Datatilsynet (Norway) - 23/00708-28
Revision as of 08:05, 3 April 2024
Datatilsynet - 23/00708-28 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 32 GDPR, Article 83 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 18.03.2024 |
Published: | |
Fine: | 20,000,000 NOK |
Parties: | Norwegian Labour and Welfare Administration |
National Case Number/Name: | 23/00708-28 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | ec |
The DPA imposed a fine of €1,720,425.16 (NOK 20,000,000) on the Norwegian Labour and Welfare Administration because it made special categories of personal data available for a long time and about a large number of people, without the necessary security mechanisms being established.
English Summary
Facts
The controller is the Norwegian Labour and Welfare Administration.
The Norwegian DPA (“Datatilsynet”) audited the controller to check whether the controller ensured confidentiality in the management system used to process personal data to provide services. The audit was limited to the technical and organisational measures related to access management, logs and log control under Article 5(1)(f) GDPR and Article 32 GDPR. The audit also checked whether the controller established an appropriate management system under Article 5(2) GDPR and Article 24 GDPR.
Holding
The DPA found a number of breaches that showed structural and organisational weaknesses and a lack of management and understanding of the importance of data protection and the applicable requirements. The DPA identified 12 offences relating to the fact that the controller, having a large number of employees all over the country, lacked systematic control of employees’ use of the specialised systems. One of the examples the DPA gave was that the controller had organised itself in a way that a significant group of employees needed broad access for official purposes. In combination with an inadequate system for log control, the DPA held that this was not compatible with the principle of confidentiality under Article 5(1)(f) GDPR and the requirements for organisational measures pursuant to Article 32 GDPR.
Based on the findings of the audit, the DPA also gave 3 orders to the controller:
Firstly, the DPA found that no routine risk assessments were made and that, consequently, the necessary “links” between risk level and access level were also not routinely made. New ID administrators, who are in charge of granting accesses, received training that was very person-dependent and only described how accesses should be granted, not on what terms. Therefore, the DPA ordered the controller to establish a comprehensive and suitable system for organisational measures to ensure and demonstrate compliance with Article 5(2) GDPR, Article 24 GDPR and Article 32 GDPR. This included:
- updating the governing documentation for access management;
- implementing a risk assessment for determining the appropriate level of access;
- creating procedures for the training of identity administrators; and
- establishing updated and appropriate procedures for granting access in the various specialist systems.
Secondly, the DPA found that employees had access to information about the entire population by default. Although the controller argued that this was needed for efficient case processing, in order to provide good guidance and equal treatment and to process cases within a reasonable time, the DPA found that it was not in line with the confidentiality and data minimisation principles (Article 5(1)(f) GDPR and Article 5(1)(c) GDPR) or the security requirements under Article 32(1) GDPR. The DPA held that there were other options that would take into account both efficiency in case processing and the GDPR requirements to safeguard the data subjects' privacy through technical and organisational security measures. Therefore, the DPA ordered the controller to establish technical and organisational measures related to access management that provide satisfactory confidentiality protection of personal data under Article 5(1)(f) GDPR and Article 32(1) GDPR. This included:
- establishing technical and organisational measures for the controller’s archive system that limit access to metadata about documents across disciplines to cases where it is necessary;
- establishing technical and organisational measures to limit access to personal data processed solely for archiving purposes (historical cases) to cases where it is necessary;
- establishing technical and organisational measures that make it possible to adapt the security of personal data based on risks justified by specific user needs.
Thirdly, the DPA ordered the controller to establish technical and organisational measures related to log control that provide satisfactory confidentiality protection of personal data under Article 5(1)(f) GDPR and Article 32(1) GDPR.
Therefore, the DPA imposed a fine of €1,720,425.16 (NOK 20,000,000) under Article 83 GDPR. The DPA took into account that the controller had made special categories of personal data available for a long time and about a large number of people, without the necessary security mechanisms being established. Moreover, the DPA also took into account that the previous orders issued by the DPA during audits and evaluations throughout the years had not proved to be sufficiently effective.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.