000 has otherwise been repealed, but continued for
-.2 Regulations to the Execution of Sentences Act, Chapter 1A
+criminal enforcement purposes in regulations on transition rules to the Personal Data Act of
-When the Execution of Sentences Act was amended in 2009, the legislature proposed further regulations
+(FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree no. 15 June 2018
+pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 other
+joint. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on
+directive (EU) 2016/680 .
-of processing of personal data should be laid down in regulations. One regulation is given in
+It follows from Section 4c of the Execution of Sentences Act that the correctional service can process
-pursuant to section 4e of the Execution of Sentences Act.
+personal data that is necessary for the following purposes:
-The preparatory work for the Execution of Sentences Act § 4b states that the responsibility for processing pursuant to this
-the provision could be shared between two data controllers. It appears further
+     a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act,
+     b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large,
+     c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to
+       counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting
+       adaptation of inmates and convicts to society,
+     d. ensure children's right to visit their parents under safe and secure conditions,
+     e. notify the aggrieved party or his next of kin, cf. § 7 b,
+     f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14.
+For the processing of personal data in the Infoflyt system, special rules set out in
+Criminal Procedure Act chapter 1B in addition to the Personal Data Act of 2000, cf.
-         The specific division of tasks must be specified in regulations or
+regulation on transition rules to the Personal Data Act of 2018 § 1 letter a.
-         guidelines. The daily responsibility for treatment - the practical
-         implementation - can be delegated.
-Regulations on treatment responsibility in the penal care have not been issued by the Ministry.
-.3 Comments on the regulations
-Prior to the audit, as well as along the way, references to various documents have appeared
-both different and incorrect regulations. Among other things, the Data Inspectorate has observed references to
-the Personal Data Act of 2018 for processing that is still regulated by the 2000 Act
-and Chapter 1A of the Execution of Sentences Act.
+Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing
+personal data to prevent, investigate, uncover or prosecute offenses or the execution of
+penal reactions, and on the free exchange of such information and repeal of the council's framework decision
+/977/JIS
+Other processing of personal data, including for administrative, administrative purposes
-Regulations on transitional rules on the processing of personal data, FOR-2018-06-15-877
+and private law purposes, the Personal Data Act of 2018 and the EU's apply
- Regulations on the processing of personal data in the penal care, FOR-2013-09-20-1099
+privacy regulation, which has been implemented in Norwegian law through § 1 of the Personal Information Act.
+The Danish Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has done so
+it is difficult to understand which rules apply, and that this has had an impact on the agency
+compliance with the privacy rules.
-, the Norwegian Data Protection Authority believes that there is reason to assume that a complex and motley set of rules has done so
+The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant
-difficult to understand which rules and laws apply, which has since become significant
+for compliance. In the preparations for the amendments to the Penal Enforcement Act, it has been added
-compliance.
-The Data Inspectorate also believes that a lack of regulatory regulation of the processing responsibility has been given
+reason that processing responsibility can be shared between two processors. This was considered to
-significance for compliance. The Ministry must bear part of the responsibility for partial deficiencies
+be practical for central systems, such as Kompis. At the same time it was stated that
-compliance with the privacy regulations of the agency. At the same time, it is clear from the preparatory work for
+the specific distribution of tasks must be determined in regulations or guidelines. However, it is
+no regulations or guidelines have been drawn up in this regard.
-Section 4 b of the Execution of Sentences Act states that the specific division of tasks must be determined in regulations
-or guidelines. No regulations or guidelines have been prepared.
-During the consultation round for the amendments to the Execution of Sentences Act in 2009 noted
+Without clear instructions for the processing of personal data in the correctional service, will
-The Norwegian Data Protection Authority states that the term "daily processing responsibility" does not exist in the privacy regulations.
+compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize
-The legal responsibility must be placed. The Danish Data Protection Agency emphasizes that the responsibility cannot be delegated, i
+that it is a management responsibility to ensure uniform understanding of the regulations in a complex
-as opposed to the tasks related to compliance with the treatment responsibility, which can be delegated.
+organization.
+Final inspection report
-If there are no clear instructions for processing personal data in
+The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report.
-penal care, it could lead to differential treatment of prisoners' right to privacy.
+The report is therefore finalized without changes. The final inspection report is attached.
-Compliance with the regulations may differ from unit to unit. It is a
-management responsibility to ensure a uniform understanding of the regulations in a composite organization.
-. Deadline for feedback
+Decision on orders
+Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order:
-If you have any comments on this notice or the attached inspection report, you must
-send us a feedback on this. We ask that you send us a suggested date for when
-you can close the discrepancies we describe in the control report. The Norwegian Data Protection Authority will take this into account
-the proposal when we in our final decision set a deadline for when all deviations must be closed and
-the decision implemented.
+. The Directorate of Correctional Services must ensure that clear responsibilities and
+        authority relations, cf. the personal data regulations § 2-7. We refer to
+        the control report's chapter 6.1.
+. The Directorate of Correctional Services must carry out a review of the internal control system for
-We ask that you send us deadlines for closing deviations and any comments within 15.
+        information security, and update this to ensure that the Personal Data Act becomes
-August 2022. If it is documented that deviations have been closed within the deadline for feedback, will
+        complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
-we include this in the assessment when we make the final decision.
+        chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2.
+Deadline for implementation
+On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to
+carry out orders as mentioned above. The deadline for carrying out the orders is therefore set to 19.
+April 2023. By this deadline, you must send us a written confirmation that the orders are
+carried out.
-. Transparency and publicity
+If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf.
-You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform
-that all documents in the case are in principle public, cf. the Public Access to Information Act § 3.
-If you have specific comments to the public about the documents, you can make them
+Section 29 of the Personal Data Act.
-these to the Danish Data Protection Agency.
-With best regards
+ Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of
+personal data in correctional facilities, access to pardon cases, etc.).
+Access to complaints
+The decision can be appealed. Any complaint must be sent to us within three weeks of this
+the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision will
+the case will be forwarded to the Personal Protection Board for complaint processing.
+Party transparency and publicity
+As a party to the case, you have the right to access the case's documents in accordance with the provisions of
+Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents in
+the starting point is public, cf. section 3 of the Public Information Act.
-Camilla Nervik
+If there are questions related to the decision, you can contact the case manager by telephone
+39 69 80 or email (maren.vaagan@datatilsynet.no).
-section chief
-                                                                    Embla Helle Nerland
-                                                                    legal adviser
-The document is electronically approved and therefore has no handwritten signatures
+With best regards
+Camilla Nervik
+section manager
+                                                                 Maren Vaagan
-, Copy to: THE MINISTRY OF JUSTICE AND EMERGENCY PREPAREDNESS
+                                                                 senior legal advisor
-Attachments:
+The document is electronically approved and therefore has no handwritten signatures
-Control report from the Norwegian Data Protection Authority, dated 24 June 2022
+Appendix: Final control report
 </pre>