Datatilsynet (Norway) - DT-20/01879 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 24 GDPR Article 32(1)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 20.09.2021 |
Published: | 30.09.2021 |
Fine: | 400000 NOK |
Parties: | Høylandet kommune (municipality) |
National Case Number/Name: | DT-20/01879 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian Norwegian |
Original Source: | Datatilsynet (in NO) Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined a municipality €40,478 (NOK 400,000) for not managing a breach in which people with no affiliation to the municipality had their highly sensitive personal data exposed, thus breaching Article 32(1)(b) GDPR and Article 32(2), cf. Article 24.
English Summary
Facts
An employee in a municipal health care center had access to highly sensitive personal data (image files) through an incorrectly configured script in a system used for creating letters. When adding images to the letters, they could access personal data about people with no affiliation to the municipality, including information about medical appointments, doctors' referrals, epicrisis and various medical examinations. The breach lasted from 01.01.2018 to 15.11.2019.
When the municipality discovered the breach, they chose not to contact the processor because of the gravity of the breach. Instead, the only informed employees using the system to avoid opening image files not created by the municipality, and sent a breach notification to the DPA. The DPA had to contact the processor about the breach, who consequently deleted the image files immediately and corrected the script.
Despite having an internal controls systems in place, the municipality admitted that it had been a challenge to ensure sufficient compliance throughout the organisation. Following the dialogue with the DPA, they increased their focus on information security and breach management, including procuring external assistance.
Holding
The DPA fined the municipality €40,478 (NOK 400,000) for breaching Article 32(1)(b) GDPR and Article 32(2), cf. Article 24 and requires them to submit to the DPA documentation on new policies and procedures.
The DPA found it aggravating that the municipality only took action to rectify the breach after the DPA sent their notification of the intent to issue a fine and corrective measures, i.e., about 11 months after they discovered the breach. Also, the fact that the case pertains to special category personal data as per Article 9 GDPR, increased the gravity of the breach.
Finally, the DPA assumed that the chief municipal executive (Norwegian "rådmann"), as the main responsible on behalf of the municipality, is the one who had acted negligently and partly with intent.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
HØYLANDET MUNICIPALITY Vargeia 1 7877 HØYLANDET Their reference Our reference Date 19 / 7825-9-EJF 20 / 01879-7 20.09.2021 Decision on infringement fine The Norwegian Data Protection Authority refers to previous correspondence on non-conformance reports dated 20.11.2019. We apologize for the long processing time. 1. Decision on infringement fines Pursuant to the Personal Data Act § 26 and the Privacy Ordinance Article 58 no. 2 letter i, cf. Article 83, the Data Inspectorate has today made the following decision: Høylandet municipality is fined NOK 400,000 - four hundred thousand Norwegian kroner - for violation of the requirements for security in the processing of personal data, including special categories of personal data, cf. Article 32 (1) (b) and (2) of the Privacy Regulation, cf. Article 24. 2. Proceedings After receiving the non-conformance report on 20.11.2019, the Data Inspectorate requested further information in the case by letter dated 21.02.2020. Høylandet municipality did not reply to the letter. We therefore sent a reminder in a letter dated 29.05.2020. The municipality responded to this inquiry in a letter dated 08.06.2020. In our letter of 20.10.2020, Høylandet municipality was given advance notice of a decision on infringement fines and orders. The municipality has commented on the notification in a letter dated 26.11.2020. 3. Detailed description of the deviation The deviation in question occurred at a health station in the health and care service in the Highlands municipality and occurred in the period 01.01.2018 to 15.11.2019. Postal address: Office address: Telephone: Fax: Org.nr: Website: PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no 0105 OSLO The discrepancy relates to an employee gaining access to several image files (Bitmap) when she was to create new letter templates and insert an image logo from file. The health station (and also the school health service in the municipality) uses a system provided by CompuGroup Medical Norge AS (CGM). The employee at the health station logged in administration (CGM admin). The image files the employee was given access to contained sensitive information about people who did not is connected to Høylandet municipality. The information included information about real persons' appointments, answers to referrals, epicrisis and various surveys. 4. Statements from Høylandet municipality The Data Inspectorate asked Høylandet municipality for an account of the municipality's possible dialogue with CGM on the matter. We also asked what measures the municipality had initiated in connection with the deviation. In a letter dated 08.06.2020, the municipality explained that due to the severity of the deviation, they chose not to contact CGM. With regard to measures, the municipality had informed other employees that uses the relevant computer program about the discovery, and the employees were asked to avoid opening Bitmap files that have not been created by Høylandet municipality. In a letter dated 26.11.2020, the municipality has commented on the notification of a decision on infringement fines and orders. Høylandet municipality states that they understood that the deviation was very serious. The municipality received the understanding that the discrepancy was with CGM as supplier / data processor and that the discrepancy was the most probably also affected other municipalities. The municipality therefore chose to notify the Data Inspectorate and not CGM. Høylandet municipality strongly regrets that they did not have good enough knowledge of the Data Inspectorate's role and that the municipality by mistake failed to notify CGM. After receiving the Data Inspectorate's notification of a decision, the municipality has been in contact with CGM and notified of the discrepancy. In a letter to the municipality dated 26.11.2020, CGM has explained which measures have been implemented and given a thorough justification for the potential for damage. CGM assumes responsibility for the error as has occurred and considers the error resolved. The files were deleted immediately. The reason for the discrepancy was detected and caused by a misconfigured script. It appears that CGM has not received notification about similar deviations. However, there are no logs that can rule out that similar opening of image files have occurred. Høylandet municipality states that their role as treatment manager should have been clearer them and more clarified at the time the discrepancy was discovered. With regard to the municipality's routines for access control and protection of health information, are it pointed out that Høylandet municipality has used Compilo as an internal control system. IN The system includes procedures for administering authorizations, access to 2health information and protection of these as well as a system for reporting deviations. The municipality has procedure for establishing a computer user contract with all employees who have access to the municipality's computer network. The municipality states that a challenge has been to ensure continuity in the implementation of the internal control system throughout the organization. This work is now given high priority, with special focus on making all employees aware of information security and non-conformance management. Høylandet municipality has also entered into an agreement with external expertise to assist in increasing the municipality's understanding of the responsibility as responsible for processing. Høylandet municipality requests that no infringement fee be imposed. The municipality refers to the work it is accounted for. Furthermore, the municipality points out that other municipalities that have used CGM's solution has had access to the same health information without it having resulted in the same economic consequence for them. 5. Legal basis The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. Article 57 of the Regulation. 5.1 On choice of law The new Personal Data Act, which incorporates the EU Privacy Regulation into Norwegian law, entered into force on 20.07.2018. The law also repealed the Personal Data Act (2000) and the rules in the Personal Data Regulations (2000). This case concerns matters that arose in January 2018, ie before the entry into force of the Personal Data Act (2018), but which has mainly persisted in the time since. We must therefore decide whether the case should be assessed in accordance with the Personal Data Act (2018) or the Personal Data Act (2000). There is a special transitional rule in the Personal Data Act (2018) § 33 first paragraph infringement fine, which reads: «The rules on the processing of personal data that applied at the time of the action, shall be used as a basis when a decision is made on an infringement fee. The legislation on the time of the decision shall nevertheless be used when this leads to a more favorable one result for the person responsible ». The question of choice of law must therefore be assessed on the basis of what is considered the time of action. The relevant deviation arose before the entry into force of new regulations on 20.07.2018, but persisted until the discrepancy was discovered in November 2019. The time of action in this case has thus persisted over time and mainly in the time after the Personal Data Act (2018) came into force. It then follows from the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with this Act. We also refer to the preparatory work for the Personal Data Act (2018), Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018): 3 «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to is made on the basis of the material rules in force at any given time ». The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and PVN-2018-06. Against this background, it is in our assessment clear that the case must be assessed accordingly the Personal Data Act (2018) (hereinafter only the Personal Data Act) and the Privacy Regulation. 5.2 About health information Health information about patients is a so-called special category of personal information, cf. Article 9 (1) of the Privacy Regulation special protection requirements. 5.3 The basic principles The basic principles for the processing of personal data are set out in Article 5 of the Privacy Regulation. We refer in particular to Article 5 (1) (f), where it appears: «1. Personal information shall (…) f) processed in a manner that ensures sufficient security for the personal data, including protection against unauthorized or unlawful processing (…), using appropriate means technical or organizational measures ("integrity and confidentiality") ". It is the responsibility of the data controller to ensure that the principles are complied with, and that persons responsible for processing must be able to demonstrate this, cf. Article 5 (2). 5.4 The requirements for personal data security and management systems Article 32 of the Privacy Regulation regulates the security requirements when processing personal information. The following is an excerpt from the relevant sections of Article 32: «1. Taking into account the technical development, implementation costs and the nature, scope, purpose and context of the treatment, as well as the risks of varying degrees of probability and severity for the rights of natural persons and freedoms, the data controller and the data processor shall implement appropriate technical and organizational measures to achieve a level of security that is appropriate with consideration of the risk, including, inter alia, as appropriate, (…) b) ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services (…). 2. In assessing the appropriate level of safety, special consideration shall be given to the risks associated with the processing, in particular as a result of (…) unauthorized disclosure of 4 or access to personal information that has been transferred, stored or otherwise treated". The obligation to implement appropriate technical and organizational measures is correspondingly stated in Article 24 of the Privacy Regulation, which regulates the liability of the controller separately. 5.5 In particular on the imposition of infringement fines Article 58 no. 2 letter i of the Privacy Ordinance, cf. the Personal Data Act § 26 other paragraph, it is stated that the Data Inspectorate may impose public authorities in the event of a breach of the regulations and bodies infringement fines under the rules of Article 83 of the Privacy Regulation. Violation fees are a tool to ensure effective compliance and enforcement of the personal data regulations. In accordance with the Supreme Court's practice, cf. Rt. 2012 page 1556, we assume that infringement fines are to be regarded as penalties under the European Convention on Human Rights Article 6. A clear preponderance of probabilities for offenses is therefore required in order to be able to impose fee. Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains, among other things, an overview of which aspects are to be taken into account, both in the assessment of whether an infringement fee is to be imposed and in determining the amount of the fee. The relevant parts of Article 83 (1) and (2) are reproduced below: «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 of each case is effective, stands in a reasonable relation to the violation and works deterrent. 2. (…) When a decision is made on whether to impose an infringement fee and on the amount of the infringement fee, it must be duly taken into account in each individual case following: a) the nature, severity and duration of the infringement, taking into account to the nature, scope or purpose of the treatment concerned as well as the number of registered as are affected, and the extent of the damage they have suffered, b) whether the infringement was committed intentionally or negligently, c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects, d) the degree of responsibility of the data controller or data processor, as taken with regard to the technical and organizational measures they have implemented in accordance with Articles 25 and 32, e) any relevant previous violations committed by the data controller or the data processor, (f) the degree of cooperation with the supervisory authority to remedy the infringement; and reduce the possible negative effects of it, 5 g) the categories of personal data affected by the infringement, (h) the manner in which the supervisory authority became aware of the infringement, in particular: and possibly to what extent the data controller or data processor has notified of the infringement, (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that the said measures are complied with, (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 and k) any other aggravating or mitigating factor in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, such as consequence of the infringement ». Article 83 also sets out the framework for the magnitude of the infringement fine. We show in this in connection with Article 83 (4). The relevant parts of the provisions are: «4. In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2 infringement fine of up to EUR 10,000,000 (…): (a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25-39 and 42 and 43 (…) '. Section 26, first paragraph, of the Personal Data Act states that Article 83 of the Privacy Ordinance Paragraph 4 shall apply mutatis mutandis to infringements of Article 24 of the Regulation. 6. The Danish Data Protection Agency's assessment 6.1 Assessment of the deviation Health information shall not be stored so that employees without service needs have access to it. IN Høylandet municipality has image files with health information about people without connection to the municipality been available to employees at a health station. The municipality discovered this discrepancy, but did not take adequate measures. An invitation to those employees not to open the relevant image files is not a sufficient information security measures or a satisfactory deviation follow-up. This indicates that the municipality has not been aware of the requirements of the privacy regulations personal data security or the content of the processing responsibility. The municipality must be responsible for processing health information and other personal data have established routines that meet the requirements for privacy and information security. The routines must include principles of shielding and access control. It is a management responsibility that routines are established and functioning as intended. We believe that the handling of the discrepancy indicates that there have been fundamental shortcomings Høylandet municipality's routines for shielding health information at the relevant the health station as well as the municipality's non-conformance management. We seriously consider that the municipality does not implemented adequate measures when the discrepancy was discovered, including did not seek to uncover how information about people without a connection to the municipality had entered the system. 6Datatilsynet has come to the conclusion that Høylandet municipality has violated the requirements personal data security in the Privacy Ordinance Article 32, cf. Article 24. We add reason that the councilor, as chief responsible for the municipality, has acted negligently and partly also intentional - see more about this under point 6.1 b) below. Høylandet municipality has now implemented the internal control system Compilo, where it has been included procedure for access to / shielding of health information and system for reporting deviations. Furthermore, the municipality establishes computer user contracts with all employees, and the employees are made at the same time familiar with the municipality's procedures and guidelines. The municipality has prioritized the work of implementing the routines for information security and non-conformance management, and the municipality has obtained external assistance. On this basis, we have not found a basis for ordering further measures Høylandet municipality. However, see point 8 on requirements for reporting. 6.2 Assessment of whether an infringement fee is to be imposed The Norwegian Data Protection Authority has concluded that the municipality has violated Articles 24 and 32 of the Privacy Ordinance. The offense took place in part before the Personal Data Act (2018) and the Privacy Ordinance came into force. The Danish Data Protection Agency could also previously impose an infringement fee, cf. the Personal Data Act (2000) § 46, but the amount was then limited to up to 10 times the National Insurance basic amount (currently approx. NOK 1,000,000). However, we refer to the discussion under section 3.1 and assume that the fee will be measured according to new regulations. Basically, there is thus a basis for imposing a municipality infringement fine of up to 10,000,000 euros (currently approx. 107,000,000 NOK), cf. the regulation Article 83 No. 4. We will look at the fact that the offenses have also occurred in the period then earlier privacy regulations applied. Below we review the factors that we consider relevant for the assessment of whether infringement fines must be imposed. (a) the nature, gravity and duration of the infringement, taking into account it; the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and the extent of the damage they have suffered The discrepancy has been going on for almost two years, and health information about an unknown number of people without affiliation with the municipality has been available to an unknown number of employees without service need for the information. There is no log over the area, it is thus impossible to uncover whether, or to what extent, employees may have gained unlawful access to the information. b) whether the infringement was committed intentionally or negligently We consider it negligent that image files with health information about persons without affiliation until the municipality has been made available in the system at the health station. It was a long time before Steps were taken to remove the image files. After the discrepancy was discovered, has thus the offense more character of being intentional. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects Høylandet municipality initially implemented no measures other than encouraging employees not to to open the relevant image files. Only when the municipality received the Data Inspectorate's notification of infringement fines and orders, ie about. 11 months after the discrepancy was discovered, the municipality took action to rectify the situation. d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32 As mentioned, Høylandet municipality did not take adequate measures to prevent further offenses after the discrepancy was discovered. We believe this points in the direction of fundamental shortcomings the routines for shielding health information and handling deviations. Later, the municipality, with the help of CGM, did a lot of work to correct the discrepancy. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it The Data Inspectorate had to urge Høylandet municipality to get answers to the questions in our requirement statement. The municipality's first response letter was also marked by the municipality not understanding the seriousness of it and the extent of the discrepancy. g) the categories of personal data affected by the infringement Pursuant to Article 9 (1) of the Privacy Regulation, health information is designated as a special category personal information, ie very sensitive information. This is increasing the severity of the offense. We also take a serious view of the health information people who are not connected to the municipality and that it was unknown how these the information has entered the municipality's system. h) in what way the supervisory authority became aware of the infringement, in particular if and if so the extent to which the data controller or data processor has notified the infringement Høylandet municipality itself reported the deviation to the Norwegian Data Protection Authority. Conclusion The Norwegian Data Protection Authority has come to the conclusion that Høylandet municipality must be fined. IN In the assessment, we have placed particular emphasis on the fact that this is very sensitive information and that the municipality did not take adequate measures to prevent further offenses after the deviation occurred discovered. The municipality only understood the seriousness of the case when they received our notice if possible infringement fines and orders. 86.3 Measurement of the fee In assessing the size of the fee, we have taken into account that Høylandet municipality did not provide deletion of the relevant image files or took measures to prevent similar deviations until after approx. 11 months. Adequate measures were only implemented after the municipality was notified if possible infringement fines and orders. In our view, the municipality has not handled the deviation in an adequate manner, and we assume that the municipality's routines for shielding health information and non-conformance handling have not been sufficient. The municipality itself reported the deviation to the Norwegian Data Protection Authority, which should count in the municipality's favor. It is nor is it known that the lack of protection of health information has become concrete consequences for individuals, although this is given less weight. Furthermore, we have emphasized that the offense partly took place before the Personal Data Act (2018) and the Privacy Regulation entered into force. According to the previously applicable Personal Data Act (2000) the fee was limited to a maximum of approx. NOK 1,000,000. The Danish Data Protection Agency has come to the conclusion that an infringement fee of NOK 400,000 is reasonable in this the case. 7. Right of appeal The decision on the infringement fee can be appealed within three weeks after you have received this the letter, cf. the Public Administration Act §§ 28 and 29. A possible complaint is sent to the Norwegian Data Protection Authority. If we uphold our decision, we will send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22. 8. Requirement for a statement Høylandet municipality has informed about the ongoing work to incorporate new routines for protection of personal data and non-conformance handling. - We ask for an account of the status of this work, including an account of training plans or the like - Furthermore, we ask to be sent a copy of new routines / guidelines that are relevant to this case, including the computer user contract the municipality enters into with the employees. For the sake of clarity, we point out that the Data Inspectorate pursuant to the Personal Data Act § 23 and Article 58 (1) of the Privacy Regulation may require the information we deem necessary to solve our statutory tasks. After the report and documentation has been received, we will decide whether it is needed further supervisory follow-up. 9If you have any questions, you can contact caseworker Susanne Lie (e-mail suli@datatilsynet.no). With best regards Bjørn Erik Thon director Susanne Lie senior legal adviser The document is electronically approved and therefore has no handwritten signatures 10