Datatilsynet (Norway) - 20/02291
Datatilsynet - 20/02291-4 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 24 GDPR Article 32 GDPR Health Records Act (pasientjournalloven) §§ 22-23 Personal Data Act § 26(1) |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 22.10.2020 |
Published: | 27.10.2020 |
Fine: | 750000 NOK |
Parties: | Sykehuset Østfold HF |
National Case Number/Name: | 20/02291-4 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian Norwegian |
Original Source: | Datatilsynet (in NO) Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined Østfold Hospital NOK 750,000 (approx. €64400) for insufficiently protecting patient data (Articles 32 and 5(1)(f) GDPR) and inadequate internal controls (Articles 24 and 5(2) GDPR).
English Summary
Facts
Østfold Hospital notified the DPA about a personal (patient) data breach, including insufficient security (lack of access controls and logs, not adhering to own policies and procedures) and storing personal data longer than necessary. Datatilsynets launched an investigation, which was concluded with a fine on 22 October 2020.
Dispute
How serious was the personal data breach submitted by Østfold Hospital? Did they breach the former Personal Data Act and/or the updated one, with the GDPR incorporated?
Holding
The DPA held that Article 32, cf. Article 24 and 5(1)(f), as well as the Health Records Act § 22, were breached due to unauthorized access to patient data; that Article 32, cf. Article 24 and 5(2), as well as the Health Records Act § 23, were breached due to unauthorized access to and possible unauthorized alteration of patient data; that Article 32, cf. Article 24 and 5(1)(f) and 5(2), as well as the Health Records Act §§ 22 and 23, were breached due lack of confidentiality, integrity and availability and that Article 32, cf. Article 24 and 5(1)(e), as well as the Health Records Act § 23, were breached due to unlawfully storing personal data. The DPA finally held that the medical records system's option for extracting patient reports was not in line with the principles of data protection by design and default, cf. Article 25, cf. Articles 32 and 24, and that Østfold Hospital failed to adhere to the requirements as per Article 30 for this processing activity.
Comment
It's interesting to note how the DPA reasons around which law is applicable in this case, as the personal data breach first happened in 2013, before the GDPR came into effect. Since the data breach extended into January 2019, the DPA held that the updated Personal Data Act, including the GDPR, was applicable in this case, increasing the potential level of fines from NOK 1,000,000 (approx. EUR 89,800) to NOK 107 000 000 (up to EUR 10,000,000).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
THE HOSPITAL ØSTFOLD HF PO Box 300 1714 GRÅLUM Their reference Our reference Date 19/00251 20 / 02291-4 22.10.2020 Decision on infringement fines and orders The Data Inspectorate refers to previous correspondence in connection with reports of violations personal data security (non-conformance report) with reference AR300186895, as you sent 14.01.2019. In a letter dated 16.07.2019, we asked for an account of several matters related to the discrepancy. Østfold HF Hospital reported on the case in a letter dated 13.08.2019. On 22.06.2020, we notified Østfold HF Hospital that we would consider making a decision infringement fines and orders. The hospital has commented on the warning in a letter dated 29.06.2020. We apologize for the long processing time. Decision on infringement fines and orders The Data Inspectorate has today made the following decision: Pursuant to Article 58 (2) (i) of the Privacy Ordinance, cf. the Personal Data Act § 26 second paragraph and the Patient Records Act § 29, cf. Article 83 of the Privacy Ordinance, Østfold HF Hospital is ordered to pay a infringement fine of 750,000 NOK - seven hundred and fifty thousand Norwegian kroner To the Treasury, for violation of the requirements for security and internal control by processing of personal data, cf. the Privacy Ordinance Article 32, cf. the Personal Data Act § 26 first paragraph, cf. the Privacy Ordinance article 24, and the Patient Records Act §§ 22 and 23. 2. Pursuant to Article 58 (2) (d) of the Privacy Regulation, the following is imposed Østfold HF Hospital to ensure that the management system for the treatment of personal data is suitable for meeting the requirements of the privacy regulations and patient record law. We refer in particular to the routines for access control and storage of personal information. The management system must involve follow-up of that the routines are followed, including follow-up that only safe systems are used Postal address: Office address: Telephone: Fax: Org.nr: Website: PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no 0105 OSLO processing of sensitive personal data. We refer to Article 32 of the Privacy Ordinance, cf. Article 24, and the Patient Records Act § 23. 2. Description of the facts of the case From August 2013 until January 2019, Østfold HF Hospital has been missing access control on report extracts from electronic patient records (EHR). The extracts from EHR are lists of patients ready for discharge (USK lists) and include special categories of personal information (sensitive patient information). The lists are based on the Patient Records Act § 6 second paragraph and aims to support the administration of package process, deadline breach and breach of promise, interaction, surgery and medical coding. The discrepancy includes three different lists: a) An updated USK list that includes approx. 25-30 patients. This list is updated every 15 minutes. b) A historical USK list from 2013 to 2019, with 13,800 patients and 26,596 printouts. c) Two lists with birth number and reason for admission, with approx. 30 patients. The personal information in the lists includes demographic information and name, date of birth, municipality, department affiliation and any information about arrangements for the transfer of patient to municipality. Two of the lists contained, as mentioned, the birth number and reason for admission. According to Sykehuset Østfold HF, there are no indications that personal information has been obtained balance and that the duty of confidentiality has thus been breached. All employees at Østfold HF Hospital have duty of confidentiality and has signed for this. 2.1 Access control Østfold HF Hospital has an established routine for access control, which was attached the statement to the Norwegian Data Protection Authority. We understand that the discrepancy is a violation of internal routines to provide access to employees with service needs. There has been no access control in the area / folders where the extracts of special categories personal data from the EHR was stored and / or temporarily stored. The personal information from the report extracts has been available to 118 employees at Østfold HF Hospital, of which many employees have not had an official need for such access. The hospital says in its letter that the personal information "was in an area that was not natural for most employees to go into "and that personal information" was difficult to access in the form that they were stored in subfolders among a larger amount of anonymized or strongly deidentified information ». It further states: «[The] information has not been available for persons who have not signed a declaration of confidentiality ». 22.2 Logging There is no functionality for logging in the folder structure used. This the folder structure was used since there was no other ICT tool that could take care of it the need for report and extraction. 2.3 Internal management system Østfold HF Hospital has decided that revision of personal registers will be included in the Hospital Østfold HF's overall, two-year audit plan. Østfold HF Hospital has not carried out an audit of, or otherwise controlled, content or functionality in the relevant folder structure, including access control on it current area. The Norwegian Data Protection Authority assumes that neither the storage location and storage time for the extracts from EPR have been checked. 2.4 Storage routines Østfold HF Hospital has established routines for storing health information and personal information. We understand that the discrepancy is a violation of internal storage routines and storage time. 2.5 Built-in privacy and privacy by default Østfold HF Hospital carried out a preliminary and main project in connection with the new one the Personal Data Act and the Privacy Ordinance entered into force on 20.07.2018. The project was to «Detect discrepancies in that the entire organization was better informed about the requirements in the Personal Data Act ». According to the project plan, the project identified a need for mapping of accesses and automated access control (idM) in DIPS, and one should consider the need for the introduction of one regional standard. This item has status completed, and the system owner DIPS was responsible. It does not appear that the project included whether the medical record system DIPS has built-in privacy and privacy as the default setting or that the project aimed to uncover weaknesses in the routines for storing personal data. 2.6 Treatment protocol Østfold HF Hospital has established a complete and updated protocol of treatment the activities of the hospital. As we have understood it, the USK lists were entered into the hospital's protocols in June 2018. Østfold HF Hospital has stated that they ensure control over all processing of personal data by risk assessment of any establishment or change of personal registers. 2.7 Implemented measures Østfold HF Hospital has pointed out that the following immediate measures have been implemented: • Folders have been reviewed and historical personal information has been deleted. • The folders have been moved, and only the analysis department's employees have access. The approach governed by affiliation to organizational unit. 3 • Reports with anonymized information for statistical needs have been moved to folders with access control, where 118 employees now have access. • Personal information related to patient logistics is "copied" to access controllers folders. The need for access for employees has been revised. Of the long-term measures, Østfold HF Hospital refers to the following: • Introduction of an analysis platform that enables a smaller degree of manual routines. The project has started, and we understand it so that the analysis platform is established. • A reception project has been established to decide on the use of the solution. 2.8 Information to the registered Information is not provided to patients affected by the abnormality. The reason is that the Hospital Østfold HF believes that the deviation does not include loss or dissemination of personal information, and that has not been revealed that personal data has been used for other purposes. Østfold HF Hospital shows also that all employees have signed that they have a duty of confidentiality. 3. Legal basis The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. privacy Article 57 of the Regulation. We are also the supervisory authority under the Patient Records Act, cf. section 26 of the Act. The Patient Records Act applies to all processing of health information that is necessary to, among other things quality-assured health care for individuals, cf. section 3 of the Act. 3.1 On choice of law The new Personal Data Act, which incorporates the EU Privacy Regulation into Norwegian law, entered into force on 20.07.2018. The law also repealed the Personal Data Act (2000) and the rules in the Personal Data Regulations (2000). This case concerns matters that arose in 2015, ie before the entry into force of the Personal Data Act (2018), but which has persisted in the time since. We must therefore take a stand whether the case is to be assessed in accordance with the Personal Data Act (2018) or the Personal Data Act (2000). The Personal Data Act (2018) § 33 first paragraph contains a special transitional rule infringement charge, which reads: «The rules on the processing of personal data that applied at the time of the action, shall be used as a basis when a decision is made on an infringement fee. The legislation on the time of the decision shall nevertheless be used when this leads to a more favorable one result for the person responsible ». The question of choice of law must therefore be assessed on the basis of what is considered the time of action. The relevant deviation arose before the entry into force of new regulations on 20.07.2018, but persisted until the discrepancy was discovered in January 2019. The time of action in this case has thus 4waited over time and in the time after the Personal Data Act (2018) came into force. It follows then of the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with this Act. We also refer to the preparatory work for the Personal Data Act (2018), Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018): «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to is made on the basis of the material rules in force at any given time ». The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and PVN-2018-06. Against this background, it is in our assessment clear that the case must be assessed accordingly the Personal Data Act (2018) and the Privacy Ordinance. 3.2 About health information and confidential information Health information about patients is a so-called special category of personal information, cf. Article 9 (1) of the Privacy Regulation. Such information will be covered by various confidentiality provisions, see for example the Health Personnel Act § 21. We also refer to the prohibition in the Health Personnel Act § 21 a against unlawful acquisition of confidential information. Pursuant to section 16 of the Health Personnel Act, enterprises in the health service must organize themselves in such a way that health professionals will be able to comply with their statutory obligations under, among other things the Health Personnel Act. 3.3 The basic principles The basic principles for the processing of personal data are set out in Article 5 of the Privacy Regulation. We refer in particular to Article 5 (1) (f), where it appears: «1. Personal information shall (…) f) processed in a manner that ensures sufficient security for the personal data, including protection against unauthorized or illegal treatment (…), by the use of appropriate technical or organizational measures ("integrity and confidentiality") ". It is the data controller's responsibility that the principles are complied with, and the data controller must be able to demonstrate this, cf. Article 5 (2). 3.4 The requirements for personal data security and management systems 3.4.1 The Privacy Ordinance Article 32 of the Privacy Regulation regulates the security requirements when processing personal information. The following is an excerpt from relevant parts of Article 32: 5 «1. Taking into account the technical development, implementation costs and the nature, scope, purpose and context of the treatment, as well as the risks of varying degrees of probability and severity for the rights of natural persons and freedoms, the data controller and the data processor shall implement appropriate technical and organizational measures to achieve a level of security that is suitable with consideration of the risk, including, inter alia, as appropriate, (…) b) ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services, (…) d) a process for regular testing, analysis and assessment of how effective the treatment's technical and organizational security measures are. 2. In assessing the appropriate level of safety, special consideration shall be given to the risks associated with the processing, in particular as a result of (…) unauthorized disclosure of or access to personal information that has been transferred, stored or otherwise treated". The obligation to implement appropriate technical and organizational measures is correspondingly stated in Article 24 of the Privacy Regulation, which regulates the data controller's responsibilities separately. Built-in privacy and privacy by default, cf. the Privacy Ordinance Article 25, entails a requirement that the principles of privacy are observed throughout the processing. We refers again to the principle of integrity and confidentiality, cf. the Privacy Ordinance article 5 no. 1 letter f. The data controller has a duty to ensure that the electronic solutions such as used has built-in privacy. Pursuant to Article 30 (1) of the Privacy Regulation, the data controller has a duty to keep minutes over the treatment activities performed. The protocol shall, among other things, contain one description of the categories of personal data processed, cf. Article 30, paragraph 1, letter c, and the categories of recipients to whom the personal data will be disclosed, cf. Article 30 no. 1 letter d. 3.4.2 Patient Records Act The requirements for the data controller when processing journal information are also stated in patient record law. The Patient Records Act § 22 first paragraph on information security reads: «The data controller and data processor shall carry out technical and organizational measures to achieve a level of safety that is suitable with regard to the risk, cf. Article 32 of the Privacy Regulation otherwise ensure access control, logging and subsequent control ». 6 The Patient Records Act § 23 on internal control reads: «The data controller shall implement technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance with the Privacy Ordinance, the Personal Data Act and this Act, cf. Article 24 of the Regulation. The data controller must document the measures. The documentation must be available to the employees of the data controller and the data processor. The documentation must also be available to the supervisory authorities. The Ministry may in regulations issue further provisions on internal control ». 3.5 Information for affected persons If it is probable that the breach of security will entail a high risk for natural persons rights and freedoms, the data controller shall without undue delay notify those affected persons about the breach, cf. the Privacy Ordinance Article 34 No. 1. The supervisory authority may order the data controller to inform affected persons, cf. article 34 (4). The detailed requirements for the content of such a notification are set out in Article 34 (2) and 3. 3.6 In particular on the imposition of infringement fines Article 58 no. 2 letter i of the Privacy Ordinance, cf. the Personal Data Act § 26 other paragraph and the Patient Records Act § 29, it appears that the Data Inspectorate may impose public authorities and bodies infringement fines under the rules of Article 83 of the Privacy Regulation in case of violation of provisions of the respective laws. Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains, among other things, an overview of which aspects are to be taken into account, both in the assessment of whether an infringement fee is to be imposed and in determining the amount of the fee. The relevant parts of Article 83 (1) and (2) are reproduced below: «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 of each case is effective, stands in a reasonable relation to the violation and works deterrent. 2. (…) When a decision is made on whether to impose an infringement fee and on the amount of the infringement fee, it must be duly taken into account in each individual case following: a) the nature, severity and duration of the infringement, taking into account to the nature, extent or purpose of the treatment concerned as well as the number of registered as are affected, and the extent of the damage they have suffered, b) whether the infringement was committed intentionally or negligently, 7 c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects, d) the degree of responsibility of the data controller or data processor, as taken with regard to the technical and organizational measures they have implemented in accordance with Articles 25 and 32, e) any relevant previous violations committed by the data controller or the data processor, (f) the degree of cooperation with the supervisory authority to remedy the infringement; and reduce the possible negative effects of it, g) the categories of personal data affected by the infringement, (h) the manner in which the supervisory authority became aware of the infringement, in particular: and, if so, to what extent the data controller or data processor has notified of the infringement, (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that the said measures are complied with, (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 and k) any other aggravating or mitigating factor in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, such as consequence of the infringement ». Article 83 also sets out the framework for the magnitude of the infringement fine. We show in this in connection with Article 83 (4). The relevant parts of the provisions are: «4. In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2 infringement fine of up to EUR 10,000,000 (…): (a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25-39 and 42 and 43 (…) '. Section 26, first paragraph, of the Personal Data Act states that Article 83 of the Privacy Ordinance Paragraph 4 shall apply mutatis mutandis to infringements of Article 24 of the Regulation. 4. The Data Inspectorate's assessment In the account of our assessment of the discrepancy, we will follow the same chronology as below "Description of the facts of the case" above. 4.1 Access control Østfold HF Hospital has an established routine for access control, and the deviation represents one violation of internal routines to only provide access to employees with service needs. It has not been access control on the site / folders where the extracts of (special categories of) personal data from the EHR was stored and / or temporarily stored. We assume that 118 employees 1 To our understanding, the term "service need" includes not only needs that arise in clinical patient work, but also needs related to, for example, administrative work, technical support and management functions. 8at the hospital in the period 2013-2019 has had access to the files, many of which employees do not has had an official need for access. In our assessment that sensitive personal information has been available to employees without service needs, it is not of particular importance that the hospital believes that the information was stored in an area where it was not natural for most employees to enter. The risk of breaches of the confidentiality and integrity of the information have nevertheless been present. Furthermore, Østfold HF Hospital points out that the employees who have had access to the folder and the personal data has signed that they have a duty of confidentiality. In our view, this is not the case relevant for the assessment of which patient information an employee should have access to. We refer to the requirement that employees must not have access to personal information they do not have a service need for for, regardless of whether the employee has a duty of confidentiality or not. The Data Inspectorate's assessment: The personal information in the report extracts has been available to 118 employees at the Hospital Østfold HF, of which many employees have not had an official need for such access. The hospital has thus not preventing unlawful access to personal data. This is a violation Article 32 of the Privacy Regulation, cf. Article 24 and Article 5 (1) (f), and Patient Records Act § 22. 4.2 Logging Østfold HF Hospital has not logged the activity in the area where the report extracts were stored. If the hospital had had a routine for logging the activity and followed up the logs on one systematically, the hospital could have confirmed and / or denied whether employees have used of access to and / or changed the personal information / lists. The lack of logging is increasing the risk of losing track of where personal information / patient data is located. We are unsure whether Sykehuset Østfold HF has now established a sufficient system and routine for logging and follow-up of logs in the hospital. The Data Inspectorate's assessment: Østfold HF Hospital has not logged the activity where the extracts from EPR were stored, and the hospital has thus not been able to follow up the activity and uncover unauthorized access and any compromise of the personal data. This is a breach of privacy the regulation, article 32, cf. articles 24 and 5 no. 2, and the Patient Records Act § 23. 4.3 Internal control system Østfold HF Hospital has not carried out regular checks on employees' access to folders, storage and deletion on the server. In the procedure "Health information - storage, archiving and deletion" all levels are in the hospital given a responsibility to ensure that the routines are complied with. In connection with saving the report extracts from EPR, the hospital has not followed up on the overall responsibility of the CEO 9for access control at the hospital to work. Nor can we see that other leaders have provided that the access control functioned as intended. This could, for example, have been done by requesting internal reporting on compliance with the said procedure. Internal audit of access control as well as follow-up of logs and storage should be carried out regularly, so that you have an overview of the risk picture at all times. Security Manager, who has the executive responsibility for information security, can be a key part of such Activity. The hospital can also consult with the privacy representative in the process of ensuring that only employees with service needs have access to patient information from which the report extracts EPJ. The Data Inspectorate's assessment: Østfold HF Hospital has not had control over the employees' access to report extracts sensitive personal data in the years 2013-2019. The management, which has overall responsibility for storage, access control and deletion, did not ensure that the access control functioned as provided in connection with the report extracts from the EHR. This is a violation Article 32 of the Privacy Ordinance, cf. Articles 24 and 5 no. 2, and Section 23 of the Patient Records Act. Due to the deficient management, Sykehuset Østfold HF has not been able to correct the solution in terms of confidentiality, integrity and availability. This is a violation Article 32 and 5 (1) (f) and (2) of the Privacy Regulation, and Sections 22 and 23 of the Patient Records Act. 4.4 Storage routines The personal information in the report extracts from EHR has not been deleted as the purpose with the processing of the information has been fulfilled. Østfold HF Hospital thus does not have complied with the principle of storage limitation. The Data Inspectorate's assessment: Østfold HF Hospital has stored report extracts from EPR from 2013-2019 long after the purpose with the processing of the information was achieved and the need for storage of the information ceased. This is a violation of Article 32 of the Privacy Regulation, cf. Articles 24 and 5 (1) letter e, and the Patient Records Act § 23. 4.5 Built-in privacy and privacy by default Østfold HF Hospital is responsible as a treatment manager for having programs, systems and / or solutions that have built-in privacy and privacy by default. We can not see that there has been a focus on built-in privacy in the hospital's project to ensure the transition to new privacy regulations or in other measures described. 10Datatilsynet's assessment: The solution for report extraction from EHR was not in accordance with the requirements for built-in privacy / privacy as the default setting in the Privacy Ordinance Article 25, cf. Articles 32 and 24. 4.6 Treatment protocol The report extracts from EPR were not integrated in the protocols at Østfold HF Hospital until in 2018. Østfold HF Hospital states that safety assessments are always made of new or changed treatments. The Norwegian Data Protection Authority has doubts about whether the minutes were kept in June 2018 was complete. In our opinion, this should have meant that a need was identified security measures for the solution - such as access control, logging and deleting the personal information in the extracts. The Data Inspectorate's assessment: The requirement for a protocol in Article 30 of the Privacy Regulation has not been complied with in connection with the report extracts from the EHR. 4.7 Implemented measures Østfold HF Hospital implemented immediate measures after the discrepancy was discovered. It is also implemented long-term measures that indicate that the hospital has understood the seriousness of the discrepancy. Østfold HF Hospital must ensure that the measures have the desired effect and that the hospital has satisfactory level of safety. We refer to point 4.3 Internal management system above. The Data Inspectorate's assessment: The Norwegian Data Protection Authority has no comments on the immediate measures implemented. We nevertheless believe that Østfold HF Hospital has not established sufficient management when it comes to processing of personal data, including for access control and storage routines, cf. Article 32 of the Privacy Ordinance, cf. Article 24, and Section 23 of the Patient Records Act. 4.8 Information to the registered The affected patients have not been informed about the storage and access control of the report extracts with some very sensitive information about them. Østfold HF Hospital believes that the deviation does not include loss or spread of personal data, and it has not been revealed that the personal data has been used for other purposes. Patients have a legitimate expectation of confidentiality when treated at a hospital. They expect that only health professionals with service needs will have access to information about themselves and their state of health. 2 See our understanding as it appears in footnote 1. 11The fact that employees have a duty of confidentiality is not relevant for the assessment of which information employee shall have access to. The duty of confidentiality may nevertheless limit the harmful effects of unauthorized access to personal data. There is a precondition in the duty of confidentiality that healthcare professionals should not disseminate confidential patient information. Pursuant to Article 34 of the Privacy Regulation, the obligation to notify the persons concerned is triggered if the breach of security entails a "high risk" for the rights and freedoms of natural persons. In this case, the information has been available to many employees who have not had official need for the information. Due to the lack of logging, it is impossible to check whether employees have actually accessed or otherwise processed the information, and in the case of how many. As we have understood it, most of the 118 employees have not had official need for access to the information. There is also information about several thousand patients through approx. six years. Nevertheless, we have made sure that there is a limited number of employees that everyone has duty of confidentiality. According to the information, the folder structure where the information has been open has we have been difficult to access. Overall, we have therefore come to the conclusion that Østfold HF Hospital is not obliged to inform them affected patients. We will nevertheless encourage Østfold HF Hospital to be open about the deviation. Information can for example is made available via the hospital's website. The information should be designed on a way that enables patients to understand the scope and content of the security breach. The Data Inspectorate's assessment: Østfold HF Hospital is not obliged to notify those registered who are affected by the deviation, cf. Article 34 of the Privacy Regulation. 4.9 Summary Patient information shall not be stored so that employees without service needs have access to it. At Østfold HF Hospital, patient information in the form of report extracts from EPR has been stored on a server and in a folder structure without access control. As the primary purpose of health personnel is health care, the hospital must have established a technical support system that meets the requirements for privacy and information security. The hospital must also facilitate that only secure systems are used in the handling of sensitive information. In this way, healthcare professionals' duty of confidentiality and information security regarding patient information maintained throughout the treatment chain. It is a management responsibility that such technical solutions are established and functioning as intended. We believe there have been fundamental shortcomings in the internal management system and information security in the processing of report extracts at Østfold HF Hospital. 124.10 Assessment of whether an infringement fee is to be imposed The Norwegian Data Protection Authority has come to the conclusion that Østfold HF Hospital has violated the Privacy Ordinance Article 32, cf. 24 and the Patient Records Act §§ 22 and 23. The offense has largely occurred before the Personal Data Act (2018) and the Privacy Regulation entered into force. The Data Inspectorate could also impose earlier infringement fee, cf. the Personal Data Act (2000) § 46, but the amount was then limited to up to 10 times the National Insurance basic amount (currently approx. NOK 1,000,000). However, we refer to the discussion under section 3.1 and assume that the fee will be measured according to new regulations. In principle, there is thus a basis for imposing Østfold Hospital HF a violation fee of up to 10,000,000 euros (currently approx. 107,000,000 NOK), cf. Article 83 (4) of the Regulation. Nevertheless, we will ensure that the offenses have also taken place in the period when previous privacy regulations applied. Below we review the factors that we consider relevant for the assessment of whether infringement fines must be imposed. (a) the nature, gravity and duration of the infringement, taking into account it; the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and the extent of the damage they have suffered The discrepancy related to the report extracts has been going on for approx. six years, and health information about Thousands of patients have been available to many staff without the need for service the information. Although there is no evidence that employees have done wrong access to the report extracts, it is not possible to review whether such access has taken place and whether patient information has gone astray. Lack of opportunity for follow-up contributes in itself even to increase the severity of the discrepancy. b) whether the infringement was committed intentionally or negligently Østfold HF Hospital has carried out risk assessments related to information security and has routines for access control. The storage of report extracts with health information without access control has nevertheless not emerged through the management's follow-up in the years 2013- 2019. The offense must be described as negligent. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects Østfold HF Hospital has now taken care of shielding or deleting the report extracts. d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32 Østfold HF Hospital has had a management system that includes access control confidential information. However, the control system has not been suitable for capture storing the report snippets in folders without access control. The Data Inspectorate believes that this provides expression of shortcomings in the internal management system. 13g) the categories of personal data affected by the infringement In this case, health information has been available to many employees without service needs. Pursuant to Article 9 (1) of the Privacy Ordinance, health information is designated as a special category personal information, ie very sensitive information. This is increasing the severity of the offense. h) in what way the supervisory authority became aware of the infringement, in particular if and if so the extent to which the data controller or data processor has notified the infringement Østfold HF Hospital itself reported the deviation to the Norwegian Data Protection Authority. 4.11 Measurement of the fee In assessing the size of the fee, we have ensured that Østfold HF Hospital quickly took care of it deletion or shielding of the report extracts and that the hospital itself reported the deviation The Data Inspectorate. It is also not known that the practice has had concrete consequences for individual patients, although this is given less weight. We have emphasized that the offense partly took place before the Personal Data Act (2018) and the Privacy Regulation entered into force. Pursuant to the previously applicable Personal Data Act (2000) the fee was limited to a maximum of approx. NOK 1,000,000. Initially, the Data Inspectorate understood the case so that the personal data had in principle been lying available to all of the hospital's employees, a total of over 5,000 people. However, there is talk about up to 118 employees. However, many of these have not had an official need for access. The discrepancy also extends over several years. In addition, we believe that the discrepancy illustrates shortcomings in Sykehuset Østfold HF's management system when this applies to internal access control. The Danish Data Protection Agency has concluded that an infringement fee of NOK 750,000 is reasonable in this the case. 4.12 Assessment of whether an order is to be issued Østfold HF Hospital has not had sufficiently good management with the employees' access to report extract with sensitive personal information in the years 2013-2019. The folders there the report snippets were stored were not access controlled and the activity in the folders was not logged. The report extracts have also been stored long after the lists were no longer needed. We believe that such extensive storage of unprotected health information could take place over a long period of time indicates deficiencies in the internal management system. We have therefore found grounds to order Sykehuset Østfold HF to supervise the management system for the processing of personal data is suitable to meet the requirements of the privacy regulations and Patient Records Act: 14Datatilsynet believes that Østfold HF Hospital has not established a system for access control which is sufficient to prevent similar deviations from occurring in the future. We find it therefore necessary to impose an order on Sykehuset Østfold HF to ensure that the management system for processing of personal data is suitable to meet the requirements of the privacy regulations and patient record law. We refer in particular to the routines for access control and storage personal information. The management system must involve follow-up that the routines are followed, including follow-up that only secure systems are used in the processing of sensitive personal data. We refer to Article 32 of the Privacy Ordinance, cf. Article 24, and Section 23 of the Patient Records Act. 5. Right of appeal and further proceedings This decision can be appealed within three weeks after you have received this letter, cf. Sections 28 and 29 of the Public Administration Act. Any complaint is sent to the Danish Data Protection Agency. If we do not take as a result of the complaint, the case will be sent to the Privacy Board for processing complaints, cf. the Personal Data Act § 22. If you do not complain about the order, we ask that Sykehuset Østfold HF document that the management system is in line with the order by 01.12.2020. If you have any questions, you can contact caseworker Susanne Lie (tel. 22 39 69 57, e-mail suli@datatilsynet.no). With best regards Bjørn Erik Thon director Susanne Lie senior legal adviser The document is electronically approved and therefore has no handwritten signatures.