Datatilsynet (Norway) - 20/01516
|Datatilsynet - 20/11347|
|Relevant Law:||Article 5 GDPR|
Article 6 GDPR
Article 24 GDPR
Article 32(1)(b) GDPR
|National Case Number/Name:||20/11347|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
The Norwegian DPA investigated a personal data breach notified by a municipality. The DPA found that the municipality had violated Articles 5, 6, and 32(1)(b) GDPR by publishing personal data on their webpage without a legal basis, without appropriate measures and without implementing proper routines when handling the public records of mail.
Datatilsynet received a notification of a personal data breach from Asker municipality. The municipality had published 127 counts of personal ID numbers and information deemed confidential under the Public Administration Act in the title of the public records. The documents themselves were not published.
The DPA found that the municipality had violated Articles 5 and 6 GDPR by publishing personal data on their webpage without a legal basis, and Articles 5 and 32(1)(b) by failing to implement appropriate technical and organisational measures to ensure ongoing confidentiality and integrity in their systems, and Article 24 GDPR for not implementing proper routines when handling the public records of mail. Datatilsynet held that publishing the title of documents containing sensitive information was a breach of Article 32(1)(b) GDPR, highlighting that the breach was reported to the municipality by a private individual and not noticed by the municipality itself. Datatilsynet highlighted that the personal data in question was not covered by the Public Administration Act. As such, the municipality did not have a legal basis cf. Article 6 GDPR. In addition, Datatilsynet found that the municipality lacked routines for publishing information to the public, violating Article 24 GDPR.
The decision discusses as well, the relationship between directive 95/46/EC and GDPR. The DPA highlighted that the initial breach happened before GDPR entered into force. As the violation was continuous and carried over into when the GDPR entered into force, the issue was decided under the GDPR.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
ASKER MUNICIPALITY Katrineåsveien 20 3440 SMOKE Their reference Our reference Date 20 / 11347-143 20 / 01516-8 15.03.2021 Decision on violation fee - Asker municipality - Notification of deviations 1 Introduction We refer to the submitted report of 20 May 2020 on breaches of personal data security, follow-up letter of 22 May 2020, in which Asker municipality announces that they are looking seriously the incident, and that in this connection they want the Data Inspectorate to carry out an on-site inspection, as well as the municipality's response of 18 December 2020. For the record, the Data Inspectorate draws attention to the fact that on-site inspections are not relevant present time. This is due to the general situation related to the existing one the pandemic in the country. Asker municipality is imposed pursuant to the Personal Data Act § 26 second paragraph, cf. Article 58 (2) (i) of the Privacy Regulation, cf. Article 83, to pay a infringement fee to the Treasury of 1,000,000 - one million - kroner • for having published personal information on the municipality's website without basis for processing, cf. Article 6 of the Privacy Ordinance, cf. Article 5, and • for not having implemented appropriate technical and organizational measures to achieve a level of security suitable for achieving continuing confidentiality in the treatment systems and services, cf. Article 32 (1) of the Privacy Regulation letter b), cf. Article 5, and • for not having satisfactory routines for handling the mailing lists on the internet, cf. Article 24 of the Personal Data Act, cf. the Personal Data Act § 26 first paragraph. The background and reasons for the decision follow below. 2. The case On 20 May 2020, the Norwegian Data Protection Authority received a report of a breach of personal data security from Asker municipality. The municipality has published confidential information on its website personal information. In addition, the municipality has published 127 birth numbers (all eleven digits) on the website. Postal address: Office address: Telephone: Fax: Org.nr: Website: PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no 0105 OSLOU The starting point for the incident was that the municipality was notified on 19 May 2020 by a private individual that document titles from the municipality's mailing lists contained 127 names and birth numbers in to together 170 journal entries. The information available was, in addition to the name and birth number, title of the document. Several of the cases concern children, and include matters from 2009 to 2014. In some cases, this has meant that confidential information has also become available published, e.g. in connection with decisions on PPT, special education and housing subsidies. The document itself has not been publicly available. The document titles of the cases discussed was immediately removed from the municipality's website. The municipality has also conducted investigations to see if there are more cases of wrongdoing publication of personal data in the mailing lists than what appears from the notification. The municipality states that some discoveries have been made, but that the municipality will continue with further surveys. In addition, the discrepancy includes 43 document titles about 33 employees from 2018 - 2019. The breach personal data security has arisen as a result of routines not being followed. The mailing lists are proofread by two people every day. Nevertheless, the municipality has not discovered the discrepancies. The municipality states that it has not had routines for taking random samples in the old mailing lists. 3 The offense The deviations concern breaches of the personal data regulations' requirement for confidentiality. Personal information that should have been screened has been made available to unauthorized persons the municipality's website. The personal information covered by the breach is the birth number and title of the document. The title of the document makes it clear that several of the cases involve children. IN In some cases, this has meant that confidential personal information has also become available published, e.g. in connection with decisions on PPT, special education and housing subsidies, as well as other information of a confidential nature. This constitutes a breach of Article 32 (1) (b) of the Privacy Regulation, which requires that a level of security is established that is suitable for ensuring continued confidentiality. When the mailing lists published on the municipality's website, it is clear that no such has been established security level. That the incident is not discovered by the municipality, but by a private person also indicates on deficient routines for detecting such incidents. The incident includes personal information that is confidential pursuant to the Public Administration Act § 13 no. Pursuant to section 7 of the Public Administration Regulations, it is not permitted to publish birth numbers and confidentiality personal information on the internet. The consequence for those affected may have been that the mailing list has become downloaded by unauthorized persons, who may distribute these further. Public Administration Act § 10 third paragraph and Public Administration Regulations § 7 first paragraph states that enterprises which are covered by the law can publish documents for the public on the Internet. It's up to the individual business to decide if this should happen. Public Administration Regulations § 7 second paragraph regulates which personal information cannot be published on the internet. Among other things, this will 2 applies to personal information that is subject to a duty of confidentiality, birth number and special categories of information provided for in Articles 9 and 10 of the Privacy Regulation. Personal information that appears from the mailing lists, which was posted on the municipality's website, was subject to a duty of confidentiality. If personal information is published on the Internet that is not permitted under the Public Access to Information Act, the Privacy Regulation will apply. This means that the municipality must have one suitable basis for processing pursuant to Article 6 of the Privacy Regulation in order to be able to publish such information. However, when personal data is not permitted by law to be published on the Internet, none of them will other conditions for establishing a valid basis for processing in accordance with the Privacy Ordinance be fulfilled. In addition, the practice could be a violation of Article 24, then established routines for handling of the mailing lists are incomplete. 4 Which regulations are to be applied The new Personal Data Act (Personal Data Act 2018), which in § 1 incorporates the EU Privacy Ordinance in Norwegian law, entered into force on 20 July 2018. The law also repealed the law 14.04.2000 no. 31 on the processing of personal data (Personal Data Act 2000) and the rules in regulation 15.12.2000 no. 1265 on the processing of personal data (Personal Data Regulations 2000). Due to the course of events, it is necessary to decide whether the case is to be assessed in accordance with the Personal Data Act 2018 or the Personal Data Act 2000. We have come to the conclusion that the Personal Data Act of 2018 must be applied in the case. Thus comes also the provisions of the Privacy Ordinance apply, cf. section 1 of the Act. This applies to everyone aspects of the case, including those concerning the imposition of infringement fines, cf. also the Personal Data Act § 26 second paragraph and § 33. This case concerns a breach of the regulations that has occurred at a time prior to the entry into force of the Personal Data Act 2018. However, the breaches of regulations have been continuous and has persisted in time, and was discovered on 19 May 2020, ie after the date of entry into force of the new Personal Data Act. The current events have in other words, extended over a longer period, from 2004 to 2020. At the time before 20. July 2018, the Personal Data Act 2000 and the Personal Data Regulations 2000 applied. Regulations §§ 2-6, 2-11, 2-13 and 2-14 regulated such matters as the case concerns. The relevant conditions that are under consideration have thus arisen before the entry into force of the Personal Data Act 2018, but they have persisted and been continuous for some time after that The new Personal Data Act came into force on 20 July. The Personal Data Act 2018 § 33 first paragraph lays down a special transitional rule on infringement fee which reads as follows: 3 «The rules on the processing of personal data that applied at the time of the action, shall be used as a basis when a decision is made on an infringement fee. The legislation on the time of the decision shall nevertheless be used when this leads to a more favorable one result for the person responsible. " When a decision is made on an infringement fee, the question of choice of law must therefore be assessed on the basis of what must be considered the time of action. The Danish Data Protection Agency's assessment is that the time of action in this case is extended in time - the illegal act or acts have occurred before July 20, but it has been, and will continue to be, a constant and continuous breaches of regulations until the person responsible for processing takes care of bringing the treatment activities in accordance with the requirements of the regulations. As the data controller has not done anything to make sure they bring illegal treatment activities to cease and in accordance with regulatory requirements before August i year, the time of action in § 33 must be considered to be after the date of entry into force of the new one the Personal Data Act. It thus follows from the Personal Data Act § 33 that this case shall be assessed in accordance with the Personal Data Act 2018. This is also in accordance with the ECHR art 7, which refers to resp. «The time of the action» and «the time when [the action] was committed». We also refer to the preparatory work for the Personal Data Act 2018 (Prop. 56 LS (2017-2018) page 196), where the Ministry states, among other things, the following on questions of choice of law between the Personal Data Act 2000 and the Personal Data Act 2018: «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to is made on the basis of the material rules in force at any given time ». The same follows from the Privacy Board's practice in cases that do not concern infringement fines and which is submitted to the tribunal before a new law, but which is processed according to a new law. See for example PVN- 2018-005 and PVN-2018-006. Against this background, we consider it clear that cases that apply on an ongoing or ongoing basis Violations of the rules must be assessed in accordance with the Personal Data Act 2018 and the Privacy Ordinance. 5 Assessment of the Privacy Ordinance's rules on infringement fines The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public authorities and bodies infringement fines under the rules of the Privacy Regulation Article 58, cf. Article 83 no. 7. It is stated here that «without prejudice to the authority of the supervisory authorities to adopt corrective measures in accordance with Article 58 (2), each Member State may provide rules on when and to what extent public authorities and bodies are established in the said Member State may be fined. ' The right to impose infringement fines shall be a tool to ensure effective compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as 4 Penalties under Article 6 of the European Convention on Human Rights. The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required offense in order to impose a fee. The case and the question of imposing infringement fines are assessed on the basis of this evidentiary requirement. In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can be imposed by a administrative body, which addresses a committed violation of law, regulation or individual decision, which is considered a punishment under the European Convention on Human Rights (EMK). For companies, the guilt assessment is unique. Section 46 (1) of the Public Administration Act states: "When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual has shown guilt ». Prop. 62 L (2015-2016) page 199 states about § 46: «The wording that‘ none individual has shown guilt ’is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore basically objective ». Article 83 provides in principle that the imposition of an infringement fine depends on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure that the imposition of infringement fines in each individual case is effective is stated in a reasonable relation to the violation and acts as a deterrent. In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following moments: a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the action concerned and the number of data subjects affected, and the extent of the damage they have suffered The breach of personal data security includes personal data of at least 120 persons, and includes 170 documents in the period 2004 - 2020. The breach of personal data security has meant that the data subject has lost control of information about oneself, and whether others have seen information about the person. The is not logged in who is in and sees or downloads personal information from the municipality's mailing list. The mailing lists contained personal information of a confidential nature. Some of the personal information is subject to a duty of confidentiality, e.g. applies to this decision on PPT, special education and housing subsidies. 5Datatilsynet takes a serious view that the municipality has not had routines that could have contributed to that the breach was discovered. Furthermore, we also consider it very serious that the offense has taken place over 16 years. b) whether the infringement was committed intentionally or negligently The Data Inspectorate finds it reprehensible that the municipality has published information about residents in the municipality where confidentiality is required. Despite routines, the breach has occurred due to of human failure. In addition, there have been insufficient routines to uncover the conditions which is mentioned in the deviation report, which the municipality itself admits. The case in question indicates that training / accountability has not had the desired effect, and that one must then consider other measures to safeguard against such violations personal data security. The incident is serious and must be described as gross negligence. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects The municipality states that they will contact the affected as soon as possible. d) the degree of responsibility of the data controller or data processor, taking into account to the technical and organizational measures they have implemented in accordance with Article 25 and 32 The data controller is responsible for the lack of organizational and technical measures that are suitable for achieving a level of safety appropriate to the risk. e) any relevant previous violations committed by the data controller or the data processor No previously relevant infringements can be identified. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it This is not relevant in the case. g) the categories of personal data affected by the infringement It can be stated that special categories of information have been published on the municipality's website, i.a. decisions on PPT, special education and housing subsidies. The documents themselves it is referred to, however, has not been published. 6h) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified of the infringement The Norwegian Data Protection Authority became aware of this through a reported breach personal data security 20 May 2020. (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that the said measures are complied with No measures have previously been taken against Asker municipality with regard to the same case subject. (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 Violation of behavioral norms has not been a topic in the deviation. k) any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement The Data Inspectorate has not established that Asker municipality has had financial benefits, or avoided direct or indirect loss as a result of the infringement. Nor can anything be stated in mitigating direction. 6 Overall assessment We refer to the submitted report of 20 May 2020 on breaches of personal data security. The Data Inspectorate views positively that Asker municipality quickly took action when the unsafe storage became discovered and reported the deviation to the Norwegian Data Protection Authority. The municipality has also implemented measures such as shall prevent similar offenses in the future. In the Data Inspectorate's assessment, however, the matter is important in principle. Asker municipality should been equipped to meet the requirements for personal data security when publishing mailing lists on their website. In this regard, a decision on infringement fines can provide an important signal effect. Among other things, the municipality has not had routines for taking random samples in old mailing lists, something the municipality states in the deviation report. This is also a consequence of the breach personal data security was discovered by a private individual. After an overall assessment, the Data Inspectorate has come to the conclusion that Asker municipality should be imposed a infringement fine. 77 The size of the fee In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that «As a starting point, the same rules for infringement fines shall apply public bodies as for private, as this is the scheme under current Personal Data Act. » The ministry further writes that they have noted the concern as some public consultation bodies have expressed, but the Ministry assumes that within the rules of Article 83 of the Regulation, which also sets out the factors to be taken into account in the measurement of administrative fees, there is room for considerable consideration with regard to the size of fee. The Ministry states that «[t] he flow limits in the regulation Article 83 state maximum limits for the calculation of administrative fees, while no one has been set minimum limits. " With regard to the size of the fee, the same factors shall apply as when assessing whether the fee shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the size of the fee must be in a reasonable proportion to the infringement and the activity, cf. art. 83 No. 1. We have in particular seen to it that the breach of personal data security is linked to one processing of personal data where confidentiality is required, and that this has happened over a period of 16 years. Furthermore, we have looked at the general expectation that citizens should be able to ensure that municipal bodies follow the rules that have been given, and especially those that give individuals rights that are intended to be a protection against the disclosure of this type of information. We refer to the general preventive considerations and the signal effect of an infringement fee in this matter, which we believe is significant. It is very important that all government agencies like processes the citizens' personal data and information about vulnerable people is their own responsibility consciously and that such incidents do not occur. After an overall assessment of the case, and in particular with regard to the duration of the infringement and seriousness and the legislation's requirement that the imposition of infringement fines in each individual case should be effective, proportionate and dissuasive, we have come to that one violation fee of NOK 1,000,000 is considered correct. 8 Right of appeal You can appeal the decision. Any complaint must be sent to us within three weeks after this the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22 8Greetings Bjørn Erik Thon director Knut Brede Kaspersen legal director The document is electronically approved and therefore has no handwritten signatures 9