Datatilsynet (Norway) - 20/01893: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet (Norway) |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=20/...")
 
 
(9 intermediate revisions by 3 users not shown)
Line 54: Line 54:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Rie Aleksandra Walle
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]
|
|
}}
}}


The Norwegian DPA fined the Public Service Pension Fund (SPK) €99,940 (NOK 1 million) for obtaining unnecessary income data for approximately 24,000 people receiving disability pension, in breach of Articles 5(1)(b) and (e) and 6(1), cf. 9(2).
The Norwegian DPA fined the Public Service Pension Fund (SPK) € 99,940 (NOK 1,000,000) for obtaining unnecessary income data of approximately 24,000 people receiving disability pension, in breach of [[Article 5 GDPR#1c|Article 5(1)(c)]], [[Article 5 GDPR#1e|Article 5(1)(e)]], [[Article 6 GDPR#1|Article 6(1)]], and [[Article 9 GDPR#2|Article 9(2) GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Norwegian Public Service Pension Fund  (SPK - Statens pensjonskasse) reported a personal data breach in September 2019. Between 2016-2019, they obtained a large amount of personal data from the Norwegian Tax Administration, much which was not needed for their purpose. The data was meant to be used for correcting disbursed disability pensions, however SPK lacked a filter to prevent receiving and storing unnecessary data, and they also lacked functionality and routines for deleting the superfluous data.  
The Norwegian Public Service Pension Fund  (SPK - Statens pensjonskasse) reported a personal data breach in September 2019. Between 2016-2019, they obtained a large amount of personal data from the Norwegian Tax Administration, much of which was not needed for their purpose. The data was meant to be used for correcting disbursed disability pensions. However, SPK lacked a filter to prevent receiving and storing unnecessary data, as well as organisational measures for deleting the superfluous data.  


SPK themselves categorized the breach as serious, as it involved processing highly sensitive personal data about a vulnerable group of people (those receiving disability pensions). In total, about 44,000 people were affected by the breach, of which about 24,000 receiving disability pension.
SPK themselves categorized the breach as serious, as it involved processing highly sensitive personal data about a vulnerable group of people (those receiving disability pensions). In total, about 44,000 people were affected by the breach, of which about 24,000 receiving disability pension.


=== Holding ===
=== Holding ===
The Norwegian DPA held that the Public Service Pension Fund (SPK) had obtained excess personal data not needed for the purpose of calculating correct disability pension disbursements, thus breaching Article [[Article_5_GDPR#1f|5(1)(c)]]. In addition, SPK lacked sufficent routines for assessing what personal data was needed and for deleting superfluous data, thus breaching [[Article 5 GDPR#1e|Article 5(1)(e)]]. Finally, the DPA found that SPK had breached the necessity requirement in [[Article 6 GDPR#1|Article 6(1)]], cf.  [[Article 9 GDPR#2|Article 9(2)]].  
First, the DPA stated that, although the SPK could rely on both [[Article 6 GDPR#1c|Article 6(1)(c)]] and [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], the processing must have been necessary. The same necessity requirement follows from [[Article 9 GDPR#2b|Article 9(2)(b) GDPR]], since SPK processed health data. Because SPK processed unnecessary income information that was obtained from the Tax Authority, the necessity requirement was not met, in violation of [[Article 6 GDPR#1|Article 6(1)]] and [[Article 9 GDPR#2|Article 9(2) GDPR]]. In addition, the DPA found that the Public Service Pension Fund (SPK) had obtained excess personal data not needed for the purpose of calculating correct disability pension disbursements, in breach of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. Lastly, SPK lacked sufficient routines for assessing what personal data was needed and for deleting superfluous data, in breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].  


For these breaches, SPK was fined €99,940 (NOK 1 million).
Although the DPA found that the violations were not found intentional, but negligent, and SPK took measures to limit the damage, SPK violated basic principles of the GDPR, special categories of personal data were involved, and a large number of persons was affected. Hence, the DPA concluded that SPK needed to be fined, and considered the fine of € 99,940 (NOK 1 million) to be sufficient.  


== Comment ==
== Comment ==
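Review bot: in the Holding hunk the new text reads "Although the DPA found that the violations were not found intentional, but negligent", which repeats "found"; suggest "Although the DPA found the violations to be negligent rather than intentional, and SPK took measures to limit the damage, ...". The same paragraph writes "the SPK" and "the Tax Authority" where the Facts hunk uses "SPK" and "Tax Administration"; align the names so the summary refers to each party consistently.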

Latest revision as of 15:30, 12 January 2022

Datatilsynet (Norway) - 20/01893
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(c) GDPR, Article 5(1)(e) GDPR, Article 6(1) GDPR, Article 9(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.11.2021
Published: 08.12.2021
Fine: 1,000,000 NOK
Parties: Statens pensjonskasse (SPK - The Norwegian Public Service Pension Fund)
National Case Number/Name: 20/01893
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined the Public Service Pension Fund (SPK) € 99,940 (NOK 1,000,000) for obtaining unnecessary income data of approximately 24,000 people receiving disability pension, in breach of Article 5(1)(c), Article 5(1)(e), Article 6(1), and Article 9(2) GDPR.

English Summary

Facts

The Norwegian Public Service Pension Fund (SPK - Statens pensjonskasse) reported a personal data breach in September 2019. Between 2016 and 2019, they obtained a large amount of personal data from the Norwegian Tax Administration, much of which was not needed for their purpose. The data was meant to be used for correcting disbursed disability pensions. However, SPK lacked a filter to prevent receiving and storing unnecessary data, as well as organisational measures for deleting the superfluous data.

SPK themselves categorized the breach as serious, as it involved processing highly sensitive personal data about a vulnerable group of people (those receiving disability pensions). In total, about 44,000 people were affected by the breach, of which about 24,000 were receiving a disability pension.

Holding

First, the DPA stated that, although SPK could rely on both Article 6(1)(c) and Article 6(1)(e) GDPR, the processing must have been necessary. The same necessity requirement follows from Article 9(2)(b) GDPR, since SPK processed health data. Because SPK processed unnecessary income information that was obtained from the Tax Administration, the necessity requirement was not met, in violation of Article 6(1) and Article 9(2) GDPR. In addition, the DPA found that SPK had obtained excess personal data not needed for the purpose of calculating correct disability pension disbursements, in breach of Article 5(1)(c) GDPR. Lastly, SPK lacked sufficient routines for assessing what personal data was needed and for deleting superfluous data, in breach of Article 5(1)(e) GDPR.

Although the DPA found the violations to be negligent rather than intentional, and SPK took measures to limit the damage, SPK had violated basic principles of the GDPR, special categories of personal data were involved, and a large number of persons were affected. Hence, the DPA concluded that SPK needed to be fined, and considered a fine of € 99,940 (NOK 1 million) to be sufficient.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

STATE PENSION FUND
MANAGEMENT COMPANY
PO Box 10 Skøyen
0212 OSLO

Their reference: 19/029514
Our reference: 20/01893-12
Date: 24.11.2021



Decision on infringement fine

The Norwegian Data Protection Authority refers to previous correspondence in connection with a deviation report dated 24.09.2019, most recently their response to the notification of a decision on an infringement fee dated 12.05.2021.

We apologize for the long case processing time and a somewhat messy procedure, cf. our letter dated 27.04.2021.

1. Decision on infringement fine

The Norwegian Data Protection Authority hereby imposes the following decision on the Government Pension Fund:

        Pursuant to Article 58 no. 2 letter i of the Privacy Ordinance, cf. § 26 of the Personal Data Act, the Government Pension Fund is imposed an infringement fee of NOK 1,000,000 - one million Norwegian kroner - to the Treasury, for violation of the principles for the processing of personal data in Article 5 no. 1 letters c and e of the Privacy Regulation and the requirement of necessity pursuant to Article 6 no. 1, cf. Article 9 no. 2.

2. Description of the deviation

The deviation report states that the Government Pension Fund (hereinafter SPK) in the period 01.07.2015 until 24.09.2019 collected large amounts of personal information that they did not need for the stated purpose. SPK has stated that the discrepancy was discovered on 15.02.2019.

The discrepancy relates to the collection of accrued income information[1] from the Tax Administration in connection with SPK's annual post-settlement for disability pension. The information is used to correct paid pension (too much or too little).

The transfer of information has taken place in accordance with the Tax Administration Act § 3-6 second paragraph, which gives the Tax Administration authority to disclose information on «pensionable income» to SPK, and in line with an information exchange agreement between the parties. The transfer has happened via a technical interface (API).

[1] Incomes earned in a specified time interval within a year.

The information submitted by the Tax Administration is current, accrued income information (raw data) from the a-scheme[2]. The information is partly special categories of personal information, in the form of information on disability pension from others than SPK and the National Insurance Scheme. Otherwise, it is very detailed income information, such as the taxable portion of insurance, purchase of shares at a discount, benefits in kind, etc.

SPK has lacked a filter to prevent the import and storage of unnecessary income information, and has not had a delete function for the data. SPK employees have had access to the redundant information at the individual level.

At the time of the deviation report, SPK summarized the reasons for the deviation as follows:
- insufficient assessment of the legal basis for the processing of personal data, including the term «pensionable income»
- lack of follow-up of the requirement for data minimization
- missing deletion routines / deletion function
- lack of access control in the caseworker system

SPK considers the discrepancy to be serious, as it is an illegal processing of very personal information about a generally vulnerable group of persons (people on disability benefits).

SPK also refers to the possible consequences of the illegal processing of personal information. The follow-up may trigger a claim for reimbursement from the individual recipient, and a claim for recovery of an overpaid disability pension will constitute a coercive basis for disbursement. SPK's decisions on repayment are made by fully automated (machine) decisions without regard to the guilt of the person on disability benefits.

SPK states that taxpayers are subject to a comprehensive duty to provide information to the tax authorities. It is pointed out that taxpayers must be able to feel confident that the information they have reported is not reused for incompatible purposes without a legal basis.

Furthermore, SPK points out that they generally do not provide active information about which personal information is obtained, which makes it difficult for the data subjects to exercise their rights under the privacy regulations, for example to have unnecessary information deleted.

As a result of the deviation, SPK had planned and / or implemented the following measures:
- dialogue with the Ministry of Labor and Social Affairs on changes to the legal basis for gathering of information
- block the internal access to the information
- delete data
- establish filters to avoid importing unnecessary data

[2] An electronic solution for coordinated reporting from employers.



3. Statement from the Government Pension Fund

In a letter dated 18.02.2020, the Norwegian Data Protection Authority requested a more detailed account of the measures that were implemented after the deviation. SPK responded to the inquiry in a letter dated 16.03.2020. SPK has also provided information in a meeting on 16.04.2021.

SPK emphasizes that post-settlement is not a control activity to uncover prohibited actions, but a statutory task where SPK makes an annual settlement that can result in a payment or a repayment claim.

SPK also states that income information was obtained from the Tax Administration for the first time in October 2016 (i.e. not in July 2015, as previously stated). Only SPK employees with access to disability pension in the caseworker system have had the opportunity to access the information. This amounts to approx. 50 of a total of 450 employees.

For approx. 44,000 people (out of a total of approx. 1,000,000), income information has been received for use in post-settlement without sufficient legal basis. For approx. 24,000 of these, no surplus information was obtained, as the persons only have a disability pension as income.

SPK emphasizes that they take the case very seriously. As a result of the deviation, SPK has implemented the following measures:
- The legal basis for obtaining accrued income information has been changed and specified.
- The internal access to redundant information was blocked in September 2019.
- Surplus information was deleted on 11.10.2019.
- SPK established a deletion routine where all income information that is not relevant for the post-settlement is deleted immediately after loading into the database. Afterwards, a filter to avoid the import of unnecessary data was introduced in collaboration with the Tax Administration.

In the time after the non-conformance report was sent, SPK has assessed the legal basis for the collection of income information in more detail. SPK now considers that they have had a legal basis in the Tax Administration Act § 3-6 second paragraph to collect a wide range of income information. The provision was somewhat unclear when it came to obtaining accrued income information, and SPK therefore took the initiative to change the wording of the provision. SPK nevertheless wishes to emphasize that they believe that income information has not been obtained without legal basis in special legislation.

A main reason why SPK has obtained unnecessary income information is that SPK found it expedient to obtain information from the Tax Administration. The income information from the tax authorities was only available in a predefined data set that also contained information SPK did not need in connection with post-settlement.

In the meeting on 16.04.2021, SPK explained that the disability pension scheme was changed in 2015 ("Disability reform"). After the reorganization, it was unclear to SPK which income information was relevant to the annual post-settlement. What information has been shown to be relevant has also changed over time. This has led to the collection of unnecessary income information. SPK did not realize the implications of this at an early enough time. SPK has not had a system for reviewing and deleting surplus information during the period the discrepancy persisted.

SPK further explained that a closer assessment had to be made of which income information was necessary for post-settlement when the discrepancy was discovered. This is the reason why the information was first blocked and then deleted.

4. The Government Pension Fund's comments on the notice letter

The Government Pension Fund has provided further comments and clarifications in a letter dated 12.05.2021.

The letter points out that the disability pension must be adjusted based on how much earned income a person has had in a given year. The disability pension is initially paid on the basis of what the disabled person thinks their income will be in the coming year. It can be difficult for a person to predict exactly what the annual income will be, and SPK is dependent on that person continuously reporting income changes. The reform presupposes that a post-settlement is carried out the subsequent year, where SPK calculates whether the disabled person will be paid back, or must repay, a part of the benefit. Post-settlement is largely done mechanically, and the annual tax settlement is used as a basis for the calculations.

However, the tax settlement does not sufficiently differentiate between different types of income, i.e. the types of income that are to be included in or excluded from the basis for calculation of the disability benefit - and thus also the post-settlement. Furthermore, the tax settlement indicates income for the year as a whole and not as accrued income figures.

In the post-settlement, SPK needs information about the tax settlement's pensionable income broken down by income type and accrued by month. It will most often be demanding and complicated for the disabled person to document this properly, and manual submission of documentation will usually provide surplus information that is difficult to sort out. SPK therefore chose to obtain accrued data broken down by income type directly from the Tax Administration. The post-settlement takes place once a year, in the autumn after the tax settlement for the previous year is ready. Correspondingly, the data is obtained from the Tax Administration once a year.

Despite the lack of better solutions, SPK acknowledges that the deviation from the privacy regulations should have been discovered earlier.

SPK has collected and stored surplus information a total of three times: in October 2016, 2017 and 2018. Two of the collections took place before the new Personal Data Act came into force (in July 2018). In October 2019, surplus information was obtained, but deleted immediately. In October 2020, only necessary income information was obtained.

SPK developed a filter which from July 2019 ensured that only necessary information about pensionable income was available to caseworkers. Before SPK collected data for the post-settlement in October 2019, a system solution was implemented that deleted all surplus information from the database. The solution also ensured that all surplus information which in 2019 and later had to be retrieved would be deleted continuously and immediately. A new data extraction with only necessary information was in place as of 27.08.2020.

SPK also points out that they spent a long time on the non-conformance report because they were "untrained" in sending such messages. The discrepancy was therefore strictly interpreted and explained in detail in the first message. SPK indicates that today they would present the case differently and in a more nuanced way.

Among other things, SPK points out that the disabled persons who are covered by the deviation participate in working life in positions of between 20 and 80%. It was not SPK's intention to stigmatize the group as generally vulnerable. Furthermore, it appears that SPK strives to provide the data subjects with good information through its website.

In summary, SPK acknowledges that the discrepancy should have been discovered earlier. It is pointed out, however, that the impact on those affected has been limited. The surplus information was subject to access control, and SPK has done its utmost to rectify the situation when the deviation was discovered. In light of this, SPK believes that the notified infringement fee is too high in relation to the nature of the deviation.

5. Current legal basis for the assessment

The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. section 20 of the Personal Data Act and Article 57 of the Privacy Ordinance.

5.1 On choice of law

The new Personal Data Act, which incorporates the EU Privacy Regulation into Norwegian law, entered into force on 20.07.2018. The law also repealed the Personal Data Act (2000) and the rules in the Personal Data Regulations (2000).

This case concerns circumstances that arose in 2016, i.e. before the entry into force of the Personal Data Act (2018), but which have persisted in the time since. We must therefore decide whether the case shall be assessed in accordance with the Personal Data Act (2018) or the Personal Data Act (2000).

There is a special transitional rule on infringement fines in the Personal Data Act (2018) § 33 first paragraph, which reads:

        «The rules on the processing of personal data that applied at the time of the action shall be used as a basis when a decision on an infringement fine is made. The legislation at the time of the decision shall nevertheless be used when this leads to a more favorable result for the person responsible».

The question of choice of law must therefore be assessed on the basis of what is considered the time of action.

The relevant deviation arose before the entry into force of the new regulations on 20.07.2018, but persisted until the discrepancy was discovered in September 2019. The time of action in this case has thus persisted over time and into the time after the Personal Data Act (2018) came into force. It then follows from the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with this Act.

We also refer to the preparatory work for the Personal Data Act (2018), Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018):

        «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to be made on the basis of the material rules in force at any given time».

The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and PVN-2018-06.

Against this background, in our assessment it is clear that the case must be assessed according to the Personal Data Act (2018) and the Privacy Ordinance.

5.2 The principles for the processing of personal data

The basic principles for the processing of personal data are set out in Article 5 of the Privacy Ordinance. The relevant parts of the provision read:

        «1. Personal data must (…)
        c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"), (…)
        e) be stored in a form that makes it not possible to identify the data subjects for longer than is necessary for the purposes for which the personal data are processed (…) ("storage limitation"),
        f) be processed in a manner that ensures adequate security of the personal data, including protection against unauthorized or illegal processing and against unintentional loss, destruction or damage, using appropriate technical or organizational measures («integrity and confidentiality»)».

5.3 Legal basis for the processing

Any processing of personal data must have a legal basis in Article 6(1) of the Privacy Ordinance to be lawful. The relevant parts of the provision read:

        «1. Processing is only lawful if and to the extent that at least one of the following conditions is fulfilled: (…)
        c) the processing is necessary to fulfill a legal obligation that is incumbent on the data controller, (…)
        e) the processing is necessary to perform a task in the public interest or to exercise public authority imposed on the controller (…)».

Processing of so-called special categories of personal data, for example health information, is in principle prohibited, cf. Article 9 no. 1 of the Privacy Ordinance. For the processing of such information to be lawful, at least one of the conditions set out in Article 9 no. 2 must be fulfilled. The relevant parts of the provision read:

        «2. No. 1 does not apply if one of the following conditions is met: (…)
        b) the processing is necessary for the data controller or the data subject to be able to fulfill their obligations and exercise their special rights in the area of labor law, social security law and social law, to the extent this is permitted under Union law or the national law of the Member States, or a collective agreement pursuant to the national law of the Member States which provides the necessary guarantees for the data subject's fundamental rights and interests. (…)».

5.4 In particular on the imposition of infringement fines

From Article 58 no. 2 letter i of the Privacy Ordinance, cf. the Personal Data Act § 26 second paragraph, it appears that the Data Inspectorate may impose on public authorities and bodies an infringement fine according to the rules of Article 83 of the Privacy Regulation in case of violation of provisions in the privacy regulations.

Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains, among other things, an overview of which aspects should be taken into account, both when it is considered whether an infringement fee should be imposed and in determining the size of the fee. The relevant parts of Article 83(1) and (2) are reproduced below:

        «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 in each case is effective, stands in a reasonable relation to the violation and has a deterrent effect.

        2. (…) When a decision is made on whether to impose an infringement fine and on the amount of the infringement fee, the following must be duly taken into account in each individual case:

        a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned and the number of data subjects who are affected, and the extent of the damage they have suffered,
        b) whether the infringement was committed intentionally or negligently,
        c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects,
        d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32, (…)
        f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce its possible negative effects,
        g) the categories of personal data affected by the infringement,
        h) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified the infringement, (…)
        k) any other aggravating or mitigating factor in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, as a result of the infringement».

Article 83 also sets out the framework for the amount of the infringement fine. We refer in this connection to Article 83 paragraphs 4 and 5. The relevant parts of the provisions are:

        «4. In the event of violations of the following provisions, an infringement fine of up to 10,000,000 euros shall be imposed in accordance with paragraph 2 (…):
        a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25-39 and 42 and 43 (…).

        5. In the event of violations of the following provisions, an infringement fine of up to EUR 20,000,000 shall be imposed in accordance with paragraph 2 (…):
        a) the basic principles of processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9».

 6. The Danish Data Protection Agency's assessment

In the following, we will first assess SPK's legal basis for processing
surplus information obtained from the Tax Administration for follow-up of disability pension. We will
then assess whether SPK has complied with the principles for the processing of personal data.

 6.1 Legal basis for the processing
SPK has pointed out that post-settlement for disability pension is a statutory task. A current legal
basis under the privacy regulations could thus be to fulfill a legal obligation

according to national law, cf. the Privacy Ordinance Article 6 No. 1 letter c. One can also consider
the post-settlement as an exercise of public authority under national law, cf. Article 6 (1)
letter e. Both provisions require that the treatment be necessary.

Regarding the treatment information about disability pension from others than SPK itself and
the National Insurance Scheme, the processing must also be permitted under the Privacy Ordinance, Article 9 no.

2. Information that a person receives a disability pension is in itself a health information,
as the granting of a disability pension in itself presupposes a reduced ability to work due to
illness / health problems. We will confine ourselves to pointing out that the relevant provision of Article 9
No. 2 letter b (fulfill obligations in the area of social security law) also requires that the treatment
is necessary.

SPK has stated that the transfer of information has taken place pursuant to the tax administration

§ 3-6 second paragraph of the Act, which states that the Tax Administration may disclose information about
«Pensionable income» to SPK without prejudice to the duty of confidentiality.

SPK has stated that they have had authority in the Tax Administration Act § 3-6 second paragraph to obtain
a wide range of income information. SPK has nevertheless reported and acknowledged that
Unnecessary income information was obtained from the Tax Administration in the predefined data set
from the Tax Administration.


After the Disability Reform in 2015, it was unclear what income information was needed for post-settlement, and the understanding also changed over time. The Data Inspectorate will nevertheless point out that SPK was responsible for clarifying within a reasonable time what information they needed for this work, so that only necessary information was obtained from the Tax Administration.




We assume that SPK obtained surplus information on four occasions between October 2016 and October 2019. In October 2019, unnecessary information was obtained but deleted immediately.

The Norwegian Data Protection Authority has concluded that SPK has violated the requirement of necessity in Article 6 (1) of the Privacy Regulation, cf. Article 9 (2), in connection with the collection of income information from the Tax Administration for use in post-settlement for disability pension.

6.2 The principles for the processing of personal data
6.2.1 The principle of data minimization
The principle of data minimization is set out in Article 5 (1) (c) of the Privacy Regulation. It states that the processing of personal data shall be limited to the information that is necessary for the purpose.


In connection with the collection of income information, SPK has obtained surplus information that was not necessary for the post-settlement for disability pension. Since a technical solution for obtaining only necessary information has later been put in place, we assume that it has been practically possible to collect only the information that SPK needed.


This constitutes a breach of the principle of data minimization, cf. Article 5, paragraph 1, letter c.

6.2.2 The principle of storage limitation
Pursuant to Article 5 (1) (e), personal data shall not be stored for longer than is necessary for the purpose.


A damage-limiting measure when surplus information is obtained can be good routines for assessing what information is needed and for deleting unnecessary information. Until October 2019, SPK had no routines for deleting unnecessary income information obtained from the Tax Administration.

This constitutes a breach of the principle of storage limitation, cf. Article 5 (1) (e).


6.2.3 The principle of confidentiality
The principle of confidentiality is set out in Article 5 (1) (f) of the Privacy Regulation and means, among other things, that only those who have a service need should have access to personal data.

SPK has reported that after the Disability Reform in 2015 it has had to review the income information to assess what information is necessary for post-settlement.

Only employees who work with disability pension have had access to the surplus information obtained from the Tax Administration.

After a comprehensive assessment, the Data Inspectorate has concluded that SPK has not violated the principle of
confidentiality, cf. Article 5 (1) (f).




6.3 Assessment of whether an infringement fee is to be imposed
The Norwegian Data Protection Authority has concluded that SPK has violated Article 5 (1) (c) and (e) of the Privacy Regulation as well as the necessity requirement in Article 6 (1), cf. Article 9 (2). These are offenses that may provide a basis for imposing an infringement fine.

The offense largely occurred before the Personal Data Act (2018) and the Privacy Regulation entered into force. The Data Inspectorate could also impose an infringement fee under the earlier rules, cf. § 46 of the Personal Data Act (2000), but the amount was then limited to up to 10 times the National Insurance basic amount (currently approx. NOK 1,010,000).

However, we refer to the discussion under section 3.1 and assume that the fee will be measured according to the new regulations. In principle, there is thus a basis for imposing on SPK an infringement fine of up to EUR 20,000,000 (currently approx. NOK 213,000,000), cf. Article 83 (5) of the Privacy Regulation. We will nevertheless take into account that three of the four cases of collection of surplus information took place in the period when the previous privacy regulations applied.

Below we review the factors that we consider relevant for the assessment of whether an infringement fine must be imposed.

a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the processing concerned, the number of data subjects affected and the extent of the damage they have suffered
We have come to the conclusion that SPK has violated the basic requirements for the processing of personal data, that is, the basic principles in Article 5 (1) of the Privacy Regulation and the requirement of necessity in Article 6 (1), cf. Article 9 (2). This is serious.


The collection of surplus information went on for almost three years, from October 2016 to October 2019.

Approx. 44,000 people are affected. Although this is a relatively low proportion of SPK's members, it is still a high number of people.

b) whether the infringement was committed intentionally or negligently
SPK first became aware of the discrepancy in February 2019. SPK has explained why it afterwards took time to assess specifically which information was not necessary for post-settlement, so that neither blocking nor deletion could be carried out immediately.

After an overall assessment, the Data Inspectorate considers that SPK, represented by the managing director, has been negligent in connection with the offense.


c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects
SPK implemented several measures after the discrepancy was discovered; access to the information was blocked in September 2019, and a solution for deletion was in place in October of the same year.





Some measures have taken longer to implement, including a solution for filtering the information obtained.

In our view, SPK has overall done a good job of implementing relevant measures and shown that
they take the situation seriously.

d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32
SPK has obtained a predefined data set from the Tax Administration, without any review of the content to assess the necessity of the various pieces of information.

SPK has also not had a routine for deleting surplus information.

With regard to access control, only employees with an official need for access to disability pension information have been able to see the surplus income information, although, as has been shown, these persons should not have had access to the information either.

g) the categories of personal data affected by the infringement
The information obtained illegally is partly special categories of personal data, as it includes information on disability pension from others than SPK and the National Insurance Scheme. This makes the offense more serious, as special categories of personal data have special protection under Article 9 of the Privacy Regulation.

Otherwise, this is very detailed income information that most people will perceive as private.

h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the data controller or data processor notified the infringement
SPK itself notified the Norwegian Data Protection Authority of the violation and has otherwise contributed information in the case.

It took a long time before the discrepancy was reported: it was discovered in February 2019 but was first reported in September of that year. SPK has admittedly explained the reasons for the delay, but it is nevertheless clearly contrary to the 72-hour deadline set out in Article 33 of the Privacy Regulation.

k) any other aggravating or mitigating factor in the case, e.g. economic benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement
We have noted that three out of four collections of surplus information were made before the new Personal Data Act came into force in July 2018.


The Data Inspectorate has in total used approx. 1 year to process the case. This will also have some significance for the case, cf. the Privacy Board's decisions PVN-2021-09 and PVN-2021-03.







Overall assessment
The case concerns the collection of unnecessary income information, including special categories of personal data, and SPK has violated several basic principles for the processing of personal data. This is so serious that the Norwegian Data Protection Authority has come to the conclusion that SPK must be imposed an infringement fine.

6.4 Measurement of the fee

In assessing the size of the fee, we have emphasized that SPK has violated the basic and principal provisions of the Privacy Regulation. SPK has collected intrusive income information without this being necessary for the purpose. Furthermore, special categories of personal data are affected, as the information applies to disability pension.

The purpose of the collection was post-settlement for disability pension, which may have financial consequences (repayment claims) for the affected persons. The case includes in total approx. 44,000 people, i.e. a significant number of disability pensioners.

It is also pointed out that the inhabitants in general have a broad duty to provide information to the tax authorities. Illegal use of collected information can be detrimental to trust in the public authorities.

The discrepancy also persisted for over three years before it was discovered. During this period, SPK did not do enough to clarify what income information they needed for the purpose of post-settlement for disability pension.

On the other hand, we have taken into account that SPK implemented relevant measures after the deviation was discovered, and SPK has shown that they take the case seriously.


We have also taken into account that SPK itself reported the deviation to the Norwegian Data Protection Authority, albeit much later than the regulations dictate.

Furthermore, we have emphasized that the offense partly took place before the Personal Data Act (2018) and the Privacy Regulation entered into force. Under the previously applicable Personal Data Act (2000), the fee was limited to a maximum of approx. NOK 1,010,000.


The Data Inspectorate's case processing time of approx. 1 year will also have some effect on the size of the fee,
see PVN-2021-09 and PVN-2021-03.

The Data Inspectorate has come to the conclusion that the infringement fee must be set at NOK 1,000,000 in this case.

The amount has been adjusted downwards somewhat from the notified fee of NOK 1,500,000, based on our weighting of the factors set out above.

7. Right of appeal
This decision can be appealed within three weeks after you have received this letter, cf. Sections 28 and 29 of the Public Administration Act. Any complaint is sent to the Norwegian Data Protection Authority. If we do not uphold the complaint, the case will be sent to the Privacy Board for complaint processing, cf. § 22 of the Personal Data Act.


If you have any questions, you can contact director Bjørn Erik Thon or
caseworker Susanne Lie (e-mail: suli@datatilsynet.no).



With best regards

Bjørn Erik Thon
director

Susanne Lie
senior legal adviser

The document is electronically approved and therefore has no handwritten signatures


Copy to: GOVERNMENT PENSION FUND ADMINISTRATION COMPANY, Gry-Helen Henriksen
         THE TAX AUTHORITY






























