Datatilsynet (Norway) - 20/03293 (decision 2): Difference between revisions
From GDPRhub
(Update after final decision was issued) |
|||
| Line 79: | Line 79: | ||
}} | }} | ||
After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA has | After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA has ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organization. | ||
== English Summary == | == English Summary == | ||
| Line 88: | Line 88: | ||
As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization. | As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization. | ||
During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere. | |||
Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers | Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization. | ||
The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing. | The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing. | ||
=== Holding === | |||
The DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organization. | |||
The controller must comply with the order within six months. If they fail to do so (within the deadline 19 April 2023), the DPA will consider a daily penalty until the order has been complied with in full. | |||
== Comment == | == Comment == | ||
The daily penalty is an option under the Norwegian Personal Data Act § 29. | |||
== Further Resources == | == Further Resources == | ||
| Line 107: | Line 109: | ||
<pre> | <pre> | ||
DIRECTORATE OF CRIMINAL CARE | |||
PO Box 694 | PO Box 694 | ||
4302 SANDNES | 4302 SANDNES | ||
Your reference Our reference Date | |||
20 / 03293- | 201819876 20/03293-62 19.10.2022 | ||
Submission of | Submission of final inspection report and decision on order | ||
We refer to local supervision of the correctional service and subsequent correspondence. | |||
In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at | |||
The Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike | |||
prison, Bredtveit prison and detention center and Oslo probation office). The control was | |||
the Personal Data Act 2018 § 20. | carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art. | ||
58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority | |||
The Danish Data Protection Authority is particularly focused on the processing of personal data when carrying out | |||
penalty. | |||
Proceedings | |||
The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter by | |||
24 June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders in | |||
pursuant to § 20 of the Personal Data Act: | |||
1. The Directorate of Correctional Services must ensure that clear responsibilities and | |||
authority relations, cf. the personal data regulations § 2-7. We refer to the report | |||
chapter 6.1. | |||
2. The Directorate of Correctional Services must carry out a review of the internal control system for | |||
information security, and update this to ensure that the Personal Data Act becomes | |||
complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and | |||
chapter 3 of the personal data regulations. We refer to the report's chapter 6.2. | |||
Deadline for making comments on the preliminary inspection report and the notice of decision | |||
was set for 22 August 2022. | |||
KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the | |||
preliminary report. KDI's assessment is that the report contains some smaller ones | |||
mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. The | |||
Postal address: Office address: Telephone: Org. | Postal address: Office address: Telephone: Org. no: Website: | ||
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 | PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 | ||
0105 OSLO 0191 OSLO | 0105 OSLO 0191 OSLO It appears to KDI that the report provides a correct overall description of the challenges that have | ||
have been identified during the supervision period. | |||
KDI states that in future they will complete the work of updating and preparing them | |||
formal instructions to the correctional service which are necessary to be able to document clear | |||
responsibilities and internal control. At the same time, KDI requests that a deadline of six be set | |||
months to carry out orders as notified. It has been shown that it will take some time to secure one | |||
joint and comprehensive understanding of responsibilities and the safeguarding of the internal control over this | |||
the | area throughout the organization. KDI believes this is best done by them - in addition to designing | ||
formal guidelines - give these topics the necessary space at management meetings, subject meetings and | |||
seminars in the future. In this way, training will be provided, questions will be clarified and KDI will | |||
could ensure an agreed understanding and practice. | |||
Regulations | |||
The Probation Service's processing of personal data is regulated by various sets of rules. | |||
The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate | |||
processing of personal data on inmates, convicts, etc. related to the execution of sentences | |||
and custody. The Personal Data Act of 2000 has otherwise been repealed, but continued for | |||
criminal enforcement purposes in regulations on transition rules to the Personal Data Act of | |||
2018(FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree no. 15 June 2018 | |||
pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 other | |||
joint. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on | |||
1 | |||
directive (EU) 2016/680 . | |||
of | It follows from Section 4c of the Execution of Sentences Act that the correctional service can process | ||
personal data that is necessary for the following purposes: | |||
a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act, | |||
b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large, | |||
c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to | |||
counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting | |||
adaptation of inmates and convicts to society, | |||
d. ensure children's right to visit their parents under safe and secure conditions, | |||
e. notify the aggrieved party or his next of kin, cf. § 7 b, | |||
f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14. | |||
For the processing of personal data in the Infoflyt system, special rules set out in | |||
Criminal Procedure Act chapter 1B in addition to the Personal Data Act of 2000, cf. | |||
regulation on transition rules to the Personal Data Act of 2018 § 1 letter a. | |||
and | 1Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing | ||
personal data to prevent, investigate, uncover or prosecute offenses or the execution of | |||
penal reactions, and on the free exchange of such information and repeal of the council's framework decision | |||
2008/977/JIS | |||
2Other processing of personal data, including for administrative, administrative purposes | |||
and private law purposes, the Personal Data Act of 2018 and the EU's apply | |||
privacy regulation, which has been implemented in Norwegian law through § 1 of the Personal Information Act. | |||
The Danish Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has done so | |||
it is difficult to understand which rules apply, and that this has had an impact on the agency | |||
compliance with the privacy rules. | |||
The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant | |||
for compliance. In the preparations for the amendments to the Penal Enforcement Act, it has been added | |||
reason that processing responsibility can be shared between two processors. This was considered to | |||
be practical for central systems, such as Kompis. At the same time it was stated that | |||
the specific distribution of tasks must be determined in regulations or guidelines. However, it is | |||
no regulations or guidelines have been drawn up in this regard. | |||
Without clear instructions for the processing of personal data in the correctional service, will | |||
The Norwegian Data Protection Authority | compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize | ||
that it is a management responsibility to ensure uniform understanding of the regulations in a complex | |||
organization. | |||
Final inspection report | |||
The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report. | |||
The report is therefore finalized without changes. The final inspection report is attached. | |||
Decision on orders | |||
Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order: | |||
1. The Directorate of Correctional Services must ensure that clear responsibilities and | |||
authority relations, cf. the personal data regulations § 2-7. We refer to | |||
the control report's chapter 6.1. | |||
2. The Directorate of Correctional Services must carry out a review of the internal control system for | |||
information security, and update this to ensure that the Personal Data Act becomes | |||
complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and | |||
chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2. | |||
Deadline for implementation | |||
On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to | |||
carry out orders as mentioned above. The deadline for carrying out the orders is therefore set to 19. | |||
April 2023. By this deadline, you must send us a written confirmation that the orders are | |||
carried out. | |||
If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf. | |||
Section 29 of the Personal Data Act. | |||
2 | |||
Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of | |||
personal data in correctional facilities, access to pardon cases, etc.). | |||
3 Access to complaints | |||
The decision can be appealed. Any complaint must be sent to us within three weeks of this | |||
the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision will | |||
the case will be forwarded to the Personal Protection Board for complaint processing. | |||
Party transparency and publicity | |||
As a party to the case, you have the right to access the case's documents in accordance with the provisions of | |||
Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents in | |||
the starting point is public, cf. section 3 of the Public Information Act. | |||
If there are questions related to the decision, you can contact the case manager by telephone | |||
22 39 69 80 or email (maren.vaagan@datatilsynet.no). | |||
With best regards | |||
Camilla Nervik | |||
section manager | |||
Maren Vaagan | |||
senior legal advisor | |||
The document is electronically approved and therefore has no handwritten signatures | |||
Appendix: Final control report | |||
</pre> | </pre> | ||
Revision as of 05:54, 2 November 2022
| Datatilsynet - 20/03293 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Norwegian Execution of Sentences Act Chapter 1A and 1B Norwegian Personal Data Act of 2000 Norwegian Personal Data Act of 2018 Norwegian Personal Data Act of 2018 Norwegian Regulation on personal data processing §2-7 Norwegian Regulation on personal data processing Chapter III |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 09.11.2021 |
| Decided: | 24.06.2022 |
| Published: | 07.07.2022 |
| Fine: | n/a |
| Parties: | Directorate of Norwegian Correctional Service |
| National Case Number/Name: | 20/03293 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian Norwegian |
| Original Source: | Datatilsynet (in NO) Preliminary inspection report (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
After auditing the Norwegian Directorate of Correctional Service for 1,5 years, the DPA has ordered it to sort out and document its controller responsibilities and update internal controls for managing privacy and personal data protection throughout the organization.
English Summary
Facts
In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a first decision issued in August 2021.
As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization.
During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere.
Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization.
The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data related to sentencing.
Holding
The DPA held that controller must sort out and document the responsibilities related to their role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organization.
The controller must comply with the order within six months. If they fail to do so (within the deadline 19 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.
Comment
The daily penalty is an option under the Norwegian Personal Data Act § 29.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
DIRECTORATE OF CRIMINAL CARE
PO Box 694
4302 SANDNES
Your reference Our reference Date
201819876 20/03293-62 19.10.2022
Submission of final inspection report and decision on order
We refer to local supervision of the correctional service and subsequent correspondence.
In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at
The Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike
prison, Bredtveit prison and detention center and Oslo probation office). The control was
carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art.
58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority
The Danish Data Protection Authority is particularly focused on the processing of personal data when carrying out
penalty.
Proceedings
The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter by
24 June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders in
pursuant to § 20 of the Personal Data Act:
1. The Directorate of Correctional Services must ensure that clear responsibilities and
authority relations, cf. the personal data regulations § 2-7. We refer to the report
chapter 6.1.
2. The Directorate of Correctional Services must carry out a review of the internal control system for
information security, and update this to ensure that the Personal Data Act becomes
complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
chapter 3 of the personal data regulations. We refer to the report's chapter 6.2.
Deadline for making comments on the preliminary inspection report and the notice of decision
was set for 22 August 2022.
KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the
preliminary report. KDI's assessment is that the report contains some smaller ones
mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. The
Postal address: Office address: Telephone: Org. no: Website:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO It appears to KDI that the report provides a correct overall description of the challenges that have
have been identified during the supervision period.
KDI states that in future they will complete the work of updating and preparing them
formal instructions to the correctional service which are necessary to be able to document clear
responsibilities and internal control. At the same time, KDI requests that a deadline of six be set
months to carry out orders as notified. It has been shown that it will take some time to secure one
joint and comprehensive understanding of responsibilities and the safeguarding of the internal control over this
area throughout the organization. KDI believes this is best done by them - in addition to designing
formal guidelines - give these topics the necessary space at management meetings, subject meetings and
seminars in the future. In this way, training will be provided, questions will be clarified and KDI will
could ensure an agreed understanding and practice.
Regulations
The Probation Service's processing of personal data is regulated by various sets of rules.
The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate
processing of personal data on inmates, convicts, etc. related to the execution of sentences
and custody. The Personal Data Act of 2000 has otherwise been repealed, but continued for
criminal enforcement purposes in regulations on transition rules to the Personal Data Act of
2018(FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree no. 15 June 2018
pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 other
joint. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on
1
directive (EU) 2016/680 .
It follows from Section 4c of the Execution of Sentences Act that the correctional service can process
personal data that is necessary for the following purposes:
a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act,
b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large,
c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to
counteract new crime, including creating the right conditions for services from other agencies with the aim of promoting
adaptation of inmates and convicts to society,
d. ensure children's right to visit their parents under safe and secure conditions,
e. notify the aggrieved party or his next of kin, cf. § 7 b,
f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14.
For the processing of personal data in the Infoflyt system, special rules set out in
Criminal Procedure Act chapter 1B in addition to the Personal Data Act of 2000, cf.
regulation on transition rules to the Personal Data Act of 2018 § 1 letter a.
1Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing
personal data to prevent, investigate, uncover or prosecute offenses or the execution of
penal reactions, and on the free exchange of such information and repeal of the council's framework decision
2008/977/JIS
2Other processing of personal data, including for administrative, administrative purposes
and private law purposes, the Personal Data Act of 2018 and the EU's apply
privacy regulation, which has been implemented in Norwegian law through § 1 of the Personal Information Act.
The Danish Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has done so
it is difficult to understand which rules apply, and that this has had an impact on the agency
compliance with the privacy rules.
The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant
for compliance. In the preparations for the amendments to the Penal Enforcement Act, it has been added
reason that processing responsibility can be shared between two processors. This was considered to
be practical for central systems, such as Kompis. At the same time it was stated that
the specific distribution of tasks must be determined in regulations or guidelines. However, it is
no regulations or guidelines have been drawn up in this regard.
Without clear instructions for the processing of personal data in the correctional service, will
compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize
that it is a management responsibility to ensure uniform understanding of the regulations in a complex
organization.
Final inspection report
The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report.
The report is therefore finalized without changes. The final inspection report is attached.
Decision on orders
Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order:
1. The Directorate of Correctional Services must ensure that clear responsibilities and
authority relations, cf. the personal data regulations § 2-7. We refer to
the control report's chapter 6.1.
2. The Directorate of Correctional Services must carry out a review of the internal control system for
information security, and update this to ensure that the Personal Data Act becomes
complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and
chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2.
Deadline for implementation
On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to
carry out orders as mentioned above. The deadline for carrying out the orders is therefore set to 19.
April 2023. By this deadline, you must send us a written confirmation that the orders are
carried out.
If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf.
Section 29 of the Personal Data Act.
2
Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of
personal data in correctional facilities, access to pardon cases, etc.).
3 Access to complaints
The decision can be appealed. Any complaint must be sent to us within three weeks of this
the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision will
the case will be forwarded to the Personal Protection Board for complaint processing.
Party transparency and publicity
As a party to the case, you have the right to access the case's documents in accordance with the provisions of
Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents in
the starting point is public, cf. section 3 of the Public Information Act.
If there are questions related to the decision, you can contact the case manager by telephone
22 39 69 80 or email (maren.vaagan@datatilsynet.no).
With best regards
Camilla Nervik
section manager
Maren Vaagan
senior legal advisor
The document is electronically approved and therefore has no handwritten signatures
Appendix: Final control report
