Datatilsynet - 20/02291

From GDPRhub
Datatilsynet - 20/02291-4
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24 GDPR
Article 32 GDPR
Health Records Act §§ 22-23
Personal Data Act § 26(1)
Type: Investigation
Outcome: Violation Found
Decided: 22.10.2020
Published: 27.10.2020
Fine: 750000 NOK
Parties: Sykehuset Østfold HF
National Case Number/Name: 20/02291-4
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined Østfold Hospital NOK 750,000 (approx. €64400) for insufficiently protecting patient data (Articles 32 and 5(1)(f) GDPR) and inadequate internal controls (Articles 24 and 5(2) GDPR).

English Summary[edit | edit source]

Facts[edit | edit source]

Østfold Hospital notified the DPA about a personal (patient) data breach, including insufficient security (lack of access controls and logs, not adhering to own policies and procedures) and storing personal data longer than necessary. Datatilsynets launched an investigation, which was concluded with a fine on 22 October 2020.

Dispute[edit | edit source]

How serious was the personal data breach submitted by Østfold Hospital? Did they breach the former Personal Data Act and/or the updated one, with the GDPR incorporated?

Holding[edit | edit source]

The DPA held that Article 32, cf. Article 24 and 5(1)(f), as well as the Health Records Act § 22, were breached due to unauthorized access to patient data; that Article 32, cf. Article 24 and 5(2), as well as the Health Records Act § 23, were breached due to unauthorized access to and possible unauthorized alteration of patient data; that Article 32, cf. Article 24 and 5(1)(f) and 5(2), as well as the Health Records Act §§ 22 and 23, were breached due lack of confidentiality, integrity and availability and that Article 32, cf. Article 24 and 5(1)(e), as well as the Health Records Act § 23, were breached due to unlawfully storing personal data. The DPA finally held that the medical records system's option for extracting patient reports was not in line with the principles of data protection by design and default, cf. Article 25, cf. Articles 32 and 24, and that Østfold Hospital failed to adhere to the requirements as per Article 30 for this processing activity.

Comment[edit | edit source]

It's interesting to note how the DPA reasons around which law is applicable in this case, as the personal data breach first happened in 2013, before the GDPR came into effect. Since the data breach extended into January 2019, the DPA held that the updated Personal Data Act, including the GDPR, was applicable in this case, increasing the potential level of fines from NOK 1,000,000 (approx. EUR 89,800) to NOK 107 000 000 (up to EUR 10,000,000).

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

THE HOSPITAL ØSTFOLD HF
PO Box 300
1714 GRÅLUM

Their reference Our reference Date
19/00251 20 / 02291-4 22.10.2020

Decision on infringement fines and orders

The Data Inspectorate refers to previous correspondence in connection with reports of violations
personal data security (non-conformance report) with reference AR300186895, as you
sent 14.01.2019.


In a letter dated 16.07.2019, we asked for an account of several matters related to the discrepancy.
Østfold HF Hospital reported on the case in a letter dated 13.08.2019.


On 22.06.2020, we notified Østfold HF Hospital that we would consider making a decision
infringement fines and orders. The hospital has commented on the warning in a letter dated 29.06.2020.


We apologize for the long processing time.


Decision on infringement fines and orders
The Data Inspectorate has today made the following decision:


            Pursuant to Article 58 (2) (i) of the Privacy Ordinance, cf.
                the Personal Data Act § 26 second paragraph and the Patient Records Act § 29, cf.
                Article 83 of the Privacy Ordinance, Østfold HF Hospital is ordered to pay a

                infringement fine of 750,000 NOK - seven hundred and fifty thousand Norwegian kroner
                To the Treasury, for violation of the requirements for security and internal control by
                processing of personal data, cf. the Privacy Ordinance Article 32, cf.

                the Personal Data Act § 26 first paragraph, cf. the Privacy Ordinance article
                24, and the Patient Records Act §§ 22 and 23.


            2. Pursuant to Article 58 (2) (d) of the Privacy Regulation, the following is imposed
                Østfold HF Hospital to ensure that the management system for the treatment of
                personal data is suitable for meeting the requirements of the privacy regulations and

                patient record law. We refer in particular to the routines for access control and storage
                of personal information. The management system must involve follow-up of that
                the routines are followed, including follow-up that only safe systems are used


Postal address: Office address: Telephone: Fax: Org.nr: Website:
PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no
0105 OSLO processing of sensitive personal data. We refer to
               Article 32 of the Privacy Ordinance, cf. Article 24, and the Patient Records Act §
               23.

2. Description of the facts of the case
From August 2013 until January 2019, Østfold HF Hospital has been missing
access control on report extracts from electronic patient records (EHR).


The extracts from EHR are lists of patients ready for discharge (USK lists) and include special
categories of personal information (sensitive patient information). The lists are based on
the Patient Records Act § 6 second paragraph and aims to support the administration of
package process, deadline breach and breach of promise, interaction, surgery and medical coding.

The discrepancy includes three different lists:

    a) An updated USK list that includes approx. 25-30 patients. This list is updated
        every 15 minutes.
    b) A historical USK list from 2013 to 2019, with 13,800 patients and 26,596
        printouts.
    c) Two lists with birth number and reason for admission, with approx. 30 patients.

The personal information in the lists includes demographic information and name, date of birth,

municipality, department affiliation and any information about arrangements for the transfer of
patient to municipality. Two of the lists contained, as mentioned, the birth number and reason for admission.

According to Sykehuset Østfold HF, there are no indications that personal information has been obtained
balance and that the duty of confidentiality has thus been breached. All employees at Østfold HF Hospital have
duty of confidentiality and has signed for this.


2.1 Access control
Østfold HF Hospital has an established routine for access control, which was attached
the statement to the Norwegian Data Protection Authority. We understand that the discrepancy is a violation of internal routines to
provide access to employees with service needs.

There has been no access control in the area / folders where the extracts of special categories

personal data from the EHR was stored and / or temporarily stored.

The personal information from the report extracts has been available to 118 employees at
Østfold HF Hospital, of which many employees have not had an official need for such access.
The hospital says in its letter that the personal information "was in an area that was not natural
for most employees to go into "and that personal information" was difficult to access
in the form that they were stored in subfolders among a larger amount of anonymized or strongly

deidentified information ». It further states: «[The] information has not been available
for persons who have not signed a declaration of confidentiality ».







                                                                                                22.2 Logging
There is no functionality for logging in the folder structure used. This
the folder structure was used since there was no other ICT tool that could take care of it
the need for report and extraction.

2.3 Internal management system
Østfold HF Hospital has decided that revision of personal registers will be included in the Hospital

Østfold HF's overall, two-year audit plan.

Østfold HF Hospital has not carried out an audit of, or otherwise controlled,
content or functionality in the relevant folder structure, including access control on it
current area. The Norwegian Data Protection Authority assumes that neither the storage location and storage time for
the extracts from EPR have been checked.


2.4 Storage routines
Østfold HF Hospital has established routines for storing health information and
personal information. We understand that the discrepancy is a violation of internal storage routines
and storage time.

2.5 Built-in privacy and privacy by default
Østfold HF Hospital carried out a preliminary and main project in connection with the new one

the Personal Data Act and the Privacy Ordinance entered into force on 20.07.2018. The project was to
«Detect discrepancies in that the entire organization was better informed about the requirements in
the Personal Data Act ».

According to the project plan, the project identified a need for mapping of accesses and
automated access control (idM) in DIPS, and one should consider the need for the introduction of one

regional standard. This item has status completed, and the system owner DIPS was responsible.

It does not appear that the project included whether the medical record system DIPS has built-in
privacy and privacy as the default setting or that the project aimed to uncover
weaknesses in the routines for storing personal data.

2.6 Treatment protocol

Østfold HF Hospital has established a complete and updated protocol of treatment
the activities of the hospital. As we have understood it, the USK lists were entered into the hospital's
protocols in June 2018. Østfold HF Hospital has stated that they ensure control over all
processing of personal data by risk assessment of any establishment or change of
personal registers.

2.7 Implemented measures

Østfold HF Hospital has pointed out that the following immediate measures have been implemented:
    • Folders have been reviewed and historical personal information has been deleted.
    • The folders have been moved, and only the analysis department's employees have access. The approach
        governed by affiliation to organizational unit.





                                                                                                3 • Reports with anonymized information for statistical needs have been moved to folders
        with access control, where 118 employees now have access.
    • Personal information related to patient logistics is "copied" to access controllers
        folders. The need for access for employees has been revised.

Of the long-term measures, Østfold HF Hospital refers to the following:

    • Introduction of an analysis platform that enables a smaller degree of manual routines.
        The project has started, and we understand it so that the analysis platform is established.
    • A reception project has been established to decide on the use of the solution.

2.8 Information to the registered
Information is not provided to patients affected by the abnormality. The reason is that the Hospital

Østfold HF believes that the deviation does not include loss or dissemination of personal information, and that
has not been revealed that personal data has been used for other purposes. Østfold HF Hospital shows
also that all employees have signed that they have a duty of confidentiality.

3. Legal basis
The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. privacy
Article 57 of the Regulation.


We are also the supervisory authority under the Patient Records Act, cf. section 26 of the Act. The Patient Records Act
applies to all processing of health information that is necessary to, among other things
quality-assured health care for individuals, cf. section 3 of the Act.

3.1 On choice of law
The new Personal Data Act, which incorporates the EU Privacy Regulation into Norwegian law,

entered into force on 20.07.2018. The law also repealed the Personal Data Act (2000) and the rules
in the Personal Data Regulations (2000).

This case concerns matters that arose in 2015, ie before the entry into force of
the Personal Data Act (2018), but which has persisted in the time since. We must therefore take a stand
whether the case is to be assessed in accordance with the Personal Data Act (2018) or the Personal Data Act

(2000).

The Personal Data Act (2018) § 33 first paragraph contains a special transitional rule
infringement charge, which reads:

        «The rules on the processing of personal data that applied at the time of the action,
        shall be used as a basis when a decision is made on an infringement fee. The legislation on

        the time of the decision shall nevertheless be used when this leads to a more favorable one
        result for the person responsible ».

The question of choice of law must therefore be assessed on the basis of what is considered the time of action.
The relevant deviation arose before the entry into force of new regulations on 20.07.2018, but persisted
until the discrepancy was discovered in January 2019. The time of action in this case has thus





                                                                                                4waited over time and in the time after the Personal Data Act (2018) came into force. It follows then
of the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with this Act.

We also refer to the preparatory work for the Personal Data Act (2018), Prop. 56 LS (2017-2018)
page 196, where the Ministry states, among other things, the following on the question of choice of law between
the Personal Data Act (2000) and the Personal Data Act (2018):


        «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to
        is made on the basis of the material rules in force at any given time ».

The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law
entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and
PVN-2018-06.


Against this background, it is in our assessment clear that the case must be assessed accordingly
the Personal Data Act (2018) and the Privacy Ordinance.

3.2 About health information and confidential information
Health information about patients is a so-called special category of personal information, cf.
Article 9 (1) of the Privacy Regulation. Such information will be covered by various
confidentiality provisions, see for example the Health Personnel Act § 21. We also refer to the prohibition

in the Health Personnel Act § 21 a against unlawful acquisition of confidential information.

Pursuant to section 16 of the Health Personnel Act, enterprises in the health service must organize themselves in such a way that
health professionals will be able to comply with their statutory obligations under, among other things
the Health Personnel Act.


3.3 The basic principles
The basic principles for the processing of personal data are set out in
Article 5 of the Privacy Regulation. We refer in particular to Article 5 (1) (f), where it
appears:

        «1. Personal information shall (…)
           f) processed in a manner that ensures sufficient security for the personal data,

              including protection against unauthorized or illegal treatment (…), by the use of appropriate
              technical or organizational measures ("integrity and confidentiality") ".

It is the data controller's responsibility that the principles are complied with, and the data controller must be able to
demonstrate this, cf. Article 5 (2).

3.4 The requirements for personal data security and management systems

3.4.1 The Privacy Ordinance
Article 32 of the Privacy Regulation regulates the security requirements when processing
personal information. The following is an excerpt from relevant parts of Article 32:






                                                                                               5 «1. Taking into account the technical development, implementation costs and
        the nature, scope, purpose and context of the treatment, as well as the risks of
        varying degrees of probability and severity for the rights of natural persons and
        freedoms, the data controller and the data processor shall implement appropriate
        technical and organizational measures to achieve a level of security that is suitable with
        consideration of the risk, including, inter alia, as appropriate, (…)
           b) ability to ensure lasting confidentiality, integrity, availability and

              robustness in treatment systems and services, (…)
           d) a process for regular testing, analysis and assessment of how effective
              the treatment's technical and organizational security measures are.

        2. In assessing the appropriate level of safety, special consideration shall be given to the risks
        associated with the processing, in particular as a result of (…) unauthorized disclosure of
        or access to personal information that has been transferred, stored or otherwise

        treated".

The obligation to implement appropriate technical and organizational measures is correspondingly stated in
Article 24 of the Privacy Regulation, which regulates the data controller's responsibilities separately.

Built-in privacy and privacy by default, cf. the Privacy Ordinance
Article 25, entails a requirement that the principles of privacy are observed throughout the processing. We

refers again to the principle of integrity and confidentiality, cf. the Privacy Ordinance article
5 no. 1 letter f. The data controller has a duty to ensure that the electronic solutions such as
used has built-in privacy.

Pursuant to Article 30 (1) of the Privacy Regulation, the data controller has a duty to keep minutes
over the treatment activities performed. The protocol shall, among other things, contain one

description of the categories of personal data processed, cf. Article 30, paragraph 1, letter
c, and the categories of recipients to whom the personal data will be disclosed, cf. Article 30 no.
1 letter d.

3.4.2 Patient Records Act
The requirements for the data controller when processing journal information are also stated in
patient record law.


The Patient Records Act § 22 first paragraph on information security reads:

        «The data controller and data processor shall carry out technical and organizational
        measures to achieve a level of safety that is suitable with regard to the risk, cf.
        Article 32 of the Privacy Regulation
        otherwise ensure access control, logging and subsequent control ».










                                                                                                6 The Patient Records Act § 23 on internal control reads:

        «The data controller shall implement technical and organizational measures to ensure and
        demonstrate that the processing is carried out in accordance with the Privacy Ordinance,
        the Personal Data Act and this Act, cf. Article 24 of the Regulation.

        The data controller must document the measures. The documentation must be

        available to the employees of the data controller and the data processor.
        The documentation must also be available to the supervisory authorities.

        The Ministry may in regulations issue further provisions on internal control ».

3.5 Information for affected persons
If it is probable that the breach of security will entail a high risk for natural persons

rights and freedoms, the data controller shall without undue delay notify those affected
persons about the breach, cf. the Privacy Ordinance Article 34 No. 1.

The supervisory authority may order the data controller to inform affected persons, cf. article
34 (4). The detailed requirements for the content of such a notification are set out in Article 34 (2)
and 3.


3.6 In particular on the imposition of infringement fines
Article 58 no. 2 letter i of the Privacy Ordinance, cf. the Personal Data Act § 26 other
paragraph and the Patient Records Act § 29, it appears that the Data Inspectorate may impose public
authorities and bodies infringement fines under the rules of Article 83 of the Privacy Regulation
in case of violation of provisions of the respective laws.


Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision
contains, among other things, an overview of which aspects are to be taken into account, both in
the assessment of whether an infringement fee is to be imposed and in determining the amount of the fee.

The relevant parts of Article 83 (1) and (2) are reproduced below:

        «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with

        this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 of each
        case is effective, stands in a reasonable relation to the violation and works
        deterrent.

        2. (…) When a decision is made on whether to impose an infringement fee and
        on the amount of the infringement fee, it must be duly taken into account in each individual case
        following:

           a) the nature, severity and duration of the infringement, taking into account
              to the nature, extent or purpose of the treatment concerned as well as the number of registered as
              are affected, and the extent of the damage they have suffered,
           b) whether the infringement was committed intentionally or negligently,





                                                                                                7 c) any measures taken by the data controller or data processor to
              limit the damage suffered by the data subjects,
           d) the degree of responsibility of the data controller or data processor, as taken
              with regard to the technical and organizational measures they have implemented in accordance with

              Articles 25 and 32,
           e) any relevant previous violations committed by the data controller
              or the data processor,
           (f) the degree of cooperation with the supervisory authority to remedy the infringement; and
              reduce the possible negative effects of it,
           g) the categories of personal data affected by the infringement,

           (h) the manner in which the supervisory authority became aware of the infringement, in particular:
              and, if so, to what extent the data controller or data processor has
              notified of the infringement,
           (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
              data controller or data processor with respect to the same subject matter,

              that the said measures are complied with,
           (j) compliance with approved standards of conduct in accordance with Article 40 or approved
              certification mechanisms in accordance with Article 42 and
           k) any other aggravating or mitigating factor in the case, e.g. economic
              benefits gained, or losses avoided, directly or indirectly, such as
              consequence of the infringement ».


Article 83 also sets out the framework for the magnitude of the infringement fine. We show in this
in connection with Article 83 (4). The relevant parts of the provisions are:

        «4. In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2

        infringement fine of up to EUR 10,000,000 (…):
           (a) the obligations of the controller and the processor in accordance with
              Articles 8, 11, 25-39 and 42 and 43 (…) '.

Section 26, first paragraph, of the Personal Data Act states that Article 83 of the Privacy Ordinance
Paragraph 4 shall apply mutatis mutandis to infringements of Article 24 of the Regulation.


4. The Data Inspectorate's assessment
In the account of our assessment of the discrepancy, we will follow the same chronology as below
"Description of the facts of the case" above.


4.1 Access control
Østfold HF Hospital has an established routine for access control, and the deviation represents one
violation of internal routines to only provide access to employees with service needs. It has not
been access control on the site / folders where the extracts of (special categories of)
personal data from the EHR was stored and / or temporarily stored. We assume that 118 employees



1
 To our understanding, the term "service need" includes not only needs that arise in clinical patient work,
but also needs related to, for example, administrative work, technical support and management functions.



                                                                                                   8at the hospital in the period 2013-2019 has had access to the files, many of which employees do not
has had an official need for access.

In our assessment that sensitive personal information has been available to employees without
service needs, it is not of particular importance that the hospital believes that the information was
stored in an area where it was not natural for most employees to enter. The risk of
breaches of the confidentiality and integrity of the information have nevertheless been present.


Furthermore, Østfold HF Hospital points out that the employees who have had access to the folder and
the personal data has signed that they have a duty of confidentiality. In our view, this is not the case
relevant for the assessment of which patient information an employee should have access to. We refer to
the requirement that employees must not have access to personal information they do not have a service need for
for, regardless of whether the employee has a duty of confidentiality or not.


The Data Inspectorate's assessment:

The personal information in the report extracts has been available to 118 employees at the Hospital
Østfold HF, of which many employees have not had an official need for such access. The hospital has
thus not preventing unlawful access to personal data. This is a violation
Article 32 of the Privacy Regulation, cf. Article 24 and Article 5 (1) (f), and
Patient Records Act § 22.


4.2 Logging
Østfold HF Hospital has not logged the activity in the area where the report extracts were stored.
If the hospital had had a routine for logging the activity and followed up the logs on one
systematically, the hospital could have confirmed and / or denied whether employees have used
of access to and / or changed the personal information / lists. The lack of logging is increasing

the risk of losing track of where personal information / patient data is located. We
are unsure whether Sykehuset Østfold HF has now established a sufficient system and routine for
logging and follow-up of logs in the hospital.

The Data Inspectorate's assessment:

Østfold HF Hospital has not logged the activity where the extracts from EPR were stored, and

the hospital has thus not been able to follow up the activity and uncover unauthorized access and
any compromise of the personal data. This is a breach of privacy
the regulation, article 32, cf. articles 24 and 5 no. 2, and the Patient Records Act § 23.

4.3 Internal control system
Østfold HF Hospital has not carried out regular checks on employees' access to folders, storage
and deletion on the server.


In the procedure "Health information - storage, archiving and deletion" all levels are in the hospital
given a responsibility to ensure that the routines are complied with. In connection with saving the report extracts
from EPR, the hospital has not followed up on the overall responsibility of the CEO





                                                                                                 9for access control at the hospital to work. Nor can we see that other leaders have
provided that the access control functioned as intended.

This could, for example, have been done by requesting internal reporting on compliance with
the said procedure. Internal audit of access control as well as follow-up of logs and storage
should be carried out regularly, so that you have an overview of the risk picture at all times. Security Manager,
who has the executive responsibility for information security, can be a key part of such

Activity. The hospital can also consult with the privacy representative in the process of ensuring that
only employees with service needs have access to patient information from which the report extracts
EPJ.

The Data Inspectorate's assessment:

Østfold HF Hospital has not had control over the employees' access to report extracts

sensitive personal data in the years 2013-2019. The management, which has overall responsibility for
storage, access control and deletion, did not ensure that the access control functioned as
provided in connection with the report extracts from the EHR. This is a violation
Article 32 of the Privacy Ordinance, cf. Articles 24 and 5 no. 2, and Section 23 of the Patient Records Act.

Due to the deficient management, Sykehuset Østfold HF has not been able to correct the solution
in terms of confidentiality, integrity and availability. This is a violation

Article 32 and 5 (1) (f) and (2) of the Privacy Regulation, and
Sections 22 and 23 of the Patient Records Act.

4.4 Storage routines
The personal information in the report extracts from EHR has not been deleted as the purpose
with the processing of the information has been fulfilled. Østfold HF Hospital thus does not have

complied with the principle of storage limitation.

The Data Inspectorate's assessment:

Østfold HF Hospital has stored report extracts from EPR from 2013-2019 long after the purpose
with the processing of the information was achieved and the need for storage of the information
ceased. This is a violation of Article 32 of the Privacy Regulation, cf. Articles 24 and 5 (1)

letter e, and the Patient Records Act § 23.

4.5 Built-in privacy and privacy by default
Østfold HF Hospital is responsible as a treatment manager for having programs, systems and / or
solutions that have built-in privacy and privacy by default. We can not see
that there has been a focus on built-in privacy in the hospital's project to ensure the transition to
new privacy regulations or in other measures described.










                                                                                              10Datatilsynet's assessment:

The solution for report extraction from EHR was not in accordance with the requirements for built-in
privacy / privacy as the default setting in the Privacy Ordinance Article 25, cf.

Articles 32 and 24.

4.6 Treatment protocol
The report extracts from EPR were not integrated in the protocols at Østfold HF Hospital until in
2018. Østfold HF Hospital states that safety assessments are always made of new or
changed treatments. The Norwegian Data Protection Authority has doubts about whether the minutes were kept in June

2018 was complete. In our opinion, this should have meant that a need was identified
security measures for the solution - such as access control, logging and deleting
the personal information in the extracts.

The Data Inspectorate's assessment:


The requirement for a protocol in Article 30 of the Privacy Regulation has not been complied with in connection with
the report extracts from the EHR.

4.7 Implemented measures
Østfold HF Hospital implemented immediate measures after the discrepancy was discovered. It is also

implemented long-term measures that indicate that the hospital has understood the seriousness of the discrepancy.
Østfold HF Hospital must ensure that the measures have the desired effect and that the hospital has
satisfactory level of safety. We refer to point 4.3 Internal management system above.

The Data Inspectorate's assessment:


The Norwegian Data Protection Authority has no comments on the immediate measures implemented.

We nevertheless believe that Østfold HF Hospital has not established sufficient management when it comes to
processing of personal data, including for access control and storage routines, cf.
Article 32 of the Privacy Ordinance, cf. Article 24, and Section 23 of the Patient Records Act.


4.8 Information to the registered
The affected patients have not been informed about the storage and access control of
the report extracts with some very sensitive information about them.


Østfold HF Hospital believes that the deviation does not include loss or spread of
personal data, and it has not been revealed that the personal data has been used for other purposes.
Patients have a legitimate expectation of confidentiality when treated at a hospital.
They expect that only health professionals with service needs will have access to information about
themselves and their state of health.




2
 See our understanding as it appears in footnote 1.



                                                                                                  11The fact that employees have a duty of confidentiality is not relevant for the assessment of which information
employee shall have access to. The duty of confidentiality may nevertheless limit the harmful effects of
unauthorized access to personal data. There is a precondition in the duty of confidentiality that
healthcare professionals should not disseminate confidential patient information.

Pursuant to Article 34 of the Privacy Regulation, the obligation to notify the persons concerned is triggered
if the breach of security entails a "high risk" for the rights and freedoms of natural persons.


In this case, the information has been available to many employees who have not had
official need for the information. Due to the lack of logging, it is impossible to
check whether employees have actually accessed or otherwise processed the information,
and in the case of how many. As we have understood it, most of the 118 employees have not had
official need for access to the information. There is also information about several thousand
patients through approx. six years.


Nevertheless, we have made sure that there is a limited number of employees that everyone has
duty of confidentiality. According to the information, the folder structure where the information has been open has
we have been difficult to access.

Overall, we have therefore come to the conclusion that Østfold HF Hospital is not obliged to inform them
affected patients.


We will nevertheless encourage Østfold HF Hospital to be open about the deviation. Information can for
example is made available via the hospital's website. The information should be designed on
a way that enables patients to understand the scope and content of
the security breach.


The Data Inspectorate's assessment:

Østfold HF Hospital is not obliged to notify those registered who are affected by the deviation, cf.
Article 34 of the Privacy Regulation.

4.9 Summary
Patient information shall not be stored so that employees without service needs have access to it.

At Østfold HF Hospital, patient information in the form of report extracts from EPR has been
stored on a server and in a folder structure without access control.

As the primary purpose of health personnel is health care, the hospital must have established a technical
support system that meets the requirements for privacy and information security. The hospital must
also facilitate that only secure systems are used in the handling of sensitive information.
In this way, healthcare professionals' duty of confidentiality and information security regarding patient information

maintained throughout the treatment chain. It is a management responsibility that such technical solutions are
established and functioning as intended.

We believe there have been fundamental shortcomings in the internal management system and
information security in the processing of report extracts at Østfold HF Hospital.




                                                                                               124.10 Assessment of whether an infringement fee is to be imposed
The Norwegian Data Protection Authority has come to the conclusion that Østfold HF Hospital has violated the Privacy Ordinance
Article 32, cf. 24 and the Patient Records Act §§ 22 and 23.

The offense has largely occurred before the Personal Data Act (2018) and
the Privacy Regulation entered into force. The Data Inspectorate could also impose earlier
infringement fee, cf. the Personal Data Act (2000) § 46, but the amount was then limited to

up to 10 times the National Insurance basic amount (currently approx. NOK 1,000,000).

However, we refer to the discussion under section 3.1 and assume that the fee will be measured
according to new regulations. In principle, there is thus a basis for imposing Østfold Hospital
HF a violation fee of up to 10,000,000 euros (currently approx. 107,000,000 NOK), cf.
Article 83 (4) of the Regulation. Nevertheless, we will ensure that the offenses have also taken place in
the period when previous privacy regulations applied.


Below we review the factors that we consider relevant for the assessment of whether
infringement fines must be imposed.

(a) the nature, gravity and duration of the infringement, taking into account it;
the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and
the extent of the damage they have suffered

The discrepancy related to the report extracts has been going on for approx. six years, and health information about
Thousands of patients have been available to many staff without the need for service
the information. Although there is no evidence that employees have done wrong
access to the report extracts, it is not possible to review whether such access has taken place and whether
patient information has gone astray. Lack of opportunity for follow-up contributes in itself
even to increase the severity of the discrepancy.


b) whether the infringement was committed intentionally or negligently
Østfold HF Hospital has carried out risk assessments related to information security and
has routines for access control. The storage of report extracts with health information without
access control has nevertheless not emerged through the management's follow-up in the years 2013-
2019. The offense must be described as negligent.


c) any measures taken by the data controller or data processor to limit
the damage suffered by the data subjects
Østfold HF Hospital has now taken care of shielding or deleting the report extracts.

d) the degree of responsibility of the data controller or data processor, taking into account
the technical and organizational measures they have implemented in accordance with Articles 25 and 32
Østfold HF Hospital has had a management system that includes access control

confidential information. However, the control system has not been suitable for capture
storing the report snippets in folders without access control. The Data Inspectorate believes that this provides
expression of shortcomings in the internal management system.






                                                                                               13g) the categories of personal data affected by the infringement
In this case, health information has been available to many employees without service needs.
Pursuant to Article 9 (1) of the Privacy Ordinance, health information is designated as a special
category personal information, ie very sensitive information. This is increasing
the severity of the offense.


h) in what way the supervisory authority became aware of the infringement, in particular if and if so
the extent to which the data controller or data processor has notified
the infringement
Østfold HF Hospital itself reported the deviation to the Norwegian Data Protection Authority.

4.11 Measurement of the fee
In assessing the size of the fee, we have ensured that Østfold HF Hospital quickly took care of it

deletion or shielding of the report extracts and that the hospital itself reported the deviation
The Data Inspectorate. It is also not known that the practice has had concrete consequences for
individual patients, although this is given less weight.

We have emphasized that the offense partly took place before the Personal Data Act (2018) and
the Privacy Regulation entered into force. Pursuant to the previously applicable Personal Data Act (2000)
the fee was limited to a maximum of approx. NOK 1,000,000.


Initially, the Data Inspectorate understood the case so that the personal data had in principle been lying
available to all of the hospital's employees, a total of over 5,000 people. However, there is talk
about up to 118 employees. However, many of these have not had an official need for access.
The discrepancy also extends over several years.


In addition, we believe that the discrepancy illustrates shortcomings in Sykehuset Østfold HF's management system when
this applies to internal access control.

The Danish Data Protection Agency has concluded that an infringement fee of NOK 750,000 is reasonable in this
the case.

4.12 Assessment of whether an order is to be issued

Østfold HF Hospital has not had sufficiently good management with the employees' access to
report extract with sensitive personal information in the years 2013-2019. The folders there
the report snippets were stored were not access controlled and the activity in the folders was not logged.

The report extracts have also been stored long after the lists were no longer needed.
We believe that such extensive storage of unprotected health information could take place over a long period of time
indicates deficiencies in the internal management system.


We have therefore found grounds to order Sykehuset Østfold HF to supervise the management system
for the processing of personal data is suitable to meet the requirements of the privacy regulations and
Patient Records Act:


                                                                                               14Datatilsynet believes that Østfold HF Hospital has not established a system for access control
which is sufficient to prevent similar deviations from occurring in the future. We find it therefore
necessary to impose an order on Sykehuset Østfold HF to ensure that the management system for
processing of personal data is suitable to meet the requirements of the privacy regulations and
patient record law. We refer in particular to the routines for access control and storage
personal information. The management system must involve follow-up that the routines are followed, including
follow-up that only secure systems are used in the processing of sensitive personal data.

We refer to Article 32 of the Privacy Ordinance, cf. Article 24, and Section 23 of the Patient Records Act.

5. Right of appeal and further proceedings
This decision can be appealed within three weeks after you have received this letter, cf.
Sections 28 and 29 of the Public Administration Act. Any complaint is sent to the Danish Data Protection Agency. If we do not take
as a result of the complaint, the case will be sent to the Privacy Board for processing complaints, cf.
the Personal Data Act § 22.


If you do not complain about the order, we ask that Sykehuset Østfold HF document that
the management system is in line with the order by 01.12.2020.


If you have any questions, you can contact caseworker Susanne Lie (tel. 22 39 69 57,
e-mail suli@datatilsynet.no).



With best regards


Bjørn Erik Thon

director
                                                                  Susanne Lie
                                                                  senior legal adviser

The document is electronically approved and therefore has no handwritten signatures.