Datatilsynet (Norway) - 20/02165

From GDPRhub
Datatilsynet (Norway) - 20/02165
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5 GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Health Records Act §22 (pasientjournalloven)
Type: Investigation
Outcome: Violation Found
Decided: 04.06.2021
Published: 24.06.2021
Fine: 500,000 NOK
Parties: Moss municipality (kommune)
National Case Number/Name: 20/02165
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a municipality approximately €47,700 (NOK 500,000) for breaching Article 32(1)(b) and (d) GDPR by merging two IT systems for health records. This led to, among other things, incorrect information about vaccines and substance abuse during pregnancy.

English Summary[edit | edit source]

Facts[edit | edit source]

The two municipalities Rygge and Moss merged in January 2020. In the process of merging their IT systems for health records, several errors occurred:

  • Incorrect registration of vaccines. Some people were registered as having received vaccines, when they in reality had not, and others were incorrectly registered as not having been given a vaccine, when they in fact had.
  • Errors in health records for pregnant women, including error in the number of weeks into the pregnancy and related to information about the mother’s use of drugs/alcohol/nicotine.
  • Patient health data was made accessible to unauthorized healthcare personnel and it was not possible to trace any unauthorized access (in Norway a patient has the opportunity and right to view who has accessed their medical information).
  • Errors relating to daily operations (administration), such as appointment books.

28,000 people were transferred during the merger of the IT systems and about 2,000 could potentially have been affected by errors. However, no one were actually affected and the errors were rectified and are under control.

Moss municipality notified the DPA themselves about the personal data security breaches. The DPA found, in the end, that the municipality had breached § 22 of the Norwegian Health Records Act (pasientjournalloven) and Article 32(1)(b) and (d) GDPR (cf. Article 5 GDPR).

Holding[edit | edit source]

The DPA fined Moss municipality NOK 500,000 (€47,700) for insufficient technical and organisational measures to ensure a sufficient level of security when merging the IT systems. The DPA commented that the breaches were very serious and that the municipality should have conducted a data protection impact assessment (DPIA), as well as more testing before making the changes.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 PO Box 175
 1501 MOSS

 Their reference Our reference Date
20 / 10671-12- INAN 20 / 02165-9 04.06.2021

Decision on infringement fee - Moss municipality

1 Introduction

We refer to the submitted report of 4 February 2020 on breaches of personal data security,
as well as follow-up e-mail of 12 February 2020, and final notification of breach
personal data security of 27 April 2020. We also refer to correspondence with Moss
municipality's privacy representative, i.a. email of November 2, 2020.

Finally, reference is made to the Data Inspectorate's notification of infringement fines of 9 December 2020 and response
on this from Moss municipality of 21 January 2021, as well as, as well as other correspondence in the case.

Based on the municipality's response of 21 January 2021, and previous cases, we have adjusted
the violation fee down to 500,000 kroner.

Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance Article 58
no. 2 letter i), cf. article 83, we impose an infringement fee of 500,000 on Moss Municipality
kroner for failing to implement appropriate technical and organizational measures to achieve a

a level of security suitable for ensuring the continued confidentiality of treatment systems and
the services, cf. section 22 of the Patient Records Act, cf. section 32 no. 1 letter of the Privacy Ordinance
(b) and (d), in accordance with Article 5.

The background and reasons for the decision follow below.

2. The case

In connection with the merger of Rygge and Moss municipality which took place on 1 January 2020,
The municipality has sought to merge the use of IT systems for different service areas in
the municipality. This applies to the use of the subject system CGM Journal, which Moss municipality has used
for a number of years, and which Rygge municipality's employees in the health service children and young people used

the merger. In that context, a conversion of users and the system was made
data 13 and 14 January 2020.

Postal address: Office address: Telephone: Homepage:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 1
0105 OSLO 0191 The OSLO subject system handles personal information and health data and includes persons residing in
the municipality, and which uses the health station. The system applies to services associated with
vaccination programs in the municipality, and other health checks as well as follow-up of pregnant women.

Moss municipality has discovered errors in connection with the conversion from HSPro to CGM
Journal. The plan was that all changes involving health information would be resolved on Friday 7.
February, and the rest on Thursday 13 February. A test environment was established so that the superuser

tested solutions before they were used in the production environment, and that the super user did
samples that the corrections worked as they should.

Errors have been corrected from 7 February to 4 March, when some errors were also discovered
what was originally reported to the Norwegian Data Protection Authority. These are stated in the final report of 27.
April 2020.

Moss municipality states that some of the violations represent violations
personal data security, including breaches of confidentiality, integrity and
availability. The breaches include both adults and children.

The violations reported are as follows:

        • Errors in the registration of vaccines, including registered vaccines that persons do not have
            received, and vaccines that individuals have received and that are not registered in
            vaccine overview. The errors represent a danger of incorrect vaccination, and risk of
            errors in the National Vaccine Register

        • Error in journal data. Errors that have been found are related to follow - up of mothers in

            pregnancy, i.a. errors in the number of weeks of pregnancy, weight and goals in the school health service
            and in information about the mother's drug use.

        • Patient information is made available to healthcare professionals at a department such as
            does not have an official need for access, without access being traceable.

        • Faults that have been found are related to daily operations, such as time books and
            journal manager.

The number of registered records in the subject system that was transferred was a total of 28,000. 2,000 people are
potentially affected, but it has not been revealed that any people are specifically affected by the errors.
The errors have been corrected and are under control per. February 11, 2020.

3 The offense
The discrepancies concern breaches of confidentiality, integrity and availability. IN
Article 32 of the Privacy Regulation states:

«Taking into account the technical development, the implementation costs and the nature of the treatment,
the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and
severity of the rights and freedoms of natural persons, the data controller and

                                                                                               The data processor implements appropriate technical and organizational measures to achieve a level of security
which is suitable in terms of risk, including, inter alia, as appropriate,
     a) pseudonymisation and encryption of personal data,
     b) ability to ensure lasting confidentiality, integrity, availability and robustness in
        treatment systems and services,
     c) ability to restore the availability and access to personal information in a timely manner if necessary

        a physical or technical event occurs,
     d) a process for regular testing, analysis and assessment of the effectiveness of treatment
        technical and organizational security measures are. "

Patient information has been available to healthcare professionals, without service needs, at
department Bredsand Rygge. The errors in the conversion have led to the danger that
patient information is no longer correct, valid and complete as a result of an error in

registration of vaccines and errors in medical records related to follow-up of mothers during pregnancy.
During the conversion, errors were registered in information about intoxication / alcohol / smoke during pregnancy.
The error occurred as a result of it being incorrectly registered that everyone has "ended the pregnancy"; something
which would be interpreted as meaning that everyone used drugs during pregnancy. This has now been corrected.

This constitutes a breach of Article 32 (1) (b) of the Privacy Regulation, which requires that
a level of security is established that is suitable for ensuring continued confidentiality, integrity and


In connection with the conversion, many and very serious errors occurred which could have had
major consequences for those affected. Lack of risk assessment has been a contributing factor
to the errors that occurred in the conversion. This is a violation of the Privacy Ordinance
Article 32 (1) (d).

The incident also indicates inadequate test runs prior to the process. In e-mail of 2.
November 2020, CGM (data processor) states that testing was performed at Rygge municipality
its database in connection with the conversion tool had to be further developed, in order to
handle exactly this conversion, but that it has not been adequately tested in
this case.

In a case involving the conversion of large amounts of sensitive data, it is reasonable to
expect that a test regime consisting of different test scenarios suitable for is established in advance
to be able to detect different types of errors that can occur during this type of conversion activity.
The results of such tests should be documented in a test report that is approved or
approved by the data controller before the actual conversion is carried out.
The information in such a test report could provide valuable information to super users and
other test personnel after the conversion and would have provided a good basis for testing that

all information has been converted correctly.

This would be a breach of Article 32 (1) (d) of the Privacy Regulation.

                                                                                                  35 Assessment of the Privacy Ordinance's rules on infringement fines
The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public
authorities and bodies infringement fines under the rules of the Privacy Regulation Article
58, cf. Article 83 no. 7. It is stated here that «without prejudice to the authority of the supervisory authorities

to adopt corrective measures in accordance with Article 58 (2), each Member State may provide
rules on when and to what extent public authorities and bodies are established in the said
Member State may be fined. '

The right to impose infringement fines shall be a tool to ensure effective
compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as

punishment under Article 6 of the European Convention on Human Rights.

The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required
offense in order to impose a fee. The case and the question of imposing
infringement fines are assessed on the basis of this evidentiary requirement.

In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.

By an administrative sanction is meant a negative reaction that can be imposed by a
administrative body, which addresses a committed violation of law, regulation or individual
decision, which is considered a punishment under the European Convention on Human Rights

For companies, the guilt assessment is unique. Section 46 (1) of the Public Administration Act states:

       "When it is stipulated by law that an administrative sanction may be imposed on an enterprise,
       the sanction can be imposed even if no individual has shown guilt ».

In Prop. 62 L (2015-2016) page 199 it is stated about § 46: «The wording that‘ none
individual has shown guilt ’is taken from the section on corporate punishment in the Penal Code § 27
first paragraph and shall be understood in the same way. The responsibility is therefore basically objective ».

Article 83 provides in principle that the imposition of infringement fines depends on a
discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting
moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure
that the imposition of infringement fines in each individual case is effective is reasonable
relation to the violation and acts as a deterrent.

In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following


a) the nature, severity and duration of the infringement, taking into account
    the nature, extent or purpose of the action concerned and the number of data subjects affected,
    and the extent of the damage they have suffered

                                                                                               4 The breach of personal data security includes breaches of confidentiality, integrity and
availability. Patient information is made available to others at a ward that does not
have service needs. Who has had access to the patient data is not traceable.

The conversion errors have also meant that for a period of time one could not be sure that
the personal information was correct. For example. all pregnant women were classified as drug addicts
without being so.

No risk assessments and assessments of the privacy implications have been carried out
at the conversion. The breaches of personal data security also indicate deficiencies
test drive prior to conversion.

The breach of personal data security has meant that the data subject has lost control of
information about themselves. This applies both in relation to the accuracy of the information and who

who has seen the information. Health information has been available to healthcare professionals at
Bredsand Rygge, without it being traceable who has seen these.

The Data Inspectorate takes a serious view of the fact that the municipality has not implemented sufficient measures
technical measures to ensure a secure conversion of health information from the system in Rygge
municipality to system in Moss municipality.

b) whether the infringement was committed intentionally or negligently
The breach of personal data security has meant that the data subject has lost control of
information about themselves. No risk assessment has been carried out, assessment of
the privacy implications or adequate test runs before the conversion became
completed. The case shows that there has been a routine failure in the municipality. The breach includes special
categories of personal information, which should have led to extra caution from

the municipality's side. The Data Inspectorate considers the municipality's action to be negligent.

c) any measures taken by the data controller or data processor to
    limit the damage suffered by the data subjects
The municipality has been in contact with those affected and informed about the incident. The municipality
first considered that the breach of personal data security would not entail a high risk of
the rights and freedoms of those affected. The Danish Data Protection Agency assesses this differently and has come to

the extent and nature of the breach means that Moss municipality is in the core area for
the duty to notify, cf. Article 34. That the municipality has not registered any of the consequences
has occurred shall be given importance. This was announced to the municipality in a letter dated 9 March 2020.

d) the degree of responsibility of the data controller or data processor, taking into account
    to the technical and organizational measures they have implemented in accordance with Article 25 and

In this case, CGM admits that those who process data must bear the main responsibility
the test drive, but that the municipality had the main responsibility for quality assurance of converts
data. The Data Inspectorate shares this view.

                                                                                              5e) any relevant previous violations committed by the data controller or
    the data processor
No previous violations have been established that have been committed by the data controller
or data processors relevant to the case.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
    possible negative effects of it

There has been no cooperation between the Norwegian Data Protection Authority and Moss municipality to remedy
the damage.

g) the categories of personal data affected by the infringement
The breach of personal data security includes health information, which is a special category
of personal data, which is covered by Article 9. That the breach includes special categories of
personal information makes the incident extra serious.

h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
    possibly to what extent the data controller or data processor has
    notified of the infringement
Moss municipality, through the privacy ombudsman, notified the Danish Data Protection Agency of the breach
personal data security by e-mail of 4 February 2020

(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
    data controller or data processor with respect to the same subject matter, that
    the said measures are complied with
Not relevant to the case.

(j) compliance with approved standards of conduct in accordance with Article 40 or approved

    certification mechanisms in accordance with Article 42
Not relevant to the case.

k) any other aggravating or mitigating factor in the case, e.g. economic benefits
    which have been obtained, or losses which have been avoided, directly or indirectly, as a result of
    the infringement

The Data Inspectorate views positively that Moss municipality quickly took action when the breach
personal data security was discovered. The municipality has also implemented measures that should
prevent similar offenses in the future.

The Data Inspectorate has not established that Moss municipality has had financial benefits, or avoided
direct or indirect loss as a result of the infringement.

The Norwegian Data Protection Authority has also not taken into account Moss municipality's financial ability.

                                                                                              66 Overall assessment
It is very serious that the municipality in connection with the conversion of patient information from
Rygge municipality to Moss municipality completed this conversion without one
risk assessment or assessment of the privacy implications. Nor has it been
conducted adequate testing prior to conversion.

In the Data Inspectorate's assessment, the case is important in principle. Moss municipality should have been equipped

to meet the requirements for personal data security in the event of this case
includes. In this respect, a decision on infringement fines can have an important signal effect.

After an overall assessment, the Data Inspectorate has come to the conclusion that Moss municipality should be imposed a
infringement fine.

7 The size of the fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that

        «As a starting point, the same rules for infringement fines shall apply
        public bodies as for private, as this is the scheme under current
        Personal Data Act. »

The ministry further writes that they have noted the concern as some public
consultation bodies have expressed, but the Ministry assumes that within the rules of
Article 83 of the Regulation, which also sets out the factors to be taken into account in the measurement
of administrative fees, there is room for considerable consideration with regard to the size of
fee. The Ministry states that «[t] he flow limits in the regulation Article 83 state
maximum limits for the calculation of administrative fees, while no one has been set

minimum limits. "

With regard to the size of the fee, the same factors shall apply as when assessing whether the fee
shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
the specific case, at the same time as the size of the fee must be in a reasonable proportion to
the violation and the activity, cf. art. 83 No. 1.

The Data Inspectorate agrees with the municipality's input on the size of the infringement fee, seen in
in relation to similar cases that the Data Inspectorate has dealt with, and finds it possible to adjust this downwards
to NOK 500,000.

After an overall assessment of the case, and then especially with regard to the seriousness of the violation and
the legislation's requirement that the imposition of infringement fines in each individual case shall be
effective, proportionate and dissuasive, we have come to the conclusion of an infringement charge

NOK 500,000 is considered correct.

                                                                                              78 Deadline for fulfillment and right of appeal

You can appeal the decision. Any complaint must be sent within three weeks of this letter
has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will send
the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22.

If you do not appeal the order for an infringement fee, the fulfillment deadline is four weeks

after the expiry of the appeal period, cf. the Personal Data Act § 27.

With best regards

Bjørn Erik Thon

                                                                Knut Brede Kaspersen
                                                                legal director

The document is electronically approved and therefore has no handwritten signatures