Datatilsynet (Norway) - 20/01879

From GDPRhub
Datatilsynet (Norway) - DT-20/01879
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 24 GDPR
Article 32(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 20.09.2021
Published: 30.09.2021
Fine: 400000 NOK
Parties: Høylandet kommune (municipality)
National Case Number/Name: DT-20/01879
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a municipality €40,478 (NOK 400,000) for not managing a breach in which people with no affiliation to the municipality had their highly sensitive personal data exposed, thus breaching Article 32(1)(b) GDPR and Article 32(2), cf. Article 24.

English Summary

Facts

An employee in a municipal health care center had access to highly sensitive personal data (image files) through an incorrectly configured script in a system used for creating letters. When adding images to the letters, they could access personal data about people with no affiliation to the municipality, including information about medical appointments, doctors' referrals, epicrisis and various medical examinations. The breach lasted from 01.01.2018 to 15.11.2019.

When the municipality discovered the breach, they chose not to contact the processor because of the gravity of the breach. Instead, they only informed employees using the system to avoid opening image files not created by the municipality, and sent a breach notification to the DPA. The DPA had to contact the processor about the breach, who consequently deleted the image files immediately and corrected the script.

Despite having an internal control system in place, the municipality admitted that it had been a challenge to ensure sufficient compliance throughout the organisation. Following the dialogue with the DPA, they increased their focus on information security and breach management, including procuring external assistance.

Holding

The DPA fined the municipality €40,478 (NOK 400,000) for breaching Article 32(1)(b) GDPR and Article 32(2), cf. Article 24, and required them to submit documentation on new policies and procedures to the DPA.

The DPA found it aggravating that the municipality only took action to rectify the breach after the DPA sent their notification of the intent to issue a fine and corrective measures, i.e., about 11 months after they discovered the breach. Also, the fact that the case pertains to special category personal data as per Article 9 GDPR increased the gravity of the breach.

Finally, the DPA assumed that the chief municipal executive (Norwegian "rådmann"), as the person with main responsibility on behalf of the municipality, is the one who had acted negligently and partly with intent.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 HØYLANDET MUNICIPALITY
 Vargeia 1
 7877 HØYLANDET

Their reference: 19/7825-9-EJF
Our reference: 20/01879-7
Date: 20.09.2021



Decision on infringement fine


The Norwegian Data Protection Authority refers to previous correspondence on non-conformance reports dated 20.11.2019.

We apologize for the long processing time.


 1. Decision on infringement fines
Pursuant to the Personal Data Act § 26 and the Privacy Ordinance Article 58 no. 2
letter i, cf. Article 83, the Data Inspectorate has today made the following decision:

        Høylandet municipality is fined NOK 400,000 - four hundred
        thousand Norwegian kroner - for violation of the requirements for security in the processing of
        personal data, including special categories of personal data, cf.
        Article 32 (1) (b) and (2) of the Privacy Regulation, cf. Article 24.


 2. Proceedings
After receiving the non-conformance report on 20.11.2019, the Data Inspectorate requested further
information in the case by letter dated 21.02.2020.


Høylandet municipality did not reply to the letter. We therefore sent a reminder in a letter dated
29.05.2020. The municipality responded to this inquiry in a letter dated 08.06.2020.


In our letter of 20.10.2020, Høylandet municipality was given advance notice of a decision on
infringement fines and orders.


The municipality has commented on the notification in a letter dated 26.11.2020.

 3. Detailed description of the deviation
The deviation in question occurred at a health station in the health and care service in Høylandet
municipality and occurred in the period 01.01.2018 to 15.11.2019.

Postal address: PO Box 458 Sentrum, 0105 OSLO
Office address: Tollbugt 3
Telephone: 22 39 69 00
Fax: 22 42 23 50
Org.nr: 974 761 467
Website: www.datatilsynet.no

The discrepancy relates to an employee gaining access to several image files (Bitmap) when she was to
create new letter templates and insert an image logo from file.

The health station (and also the school health service in the municipality) uses a system provided by
CompuGroup Medical Norge AS (CGM). The employee at the health station logged in to
administration (CGM admin).

The image files the employee was given access to contained sensitive information about people who are not
connected to Høylandet municipality. The information included information about real
persons' appointments, answers to referrals, epicrisis and various examinations.

 4. Statements from Høylandet municipality
The Data Inspectorate asked Høylandet municipality for an account of the municipality's possible dialogue
with CGM on the matter. We also asked what measures the municipality had initiated in connection
with the deviation.

In a letter dated 08.06.2020, the municipality explained that due to the severity of the deviation, they chose
not to contact CGM. With regard to measures, the municipality had informed other employees who
use the relevant computer program about the discovery, and the employees were asked to avoid opening
Bitmap files that have not been created by Høylandet municipality.


In a letter dated 26.11.2020, the municipality has commented on the notification of a decision on
infringement fines and orders.

Høylandet municipality states that they understood that the deviation was very serious. The municipality formed
the understanding that the discrepancy lay with CGM as supplier / data processor and that the discrepancy
most probably also affected other municipalities. The municipality therefore chose to notify the Data Inspectorate
and not CGM. Høylandet municipality strongly regrets that they did not have good enough
knowledge of the Data Inspectorate's role and that the municipality by mistake failed to notify CGM.

After receiving the Data Inspectorate's notification of a decision, the municipality has been in contact with CGM and
notified of the discrepancy.

In a letter to the municipality dated 26.11.2020, CGM has explained which measures have been implemented
and given a thorough justification for the potential for damage. CGM assumes responsibility for the error that
has occurred and considers the error resolved. The files were deleted immediately. The reason for the discrepancy was
detected; it was caused by a misconfigured script. It appears that CGM has not received notification
about similar deviations. However, there are no logs that can rule out that similar opening of
image files has occurred.

Høylandet municipality states that their role as data controller should have been clearer to
them and better clarified at the time the discrepancy was discovered.

With regard to the municipality's routines for access control and protection of health information, it is
pointed out that Høylandet municipality has used Compilo as an internal control system.
The system includes procedures for administering authorizations, access to
health information and protection of these as well as a system for reporting deviations. The municipality has
a procedure for establishing a computer user contract with all employees who have access to
the municipality's computer network.

The municipality states that a challenge has been to ensure continuity in the implementation of
the internal control system throughout the organization. This work is now given high priority, with
special focus on making all employees aware of information security and non-conformance management.

Høylandet municipality has also entered into an agreement with external expertise to assist in increasing
the municipality's understanding of the responsibility as responsible for processing.

Høylandet municipality requests that no infringement fee be imposed. The municipality refers to
the work it has accounted for. Furthermore, the municipality points out that other municipalities that have used
CGM's solution have had access to the same health information without it having resulted in the same
economic consequence for them.


 5. Legal basis
The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf.
Article 57 of the Regulation.

5.1 On choice of law
The new Personal Data Act, which incorporates the EU Privacy Regulation into Norwegian law,
entered into force on 20.07.2018. The law also repealed the Personal Data Act (2000) and the rules
in the Personal Data Regulations (2000).

This case concerns matters that arose in January 2018, i.e. before the entry into force of
the Personal Data Act (2018), but which have mainly persisted in the time since. We must
therefore decide whether the case should be assessed in accordance with the Personal Data Act (2018) or
the Personal Data Act (2000).

There is a special transitional rule in the Personal Data Act (2018) § 33 first paragraph on
infringement fines, which reads:

        «The rules on the processing of personal data that applied at the time of the action,
        shall be used as a basis when a decision is made on an infringement fee. The legislation at
        the time of the decision shall nevertheless be used when this leads to a more favorable
        result for the person responsible».

The question of choice of law must therefore be assessed on the basis of what is considered the time of action.
The relevant deviation arose before the entry into force of new regulations on 20.07.2018, but persisted
until the discrepancy was discovered in November 2019. The time of action in this case has thus
persisted over time and mainly in the time after the Personal Data Act (2018) came into force.

It then follows from the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with this Act.

We also refer to the preparatory work for the Personal Data Act (2018), Prop. 56 LS (2017-2018)
page 196, where the Ministry states, among other things, the following on the question of choice of law between
the Personal Data Act (2000) and the Personal Data Act (2018):

        «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to
        be made on the basis of the material rules in force at any given time».

The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law
entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and
PVN-2018-06.


Against this background, it is in our assessment clear that the case must be assessed in accordance with
the Personal Data Act (2018) (hereinafter only the Personal Data Act) and
the Privacy Regulation.

5.2 About health information
Health information about patients is a so-called special category of personal information, cf.

Article 9 (1) of the Privacy Regulation
special protection requirements.

5.3 The basic principles
The basic principles for the processing of personal data are set out in
Article 5 of the Privacy Regulation. We refer in particular to Article 5 (1) (f), where it
appears:


        «1. Personal information shall (…)
           f) processed in a manner that ensures sufficient security for the personal data,
              including protection against unauthorized or unlawful processing (…), using appropriate means
              technical or organizational measures ("integrity and confidentiality") ".


It is the responsibility of the data controller to ensure that the principles are complied with, and that
persons responsible for processing must be able to demonstrate this, cf. Article 5 (2).

5.4 The requirements for personal data security and management systems
Article 32 of the Privacy Regulation regulates the security requirements when processing
personal information. The following is an excerpt from the relevant sections of Article 32:


        «1. Taking into account the technical development, implementation costs and
        the nature, scope, purpose and context of the treatment, as well as the risks of
        varying degrees of probability and severity for the rights of natural persons and
        freedoms, the data controller and the data processor shall implement appropriate
        technical and organizational measures to achieve a level of security that is appropriate with
        consideration of the risk, including, inter alia, as appropriate, (…)
           b) ability to ensure lasting confidentiality, integrity, availability and
              robustness in treatment systems and services (…).

        2. In assessing the appropriate level of safety, special consideration shall be given to the risks
        associated with the processing, in particular as a result of (…) unauthorized disclosure of
        or access to personal information that has been transferred, stored or otherwise
        treated».

The obligation to implement appropriate technical and organizational measures is correspondingly stated in
Article 24 of the Privacy Regulation, which regulates the liability of the controller
separately.


5.5 In particular on the imposition of infringement fines
Article 58 no. 2 letter i of the Privacy Ordinance, cf. the Personal Data Act § 26 second
paragraph, states that in the event of a breach of the regulations the Data Inspectorate may impose
infringement fines on public authorities and bodies under the rules of Article 83 of the Privacy Regulation.
Violation fees are a tool to ensure effective compliance and enforcement of
the personal data regulations.


In accordance with the Supreme Court's practice, cf. Rt. 2012 page 1556, we assume that
infringement fines are to be regarded as penalties under the European Convention on Human Rights
Article 6. A clear preponderance of probabilities for offenses is therefore required in order to be able to impose
a fee.

Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision
contains, among other things, an overview of which aspects are to be taken into account, both in
the assessment of whether an infringement fee is to be imposed and in determining the amount of the fee.

The relevant parts of Article 83 (1) and (2) are reproduced below:

        «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with
        this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 in each
        case is effective, stands in a reasonable relation to the violation and works as a
        deterrent.

        2. (…) When a decision is made on whether to impose an infringement fee and
        on the amount of the infringement fee, due account must be taken in each individual case of the
        following:
           a) the nature, severity and duration of the infringement, taking into account
              the nature, scope or purpose of the treatment concerned as well as the number of data subjects
              affected, and the extent of the damage they have suffered,
           b) whether the infringement was committed intentionally or negligently,
           c) any measures taken by the data controller or data processor to
              limit the damage suffered by the data subjects,
           d) the degree of responsibility of the data controller or data processor, taking into
              account the technical and organizational measures they have implemented in accordance with
              Articles 25 and 32,
           e) any relevant previous violations committed by the data controller
              or the data processor,
           (f) the degree of cooperation with the supervisory authority to remedy the infringement and
              reduce the possible negative effects of it,
           g) the categories of personal data affected by the infringement,
           (h) the manner in which the supervisory authority became aware of the infringement, in particular
              whether, and if so to what extent, the data controller or data processor has
              notified of the infringement,
           (i) if the measures referred to in Article 58 (2) have previously been taken against the
              data controller or data processor concerned with respect to the same subject matter,
              that the said measures are complied with,
           (j) compliance with approved standards of conduct in accordance with Article 40 or approved
              certification mechanisms in accordance with Article 42 and
           k) any other aggravating or mitigating factor in the case, e.g. economic
              benefits gained, or losses avoided, directly or indirectly, as a
              consequence of the infringement».

Article 83 also sets out the framework for the magnitude of the infringement fine. We refer in this
connection to Article 83 (4). The relevant parts of the provisions are:

        «4. In the event of violations of the following provisions, an infringement fine of up to
        EUR 10,000,000 (…) shall be imposed in accordance with paragraph 2:
           (a) the obligations of the controller and the processor in accordance with
              Articles 8, 11, 25-39 and 42 and 43 (…)».


Section 26, first paragraph, of the Personal Data Act states that Article 83 of the Privacy Ordinance
Paragraph 4 shall apply mutatis mutandis to infringements of Article 24 of the Regulation.

 6. The Norwegian Data Protection Authority's assessment
6.1 Assessment of the deviation
Health information shall not be stored so that employees without service needs have access to it.
In Høylandet municipality, image files with health information about people without connection to
the municipality have been available to employees at a health station.

The municipality discovered this discrepancy, but did not take adequate measures. A request to the
employees not to open the relevant image files is not a sufficient
information security measure or a satisfactory deviation follow-up. This indicates that
the municipality has not been aware of the requirements of the privacy regulations for
personal data security or the content of the processing responsibility.

The municipality must, as the party responsible for processing health information and other personal data,
have established routines that meet the requirements for privacy and information security. The routines must
include principles of shielding and access control. It is a management responsibility that routines are
established and functioning as intended.


We believe that the handling of the discrepancy indicates that there have been fundamental shortcomings in
Høylandet municipality's routines for shielding health information at the relevant
health station as well as in the municipality's non-conformance management. We take a serious view of the fact that
the municipality did not implement adequate measures when the discrepancy was discovered, including that it did not
seek to uncover how information about people without a connection to the municipality had entered the system.

Datatilsynet has come to the conclusion that Høylandet municipality has violated the requirements for
personal data security in the Privacy Ordinance Article 32, cf. Article 24. We assume
that the councilor, as chief responsible for the municipality, has acted negligently and partly also
intentionally - see more about this under point 6.1 b) below.

Høylandet municipality has now implemented the internal control system Compilo, which includes a
procedure for access to / shielding of health information and a system for reporting deviations.
Furthermore, the municipality establishes computer user contracts with all employees, and the employees are
at the same time made familiar with the municipality's procedures and guidelines. The municipality has prioritized
the work of implementing the routines for information security and non-conformance management, and
the municipality has obtained external assistance.

On this basis, we have not found a basis for ordering further measures for
Høylandet municipality. However, see point 8 on requirements for reporting.

6.2 Assessment of whether an infringement fee is to be imposed
The Norwegian Data Protection Authority has concluded that the municipality has violated Articles 24 and 32 of the Privacy Ordinance.

The offense took place in part before the Personal Data Act (2018) and the Privacy Ordinance
came into force. The Norwegian Data Protection Authority could also previously impose an infringement fee, cf.
the Personal Data Act (2000) § 46, but the amount was then limited to up to 10 times
the National Insurance basic amount (currently approx. NOK 1,000,000).

However, we refer to the discussion under section 3.1 and assume that the fee will be measured
according to new regulations. Basically, there is thus a basis for imposing on the municipality an
infringement fine of up to 10,000,000 euros (currently approx. 107,000,000 NOK), cf. the regulation
Article 83 No. 4. We will take into account the fact that the offenses also occurred in the period when earlier
privacy regulations applied.

Below we review the factors that we consider relevant for the assessment of whether
infringement fines must be imposed.

(a) the nature, gravity and duration of the infringement, taking into account
the nature, extent or purpose of the treatment concerned and the number of data subjects affected and
the extent of the damage they have suffered
The discrepancy has been going on for almost two years, and health information about an unknown number of people without
affiliation with the municipality has been available to an unknown number of employees without service
need for the information. There is no log for the area; it is thus impossible to
uncover whether, or to what extent, employees may have gained unlawful access to
the information.


b) whether the infringement was committed intentionally or negligently
We consider it negligent that image files with health information about persons without affiliation
to the municipality have been made available in the system at the health station. It was a long time before
steps were taken to remove the image files. After the discrepancy was discovered, the offense thus has
more the character of being intentional.

c) any measures taken by the data controller or data processor to limit
the damage suffered by the data subjects
Høylandet municipality initially implemented no measures other than encouraging employees not
to open the relevant image files.

Only when the municipality received the Data Inspectorate's notification of infringement fines and orders, i.e.
approx. 11 months after the discrepancy was discovered, did the municipality take action to rectify the situation.

d) the degree of responsibility of the data controller or data processor, taking into account
the technical and organizational measures they have implemented in accordance with Articles 25 and 32
As mentioned, Høylandet municipality did not take adequate measures to prevent further offenses
after the discrepancy was discovered. We believe this points in the direction of fundamental shortcomings in
the routines for shielding health information and handling deviations.

Later, the municipality, with the help of CGM, did a lot of work to correct the discrepancy.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
possible negative effects of it

The Data Inspectorate had to urge Høylandet municipality in order to get answers to the questions in our requirement
for a statement. The municipality's first response letter was also marked by the municipality not understanding
the seriousness and the extent of the discrepancy.

g) the categories of personal data affected by the infringement
Pursuant to Article 9 (1) of the Privacy Regulation, health information is designated as a special
category of personal information, i.e. very sensitive information. This increases
the severity of the offense. We also take a serious view of the fact that the health information concerns
people who are not connected to the municipality and that it was unknown how this
information had entered the municipality's system.

h) in what way the supervisory authority became aware of the infringement, in particular if and if so
the extent to which the data controller or data processor has notified
the infringement
Høylandet municipality itself reported the deviation to the Norwegian Data Protection Authority.

Conclusion
The Norwegian Data Protection Authority has come to the conclusion that Høylandet municipality must be fined.
In the assessment, we have placed particular emphasis on the fact that this is very sensitive information and that
the municipality did not take adequate measures to prevent further offenses after the deviation was
discovered. The municipality only understood the seriousness of the case when they received our notice of possible
infringement fines and orders.







6.3 Measurement of the fee
In assessing the size of the fee, we have taken into account that Høylandet municipality did not arrange for
deletion of the relevant image files or take measures to prevent similar deviations until after approx.
11 months. Adequate measures were only implemented after the municipality was notified of possible
infringement fines and orders.
In our view, the municipality has not handled the deviation in an adequate manner, and we assume
that the municipality's routines for shielding health information and non-conformance handling have not been
sufficient.

The municipality itself reported the deviation to the Norwegian Data Protection Authority, which should count in the municipality's favor.
Nor is it known that the lack of protection of health information has had concrete
consequences for individuals, although this is given less weight.

Furthermore, we have emphasized that the offense partly took place before the Personal Data Act (2018)
and the Privacy Regulation entered into force. According to the previously applicable Personal Data Act
(2000) the fee was limited to a maximum of approx. NOK 1,000,000.

The Norwegian Data Protection Authority has come to the conclusion that an infringement fee of NOK 400,000 is reasonable in this
case.

 7. Right of appeal

The decision on the infringement fee can be appealed within three weeks after you have received this
letter, cf. the Public Administration Act §§ 28 and 29.

A possible complaint is sent to the Norwegian Data Protection Authority. If we uphold our decision, we will
send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22.


 8. Requirement for a statement
Høylandet municipality has informed about the ongoing work to incorporate new routines for
protection of personal data and non-conformance handling.

    - We ask for an account of the status of this work, including an account of
        training plans or the like
    - Furthermore, we ask to be sent a copy of new routines / guidelines that are relevant to
        this case, including the computer user contract the municipality enters into with the employees.

For the sake of clarity, we point out that the Data Inspectorate pursuant to the Personal Data Act § 23 and
Article 58 (1) of the Privacy Regulation may require the information we deem necessary
to solve our statutory tasks.

After the report and documentation have been received, we will decide whether
further supervisory follow-up is needed.








If you have any questions, you can contact caseworker Susanne Lie (e-mail
suli@datatilsynet.no).


With best regards



Bjørn Erik Thon
director
                                                                Susanne Lie
                                                                senior legal adviser

The document is electronically approved and therefore has no handwritten signatures