Datatilsynet (Norway) - 20/03293
|Datatilsynet (Norway) - 20/03293|
|Relevant Law:||Article 30 GDPR|
Norwegian Personal Data Act of 2000 §14
Norwegian Regulation on personal data processing §2-4
Norwegian Regulation on personal data processing §2-7
|Parties:||Directorate of Norwegian Correctional Service|
|National Case Number/Name:||20/03293|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA has requested the Directorate of Correctional Service to establish records of processing activities as per Article 30 GDPR, explain controller roles and responsibilities and document their internal controls.
English Summary[edit | edit source]
Facts[edit | edit source]
On their own initiative, the Norwegian DPA requested information from the Directorate of Norwegian Correctional Service (DCS) regarding their processing of personal data, specifically an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Execution of Sentences Act, and details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally.
The DCS responded that they lack an overview of personal data processing activities, despite having procured a dedicated system for this purpose. They had initiated the work, but could only document ten processing activities - which are insufficient as per the GDPR, their own view. The DCS further stated that they process several - and many to a great extent - sensitive personal data related to sentencing. Consequently, it's important that the directorate has a good overview and control of personal data processing.
Holding[edit | edit source]
The DPA held that the Directorate of Correctional Service (DCS) must 1) establish records of processing activities in line with the Norwegian Personal Data Act of 2000 § 14 and the associated Regulation on personal data processing § 2-4, 2) describe how the responsibility for personal data processing is structured and distributed in the directorate, both organisationally and practically, cf. the Regulation on personal data processing § 2-7, and 3) send the DPA their internal controls documentation, cf. the Personal Data Act of 2000 § 14. Relevant documentation must be enclosed.
Comment[edit | edit source]
In June 2021, the DPA notified the controller of a second decision they intend to make as part of the audit.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
THE DIRECTOR OF THE CRIMINAL CARE PO Box 694 4302 SANDNES Their reference Our reference Date 202105340 20 / 03293-13 26.08.2021 Decision on order - Letter control with the Prison and Probation Service's processing of personal information 1 Introduction We refer to our notification of a decision on an order, dated 28 June 2021. The Norwegian Prison and Probation Service had a deadline to submit comments on the notice on 13 August 2021. We have not received any comments, and the decision is identical to the notification. For the record, we take the same text as stated in the notice. 2. Decision on order The Data Inspectorate adopts the following order: 1. In accordance with the Personal Data Act 2000 § 14 and associated regulations § 2-4 establish an overview of all the treatments of personal data made in the directorate. 2. The Norwegian Prison and Probation Service must account for how the responsibility for treatment follows The Personal Data Act is organizationally and practically located and distributed in the organization, cf. the Personal Data Regulations § 2-7. We request that applicable delegation documents are attached. 3. The Norwegian Prison and Probation Service must submit the current internal control to the agency, cf. the Personal Data Act 2000 § 14. Postal address: Office address: Telephone: Org.nr: Homepage: 1 PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 0105 OSLO 0191 OSLOOur legal basis for issuing orders is Article 58 no. 2 of the Privacy Ordinance. We refer to our review of the legal order later in this letter. The deadline for implementing the orders is September 21, 2021. By this deadline, you must send us a written confirmation that the orders have been implemented. You must also send the documents to which the orders apply. Background 3.1 The Data Inspectorate's requirements for reporting The Norwegian Data Protection Authority decided on its own initiative to request information from The Norwegian Prison and Probation Service on the Directorate's processing of personal data. In letter dated On December 10, 2020, we requested the following: - The Norwegian Prison and Probation Service has an overview of the processing of personal data (corresponding processing protocol according to Article 30 of the Privacy Regulation and Directive 2016/680 article 24) which takes place in the Prison and Probation Service for purposes after the Penal Code? If this is available, we ask that this be sent to us. If this is not available, we ask for an explanation of why this is missing. - Who is responsible for processing the various treatments that take place in the penal care? Describe the responsibilities internally in the agency. 3.2 Summary of report from the Norwegian Prison and Probation Service The Norwegian Prison and Probation Service writes in the report that as of today there is no central office overview of processing of personal data in the directorate. The Directorate went to last year purchase of a computer system (DraftIt) to be used to create a central overview. Directorate present a draft based on the work in the system. This treatment protocol contains ten treatment activities. The Directorate writes in the report that they do not consider this to be an adequate overview of processing activities, as required by the privacy regulations. In the report, the directorate emphasizes that many and in some cases very sensitive people are treated personal data in connection with the execution of sentences. It is therefore important that the directorate has a good overview and control. Furthermore, the directorate writes that one has happened strengthening of resource input on ICT security. 4. More about the requirements of the Personal Data Act 4.1 The Data Inspectorate's competence The Norwegian Prison and Probation Service's processing of personal data after Chapter 1A and 1B of the Execution of Sentences Act are still regulated by Act no. 31 of 14 April 2000 on the processing of personal data with associated regulations, cf. regulations on transitional rules on the processing of personal data § 1 a. The Execution of Sentences Act 2 rules apply to the execution of prison sentences, etc., cf. section 1 of the Act. Section 4c of the Execution of Sentences Act exhaustively states the purposes through which this can be achieved processing of personal data in the Prison and Probation Service. The Personal Data Act of 2018 § 20 third paragraph letter a states that the Data Inspectorate's authority pursuant to Article 58 of the Privacy Regulation, the same applies to supervision of compliance with provisions given in the Act here and in regulations issued pursuant to the Act. The Data Inspectorate therefore finds that our competence to impose measures is stated in the Personal Data Act 2018 § 20 third paragraph, cf. the Privacy Ordinance article 58 no. 2. 4.2 Requirements for treatment protocol Pursuant to Article 30 of the Privacy Regulation (and Article 24 of Directive (EU) 2016/680) the person responsible for treatment has a duty to have a treatment protocol. Corresponding duty to have an overview of the treatments that take place in one the person responsible for processing follows from the Personal Data Act 2000 § 14 and associated regulations § 2- 4. Such an overview must be considered necessary in order to have a suitable system for internal control. 4.3 Requirements for internal control Section 14 of the Personal Data Act and Chapter 3 of the Personal Data Regulations provide rules on internal control system. Pursuant to the Personal Data Act § 14 first paragraph, it shall treatment managers «establish and maintain planned and systematic measures that are necessary to meet the requirements of or pursuant to this Act, including ensuring the quality of personal data ». A number of different measures may be relevant in this connection, but a key part of internal control will often be to establish routines to fulfill the duties and the rights under the law. The data controller must document the measures, and the documentation must be available to employees of the data controller and at the data processor, as well as for the Data Inspectorate and the Privacy Board, cf. section 14, second paragraph. In accordance with the regulations § 3-1 first paragraph, the measures shall be adapted to the nature of the business, activities and size, and special emphasis shall be placed on compliance with the requirements information security in the Personal Data Act § 13. The requirements for measures are specified in the regulations § 3-1 second paragraph, which requires that the person responsible for processing, among other things ensure knowledge of current rules and adequate and up-to-date documentation implementation of routines. The third paragraph, letters a to f, provides a non-exhaustive overview of duties and rights the data controller must have routines for, including collection and control of consent, assessment of the purpose of processing and fulfillment of the request for insight and information. 4.4 Location of treatment responsibilities The Execution of Sentences Act § 4e letter c states that the king gives regulations on who is treatment manager. 3In the preparatory work for the Execution of Sentences Act, Chapters 1a and 1b, the Ministry emphasizes that it is especially important to regulate who has the responsibility for treatment. Furthermore, it follows: A key question is who should have the responsibility for treatment in the penal care. Pursuant to section 2 no. 4 of the Personal Data Act, the person responsible for processing is the one who decides the purpose of the processing of personal data and what kind of aid can used. The definition used by the Ministry in the draft § 4b, take nevertheless, as the submission of a new Police Register Act, based on the definition in the Privacy Directive in instead of the corresponding definition in the Personal Data Act. It The person responsible for treatment is after this defined as the one who by law or regulation determines the purpose of the treatment. When it comes to the background and the rationale for this position, one refers to Ot.prp.nr.108 (2008–2009) «On the Act on the processing of information in the police and the prosecuting authority (the Police Register Act) »pages 59-60. When the purpose of the processing is determined by law, as the Ministry submits, the main tasks of the person in charge of treatment will be to look after and relate to ensure that the regulations for the treatment are followed. The treatment manager has for for example, the responsibility for safety and aids, for the treatment to be reported The Norwegian Data Protection Authority, and for the protection of the rights that the data subject has by virtue of the law, cf. Ot.prp.nr.108 (2008–2009) page 60. The Norwegian Data Protection Authority points out that one best takes care of the processing responsibility by placing responsibility in close connection with the treatment itself, and asks the ministry to reconsider its position from the consultation note. The ministry is well on its way to views from the Data Inspectorate and believes that prison tenants and probation tenants should be treatment manager at the local level. But prison care treats personal information at several levels - both centrally, regionally and locally. Such the ministry sees it, should the specific location of the processing responsibility regulated in regulations in the same way as for the police, see below. The question of who is to be responsible for treatment in the penal care system will be considered in more detail when the regulations are to be prepared. 5. The Data Inspectorate's assessment We further assume that the chief executive of the Norwegian Prison and Probation Service has the processing responsibility for the processing of personal data in the agency. The Norwegian Data Protection Authority finds that the Norwegian Prison and Probation Service has not presented a satisfactory report overview of the directorate's processing of personal data. The requirement for an overview of the treatments that are done in a company is fundamental to be able to comply with other obligations under the regulations. The Prison and Probation Service has not provided any justification for the lack of this central overview. 4There is also no documentation or description of the internal responsibilities in agencies. The Directorate has only referred to its general right to delegate responsibilities in the steering line in agencies. This is considered to constitute a deviation from the requirements in the privacy regulations that are reproduced above. As the directorate itself emphasizes in the report, the Prison and Probation Service processes large quantities personal information. Among other things, many sensitive personal data are processed, including special categories of personal data. Through what we have experienced through our treatment of cases concerning the protection of the privacy regulations in the Prison and Probation Service, which reports of breaches of personal data security, guidance requests and complaints from inmates, we believe that there is reason to check the Prison and Probation Service's compliance closer. In order to investigate the Prison and Probation Service's compliance with the privacy regulations, it is necessary for the Norwegian Data Protection Authority to be sent an overview of which treatments of personal information made in the agency, see our notified order no. 1. Furthermore, we find it necessary to receive an overview of how the treatment responsibility is exercised in practice in the agency, see our notified order no. 2. This means that you must send us one overview of where and how responsibility for the processing of personal data, including personal data security requirements, are delegated to the various units and subordinate agencies to The Norwegian Prison and Probation Service. Finally, we also consider it appropriate and relevant to impose Correctional Care submit the overall documented internal control that applies to the agency's processing of personal information. We refer to the requirements that follow from the Personal Data Act § 14, cf. associated regulations chapters 2 and 3. The documentation you submit will form the basis for our assessment of any further control of the agency's compliance with the privacy regulations. 6. Concluding remarks 6.1 Coercive fine We will consider the use of a coercive fine if the orders have not been implemented by the deadline (cf. the Personal Data Act § 29.) 6.2 Opportunity to appeal You can appeal the decision. Any complaint must be sent to us within three weeks after this the letter has been received (cf. the Public Administration Act §§ 28 and 29). If we maintain our decision will we forward the case to the Privacy Board for complaint processing. 6.3 Transparency and publicity You have the right to access the case documents (cf. the Public Administration Act § 18). We will also inform that all documents are in principle public (cf. the Public Access to Information Act § 3.) 5If you believe there are grounds for exempting all or part of the document from public view insight, we ask you to justify this. If you have any questions, you can contact Embla Helle Nerland on telephone number 22 39 69 54. With best regards Camilla Nervik section chief Embla Helle Nerland legal adviser The document is electronically approved and therefore has no handwritten signatures Copy to: THE DIRECTOR OF THE CRIME CARE CENTER, Per Ketil Andersen 6