PVN - PVN-2024-07: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
(One intermediate revision by one other user not shown)
Line 66: Line 66:
}}
}}


The Privacy Appeals Board dismissed an appeal against the DPA decision on access request.
The DPA’s appeal board confirmed that a controller does not have to provide a data subject with access to information on the specific employees who accessed their data.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A data subject requested access to her data processed by the board within the [https://www.npe.no/no/ Norwegian System of Patient Injury Compensation] (Norsk pasienterstatning), a controller. The data subject was a party of proceedings before the controller and her request covered the documents of the case, including the logs data. The data subject stood on the position that the controller’s employees didn’t check the documents in depth, while examining her case. For this reason, the data subject wanted to verify who and when accessed her documents.   
A data subject requested access to her data processed by the board within the [https://www.npe.no/no/ Norwegian System of Patient Injury Compensation] (Norsk pasienterstatning), a controller. The data subject was a party to proceedings before the controller and her request covered the documents of the case, including the logs data. The data subject stood on the position that the controller’s employees didn’t check the documents in depth, while examining her case. For this reason, the data subject wanted to verify who and when accessed her documents.   


The controller partially answered the access request. The data subject didn’t receive the information she asked for, in particular whether printouts of the documents were done, or the documents were sent by e-mail or copied and stored elsewhere.  
The controller partially answered the access request. The data subject didn’t receive the information she asked for, in particular whether printouts of the documents were done, or the documents were sent by e-mail or copied and stored elsewhere.  


The data subject complained with the Norwegian DPA (Datatilsynet) and notified the Ministry of Public health. The data subject claimed that the controller violated [[Article 32 GDPR|Article 32 GDPR]], because they didn’t secure the data properly as there was no logs control in place. Moreover, lack of access to log’s data deprived the data subject from scrutinising the controller’s conduct with their case.  
The data subject complained with the Norwegian DPA (Datatilsynet) and notified the Ministry of Public health. The data subject claimed that the controller violated [[Article 32 GDPR|Article 32 GDPR]], because they didn’t secure the data properly as there was no logs control in place. Moreover, lack of access to log data deprived the data subject from scrutinising the controller’s conduct with their case.  


Additionally, the data subject filed the access request with the [https://www.helseklage.no National Appeals Body for the Health Service] (Nasjonalt klageorgan for helsetjenesten).
Additionally, the data subject filed an access request with the [https://www.helseklage.no National Appeals Body for the Health Service] (Nasjonalt klageorgan for helsetjenesten), which was the body competent to deal with appeals and/or complaints against the controller's decisions.  


The appeal body answered the request and provided the data subject with the dates and purposes of access to the data subject’s documents. Nevertheless, in reference to the Ministry of Public health letter, the appeal body didn’t disclosed the identity of employees who accessed the documents.  
The appeal body answered the request and provided the data subject with the dates and purposes of access to the data subject’s documents. Nevertheless, in reference to the Ministry of Public health letter, the appeal body didn’t disclosed the identity of employees who accessed the documents.  
Line 88: Line 88:
The Privacy Appeals Board dismissed the appeal.
The Privacy Appeals Board dismissed the appeal.


Firstly, the controller didn’t violate [[Article 32 GDPR|Article 32 GDPR]]. The log control was implemented. Furthermore, the Privacy Appeals Board had no doubts that the members of the controller’s board, who examined the case, had lawful access to the documents.
Firstly, the controller didn’t violate [[Article 32 GDPR|Article 32 GDPR]]. A log control was implemented. Furthermore, the Privacy Appeals Board had no doubts that the members of the controller’s board, who examined the case, had lawful access to the documents.


Secondly, the data subject’s complaint didn’t provide the DPA with sufficient grounds to examine the processing’s compliance with [[Article 32 GDPR|Article 32 GDPR]]. The data subject asked the DPA only for additional investigation whether or not the security of data was good enough under the GDPR. According to the Privacy Appeals Board, such a claim didn’t oblige the DPA to further investigate the case. Hence, the DPA didn’t violate [[Article 57 GDPR#1f|Article 57(1)(f) GDPR]].  
Secondly, the data subject’s complaint didn’t provide the DPA with sufficient grounds to examine compliance with [[Article 32 GDPR|Article 32 GDPR]]. The data subject asked the DPA only for additional investigation whether or not the security of data was good enough under the GDPR. According to the Privacy Appeals Board, such a claim didn’t oblige the DPA to further investigate the case. Hence, the DPA didn’t violate [[Article 57 GDPR#1f|Article 57(1)(f) GDPR]].  


Thirdly, the data subject received the answer to the access request. All the information disclosed by the controller satisfied the purposes indicated by the data subject in the request. Then, there was no reason to provide the data subject with the identity of the controller employees who accessed the data. The Privacy Appeals Board explained that in principle employees’ identity under the CJEU Pankki case was not covered by the [[Article 15 GDPR|Article 15 GDPR]].
Thirdly, the data subject received the answer to the access request. All the information disclosed by the controller and the the National Appeals Body for the Health Service satisfied the purposes indicated by the data subject in the request. Then, there was no reason to provide the data subject with the identity of the controller employees who accessed the data. The Privacy Appeals Board explained that in principle employees’ identity under the [[CJEU - C-579/21 - Pankki S|CJEU Pankki case]] was not covered by the [[Article 15 GDPR|Article 15 GDPR]].


== Comment ==
== Comment ==

Latest revision as of 06:54, 22 October 2024

PVN (Norway) - PVN-2024-07
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 32 GDPR
Article 57(1)(f) GDPR
Decided: 24.09.2024
Published:
Parties: Norwegian System of Patient Injury Compensation
he National Appeals Body for the Health Service
National Case Number/Name: PVN-2024-07
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
23/00105-10
Appeal to: Unknown
Original Language(s): Norwegian
Original Source: Personvernnemnda (in Norwegian)
Initial Contributor: wp

The DPA’s appeal board confirmed that a controller does not have to provide a data subject with access to information on the specific employees who accessed their data.

English Summary

Facts

A data subject requested access to her data processed by the board within the Norwegian System of Patient Injury Compensation (Norsk pasienterstatning), a controller. The data subject was a party to proceedings before the controller and her request covered the documents of the case, including the logs data. The data subject stood on the position that the controller’s employees didn’t check the documents in depth, while examining her case. For this reason, the data subject wanted to verify who and when accessed her documents.

The controller partially answered the access request. The data subject didn’t receive the information she asked for, in particular whether printouts of the documents were done, or the documents were sent by e-mail or copied and stored elsewhere.

The data subject complained with the Norwegian DPA (Datatilsynet) and notified the Ministry of Public health. The data subject claimed that the controller violated Article 32 GDPR, because they didn’t secure the data properly as there was no logs control in place. Moreover, lack of access to log data deprived the data subject from scrutinising the controller’s conduct with their case.

Additionally, the data subject filed an access request with the National Appeals Body for the Health Service (Nasjonalt klageorgan for helsetjenesten), which was the body competent to deal with appeals and/or complaints against the controller's decisions.

The appeal body answered the request and provided the data subject with the dates and purposes of access to the data subject’s documents. Nevertheless, in reference to the Ministry of Public health letter, the appeal body didn’t disclosed the identity of employees who accessed the documents.

The DPA issued a decision, stating that access request was answered. Moreover, alleged violation of Article 32 GDPR were not found. Thus, the DPA closed the case.

The data subject lodged an appeal with the Privacy Appeals Board (Personvernnemnda), sustaining her previous arguments. Also, the data subject pointed out that the DPA violated Article 57(1)(f) GDPR by refusing to examine the case.

Holding

The Privacy Appeals Board dismissed the appeal.

Firstly, the controller didn’t violate Article 32 GDPR. A log control was implemented. Furthermore, the Privacy Appeals Board had no doubts that the members of the controller’s board, who examined the case, had lawful access to the documents.

Secondly, the data subject’s complaint didn’t provide the DPA with sufficient grounds to examine compliance with Article 32 GDPR. The data subject asked the DPA only for additional investigation whether or not the security of data was good enough under the GDPR. According to the Privacy Appeals Board, such a claim didn’t oblige the DPA to further investigate the case. Hence, the DPA didn’t violate Article 57(1)(f) GDPR.

Thirdly, the data subject received the answer to the access request. All the information disclosed by the controller and the the National Appeals Body for the Health Service satisfied the purposes indicated by the data subject in the request. Then, there was no reason to provide the data subject with the identity of the controller employees who accessed the data. The Privacy Appeals Board explained that in principle employees’ identity under the CJEU Pankki case was not covered by the Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Norwegian Privacy Board's decision on 24 September 2024 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Malin Tønseth)
The Norwegian Data Protection Authority's reference: 23/00105-10
The case concerns a complaint from A about the Norwegian Data Protection Authority's decision on 9 October 2023 to close the case regarding access to the log and breach of personal data security at the National Complaints Body for the Health Service (Helseklage) without issuing an order.
Background of the case
A has had a case pending with Norwegian Patient Injury Compensation. After the case was concluded there, she asked for access to the documents in her case, as well as access to the log that showed notices in the case. Norwegian Patient Injury Compensation gave her partial access. However, A was critical that the log did not show whether prints had been taken from the case documents, whether documents had been copied and stored elsewhere or whether documents had been sent by e-mail. She was also critical of the fact that the log did not show how long the individual posted posting lasted. The reason why she wanted insight into how long the notices lasted was that she suspected that the members of the Patient Injury Board had not familiarized themselves sufficiently with her case before reaching a decision. Norwegian Patient Injury Compensation refused further requests for access and stated that they did not have such information.
A contacted the Norwegian Data Protection Authority for the first time on 9 January 2023 and notified of improper case management in the Health Complaint. She has since sent several inquiries. She believes that the lack of log-keeping deprived her of the possibility of verifiability of whether the tribunal's members had read the documents before they reached a decision. As an attachment to the complaint to the Norwegian Data Protection Authority, A's notification to the Ministry of Health and Care Services about the case followed.
The Ministry of Health and Care Services responded to the inquiry on 26 June 2023. The Ministry found no evidence that the Health Complaint does not meet the requirements for information security, cf. the Personal Data Protection Regulation Article 32. The Ministry pointed out that the Norwegian Data Protection Authority is the supervisory authority in the area of privacy.
A contacted Helseklage on 12 September 2023 and asked for access to the log and correspondence in his case. The Health Complaint assessed the access requirement under Article 15 of the Personal Protection Regulation and granted access to the log on 3 October 2023. The inspection included the date and purpose of the notices. The health complaint referred to a letter from the Ministry of Health and Care on 26 June 2023 and refused access to the identity of the person or persons who had made the post. The health complaint assumed that there was an official need for all notices in the case. Health Complaints also informed A about the right to see documents in his case under the Public Administration Act.
In a decision to A on 14 November 2023, the Norwegian Data Protection Authority concluded that A had fulfilled his right to access pursuant to Article 15 of the Personal Data Protection Ordinance and that the Health Complaint had not breached the requirements for personal data security in Article 32 of the Personal Data Protection Ordinance. The Data Protection Authority found no grounds for conducting further investigations and closed the case , cf. regulation article 57 no. 1 letter f. The Norwegian Data Protection Authority refers to the decision as a decision, but states that it can be appealed.
A timely complained about the Norwegian Data Protection Authority's conclusion of the case in an email on 23 November 2023 and elaborated the complaint further in an email on 11 January 2024. The Norwegian Data Protection Authority processed the complaint and upheld its decision. The case was forwarded to the Personal Protection Board on 2 April 2024. A was informed about the case in a letter from the board, and was given the opportunity to make comments. A has given his comments in e-mail and letter on 28 April, 4 and 24 July 2024.
The case was dealt with at the board's meeting on 24 September 2024. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin and Malin Tønseth. Investigation leader Anette Klem Funderud was also present.
The Norwegian Data Protection Authority's decision in brief
The Danish Data Protection Authority assumes that the Health Complaints Committee and the Boards of Health Complaints are the secretariat for organizationally, they are considered to be the same business. It is Helseklage that is responsible for processing according to the Personal Data Protection Regulation.
The right to view the log
The Danish Data Protection Authority assumes that a log is primarily a tool for the data controller and for the supervisory authority in assessing whether the requirements for personal data security have been breached. As a starting point, the log of employee postings is not intended to be accessible to those registered.
Article 15 of the Personal Protection Ordinance does not grant the right to inspect the log. This is supported by the EU Court's judgment in case C-579/21 J.M vs. Pankki S.
The requirements for personal data security
When it comes to external storage, storage on a memory stick, or the use of e-mail to send documents, the person in charge of processing himself - based on the principle of accountability - is obliged to assess whether the security of personal data is sufficiently safeguarded during such processing.
The Authority cannot see that the complaint gives an indication that the Health Complaint has breached the requirements for personal data security, cf. Article 32 of the Personal Data Protection Regulation.
The Norwegian Data Protection Authority's conclusion
The Norwegian Data Protection Authority came to the conclusion that A's right of access to Helseklage was fulfilled, cf. the personal data protection regulation article 15. The supervisory authority also concluded that Helseklage has not breached the requirements for personal data security, cf. the regulation article 32.
The Norwegian Data Protection Authority stated that it had found no basis for conducting further investigations into the case, cf. Article 57 no. 1 letter f, and closed the case without issuing any orders.
In the transmission letter to the tribunal on 2 April 2024, the Norwegian Data Protection Authority mentions the rules on access to the log of entries in patient records, cf. the Patient Records Act § 18, cf. the Patient Records Regulations § 11 and § 14. However, this right only applies to "processing of health information that is necessary to provide, administer or ensure the quality of health care for individuals", cf. the Patient Records Act § 2. The Patient Records Act does not therefore apply to the proceedings at the Health Appeal. In that case, the general rules on access according to the privacy regulations apply.
As's view of the case in brief
A's complaint concerns two different cases which the Norwegian Data Protection Authority has mixed up.
Case 1 concerns the complaint that there is no log from the Patient Injury Board's handling of her case. This means that the board members can read patient records without it being registered and checked in connection with access. Lack of access control means that the business has not implemented suitable security control measures, as required by the standard. The Norwegian Data Protection Authority's response to this is not satisfactory.
Case 2 concerns a complaint that A is not given access to a log of who has read her patient records. The complaint was submitted at the request of the Norwegian Data Protection Authority. A was informed that EU judgment C-579/21 would not be leading when it came to access to patient records, that information on the Norwegian Data Protection Authority's side still applies and that special laws are weighted higher. This is a right A has according to the Norwegian Data Protection Authority's own website. The Norwegian Data Protection Authority's response is not satisfactory. She asks for further clarification on whether she, as a private person, has the right to access who has read her health information and whether special laws allow for this. Printing of her patient records must follow rules on internal control and storage of particularly sensitive information.
She had expected that the Norwegian Data Protection Authority would look at Helseklages' DPIA or make sure that the company has sufficient control over sensitive documents.
It is an artificial clarification to say that logs are for the business, while they must be kept secret from the person who owns the information. If this statement is now to be leading legislation, patients will no longer have any opportunity to find out if employees are snooping on health information.
The Danish Data Protection Authority refers to EU judgment C-579/21 as the reason why she should not be given access to who has read her documents. She believes the judgment opens up transparency, especially in individual cases concerning applications for patient rights, and cites:
"information regarding searches in a person's personal data and regarding the dates and purpose of these searches constitute information which the person concerned has the right to receive from the data controller in accordance with this provision. This provision, on the other hand, does not prescribe such a right with regard to information about the identity of those of the data controller's employees, who have carried out the searches under the data controller's direction and according to instructions from the person concerned, unless this information is necessary for the data subject to effectively exercise their rights in accordance with this regulation, and provided that the employees' rights and freedoms are observed."
She refers in particular to the sentence: "unless this information is necessary for the registered person to effectively exercise his rights".
In the same week that she received a response to her complaint, NAV was imposed a fee of NOK 20 million. In the NAV case, the EU judgment is not mentioned a word and NAV is praised for providing access logs to anyone who wants it.
The conditions reported are of great importance for safety and privacy. She asks the Personal Data Protection Board to assess whether Health Complaints has adequate protection of patient records in terms of privacy, access control, potential dissemination of confidential information and verifiability.
In an e-mail on 28 April 2024, A elaborates on his complaint and also asks the Privacy Board to assess whether the app Onenote as a platform for board processing has the technical solutions that safeguard the desired privacy.
In an e-mail on 4 July 2024, A refers to the fact that a tribunal decision is legally of high value and that a log will be able to show which documents are used as a basis for the decision. In addition, the state will be able to show that the case has been thoroughly assessed. When a log is not kept, it represents a breach of the Archives Act and the Public Administration Act on verifiable conclusions. She questions whether the IT arrangements in Norwegian Patient Injury Compensation/Health Complaints are good enough. She hopes the Personal Protection Board takes her notifications seriously and asks for the board's assessment of this.
The Norwegian Privacy Board's assessment
Introduction
As's inquiry to the Norwegian Data Protection Authority concerns three different matters. Firstly, she complains about what she perceives as a breach of personal data security in the Patient Injury Board's handling of cases; namely the failure to log the board members' postings in the documents.
Secondly, the inquiry concerns a request to the supervisory authority to carry out a more thorough assessment of whether Helseklage has a system that provides adequate privacy protection in terms of their processing of patient records, including a request to assess whether the Onenote app has the technical solutions that safeguard the desired privacy , when it is used as a platform for tribunal proceedings.
Thirdly, the complaint concerns that she has been denied her right to access who has made a lookup in her patient record.
The board, like the Norwegian Data Protection Authority, assumes that the Health Appeal Board and the Patient Injury Board are organizationally considered to be the same business, and that the Health Appeal Board is responsible for processing according to the Personal Data Protection Regulation.
Logging of the board members' notices in cases in the Patient Injury Board
The duty for the data controller to implement technical and organizational security measures follows from Article 32 of the Personal Protection Regulation, cf. Article 24. In Article 32 no. 1 letters a to d, four examples of security measures that may be relevant are listed. The measures implemented must be suitable in light of the risk the processing of personal data represents. The business must be able to document the measures, cf. the accountability principle in the personal protection regulation article 5 no. 2.
Logging is not explicitly mentioned as an example of a measure to safeguard personal data security. However, there is no doubt that logging can be an important instrument for ensuring and demonstrating compliance with the rules. Log data also helps to detect and prevent unlawful postings and to check whether the security measures related to access management have the desired effect.
It has been stated that a system has been established for logging notices in the cases at Helseklage. It is not stated whether this logging only takes place during the Health Appeal's preparation of the cases, before the documents in the individual case are sent to the members of the Patient Injury Board, or whether the members of the Patient Injury Board are also given access to the cases in such a way that their postings are also logged. The tribunal has not found it necessary to investigate this, as there is no doubt in any case that the members of the Patient Injury Board have legal access to the documents in the cases they deal with, regardless of whether it is logged or not. The Personal Protection Ordinance does not set out a requirement that it be logged how long the individual tribunal member spends reading each case, as A argues.
The security of personal data in Helseklage's processing of patient record information
The Danish Data Protection Authority has concluded that Health Complaints has not acted in breach of the personal data security in Article 32, and has not found it necessary to carry out further investigations into the security of the document processing system used by the Patient Injury Board.
The question for the tribunal is, firstly, whether the Norwegian Data Protection Authority, when it has closed the case without carrying out further investigations into Helseklage's processing of patient record information, has fulfilled its duty as a supervisory body under the Personal Data Protection Regulation.
The Norwegian Data Protection Authority's tasks follow from Article 57 of the Personal Data Protection Ordinance. According to the provision, the Data Protection Authority shall process a complaint submitted by a registered person and investigate, to the extent that it is appropriate, the subject of the complaint and notify the complainant of the course and outcome of the investigation within a reasonable period, cf. the Personal Data Protection Ordinance article 57 no. 1 letter f.
In a number of cases, the tribunal has taken as its basis that the supervisory authority has a certain freedom to decide how extensive investigations the individual case requires and that the supervisory authority can prioritize cases in such a way that not all inquiries are treated equally thoroughly.
The question in this case is what leeway the supervisory authority has, when it receives an inquiry asking it to assess the security of personal data at a body, to choose not to investigate this further.
It follows directly from the wording of Article 77 No. 1 that the data subject must assert that the person's personal data has been processed in a manner that is in breach of the regulation. In other words, a requirement can be derived for a certain specification of the alleged illegality, and that the alleged illegality must affect the person making the complaint. Such an interpretation also finds support in recital 141, where it is stated, among other things, that the registered person has a right to complain to a national supervisory authority "if the person concerned considers his rights according to this regulation to have been infringed" (the board's italics).
The Norwegian Data Protection Authority has decided that the logging described is sufficient and has found no evidence that there are any breaches of personal data security. The Norwegian Data Protection Authority has also dealt with the complaint about lack of access.
A general request to the Norwegian Data Protection Authority to also investigate whether the security of personal data is good enough in the Health Complaints' processing of patient record information cannot, in the board's view, be considered a complaint that obliges the Norwegian Data Protection Authority to carry out certain investigations, cf. Article 57 no. 1 letter f and the statement in recital 141 that "The investigation of a complaint should [...] be carried out to the extent that is suitable in the individual case". In several cases, the tribunal has assumed that it is basically the complainant's task to explain the case and present documentation for the relationship complained of, see among others PVN-2023-15 and PVN-2023-22.
The Norwegian Data Protection Authority has not found any circumstances in the submitted documents that indicate that the security of personal data has been breached at Helseklage and has found no reason to carry out a further investigation of this. It is therefore reasonable for the Norwegian Data Protection Authority to conclude that the Health Complaint has not acted in breach of the requirements for personal data security in Article 32 and close the case without further investigations. The tribunal agrees with the authority's assessments of personal data security and has not found it necessary to carry out further investigations.
Access to lookup log
A is given access to log data related to when the search was made and the purpose of the search. She has not been given access to which persons at Helseklage have made notices. The question for the tribunal is whether A is entitled to further access to the log, particularly as a result of the fact that it concerns patient record information which is subject to the rules in the Patient Record Act.
The Patient Records Act applies to the processing of health information that is necessary to provide, administer or ensure the quality of health care for individuals, cf. § 3 of the Act. The processing of personal data in A's patient injury case at Helseklage does not apply to health care. Helseklagen's processing of personal data is therefore regulated by the general rules in the Personal Data Protection Ordinance.
The tribunal shares the Norwegian Data Protection Authority's assessment that a log showing which employees in a business have made a lookup of personal data is not initially covered by the right of access pursuant to Article 15. The tribunal refers to the EU Court's statements in C-579/21 (Pankki S) section 83:
"It follows from the above considerations that the data protection regulation's article 15, subsection 1, shall be interpreted as meaning that information regarding searches in a person's personal data and regarding the dates and purpose of these searches constitutes information which the person concerned is entitled to receive from the data controller in accordance with this provision. This provision, on the other hand, does not prescribe such a right as regards information about the identity of those of the data controller's employees, who have carried out the searches under the data controller's direction and following instructions from the latter, unless this information is necessary for the data subject to effectively exercise his rights in accordance with this regulation, and provided that the employees' rights and freedoms are observed."
The tribunal assumes that the purpose of A's request for access to the log, which shows which persons have made postings and possibly the duration of the posting, is to reveal how well prepared the members of the Patient Claims Board were when they decided on her case. The quality of the proceedings at the Patient Injury Board is ensured through legislation other than the right of access under the Personal Data Protection Ordinance. The tribunal considers that the insight A has gained is sufficient for her to safeguard her rights under the regulation.
The tribunal agrees with the Norwegian Data Protection Authority's assessment that A's right to access the log pursuant to Article 15 is fulfilled and that the provision does not give her the right to further access.
A has not been successful in his appeal.
The decision is unanimous.
Conclusion
The Norwegian Data Protection Authority's decision is upheld.
Oslo, 24 September 2024
Mari Bø Haugstad
Manager