Datatilsynet (Norway) - 20/02165: Difference between revisions
From GDPRhub
No edit summary |
|||
| Line 54: | Line 54: | ||
}} | }} | ||
The Norwegian DPA fined Moss municipality approximately €47,700 (NOK 500,000) for breaching [[Article 32 GDPR|Article 32(1)(b) and (d) GDPR]] by merging two IT systems for health records | The Norwegian DPA fined Moss municipality approximately €47,700 (NOK 500,000) for breaching [[Article 32 GDPR|Article 32(1)(b) and (d) GDPR]] by merging two IT systems for health records. This lead to, among other things, incorrect information about vaccines and substance abuse during pregnancy. | ||
== English Summary == | == English Summary == | ||
Revision as of 14:20, 4 August 2021
| Datatilsynet (Norway) - 20/02165 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 5 GDPR Article 32(1)(b) GDPR Article 32(1)(d) GDPR Health Records Act §22 (pasientjournalloven) |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 04.06.2021 |
| Published: | 24.06.2021 |
| Fine: | 500,000 NOK |
| Parties: | Moss municipality (kommune) |
| National Case Number/Name: | 20/02165 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined Moss municipality approximately €47,700 (NOK 500,000) for breaching Article 32(1)(b) and (d) GDPR by merging two IT systems for health records. This lead to, among other things, incorrect information about vaccines and substance abuse during pregnancy.
English Summary
Facts
The two municipalities Rygge and Moss merged in January 2020. In the process of merging their IT systems for health records, several errors occurred:
- Incorrect registration of vaccines. Some people were registered as having received vaccines, when they in reality had not, and others were incorrectly registered as not having been given a vaccine, when they in fact had.
- Errors in health records for pregnant women, including error in the number of weeks into the pregnancy and related to information about the mother’s use of drugs/alcohol/nicotine.
- Patient health data was made accessible to unauthorized healthcare personnel and it was not possible to trace any unauthorized access (in Norway a patient has the opportunity and right to view who has accessed their medical information).
- Errors relating to daily operations (administration), such as appointment books.
28,000 people were transferred during the merger of the IT systems and about 2,000 could potentially have been affected by errors. However, no one were actually affected and the errors were rectified and are under control.
Moss municipality notified the DPA themselves about the personal data security breaches. The DPA found, in the end, that the municipality had breached § 22 of the Norwegian Health Records Act (pasientjournalloven) and Article 32(1)(b) and (d) GDPR (cf. Article 5 GDPR).
Holding
The DPA fined Moss municipality NOK 500,000 (€47,700) for insufficient technical and organisational measures to ensure a sufficient level of security when merging the IT systems. The DPA commented that the breaches were very serious and that the municipality should have conducted a data protection impact assessment (DPIA), as well as more testing before making the changes.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
MOSS MUNICIPALITY
PO Box 175
1501 MOSS
Their reference Our reference Date
20 / 10671-12- INAN 20 / 02165-9 04.06.2021
Decision on infringement fee - Moss municipality
1 Introduction
We refer to the submitted report of 4 February 2020 on breaches of personal data security,
as well as follow-up e-mail of 12 February 2020, and final notification of breach
personal data security of 27 April 2020. We also refer to correspondence with Moss
municipality's privacy representative, i.a. email of November 2, 2020.
Finally, reference is made to the Data Inspectorate's notification of infringement fines of 9 December 2020 and response
on this from Moss municipality of 21 January 2021, as well as, as well as other correspondence in the case.
Based on the municipality's response of 21 January 2021, and previous cases, we have adjusted
the violation fee down to 500,000 kroner.
Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance Article 58
no. 2 letter i), cf. article 83, we impose an infringement fee of 500,000 on Moss Municipality
kroner for failing to implement appropriate technical and organizational measures to achieve a
a level of security suitable for ensuring the continued confidentiality of treatment systems and
the services, cf. section 22 of the Patient Records Act, cf. section 32 no. 1 letter of the Privacy Ordinance
(b) and (d), in accordance with Article 5.
The background and reasons for the decision follow below.
2. The case
In connection with the merger of Rygge and Moss municipality which took place on 1 January 2020,
The municipality has sought to merge the use of IT systems for different service areas in
the municipality. This applies to the use of the subject system CGM Journal, which Moss municipality has used
for a number of years, and which Rygge municipality's employees in the health service children and young people used
the merger. In that context, a conversion of users and the system was made
data 13 and 14 January 2020.
Postal address: Office address: Telephone: Org.nr: Homepage:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 The OSLO subject system handles personal information and health data and includes persons residing in
the municipality, and which uses the health station. The system applies to services associated with
vaccination programs in the municipality, and other health checks as well as follow-up of pregnant women.
Moss municipality has discovered errors in connection with the conversion from HSPro to CGM
Journal. The plan was that all changes involving health information would be resolved on Friday 7.
February, and the rest on Thursday 13 February. A test environment was established so that the superuser
tested solutions before they were used in the production environment, and that the super user did
samples that the corrections worked as they should.
Errors have been corrected from 7 February to 4 March, when some errors were also discovered
what was originally reported to the Norwegian Data Protection Authority. These are stated in the final report of 27.
April 2020.
Moss municipality states that some of the violations represent violations
personal data security, including breaches of confidentiality, integrity and
availability. The breaches include both adults and children.
The violations reported are as follows:
• Errors in the registration of vaccines, including registered vaccines that persons do not have
received, and vaccines that individuals have received and that are not registered in
vaccine overview. The errors represent a danger of incorrect vaccination, and risk of
errors in the National Vaccine Register
• Error in journal data. Errors that have been found are related to follow - up of mothers in
pregnancy, i.a. errors in the number of weeks of pregnancy, weight and goals in the school health service
and in information about the mother's drug use.
• Patient information is made available to healthcare professionals at a department such as
does not have an official need for access, without access being traceable.
• Faults that have been found are related to daily operations, such as time books and
journal manager.
The number of registered records in the subject system that was transferred was a total of 28,000. 2,000 people are
potentially affected, but it has not been revealed that any people are specifically affected by the errors.
The errors have been corrected and are under control per. February 11, 2020.
3 The offense
The discrepancies concern breaches of confidentiality, integrity and availability. IN
Article 32 of the Privacy Regulation states:
«Taking into account the technical development, the implementation costs and the nature of the treatment,
the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and
severity of the rights and freedoms of natural persons, the data controller and
The data processor implements appropriate technical and organizational measures to achieve a level of security
which is suitable in terms of risk, including, inter alia, as appropriate,
a) pseudonymisation and encryption of personal data,
b) ability to ensure lasting confidentiality, integrity, availability and robustness in
treatment systems and services,
c) ability to restore the availability and access to personal information in a timely manner if necessary
a physical or technical event occurs,
d) a process for regular testing, analysis and assessment of the effectiveness of treatment
technical and organizational security measures are. "
Patient information has been available to healthcare professionals, without service needs, at
department Bredsand Rygge. The errors in the conversion have led to the danger that
patient information is no longer correct, valid and complete as a result of an error in
registration of vaccines and errors in medical records related to follow-up of mothers during pregnancy.
During the conversion, errors were registered in information about intoxication / alcohol / smoke during pregnancy.
The error occurred as a result of it being incorrectly registered that everyone has "ended the pregnancy"; something
which would be interpreted as meaning that everyone used drugs during pregnancy. This has now been corrected.
This constitutes a breach of Article 32 (1) (b) of the Privacy Regulation, which requires that
a level of security is established that is suitable for ensuring continued confidentiality, integrity and
availability.
In connection with the conversion, many and very serious errors occurred which could have had
major consequences for those affected. Lack of risk assessment has been a contributing factor
to the errors that occurred in the conversion. This is a violation of the Privacy Ordinance
Article 32 (1) (d).
The incident also indicates inadequate test runs prior to the process. In e-mail of 2.
November 2020, CGM (data processor) states that testing was performed at Rygge municipality
its database in connection with the conversion tool had to be further developed, in order to
handle exactly this conversion, but that it has not been adequately tested in
this case.
In a case involving the conversion of large amounts of sensitive data, it is reasonable to
expect that a test regime consisting of different test scenarios suitable for is established in advance
to be able to detect different types of errors that can occur during this type of conversion activity.
The results of such tests should be documented in a test report that is approved or
approved by the data controller before the actual conversion is carried out.
The information in such a test report could provide valuable information to super users and
other test personnel after the conversion and would have provided a good basis for testing that
all information has been converted correctly.
This would be a breach of Article 32 (1) (d) of the Privacy Regulation.
35 Assessment of the Privacy Ordinance's rules on infringement fines
The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public
authorities and bodies infringement fines under the rules of the Privacy Regulation Article
58, cf. Article 83 no. 7. It is stated here that «without prejudice to the authority of the supervisory authorities
to adopt corrective measures in accordance with Article 58 (2), each Member State may provide
rules on when and to what extent public authorities and bodies are established in the said
Member State may be fined. '
The right to impose infringement fines shall be a tool to ensure effective
compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as
punishment under Article 6 of the European Convention on Human Rights.
The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required
offense in order to impose a fee. The case and the question of imposing
infringement fines are assessed on the basis of this evidentiary requirement.
In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.
By an administrative sanction is meant a negative reaction that can be imposed by a
administrative body, which addresses a committed violation of law, regulation or individual
decision, which is considered a punishment under the European Convention on Human Rights
(EMK).
For companies, the guilt assessment is unique. Section 46 (1) of the Public Administration Act states:
"When it is stipulated by law that an administrative sanction may be imposed on an enterprise,
the sanction can be imposed even if no individual has shown guilt ».
In Prop. 62 L (2015-2016) page 199 it is stated about § 46: «The wording that‘ none
individual has shown guilt ’is taken from the section on corporate punishment in the Penal Code § 27
first paragraph and shall be understood in the same way. The responsibility is therefore basically objective ».
Article 83 provides in principle that the imposition of infringement fines depends on a
discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting
moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure
that the imposition of infringement fines in each individual case is effective is reasonable
relation to the violation and acts as a deterrent.
In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following
moments:
a) the nature, severity and duration of the infringement, taking into account
the nature, extent or purpose of the action concerned and the number of data subjects affected,
and the extent of the damage they have suffered
4 The breach of personal data security includes breaches of confidentiality, integrity and
availability. Patient information is made available to others at a ward that does not
have service needs. Who has had access to the patient data is not traceable.
The conversion errors have also meant that for a period of time one could not be sure that
the personal information was correct. For example. all pregnant women were classified as drug addicts
without being so.
No risk assessments and assessments of the privacy implications have been carried out
at the conversion. The breaches of personal data security also indicate deficiencies
test drive prior to conversion.
The breach of personal data security has meant that the data subject has lost control of
information about themselves. This applies both in relation to the accuracy of the information and who
who has seen the information. Health information has been available to healthcare professionals at
Bredsand Rygge, without it being traceable who has seen these.
The Data Inspectorate takes a serious view of the fact that the municipality has not implemented sufficient measures
technical measures to ensure a secure conversion of health information from the system in Rygge
municipality to system in Moss municipality.
b) whether the infringement was committed intentionally or negligently
The breach of personal data security has meant that the data subject has lost control of
information about themselves. No risk assessment has been carried out, assessment of
the privacy implications or adequate test runs before the conversion became
completed. The case shows that there has been a routine failure in the municipality. The breach includes special
categories of personal information, which should have led to extra caution from
the municipality's side. The Data Inspectorate considers the municipality's action to be negligent.
c) any measures taken by the data controller or data processor to
limit the damage suffered by the data subjects
The municipality has been in contact with those affected and informed about the incident. The municipality
first considered that the breach of personal data security would not entail a high risk of
the rights and freedoms of those affected. The Danish Data Protection Agency assesses this differently and has come to
the extent and nature of the breach means that Moss municipality is in the core area for
the duty to notify, cf. Article 34. That the municipality has not registered any of the consequences
has occurred shall be given importance. This was announced to the municipality in a letter dated 9 March 2020.
d) the degree of responsibility of the data controller or data processor, taking into account
to the technical and organizational measures they have implemented in accordance with Article 25 and
32
In this case, CGM admits that those who process data must bear the main responsibility
the test drive, but that the municipality had the main responsibility for quality assurance of converts
data. The Data Inspectorate shares this view.
5e) any relevant previous violations committed by the data controller or
the data processor
No previous violations have been established that have been committed by the data controller
or data processors relevant to the case.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
possible negative effects of it
There has been no cooperation between the Norwegian Data Protection Authority and Moss municipality to remedy
the damage.
g) the categories of personal data affected by the infringement
The breach of personal data security includes health information, which is a special category
of personal data, which is covered by Article 9. That the breach includes special categories of
personal information makes the incident extra serious.
h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
possibly to what extent the data controller or data processor has
notified of the infringement
Moss municipality, through the privacy ombudsman, notified the Danish Data Protection Agency of the breach
personal data security by e-mail of 4 February 2020
(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
data controller or data processor with respect to the same subject matter, that
the said measures are complied with
Not relevant to the case.
(j) compliance with approved standards of conduct in accordance with Article 40 or approved
certification mechanisms in accordance with Article 42
Not relevant to the case.
k) any other aggravating or mitigating factor in the case, e.g. economic benefits
which have been obtained, or losses which have been avoided, directly or indirectly, as a result of
the infringement
The Data Inspectorate views positively that Moss municipality quickly took action when the breach
personal data security was discovered. The municipality has also implemented measures that should
prevent similar offenses in the future.
The Data Inspectorate has not established that Moss municipality has had financial benefits, or avoided
direct or indirect loss as a result of the infringement.
The Norwegian Data Protection Authority has also not taken into account Moss municipality's financial ability.
66 Overall assessment
It is very serious that the municipality in connection with the conversion of patient information from
Rygge municipality to Moss municipality completed this conversion without one
risk assessment or assessment of the privacy implications. Nor has it been
conducted adequate testing prior to conversion.
In the Data Inspectorate's assessment, the case is important in principle. Moss municipality should have been equipped
to meet the requirements for personal data security in the event of this case
includes. In this respect, a decision on infringement fines can have an important signal effect.
After an overall assessment, the Data Inspectorate has come to the conclusion that Moss municipality should be imposed a
infringement fine.
7 The size of the fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that
«As a starting point, the same rules for infringement fines shall apply
public bodies as for private, as this is the scheme under current
Personal Data Act. »
The ministry further writes that they have noted the concern as some public
consultation bodies have expressed, but the Ministry assumes that within the rules of
Article 83 of the Regulation, which also sets out the factors to be taken into account in the measurement
of administrative fees, there is room for considerable consideration with regard to the size of
fee. The Ministry states that «[t] he flow limits in the regulation Article 83 state
maximum limits for the calculation of administrative fees, while no one has been set
minimum limits. "
With regard to the size of the fee, the same factors shall apply as when assessing whether the fee
shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
the specific case, at the same time as the size of the fee must be in a reasonable proportion to
the violation and the activity, cf. art. 83 No. 1.
The Data Inspectorate agrees with the municipality's input on the size of the infringement fee, seen in
in relation to similar cases that the Data Inspectorate has dealt with, and finds it possible to adjust this downwards
to NOK 500,000.
After an overall assessment of the case, and then especially with regard to the seriousness of the violation and
the legislation's requirement that the imposition of infringement fines in each individual case shall be
effective, proportionate and dissuasive, we have come to the conclusion of an infringement charge
NOK 500,000 is considered correct.
78 Deadline for fulfillment and right of appeal
You can appeal the decision. Any complaint must be sent within three weeks of this letter
has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will send
the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22.
If you do not appeal the order for an infringement fee, the fulfillment deadline is four weeks
after the expiry of the appeal period, cf. the Personal Data Act § 27.
With best regards
Bjørn Erik Thon
director
Knut Brede Kaspersen
legal director
The document is electronically approved and therefore has no handwritten signatures
8
