Datatilsynet (Norway) - 18/02579: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |Datatilsynet - 2019-31-1424 |- | colspan="2" style="padding: 20px;" |File:Datatilsyne...")
 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |Datatilsynet - 2019-31-1424
! colspan="2" |Datatilsynet - 18/34319
|-
|-
| colspan="2" style="padding: 20px;" |[[File:DatatilsynetlogoNorwaypng.png|center|250px]]
| colspan="2" style="padding: 20px;" |[[File:DatatilsynetlogoNorwaypng.png|center|250px]]
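Review bot: the infobox header now reads 18/34319 (and the National Case Number row below gives 18/34319-1), while the page title still says 18/02579; one of the two identifiers is wrong and the title should be reconciled with the decision linked in the Original Source row before the mismatch propagates to pages that link here.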
Line 16: Line 16:
[[Category:Article 5(2) GDPR]]
[[Category:Article 5(2) GDPR]]


[[Article 32 GDPR#1d|Article 32(1)(d) GDPR]] [[Category:Article 32(1)(d) GDPR]]
[[Article 32 GDPR#1b|Article 32(1)(b) GDPR]]
[[Category:Article 32(1)(b) GDPR]]
 
[[Article 32 GDPR#1d|Article 32(1)(d) GDPR]]
[[Category:Article 32(1)(d) GDPR]]
|-
|-
|Type:||n/a
|Type:||n/a
Line 24: Line 28:
|Decided:||11.10.2019
|Decided:||11.10.2019
|-
|-
|Published:|| 1.12.2019
|Published:||1.12.2019
[[Category:2019]]
[[Category:2019]]
|-
|-
|Fine:|| 120.000 EUR
|Fine:||120.000 EUR
|-
|-
|Parties:|| Skolemelding Vs. n/a
|Parties:||Education Agency for Oslo municipality
|-
|-
|National Case Number:||18/34319-1
|National Case Number:||18/34319-1
Line 40: Line 44:
[[Category:Norwegian]]
[[Category:Norwegian]]
|-
|-
|Original Source:||[ https://www.datatilsynet.no/contentassets/ae65e212c134455c93f36a10c5a8c792/vedtak-oslo-kommune-oktober2019.pdf(in NO)]
|Original Source:||[https://www.datatilsynet.no/contentassets/ae65e212c134455c93f36a10c5a8c792/vedtak-oslo-kommune-oktober2019.pdf Datatilsynet (in NO)] and [https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2019/gebyr-til-oslo-kommune-utdanningsetaten/ press release source (in NO)]
|}
|}


The Datatilsynet found that a pension company restricted data subject’s right of access under Article 15 GDPR.  
A fine of 1,200,000 NOK (approximately EUR 120,000) was imposed against the Education Agency of the Municipality of Oslo due to breach of personal data security in the mobile application “Skolemelding”. The fine was issued due to the application's lack of security and subsequent violations of [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#1d|Article 32(1)(d) GDPR]] and of the principle of accountability as foreseen in [[Article 5 GDPR#2|Article 5(2) GDPR]] read in conjunction with [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].
 
==English Summary==
==English Summary==


===Facts===
===Facts===
A citizen complained that his pension company refused to give him access to his medical consultant’s assessment. Thus, the complainant filed a complaint with the Datatilsynet. Before the Datatilsynet, the pension company claimed that  such documents are considered internal and they are not shared with the clients, according to its privacy policy.  
The case concerned vulnerabilities in the  mobile app “Skolemelding”. In the application, pupils and guardians can communicate with teachers and administration at the school. There was a security issue with the application, where unauthorized users could access the application as authorized users and thus gaining access to the personal data of students. More than 63 000 pupils        were included in the data breach. In the application it was also possible to register special categories of data concerning the pupil in a “free-text” format, for example when sending the school information about why the pupil was too sick to attend school.  


===Dispute===
===Dispute===
Could a data controller limit the access right to personal data because these personal data are include in a internal document?
On which legal basis the Datatilsynet can impose a fine for a lack of security?


===Holding===
===Holding===
The Datatilsynet found that the company could not restrict the right of access to certain categories of personal data. Thus, it violated Article 15 GDPR. The Datatilsynet issued an injunction and ordered the company, as foreseen under 58(2)(c) GDPR, to carry out a concrete assessment on whether data subjects shall access personal data included in the medical consultants’ assessments.
The fine was issued on the basis of a lack of security surrounding the log-in function, a breach of Article 32(1)(b). In addition, the application was launched without proper security testing, and included security flaws well known to the security community, a breach of Article 32(1)(d). Finally, launching the application with an unacceptable vulnerability, which the municipality did not conduct proper steps to close, and a lack of control with the supplier (CGI) regarding the results of the security testing, was a breach of the principle of accountability following Article 5(2) in conjunction with Article 5(1)(f). 
 
The issued fine was 1 200 000 NOK (approximately 120 000 euro), which was lower than the initially suggested fine of 2 000 000 NOK (approximately 200 000 euro). The fine was lowered in part due to the quick action by the municipality to address the flaws and secure the personal data, and in part due to cooperation with the Data Protection Authority, showing a will to fix the security flaws.
 
The municipality did not contest the evaluation by the Data Protection Authority regarding the scope of the security breach.


==Comment==
==Comment==
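Review bot: the new Facts paragraph has a tense slip and stray whitespace: "unauthorized users could access the application as authorized users and thus gaining access" should read "and thus gained access", and "63 000 pupils        were" has a run of spaces to collapse. In the Dispute line, "On which legal basis the Datatilsynet can impose a fine for a lack of security?" should be "On which legal basis can the Datatilsynet impose a fine for a lack of security?". The Holding cites Article 32(1)(b), 32(1)(d), 5(2) and 5(1)(f) as plain text while the lead paragraph links them in the [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] style; linking them in the Holding as well keeps the page consistent.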
Line 63: Line 72:
==English Machine Translation of the Decision==
==English Machine Translation of the Decision==


The decision below is a machine translation of the original. Please refer to the Danish original for more details.
The decision below is a machine translation of the original. Please refer to the Norwegian original for more details.


<pre>
<pre>
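Review bot: the change from "Danish original" to "Norwegian original" is not matched by the text that follows: the machine-translation block still reproduces the Danish Data Protection Agency's press release and decision on JØP (journal number 2019-31-1424, the identifier this revision removes from the infobox header), not the Norwegian decision on the Education Agency of Oslo municipality linked in the Original Source row. Either replace the block with a translation of the linked Norwegian decision or press release, or state plainly that it does not belong to this case.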
 
The text of the PDF decision cannot be copied and pasted. You can find the translation of the press release provided by the Datatilsynet here.
Insight into medical consultant reviews
Published 18-11-2019
Decision. Private companies.

The Danish Data Protection Agency has decided on a case in which a citizen complained that his pension company refused to give him insight into a medical consultant assessment that was prepared in connection with his case. In the case, the Danish Data Protection Agency found it necessary to issue serious criticism and to issue an injunction to the pension company.
 
Journal number: 2019-31-1424

Summary

The Danish Data Protection Agency has decided in a case in which a citizen complained that his pension company, the Jurists and Economists' Pension Fund (JØP), refused to give him access to a medical consultant's assessment.
 
In the case in question, JØP had refused to provide insights into the medical consultant's assessment in question, i.a. because it is a firm business practice for the company to obtain assessments from medical consultants to use the company's internal handling of the cases, and it is a common practice that these assessments are not shared with the clients as these are internal documents.
 
In its decision, the Data Inspectorate laid down, inter alia, emphasis is that, as a general rule, insight should be given to personal data and that a concrete assessment must always be made as to whether insight can be refused according to the exception rules. Therefore, JØP could not - as was the case in this case - generally cut off certain types of information from the right of access.
 
In the opinion of the Danish Data Protection Agency, JØP had not acted in accordance with Article 15 of the Data Protection Regulation on the right of access, which caused the Authority to give serious criticism.
 
Against this background, the Danish Data Protection Agency issued an injunction to make a concrete assessment of whether complaints can be given insight into personal data on complaints contained in the medical consultant assessment.
Decision

The Danish Data Protection Agency hereby returns to the case where on February 4, 2019, the Complaints complained to the Supervisor of a reply from the Jurisprudence and Economists' Pension Fund (hereafter JØP) of his request for insight under the Data Protection Regulation.
 
The Data Inspectorate has understood the complainant's request as a complaint about JØP's refusal of access to documents prepared by JØP's medical consultant and correspondence between JØP and the medical consultant, which was entered into the case regarding the grant of disability pension to the complainant.
 
The matter was discussed at a meeting of the Data Council.
1. Mandatory
 
It is DPA's opinion that JØP has not acted in accordance with the Data Protection Regulation [1] Article 15
 
Data Protection Agency is therefore reason to express severe criticism that JØP have not dealt with the complainant's request for access in accordance with Article 15
 
Data Protection must then give JØP orders to make a concrete assessment of whether complainants can be given insight into personal data on complaints contained in the medical consultant assessment. The order is issued pursuant to Article 58 (2) of the Data Protection Regulation. 2, point c.
 
The deadline for complying with the order is 18 December 2019. Data Protection Agency must request the same date to receive a confirmation that the order is complied with, and a copy of JØP's reassessment of the question of insight and answers for complaints.
 
According to section 41 (1) of the Data Protection Act [2]. Paragraph 2 (5) shall be punishable by a fine or imprisonment for up to 6 months to a person who fails to comply with an order issued by the Data Inspectorate pursuant to Article 58 (2) of the Data Protection Regulation. 2.
2. Presentation of the case

It appears from the case that complaints in connection with an objection request did not receive a number of documents and internal correspondence between JØP and a medical consultant.
 
JØP has refused to give complaints to the medical consultant's opinion.
2.1. JØP's comments
 
JØP has generally stated that by letter of 6 December 2018, JØP has met the complainant's request for insight, however, so that a medical consultant's assessment was excluded from insight. This medical consultant assessment is part of JØP's decision basis for awarding disability pension complaints in accordance with his application.
 
The medical examiner's assessment was made on the basis of material that complainants are fully aware of, including specialist medical statements and supplementary health information, which complaints have been submitted to JØP.
 
JØP has stated that complaints have gained insight into all the personal data processed by the insurance company about him, however, the medical consultant assessment has been denied.
 
JØP has stated that it is a firm business practice at JØP - as is generally the case in the insurance and pension industry - that assessments are obtained from medical consultants for the purpose of JØP's internal handling of the cases. In this case, the medical consultant's task is to assess medical issues for use in JØP's decision on the case.
 
It is a common practice throughout the industry that the medical consultants' internal assessment and medical advice to the injury practitioners are not shared with the clients to whom the assessments relate. In order to ensure adequate and professional injury treatment, it is essential that the injury practitioners can obtain medical advice in confidence.
 
The need for confidentiality is partly due to the fact that medical assessments by nature contain uncertainties and arguments for and against a result. The internal assessment of the medical consultant must thus be comparable to an internal legal memorandum. On that basis, the medical consultant assessment is considered to be covered by the right to exempt internal assessments in accordance with section 22 (2) of the Data Protection Act. 1.
 
Confidentiality also ensures that, in the interaction between the claims officer and the medical consultant, all relevant questions are asked so that the whole case is covered. Confidentiality is thus in effect also for the sake of complaints themselves.
 
Furthermore, in the opinion of the JØP, the medical consultant's assessment can be exempted from the right of access for reasons of JØP's private interests, including the consideration of JØP's business basis and business practices and the possibility of defending his interests in any dispute cases.
 
JØP has finally stated that these are business secrets that can be exempted from the right of access under Article 15 (1) of the Data Protection Regulation. 4. 
2.2. Complainant's comments
 
Complainant has generally stated that complainants do not recognize that there should be business secrets or a violation of the freedoms of others.
 
Furthermore, the complainant states that JØP's refusal of access to the information in question means that the complainant cannot verify the accuracy of the personal data that has been processed.
 
Furthermore, complainants have stated that the opinion of the medical consultant is seen to have legal effect, as JØP has stated complaints that the medical consultant has assessed that complaints cannot be awarded permanent permanent pension at this time.
2.3. Forsikring & Pension's comments
 
Forsikring & Pension has, as an industry organization, at the request of JØP submitted a statement to use the case. Forsikring & Pension finds that this is a fundamental problem for the insurance and pension industry.
 
Forsikring & Pension has confirmed that medical consultants' assessments are, as a rule, not shared with clients / injured parties. The assessments are intended to contribute to the company's decision-making basis, but are not in themselves conclusive.
 
Forsikring & Pension has stated that if it is not possible to secure a room for internal assessment, there is a risk that either statements will not be obtained or that the statements will be incomplete, because doctors are aware that later insight can be given. This could damage the policyholder's case.
 
Finally, Forsikring & Pension argues that a further argument that these statements can be exempted under section 22 (2) of the Data Protection Act. 1, is the consideration of the policyholder himself. Medical assessments may include some uncertainties and considerations that may cause misunderstanding and unnecessary concern on the part of the policyholder.
3. Legal basis
3.1. The concept of personal data
 
The term personal data is defined in Article 4 (1) of the Data Protection Regulation as any form of information about an identified or identifiable natural person ('the data subject'). An identifiable natural person means a natural person who, on the basis of the information, can be identified directly or indirectly.
3.2. The right of access for data protection Article 15
 
According to the data protection of Article 15 that the data subject has the right to have the controller's confirmation of whether personal data concerning him processed and, where appropriate, access to personal information and the following information:
 
    purposes of the processing
    concerned categories of personal data means
    the recipients or categories of recipients to whom the personal data is or will be disclosed, in particular recipients in third countries or international organizations, where possible, the intended period for which the personal data will be stored or, if this is not possible, the criteria used for determining that period the
    right to request the data controller to correct or delete personal data or to limit the processing of personal data concerning the data subject or to object to such processing theobject
    right toprovide a complaint to a supervisory authority with
    all available information on where the personal data originates if it is not collected from the registered
    occurrence of automatic decisions, including profiling, as referred to in Article 22 (2). 1 and 4, and at least meaningful information about the logic therein, as well as the significance and expected consequences of such processing for the data subject.
 
The Data Protection Regulation's preamble recital No 63 states, inter alia, the following:
 
“A data subject should have the right to access personal data collected about him and to exercise that right easily and at reasonable intervals in order to ascertain and verify the legality of a processing. This includes the right of data subjects to access their health information, e.g. data in their medical records on diagnoses, examination results, medical assessments as well as any treatment and any intervention made. […] This right should not infringe on the rights or freedoms of others, including trade secrets or intellectual property, in particular the copyright of the programs. […]”

However, the right of access is limited by Article 15 (2) of the Regulation. 4, according to which the right to receive a copy of the personal data processed must not infringe on the rights and freedoms of others.
 
Furthermore, section 22 of the Data Protection Act contains restrictions on the right of access. The right to access is limited, among other things. pursuant to section 22 (2) of the Act. 1, according to which the right of access does not apply if the data subject's interest in the information is found to depart from the imperative of private interests, including the interests of the data subject himself.
3.3. Case law of the European Court
 
In Joined Cases C-141/12 and C-372/12 YS and M and S v Minister for Immigration, Integration and Asylum (hereinafter the Immigration case), stated that a legal analysis prepared in an internal administrative document with a case manager's reason for draft decision in connection with an asylum applicant's application for a residence permit is not a personal information about the asylum seeker. The judgment states, inter alia, the following:
 
”40. As the Advocate General essentially states in paragraph 59 of the Opinion, and as the Netherlands, Czech and French Governments state, such a legal analysis does not constitute information on the applicant for a residence permit, but rather in so far as: it is not limited to a purely abstract interpretation of the legal rules, information on the assessment of the competent authority and the application of those legal rules in relation to the applicant's situation. is determined on the basis of the personal data of the applicant's person at the disposal of the authority. […]
 
44. As regards the rights of the data subject within the meaning of Directive 95/46, it should be noted that the protection of the fundamental right to respect for privacy inter alia: implies that the data subject must be able to ensure that the personal data of the person concerned is correct and legally processed. […]
 
45. Contrary to the information relating to an applicant for a residence permit contained in a statement and which may constitute the factual basis for the legal analysis of the statement, such analysis - as the Netherlands and French Governments have stated - is thus not in itself subject to the applicant's verification of its correctness and to an amendment under Article 12 (b) of Directive 95/46.
 
46. In those circumstances, extending the right of access for an applicant for a residence permit to the legal analysis does not really serve the purpose of the directive to safeguard that applicant's right to privacy when processing information about the applicant, but the purpose to secure the right to access administrative documents in question, which, however, is not covered by Directive 95/46.
 
47. In a similar context, as regards the processing of personal data by the Union institutions, governed by Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data personal data in the Community institutions and bodies and on the free exchange of such information (OJ 2001 L 8, p. 1) and, secondly, Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 on public access to European Parliament , Council and Commission documents (OJ 1998 L 145, p. 43), the Court has already stated in paragraph 49 of Commission v Bavarian Lager (C-28/08 P, EU: C: 2010: 378) that these regulations differ and Regulation No 45/2001, unlike Regulation No 1049/2001, does not aim to ensure transparency in the decision-making process of public authorities and to promote good administrative practice by facilitating the exercise of the right of access. That finding also applies to Directive 95/46, the purpose of which essentially corresponds to the purpose of Regulation No 45/2001.
 
48. It follows from all the foregoing considerations that the first and second questions in Case C-141/12 and the fifth question in Case C-372/12 must be answered by the fact that Article 2 (a) of Directive 95 / 46 is to be interpreted as meaning that the particulars relating to an applicant for a residence permit contained in a statement and, where applicable, the information contained in the legal analysis of the statement constitute 'personal data' within the meaning of this provision, the legal analysis, on the other hand, cannot in itself be classified in the same way. ”
 
In Case C-434/16 Peter Nowak v Data Protection Commissioner (hereinafter the Nowak case), the European Court of Justice has further stated that a written reply, as a participant has provided in connection with a professional test, and any examiners' corrections and comments on this answer are considered to be personal information. The judgment states, inter alia, the following:
 
”34. The use of the term 'any type of information' in the definition of the term 'personal data' in Article 2 (a) of Directive 95/46 reflects that the EU legislature intended to give this concept a broad meaning, since it is not limited to sensitive or private information, but potentially includes any form of information, both objective and subjective in the form of expressions of opinion or judgment, provided that the information is "about" the person concerned.
 
35. As regards the latter condition, it is fulfilled if, because of its content, purpose or effect, the information is linked to a particular person. […]
 
42. Regarding the examiner's corrections and comments on the participant's answer, it should be noted that these, like the answer given by the participant in the examination, constitute information about this participant.
 
43. The content of these corrections and comments thus reflects the examiner's opinion or assessment of the participant's individual performance in the exam, and in particular of his knowledge and competence in the field concerned. Moreover, the corrections and comments are intended precisely to document the examiner's evaluation of the participant's performance and may thus have an effect on the latter as stated in paragraph 39 of this judgment. […]
 
46. Contrary to the data protection supervisor and Ireland's where applicable, the qualification of the answer given by the participant in the course of a professional test, and any examiners' corrections and comments on that answer as personal data shall not be affected by the fact that this qualification, in principle, entitles the participant to insight and rectification. of Article 12 (a) and (b) of Directive 95/46. "
Justification of the Danish Data Protection Agency's decision on access to medical consultant assessments
 
According to the case information, there is no agreement between the parties as to whether complaints - in addition to medical consultancy assessments - have been received insight.
 
The Data Inspectorate finds no basis for infringing JØP's information that JØP does not process more information about complaints than the personal data already disclosed and personal data contained in the medical consultant assessment in this case.
 
In this connection, the Data Inspectorate notes that the audit only deals with cases on a written basis and that the audit therefore does not have the opportunity to conduct an actual investigation of the case. The final assessment of such evidentiary issues may be made by the courts, which, unlike the Data Inspectorate, have the opportunity to elucidate the situation in detail, including by hearing witnesses.
4.1. Is it personal data?
 
The question of whether insight should be given to the medical consultant assessment depends initially on whether the assessment can be considered to be personal data.
 
Personal information is defined as any kind of information about an identified or identifiable natural person. Thus, there is no doubt that information about pensioners, which appears in the underlying material, including specialist medical statements, patient records, etc., must be considered personal data.
 
The question then is whether the medical assessment carried out by a medical consultant on the basis of this material can also be considered as personal data.
 
In the opinion of the Data Inspectorate, a medical assessment differs from a legal analysis - as referred to in the Immigration case - in several respects. First, the medical assessment differs from the legal analysis in that in the present case, the medical assessment will be based on personal data. A legal analysis, on the other hand, will not in the same way depend on personal data about a specific person, but will instead be based on a set of rules, processes, case law, etc. with a view to subsuming the facts of the case in relation to the given legal basis.
 
Furthermore, a medical assessment is in itself seen as being able to lead to new personal data. The actual assessment of the medical material involves a new assessment of the person's health conditions and thus specific statements about the person's health conditions, which in itself must be considered personal data. In this context, reference is made to the Article 29 Working Party's opinion on personal data [3], which refers to information about a person when the information relates to the person, and it is clear that the results of a medical analysis are considered personal data.
 
The opinion of the Article 29 Working Party also states that: will be personal data when there is a "purpose element", ie. when the information is used or can be expected to be used for the purpose of assessing a person, treating that person in a particular way, or influencing that person's status or behavior. In line with this, the opinion of the European Court of Justice in the Nowak case shows that an examiner's corrections and comments constitute personal information about the person who wrote the answer. The content of the corrections and comments reflect the examiner's opinion or judgment of the person's performance. The corrections and comments are intended to document the examiner's evaluation of the participant's performance.
 
Overall, the Data Protection Agency considers that the contents of a medical consultant analysis approaches must be considered to be personal data to the extent that there is information relating to an identified or identifiable natural person referred to in. Article 4. 1.
 
The fact that the qualification of the content of a medical consultant assessment as a personal data means that such an opinion will be covered by the Data Protection Regulation and the rights that follow, - as stated in para. 46 in the Nowak case - does not in itself affect the qualification.
4.2. Is the information subject to the right of access?
 
The Data Protection Authority is of the opinion that it follows from the Data Protection Regulation that, as a general rule, access to personal data must be provided and that a concrete assessment must always be made as to whether access can be refused according to the exception rules. Thus, as is seen in the present case, JØP cannot generally cut off certain types of information from the right of access.
 
When the content of medical consultancy assessments is classified as personal data, the complainant is in principle entitled to access the personal data in the opinions under Article 15 of the Data Protection Regulation. The Data Inspectorate furthermore states that it follows from preamble recital 63 that the right of access includes the right to access health information, e.g. medical assessments.
4.2.1. Exemption under Article 15 (1) of the Data Protection Regulation. 4

The right to access is limited, among other things, by Article 15 (1) of the Data Protection Regulation. 4, according to which the right of access must not infringe the rights or liberties of others. The rights or freedoms of others may include business secrets.
 
JØP has not given any detailed reasons why these are business secrets and therefore information that can be exempted from the right of access under Article 15 (2) of the Regulation. 4.
 
In the light of the information provided by the Data Inspectorate, the personal data appearing from the medical consultant assessment from JØP's medical consultant cannot be considered as trade secrets, in particular because it has not been established that the information has a commercial value or otherwise way includes what might otherwise be considered business secrets. In this connection, the Data Inspectorate has also emphasized that JØP itself has informed the Authority of its treatment of injury cases, etc., including for what purposes and how the opinions of medical consultants are obtained. Furthermore, according to the report, there is a firm practice throughout the industry, which is why insights in these statements, in the opinion of the Authority, cannot be considered a business secret.
 
Against this background, the Data Inspectorate finds that JØP does not refer to Article 15 (2) of the Regulation. 4, may refuse to provide insight into personal data on complaints contained in medical consultant reviews.
4.2.2. Exemption under section 22 (2) of the Data Protection Act. 1

According to section 22 (2) of the Data Protection Act. 1, the right of access may be restricted if the data subject's interest in the information should be found to depart from the overriding considerations of private interests, including the interests of the person concerned.
 
Under this provision, JØP may, after a specific assessment, refuse to provide information if it will cause the company's business base, business practices or know-how to suffer material damage. Furthermore, after a specific assessment, it will be possible to refuse insight into internal assessments of whether the company will enter into a contractual relationship on the basis of available information, change an existing contractual relationship, impose special conditions for continuation, possibly terminate a contractual relationship and similar cases. Similarly, it will be possible to refuse insight into e.g. a note assessing whether there is a prospect of winning a particular lawsuit against a customer, or an internal note in a case that points to possible evidence that a customer has attempted to pursue insurance fraud against an insurance company or attempted to evade the obligation under e.g. a loan contract. [4]
 
There must be "decisive considerations", which means that exceptions to the right of access can only be made in cases where there is a nearby danger that private interests will suffer material damage.
 
It is clear from the Register Committee's report no. 1345/1997 on the processing of personal data, p. 311, that it is recognized that private data controllers like public data controllers need to be able to protect internal decision-making to some extent. The right of access may be limited on the basis of the company's decisive interest in being free to assess, among other things, the conclusion of contracts and existing customer relationships, and to prevent competitors from obtaining information that is purely internal assessments or business secrets. The Committee therefore considered that the right of access should be limited if disclosure of information in the specific situation would entail an imminent risk of harm. On the other hand, the fact that these are internal assessments, etc., cannot in itself justify a refusal of a request for access.
 
In the opinion of the Data Inspectorate, the personal data in the medical consultancy assessment are not, as a general rule, internal information that can be exempted from insight under section 22(2)(1) of the Data Protection Act.
 
It is hereby emphasized that there are no such internal documents referred to in the comments to the provision, which state that exceptions to the right of access can only be made if there is an obvious danger that private interests will suffer material damage. Concrete statements about medical conditions from medical consultants are not seen to have any content that could cause such an imminent danger that private interests will suffer material damage.
 
Nor does the fact that the statements can be involved in connection with any complaints or litigation against JØP mean that the personal data in the statements can be exempted from insight under section 22(2)(1) of the Act. Thus, they do not appear to be notes in which it is assessed whether there is a prospect that a particular lawsuit against a customer can be won, nor an internal note in a case that points to possible evidence that a customer has attempted to carry out insurance fraud against an insurance company or has attempted to evade the obligation under, for example, a loan contract, or other matters of a similar nature. They are, on the other hand, a contribution to the decision-making basis for the overall assessment and thus for the decision taken by JØP on the grant of invalidity pension.
 
The need for confidentiality in order to create a freer framework for being able to ask questions to the medical consultant and for the medical consultant to comment cannot, in the opinion of the Danish Data Protection Agency, justify the exclusion of personal data in the opinions.
 
The fact that JØP regards the medical consultant assessment as an internal document and as part of JØP's decision-making basis, which is requested to be confidential, and that the opinions could potentially be involved in any subsequent disputes with pensioners, does not appear to be of such crucial importance under section 22(2)(1) of the Data Protection Act that the data subject's right to access - and thus, among other things, the possibility of verifying the accuracy of personal data - can generally be overridden.
 
Finally, the consideration of the data subject itself does not appear to be able to result in the assessments generally being exempt from the right of access. The fact that the data subject is given insight into the information being processed about the person, and thus knowledge of any misunderstandings or erroneous information, is generally considered to weigh more heavily.
 
It should be noted that the Data Inspectorate considers that the exceptions to the right of access are very narrow. In this connection, the Danish Data Protection Authority attaches particular importance to the fact that the right of access gives the data subject access to verify the accuracy of the personal data and the lawfulness of the processing, and that this principle can only exceptionally be waived.
 
Accordingly, it is the opinion of the Data Inspectorate that JØP, when dealing with the question of access to the medical consultancy assessment, did not act in accordance with Article 15 of the Data Protection Regulation.

The Data Inspectorate must then notify JØP of an order to make a specific assessment of whether the complainant can be given insight into the personal data about the complainant contained in the medical consultant assessment. The order is issued pursuant to Article 58(2) of the Data Protection Regulation.

According to section 41(2)(5) of the Data Protection Act, a person who fails to comply with an order issued by the Data Inspectorate pursuant to Article 58(2) of the Data Protection Regulation shall be punishable by a fine or imprisonment for up to 6 months.
 
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] Act No 502 of 23 May 2018 on additional provisions for a regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information (Data Protection Act).

[3] Article 29 Working Party Opinion No 4/2007 on the concept of personal data (WP136) of 20 June 2007.

[4] Bill No 68, FT 2017/18, comments on section 22 of the Bill.

Revision as of 16:02, 26 November 2020

Datatilsynet - 18/34319
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR

Article 5(2) GDPR

Article 32(1)(b) GDPR

Article 32(1)(d) GDPR

Type: n/a
Outcome: Violation found
Decided: 11.10.2019
Published: 1.12.2019
Fine: 120.000 EUR
Parties: Education Agency for Oslo municipality
National Case Number: 18/34319-1
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Norwegian
Original Source: Datatilsynet (in NO) and press release source (in NO)

A fine of 1,200,000 NOK (approximately EUR 120,000) was imposed against the Education Agency of the Municipality of Oslo due to breach of personal data security in the mobile application “Skolemelding”. The fine was issued due to the application's lack of security and subsequent violations of Article 32(1)(b) GDPR and Article 32(1)(d) GDPR and of the principle of accountability as foreseen in Article 5(2) GDPR read in conjunction with Article 5(1)(f) GDPR.

English Summary

Facts

The case concerned vulnerabilities in the mobile app “Skolemelding”. In the application, pupils and guardians can communicate with teachers and administration at the school. There was a security issue with the application, where unauthorized users could access the application as authorized users and thus gain access to the personal data of students. More than 63 000 pupils were included in the data breach. In the application it was also possible to register special categories of data concerning the pupil in a “free-text” format, for example when sending the school information about why the pupil was too sick to attend school.

Dispute

On which legal basis can the Datatilsynet impose a fine for a lack of security?

Holding

The fine was issued on the basis of a lack of security surrounding the log-in function, a breach of Article 32(1)(b). In addition, the application was launched without proper security testing, and included security flaws well known to the security community, a breach of Article 32(1)(d). Finally, launching the application with an unacceptable vulnerability, which the municipality did not conduct proper steps to close, and a lack of control with the supplier (CGI) regarding the results of the security testing, was a breach of the principle of accountability following Article 5(2) in conjunction with Article 5(1)(f).

The issued fine was 1 200 000 NOK (approximately 120 000 euro), which was lower than the initially suggested fine of 2 000 000 NOK (approximately 200 000 euro). The fine was lowered in part due to the quick action by the municipality to address the flaws and secure the personal data, and in part due to cooperation with the Data Protection Authority, showing a will to fix the security flaws.

The municipality did not contest the evaluation by the Data Protection Authority regarding the scope of the security breach.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Norwegian original for more details.

The content of the PDF decision cannot be copied and pasted. You can find the translation of the press release provided by the Datatilsynet below.
 
Fee to Oslo Municipality Education Agency

In April 2019, the Data Inspectorate sent a notification to the Oslo Municipality Education Agency about a violation fee for breach of personal data security in the mobile application School Notification. In October, a final fee of NOK 1.2 million was adopted.

The fee is given because the municipality had not taken appropriate measures to achieve a level of security appropriate to the risk. The assessment emphasized, among other things:

    One of the uses of the app is for parents to send messages about their children or announce absence when using free text fields. It facilitates the communication of sensitive personal information, such as health information, about the children. There are no technical measures to prevent this from happening, nor does the app inform you not to communicate such information. Had built-in privacy been taken into consideration, it would not have been a free-text field, but for example a drop-down list or check boxes.
    Lack of security around logging in to the app has allowed unauthorized persons access to view and change personal information of more than 63,000 children in primary school in Oslo.
    Inadequate security testing prior to the launch of the app led to it being launched with vulnerabilities well known in security environments worldwide.
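The first finding above is a data-minimisation point: a free-text field invites guardians to type health details about a child, while a closed list of reasons (drop-down or check boxes) lets the school get what it needs without the app ever carrying that prose. The following is an added example, not code from Skolemelding, the Oslo municipality or its supplier; the field names, the reason codes and the sample submissions are constructed for illustration. It shows the weak shape (store whatever was typed) next to a hardened parser that accepts only structured fields and rejects, rather than silently drops, any free-form key.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class AbsenceReason(Enum):
    """Closed list a guardian picks from (drop-down / check box).  The codes are
    constructed for this example; a real app would agree them with the school."""
    ILLNESS = "illness"          # records the fact of illness, never a diagnosis
    APPOINTMENT = "appointment"
    FAMILY = "family"
    OTHER = "other"              # still no free text: the school can phone instead


@dataclass(frozen=True)
class AbsenceReport:
    pupil_id: str
    reason: AbsenceReason
    from_date: date
    to_date: date
    guardian_wants_callback: bool = False


def weak_parse(payload: dict) -> dict:
    """'Before' shape: a free-text 'note' is stored verbatim, so health details
    about a child end up in the message store with no control over content."""
    return {"pupil_id": payload["pupil_id"], "note": payload.get("note", "")}


ALLOWED_KEYS = {"pupil_id", "reason", "from_date", "to_date", "guardian_wants_callback"}
REQUIRED_KEYS = {"pupil_id", "reason", "from_date", "to_date"}


def parse_absence_report(payload: dict) -> AbsenceReport:
    """'After' shape: every field is structured.  Unknown keys (including any
    free-text note a stale client still sends) cause a hard rejection, so prose
    fails loudly at the boundary instead of leaking into storage."""
    extra = set(payload) - ALLOWED_KEYS
    if extra:
        raise ValueError(f"unexpected free-form fields: {sorted(extra)}")
    missing = REQUIRED_KEYS - set(payload)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    try:
        reason = AbsenceReason(payload["reason"])
    except ValueError:
        raise ValueError(
            f"reason must be one of {[r.value for r in AbsenceReason]}") from None
    start = date.fromisoformat(payload["from_date"])
    end = date.fromisoformat(payload["to_date"])
    if end < start:
        raise ValueError("to_date before from_date")
    callback = payload.get("guardian_wants_callback", False)
    if not isinstance(callback, bool):
        raise ValueError("guardian_wants_callback must be a boolean")
    pupil_id = payload["pupil_id"]
    if not isinstance(pupil_id, str) or not pupil_id.isalnum():
        raise ValueError("pupil_id must be an alphanumeric string")
    return AbsenceReport(pupil_id, reason, start, end, callback)


def check_absence_report(payload: dict) -> str:
    """Return '' when the payload is acceptable, else the rejection reason."""
    try:
        parse_absence_report(payload)
    except ValueError as exc:
        return str(exc)
    return ""


# Constructed sample submissions (not real data).
FREE_TEXT_SUBMISSION = {
    "pupil_id": "p123",
    "reason": "illness",
    "from_date": "2019-03-04",
    "to_date": "2019-03-05",
    "note": "has a fever and is on antibiotics",   # health data typed into free text
}
STRUCTURED_SUBMISSION = {
    "pupil_id": "p123",
    "reason": "illness",
    "from_date": "2019-03-04",
    "to_date": "2019-03-05",
    "guardian_wants_callback": True,
}

if __name__ == "__main__":
    print("weak parser keeps the note:", weak_parse(FREE_TEXT_SUBMISSION))
    print("hardened parser, free text:", check_absence_report(FREE_TEXT_SUBMISSION) or "accepted")
    print("hardened parser, structured:", check_absence_report(STRUCTURED_SUBMISSION) or "accepted")
```

Rejecting unknown keys, instead of ignoring them, is the deliberate choice here: a client that still ships a free-text box is then visible in the server's error rate rather than quietly leaking prose that the server discards only on a good day.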

The municipality has not been conscious of its responsibility and has launched a school messaging app with an unacceptable vulnerability without taking appropriate measures to close the vulnerabilities. They have also had insufficient control with the supplier when it comes to safety test results.

Read the entire case published in connection with the notice
Lower fee than notified

However, the Data Inspectorate has found that the notified fee of 2 million has to be slightly lowered. In our assessment, we have emphasized that the City of Oslo has taken measures to limit the damage as soon as the municipality became aware of the breach. The municipality has shown a willingness to organize the event.