Datatilsynet (Norway) - 21/01057

From GDPRhub
Revision as of 14:24, 22 November 2022 by Kk
Personvernnemnda - PVN-2022-11
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 57(1) GDPR
Article 57(1)(f) GDPR
Public Administration Act
The Child Protection Act § 1-7
Type: Complaint
Outcome: Rejected
Started: 02.05.2022
Decided: 08.11.2022
Published: 08.11.2022
Fine: n/a
Parties: A
Norwegian Data Protection Authority
National Case Number/Name: PVN-2022-11
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Personvernnemnda (in NO)
Initial Contributor: Leah Fielden

The Norwegian Privacy Appeals Board upheld a decision of the Norwegian DPA to reject a complaint due to lack of competence under Article 57(1)(a) GDPR. The complaint concerned the lawfulness of personal data processing and access to records from the Child Welfare Service.

English Summary

Facts

The data subject contacted the Norwegian DPA on 18 December 2020 due to a belief that unlawful entries had been made on her son's welfare record at the Child Welfare Service (the controller).

The Norwegian DPA found no basis for conducting investigations in this area and recommended that the data subject re-direct any questions about municipality controls and routines for handling personal data to the municipality Data Protection Officer (DPO) and closed the case on 29 April 2021. The data subject was granted access to the child welfare records and proceeded to complain one more time to the DPA, asking to reassess the controller's handling of confidential personal data in an e-mail on 7 December 2021.

The DPA held in its assessment that it did not possess the competence to assess who in the controller's office had legitimate access to the child welfare record and who did not. In particular, the DPA did not have the competence to assess whether employees of the controller had acted in breach of the Child Protection Act. Moreover, the DPA did not have the necessary professional expertise in child protection to assess which employees of the controller had an official responsibility to make entries in the journal. In practice, the DPA had no opportunity to review the controller's own assessment of the legality of the posting. Therefore, the DPA decided not to carry out investigations in this case because it fell outside the scope of its area of responsibility outlined by Article 57(1)(a) GDPR.

The data subject complained about the closing of the case to the Norwegian Privacy Appeals Board.

Holding

The Norwegian Privacy Appeals Board (the Board) assessed the DPA's closure of the case due to lack of competence as a decision on rejection. A decision on rejection gives the right to appeal, cf. Section 28 of the Public Administration Act, cf. section 2, third paragraph.

First, the Board recalled that all processing of personal data by a child welfare service must have a valid legal basis in Article 6 GDPR. If the information also includes sensitive data specified in Article 9(1) GDPR, there must be a basis for processing in Article 9(2) GDPR. The Board assumed that the controller had a legal basis for processing children's health data under Article 6(1)(e) GDPR (exercise of official authority) and Article 9(2)(b) GDPR (fulfilling its obligations in the area of social law), to the extent that it was permitted under national law. The tasks and duties of child welfare services are regulated by several national laws. The most central provisions are given in the Child Protection Act and the Public Administration Act. Child welfare services are given an explicit authority to process personal data in the Child Protection Act § 6-7 letter c.

Further, the DPA noted that it is the State Administrator who, in accordance with the Child Protection Act § 2-3 first paragraph letter a, must supervise that the law and the regulations are applied correctly and in a way that promotes the law's purpose. Therefore, the Board agreed with the DPA that it was not the right authority when it comes to assessing which of the controller's employees had legal access to the data subject's son's welfare records.

The Board upheld the decision of the Norwegian DPA to reject the complaint based on lack of competence under Article 57(1)(a) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Privacy Board's decision 8 November 2022 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Hans Marius Tessem, Morten Goodwin, Malin Tønseth, Heidi Talsethagen)
The case concerns a complaint from A about the Norwegian Data Protection Authority's decision on 2 May 2022 not to carry out investigations in the case because it is outside the Norwegian Data Protection Authority's competence or area of responsibility, cf. the Personal Protection Regulation article 57 no. 1 letter a.
Background of the case
A contacted the Norwegian Data Protection Authority on 18 December 2020 because she believed that unlawful entries had been made in her son's child welfare record at the child welfare service in X.
The Norwegian Data Protection Authority found no basis for conducting investigations in the matter. The inspectorate recommended that A direct questions about the municipality's access control and routines for handing over personal data to the municipality's data protection officer and closed the case on 29 April 2021.
A was given access to the child welfare service's access logs for her son's records and also complained to the State Administrator in Y about what she perceived as unlawful postings in the records.
The state administrator opened a supervisory case and concluded on 8 April 2021 as follows:
"The child protection service in [X] has not acted in breach of the Child Protection Act § 6-7, cf. Administration Act § 13.
The child protection service in [X] has not acted in violation of the Child Protection Act § 1-7."
A requested the Norwegian Data Protection Authority to reassess the child welfare service's handling of confidential personal data in an e-mail on 7 December 2021.
In an email to A on 23 February 2022, the Norwegian Data Protection Authority maintained its assessment that the Norwegian Data Protection Authority did not have the competence to assess who in the child welfare service had legitimate access to the son's child welfare record and who did not.
The Norwegian Data Protection Authority repeated its assessment in a decision on 2 May 2022 and closed the case. A complained about the Norwegian Data Protection Authority's closing of the case on the same day.
The Norwegian Data Protection Authority assessed the complaint, but found no grounds for changing its decision and forwarded the case to the Personal Protection Board on 16 May 2022. The parties were informed about the case in a letter from the board, and were given the opportunity to make any comments. A submitted her comments in a letter on 30 May 2022. The child protection service in X has not submitted any comments.
The case was dealt with in the board's meeting on 8 November 2022. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Hans Marius Tessem, Morten Goodwin, Malin Tønseth and Heidi Talsethagen. Secretariat manager Anette Klem Funderud was also present.
The Norwegian Data Protection Authority's assessment in general
The inspectorate does not have the competence to assess whether employees of the child protection service have acted in breach of the rules in the Child Protection Act § 6-5, which designates the state administrator as the appeals body. The Norwegian Data Protection Authority is also not a review body for the state administrator's decisions.
The Norwegian Data Protection Authority therefore closes the case as a result of a lack of competence, cf. the Personal Protection Regulation article 57 no. 1 letter a.
In any case, the Norwegian Data Protection Authority believes that it is not appropriate to carry out further investigations into the legal and substantive aspects of the complaint, cf. the Personal Data Protection Regulation Article 57 no. 1 letter f. The Norwegian Data Protection Authority does not have the necessary professional expertise in child protection to assess which employees of the child protection service have had an official need to make entries in the journal. In practice, the Norwegian Data Protection Authority therefore has no opportunity to review the child welfare service's own assessment of the legality of the postings. The matter has also already been considered by the state administrator, and the Norwegian Data Protection Authority cannot see that the authority would have come to a different result.
A's view of the case in brief
Getting access to the child welfare service's access log was a painstaking process where she had to use a lawyer, and where the municipality used arguments both that it was in the child's best interests that she was not given this access, and later that it was for the sake of their employees.
Even with two approvals from the state administrator, the municipality would not hand over the access log to her. This supports that they would try to keep the number of deviations hidden; 9 A4 pages / over 300 notices, where close friends of the family had also been inside and read both while the case was ongoing, after it had ended, and after they received a complaint from A. In the municipality's explanation of the number of logins by people who did not work on the case, they have only given a list of names and what position they hold. It is not justified why they have been involved in the case. Why has almost the entire service been involved in the case, why have they been involved in dropped cases, why have close friends of the family been involved in the cases? And why does the service lie both verbally and in writing and claim that the folders are closed when they are not?
This is a breach of the Personal Data Act and she had expected that the Norwegian Data Protection Authority would react to this towards the municipality. The municipality has also written in response to the complaint that the case has been dealt with in line with their routines, that is to say that all cases in X municipality are dealt with as this one. As it is now, any employee in the municipality can hide behind the duty of confidentiality and log in to matters without official need without any consequences. The privacy of children who, for various reasons, have folders with the municipality is completely absent.
She is surprised that the Norwegian Data Protection Authority does not react to the municipality using cases with sensitive and confidential information for training, without anonymising them. In this case, the privacy of 10 people is violated by the fact that postings are made without an official need.
The Norwegian Privacy Board's assessment
The Personal Protection Board has assessed the Norwegian Data Protection Authority's closure of the case due to lack of competence as a decision on rejection. A decision on rejection gives the right to appeal, cf. section 28 of the Public Administration Act, cf. section 2, third paragraph.
All processing of personal data by the child welfare service must, in order to be legal, have a basis for processing in one of the options in Article 6 of the Personal Data Protection Ordinance. If the information also includes information specified in Article 9 no. 1, there must also be a basis for processing in one of the alternatives in Article 9 no. 2. It is the data controller, in this case the relevant municipality or the child protection service, who must have grounds for processing according to the Personal Data Protection Ordinance. The regulation does not say anything about which employees of the data controller have access to the information.
The tribunal assumes that the child protection service can process information about children and parents on the basis of the Personal Data Protection Ordinance, Article 6 no. 1 letter e (exercising public authority), as well as Article 9 no. 2 letter b (fulfilling its obligations in the area of social law), to the extent this is permitted under national law.
The tasks and duties of the Child Protection Agency are regulated in national law by several laws. The most central provisions are given in the Child Protection Act and the Public Administration Act. Child welfare services are given an explicit authority to process personal data in the Child Protection Act § 6-7 c. The provision is new, but the tribunal assumes that the provision is a continuation of the applicable law at the time of the state administrator's treatment of this case. The various provisions on confidentiality, right to information and obligation to provide information that follow from the Child Protection Act and the Administration Act also regulate to some extent the individual employee's duties within the child protection service.
Basically, the employees of the child protection service are subject to a duty of confidentiality regarding all personal matters according to the Child Protection Act § 6-7, cf. the Administration Act § 13. However, it follows from the Administration Act § 13 b no. 3 that the duty of confidentiality does not prevent the information "being available to other officials within the body or agency to the extent necessary for appropriate work and archive arrangements, i.a. for use in guidance in other matters."
It is the state administrator who, in accordance with the Child Protection Act § 2-3 first paragraph letter a, must supervise that the law and the regulations are applied correctly and in a way that promotes the law's purpose. The state administrator has, following an inquiry from the complainant, opened a supervisory case and had a review of the access log for the child welfare record. The state administrator concluded, among other things, that the child protection service has not acted in breach of the Child Protection Act § 6-7, cf. the Administration Act § 13.
The tribunal agrees with the Norwegian Data Protection Authority that the Norwegian Data Protection Authority is not the right supervisory authority when it comes to who in the child welfare service has legal access to the son's child welfare records. The state administrator has assessed the complainant's inquiry and has concluded that the various employees' logins to the son's medical record have taken place in line with the rules, cf. the Child Protection Act § 6-7, cf. the Administration Act § 13. The Norwegian Data Protection Authority does not have the competence to review this decision. It was therefore right for the Norwegian Data Protection Authority to reject the case without taking any measures or carrying out further investigations.
After this, A is not successful in her appeal.
The decision is unanimous.
Resolution
The Norwegian Data Protection Authority's decision to reject the case is upheld.
Oslo, 8 November 2022
Mari Bø Haugstad
Manager