Datatilsynet (Norway) - 20/03293 (decision 2)

From GDPRhub
Revision as of 14:32, 8 November 2022 by Kk (just small linguistic changes to British English (organisation instead of organization))
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law:
Norwegian Execution of Sentences Act Chapter 1A and 1B
Norwegian Personal Data Act of 2000
Norwegian Personal Data Act of 2018
Norwegian Regulation on personal data processing §2-7
Norwegian Regulation on personal data processing Chapter III
Type: Investigation
Outcome: Violation Found
Started: 09.11.2021
Decided: 19.10.2022
Published: 01.11.2022
Fine: n/a
Parties: Directorate of Norwegian Correctional Service
National Case Number/Name: 20/03293
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Final inspection report (in NO)
Initial Contributor: Rie Aleksandra Walle

After auditing the Norwegian Directorate of Correctional Service for 1.5 years, the DPA ordered it to sort out and document its controller responsibilities and to update its internal controls for managing privacy and personal data protection throughout the organisation.

English Summary

Facts

In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding its processing of personal data. The DPA first requested an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the internal roles and responsibilities. This led to a first decision issued in August 2021.

As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) and concerned the controller's responsibilities as controller and its internal controls for managing privacy and personal data protection in the organisation.

During the audit, the controller issued an instruction placing the controller responsibilities for the whole organisation, including the underlying agencies, with the Directorate itself. However, after the DPA inspected the underlying agencies, it concluded that the instruction had not been fully implemented everywhere.

Further, the DPA found that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of a lack of training and of a personal data security culture in the organisation.

The DPA also stated that complex and confusing regulations might have led to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with its corresponding regulations, for that purpose. In 2018 the legislator announced a new law for the processing of inmates' personal data related to sentencing.

Holding

The DPA held that the controller must sort out and document the responsibilities related to its role as controller, as well as review and update the internal control system for managing privacy and personal data protection in the organisation.

The controller must comply with the order within six months. If they fail to do so (with the deadline set to 9 April 2023), the DPA will consider a daily penalty until the order has been complied with in full.

Comment

The daily penalty is an option under the Norwegian Personal Data Act § 29.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

DIRECTORATE OF CORRECTIONAL SERVICES
PO Box 694
4302 SANDNES


Your reference: 201819876
Our reference: 20/03293-62
Date: 19.10.2022


Submission of final inspection report and decision on order

We refer to local supervision of the correctional service and subsequent correspondence.


In the period November 2021 - April 2022, the Norwegian Data Protection Authority carried out local inspections at the Directorate of Correctional Services and three subordinate units (department Ullersmo at Romerike prison, Bredtveit prison and detention center and Oslo probation office). The control was carried out in accordance with the Personal Data Act 2018 § 20 and the Personal Protection Ordinance art. 58 no. 1. The subject of the inspection was processing responsibility and internal control. In the supervisory authority, the Norwegian Data Protection Authority is particularly focused on the processing of personal data when carrying out penalties.


Proceedings

The preliminary control report was sent to the Directorate of Correctional Services (KDI) in our letter of 24 June 2022. In the same letter, it was notified that the Norwegian Data Protection Authority would make a decision on orders pursuant to § 20 of the Personal Data Act:

1. The Directorate of Correctional Services must ensure clear responsibilities and authority relations, cf. the personal data regulations § 2-7. We refer to the report's chapter 6.1.
2. The Directorate of Correctional Services must carry out a review of the internal control system for information security, and update this to ensure that the Personal Data Act is complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and chapter 3 of the personal data regulations. We refer to the report's chapter 6.2.


The deadline for making comments on the preliminary inspection report and the notice of decision was set for 22 August 2022.


KDI states in a letter of 22 August 2022 that the directorate and the three units have reviewed the preliminary report. KDI's assessment is that the report contains some smaller mistakes/misunderstandings, but that they do not see it as appropriate to submit comments on this. It appears to KDI that the report provides a correct overall description of the challenges that have been identified during the supervision period.

KDI states that in future they will complete the work of updating and preparing the formal instructions to the correctional service which are necessary to be able to document clear responsibilities and internal control. At the same time, KDI requests that a deadline of six months be set to carry out the orders as notified. It has been shown that it will take some time to secure a joint and comprehensive understanding of responsibilities and the safeguarding of the internal control in this area throughout the organization. KDI believes this is best done by them - in addition to designing formal guidelines - giving these topics the necessary space at management meetings, subject meetings and seminars in the future. In this way, training will be provided, questions will be clarified and KDI will be able to ensure an agreed understanding and practice.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org. no: 974 761 467. Website: www.datatilsynet.no

Regulations

The Probation Service's processing of personal data is regulated by various sets of rules.

The Criminal Enforcement Act chapter 1A and the Personal Data Act of 2000 regulate the processing of personal data on inmates, convicts, etc. related to the execution of sentences and custody. The Personal Data Act of 2000 has otherwise been repealed, but is continued for criminal enforcement purposes in the regulations on transition rules to the Personal Data Act of 2018 (FOR-2018-06-15-877) § 1 letter a. The regulations are laid down by royal decree of 15 June 2018 pursuant to Act 15 June 2018 no. 38 on the processing of personal data § 33 second paragraph. At the same time, the Ministry of Justice and Emergency Preparedness has notified new legislation based on directive (EU) 2016/680.[1]

It follows from Section 4c of the Execution of Sentences Act that the correctional service can process personal data that is necessary for the following purposes:

a. plan, administer and implement reactions and coercive measures in accordance with Section 1 of the Enforcement of Penalties Act,
b. maintain peace and order and safeguard the safety of employees, inmates, convicts and society at large,
c. ensure satisfactory conditions for inmates and convicts during the implementation and offer them content that will contribute to counteracting new crime, including creating the right conditions for services from other agencies with the aim of promoting the adaptation of inmates and convicts to society,
d. ensure children's right to visit their parents under safe and secure conditions,
e. notify the aggrieved party or his next of kin, cf. § 7 b,
f. carry out personal investigations, cf. the Criminal Procedure Act chapter 14.

For the processing of personal data in the Infoflyt system, special rules set out in the Criminal Procedure Act chapter 1B apply in addition to the Personal Data Act of 2000, cf. the regulation on transition rules to the Personal Data Act of 2018 § 1 letter a.





[1] Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons when processing personal data to prevent, investigate, uncover or prosecute offenses or the execution of penal reactions, and on the free exchange of such information and repeal of the council's framework decision 2008/977/JIS



For other processing of personal data, including for administrative and private law purposes, the Personal Data Act of 2018 and the EU's privacy regulation apply, the latter having been implemented in Norwegian law through § 1 of the Personal Information Act.


The Norwegian Data Protection Authority believes that there is reason to assume that a complex and fragmented set of regulations has made it difficult to understand which rules apply, and that this has had an impact on the agency's compliance with the privacy rules.

The Norwegian Data Protection Authority further believes that the lack of regulation of processing responsibility has been significant for compliance. In the preparations for the amendments to the Penal Enforcement Act, it was assumed that processing responsibility can be shared between two processors. This was considered to be practical for central systems, such as Kompis. At the same time it was stated that the specific distribution of tasks must be determined in regulations or guidelines. However, no regulations or guidelines have been drawn up in this regard.


Without clear instructions for the processing of personal data in the correctional service, compliance with the regulations may vary from unit to unit. The Norwegian Data Protection Authority will emphasize that it is a management responsibility to ensure a uniform understanding of the regulations in a complex organization.

Final inspection report

The Norwegian Data Protection Authority takes it to mean that KDI has no comments on the preliminary inspection report.
The report is therefore finalized without changes. The final inspection report is attached.

Decision on orders

Pursuant to the Personal Data Act § 20, the Norwegian Data Protection Authority decides on the following order:

1. The Directorate of Correctional Services must ensure clear responsibilities and authority relations, cf. the personal data regulations § 2-7. We refer to the control report's chapter 6.1.
2. The Directorate of Correctional Services must carry out a review of the internal control system for information security, and update this to ensure that the Personal Data Act is complied with at all levels of the agency, cf. the Personal Data Act 2000 § 14 and chapter 3 of the personal data regulations. We refer to the control report's chapter 6.2.

Deadline for implementation

On the basis of KDI's request, the Norwegian Data Protection Authority decides to set a deadline of six months to carry out the orders as mentioned above. The deadline for carrying out the orders is therefore set to 19 April 2023. By this deadline, you must send us a written confirmation that the orders are carried out.

If the orders are not carried out within the deadline, we will consider the use of compulsory fines, cf. Section 29 of the Personal Data Act.

[2] Prop. L (2009-2010) Amendments to the Administration Act and the Execution of Sentences Act (treatment of personal data in correctional facilities, access to pardon cases, etc.).


Access to complaints

The decision can be appealed. Any complaint must be sent to us within three weeks of receiving this letter, cf. the Public Administration Act §§ 28 and 29. If we maintain our decision, the case will be forwarded to the Personal Protection Board for complaint processing.

Party transparency and publicity

As a party to the case, you have the right to access the case's documents in accordance with the provisions of the Administration Act §§ 18 et seq. We also draw attention to the fact that the case's documents are, as a starting point, public, cf. section 3 of the Public Information Act.

If there are questions related to the decision, you can contact the case manager by telephone 22 39 69 80 or email (maren.vaagan@datatilsynet.no).



With best regards

Camilla Nervik
section manager

Maren Vaagan
senior legal advisor

The document is electronically approved and therefore has no handwritten signatures.

Appendix: Final control report