Datatilsynet (Norway) - 20/03293 (decision 2)

From GDPRhub
Datatilsynet - 20/03293
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law:
Norwegian Execution of Sentences Act Chapter 1A and 1B
Norwegian Personal Data Act of 2000
Norwegian Personal Data Act of 2018
Norwegian Personal Data Act of 2018
Norwegian Regulation on personal data processing §2-7
Norwegian Regulation on personal data processing Chapter III
Type: Investigation
Outcome: Violation Found
Started: 09.11.2021
Decided: 24.06.2022
Published: 07.07.2022
Fine: n/a
Parties: Directorate of Norwegian Correctional Service
National Case Number/Name: 20/03293
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Preliminary inspection report (in NO)
Initial Contributor: Rie Aleksandra Walle

After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA has notified them of an order to sort out and document their controller responsibilities and update internal controls for managing privacy and personal data protection.

English Summary[edit | edit source]

Facts[edit | edit source]

In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a first decision issued in August 2021.

As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.

Holding[edit | edit source]

The DPA found several discrepancies. During the audit, the controller created an instruction to place their responsibilities throughout the whole organization. The DPA, however, noted that not all underlying organizational units shared the same understanding of this.

Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers very few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.

The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.

In conclusion, the DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organization. The controller has until August 2022 to submit any comments before the DPA will make a final decision.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

THE DIRECTOR OF THE CRIMINAL CARE
PO Box 694
4302 SANDNES


Their reference Our reference Date
20 / 03293-53 24.06.2022


Submission of preliminary inspection report and notification of decision - Supervision of
prison care



    1 Introduction
The Danish Data Protection Agency refers to on-site inspections of the probation service on 9 November 2021, 4 April 2022,
April 6, 2022 and April 7, 2022. The inspection was carried out in accordance with

the Personal Data Act 2018 § 20.

The control concerned processing responsibility and internal control. The deviations from the regulations are closer
described in the attached control report. The control report covers the entire audit, from the opening of

letter control for on-site inspections of prisons and probation offices. The report describes
the observations made by the Norwegian Data Protection Authority during the audit, and include information collected
through documents and group interviews. The control report describes the Data Inspectorate

assessments of compliance in penal care. Any objections to the descriptions of
factual matters must be addressed to the Norwegian Data Protection Authority in connection with the response to this notification.

    2. Notice of decision

This is a notice that the Data Inspectorate, pursuant to the Personal Data Act § 20, will take
decision on the following order:

    1. The Norwegian Prison and Probation Service must ensure that clear responsibilities and

        authority, cf. section 2-7 of the Personal Data Regulations. We refer to the report
        Chapter 6.1.
    2. The Norwegian Prison and Probation Service must conduct a review of the internal control system for

        information security, and update this to ensure that the Personal Data Act becomes
        complied with in all sections of the agency, cf. the Personal Data Act 2000 § 14 and
        Chapter 3 of the Personal Data Regulations. We refer to Chapter 6.2 of the report.


The Prison and Probation Service is free to implement measures within the framework of the law. We will ask for one
feedback on the time of implementation of the orders. Furthermore, we will ask for one



Postal address: Office address: Telephone: Org.nr: Homepage:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO, feedback from the prison service on the implementation of the orders, with descriptions. See
more about this in point 4 of the notice.


    3. Legal basis
3.1 Current regulations for the processing of personal data in the penal care system
The Prison and Probation Service's processing of personal data is regulated in several different sets of rules.
Chapter 1A of the Execution of Sentences Act and the Personal Data Act of 2000 regulate

processing of personal data about prisoners, convicts, etc. directly related to
sentencing and custody. The Personal Data Act of 2000 has otherwise been repealed, however
continued for the purpose of execution of sentence in § 1 of the regulations on transitional rules to
the Personal Data Act of 2018. The Ministry of Justice and Emergency Preparedness has notified a new law
based on Directive (EU) 2016/680.


For the processing of personal data in the Infoflyt system, separate rules laid down in apply
Chapter 1B of the Execution of Sentences Act.

All other processing of personal data, including administrative,

administrative and private law purposes, etc., are regulated in KDI's opinion by
the Personal Data Act of 2018, cf. Regulation (EU) 2016/679.

3.2 Regulations to the Execution of Sentences Act, Chapter 1A
When the Execution of Sentences Act was amended in 2009, the legislature proposed further regulations

of processing of personal data should be laid down in regulations. One regulation is given in
pursuant to section 4e of the Execution of Sentences Act.

The preparatory work for the Execution of Sentences Act § 4b states that the responsibility for processing pursuant to this
the provision could be shared between two data controllers. It appears further



         The specific division of tasks must be specified in regulations or
         guidelines. The daily responsibility for treatment - the practical
         implementation - can be delegated.


Regulations on treatment responsibility in the penal care have not been issued by the Ministry.


3.3 Comments on the regulations
Prior to the audit, as well as along the way, references to various documents have appeared
both different and incorrect regulations. Among other things, the Data Inspectorate has observed references to
the Personal Data Act of 2018 for processing that is still regulated by the 2000 Act

and Chapter 1A of the Execution of Sentences Act.




1
2Regulations on transitional rules on the processing of personal data, FOR-2018-06-15-877
 Regulations on the processing of personal data in the penal care, FOR-2013-09-20-1099



                                                                                               2, the Norwegian Data Protection Authority believes that there is reason to assume that a complex and motley set of rules has done so
difficult to understand which rules and laws apply, which has since become significant
compliance.

The Data Inspectorate also believes that a lack of regulatory regulation of the processing responsibility has been given
significance for compliance. The Ministry must bear part of the responsibility for partial deficiencies
compliance with the privacy regulations of the agency. At the same time, it is clear from the preparatory work for

Section 4 b of the Execution of Sentences Act states that the specific division of tasks must be determined in regulations
or guidelines. No regulations or guidelines have been prepared.

During the consultation round for the amendments to the Execution of Sentences Act in 2009 noted
The Norwegian Data Protection Authority states that the term "daily processing responsibility" does not exist in the privacy regulations.
The legal responsibility must be placed. The Danish Data Protection Agency emphasizes that the responsibility cannot be delegated, i
as opposed to the tasks related to compliance with the treatment responsibility, which can be delegated.


If there are no clear instructions for processing personal data in
penal care, it could lead to differential treatment of prisoners' right to privacy.
Compliance with the regulations may differ from unit to unit. It is a
management responsibility to ensure a uniform understanding of the regulations in a composite organization.

    4. Deadline for feedback

If you have any comments on this notice or the attached inspection report, you must
send us a feedback on this. We ask that you send us a suggested date for when
you can close the discrepancies we describe in the control report. The Norwegian Data Protection Authority will take this into account
the proposal when we in our final decision set a deadline for when all deviations must be closed and
the decision implemented.


We ask that you send us deadlines for closing deviations and any comments within 15.
August 2022. If it is documented that deviations have been closed within the deadline for feedback, will
we include this in the assessment when we make the final decision.

    5. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform
that all documents in the case are in principle public, cf. the Public Access to Information Act § 3.

If you have specific comments to the public about the documents, you can make them
these to the Danish Data Protection Agency.

With best regards


Camilla Nervik

section chief
                                                                    Embla Helle Nerland
                                                                    legal adviser

The document is electronically approved and therefore has no handwritten signatures




                                                                                                 3, Copy to: THE MINISTRY OF JUSTICE AND EMERGENCY PREPAREDNESS

Attachments:

Control report from the Norwegian Data Protection Authority, dated 24 June 2022