Personvernnemnda (Norway) - PVN-2023-05
Personvernnemnda - Pvn-2023-05 | |
---|---|
Court: | Personvernnemnda (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1) GDPR Article 13 GDPR |
Decided: | |
Published: | |
Parties: | |
National Case Number/Name: | Pvn-2023-05 |
European Case Law Identifier: | |
Appeal from: | Datatilsynets |
Appeal to: | |
Original Language(s): | Norwegian |
Original Source: | pvn-2023-05 (in Norwegian) |
Initial Contributor: | sh |
The Norwegian Data Protection Appeals Board overturned a reprimand from the Norwegian DPA. While the municipality still breached Article 13 GDPR, they did have a valid legal basis for processing under Article 6(1)(c) GDPR.
English Summary
Facts
On October 14, 2019, a kindergarten contacted a health center and asked for assistance in relation to a child in the kindergarten who they perceived to have a major anger problem. It was decided that the municipal psychologist would visit the kindergarten to observe the boy and provide guidance to the staff. The boy's parents had consented to cooperation with other agencies, including cooperation with the municipal psychologist.
Before the municipal psychologist began his observations, on October 22, 2019, a situation arose in the kindergarten's cloakroom where the boy in question had an outburst of anger. The incident was filmed by one of the staff. The recording was made on a municipal phone that was not logged on to the cloud service. The film was shown to seven employees in the kindergarten (those who worked in the department where the boy attended), the unit manager and the municipal psychologist. The child himself was also shown the video. The recording was deleted after 10 days, on November 1, 2019.
On 7 July 2020, the Norwegian DPA received a notification of non-compliance from the municipality (the data controller) under Article 33. On the 7 December 2023, the Norwegian DPA imposed a reprimand on the municipality under Article 58(2)(b) GDPR, for processing personal data without a valid basis for processing under Article 6(1), and failing to comply with the obligation to provide information under Article 13 GDPR.
On the topic of Article 6(1) GDPR the Norwegian DPA had decided that the consent covered neither the purpose nor the specific processing. They pointed out that three processing operations related to the recording took place: filming of the data subject, storage of the recording and showing the recording to others. In the opinion of the DPA it was clear that these consents did not cover the processing carried out in connection with the camera recording of the child.
Norwegian Data Protection Authority also believed that the municipality violated the requirements for transparency and information under Article 13 GDPR. The parents did not become aware of the processing of the child's personal data until six months after the recording was made. They had no reason to expect that recordings of this type would be made, as no consent had been obtained.
This decision was appealed to the Norwegian Data Protection Appeals Board (Personvernnemnda) by the municipality.
Holding
The appeals board upheld the appeal and overturned part of the DPA’s decision.
In regard to a legal basis for processing, the board considered the municipality had a valid legal basis under Article 6(1)(c) GDPR due to the Norwegian Kindergarten Act and regulations for processing personal data about the children in the kindergarten. The legal basis covers any form of processing and places no limits on the choice of collection method, including the use of video recordings. It is unfortunate that the municipality was not aware of this basis for processing at the time they collected the information. However, if you have a legal basis for processing under Article 6(1)(c) (legal obligation), you do not lose this legal basis for processing by mistakenly believing that you need consent for processing
On Article 13 GDPR the Board agrees with the Norwegian DPA that the municipality has not complied with its duty to inform parents. The parents should have received more information about the kindergarten's procedures and planned processing of personal data, including storage, deletion and sharing. Since the municipality had a legal basis for processing, the breach of Article 13 GDPR was not serious and so a reprimand was not necessary.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The Privacy Board's decision 10 October 2023 (Mari Bø Haugstad, Gunn Elin Lode, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Malin Tønseth) The case concerns a complaint from X municipality against the Norwegian Data Protection Authority's decision on 7 December 2023 to impose a reprimand on the municipality, cf. the Personal Protection Regulation article 58 no. 2 letter b, for having processed personal data without a valid basis for processing, cf. article 6 no. 1, as well as for not having complied with the obligation to provide information pursuant to Article 13. The course of action The Danish Data Protection Authority received a notification of a breach of personal data security (notification of deviation), cf. article 33, from X municipality on 7 July 2020. The deviation had occurred in one of the municipality's kindergartens in October the previous year. In the notice of deviation, the municipality explained that "An employee filmed a child in a fit of anger when dressing in the changing room. The intention with the filming was to show it to the municipal psychologist by way of guidance for the staff on how to deal with such outbursts of anger. The child subsequently asked the employee to watch the film. The child got to see the film. Parents have consented to filming for internal use in the nursery." The municipality stated that the recording was deleted on 1 November 2019, and informed about planned and implemented measures to handle the vulnerability and limit the consequences of the breach. "Human failure" was given as the reason for the deviation. The municipality writes in the deviation notice that "the consent given probably does not cover the purpose of this particular filming and that parents should have been asked in advance of the filming". It is further stated that those affected have been informed that "the notice of deviation is sent to the parents' lawyer for information". The following day, the municipality sent a letter to the parents' lawyer with information that the Norwegian Data Protection Authority had been notified of the discrepancy. The Norwegian Data Protection Authority assumed that the municipality recognized the lack of processing grounds for the filming and that the municipality would follow up on the measures taken and provide employees with the necessary training. The Norwegian Data Protection Authority closed the case in a letter to the municipality on 22 July 2020 and writes, among other things: "We see that you have taken the matter seriously, and that you have implemented and are planning a number of good measures. You do not state whether you wish to continue processing the type of information to which this case applies. If you are going to do so, it is important that you, among other things, prepare routines for this internally, cf. the Personal Data Protection Regulation Article 24 no. 2. You must also assess the suitability of the device with which the film is to be filmed and the computer system in which the films are to be stored, including suitable measures to ensure the confidentiality, integrity and availability of the videos in accordance with the regulation's article 32. In connection with that, you must also consider how you can communicate both the video files and the assessments to the municipal psychologist in a secure way. The consent you obtain must be in accordance with the conditions for this in the regulation's article 7. It may be appropriate to include the information you are obliged to provide under the regulation's article 13 in the consent form. In connection with the obligation to provide information, it is particularly worth mentioning clearly specifying the purpose of the filming, with whom the video files are to be shared and how long the films are to be stored. Information about the guardians' right to access, deletion and withdrawal of consent is also worth highlighting. In addition to the above, we assume that you follow up that the measures you have implemented work and are sufficient, and that employees receive the necessary training. We close the case with this.” In a letter on 18 August 2020, the parents of the child who had been filmed contacted the Norwegian Data Protection Authority about the same notification of deviation. In the parents' view, the municipality had not given a complete picture of the situation in the notification of deviation submitted. The parents asked the inspectorate to order the municipality to provide further information, and stated that "the incident and subsequent processing of the case warrants corrective measures, cf. GDPR art 58 no. 2 letter i." The Norwegian Data Protection Authority asked the municipality for an explanation on 3 December 2020. The municipality explained the case in a letter on 5 January 2021. The municipality stated, among other things, that the reason why the case was not originally reported as a deviation was that the municipality had considered that they had a legal basis for processing in that consent which had been obtained. However, after receiving a complaint from the child's parents, it was considered that the consents could be misunderstood and a notification of non-conformity was then sent to the inspectorate. The Norwegian Data Protection Authority sent municipality X a notice of a decision on reprimand on 22 August 2022. The municipality did not comment on the notice sent. The Norwegian Data Protection Authority issued the following reprimand to X municipality on 17 December 2022: "In accordance with the personal data protection regulation article 58 no. 2 letter i, [X] municipality is given a reprimand for breaching the requirements for a legal basis and information to the data subject when processing personal data about children during video recording in kindergarten, cf. the personal data protection regulation article 6 no. 1 and Article 13.” After being granted a deferred appeal deadline, the municipality appealed in time against the Data Protection Authority's decision on 16 January 2023. In the appeal, the municipality expressed, among other things, a changed view on the question of whether there was a valid basis for processing. The inspectorate considered the complaint, but upheld its decision. The case was forwarded to the Personal Protection Board on 14 April 2023. The parties were informed about the case in a letter from the board, and were given the opportunity to make comments. Neither party has made any comments. The case was dealt with at the board's meeting on 10 October 2023. The privacy board had the following composition: Mari Bø Haugstad (chair), Gunn Elin Lode, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin and Malin Tønseth. Secretariat manager Anette Klem Funderud was also present. Fact of the matter On 14 October 2019, the nursery school contacted the health center in the municipality and asked for assistance related to a child in the nursery who they perceived had a major anger problem. The nursery stated that they needed advice and help to understand the child. It was decided that the municipal psychologist should come to the nursery and observe the boy and guide the staff. The boy's parents had agreed to cooperation with other agencies, including cooperation with the municipal psychologist. Before the municipal psychologist started his observations, on 22 October 2019 a situation arose in the changing room at the nursery where the boy in question had an outburst of anger. The incident was filmed by one of the employees. The recording was made on a municipal telephone that was not logged into a cloud service. The film was shown to seven employees in the nursery (those who worked in the department where the boy attended), the unit manager and the municipal psychologist. The child himself was also shown the film. The recording was deleted after 10 days, on 1 November 2019. The parents had previously agreed to "Use of dictaphone and video with children - internal use" on a separate consent form. Among other things, there is disagreement as to whether this, together with consent to work with the municipal psychologist, represented a valid consent to the treatment in question. The child's parents became aware of the video recording in a written statement from the municipal psychologist on 15 April 2020 in connection with her ending her work. It appears from the statement from the municipal psychologist that the incident mentioned was one of the situations used to give the staff guidance on how they could meet the boy in a more development-promoting way. On 28 April 2020, a meeting was held between the parents and the municipality where the child's outburst of anger and the kindergarten's handling of this was a topic. It appears from the minutes that the filming was also discussed: "The employees of the group have seen the film and the municipal psychologist. The film was shown to [the child]. This shall not happen again. The film has been deleted.” On 22 June 2020, the parents lodged a complaint about the municipality's handling of the case in accordance with the Kindergartens Act and notified the municipality of a lawsuit, cf. the Disputes Act § 5-2. In the inquiry, the parents also asked whether the Norwegian Data Protection Authority had been notified of the case. On 7 July 2020, the municipality sent a notice of deviation to the Norwegian Data Protection Authority, as explained above during the course of the case. The parents then sent their inquiry to the Norwegian Data Protection Authority by letter dated 18 August 2020, as explained above. Briefly about the Norwegian Data Protection Authority's decision The Norwegian Data Protection Authority has assessed whether there was consent for the relevant processing of personal data. In the Norwegian Data Protection Authority's assessment, the consent in question covers neither the purpose nor the specific processing. The Norwegian Data Protection Authority points out that three processes related to the recording took place: filming the data subject, storing the recording and showing the recording to others. In the Norwegian Data Protection Authority's opinion, it is clear that these consents do not cover the processing carried out in connection with the camera recording made by the child. The Norwegian Data Protection Authority points out in the decision that the municipality has not stated that there was any other processing basis for the camera recording than consent. The Norwegian Data Protection Authority concludes that there was no valid legal basis for the processing. There is thus a breach of the Personal Protection Ordinance's requirement for legality in the processing, cf. Personal Protection Ordinance Article 6 No. 1. The Danish Data Protection Authority further believes that the municipality has breached the requirements for transparency and information in Article 13. The parents only became aware of the processing of the child's personal data six months after the recording was made. They had no reason to expect that recordings of this type would be made as consent had not been obtained or they had been informed that it might be relevant to process personal data for such purposes. The Norwegian Data Protection Authority issued a reprimand to the municipality, cf. article 58. no. 2 letter b, for non-compliance with basic requirements in the personal data protection regulation (lack of legal basis and breach of the rules on information and transparency). The reprimand marks that the offense is of a certain degree of seriousness. In a stricter direction, the inspectorate emphasized that it was the parents' complaint to the municipality that led to the municipality sending a notice of non-conformity to the Data Protection Authority, and that the authority first became aware of this through the parents' complaint to the authority. In a stricter direction, the supervisory authority has also emphasized the municipality's lack of recognition of a lack of legal basis, despite the fact that the municipality sent a notification of a breach of personal data security to the Norwegian Data Protection Authority. The Authority believes that this is in line with the accountability principle in Article 5 No. 2. In the transmission letter to the tribunal, the Norwegian Data Protection Authority has commented on the municipality's statement in the complaint that the municipality has other grounds for processing than consent for its processing of personal data. The Norwegian Data Protection Authority writes that the Norwegian Data Protection Authority does not have the right professional expertise to assess the scope of the Kindergarten Act and current regulations for the kindergarten sector. The inspectorate further points out that the municipality cannot change the legal basis during the processing of personal data. If the municipality has assessed that the processing was consent-based, this must, according to the inspectorate's assessment, be used as a basis, and one cannot later change one's opinion and point to current legal and regulatory provisions as a basis for processing. The municipality's view on the matter in brief The municipality has a legal basis for the processing in question in the personal protection regulation article 6 no. 1 letter c (necessary to fulfill a legal obligation), letter d (necessary to protect the vital interests of the data subject or another natural person) and letter e (necessary for to carry out a task in the public interest or exercise public authority that the controller is required to do). The Norwegian Data Protection Authority cannot assume that the municipality stated in the notice of deviation that there was no legal basis for the processing. The Norwegian Data Protection Authority has not disclosed the matter well enough. The Norwegian Data Protection Authority's decision is therefore flawed and not based on correct law. The municipality has a legal duty to fulfill its obligations under the Kindergartens Act towards children in kindergartens. Observation of children in kindergarten may, depending on the circumstances, be in the public interest or the exercise of public authority. Kindergarten is a voluntary offer. Guardians who accept a kindergarten place accept the legislation and statutes that apply to the kindergarten. This follows from the Kindergarten Act. The nursery school is an educational establishment, cf. the Kindergarten Act § 2 and regulations on the framework plan for kindergartens chapter 3. The nursery school has a statutory duty to base its activities on "observation, documentation and reflection", cf. the regulations chapter 7. In this case, the nursery has documented a reaction in the child as a basis for giving staff internal guidance from the municipal psychologist, who was not present when the reaction occurred. The nursery school identified a need in the child to work on the development of social competence and communication, and a reaction in the child was documented by video recording on a mobile phone as part of internal competence raising and guidance. The municipality has a legal duty to develop the children's social competence and communication, and this is of significant interest to the child. This is work of general interest. The municipality also has processing grounds for the video recording for internal use in Article 6 no. 1 letter a (consent) Consent from the guardians covers the relevant situation. The recording had an educational purpose and was supposed to contribute to the development of the child. The consent form authorizes video recording of the child where the purpose is to contribute to the child's development. Although the municipality has previously stated that the consent was probably not comprehensive, the Norwegian Data Protection Authority should have made an independent assessment of this. The Norwegian Data Protection Authority does not have the right under general administrative law to emphasize in a stricter direction that the municipality has not acknowledged that the processing lacked a legal basis. There is no basis for the Norwegian Data Protection Authority to issue a reprimand to the municipality for breaching Article 6 of the Personal Data Protection Ordinance. Nor has the municipality breached the obligation to provide information in Article 13 of the Personal Data Protection Ordinance. It is an error in the decision that the Norwegian Data Protection Authority did not assess the exceptions from the information obligation in the Personal Data Act § 16 first paragraph letter e on internal case preparation. The municipality requests that the Norwegian Data Protection Authority's decision be declared invalid. The Norwegian Privacy Board's assessment It is the municipality that is responsible for the processing of the child's personal data that took place when the nursery school took a video recording of the child, stored the recording on the municipal service telephone and showed the recording to the employees, the unit manager and the municipal psychologist, cf. the personal protection regulation article 4 no. 2 and no. 7 The data controller is responsible for compliance with the Personal Data Act, and must be able to demonstrate that the rules have been complied with, cf. Article 5 no. 2. The Norwegian Data Protection Authority has concluded that the municipality has not met the requirements for a valid processing basis and the right to information and has imposed a reprimand on the municipality for the violation, cf. article 58 no. 2 letter b. The tribunal assumes that a reprimand is a single decision, cf. the Public Administration Act Section 2 first paragraph letter a and b, which gives the right to appeal. It is in line with the board's previous practice, see PVN-2020-11. The tribunal will first say something about the current legal basis for processing personal data about children in a kindergarten, provided that the processing is fully or partially automated or the personal data is included in a register, cf. Section 2 of the Personal Data Act. The kindergarten's operations are regulated by the Kindergarten Act (law-2005-06-17-64). Section 1 of the Kindergartens Act states, among other things, that the kindergarten, in cooperation and understanding with the home, must look after the children's needs for care and play, as well as promote learning and education as a basis for all-round development. In Chapter VIII of the act on psychosocial daycare environments, there are further provisions on the daycare center's duty to investigate and implement measures to ensure a safe and good daycare environment for the child. There is no doubt that the nursery staff, in order to fulfill this duty, must process a range of information about each individual child and that, among other things, to document the work they do, they must store this information in a personal register. The Personal Protection Regulation article 6 no. 1 letter c (legal duty), cf. the Kindergartens Act § 47 a, cf. regulations on the framework plan for kindergartens chapter 7 (the kindergarten as an educational activity) provides the municipality with the necessary processing basis for this. It appears from the regulation, among other things: "Children have the right to protection of their personal integrity. An ethical perspective must therefore be the basis for documentation of the group of children and individual children. Personal data must be processed in accordance with the Personal Data Act. The processing of personal data means all collection, registration, compilation, storage and disclosure of information and assessments that can be linked to an individual. If the nursery is to hand over personal information about the child to other bodies and there is no legal authority, the parents must consent to this. The requirement for consent from the parents does not apply, for example, in cases where the staff share personal data with the child welfare services in order to fulfill the obligation to provide information in Section 46 of the Kindergartens Act." According to the tribunal's assessment, there is no doubt that the municipality has a valid processing basis in the Kindergarten Act with regulations for processing personal data about the children in the kindergarten. The legal basis covers any form of processing, and does not set any barriers to the choice of method of collection, including the use of video recordings. It follows from the regulations that the ethical perspective must be emphasized when documenting the group of children and individual children. According to the tribunal's assessment, the municipality has therefore had processing grounds for the collection of personal data, regardless of whether this takes place by means of video recording or in some other way. The tribunal does not agree with the Norwegian Data Protection Authority that the Norwegian Data Protection Authority does not have the competence to take a decision on whether the law provides a sufficient basis for processing and agrees with the municipality that this is a central task for the Norwegian Data Protection Authority as a supervisory authority. According to the tribunal's assessment, the parents' consent to "Use of voice recorder and video with children - internal use" must be understood as consent to the processing of information through the use of voice recorder and video beyond the cases for which the law authorizes, namely "when it is necessary to carry out tasks according to the law". The tribunal notes that it is unfortunate that the municipality was not aware of the processing basis they had at the time they collected the information. The fact that the municipality, after the case was brought before the supervisory authority, and after seeking legal advice, refers to other relevant legal grounds is nevertheless not the same as changing the grounds for processing during the processing. If you have a basis for processing according to Article 6 no. 1 letter c (legal obligation), you do not lose this basis for processing by mistakenly believing that you need consent for the processing. The tribunal believes that the guidelines from the Norwegian Privacy Council, which the Norwegian Data Protection Authority refers to, deal with a different situation and are not relevant to the facts in this case. The question for the tribunal is therefore whether the kindergarten's decision to hand over the video recording to the municipal psychologist requires a different legal basis than what the Kindergarten Act provides. It follows from the quoted text in the regulation above that if the nursery is to hand over personal information about the child to other bodies and there is no legal authority, the parents must consent to this. As described in the facts of the case, several consents were obtained from the parents. The one consent concerned the use of a dictaphone and video recording for internal use. The second consent concerned, among other things, the kindergarten's collaboration with the municipal psychologist. The tribunal assumes that the consent obtained regarding the collaboration with the municipal psychologist satisfies the consent requirements under Article 4 no. 11. In the tribunal's assessment, this consent provides a processing basis for sharing the video recording with the municipal psychologist. When, as in this case, consent had been obtained from the parents for the municipal psychologist to be involved in order to give guidance to the staff at the nursery school on how to meet the boy, sharing with the municipal psychologist the information obtained, including sharing a video recording which shows a relevant incident with the boy, also be legal and covered by the consent obtained. The tribunal has not taken a decision on whether the sharing of the video recording with the child himself was justifiable. This is not part of the complaint and is a nursery professional assessment that lies outside the board's competence. According to the tribunal's assessment, the Norwegian Data Protection Authority gives the municipality good advice in its letter of 22 July 2020, where the Norwegian Data Protection Authority originally closed the case after receiving a notice of deviation from the municipality. The inspectorate writes: "You do not state whether you wish to continue processing the type of information to which this case applies. If you are going to do so, it is important that you, among other things, prepare routines for this internally, cf. the Personal Data Protection Regulation Article 24 no. 2. You must also assess the suitability of the device with which the film is to be filmed and the computer system in which the films are to be stored, including suitable measures to ensure the confidentiality, integrity and availability of the videos in accordance with the regulation's article 32. In connection with that, you must also consider how you can communicate both the video files and the assessments to the municipal psychologist in a secure way." The Norwegian Data Protection Authority points here to various conditions that must be assessed separately when the collection takes place during filming. The tribunal agrees with the Norwegian Data Protection Authority's assessment of this. The Privacy Board also agrees with the Norwegian Data Protection Authority that the municipality has not complied with its obligation to inform parents, cf. article 13. The parents should have received more information about the nursery's routines and planned processing of personal data, including storage, deletion and sharing. The exception to the obligation to provide information according to the Personal Information Act § 16 first paragraph letter e does not apply as it is obviously not about information that "exclusively exists in text prepared for internal case preparation". When the Personal Data Act has been breached, the Norwegian Supervisory Authority can choose between various "corrective measures", cf. the Personal Protection Regulation Article 58 No. 2. In this case, the case was closed at the Norwegian Supervisory Authority's first hearing without any corrective measures. After an inquiry from the child's parents in the case, the inspectorate changed its assessment and imposed a reprimand on the municipality, cf. article 58 no. 2 letter b. A reprimand is an administrative law reaction with the purpose of highlighting that the offense is of a certain degree of seriousness. The tribunal has, in contrast to the Norwegian Data Protection Authority, concluded that the municipality had a legal basis for processing personal data. In this case, the breach of the obligation to provide information is not so serious that it provides sufficient grounds for a reprimand. The tribunal also cannot see that new information came to light through the parents' inquiry to the Norwegian Data Protection Authority, after the case had been closed the first time, which justifies a different and stricter assessment of the breach than the assessment made in July 2020. The decisive factor as to whether or not a reprimand is to be imposed must, according to the tribunal's assessment, depend on the seriousness and nature of the offence. In this case, no information has been collected that should not have been collected. The information is also not shared with persons at other bodies without a legal basis. The breach consists in the nursery school not fulfilling its duty to inform the parents. The method of collection (video recording) also entails the need for special assessments related to information security, which it is critical that this has not been carried out. When assessing how serious the breach is, emphasis must nevertheless also be placed on the fact that the film was only used for the purpose it was intended for (the municipal psychologist's guidance of the staff to make them better equipped to meet the child in question in a better way), the film was kept for a limited period (10 days) and then deleted. When the municipality was made aware by the parents that the parents thought it was illegal processing (not valid consent), a notification of deviation was sent to the Norwegian Data Protection Authority and measures were planned and implemented to deal with the vulnerability and limit the consequences of the breach. The municipality shows, through its procedure in the case, that they have taken the case seriously from the moment they became aware that the parents did not think there was a sufficient basis for treatment. They notified the Norwegian Data Protection Authority of the discrepancy and planned and implemented a number of measures, including to increase the employees' privacy knowledge. When the processing of personal data in question has also benefited the boy in that the municipal psychologist gained access to observations that were useful for her planned guidance of the employees, the illegal processing is considered to be sufficiently repaired without there being any reason to impose any reprimand. The complaint from the municipality has been successful. The decision is unanimous. Resolution X municipality is not reprimanded under the Personal Data Protection Ordinance for its processing of personal data. Oslo, 10 October 2023 Mari Bø Haugstad Manager