Datatilsynet (Norway) - 20/03293 (decision 2)
|Datatilsynet - 20/03293|
Norwegian Execution of Sentences Act Chapter 1A and 1B
Norwegian Personal Data Act of 2000
Norwegian Personal Data Act of 2018
Norwegian Personal Data Act of 2018
Norwegian Regulation on personal data processing §2-7
Norwegian Regulation on personal data processing Chapter III
|Parties:||Directorate of Norwegian Correctional Service|
|National Case Number/Name:||20/03293|
|European Case Law Identifier:||n/a|
|Original Language(s):||Norwegian |
|Original Source:||Datatilsynet (in NO) |
Final inspection report (in NO)
|Initial Contributor:||Rie Aleksandra Walle|
After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organisation.
English Summary[edit | edit source]
Facts[edit | edit source]
In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a first decision issued in August 2021.
As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.
During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere.
Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.
The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.
Holding[edit | edit source]
The DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organisation.
The controller must comply with the order within six months. If they fail to do so (with the deadline set to 9 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.
Comment[edit | edit source]
The daily penalty is an option under the Norwegian Personal Data Act § 29.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
DIRECTORATE OF CRIMINAL CARE PO Box 694 4302 SANDNES Your reference Our reference Date 201819876 20/03293-62 19.10.2022 Submission of final inspection report and decision on order We refer to local supervision of the correctional service and subsequent correspondence. In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at The Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike prison, Bredtveit prison and detention center and Oslo probation office). The control was carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art. 58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority The Danish Data Protection Authority is particularly focused on the processing of personal data when carrying out penalty. Proceedings The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter by 24 June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders in pursuant to § 20 of the Personal Data Act: 1. The Directorate of Correctional Services must ensure that clear responsibilities and authority relations, cf. the personal data regulations § 2-7. We refer to the report chapter 6.1. 2. The Directorate of Correctional Services must carry out a review of the internal control system for information security, and update this to ensure that the Personal Data Act becomes complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and chapter 3 of the personal data regulations. We refer to the report's chapter 6.2. Deadline for making comments on the preliminary inspection report and the notice of decision was set for 22 August 2022. KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the preliminary report. KDI's assessment is that the report contains some smaller ones mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. The Postal address: Office address: Telephone: Org. no: Website: PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLO It appears to KDI that the report provides a correct overall description of the challenges that have have been identified during the supervision period. KDI states that in future they will complete the work of updating and preparing them formal instructions to the correctional service which are necessary to be able to document clear responsibilities and internal control. At the same time, KDI requests that a deadline of six be set months to carry out orders as notified. It has been shown that it will take some time to secure one joint and comprehensive understanding of responsibilities and the safeguarding of the internal control over this area throughout the organization. KDI believes this is best done by them - in addition to designing formal guidelines - give these topics the necessary space at management meetings, subject meetings and seminars in the future. In this way, training will be provided, questions will be clarified and KDI will could ensure an agreed understanding and practice. Regulations The Probation Service's processing of personal data is regulated by various sets of rules. The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate processing of personal data on inmates, convicts, etc. related to the execution of sentences and custody. The Personal Data Act of 2000 has otherwise been repealed, but continued for criminal enforcement purposes in regulations on transition rules to the Personal Data Act of 2018(FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree no. 15 June 2018 pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 other joint. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on 1 directive (EU) 2016/680 . It follows from Section 4c of the Execution of Sentences Act that the correctional service can process personal data that is necessary for the following purposes: a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act, b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large, c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting adaptation of inmates and convicts to society, d. ensure children's right to visit their parents under safe and secure conditions, e. notify the aggrieved party or his next of kin, cf. § 7 b, f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14. For the processing of personal data in the Infoflyt system, special rules set out in Criminal Procedure Act chapter 1B in addition to the Personal Data Act of 2000, cf. regulation on transition rules to the Personal Data Act of 2018 § 1 letter a. 1Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing personal data to prevent, investigate, uncover or prosecute offenses or the execution of penal reactions, and on the free exchange of such information and repeal of the council's framework decision 2008/977/JIS 2Other processing of personal data, including for administrative, administrative purposes and private law purposes, the Personal Data Act of 2018 and the EU's apply privacy regulation, which has been implemented in Norwegian law through § 1 of the Personal Information Act. The Danish Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has done so it is difficult to understand which rules apply, and that this has had an impact on the agency compliance with the privacy rules. The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant for compliance. In the preparations for the amendments to the Penal Enforcement Act, it has been added reason that processing responsibility can be shared between two processors. This was considered to be practical for central systems, such as Kompis. At the same time it was stated that the specific distribution of tasks must be determined in regulations or guidelines. However, it is no regulations or guidelines have been drawn up in this regard. Without clear instructions for the processing of personal data in the correctional service, will compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize that it is a management responsibility to ensure uniform understanding of the regulations in a complex organization. Final inspection report The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report. The report is therefore finalized without changes. The final inspection report is attached. Decision on orders Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order: 1. The Directorate of Correctional Services must ensure that clear responsibilities and authority relations, cf. the personal data regulations § 2-7. We refer to the control report's chapter 6.1. 2. The Directorate of Correctional Services must carry out a review of the internal control system for information security, and update this to ensure that the Personal Data Act becomes complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2. Deadline for implementation On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to carry out orders as mentioned above. The deadline for carrying out the orders is therefore set to 19. April 2023. By this deadline, you must send us a written confirmation that the orders are carried out. If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf. Section 29 of the Personal Data Act. 2 Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of personal data in correctional facilities, access to pardon cases, etc.). 3 Access to complaints The decision can be appealed. Any complaint must be sent to us within three weeks of this the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision will the case will be forwarded to the Personal Protection Board for complaint processing. Party transparency and publicity As a party to the case, you have the right to access the case's documents in accordance with the provisions of Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents in the starting point is public, cf. section 3 of the Public Information Act. If there are questions related to the decision, you can contact the case manager by telephone 22 39 69 80 or email (email@example.com). With best regards Camilla Nervik section manager Maren Vaagan senior legal advisor The document is electronically approved and therefore has no handwritten signatures Appendix: Final control report