Datatilsynet (Norway) - 20/02165
|Datatilsynet (Norway) - 20/02165|
|Relevant Law:||Article 5 GDPR|
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Health Records Act §22 (pasientjournalloven)
|Parties:||Moss municipality (kommune)|
|National Case Number/Name:||20/02165|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA fined a municipality approximately €47,700 (NOK 500,000) for breaching Article 32(1)(b) and (d) GDPR by merging two IT systems for health records. This led to, among other things, incorrect information about vaccines and substance abuse during pregnancy.
English Summary[edit | edit source]
Facts[edit | edit source]
The two municipalities Rygge and Moss merged in January 2020. In the process of merging their IT systems for health records, several errors occurred:
- Incorrect registration of vaccines. Some people were registered as having received vaccines, when they in reality had not, and others were incorrectly registered as not having been given a vaccine, when they in fact had.
- Errors in health records for pregnant women, including error in the number of weeks into the pregnancy and related to information about the mother’s use of drugs/alcohol/nicotine.
- Patient health data was made accessible to unauthorized healthcare personnel and it was not possible to trace any unauthorized access (in Norway a patient has the opportunity and right to view who has accessed their medical information).
- Errors relating to daily operations (administration), such as appointment books.
28,000 people were transferred during the merger of the IT systems and about 2,000 could potentially have been affected by errors. However, no one were actually affected and the errors were rectified and are under control.
Moss municipality notified the DPA themselves about the personal data security breaches. The DPA found, in the end, that the municipality had breached § 22 of the Norwegian Health Records Act (pasientjournalloven) and Article 32(1)(b) and (d) GDPR (cf. Article 5 GDPR).
Holding[edit | edit source]
The DPA fined Moss municipality NOK 500,000 (€47,700) for insufficient technical and organisational measures to ensure a sufficient level of security when merging the IT systems. The DPA commented that the breaches were very serious and that the municipality should have conducted a data protection impact assessment (DPIA), as well as more testing before making the changes.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
MOSS MUNICIPALITY PO Box 175 1501 MOSS Their reference Our reference Date 20 / 10671-12- INAN 20 / 02165-9 04.06.2021 Decision on infringement fee - Moss municipality 1 Introduction We refer to the submitted report of 4 February 2020 on breaches of personal data security, as well as follow-up e-mail of 12 February 2020, and final notification of breach personal data security of 27 April 2020. We also refer to correspondence with Moss municipality's privacy representative, i.a. email of November 2, 2020. Finally, reference is made to the Data Inspectorate's notification of infringement fines of 9 December 2020 and response on this from Moss municipality of 21 January 2021, as well as, as well as other correspondence in the case. Based on the municipality's response of 21 January 2021, and previous cases, we have adjusted the violation fee down to 500,000 kroner. Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance Article 58 no. 2 letter i), cf. article 83, we impose an infringement fee of 500,000 on Moss Municipality kroner for failing to implement appropriate technical and organizational measures to achieve a a level of security suitable for ensuring the continued confidentiality of treatment systems and the services, cf. section 22 of the Patient Records Act, cf. section 32 no. 1 letter of the Privacy Ordinance (b) and (d), in accordance with Article 5. The background and reasons for the decision follow below. 2. The case In connection with the merger of Rygge and Moss municipality which took place on 1 January 2020, The municipality has sought to merge the use of IT systems for different service areas in the municipality. This applies to the use of the subject system CGM Journal, which Moss municipality has used for a number of years, and which Rygge municipality's employees in the health service children and young people used the merger. In that context, a conversion of users and the system was made data 13 and 14 January 2020. Postal address: Office address: Telephone: Org.nr: Homepage: PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 The OSLO subject system handles personal information and health data and includes persons residing in the municipality, and which uses the health station. The system applies to services associated with vaccination programs in the municipality, and other health checks as well as follow-up of pregnant women. Moss municipality has discovered errors in connection with the conversion from HSPro to CGM Journal. The plan was that all changes involving health information would be resolved on Friday 7. February, and the rest on Thursday 13 February. A test environment was established so that the superuser tested solutions before they were used in the production environment, and that the super user did samples that the corrections worked as they should. Errors have been corrected from 7 February to 4 March, when some errors were also discovered what was originally reported to the Norwegian Data Protection Authority. These are stated in the final report of 27. April 2020. Moss municipality states that some of the violations represent violations personal data security, including breaches of confidentiality, integrity and availability. The breaches include both adults and children. The violations reported are as follows: • Errors in the registration of vaccines, including registered vaccines that persons do not have received, and vaccines that individuals have received and that are not registered in vaccine overview. The errors represent a danger of incorrect vaccination, and risk of errors in the National Vaccine Register • Error in journal data. Errors that have been found are related to follow - up of mothers in pregnancy, i.a. errors in the number of weeks of pregnancy, weight and goals in the school health service and in information about the mother's drug use. • Patient information is made available to healthcare professionals at a department such as does not have an official need for access, without access being traceable. • Faults that have been found are related to daily operations, such as time books and journal manager. The number of registered records in the subject system that was transferred was a total of 28,000. 2,000 people are potentially affected, but it has not been revealed that any people are specifically affected by the errors. The errors have been corrected and are under control per. February 11, 2020. 3 The offense The discrepancies concern breaches of confidentiality, integrity and availability. IN Article 32 of the Privacy Regulation states: «Taking into account the technical development, the implementation costs and the nature of the treatment, the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and severity of the rights and freedoms of natural persons, the data controller and The data processor implements appropriate technical and organizational measures to achieve a level of security which is suitable in terms of risk, including, inter alia, as appropriate, a) pseudonymisation and encryption of personal data, b) ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services, c) ability to restore the availability and access to personal information in a timely manner if necessary a physical or technical event occurs, d) a process for regular testing, analysis and assessment of the effectiveness of treatment technical and organizational security measures are. " Patient information has been available to healthcare professionals, without service needs, at department Bredsand Rygge. The errors in the conversion have led to the danger that patient information is no longer correct, valid and complete as a result of an error in registration of vaccines and errors in medical records related to follow-up of mothers during pregnancy. During the conversion, errors were registered in information about intoxication / alcohol / smoke during pregnancy. The error occurred as a result of it being incorrectly registered that everyone has "ended the pregnancy"; something which would be interpreted as meaning that everyone used drugs during pregnancy. This has now been corrected. This constitutes a breach of Article 32 (1) (b) of the Privacy Regulation, which requires that a level of security is established that is suitable for ensuring continued confidentiality, integrity and availability. In connection with the conversion, many and very serious errors occurred which could have had major consequences for those affected. Lack of risk assessment has been a contributing factor to the errors that occurred in the conversion. This is a violation of the Privacy Ordinance Article 32 (1) (d). The incident also indicates inadequate test runs prior to the process. In e-mail of 2. November 2020, CGM (data processor) states that testing was performed at Rygge municipality its database in connection with the conversion tool had to be further developed, in order to handle exactly this conversion, but that it has not been adequately tested in this case. In a case involving the conversion of large amounts of sensitive data, it is reasonable to expect that a test regime consisting of different test scenarios suitable for is established in advance to be able to detect different types of errors that can occur during this type of conversion activity. The results of such tests should be documented in a test report that is approved or approved by the data controller before the actual conversion is carried out. The information in such a test report could provide valuable information to super users and other test personnel after the conversion and would have provided a good basis for testing that all information has been converted correctly. This would be a breach of Article 32 (1) (d) of the Privacy Regulation. 35 Assessment of the Privacy Ordinance's rules on infringement fines The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public authorities and bodies infringement fines under the rules of the Privacy Regulation Article 58, cf. Article 83 no. 7. It is stated here that «without prejudice to the authority of the supervisory authorities to adopt corrective measures in accordance with Article 58 (2), each Member State may provide rules on when and to what extent public authorities and bodies are established in the said Member State may be fined. ' The right to impose infringement fines shall be a tool to ensure effective compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as punishment under Article 6 of the European Convention on Human Rights. The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required offense in order to impose a fee. The case and the question of imposing infringement fines are assessed on the basis of this evidentiary requirement. In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can be imposed by a administrative body, which addresses a committed violation of law, regulation or individual decision, which is considered a punishment under the European Convention on Human Rights (EMK). For companies, the guilt assessment is unique. Section 46 (1) of the Public Administration Act states: "When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual has shown guilt ». In Prop. 62 L (2015-2016) page 199 it is stated about § 46: «The wording that‘ none individual has shown guilt ’is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore basically objective ». Article 83 provides in principle that the imposition of infringement fines depends on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure that the imposition of infringement fines in each individual case is effective is reasonable relation to the violation and acts as a deterrent. In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following moments: a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the action concerned and the number of data subjects affected, and the extent of the damage they have suffered 4 The breach of personal data security includes breaches of confidentiality, integrity and availability. Patient information is made available to others at a ward that does not have service needs. Who has had access to the patient data is not traceable. The conversion errors have also meant that for a period of time one could not be sure that the personal information was correct. For example. all pregnant women were classified as drug addicts without being so. No risk assessments and assessments of the privacy implications have been carried out at the conversion. The breaches of personal data security also indicate deficiencies test drive prior to conversion. The breach of personal data security has meant that the data subject has lost control of information about themselves. This applies both in relation to the accuracy of the information and who who has seen the information. Health information has been available to healthcare professionals at Bredsand Rygge, without it being traceable who has seen these. The Data Inspectorate takes a serious view of the fact that the municipality has not implemented sufficient measures technical measures to ensure a secure conversion of health information from the system in Rygge municipality to system in Moss municipality. b) whether the infringement was committed intentionally or negligently The breach of personal data security has meant that the data subject has lost control of information about themselves. No risk assessment has been carried out, assessment of the privacy implications or adequate test runs before the conversion became completed. The case shows that there has been a routine failure in the municipality. The breach includes special categories of personal information, which should have led to extra caution from the municipality's side. The Data Inspectorate considers the municipality's action to be negligent. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects The municipality has been in contact with those affected and informed about the incident. The municipality first considered that the breach of personal data security would not entail a high risk of the rights and freedoms of those affected. The Danish Data Protection Agency assesses this differently and has come to the extent and nature of the breach means that Moss municipality is in the core area for the duty to notify, cf. Article 34. That the municipality has not registered any of the consequences has occurred shall be given importance. This was announced to the municipality in a letter dated 9 March 2020. d) the degree of responsibility of the data controller or data processor, taking into account to the technical and organizational measures they have implemented in accordance with Article 25 and 32 In this case, CGM admits that those who process data must bear the main responsibility the test drive, but that the municipality had the main responsibility for quality assurance of converts data. The Data Inspectorate shares this view. 5e) any relevant previous violations committed by the data controller or the data processor No previous violations have been established that have been committed by the data controller or data processors relevant to the case. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it There has been no cooperation between the Norwegian Data Protection Authority and Moss municipality to remedy the damage. g) the categories of personal data affected by the infringement The breach of personal data security includes health information, which is a special category of personal data, which is covered by Article 9. That the breach includes special categories of personal information makes the incident extra serious. h) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified of the infringement Moss municipality, through the privacy ombudsman, notified the Danish Data Protection Agency of the breach personal data security by e-mail of 4 February 2020 (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that the said measures are complied with Not relevant to the case. (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 Not relevant to the case. k) any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement The Data Inspectorate views positively that Moss municipality quickly took action when the breach personal data security was discovered. The municipality has also implemented measures that should prevent similar offenses in the future. The Data Inspectorate has not established that Moss municipality has had financial benefits, or avoided direct or indirect loss as a result of the infringement. The Norwegian Data Protection Authority has also not taken into account Moss municipality's financial ability. 66 Overall assessment It is very serious that the municipality in connection with the conversion of patient information from Rygge municipality to Moss municipality completed this conversion without one risk assessment or assessment of the privacy implications. Nor has it been conducted adequate testing prior to conversion. In the Data Inspectorate's assessment, the case is important in principle. Moss municipality should have been equipped to meet the requirements for personal data security in the event of this case includes. In this respect, a decision on infringement fines can have an important signal effect. After an overall assessment, the Data Inspectorate has come to the conclusion that Moss municipality should be imposed a infringement fine. 7 The size of the fee In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that «As a starting point, the same rules for infringement fines shall apply public bodies as for private, as this is the scheme under current Personal Data Act. » The ministry further writes that they have noted the concern as some public consultation bodies have expressed, but the Ministry assumes that within the rules of Article 83 of the Regulation, which also sets out the factors to be taken into account in the measurement of administrative fees, there is room for considerable consideration with regard to the size of fee. The Ministry states that «[t] he flow limits in the regulation Article 83 state maximum limits for the calculation of administrative fees, while no one has been set minimum limits. " With regard to the size of the fee, the same factors shall apply as when assessing whether the fee shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the size of the fee must be in a reasonable proportion to the violation and the activity, cf. art. 83 No. 1. The Data Inspectorate agrees with the municipality's input on the size of the infringement fee, seen in in relation to similar cases that the Data Inspectorate has dealt with, and finds it possible to adjust this downwards to NOK 500,000. After an overall assessment of the case, and then especially with regard to the seriousness of the violation and the legislation's requirement that the imposition of infringement fines in each individual case shall be effective, proportionate and dissuasive, we have come to the conclusion of an infringement charge NOK 500,000 is considered correct. 78 Deadline for fulfillment and right of appeal You can appeal the decision. Any complaint must be sent within three weeks of this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22. If you do not appeal the order for an infringement fee, the fulfillment deadline is four weeks after the expiry of the appeal period, cf. the Personal Data Act § 27. With best regards Bjørn Erik Thon director Knut Brede Kaspersen legal director The document is electronically approved and therefore has no handwritten signatures 8