Datatilsynet (Norway) - 23/00708

From GDPRhub
Datatilsynet - 23/00708
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Article 32(1) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Article 57(1)(a) GDPR
Article 57(1)(h) GDPR
Article 58(1)(f) GDPR
Article 58(1)(b) GDPR
Article 58(1)(e) GDPR
Article 58(1)(a) GDPR
Article 58(2)(d) GDPR
Article 58(2)(i) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.03.2023
Decided: 27.11.2023
Published: 28.11.2023
Fine: 20000000 NOK
Parties: The Labour and Welfare Administration (NAV)
National Case Number/Name: 23/00708
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
NAV (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined the Labour and Welfare Administration (NAV) €1,754,678 (NOK 20 million) and issued several orders for 12 violations, attributed to "serious neglect over an extended period" in their information security and IT systems.

English Summary

Facts

"NAV", the Norwegian Labour and Welfare Administration, is a government agency that collaborates with local municipalities to provide unified access to public labour and welfare services. Its primary functions include promoting employment and ensuring financial and social security. NAV administers a significant portion of the state budget and is one of the country's largest employers, with about 22,000 employees. Almost all citizens of Norway are in contact with NAV at some point in their lives.

On 1 March 2023, the Norwegian DPA Datatilsynet notified NAV (the controller) of a physical inspection as per Article 57(1)(a) GDPR, Article 57(1)(h) GDPR, cf. Article 58(1)(a) GDPR, Article 58(1)(b) GDPR, Article 58(1)(e) GDPR and Article 58(1)(f) GDPR.

The DPA conducted their inspection on 6 September. They focused on the controller's IT systems for processing personal data related to its government services, including technical and organisational measures for access controls, logging and log control, as per Article 32 GDPR and Article 5(1)(f) GDPR, and whether the controller had established an appropriate management system in line with Article 24 GDPR and Article 5(2) GDPR.

The DPA sent the controller the preliminary audit report on 1 November, to which the controller responded on 22 November. The DPA then submitted their final report on 27 November, along with a notification of their intent to impose a fine and issue several orders.

The controller has three weeks to respond to the DPA's preliminary conclusions, after which the DPA will make their final decision.

Holding

Overall, the DPA found that many of the controller's employees work on cases from across the country, in several service areas, with broad access rights. Despite this, there is no systematic control over how they use the systems; their use relies on trust instead. The employees also lack the tools needed to manage this trust and the responsibility they are given, due to a lack of routines and supervision.

Following the audit, the DPA draws two main conclusions. First, the controller's management system is not suited to ensuring adequate security for protecting personal data. Second, confidentiality in their systems, in practice, is not adequate. This resulted in 12 violations:

  • Violation 1: The controller has not established an adequate management system to provide adequate technical and organisational measures to ensure and demonstrate that processing personal data is done in line with Article 5(2) GDPR and Article 24(1) GDPR and Article 24(2) GDPR.
  • Violation 2: The controller's governing documentation for access controls fails to incorporate adequate technical and organisational measures, necessary for ensuring and demonstrating compliance with Article 32(1) GDPR and Article 32(2) GDPR, see also Article 5(2) GDPR and Article 24(1) GDPR and Article 24(2) GDPR.
  • Violation 3: The controller does not regularly review its governing documentation for access controls, as required by Article 32(1)(d) GDPR.
  • Violation 4: The controller has not implemented sufficient organisational measures to ensure that risk assessments are done as per Article 32(2) GDPR, when establishing and developing IT systems.
  • Violation 5: Access to metadata of documents in one system is too general and broad, violating the confidentiality principle of Article 5(1)(f) GDPR and the security requirements set out in Article 32(1) GDPR.
  • Violation 6: The controller has not implemented sufficient organisational measures for training identity control administrators, violating Article 32(1) GDPR and Article 32(4) GDPR.
  • Violation 7: The routines for granting accesses are out of date and fail to provide guidance for discretionary assessments, violating Article 32(1) GDPR and Article 32(4) GDPR.
  • Violation 8: Access to personal data only processed for archive purposes in historical cases is too general and broad, violating the confidentiality principle of Article 5(1)(f) GDPR and the security requirements set out in Article 32(1) GDPR.
  • Violation 9: The controller has chosen to organise their access controls in a way that allows a significant number of users access to systems with no real work-related need for it. Combined with an inadequate system for access controls, this violates the confidentiality principle of Article 5(1)(f) GDPR and the security requirements set out in Article 32(1) GDPR.
  • Violation 10: The controller has inadequate technical and organisational measures for safeguarding personal data of certain categories of data subjects (own employees, people with secret addresses etc.), violating Article 32(1) GDPR and Article 32(2) GDPR.
  • Violation 11: The controller has inadequate routines for controlling unit leaders' yearly revision of accesses, violating Article 32(1)(d) GDPR.
  • Violation 12: The controller has not established a systematic access log control. Combined with the fact that a significant number of employees have broad accesses (see violation 9), this violates the requirement to implement sufficient technical and organisational measures to ensure and demonstrate that the processing of personal data is done in line with the GDPR, thus violating Article 32(1) GDPR and Article 32(2) GDPR, see also Article 5(2) GDPR, Article 24(1) GDPR and Article 24(2) GDPR, as well as the requirements for periodic control as per Article 32(1)(d) GDPR.

First, the DPA intends to order the controller to rectify the 12 violations. This includes establishing a comprehensive and suitable systematic approach for organisational measures to ensure and demonstrate compliance with the GDPR, including necessary routines. Further, the controller must establish technical and organisational measures for access controls and access control logs to ensure confidentiality in their processing of personal data, including limiting access to what's necessary.

Second, the DPA intends to fine the controller €1,754,678 (NOK 20 million) for violating Article 5(1)(f) GDPR, Article 32(1) GDPR, Article 32(2) GDPR, Article 32(4) GDPR, as well as Article 5(2) GDPR, Article 24(1) GDPR and Article 24(2) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

LABOR AND WELFARE AGENCY
PO Box 354
8601 MO I RANA

Your reference: 23/4873
Our reference: 23/00708-23
Date: 27.11.2023



Submission of final inspection report - Notice of decision on order and infringement fee

1. Introduction

We refer to the local inspection at the Norwegian Labor and Welfare Agency (NAV) on 6 September 2023, which was notified in our letter of 1 March 2023. The inspection was carried out pursuant to Article 57(1)(a) and (h) GDPR, cf. Article 58(1)(a), (b), (e) and (f). The GDPR has been implemented in Norwegian law by incorporation, see § 1 of the Personal Data Act.


It follows from § 20 of the Personal Data Act that the Norwegian Data Protection Authority is the supervisory authority under Article 51 GDPR.


Our powers to issue orders and to impose infringement fees follow from Article 58(2)(d) and Article 58(2)(i) GDPR respectively. We also refer to § 26 second paragraph of the Personal Data Act, which states that the Norwegian Data Protection Authority may impose infringement fees on public authorities and bodies in accordance with the rules in Article 83 GDPR.


The preliminary inspection report was submitted to NAV on 1 November 2023. NAV submitted its comments on the report on 22 November 2023.



2. Final inspection report and notice of decision

Our final inspection report is attached. Based on NAV's comments, we have made some changes to the report. The changes are marked with footnotes throughout.


In the audit, we have checked whether NAV ensures satisfactory confidentiality in the IT solutions (the "professional systems") that are used to process personal data in connection with service provision.



The inspection included technical and organizational measures related to access control, logging and log control, cf. Article 32 and Article 5(1)(f) GDPR, including whether NAV has established a suitable management system, cf. Article 24 and Article 5(2) GDPR.

The control was limited to the processing of personal data in professional systems that belong to the state part of NAV's service provision.


Our main conclusions are that NAV's management system is not suitable for ensuring a satisfactory level of security for personal data, and that the safeguarding of confidentiality in NAV's professional systems is, in practice, not satisfactory either.


In the report we have identified 12 offences (in the report and in this notice also referred to as "deviations") that NAV is required to rectify.

We have concluded that NAV should also be subject to an infringement fee as a result of the offences.


Our assessments and the factual and legal circumstances underlying the notified orders and the notified infringement fee appear below.

We also refer to our assessments, and to the descriptions of the factual and legal circumstances in the case, as set out in the final inspection report.


3. Notice of decision on order

In accordance with Section 16 of the Public Administration Act, we hereby notify you that, pursuant to Article 58(2)(d) GDPR, we are considering making the following decision:

    1. NAV is required to establish a comprehensive and suitable system for organizational measures to ensure and demonstrate compliance with the data protection rules, cf. Article 5(2), Article 24(1) and (2) and Article 32(1), (2) and (4) GDPR, as the local inspection has revealed that the existing measures do not meet the requirements of the law. See points 4 and 5 (deviations 1 and 2) in the inspection report.

        Under this, NAV must establish:

        a. Routines for regular revision of the governing documentation for access management, as the local inspection revealed that it is not subject to regular audit in accordance with the requirements of Article 32(1)(d) GDPR. See point 5.2.2 (deviation 3) in the inspection report.

        b. A routine for carrying out risk assessments in the establishment and development of professional systems, as the local inspection revealed that the existing routines do not ensure that risk assessments are carried out in accordance with Article 32(2) GDPR. See point 5.2.2 (deviation 4) in the inspection report.

        c. A routine for training identity administrators, as the local inspection revealed that no satisfactory organizational measures have been established for the training of this group, cf. Article 32(1) and (4) GDPR. See points 5.3.2 and 5.4.2 (deviation 6) in the inspection report.

        d. Updated and suitable routines for granting access in the various professional systems, as the local inspection revealed that the existing routines are outdated and deficient, and thus do not meet the requirements of Article 32(1) and (4) GDPR. See point 5.4.2 (deviation 7) in the inspection report.

        e. A routine for checking unit managers' annual audit of accesses, as the local inspection revealed that the existing routines do not meet the requirements of Article 32(1)(d) GDPR. See point 5.8.2 (deviation 11) in the inspection report.

    2. NAV is required to establish technical and organizational measures related to access management which provide satisfactory confidentiality protection of personal data, cf. Article 5(1)(f) and Article 32(1) GDPR, as the local inspection revealed that the existing measures do not meet the requirements of the law. See point 5 (deviation 9) in the inspection report.

        Under this, NAV must establish:

        a. Technical and organizational measures for the archive system Joark which limit access to metadata about documents across disciplines to cases where it is necessary, as the local inspection revealed that the availability of such data is too general and broad, and thus does not meet the requirements of Article 5(1)(f) and Article 32(1) GDPR. See point 5.3.2 (deviation 5) in the inspection report.

        b. Technical and organizational measures to limit access to personal data that is only processed for archival purposes (historical cases) to cases where it is necessary, as the local inspection revealed that access to historical cases is too general and broad, and thus does not meet the requirements of Article 5(1)(f) and Article 32(1) GDPR. See point 5.4.2 (deviation 8) in the inspection report.

        c. Technical and organizational measures that make it possible to adapt personal data security to the risk based on specific user needs, as the local inspection revealed that the existing measures do not provide such a possibility, and consequently do not meet the requirement that security measures be adapted to the risk of the processing, cf. Article 32(1) GDPR. See point 5.7.2 (deviation 10) in the inspection report.

    3. NAV is required to establish technical and organizational measures related to log control which provide satisfactory confidentiality protection of personal data, cf. Article 5(1)(f) and Article 32(1)(d) and (4) GDPR, as the local inspection revealed that the existing measures do not meet the requirements of the law. See point 7 (deviation 12) in the inspection report.




The Norwegian Data Protection Authority requests a timetable for the implementation of the notified orders, which will be taken into account when the final decision is drawn up.


4. Notification of a decision to impose an infringement fee

In accordance with Section 16 of the Public Administration Act, we hereby notify you that, pursuant to Article 58(2)(i) GDPR, cf. § 26 of the Personal Data Act, we are considering making the following decision:

     NAV is ordered to pay an infringement fee of NOK 20,000,000 (twenty million) for violation of

       a) Article 5(1)(f) and Article 32(1), (2) and (4) GDPR, as a result of processing personal data in a way that does not ensure sufficient security for the personal data, and

       b) Article 5(2) and Article 24(1) and (2) GDPR, as a result of not having implemented suitable technical and organizational measures to ensure and demonstrate that the processing of personal data is carried out in compliance with the GDPR.



5. Privacy in NAV

NAV is a nationwide public enterprise and consists of both municipal and state services. NAV consists of the state labor and welfare agency and the partnership with each individual municipality. NAV is responsible for managing welfare services such as labor market measures, social security benefits and social assistance. Almost all residents of Norway are in contact with NAV during their lives.

NAV is in a special position from a privacy perspective. The tasks imposed on NAV entail the processing of personal data on an enormous scale, including highly sensitive information. According to figures from NAV's annual report for 2022, approximately 3.2 million people received benefits from NAV last year.

There is therefore a built-in high privacy risk in NAV's operations, which entails strict requirements for personal data security.

This risk was identified and pointed out already at the adoption of Act of 16 June 2006 no. 20 on the Labor and Welfare Administration (the NAV Act). In the consultation round, the Norwegian Data Protection Authority expressed concern that the reform would lead to significant availability of sensitive information about individuals. The Norwegian Data Protection Authority's consultation opinion is reproduced as follows in the preparatory work for the NAV Act (on page 66 of Ot.prp. no. 47 (2005-2006)):

        "Overall, the proposal does not appear, in the opinion of the Norwegian Data Protection Authority, to be suitable for creating trust in the new agency among the population. For the Norwegian Data Protection Authority, it will be unacceptable if a principle is not established during the merger - also for the development of the ICT system - that no one should have access to more personal data than they need to carry out their duties properly, and that any lookups employees make must be logged and the logs checked."

The Ministry of Labor and Inclusion commented on our view and that of the other consultation bodies as follows on page 71 of the proposal:

        "Consideration for confidentiality and privacy must be ensured by the sum of the legal rules, security measures, processes and mechanisms for managing access to information in the ICT systems, and the regime for control and follow-up of this that is put in place. In order to safeguard information security, including ensuring the principle that no one should have access to more personal data than they need to carry out their work tasks, a control regime that follows up information security is important.

        Both the agency and the joint local offices will manage large amounts of sensitive personal data. If a clear regime is not established for information security, this is a risk."

In other words, it has been a known premise, ever since the establishment of NAV, that safeguarding personal data security - especially in the form of confidentiality protection - must be a central part of the business.


6. Overall findings

The main findings of the inspection are that NAV has organized itself in such a way that a large number of employees work on cases from all over the country, within several service areas, and consequently have correspondingly wide access. At the same time, no systematic control of employees' use of the professional systems has been established.

The result of this is, as we see it, that the use of the professional systems is largely based on trust. A lack of routines and management means that employees do not have the tools they need to manage the trust and responsibility they are given.

As mentioned, we have identified 12 offences. We refer to our assessments and to the descriptions of the factual and legal circumstances in the case, as set out in the final inspection report. The conclusions are as follows:


• Deviation 1: NAV has not sufficiently established a management system that provides suitable technical and organizational measures to ensure and demonstrate that its processing of personal data is carried out in accordance with the GDPR, cf. Article 5(2) and Article 24(1) and (2). See report point 4.

• Deviation 2: NAV's governing documentation for access management lacks suitable technical and organizational measures to ensure and demonstrate that its processing of personal data is carried out in accordance with the GDPR, cf. Article 32(1) and (2), cf. also Article 5(2) and Article 24(1) and (2). See report point 5.2.

• Deviation 3: NAV's governing documentation for access management is not subject to regular audit in accordance with the requirements of Article 32(1)(d) GDPR. See report point 5.2.

• Deviation 4: NAV has not established satisfactory organizational measures to ensure that risk assessments are carried out in accordance with Article 32(2) GDPR in the establishment and development of professional systems. See report point 5.2.

• Deviation 5: The availability of metadata about documents in Joark is too general and broad, and is not compatible with the confidentiality principle in Article 5(1)(f) GDPR and the requirements for personal data security in Article 32(1). See report point 5.3.

• Deviation 6: NAV has not established satisfactory organizational measures for the training of identity administrators. Our conclusion is that this is a deviation from the requirements in Article 32(1) and (4) GDPR. See report points 5.3 and 5.4.

• Deviation 7: The routines for granting access are outdated and do not provide guidance for discretionary assessments. This is to be considered a deviation from the requirements for organizational measures under Article 32(1) and (4) GDPR. See report point 5.4.

• Deviation 8: Access to personal data that is only processed for archival purposes (historical cases) is too general and broad, and is not compatible with the confidentiality principle in Article 5(1)(f) GDPR and the requirements for personal data security in Article 32(1). See report point 5.4.

• Deviation 9: NAV has organized itself in such a way that a significant proportion of users have a work-related need for wide access. In combination with a deficient system for log control (see report point 7), this is not compatible with the confidentiality principle in Article 5(1)(f) GDPR and the requirements for personal data security in Article 32(1). See report point 5.4.

• Deviation 10: NAV's lack of technical and organizational measures for shielding based on individual needs is a deviation from the requirement that security measures be adapted to the risk of the processing, cf. Article 32(1) and (2) GDPR. See report point 5.7.

• Deviation 11: NAV has not established satisfactory routines for the control of unit managers' annual audit of accesses. This is a deviation from the requirement in Article 32(1)(d) GDPR. See report point 5.8.

• Deviation 12: NAV has not established a systematic log check. In combination with the fact that a significant proportion of NAV's employees have wide access (see report point 5.4/deviation 9 above), this is considered a deviation from the requirement to introduce suitable technical and organizational measures to ensure and demonstrate that the processing of personal data is carried out in accordance with the GDPR, cf. Article 32(1) and (2), cf. also Article 5(2) and Article 24(1) and (2), and from the requirements for regular control under Article 32(1)(d). See report point 7.

We observed during the inspection that NAV's security framework is being revised. NAV has a target of completing this work in 2026. We therefore specify that our assessments are based on NAV's practice and compliance with the regulations at the time of the inspection.


We would also like to clarify that we have exclusively looked at internal personal data security. Wide access and lack of use of logs can also make NAV vulnerable to external security threats.


7. Previous supervision and evaluations etc.

7.1 Supervision in 2007

The Norwegian Data Protection Authority checked personal data security in NAV through four inspections in 2007 (case numbers 07/01456, 07/01457, 07/01458 and 07/01459). The inspection with case number 07/01456 was aimed at NAV centrally, while the other inspections were aimed at different local offices.


The Norwegian Data Protection Authority found deviations related to access management, logging and log control. This resulted in, among other things, the following order (case 07/01456):

    1. "The Directorate of Labor and Welfare must establish satisfactory information security as regards access control and logging in accordance with § 13 of the Personal Data Act, cf. § 2-11 of the Personal Data Regulations. Reference is made to section 8.1.5.1 of the control report.

    2. The Directorate of Labor and Welfare must limit the access granted at NAV Lier in accordance with § 13 of the Personal Data Act, cf. § 2-11 of the Personal Data Regulations. Reference is made to section 8.1.5.2 of the control report.

    3. The Directorate of Labor and Welfare must end the use of Arena as a joint follow-up tool unless security measures are established in accordance with § 13 of the Personal Data Act, cf. §§ 2-7, 2-8, 2-11 and 2-14 of the Personal Data Regulations. Reference is made to section 8.2.3 of the control report."


Among the main findings in the inspection report was that the individual employee had been given significantly greater access to personal data through the NAV reform, and that NAV appeared to have chosen a tool for following up the individual service recipient without basic information security measures having been established.

7.2 Supervision in 2010

The Norwegian Data Protection Authority checked personal data security in NAV again in 2010 (case 10/01228). The deviations related to access management, logging and log control that were identified in 2007 had not been closed at that time. The inspection resulted in, among other things, the following order to NAV:





    1. "The Directorate of Labor and Welfare must establish logging of lookups on individuals in its professional systems in accordance with § 13 of the Personal Data Act, cf. §§ 2-8 and 2-14 of the Personal Data Regulations. Reference is made to section 6.4.3 of the control report.

    2. The Directorate of Labor and Welfare must establish satisfactory confidentiality protection as regards access control and the use of logs in accordance with § 13 of the Personal Data Act, cf. §§ 2-11 and 2-14 of the Personal Data Regulations. Reference is made to section 6.5.3 of the control report."

7.3 Supervision in 2011

In 2011, the Norwegian Data Protection Authority carried out an inspection (case 11/00797) with a focus on the distribution of responsibilities between the state and the municipal part of NAV. The Norwegian Data Protection Authority also checked whether the deviations found in 2007 and 2010 had been closed.

The summary of the inspection report states the following:

      "The safeguarding of confidentiality in NAV is not satisfactory. This is because very wide access is granted, and logging and the use of logs are deficient. This was previously documented in the control of the directorate in 2010. In addition, sufficient routines have not been established for the allocation of access. The lack of confidentiality protection applies to both municipal and state professional systems."


The Norwegian Data Protection Authority's notice of an order in the case states the following:

    "Deviations documented in the present control report confirm findings from earlier controls of the Norwegian Directorate of Labor and Welfare and previously issued orders. This applies to:

        1. The need for the Directorate of Labor and Welfare to establish satisfactory confidentiality protection in terms of access management and use of logs in accordance with § 13 of the Personal Data Act, cf. §§ 2-11 and 2-14 of the Personal Data Regulations. Reference is made to section 7.4.6.1 of the control report.

    Reference is made here to the Norwegian Data Protection Authority's decision on orders of 6 May 2011. The matter is followed up in the previous control case."

NAV confirmed in a letter of 21 January 2013 that the deviations had been closed. The Norwegian Data Protection Authority relied on this and closed the case on 8 February 2013.













7.4 BDO and Wiersholm's evaluation of NAV in 2016

The audit company BDO AS and the law firm Advokatfirmaet Wiersholm AS prepared a report on access controls in NAV in 2016, commissioned by NAV. Their overall assessment is worded as follows on page 4 of the report:

        "It is BDO's and Wiersholm's overall assessment and conclusion that NAV has not, to a sufficient extent, been able to understand the significance of the fact that the processing of personal data is central to NAV's operations, and the strict requirements that follow from this. NAV has several times been made aware of conditions that should have caused users' privacy and the processing of personal data to be lifted onto the strategic agenda, and thus given the work of safeguarding users' privacy the necessary priority. This does not appear to have been done."


7.5 PwC's evaluation of NAV in 2020

In 2020, PwC AS carried out a maturity assessment of the entire Labour and Welfare Administration (NAV),
with a focus on, among other things, information security.2 PwC also uncovered a number of weaknesses in
the security work at NAV, particularly related to the management system.


7.6 NOU 2023: 11 – Fast and correct

NOU 2023: 11 is an investigation of the complaint and appeal system in the Norwegian Labor and Welfare Agency and
the National Insurance Court. The committee behind the study concludes that NAV's work to increase
the quality of case processing does not appear to be comprehensive and systematic. The committee has
recommended that a comprehensive quality system be drawn up, which will ensure a focus on quality in
the services to the users, as well as in the processes behind these.


7.7 Final note – the significance of previous supervision for this case

In light of the history described above, we consider the findings from the latest inspection to be very
serious. In the areas of access management and log control, we assess the current state as
similar to or worse than at the previous inspection. In our assessment of the necessity of imposing
an infringement fee in this case, we have taken into account that previous orders issued by the Norwegian Data Protection Authority
have not proved sufficiently effective.


8. Violation fee

8.1 General information on infringement fees

In accordance with the Personal Data Protection Regulation article 58 no. 2 letter i, cf. Personal Data Act §
26 second paragraph, the Norwegian Data Protection Authority may impose infringement fees on public authorities in line with
the rules in the regulation article 83 in the event of a breach of the regulations.


1 Access controls in NAV – Review, analysis and proposals for improvements (13 October 2016), BDO and
Wiersholm. Available via the website https://jusboka.no/wp-content/uploads/2016/11/Rapport-om-access-controller-in-NAV.pdf?x22677.
2 Security maturity assessment (November 2020), PwC AS. The report is exempt from public disclosure.



Only violations of the provisions listed in Article 83 nos. 4 and 5 can
be sanctioned with an infringement fee, cf. the legality requirement in section 44 first paragraph of the Public Administration Act.

Violation fees are to be considered a penalty according to the European
human rights convention article 6. A clear preponderance of probability is therefore required for
offense in order to be able to impose a fee.

According to section 46 first paragraph of the Public Administration Act, subjective fault (negligence) is required on the part of the person or persons
who have acted on behalf of the undertaking when imposing an infringement fee, unless
otherwise determined.

The right to impose infringement fees is given as a means of ensuring effective
compliance with and enforcement of the Personal Data Act. It follows from the regulation article
83 no. 1 that each supervisory authority must ensure that the imposition of infringement fees in each
individual case is "effective, proportionate to the infringement and
dissuasive".

This is elaborated in recital 148:

        "In order to strengthen the enforcement of the provisions of this regulation, violations
        of this regulation should be subject to sanctions, including an infringement fee, in
        addition to or instead of suitable measures that the supervisory authority imposes pursuant to
        this regulation."

The conditions for imposing a fee appear in the regulation article 83. The provision gives, as a
basic rule, that the imposition of infringement fees is based on a discretionary
overall assessment, but lays down guidelines for the exercise of discretion by highlighting elements that
shall be given particular weight, cf. article 83 no. 2 letters a to k.

As regards the amount of the fee, Article 83 nos. 4 and 5 state maximum rates depending on
which provisions of the regulation have been breached.

The same points as when assessing whether a fee should be imposed must be given particular weight
also when measuring the fee. The fee should be set so high that it also has an effect beyond the specific
case, while the amount of the fee must be in a reasonable proportion to the infringement and
the undertaking, cf. Article 83 no. 1.


8.2 Assessment of whether an infringement fee should be imposed

8.2.1 The legal requirement

The Norwegian Data Protection Authority has come to the conclusion that NAV has breached Article 5 no. 1 letter f
and Article 32 nos. 1, 2 and 4 of the GDPR. In addition, we have come to the conclusion that Article 5 no. 2 and Article 24 nos. 1
and 2 have been breached.

Article 24 is not mentioned in the list in Article 83 nos. 4 and 5. Breach of this
provision can therefore only be sanctioned with an infringement fee if this is stipulated in
national law. For Article 24, such authority is given in Section 26 first paragraph of the Personal Data Act.

There are thus several offenses that can provide grounds for the imposition of an infringement fee,
cf. the Public Administration Act § 44 first paragraph.


8.2.2 The liability claim

The Norwegian Data Protection Authority cannot designate individuals at NAV who are to blame for the violations. Based on
case law, however, there is no requirement that the blame be individualised. Both anonymous and
cumulative errors can form a basis for liability when imposing corporate penalties, cf. HR-2022-1271-A,
paragraphs 46-50.

As shown above in point 7, the violations are linked to conditions that NAV has several times
been made aware do not meet the requirements of the law. NAV has been aware of this for a long
time. Based on this, we must conclude that it has been a conscious choice on NAV's part to continue
with technical and organisational solutions that do not meet the requirements of
the privacy regulations. NAV has thus demonstrated intent in the infringements. The fault requirement under
Section 46 of the Public Administration Act is thus fulfilled, as ordinary negligence is in any case
sufficient.


8.2.3 Assessment points that must be given particular weight

The regulation, article 83 no. 2 letters a to k, sets out elements that must be taken into account in
the decision on whether to impose an infringement fee, as well as in setting the infringement fee's
size. Below follows our assessment of the points we consider relevant in the assessment
of whether an infringement fee is to be imposed:

a) the nature, severity and duration of the infringement, taking into account
the nature, extent or purpose of the processing concerned, as well as the number of data subjects affected and
the extent of the damage they have suffered

NAV has breached fundamental principles for the processing of personal data through
the violations of article 5 no. 1 letter f and article 5 no. 2. The violations of article 24
and article 32 nos. 1, 2 and 4 show a pervasive systemic weakness and insufficient control related to
personal data security and the obligations NAV has as data controller, both in
routines and in practice. The violations indicate that NAV has not seen employees as a
risk factor in assessments related to personal data security.
The data minimisation principle does not seem to be taken into account through NAV's governing principle of
"official need".


The violations are extensive and have been going on for many years, probably ever since the creation of NAV,
cf. point 7 above. A very large number of data subjects are affected. We refer to the fact that NAV in 2022 had
about 3.2 million service recipients.




In the audit, we looked at selected systems in the state part of NAV's service provision. We do not
have a basis for assessing the purposes of each individual processing operation. In general, we
assume that the processing purposes are linked to the administration of the population's rights under
welfare legislation. Many of these rights exist for people in vulnerable life situations.

As regards the extent of the damage the data subjects have suffered, we have only investigated
the risk of damage. Lack of governance by management, very wide access for employees and the absence of
log control entail a high risk of damage in the form of employees' unauthorised acquisition of
personal data. We have not investigated the extent to which this risk has actually been
realised. The extent of the damage the data subjects have suffered is therefore not known.


However, we consider it a clear breach of integrity vis-à-vis the data subjects that
their personal data is more or less openly available to all employees of NAV.
This is a serious breach of the confidentiality principle enshrined in the GDPR
article 5 no. 1 letter f.

b) whether the infringement was committed intentionally or negligently

We have come to the conclusion that NAV has shown intent in the infringements, cf. point 8.2.2 above. This
is given weight in an aggravating direction.

c) any measures taken by the controller or data processor to limit
the damage that the data subjects have suffered

NAV's security framework is being revised and will be completed in 2026. We therefore
assume that this work will in future remedy the violations of Article 24.


The work on the security framework can also limit some of the damage that follows from
the violations of articles 5 and 32. Nevertheless, we do not perceive that NAV has any intention of
restricting employee access to the subject systems or introducing systematic log control. We can
therefore not give weight to this measure in a mitigating direction when it comes to limiting damage
as a result of the violations in these areas.

d) the controller's or processor's degree of responsibility, taking into account
the technical and organisational measures they have implemented in accordance with Articles 25 and 32

The violations in this case are based precisely on the fact that NAV has not implemented sufficiently
suitable technical and organisational measures to ensure that the processing of personal data is
performed lawfully. There is therefore, as a starting point, a high degree of responsibility.

As regards the violations of Article 5 no. 1 letter f and Article 32 nos. 1, 2 and 4,
the degree of responsibility is particularly high, as NAV has been made aware of the infringements
several times in the past, and in addition has not complied with orders to improve the conditions,
cf. points 7.1, 7.2 and 7.3 above. See also letters e and i below.





As mentioned, we understand that NAV does not yet have any intention of limiting employees'
access in the subject systems or introducing systematic log control. We have the impression that NAV
has established several technical possibilities for restricting access, but that these are used only to a
very limited extent. This applies, for example, to the subject system Arena. It emerged during
the inspection that the "expandable" roles in Arena, where employees must justify in writing look-ups outside their
core accesses, can no longer be used as intended. NAV has over time changed the organisation
of its task handling so that it is no longer natural to use technical limitations linked
to, for example, geography.

We believe that through this NAV has demonstrated an inability to carry out the necessary
improvements to personal data security, despite knowing that this entails
offences. There is therefore no doubt that the degree of responsibility points in a stricter direction.

e) any relevant previous violations committed by the data controller or
the data processor

We have not previously checked NAV's compliance with Article 24. As regards the
violation of this provision, there are therefore no previously known violations
that are considered relevant to the case.

Regarding the violations of Article 5 no. 1 letter f and Article 32 nos. 1, 2 and 4
through inadequate access management and log control, there are several relevant previous
violations. We point out that, on these points, violations of the law were detected through supervision in
2007, 2010 and 2011, cf. points 7.1, 7.2 and 7.3 above. The violations are linked to
provisions in the Personal Data Act (2000) which have now been continued through Article 5 no. 1
letter f and article 32 nos. 1, 2 and 4. This is given weight in a stricter direction.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce
its possible negative effects

Throughout the supervisory process, NAV has acted in an accommodating and cooperative manner. NAV
has complied with deadlines and presented requested information in a systematic and orderly form.
Compliance with the statutory duty to provide all information the supervisory authority
needs to carry out its tasks, cf. Article 58 no. 1, cannot, however, be given weight in a
mitigating direction, cf. the Privacy Appeals Board's decision in PVN-2022-03.

As described under letter h below, NAV itself has not considered the violations to be deviations.
The assessment element in letter f has therefore not come into play in this case. We find
no basis for giving weight to this point.

g) the categories of personal data affected by the breach

The subject systems at NAV may contain or provide access to detailed information about, among other things,
family relationships, health, education, working conditions, finances, faith and ethnicity,
institutional stays, criminal convictions and offences. Information about which of NAV's
benefits a person receives can in itself be health information. The subject systems have no time
limitation, so that employees have access to information about individuals from all phases of life.
Several of the categories of information affected by the violations constitute special categories of
personal data in accordance with Article 9 no. 1.

These points are given weight in an aggravating direction.

h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so
to what extent, the controller or processor notified
the infringement

The Norwegian Data Protection Authority became aware of the violations through the local inspection and orders to NAV
to provide relevant information.

The violations largely concern systematic, organisational weaknesses that NAV itself has
not considered to be deviations. In conversations with NAV, their representatives have been concerned with explaining
why the systems must be set up the way they are. Accordingly, it cannot be said that NAV has notified
the Norwegian Data Protection Authority of the violations. However, we find no basis for giving this
assessment element weight in an aggravating direction.

i) whether measures referred to in Article 58 no. 2 have previously been taken against the
controller or processor concerned with regard to the same subject matter, and whether those
measures have been complied with

No measures have previously been taken against NAV with regard to violations of
Article 24.

NAV was ordered by the Norwegian Data Protection Authority to establish satisfactory
personal data security through access management, logging and log control in 2007, 2010 and
2011. We refer to points 7.1, 7.2 and 7.3 above. The orders are linked to provisions in
the Personal Data Act (2000) which have now been continued through article 5 no. 1 letter f and
article 32 nos. 1, 2 and 4. We therefore believe that the orders, both factually and legally, relate to the
"same subject matter", cf. letter i.

The order to establish logging from the decision in 2010 is considered to have been complied with. In the areas of
access management and log control, we consider the current state to be similar to or worse than
at the previous inspection. The orders to establish satisfactory access management and log control
are therefore not considered to have been complied with. This is given weight in an aggravating direction.

j) compliance with approved standards of conduct in accordance with Article 40 or approved
certification mechanisms pursuant to Article 42

Not relevant to the case.


k) any other aggravating or mitigating factor in the case, e.g. financial benefits
gained, or losses avoided, directly or indirectly, as a result of the infringement

In a mitigating direction, we emphasise that NAV gives data subjects access to the log of employees'
look-ups in the subject systems. Admittedly, this cannot be considered a security measure, but it may have a
certain preventive effect.

In a stricter direction, we emphasise that NAV, by virtue of its role, has a particular responsibility to
ensure that personal data is processed in a secure manner. We also emphasise that
NAV has not responded adequately to repeated calls, through supervision and external
evaluations, to give the work on personal data security the necessary priority.
In addition, we emphasise in a stricter direction that it is largely left to the data subjects to
detect unlawful look-ups in the subject systems.


8.2.4 Overall assessment

The offences that have been uncovered show structural, organisational weaknesses and a lack of
understanding of the importance of privacy and of what is expected of NAV in this
area. We consider it very serious that an authority such as NAV has not adequately
safeguarded the population's personal data in a secure manner. It is clear that
the work on personal data security has not been given sufficient priority and resources. It is
a managerial responsibility to ensure that privacy is adequately safeguarded in an organisation.

The way the management system linked to access management and log control is set up today, it is very
demanding to verify whether the use of the subject systems takes place within the framework of the law. Local
offices are given great freedom to organise themselves in their own ways. This means that NAV's
governing principle of "official need" is in practice defined far down in the organisation. This
leads to management seemingly largely abdicating both responsibility for and
the possibility of checking compliance with the data protection regulation in practice. Lack of
governance entails a high risk that compliance is left to chance. That is not
acceptable for an authority such as NAV.

After an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that NAV should be imposed an
infringement fee. In this assessment, we have taken into account that previous orders have not proved
sufficiently effective. The imposition of an infringement fee is therefore considered necessary.


8.3 Assessment of the fee

The same points as when assessing whether a fee should be imposed must be given particular weight
also when measuring the fee. In accordance with Article 83 no. 1, the infringement fee shall be
effective, be in a reasonable relationship to the infringement and act as a deterrent. This
means that the supervisory authority must make a concrete, discretionary assessment in each individual
case.

NAV has breached the basic principle for the processing of personal data, cf. Article 83
no. 5 letter a, cf. article 5 no. 1 letter f and article 5 no. 2. There is thus a basis for
impose on NAV an infringement fee of up to 20,000,000 euros (currently approx. NOK 230,000,000).




In assessing the size of the fee, we have emphasised that NAV has, for a very long time, made special
categories of personal data about a large number of people available without the necessary
security mechanisms having been established.

We have also placed emphasis on the fact that NAV has demonstrated intent in the infringements, among other things by not complying
with previous orders related to the same subject matter. The violations are
pervasive and very serious, seen in light of the fact that the processing of personal data is
a central part of NAV's operations, and that particularly high demands must therefore be placed on NAV
safeguarding personal data in a secure manner.

In a mitigating way, we have only found that NAV has ongoing work to
revise the security framework, and that NAV gives registered persons log access.

After an overall assessment of the above-mentioned points, and having regard to the legislation's requirement that
the imposition of an infringement fee in each individual case must be effective, proportionate
and deterrent, we have come to the conclusion that an infringement fee of 20,000,000 – twenty million –
kroner is considered correct. In measuring the fee, we have taken into account that the orders notified in
point 3 will also entail a financial burden.

The rules for calculating infringement fees are in principle the same for public and private
actors. Due to the seriousness of this case, compared to other cases in which
the Norwegian Data Protection Authority has imposed an infringement fee, we find it necessary to explain why the fee
is not set higher.

Article 83 no. 7 of the regulation allows national law to lay down rules on "whether and
to what extent" public authorities can be charged infringement fees. In
Section 26 of the Personal Data Act, second paragraph, it is determined that public authorities can be imposed
infringement fees in the same way as private actors.

In the consultation on the Personal Data Act (2018), several consultation bodies advocated that
the infringement fees that can be imposed on public authorities should be limited in amount.3
The explanation for why this opportunity was not used is expressed as follows in the preparatory works:

        "The ministry has noted the concern that certain public consultation bodies
        have expressed, but the ministry assumes that within the rules of the regulation
        article 83, which also specifies the elements that must be emphasised when measuring
        administrative fees, there is room for considerable discretion with regard to the size of
        the fee. The amount limits in the regulation article 83 specify maximum limits for the
        assessment of administrative fees, while no minimum limits have been set."

We interpret this to mean that the legislator's intention has been to allow for a differentiated
measurement practice for public and private actors.

In addition, the criteria in Article 83 no. 1, that infringement fees in each individual case
must be effective and deterrent, entail in our view that the assessment may turn out differently for
public and private actors. For comparison, Sweden has introduced an amount
limit of SEK 10,000,000 for public authorities, see chapter 6 § 2 of the Law (2018:218) with
supplementary provisions to the EU's data protection regulation. In the absence of such a limit, we have
in this case considered it necessary to adopt a relatively high fee. At the same time, we will
emphasise that violations of a similar degree of severity by a private actor would lead to a
far higher fee than what we have arrived at in this case.

3 Prop. 56 LS (2017-2018) p. 142.



9. Further proceedings

This is an advance notice of a decision on an order and infringement fee, cf. Public Administration Act §
16. If you have comments on the notice, we ask that these be sent to us within three weeks
after receipt of this letter.

If you have any questions, you can contact Ingrid H. Espolin Johnson on phone 22 39 69 42, or by
e-mail at ingrid.johnson@datatilsynet.no.


10. Transparency and publicity

You have the right to inspect the case's documents, cf. Section 18 of the Public Administration Act. We also provide information
that all the documents are basically public, cf. section 3 of the Public Disclosure Act.




With best regards


Line Coll
director
                                                                   Ingrid H. Espolin Johnson
                                                                   senior legal advisor


The document is electronically approved and therefore has no handwritten signatures


Copy to: LABOR AND WELFARE DEPARTMENT, Anders Holt
               LABOR AND WELFARE DEPARTMENT, Odd-Erik Røste


Appendix: Final inspection report












