Datatilsynet (Norway) - 21/01057
Datatilsynet - 21/01057-10 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 57(1) GDPR Article 57(1)(f) GDPR Public Administration Act The Child Protection Act SS1-7 |
Type: | Complaint |
Outcome: | Rejected |
Started: | 02.05.2022 |
Decided: | 08.11.2022 |
Published: | 08.11.2022 |
Fine: | n/a |
Parties: | A Norwegian Data Protection Authority |
National Case Number/Name: | 21/01057-10 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Personvernnernda (in NO) |
Initial Contributor: | Leah Fielden |
The Tribunal agreed that the Norwegian Data Protection Authority (NDPA) was not the right supervisory authority regarding child welfare services. It was confirmed that the NDPA was correct to reject the case due to a lack of competence.
English Summary
Facts
The applicant contacted the Norwegian Data Protection Agency on 18 December 2020 due to a belief that unlawful entries had been made on her son's welfare record at the Child Welfare Service. The Norwegian Data Protection Authority found no basis for conducting investigations in this area. The inspectorate went on to recommend that the applicant re-direct any questions about municipality controls and routines for handling personal data to the municipality data protection officer themselves and closed the case on 29 April 2021. The applicant was granted access to the child welfare records and proceeded to complain to the State Administrator about what she perceived as unlawful postings in the records.
Holding
The Norwegian Data Protection Authority (NDPA) held in its assessment that they did not possess the competence to assess who in the Child Welfare Service had legitimate access to the son's child welfare record and who did not. Therefore, the NDPA decided not to carry out investigations in this case because it fell outside the scope of the their area of responsibility outlined by the Personal Protection Regulation, Article 57(1)(a).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The Privacy Board's decision 8 November 2022 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Hans Marius Tessem, Morten Goodwin, Malin Tønseth, Heidi Talsethagen) The case concerns a complaint from A about the Norwegian Data Protection Authority's decision on 2 May 2022 not to carry out investigations in the case because it is outside the Norwegian Data Protection Authority's competence or area of responsibility, cf. the Personal Protection Regulation article 57 no. 1 letter a. Background of the case A contacted the Norwegian Data Protection Authority on 18 December 2020 because she believed that unlawful entries had been made in her son's child welfare record at the child welfare service in X. The Norwegian Data Protection Authority found no basis for conducting investigations in the matter. The inspectorate recommended that A direct questions about the municipality's access control and routines for handing over personal data to the municipality's data protection officer and closed the case on 29 April 2021. A was given access to the child welfare service's access logs for her son's records and also complained to the State Administrator in Y about what she perceived as unlawful postings in the records. The state administrator opened a supervisory case and concluded on 8 April 2021 as follows: "The child protection service in [X] has not acted in breach of the Child Protection Act § 6-7, cf. Administration Act § 13. The child protection service in [X] has not acted in violation of the Child Protection Act § 1-7." A requested the Norwegian Data Protection Authority to reassess the child welfare service's handling of confidential personal data in an e-mail on 7 December 2021. In an email to A on 23 February 2022, the Norwegian Data Protection Authority maintained its assessment that the Norwegian Data Protection Authority did not have the competence to assess who in the child welfare service had legitimate access to the son's child welfare record and who did not. The Norwegian Data Protection Authority repeated its assessment in a decision on 2 May 2022 and closed the case. A complained about the Norwegian Data Protection Authority's closing of the case on the same day. The Norwegian Data Protection Authority assessed the complaint, but found no grounds for changing its decision and forwarded the case to the Personal Protection Board on 16 May 2022. The parties were informed about the case in a letter from the board, and were given the opportunity to make any comments. A submitted his comments in a letter on 30 May 2022. The child protection service in X has not submitted any comments. The case was dealt with in the board's meeting on 8 November 2022. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Hans Marius Tessem, Morten Goodwin, Malin Tønseth and Heidi Talsethagen. Secretariat manager Anette Klem Funderud was also present. The Norwegian Data Protection Authority's assessment in general The inspectorate does not have the competence to assess whether employees of the child protection service have acted in breach of the rules in the Child Protection Act § 6-5, which designates the state administrator as the appeals body. The Norwegian Data Protection Authority is also not a review body for the state administrator's decisions. The Danish Data Protection Authority therefore closes the case as a result of a lack of competence, cf. the Personal Protection Regulation article 57 no. 1 letter a. In any case, the Norwegian Data Protection Authority believes that it is not appropriate to carry out further investigations into the legal and substantive aspects of the complaint, cf. the Personal Data Protection Regulation Article 57 no. 1 letter f. The Danish Data Protection Authority does not have the necessary professional expertise in child protection to assess which employees of the child protection service have had an official need for to make entries in the journal. In practice, the Danish Data Protection Authority therefore has no opportunity to review the child welfare service's own assessment of the legality of the postings. The matter has also already been considered by the state administrator, and the Norwegian Data Protection Authority cannot see that the authority would have come to a different result. As's view of the case in brief Getting access to the child welfare service's access log was a painstaking process where she had to use a lawyer, and where the municipality used arguments both that it was in the child's best interests that she was not given this access, and later that it was for the sake of their employees . Even with two approvals from the state administrator, the municipality would not hand over the access log to her. This supports that they would try to keep the number of deviations hidden; 9 A4 pages/ over 300 notices, where close friends of the family had also been inside and read both while the case was ongoing, after it had ended, and after they received a complaint from A. In the municipality's explanation of the number of logins by people who did not work on the case have they only given a list of names and what position they hold. It is not justified why they have been involved in the case. Why has almost the entire service been involved in the case, why have they been involved in dropped cases, why have close friends of the family been involved in the cases? And why does the service lie both verbally and in writing and claim that the folders are closed when they are not? This is a breach of the Personal Data Act and she had expected that the Norwegian Data Protection Authority would react to this towards the municipality. The municipality has also written in response to the complaint that the case has been dealt with in line with their routines, that is to say that all cases in X municipality are dealt with as this one. As it is now, any employee in the municipality can hide behind the duty of confidentiality and log in to matters without official need without any consequences. The privacy of children who, for various reasons, have folders with the municipality is completely absent. She is surprised that the Norwegian Data Protection Authority does not react to the municipality using cases with sensitive and confidential information for training, without anonymising them. In this case, the privacy of 10 people is violated by the fact that postings are made without an official need. The Norwegian Privacy Board's assessment The Personal Protection Board has assessed the Norwegian Data Protection Authority's closure of the case due to lack of competence as a decision on rejection. A decision on rejection gives the right to appeal, cf. section 28 of the Public Administration Act, cf. section 2, third paragraph. All processing of personal data by the child welfare service must, in order to be legal, have a basis for processing in one of the options in Article 6 of the Personal Data Protection Ordinance. If the information also includes information specified in Article 9 no. 1, there must also be a basis for processing in one of the alternatives in Article 9 no. 2. It is the data controller, in this case the relevant municipality or the child protection service, who must have grounds for processing according to the Personal Data Protection Ordinance. The regulation does not say anything about which employees of the data controller have access to the information. The tribunal assumes that the child protection service can process information about children and parents on the basis of the Personal Data Protection Ordinance, Article 6 no. 1 letter e (exercising public authority), as well as Article 9 no. 2 letter b (fulfilling its obligations in the area of social law), to the extent this is permitted under national law. The tasks and duties of the Child Protection Agency are regulated in national law by several laws. The most central provisions are given in the Child Protection Act and the Public Administration Act. Child welfare services are given an explicit authority to process personal data in the Child Protection Act § 6-7 c. The provision is new, but the tribunal assumes that the provision is a continuation of the applicable law at the time of the state administrator's treatment of this case. The various provisions on confidentiality, right to information and obligation to provide information that follow from the Child Protection Act and the Administration Act also regulate to some extent the individual employee's duties within the child protection service. Basically, the employees of the child protection service are subject to a duty of confidentiality regarding all personal matters according to the Child Protection Act § 6-7, cf. the Administration Act § 13. However, it follows from the Administration Act § 13 b no. 3 that the duty of confidentiality does not prevent the information "being available to other officials within the body or agency to the extent necessary for appropriate work and archive arrangements, i.a. for use in guidance in other matters." It is the state administrator who, in accordance with the Child Protection Act § 2-3 first paragraph letter a, must supervise that the law and the regulations are applied correctly and in a way that promotes the law's purpose. The state administrator has, following an inquiry from the complainant, opened a supervisory case and had a review of the access log for the child welfare record. The state administrator concluded, among other things, that the child protection service has not acted in breach of the Child Protection Act § 6-7, cf. the Administration Act § 13. The tribunal agrees with the Norwegian Data Protection Authority that the Norwegian Data Protection Authority is not the right supervisory authority when it comes to who in the child welfare service has legal access to the son's child welfare records. The state administrator has assessed the complainant's inquiry and has concluded that the various employees' logins to the son's medical record have taken place in line with the rules, cf. the Child Protection Act § 6-7, cf. the Administration Act § 13. The Norwegian Data Protection Authority does not have the competence to review this decision. It was therefore right for the Norwegian Data Protection Authority to reject the case without taking any measures or carrying out further investigations. After this, A is not successful in his appeal. The decision is unanimous. Resolution The Norwegian Data Protection Authority's decision to reject the case is upheld. Oslo, 8 November 2022 Mari Bø Haugstad Manager