Datatilsynet (Norway) - 23/00708
Latest revision as of 14:50, 20 December 2023
| Datatilsynet - 23/00708 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 24(1) GDPR, Article 24(2) GDPR, Article 32(1) GDPR, Article 32(1)(d) GDPR, Article 32(2) GDPR, Article 32(4) GDPR, Article 57(1)(a) GDPR, Article 57(1)(h) GDPR, Article 58(1)(a) GDPR, Article 58(1)(b) GDPR, Article 58(1)(e) GDPR, Article 58(1)(f) GDPR, Article 58(2)(d) GDPR, Article 58(2)(i) GDPR, Article 83 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 01.03.2023 |
| Decided: | 27.11.2023 |
| Published: | 28.11.2023 |
| Fine: | 20000000 NOK |
| Parties: | The Labour and Welfare Administration (NAV) |
| National Case Number/Name: | 23/00708 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO), NAV (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined the Labour and Welfare Administration (NAV) €1,754,678 (NOK 20 million) and issued several orders for 12 violations, attributed to "serious neglect over an extended period" in their information security and IT systems.
English Summary
Facts
"NAV", the Norwegian Labour and Welfare Administration, is a government agency that collaborates with local municipalities to provide unified access to public labour and welfare services. Its primary functions include promoting employment and ensuring financial and social security. NAV administers a significant portion of the state budget and is one of the country's largest employers, with about 22,000 employees. Almost all citizens of Norway are in contact with NAV at some point in their lives.
On 1 March 2023, the Norwegian DPA Datatilsynet notified NAV (the controller) of a physical inspection as per Article 57(1)(a) GDPR, Article 57(1)(h) GDPR, cf. Article 58(1)(a) GDPR, Article 58(1)(b) GDPR, Article 58(1)(e) GDPR and Article 58(1)(f) GDPR.
The DPA conducted their inspection on 6 September. They focused on the controller's IT systems for processing personal data related to their government-related services, including technical and organisational measures related to access controls, logging and log control, as per Article 32 GDPR and Article 5(1)(f) GDPR, including whether the controller had established an appropriate management system in line with Article 24 GDPR and Article 5(2) GDPR.
The DPA sent the controller the preliminary audit report on 1 November, to which the controller responded on 22 November. The DPA then submitted their final report on 27 November, along with a notification of their intent to impose a fine and issue several orders.
The controller has three weeks to respond to the DPA's preliminary conclusions, after which the DPA will make their final decision.
Holding
Overall, the DPA found that many of the controller's employees work on cases from across the country, in several service areas, with broad access rights. Despite this, there is no systematic control over how they use the systems; use relies instead on trust. The employees also lack the necessary tools to manage this trust and the responsibility they are given, due to a lack of routines and supervision.
Following the audit, the DPA draws two main conclusions. First, the controller's management system is not suited to ensuring adequate security for protecting personal data. Second, confidentiality in their systems, in practice, is not adequate. This resulted in 12 violations:
- Violation 1: The controller has not established an adequate management system to provide adequate technical and organisational measures to ensure and demonstrate that processing personal data is done in line with Article 5(2) GDPR and Article 24(1) GDPR and Article 24(2) GDPR.
- Violation 2: The controller's governing documentation for access controls fails to incorporate adequate technical and organisational measures, necessary for ensuring and demonstrating compliance with Article 32(1) GDPR and Article 32(2) GDPR, see also Article 5(2) GDPR and Article 24(1) GDPR and Article 24(2) GDPR.
- Violation 3: The controller does not regularly review its governing documentation for access controls, as required by Article 32(1)(d) GDPR.
- Violation 4: The controller has not implemented sufficient organisational measures to ensure that risk assessments are done as per Article 32(2) GDPR, when establishing and developing IT systems.
- Violation 5: Access to metadata of documents in one system is too general and broad, violating the confidentiality principle of Article 5(1)(f) GDPR and the security requirements set out in Article 32(1) GDPR.
- Violation 6: The controller has not implemented sufficient organisational measures for training identity control administrators, violating Article 32(1) GDPR and Article 32(4) GDPR.
- Violation 7: The routines for granting access are out of date and fail to provide guidance for discretionary assessments, violating Article 32(1) GDPR and Article 32(4) GDPR.
- Violation 8: Access to personal data only processed for archive purposes in historical cases is too general and broad, violating the confidentiality principle of Article 5(1)(f) GDPR and the security requirements set out in Article 32(1) GDPR.
- Violation 9: The controller has chosen to organise their access controls in a way that allows a significant number of users access to systems with no real work-related need for it. Combined with an inadequate system for access controls, this violates the confidentiality principle of Article 5(1)(f) GDPR and the security requirements set out in Article 32(1) GDPR.
- Violation 10: The controller has inadequate technical and organisational measures for safeguarding personal data of certain categories of data subjects (own employees, people with secret addresses etc.), violating Article 32(1) GDPR and Article 32(2) GDPR.
- Violation 11: The controller has inadequate routines for controlling unit leaders' yearly revision of accesses, violating Article 32(1)(d) GDPR.
- Violation 12: The controller has not established a systematic access log control. Combined with the fact that a significant number of employees have broad accesses (see violation 9), this violates the requirement to implement sufficient technical and organisational measures to ensure and demonstrate that the processing of personal data is done in line with the GDPR, thus violating Article 32(1) GDPR and Article 32(2) GDPR, see also Article 5(2) GDPR, Article 24(1) GDPR and Article 24(2) GDPR, as well as the requirements for periodic control as per Article 32(1)(d) GDPR.
First, the DPA intends to order the controller to rectify the 12 violations. This includes establishing a comprehensive and suitable systematic approach for organisational measures to ensure and demonstrate compliance with the GDPR, including necessary routines. Further, the controller must establish technical and organisational measures for access controls and access control logs to ensure confidentiality in their processing of personal data, including limiting access to what's necessary.
Second, the DPA intends to fine the controller €1,754,678 (NOK 20 million) for violating Article 5(1)(f) GDPR, Article 32(1) GDPR, Article 32(2) GDPR, Article 32(4) GDPR, as well as Article 5(2) GDPR, Article 24(1) GDPR and Article 24(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
LABOR AND WELFARE AGENCY PO Box 354 8601 MO IN RANA Your reference Our reference Date 23/4873 23/00708-23 27.11.2023 Submission of final inspection report - Notice of decision on order and infringement fee 1 Introduction We refer to the local inspection at the Norwegian Labor and Welfare Agency (NAV) on 6 September 2023, which was notified in our letter of 1 March 2023. The inspection was carried out pursuant to the personal protection regulation article 57 no. 1 letter a and letter h, cf. article 58 no. 1 letter a, b, e and f. The Personal Data Protection Regulation has been implemented in Norwegian law by incorporation, see § 1 of the Personal Data Act. It appears from § 20 of the Personal Data Act that the Norwegian Data Protection Authority is the supervisory authority Article 51 of the Personal Data Protection Regulation. Our powers to issue orders and to impose infringement fees are respectively the personal protection regulation article 58 no. 2 letter d and article 58 no. 2 letter i. We show also to § 26 second paragraph of the Personal Data Act, which states that the Norwegian Data Protection Authority can impose public authorities and bodies infringement fee according to the rules in the personal data protection regulation Article 83. Preliminary inspection report was submitted to NAV on 1 November 2023. NAV submitted its comments to the report on 22 November 2023. 2. Final inspection report and notice of decision Our final inspection report is attached. Based on NAV's comments, we have done so some changes in the report. The changes are marked continuously with footnotes. In the audit, we have checked whether NAV ensures satisfactory confidentiality in the IT solutions (the "professional systems") that are used to process personal data in connection with service provision. Postal address: Office address: Telephone: Org. 
no: Website: PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLO The inspection included technical and organizational measures related to access control, log and log control, cf. the personal protection regulation article 32 and article 5 no. 1 letter f, including re NAV has established a suitable management system, cf. Article 24 and Article 5 of the Personal Protection Ordinance No. 2. The control was limited to the processing of personal data in professional systems that are part of it the governmental part of NAV's service provision. Our main conclusions are that NAV's management system is not suitable for ensuring a satisfactory level of security for personal data, and that the safeguarding of confidentiality i NAV's subject systems in practice are also not satisfactory. In the report we have identified 12 offenses (in the report and in the notice here also referred to as "deviation") that NAV is required to rectify. We have come to the conclusion that NAV should also be subject to an infringement fee as a result of the offences. Our assessments and the factual and legal conditions underlying the notified the orders and the notified infringement fee appear below. We also refer to our assessments, and to the descriptions of the factual and legal conditions in the case, as described in the final inspection report. 3. Notice of decision on order In accordance with Section 16 of the Public Administration Act, we hereby notify you that, pursuant to the personal protection regulation article 58 no. 2 letter d, is considering making the following decision: 1. NAV is required to establish a comprehensive and suitable system for organizational measures to ensure and demonstrate compliance with the privacy regulations, cf. the privacy regulation article 5 no. 2, article 24 no. 1 and 2 and article 32 no. 1, 2 and 4, as the local the inspection has revealed that the existing measures do not meet the requirements of the law. 
See point 4 and 5 (deviations 1 and 2) in the inspection report. Below this, NAV must establish: Routines for regular revision of the governing documentation for a. access management, as the local inspection revealed that it is not subject to regular audit in accordance with the requirements of the Personal Data Protection Regulation article 32 no. 1 letter d. See point 5.2.2 (deviation 3) in the inspection report. b. Routine for carrying out risk assessments in the establishment and development of professional systems, when the local inspection revealed that the existing routines did not ensures that risk assessments are carried out in accordance with the Personal Data Protection Regulation article 32 no. 2. See point 5.2.2 (deviation 4) in the inspection report. 2 c. Routine for training identity administrators, as the local inspection revealed that no satisfactory organizational measures have been established for the training of this group, cf. the personal protection regulation article 32 no. 1 and no. 4. See point 5.3.2 and 5.4.2 (deviation 6) in the inspection report. d. Updated and suitable routines for granting access in the various subject systems, when the local inspection revealed that the existing routines are outdated and deficient, and thus do not meet the requirements of the Personal Data Protection Ordinance article 32 no. 1 and no. 4. See point 5.4.2 (deviation 7) in the inspection report. e. Routine for checking unit managers' annual audit of accesses, then that The local inspection revealed that the existing routines do not meet the requirements of the personal data protection regulation article 32 no. 1 letter d. See point 5.8.2 (deviation 11) in the supervision report. 2. NAV is required to establish technical and organizational measures related to access management which provides satisfactory confidentiality protection of personal data, cf. the personal protection regulation article 5 no. 1 letter f and article 32 no. 
1, then the local the inspection revealed that the existing measures do not meet the requirements of the law. See point 5 (deviation 9) in the inspection report. Below this, NAV must establish: a. Technical and organizational measures for the archive system Joark which limit access to metadata about documents across disciplines to cases where it is necessary, as the local inspection revealed that the availability of such data is too general and broad, and thus does not meet the requirements of personal protection regulation article 5 no. 1 letter f and article 32 no. 1. See point 5.3.2 (deviation 5) in the inspection report. b. Technical and organizational measures to limit access to personal data that is only processed for archival purposes (historical matters) to cases where it is necessary, when the local inspection revealed that access to historical matters are too general and broad, and thus do not meet the requirements of personal protection regulation article 5 no. 1 letter f and article 32 no. 1. See point 5.4.2 (deviation 8) in the inspection report. c. Technical and organizational measures that provide the opportunity to adapt personal data security based on risk based on specific user needs, when the local inspection revealed that the existing measures do not provide such possibility, and consequently do not meet the requirements for the security measures to be adapted the risk of the processing cf. the personal data protection regulation article 32 no. 1. See point 5.7.2 (deviation 10) in the inspection report. 3. NAV is required to establish technical and organizational measures related to log control such as provides satisfactory confidentiality protection of personal data, cf. the personal protection regulation article 5 no. 1 letter f and article 32 no. 1 letter d and no. 4, when the local inspection revealed that the existing measures do not comply with the law claim. See point 7 (deviation 12) in the inspection report. 
3 The Norwegian Data Protection Authority requests a timetable for the implementation of the notified orders, which will be considered taken into account during the design of the final decision. 4. Notification of a decision to impose an infringement fee In accordance with Section 16 of the Public Administration Act, we hereby notify you that, pursuant to the personal data protection regulation article 58 no. 2 letter i, cf. personal data act § 26, considers making the following decision: NAV is charged with an infringement fee of NOK 20,000,000 – twenty million – for violation of a) the personal protection regulation article 5 no. 1 letter f and article 32 no. 1, 2 and 4, as a result of processing personal data in a way that does not ensures sufficient security for the personal data, and b) the personal protection regulation article 5 no. 2 and article 24 no. 1 and 2, which as a result of not having implemented suitable technical and organizational measures to ensure and demonstrate that the processing of personal data is carried out in compliance with the Personal Data Protection Regulation. 5. Privacy in NAV NAV is a nationwide public enterprise, and consists of both municipal and state agencies services. NAV consists of the state employment and welfare agency and the partnership with each single municipality. NAV is responsible for managing welfare services as labor market measures, social security benefits and social assistance. Almost all residents of Norway are in contact with NAV during life. NAV is in a special position from a privacy perspective. The tasks are imposed on NAV entails the processing of personal data on an enormous scale, including highly sensitive ones information. According to figures from NAV's annual report for 2022, last year there were approx. 3.2 million people who received benefits from NAV. There is therefore a built-in high privacy risk in NAV's operations, which entails strict requirements for personal data security. 
This risk was identified and pointed out already at the adoption of Act 16 June 2006 no. 20 on the employment and welfare administration (NAV Act). In the consultation round, the Norwegian Data Protection Authority expressed concern that the reform would lead to a significant availability of sensitive information about the individual. The Norwegian Data Protection Authority's consultation opinion is reproduced as follows in the preparatory work for NAV Act (on page 66 of Ot.prp. no. 47 (2005-2006)): "Overall, the proposal does not appear, in the opinion of the Norwegian Data Protection Authority, to be suitable for create trust in the new agency in the population. For the Norwegian Data Protection Authority, it will be unacceptable 4 if a principle is not established during the merger - also for the development of the ICT system, that no one should have access to more personal data than those who they need to carry out their duties properly, and that any notice they employees do must be logged and the logs checked." The Ministry of Labor and Inclusion commented on our view and that of other hearing bodies as follows on page 71 of the proposal: "Consideration of confidentiality and privacy must be ensured by the sum of the legal rules, security measures, process and mechanisms for managing access to information in ICT the systems and the regime for control and follow-up of this which is arranged. In order to safeguard information security, including ensuring the principle that no one should have access to more personal data than they need to carry out their work tasks, is the importance of a control regime that follows up information security. Both the agency and the joint local offices will manage large amounts of sensitive information personal data. 
If a clear regime is not established for information security, this is a risk.” In other words, it has been a known assumption, ever since the establishment of NAV, that safeguarding personal data security - especially in the form of confidentiality protection - must be a central part of the business. 6. Overall findings The main findings of the inspection are that NAV has organized itself in such a way that a large number of employees work together cases from all over the country, within several service areas, and consequently have correspondingly wide access. At the same time, no systematic control of employees' use of the subject systems has been established. The result of this is, as we see it, that the use of the professional systems is largely based on trust. A lack of routines and management mean that employees do not have the tools they need to manage it the trust and responsibility they are given. As mentioned, we have identified 12 offences. We refer to our assessments and to the descriptions of the factual and legal circumstances in the case, as described in the final inspection report. The conclusions are as follows: • Deviation 1: NAV has not sufficiently established a management system that provides suitable technical and organizational measures to ensure and demonstrate that their processing of personal data is processed in accordance with the Personal Data Protection Regulation, cf. Article 5 no. 2 and article 24 nos. 1 and 2. See report point 4. • Deviation 2: NAV's governing documentation for access management lacks suitable technical specifications and organizational measures to ensure and demonstrate that their processing of personal data is processed in accordance with the Personal Data Protection Regulation, cf. Article 32 no. 1 and 2, cf. also article 5 no. 2 and article 24 no. 1 and 2. See report point 5.2. 
5• Deviation 3: NAV's governing documentation for access management is not subject to regular audit in accordance with the requirements of the Personal Protection Regulation Article 32 No. 1 letter d. See report point 5.2. • Deviation 4: NAV has not established satisfactory organizational measures to ensure that risk assessments are carried out in accordance with the Personal Protection Ordinance Article 32 No. 2 in the establishment and development of professional systems. See section 5.2 of the report. • Deviation 5: The availability of metadata about documents in Joark is too general and vid and is not compatible with the confidentiality principle in the personal data protection regulation article 5 no. 1 letter f and the requirements for personal data security in article 32 no. 1. See section 5.3 of the report. • Deviation 6: NAV has not established satisfactory organizational measures for training by identity administrators. Our conclusion is that this is a deviation from the requirements in the personal protection regulation article 32 no. 1 and no. 4. See the report points 5.3 and 5.4. • Deviation 7: The routines for granting access are outdated and do not provide guidance linked to discretionary assessments. This is to be considered a deviation from the requirements of organizational measures according to the personal protection regulation article 32 no. 1 and no. 4. See report section 5.4. • Deviation 8: The provision of personal data that is only processed for archival purposes (historical matters) are too general and broad and are not compatible with the confidentiality principle in the personal protection regulation article 5 no. 1 letter f and the requirements for personal data security in article 32 no. 1. See report point 5.4. • Deviation 9: NAV has organized itself in such a way that a significant proportion of users have a utilitarian need to have wide access. 
In combination with a deficient system for log control (see report point 7) this is not compatible with the confidentiality principle in the personal protection regulation article 5 no. 1 letter f and the requirements for personal data security in article 32 no. 1. See report section 5.4. • Deviation 10: NAV's lack of technical and organizational measures for shielding based on individual needs is a deviation from the requirement that security measures be adapted the risk of the processing, cf. the personal protection regulation article 32 nos. 1 and 2. See report section 5.7. • Deviation 11: NAV has not established satisfactory routines for the control of unit managers annual audit of accesses. This is a deviation from the requirement in the Personal Data Protection Regulation article 32 no. 1 letter d. See report point 5.8. • Deviation 12: NAV has not established a systematic log check. In combination with that a significant proportion of NAV's employees have wide access (see report point 5.4/deviation 9 above), this will be considered a deviation from the requirement to introduce suitable technical and organizational measures to ensure and demonstrate that the processing of personal data 6 is carried out in accordance with the Personal Protection Ordinance, cf. Article 32 no. 1 and 2, cf. also article 5 no. 2 and article 24 no. 1 and 2, and from the requirements for regular control according to article 32 no. 1 letter d. See report point 7. We observed during the inspection that NAV's security framework is being revised. NAV has a target of completing this work in 2026. We therefore specify that our assessments take based on NAV's practice and compliance with the regulations at the time of the inspection. We would also like to clarify that we have exclusively looked at internal personal data security. Wide access and lack of use of logs can also make NAV vulnerable to outsiders security threats. 7. Previous supervision and evaluations etc. 
7.1 Supervision in 2007 The Danish Data Protection Authority checked personal data security in NAV through four inspections in 2007 (case numbers 07/01456, 07/01457, 07/01458 and 07/01459). Inspection with case number 07/01456 was aimed at NAV centrally, while the other inspections were aimed at different people local office. The Norwegian Data Protection Authority found deviations related to access management, logging and log control. This resulted in blue. the following order (case 07/01456): 1. "The Directorate of Labor and Welfare must establish satisfactory information security as regards access control and logging in accordance with § 13 of the Personal Data Act, cf. § 2-11 of the Personal Data Regulations. Reference is made to section 8.1.5.1 of the control report. 2. The Directorate of Labor and Welfare must limit access granted at NAV Lier in accordance with § 13 of the Personal Data Act, cf. § 2-11 of the Personal Data Regulations. refer to section 8.1.5.2 of the control report. 3. The Directorate of Labor and Welfare must end the use of Arena as a joint follow-up tools unless security measures are established in accordance with § 13 of the Personal Data Act, cf. Personal Data Regulations §§ 2-7, 2-8, 2-11 and 2-14. Reference is made to section 8.2.3 of the control report.' Among the main findings in the inspection report was that the individual employee had received a significant greater access to personal data through the NAV reform, and that NAV seemed to have chosen a tools to follow up the individual service recipient without any basic principles being established information security measures. 7.2 Supervision in 2010 The Norwegian Data Protection Authority checked personal data security in NAV again in 2010 (case 10/01228). The deviations related to access management, logging and log control, which were ascertained in 2007, were then not closed. The inspection resulted in, among other things, in the following order to NAV: 7 1. 
"The Directorate of Labor and Welfare must establish logging of notices on individuals in its subject systems in accordance with § 13 of the Personal Data Act, cf. §§ 2-8 and 2-14 of the Personal Data Regulations. Reference is made to the section of the control report 6.4.3. 2. The Directorate of Labor and Welfare must establish satisfactory confidentiality protection as regards access control and the use of logs in accordance with the Personal Data Act § 13, cf. §§ 2-11 and 2-14 of the Personal Data Regulations. It is referred to section 6.5.3 of the control report." 7.3 Supervision in 2011 In 2011, the Norwegian Data Protection Authority carried out an inspection (case 11/00797) with a focus on the distribution of responsibilities between the state and the municipal part of NAV. The Norwegian Data Protection Authority also checked whether the deviations found in 2007 and 2010 were closed. From the summary of the inspection report, the following can be found: "The safeguarding of confidentiality in NAV is not satisfactory. This is because it is given very wide accesses, and logging and use of logs is deficient. This has previously been documented in the control with the directorate in 2010. In addition, sufficient routines have not been established for allocation of access. Lack of confidentiality protection applies to both municipal and state subject system." From the Norwegian Data Protection Authority's notice of an order in the case, the following can be found: "Deviations documented in the present control report confirm findings from earlier checks with the Norwegian Directorate of Labor and Welfare and previously issued orders. This applies: 1. The need for the Directorate of Labor and Welfare to establish satisfactory confidentiality protection in terms of access management and use of logs in accordance with § 13 of the Personal Data Act, cf. Personal Data Regulations §§ 2-11 and 2- 14. Reference is made to section 7.4.6.1 of the control report. 
Reference is made here to the Norwegian Data Protection Authority's decision on orders of 6 May 2011. The relationship is followed up in previous control case." NAV confirmed in a letter on 21 January 2013 that the discrepancies had been closed. The Norwegian Data Protection Authority based this and closed the case on 8 February 2013. 87.4 BDO and Wiersholm's evaluation of NAV in 2016 Audit company BDO AS and Advokatfirmaet Wiersholm AS prepared a report on access controls in NAV in 2016, commissioned by NAV. Their overall assessment is worded as follows on page 4 of the report: "It is BDO's and Wiersholm's overall assessment and conclusion that NAV does not have able, to a sufficient extent, to understand the meaning of that treatment of personal data is central to NAV's operations and the strict requirements that follow of this. NAV has several times been made aware of conditions that should caused users' privacy and processing of personal data to be lifted on the strategic agenda and thus given the work to look after the users privacy the necessary priority. This does not seem to have been done.” 7.5 PwC's evaluation of NAV in 2020 2 In 2020, PwC AS carried out a maturity assessment of the entire Swedish Employment and Welfare Agency, with a focus on i.a. information security. PwC also uncovered a number of weaknesses in the security work at NAV, particularly related to the management system. 7.6 NOU 2023: 11 – Fast and correct NOU 2023: 11 is an investigation of the complaint and appeal system in the Norwegian Labor and Welfare Agency and The social security right. The committee behind the study concludes that NAV's work to increase the quality of performance management appears to be not comprehensive and systematic. The committee has recommended that a comprehensive quality system be drawn up, which will ensure a focus on quality i the services to the users, as well as the processes behind these. 
7.7 Final note – previous supervisory significance for this case In light of the history described above, we consider the findings from the last inspection to be very important serious. In the areas of access management and log control, we assess the current state as similar or worsened since the previous inspection. In our assessment of the necessity to impose an infringement fee in this case, we have taken into account previous orders issued by the Norwegian Data Protection Authority have not been shown to be sufficiently effective. 8. Violation fee 8.1 General information on infringement fees In accordance with the Personal Data Protection Regulation article 58 no. 2 letter i, cf. Personal Data Act § 26 second paragraph, the Norwegian Data Protection Authority may impose infringement fees on public authorities in line with the rules in the regulation article 83 in the event of a breach of the regulations. 1 Access controls in NAV - Review, analysis and proposals for improvements (13 October 2016), BDO and Wiersholm. Available via the website https://jusboka.no/wp-content/uploads/2016/11/Rapport-om- 2access-controller-in-NAV.pdf?x22677. Security maturity assessment (November 2020), PwC AS. The report is exempt from public disclosure. 9 Only violations of the provisions listed in Article 83 nos. 4 and 5 can is sanctioned with an infringement fee, cf. the legal requirement in section 44 first paragraph of the Public Administration Act. Violation fees are to be considered a penalty according to the European human rights convention article 6. A clear preponderance of probability is therefore required for offense in order to be able to impose a fee. According to section 46 first paragraph of the Public Administration Act, subjective fault (negligence) is required on the part of the person or them who has acted on behalf of the company when imposing an infringement fee, unless otherwise stated otherwise is determined. 
The power to impose infringement fees is given as a means of ensuring effective compliance with and enforcement of the Personal Data Act. It follows from Article 83 no. 1 of the Regulation that each supervisory authority must ensure that the imposition of infringement fees in each individual case is "effective, proportionate to the infringement and dissuasive". This is elaborated in recital 148: "In order to strengthen the enforcement of the provisions of this Regulation, infringements of this Regulation should be subject to sanctions, including an infringement fee, in addition to or instead of suitable measures that the supervisory authority imposes pursuant to this Regulation."

The conditions for imposing a fee appear in Article 83 of the Regulation. The provision basically instructs that the imposition of infringement fees is based on a discretionary overall assessment, but lays down guidelines for the exercise of that discretion by highlighting elements that must be given particular weight, cf. Article 83 no. 2 letters a to k.

As regards the amount of the fee, Article 83 nos. 4 and 5 state maximum rates depending on which provisions of the Regulation have been breached. The same points as when assessing whether a fee should be imposed must also be given particular weight when determining its size. The fee should be set high enough that it also has an effect beyond the specific case, while the amount must be in a reasonable proportion to the infringement and the undertaking, cf. Article 83 no. 1.

8.2 Assessment of whether an infringement fee should be imposed

8.2.1 The legality requirement

The Norwegian Data Protection Authority has come to the conclusion that NAV has breached Article 5 no. 1 letter f and Article 32 nos. 1, 2 and 4 of the General Data Protection Regulation. In addition, we have come to the conclusion that Article 5 no. 2 and Article 24 nos. 1 and 2 have been breached. Article 24 is not mentioned in the list in Article 83 nos.
4 and 5. A breach of this provision can therefore only be sanctioned with an infringement fee if this is stipulated in national law. For Article 24, such authority is given in Section 26 first paragraph of the Personal Data Act. There are thus several offences that can provide grounds for the imposition of an infringement fee, cf. Section 44 first paragraph of the Public Administration Act.

8.2.2 The fault requirement

The Norwegian Data Protection Authority cannot designate individuals at NAV who are to blame for the violations. Based on case law, however, there is no requirement that the fault be individualised. Both anonymous and cumulative errors can form a basis for liability when imposing corporate penalties, cf. HR-2022-1271-A, paragraphs 46-50.

As shown above in point 7, the violations are linked to conditions that NAV has several times been made aware do not meet the requirements of the law. NAV has been aware of this for a long time. On this basis, we must conclude that it has been a conscious choice on NAV's part to continue with technical and organisational solutions that do not meet the requirements of the privacy regulations. NAV has thus demonstrated intent in the infringements. The fault requirement under Section 46 of the Public Administration Act is thus fulfilled, as ordinary negligence is in any case sufficient.

8.2.3 Assessment points that must be given particular weight

Article 83 no. 2 letters a to k of the Regulation sets out elements that must be taken into account in the decision on whether to impose an infringement fee as well as in determining its size.
Below follows our assessment of the points we consider relevant in assessing whether an infringement fee is to be imposed:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

NAV has breached fundamental principles for the processing of personal data through the violations of Article 5 no. 1 letter f and Article 5 no. 2. The violations of Article 24 and Article 32 nos. 1, 2 and 4 show a pervasive systemic weakness and insufficient control related to personal data security and the obligations NAV has as data controller, both in routines and in practice. The violations indicate that NAV has not seen its employees as a risk factor in assessments related to personal data security. The data minimisation principle does not appear to be taken into account through NAV's management principle of "official need".

The violations are extensive and have been going on for many years, probably ever since NAV was created, cf. point 7 above. A very large number of data subjects are affected. We refer to the fact that NAV in 2022 had approximately 3.2 million service recipients.

In the audit, we looked at selected systems in the state part of NAV's service provision. We do not have a basis for assessing the purposes of each individual processing operation. In general, we assume that the processing purposes are linked to the administration of the population's rights under welfare legislation. Many of these rights exist for people in vulnerable life situations.

As regards the extent of the damage the data subjects have suffered, we have only investigated the risk of damage. Lack of governance from management, very wide access for employees and the absence of log control entail a high risk of damage in the form of employees' unauthorised acquisition of personal data.
We have not investigated the extent to which this risk has actually materialised. The extent of the damage the data subjects have suffered is therefore not known. However, we consider it a clear breach of integrity vis-à-vis the data subjects that their personal data are more or less openly available to all employees of NAV. This is a serious breach of the confidentiality principle enshrined in Article 5 no. 1 letter f of the General Data Protection Regulation.

b) whether the infringement was committed intentionally or negligently

We have come to the conclusion that NAV has shown intent in the infringements, cf. point 8.2.2 above. This is given weight in an aggravating direction.

c) any measures taken by the controller or processor to limit the damage suffered by the data subjects

NAV's security framework is being revised and will be completed in 2026. We therefore assume that this work will in future remedy the violations of Article 24. The work on the security framework may also limit some of the damage that follows from the violations of Articles 5 and 32. Nevertheless, we do not perceive that NAV has any intention of restricting employees' access to the subject systems or of introducing systematic log control. We can therefore not give this measure weight in a mitigating direction when it comes to limiting damage as a result of the violations in these areas.

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32

The violations in this case are based precisely on the fact that NAV has not implemented sufficiently suitable technical and organisational measures to ensure that the processing of personal data is performed lawfully. There is therefore basically a high degree of responsibility. As regards the violations of Article 5 no. 1 letter f and Article 32 nos.
1, 2 and 4, the degree of responsibility is particularly high, as NAV has been made aware of the infringements several times in the past, and in addition has not complied with orders to improve the conditions, cf. points 7.1, 7.2 and 7.3 above. See also letters e and i below.

As mentioned, we understand that NAV has no intention yet of limiting employees' access in the subject systems or of introducing systematic log control. We have the impression that NAV has established several technical possibilities for restricting access, but that these are used only to a very limited extent. This applies, for example, to the subject system Arena. It emerged during the inspection that the "expandable" roles in Arena, where employees must justify in writing lookups outside their core accesses, can no longer be used as intended. NAV has over time changed how it organises its tasks, so that it is no longer natural to use technical limitations linked to, for example, geography. We believe that through this NAV has demonstrated an inability to carry out the necessary improvements to personal data security, despite knowing that this entails offences. There is therefore no doubt that the degree of responsibility points in an aggravating direction.

e) any relevant previous infringements by the controller or processor

We have not previously checked NAV's compliance with Article 24. As regards the violation of this provision, there are therefore no previously known violations that are considered relevant to the case. Regarding the violations of Article 5 no. 1 letter f and Article 32 nos. 1, 2 and 4 through inadequate access management and log control, there are several relevant previous violations. We point out that, on these points, violations of the law were detected through inspections in 2007, 2010 and 2011, cf. points 7.1, 7.2 and 7.3 above.
The violations are linked to provisions in the Personal Data Act (2000) that have now been continued through Article 5 no. 1 letter f and Article 32 nos. 1, 2 and 4. This is given weight in an aggravating direction.

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects

Throughout the supervisory process, NAV has acted in an accommodating and cooperative manner. NAV has complied with deadlines and presented the requested information in a systematic and orderly form. Compliance with the statutory duty to provide all information the supervisory authority needs to carry out its tasks, cf. Article 58 no. 1, cannot, however, be given weight in a mitigating direction, cf. the Privacy Appeals Board's decision in PVN-2022-03. As described under letter h below, NAV itself has not considered the violations to be deviations. The assessment element in letter f has therefore not come to the fore in this case. We find no basis for emphasising this point.

g) the categories of personal data affected by the infringement

The subject systems at NAV may contain or provide access to detailed information about, among other things, family relationships, health, education, employment, finances, religion and ethnicity, institutional stays, criminal convictions and offences. Information about which NAV benefits a person receives can in itself be health information. The subject systems have no time limitation, so that employees have access to information about individuals from all phases of life. Several of the categories of information affected by the violations constitute special categories of personal data under Article 9 no. 1. These points are given weight in an aggravating direction.
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

The Norwegian Data Protection Authority became aware of the violations through the on-site inspection and orders to NAV to provide relevant information. The violations largely concern systematic, organisational weaknesses that NAV itself has not considered a deviation. In conversations with NAV, its representatives have placed emphasis on explaining why the systems must be set up the way they are. Accordingly, it cannot be said that NAV has notified the Norwegian Data Protection Authority of the violations. However, we find no basis for giving this assessment element weight in an aggravating direction.

i) where measures referred to in Article 58 no. 2 have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures

No measures have previously been taken against NAV with regard to violations of Article 24. NAV was ordered by the Norwegian Data Protection Authority to establish satisfactory personal data security through access management, logging and log control in 2007, 2010 and 2011. We refer to points 7.1, 7.2 and 7.3 above. The orders are linked to provisions in the Personal Data Act (2000) that have now been continued through Article 5 no. 1 letter f and Article 32 nos. 1, 2 and 4. We therefore believe that the orders, both factually and legally, relate to the "same subject matter", cf. letter i. The order to establish logging from the 2010 decision is considered to have been complied with. In the areas of access management and log control, we consider the current state to be similar to or worse than at the last inspection. The orders to establish satisfactory access management and log control are therefore not considered to have been complied with.
This is given weight in an aggravating direction.

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42

Not relevant to the case.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

In a mitigating direction, we emphasise that NAV gives data subjects access to the log of employees' lookups in the subject systems. Admittedly, this cannot be considered a security measure, but it may have a certain preventive effect.

In an aggravating direction, we emphasise that NAV, by virtue of its role, has a particular responsibility to ensure that personal data are processed in a secure manner. We also emphasise that NAV has not responded adequately to repeated calls, through supervision and external evaluations, to give the work on personal data security the necessary priority. In addition, we emphasise in an aggravating direction that it is largely left to the data subjects to detect unlawful lookups in the subject systems.

8.2.4 Overall assessment

The offences that have been uncovered show structural, organisational weaknesses and a lack of understanding of the importance of privacy and of the expectations placed on NAV in this area. We consider it very serious that an authority such as NAV has not adequately safeguarded the population's personal data in a secure manner. It is clear that the work on personal data security has not been given sufficient priority and resources. It is a management responsibility to ensure that privacy is adequately safeguarded in an organisation. The way the management system linked to access management and log control is set up today, it is very demanding to verify whether the use of the subject systems takes place within the framework of the law.
Local offices are given great freedom to organise themselves in their own ways. This means that NAV's management principle of "official need" is in practice defined far down in the organisation. This leads to management seemingly largely abdicating both responsibility for, and the possibility of checking, compliance with the data protection regulations in practice. Missing governance entails a high risk of compliance being left to chance. That is not acceptable for an authority such as NAV.

After an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that NAV should be imposed an infringement fee. In this assessment, we have taken into account that previous orders have not proven to be sufficiently effective. The imposition of an infringement fee is therefore considered necessary.

8.3 Assessment of the fee

The same points as when assessing whether a fee should be imposed must also be given particular weight when determining its size. In accordance with Article 83 no. 1, the infringement fee shall be effective, proportionate to the infringement and dissuasive. This means that the supervisory authority must make a concrete, discretionary assessment in each individual case.

NAV has breached the basic principles for the processing of personal data, cf. Article 83 no. 5 letter a, cf. Article 5 no. 1 letter f and Article 5 no. 2. There is thus a basis for imposing on NAV an infringement fee of up to 20,000,000 euros (currently approx. NOK 230,000,000).

In assessing the size of the fee, we have emphasised that NAV has for a very long time made special categories of personal data about a large number of people available without the necessary security mechanisms being in place. We have also placed emphasis on the fact that NAV has demonstrated intent in the infringements, among other things by not complying with previous orders relating to the same subject matter.
The violations are pervasive and very serious, seen in light of the fact that the processing of personal data is a central part of NAV's operations and that particularly high demands must therefore be placed on NAV safeguarding personal data in a secure manner. In a mitigating direction, we have only found that NAV has ongoing work to revise its security framework, and that NAV gives data subjects log access.

After an overall assessment of the above-mentioned points, and having regard to the legislation's requirement that the imposition of an infringement fee in each individual case must be effective, proportionate and dissuasive, we have come to the conclusion that an infringement fee of 20,000,000 – twenty million – kroner is appropriate. In determining the amount, we have taken into account that the orders notified in point 3 will also entail a financial burden.

The rules for calculating infringement fees are basically the same for public and private actors. Due to the seriousness of this case, compared to other cases in which the Norwegian Data Protection Authority has imposed an infringement fee, we find it necessary to explain why the fee is not set higher. Article 83 no. 7 of the Regulation allows national law to lay down rules on "whether and to what extent" infringement fees may be imposed on public authorities. Section 26 second paragraph of the Personal Data Act determines that public authorities can be imposed infringement fees in the same way as private actors.
In the consultation on the Personal Data Act (2018), several consultation bodies advocated that the infringement fees that can be imposed on public authorities should be limited in amount.[3] The explanation of why this opportunity was not used is expressed as follows in the preparatory works:

"The ministry has noted the concern that certain consultation bodies have expressed, but the ministry assumes that within the rules of Article 83 of the Regulation, which also specifies the elements that must be emphasised when determining administrative fines, there is room for considerable discretion with regard to the size of the fee. The amount limits in Article 83 of the Regulation specify maximum limits for determining administrative fines, while no minimum limits have been set."

We interpret this to mean that the legislator's intention has been to facilitate a differentiated assessment practice vis-à-vis public and private actors. In addition, the criteria in Article 83 no. 1 that infringement fees in each individual case must be effective and dissuasive entail, in our view, that the assessment should turn out differently for public and private actors. For comparison, Sweden has introduced a limit of SEK 10,000,000 for public authorities, see Chapter 6 § 2 of the Law (2018:218) with supplementary provisions to the EU's General Data Protection Regulation. In the absence of such a limit, we have in this case considered it necessary to adopt a relatively high fee. At the same time, we will emphasise that violations of a similar degree of severity by a private actor would lead to a far higher fee than what we have arrived at in this case.

[3] Prop. 56 LS (2017-2018) p. 142.

9. Further proceedings

This is an advance notice of a decision on an order and infringement fee, cf. Section 16 of the Public Administration Act. If you have comments on the notice, we ask that these be sent to us within three weeks of receipt of this letter. If you have any questions, you can contact Ingrid H.
Espolin Johnson on phone 22 39 69 42, or e-mail ingrid.johnson@datatilsynet.no.

10. Transparency and publicity

You have the right to inspect the case's documents, cf. Section 18 of the Public Administration Act. We also inform you that all documents are in principle public, cf. Section 3 of the Freedom of Information Act.

With best regards

Line Coll
director

Ingrid H. Espolin Johnson
senior legal advisor

The document is electronically approved and therefore has no handwritten signatures.

Copy to:
LABOR AND WELFARE DEPARTMENT, Anders Holt
LABOR AND WELFARE DEPARTMENT, Odd-Erik Røste

Appendix: Final inspection report