Datatilsynet (Norway) - 20/01893
Latest revision as of 15:30, 12 January 2022
| Datatilsynet (Norway) - 20/01893 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 5(1)(c) GDPR, Article 5(1)(e) GDPR, Article 6(1) GDPR, Article 9(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 24.11.2021 |
| Published: | 08.12.2021 |
| Fine: | 1,000,000 NOK |
| Parties: | Statens pensjonskasse (SPK - The Norwegian Public Service Pension Fund) |
| National Case Number/Name: | 20/01893 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined the Public Service Pension Fund (SPK) € 99,940 (NOK 1,000,000) for obtaining unnecessary income data of approximately 24,000 people receiving disability pension, in breach of Article 5(1)(c), Article 5(1)(e), Article 6(1), and Article 9(2) GDPR.
English Summary
Facts
The Norwegian Public Service Pension Fund (SPK - Statens pensjonskasse) reported a personal data breach in September 2019. Between 2016 and 2019, it obtained a large amount of personal data from the Norwegian Tax Administration, much of which was not needed for its purpose. The data was meant to be used for correcting disbursed disability pensions. However, SPK lacked a filter to prevent receiving and storing unnecessary data, as well as organisational measures for deleting the superfluous data.
SPK itself categorised the breach as serious, as it involved processing highly sensitive personal data about a vulnerable group of people (those receiving disability pensions). In total, about 44,000 people were affected by the breach, of whom about 24,000 were receiving disability pension.
Holding
First, the DPA stated that, although the SPK could rely on both Article 6(1)(c) and Article 6(1)(e) GDPR, the processing must have been necessary. The same necessity requirement follows from Article 9(2)(b) GDPR, since SPK processed health data. Because SPK processed unnecessary income information that was obtained from the Tax Authority, the necessity requirement was not met, in violation of Article 6(1) and Article 9(2) GDPR. In addition, the DPA found that the Public Service Pension Fund (SPK) had obtained excess personal data not needed for the purpose of calculating correct disability pension disbursements, in breach of Article 5(1)(c) GDPR. Lastly, SPK lacked sufficient routines for assessing what personal data was needed and for deleting superfluous data, in breach of Article 5(1)(e) GDPR.
Although the DPA found that the violations were negligent rather than intentional, and SPK took measures to limit the damage, SPK had violated basic principles of the GDPR, special categories of personal data were involved, and a large number of persons was affected. Hence, the DPA concluded that SPK needed to be fined, and considered a fine of € 99,940 (NOK 1 million) to be sufficient.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
STATE PENSION FUND MANAGEMENT COMPANY PO Box 10 Skøyen 0212 OSLO Their reference Our reference Date 19/029514 20 / 01893-12 24.11.2021 Decision on infringement fine The Norwegian Data Protection Authority refers to previous correspondence in connection with a deviation report dated 24.09.2019, latest their response to notification of decision on infringement fee dated 12.05.2021. We apologize for the long case processing time and a somewhat messy procedure, cf. our letter to dated 27.04.2021. Decision on infringement fine The Norwegian Data Protection Authority hereby imposes the following decision on the Government Pension Fund: Pursuant to the Privacy Ordinance, Article 58, No. 2, letter i, cf. § 26 of the Personal Data Act, the Government Pension Fund is imposed an infringement fee of NOK 1,000,000 - one million Norwegian kroner - to the Treasury, for violation of the principles for the processing of personal data in the Privacy Regulation article 5 no. 1 letter c and e and the requirement of necessity pursuant to Article 6 no. 1, cf. Article 9 No. 2. 2. Description of the deviation The deviation report states that the Government Pension Fund (hereinafter SPK) in the period 01.07.2015 until 24.09.2019 collected larger amounts of personal information they did not need for it stated purpose. SPK has stated that the discrepancy was discovered on 15.02.2019. The discrepancy relates to the collection of accrued income information from the Tax Administration in in connection with SPK's annual post-settlement for disability pension. The information is used to correct paid pension (too much or too little). The transfer of information has taken place in accordance with the Tax Administration Act § 3-6 other paragraph, which gives the Tax Administration authority to disclose information on «pensionable income» 1Incomes earned in a specified time interval within a year. 
Postal address: Office address: Telephone: Org.nr: Homepage: 1 PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 0105 OSLO 0191 OSLO to SPK, and in line with an information exchange agreement between the parties. The transfer has happened via a technical interface (API). The information submitted by the Tax Administration is current, accrued income information 2 (raw data) from the a-scheme. The information is partly special categories of personal information in the form of information on disability pension from other than SPK and the National Insurance Scheme. Otherwise, it's about very detailed income information, such as taxable portion of insurance, purchase of shares at a discount, benefits in kind, etc. SPK has lacked a filter to prevent the import and storage of unnecessary income information, and one has not had a delete function for the data. SPK employees have had access to the redundant information at the individual level. At the time of the deviation report, SPK summarized the reasons for the deviation as follows: insufficient assessment of the legal basis for treatment of personal data, including the term «pensionable income» lack of follow-up of the requirement for data minimization missing deletion routines / deletion function lack of access control in the caseworker system SPK considers the discrepancy to be serious, as it is an illegal treatment of very personal information about a generally vulnerable group of persons (people on disability benefits). SPK also refers to the possible consequences of the illegal treatment of personal information. The follow-up may trigger a claim for reimbursement from the individual recipient, and a claim for recovery of an overpaid disability pension will constitute a coercive basis for disbursement. SPK's decisions on repayment are made by fully automated (machine) decisions without regard to the guilt of the person on disability benefits. 
SPK states that taxpayers are subject to a comprehensive duty to provide information to the tax authorities. It is pointed out that taxpayers must be able to feel confident that they have reported information is not reused for incompatible purposes without a legal basis. Furthermore, SPK points out that they generally do not provide active information about which personal information which is obtained, which makes it difficult for the data subjects to exercise their right to the privacy regulations for, for example, deleting unnecessary information. As a result of the deviation, SPK had planned and / or implemented the following measures: dialogue with the Ministry of Labor and Social Affairs on changes to the legal basis for gathering of information block the internal access to the information delete data establish filters to avoid importing unnecessary data 2 An electronic solution for coordinated reporting from employers. 2 3. Statement from the Government Pension Fund In a letter dated 18.02.2020, the Norwegian Data Protection Authority requested a more detailed account of the measures that were in place implemented after the deviation. SPK responded to the inquiry in a letter dated 16.03.2020. SPK has also provided information in a meeting on 16.04.2021. SPK emphasizes that post-settlement is not a control activity to uncover prohibited actions, but a statutory task where SPK makes an annual settlement that can result in a payment or repayment claims. SPK also states that income information was obtained from the Tax Administration for the first time in October 2016 (ie not in July 2015, as previously stated). Only SPK employees with access to disability pension in the caseworker system has had the opportunity to access the information. This amounts to approx. 50 of a total of 450 employees. For approx. 44,000 people (out of a total of approx. 1,000,000) have received income information for use in post-settlement without sufficient legal basis. For approx. 
24,000 of these are not obtained surplus information, as the persons only have a disability pension as income. SPK emphasizes that they take the case very seriously. As a result of the deviation, SPK has implemented the following measures: The legal basis for obtaining accrued income information has been changed and specified. The internal access to redundant information was blocked in September 2019. Surplus information was deleted on 11.10.2019. SPK established a deletion routine where all income information that is not relevant for the post-settlement is deleted immediately after loading into the database. Afterwards is a filter to avoid the import of unnecessary data introduced in collaboration with the Tax Administration. In the time after the non-conformance report was sent, SPK has assessed the legal basis for the collection of income information in more detail. SPK now considers that they have had a legal basis in the Tax Administration Act § 3-6 second paragraph to collect a wide range of income information. The provision was somewhat unclear when it came to obtaining accruals income information, and SPK therefore took the initiative to change the wording of the provision. SPK nevertheless wishes to emphasize that they believe that income information is not obtained without legal basis in special legislation. A main reason why SPK has obtained unnecessary income information is that SPK found it expedient to obtain information from the Tax Administration. The income information from The tax authorities were only available in a predefined data set that also contained information SPK did not need in connection with post-settlement. In the meeting on 16.04.2021, SPK explained that the scheme was disability pension was changed in 2015 ("Disability reform"). After the reorganization, it was unclear to SPK what income information which were relevant to the annual post-settlement. What information has been shown to be relevant has also changed over time. 
This has led to the collection of unnecessary income information. SPK did not realize the implications of this at an early enough time. SPK Has not had a system for reviewing and deleting surplus information during the period the discrepancy persisted. SPK further explained that a closer assessment had to be made of which income information which were necessary for post-settlement when the discrepancy was discovered. This is the reason why the information was first blocked and then deleted. 4. The Government Pension Fund's comments on the notice letter The Government Pension Fund has provided further comments and clarifications in a letter dated 12.05.2021. The letter points out that the disability pension must be adjusted based on how much a person has had earned income a given year. The disability pension is paid as a starting point on the basis of what it is disabled people think their income will be in the coming year. It can be difficult for a person to Predict exactly what the annual income will be, and SPK is dependent on that person continuously reports income changes. The reform presupposes that a post-settlement is carried out subsequent year, where SPK calculates whether the disabled person will be paid back, or must repay, a part of the performance. Post-settlement is largely done mechanically, and the annual tax settlement is made as a basis for the calculations. However, the tax settlement does not sufficiently differentiate between different types of income, ie the types of income that are to be included or excluded from the basis for calculation, respectively of the disability benefit - and thus also the post-settlement. Furthermore, the tax settlement indicates income for year as a whole and not as accrued income figures. In the post-settlement, SPK needs information about the tax settlement's pensionable income broken down by income type and accrued by month. 
It will most often be demanding and complicated for the disabled self to document this properly, and manual submission of documentation will usually provide surplus information that is difficult to sort out. SPK therefore chose to obtain accrued data broken down by income type data directly from the Tax Administration. The post-settlement takes place once a year, in the autumn after the tax settlement for the previous year is ready. Correspondingly, the data is obtained from the Tax Administration once a year. Despite the lack of better solutions, SPK acknowledges that the deviation from the privacy regulations should have been discovered earlier. SPK has collected and stored profit information a total of three times: in October 2016, 2017 and 2018. Two of the collections took place before the new Personal Data Act came into force (in July 2018). In October 2019, surplus information was obtained, but deleted immediately. IN October 2020, only necessary income information was obtained. SPK developed a filter which from July 2019 ensured that only necessary information about pensionable income was available to caseworkers. Before SPK collected data for After the settlement in October 2019, a system solution was implemented that deleted all surplus information from the database. The solution also ensured that all profit information 4which in 2019 and later had to be retrieved, would be deleted continuously and immediately. A new data extraction with only necessary information was in place as of 27.08.2020. SPK also points out that they spent a long time on the non-conformance report because they were "untrained" in sending such messages. The discrepancy was therefore strictly interpreted and explained in detail in the first message. SPK indicates that today they would present the case differently and more nuanced. Among other things, SPK points out that the disabled who are covered by the deviation participate in working life in positions of between 20 and 80%. 
It was not SPK's intention to stigmatize the group as generally vulnerable. Furthermore, it appears that SPK strives to provide the registered with their good information through website. In summary, SPK acknowledges that the discrepancy should have been discovered earlier. It is pointed out, however that the impact on those affected has been limited. The surplus information was subject access control, and SPK has done its utmost to rectify the situation when the deviation occurred discovered. In light of this, SPK believes that the notified infringement fee is too high in relation to the nature of the deviation. 5. Current legal basis for the assessment The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. the personal data section 20 of the Act and Article 57 of the Privacy Ordinance. 5.1 On choice of law The new Personal Data Act, which incorporates the EU Privacy Regulation into Norwegian law, entered into force on 20.07.2018. The law also repealed the Personal Data Act (2000) and the rules in the Personal Data Regulations (2000). This case concerns circumstances that arose in 2016, ie before the entry into force of the Information Act (2018), but which has persisted in the time since. We must therefore decide whether the case shall be assessed in accordance with the Personal Data Act (2018) or the Personal Data Act (2000). There is a special transitional rule in the Personal Data Act (2018) § 33 first paragraph infringement fine, which reads: «The rules on the processing of personal data that applied at the time of the action, shall be used as a basis when a decision on an infringement fine is made. The legislation on the time of the decision shall nevertheless be used when this leads to a more favorable one result for the person responsible ». The question of choice of law must therefore be assessed on the basis of what is considered the time of action. 
The relevant deviation arose before the entry into force of new regulations on 20.07.2018, but persisted until the discrepancy was discovered in September 2019. The time of action in this case has thus persisted over time and in the time after the Personal Data Act (2018) came into force. It follows then of the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with this Act. 5We also refer to the preparatory work for the Personal Data Act (2018), Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018): «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to is made on the basis of the material rules in force at any given time ». The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and PVN-2018-06. Against this background, in our assessment it is clear that the case must be assessed accordingly the Personal Data Act (2018) and the Privacy Ordinance. 5.2 The principles for the processing of personal data The basic principles for the processing of personal data are set out in the Privacy Ordinance Article 5. The relevant parts of the provision read: «1. 
Personal information must (…) c) be adequate, relevant and limited to what is necessary for the purposes they processed for ("data minimization"), (…) e) is stored so that it is not possible to identify the data subjects for longer periods than that necessary for the purposes for which the personal data are processed (…) ("Storage restriction"), f) processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal treatment and against unintentional loss, destruction or damage, using appropriate technical or organizational measures («Integrity and confidentiality») ». 5.3 Legal basis for the processing Any processing of personal data must have a legal basis in the Privacy Ordinance Article 6 (1) to be lawful. The relevant parts of the provision read: «1. The treatment is only legal if and to the extent that at least one of the following conditions is fulfilled: (…) c) the processing is necessary to fulfill a legal obligation that is incumbent the data controller, (…) e) the processing is necessary to perform a task in the public interest or exercise public authority imposed on the controller (…) ». Processing of so-called special categories of personal data, for example health information, is in principle prohibited, cf. the Privacy Ordinance, Article 9, No. 1. For the processing of such information to be lawful, at least one of the conditions set out in Article 9 must apply No. 2 be fulfilled. The relevant parts of the provision read: 6 «2. Nr. 
1 does not apply if one of the following conditions is met: (…) b) The processing is necessary for the data controller or the data subject shall be able to fulfill their obligations and exercise their special rights the area of labor law, social security law and social law to the extent this is permitted under Union law or the national law of the Member States, or a collective agreement pursuant to to the national law of the Member States which provides the necessary guarantees for it registered fundamental rights and interests. (…) ». 5.4 In particular on the imposition of infringement fines Article 58 no. 2 letter i of the Privacy Ordinance, cf. the Personal Data Act § 26 other paragraph, it appears that the Data Inspectorate may impose on public authorities and bodies infringement fine according to the rules of the Privacy Regulation Article 83 in case of violation provisions in the privacy regulations. Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains, among other things, an overview of which aspects should be taken into account, both when and when it is considered whether an infringement fee should be imposed and in determining the size of the fee. The relevant parts of Article 83 (1) and (2) are reproduced below: «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 of each case is effective, stands in a reasonable relation to the violation and works deterrent. 2. 
(…) When a decision is made on whether to impose an infringement fine and on the amount of the infringement fee, it must be duly taken into account in each individual case following: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the treatment concerned and the number of registered persons who are affected, and the extent of the damage they have suffered, b) whether the infringement was committed intentionally or negligently, c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects, d) the degree of responsibility of the data controller or data processor, as taken with regard to the technical and organizational measures they have implemented in accordance with Articles 25 and 32, (…) (f) the degree of cooperation with the supervisory authority to remedy the infringement; and reduce the possible negative effects of it, g) the categories of personal data affected by the infringement, (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified of the infringement, (…) k) any other aggravating or mitigating factor in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, as a result of the infringement ». Article 83 also sets out the framework for the amount of the infringement fine. We show in this in connection with Article 83, paragraphs 4 and 5. The relevant parts of the provisions are: «4. In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2 infringement fine of up to 10,000,000 euros (…): (a) the obligations of the controller and the processor in accordance with Article 8, 11, 25-39 and 42 and 43 (…). 
In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2 infringement fine of up to EUR 20,000,000 (…): (a) the basic principles of treatment, including conditions for consent; i pursuant to Articles 5, 6, 7 and 9 ». 6. The Danish Data Protection Agency's assessment In the following, we will first assess SPK's legal basis for processing surplus information obtained from the Tax Administration for follow-up of disability pension. We will then assess whether SPK has complied with the principles for the processing of personal data. 6.1 Legal basis for the processing SPK has pointed out that post-settlement for disability pension is a statutory task. A current legal basis under the privacy regulations could thus be to fulfill a legal obligation according to national law, cf. the Privacy Ordinance Article 6 No. 1 letter c. One can also consider the post-settlement as an exercise of public authority under national law, cf. Article 6 (1) letter e. Both provisions require that the treatment be necessary. Regarding the treatment information about disability pension from others than SPK itself and the National Insurance Scheme, the processing must also be permitted under the Privacy Ordinance, Article 9 no. 2. Information that a person receives a disability pension is in itself a health information, as the granting of a disability pension in itself presupposes a reduced ability to work due to illness / health problems. We will confine ourselves to pointing out that the relevant provision of Article 9 No. 2 letter b (fulfill obligations in the area of social security law) also requires that the treatment is necessary. SPK has stated that the transfer of information has taken place pursuant to the tax administration § 3-6 second paragraph of the Act, which states that the Tax Administration may disclose information about «Pensionable income» to SPK without prejudice to the duty of confidentiality. 
SPK has stated that they have had authority in the Tax Administration Act § 3-6 second paragraph to obtain a wide range of income information. SPK has nevertheless reported and acknowledged that Unnecessary income information was obtained from the Tax Administration in the predefined data set from the Tax Administration. After the Disability Reform in 2015, it was unclear what income information was needed for post-settlement, and the understanding also changed over time. The Data Inspectorate will nevertheless point out that SPK must be responsible for clarifying within a reasonable time what information they needed for in this work, so that only necessary information was obtained from the Tax Administration. 8We assume that SPK obtained between October 2016 and October 2019 surplus information on four occasions. In October 2019, it became unnecessary the information obtained but deleted immediately. The Norwegian Data Protection Authority has concluded that SPK has violated the requirement of necessity Article 6 (1) of the Privacy Regulation, cf. Article 9 (2), in connection with the collection of income information from the Tax Administration for use in post-settlement for disability pension. 6.2 The principles for the processing of personal data 6.2.1 The principle of data minimization The principle of data minimization is set out in the Privacy Ordinance, Article 5, paragraph 1, letter c. It is stated that the processing of personal data shall be limited to the information that is necessary for the purpose. In connection with the collection of income information, SPK has obtained surplus information that was not necessary for the post-settlement for disability pension. Eventually a technical solution for obtaining only necessary information has later come up space, we assume that it has been practically possible to only collect information such as SPK need. This constitutes a breach of the principle of data minimization, cf. Article 5, paragraph 1, letter c. 
6.2.2 The principle of storage limitation Pursuant to Article 5 (1) (e), personal data shall not be stored longer than they are necessary for the purpose. An injury-limiting measure when obtaining surplus information can be good routines to assess what information is needed and delete unnecessary information. SPK has until October 2019 had no routines for deleting unnecessary income information which was obtained from the Tax Administration. This constitutes a breach of the principle of storage limitation, cf. Article 5 (1) (e). 6.2.3 The principle of confidentiality The principle of confidentiality is set out in the Privacy Ordinance, Article 5, paragraph 1, letter f and means, among other things, that only those who have service needs should have access to personal information. SPK has reported that after the Disability Reform in 2015 it has had to be reviewed the income information to assess what information is necessary for post-settlement. Only employees who work with disability pension have had access to the surplus information as has been obtained from the Tax Administration. After a comprehensive assessment, the Data Inspectorate has concluded that SPK has not violated the principle of confidentiality, cf. Article 5 (1) (f). 9 6.3 Assessment of whether an infringement fee is to be imposed The Norwegian Data Protection Authority has concluded that SPK has violated the Privacy Ordinance, Article 5, No. 1, letter c and e as well as the necessity requirement in Article 6 (1), cf. Article 9 (2). offenses that may provide a basis for imposing an infringement fine. The offense has largely occurred before the Personal Data Act (2018) and the Privacy Regulation entered into force. The Data Inspectorate could also impose earlier infringement fee, cf. the Personal Data Act (2000) § 46, but the amount was then limited to up to 10 times the National Insurance basic amount (currently approx. 1,010,000 NOK). 
However, we refer to the discussion under section 3.1 and assume that the fine will be assessed according to the new rules. In principle, there is thus a basis for imposing on SPK an infringement fine of up to EUR 20,000,000 (currently approx. NOK 213,000,000), cf. Article 83(5) GDPR. We will nevertheless take into account that three of the four instances of collection of surplus information took place in the period when the previous data protection rules applied. Below we review the factors we consider relevant to the assessment of whether an infringement fine must be imposed.

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

We have concluded that SPK violated the basic requirements for the processing of personal data, that is, the basic principles in Article 5(1) GDPR and the necessity requirement in Article 6(1), cf. Article 9(2). This is serious. The collection of surplus information went on for almost three years, from October 2016 to October 2019. Approx. 44,000 people are affected. Although this is a relatively small proportion of SPK's members, it is still a high number of people.

b) whether the infringement was committed intentionally or negligently

SPK first became aware of the discrepancy in February 2019. SPK has explained why it subsequently took time to assess specifically which information was not necessary for the post-settlement, so that neither blocking nor deletion could be carried out immediately. After an overall assessment, the Data Protection Authority considers that SPK, represented by the managing director, acted negligently in connection with the infringement.
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects

SPK implemented several measures after the discrepancy was discovered; access to the information was blocked in September 2019, and a solution for deletion was in place in October of the same year. Some measures have taken longer to implement, including a solution for filtering the information obtained. In our view, SPK has overall done a good job of implementing relevant measures and has shown that it takes the situation seriously.

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32

SPK obtained a predefined data set from the Tax Administration without any review of its content to assess the necessity of the various pieces of information. SPK also had no routine for deleting surplus information. With regard to access control, only employees with official access to disability pension cases were able to see the surplus income information, although not even these persons should have had access to it.

g) the categories of personal data affected by the infringement

The information obtained unlawfully is partly special categories of personal data, as it includes information on disability pensions from sources other than SPK and the National Insurance Scheme. This makes the infringement more serious, as special categories of personal data enjoy special protection under Article 9 GDPR. Otherwise, this is very detailed income information that most people will perceive as private.
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

SPK itself notified the Norwegian Data Protection Authority of the infringement and has otherwise contributed to the information in the case. It took a long time before the discrepancy was reported: it was discovered in February 2019 but was first reported in September of that year. SPK has admittedly explained the reasons for the delay, but it is nevertheless clearly contrary to the 72-hour deadline set out in Article 33 GDPR.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

We have noted that three out of four collections of surplus information were made before the new Personal Data Act came into force in July 2018. The Data Protection Authority has in total spent approx. 1 year processing the case. This will also have some significance for the case, cf. the Privacy Appeals Board's decisions PVN-2021-09 and PVN-2021-03.

Overall assessment

The case concerns the collection of unnecessary income information, including special categories of personal data, and SPK has violated several basic principles for the processing of personal data. This is so serious that the Norwegian Data Protection Authority has concluded that an infringement fine must be imposed on SPK.

6.4 Assessment of the amount of the fine

In assessing the size of the fine, we have emphasised that SPK violated the basic and principal provisions of the GDPR. SPK collected intrusive income information without this being necessary for the purpose. Furthermore, special categories of personal data are affected, as the information concerns disability pensions.
The purpose of the collection was the post-settlement of disability pensions, which may have financial consequences (repayment claims) for the affected persons. The case involves in total approx. 44,000 people, i.e. a significant number of disability pensioners. It is also pointed out that residents in general have a broad duty to provide information to the tax authorities. Unlawful use of collected information can be detrimental to trust in the public sector. The discrepancy also persisted for over three years before it was discovered. During this period SPK did not do enough to clarify what income information it needed for the purpose of the post-settlement of disability pensions. On the other hand, we have taken into account that SPK implemented relevant measures after the discrepancy was discovered, and SPK has shown that it takes the case seriously. We have also taken into account that SPK itself reported the discrepancy to the Norwegian Data Protection Authority, albeit much later than the rules require. Furthermore, we have emphasised that the infringement partly took place before the Personal Data Act (2018) and the GDPR entered into force. Under the previously applicable Personal Data Act (2000), the fine was limited to a maximum of approx. NOK 1,010,000. The Data Protection Authority's processing time of approx. 1 year will also have some effect on the size of the fine, see PVN-2021-09 and PVN-2021-03. The Data Protection Authority has concluded that the infringement fine must be set at NOK 1,000,000 in this case. The amount has been adjusted downwards somewhat from the notified fine of NOK 1,500,000 based on our weighting of the factors set out above.

7. Right of appeal

This decision can be appealed within three weeks of receipt of this letter, cf. §§ 28 and 29 of the Public Administration Act. Any appeal is sent to the Norwegian Data Protection Authority.
If we do not uphold the appeal, the case will be sent to the Privacy Appeals Board for appeal processing, cf. § 22 of the Personal Data Act. If you have any questions, you can contact director Bjørn Erik Thon or caseworker Susanne Lie (e-mail: suli@datatilsynet.no).

With best regards

Bjørn Erik Thon
director

Susanne Lie
senior legal adviser

The document is electronically approved and therefore has no handwritten signatures.

Copy to:
GOVERNMENT PENSION FUND ADMINISTRATION COMPANY, Gry-Helen Henriksen
THE TAX AUTHORITY