Datatilsynet - 20/01865

From GDPRhub
Datatilsynet - 20 / 01865-1 (19/03054)
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 2 GDPR
Article 4(1) GDPR
Article 5 GDPR
Article 6 GDPR
Article 9 GDPR
Article 57 GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 21.08.2020
Published: n/a
Fine: None
Parties: Bodø Kommunale Pensjonskasse (BKP)
National Case Number/Name: 20 / 01865-1 (19/03054)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: www.datatilsynet.no (in NO)
Initial Contributor: Marco Blocher

The Norwegian DPA (Datatilsynet) issued a reprimand to a Norwegian pension fund (Bodø Kommunale Pensjonskasse - BKP) for unnecessarily processing and transferring data in violation of Articles 6 and 9 GDPR.

English Summary

Facts

The Datatilsynet received a notification alleging that Bodø Kommunale Pensjonskasse (BKP), a Norwegian pension fund, obtained unnecessary medical certificates, lacked control over archives and shared special categories of personal data with third parties. Based on this notification, the Datatilsynet started an independent investigation in November 2019.

Results of the investigation

The Datatilsynet found two violations of Articles 6 and 9 GDPR in that the BKP

  • has processed special categories of personal data in statistics that do not appear to be necessary and
  • has transferred special categories of personal data to Bodø Municipality without a legal basis under Articles 6 and 9 GDPR.

In essence, the Datatilsynet considered it very problematic that the BKP had a practice of creating statistics that still contained personal data of the BKP's customers under Article 4(1) GDPR. These statistics even included health data, which qualify as a special category of personal data under Article 9(1) GDPR. The Datatilsynet considered that such processing might be based on Article 6(1)(f) GDPR (legitimate interest) and, regarding health data, on Article 9(2)(b) GDPR (fulfilling obligations under social security law). However, the Datatilsynet was not convinced that statistics containing personal data were truly necessary, or that the BKP could not have compiled the statistics in a manner that would result in anonymised data.

With regard to the transmission of these statistics, which still contained personal data, to Bodø Municipality, the Datatilsynet held that there is no legal basis under Articles 6 and 9 GDPR and that such processing should be stopped.

The alleged obtaining of unnecessary medical certificates in order to assess a person's entitlement to a disability pension was not considered to amount to a GDPR violation, as these certificates might indeed be necessary to achieve the purpose.

Regarding the access of the BKP's board to data about the BKP's customers (e.g. gender, year of birth, position, information on membership and pensions, reason for retirement, medical conditions) the Datatilsynet could also not conclude that this was not necessary.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

BODØ MUNICIPAL PENSION FUND
PO Box 319 8001 BODØ

Their reference:
Our reference: 20 / 01865-1 (19/03054) / JHN
Date: 21.08.2020


Advance notice of reprimand

The Data Inspectorate has received notification, which concerns Bodø Kommunale Pensjonskasse (BKP), pursuant to the Working Environment Act § 2a-1 no. 1 on breaches of personal data security, cf. § 2a-1 no. 2 letter f.

The documents in the notification are exempt from public access also for the parties to the case, cf. the Working Environment Act § 2a-7. The Norwegian Data Protection Authority reminds of the prohibition against retaliation in the Working Environment Act § 2a-4.

The notification stated that BKP had a practice in cases of disability pension where unnecessary medical certificates were obtained, lack of control over archives and a collection and sharing of statistics where sensitive personal data was shared with units outside BKP.

Based on the notification, the Data Inspectorate chose to initiate an independent investigation and sent a request for a report on 06.11.2019 and received a response from BKP on 26.02.20. Additional requests were sent for a statement on 17 April 2020, which was answered on 08 May 2020.


1. Notice of decision on reprimand

This is a prior notice pursuant to the Public Administration Act § 16, that the Data Inspectorate makes a decision on reprimand against Bodø Kommunale Pensjonskasse, org.nr. 940 027 365, for:

• Violation of Articles 6 and 9 GDPR in that BKP has processed sensitive personal data in statistics that do not appear to be necessary.
• BKP has handed over sensitive personal information to Bodø Municipality without a legal basis in art. 6 and 9.

Our legal basis for issuing a reprimand is Article 58 (2) (b) GDPR.


Postal address: PO Box 458 Sentrum, 0105 OSLO
Office address: Tollbugt 3
Telephone: 22 39 69 00
Fax: 22 42 23 50
Org.nr: 974 761 467
Website: www.datatilsynet.no

2. Background of the case

The case concerns allegations of illegal processing of personal data in Bodø Kommunale Pensjonskasse.

Although the Data Inspectorate has initiated its investigation on the basis of a notification, the case processing and decision are directed at BKP, and based on the factual basis that has emerged from BKP on the basis of the Data Inspectorate's questions.

The whistleblower is not a party to the case, as the alleged illegal processing of personal data does not concern the whistleblower, and only BKP will have the right to appeal, cf. § 28.

The Norwegian Data Protection Authority has considered three factors to be central: obtaining medical certificates, handing over personal information to outsiders and the board's processing of personal information.


3. Legal basis

The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. Article 57 GDPR.

3.1. Choice of law

The Personal Data Act (2018) and the GDPR entered into force on 20 July 2018. Prior to this, the processing of personal data was regulated by the Personal Data Act of 14 April 2000 no. 31 and the now repealed Personal Data Regulations of 15 December 2000 no. 1265. (2018) § 33.

According to the Personal Data Act (2018) § 33, the rules «which applied at the time of action» shall be used as a basis when a decision on infringement fines is made, unless the legislation at the time of the decision leads to a more favorable result for the person responsible.

It follows from the Personal Data Act § 28 that the right to impose an infringement fee becomes obsolete five years after the infringement has ceased. The deadline is interrupted by the Data Inspectorate giving prior notice of or making a decision on the infringement fee.

Although the main part of the illegal treatment took place before 2015, there are also circumstances in 2015 and onwards that could have resulted in an infringement fee under the old law.

The Data Inspectorate nevertheless processes the case in accordance with the rules in the Personal Data Act and the GDPR, which entered into force on 20 July 2018. The previous regulations do not allow for reprimand as a form of reaction. Treatment according to new regulations will therefore also lead to a more favorable result for BKP.

3.2 More about the requirements of the Personal Data Act

The Personal Data Act implements the European Privacy Regulation in Norwegian law.

The rules in the Act and the Regulation apply to fully or partially automated processing of personal data, cf. the Personal Data Act § 2 and the GDPR Article 2. The initial condition for the Regulation to apply is that a processing of personal data takes place.

Article 4 (1) of the Regulation defines personal data as follows:

"Any information about an identified or identifiable natural person ("the data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular by means of an identifier, e.g. a name, identification number, location information, a network identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

The definition of personal data is broad. The relevant thing is that the information is suitable for identifying a person, also with aids.

All processing of personal data must be in line with the basic principles of Article 5 of the Regulation. The principles imply that the processing must be lawful, fair and transparent (letter a). The treatment must only take place for predetermined purposes, and not be reused for new purposes that are contrary to the original ones (letter b). The treatment must be adequate, relevant and limited to the specific purpose (letter c). The information must be correct (letter d), and it must only be stored for a limited period of time according to what is necessary for the purpose (letter e). The processing shall take place in a manner that ensures the integrity and confidentiality of the personal data (letter f). This principle means that personal data must be secured against outsiders gaining unauthorized access, through appropriate organizational and technical measures.

The controller is responsible for ensuring that these principles and the regulation as a whole are complied with (Article 5 (2)).

One of the GDPR's requirements for the processing to be considered legal is that there is a basis for processing. The various forms of treatment basis can be found in Article 6 of the Regulation.

Health information is a special category of personal data, cf. the GDPR Article 9 no. 1. In order for the processing of health data to be lawful, the processing must also fulfill one of the conditions in Article 9 no. 2 letters a to j. This may, for example, be that the data subject has consented to the treatment (letter a) or that the treatment is necessary to provide or manage health services (letter h).


4. Obtaining medical certificates

BKP states in its report that it has been practice in applications for gross pensions (disability pensions) to obtain health information / medical certificate, also in those cases where NAV has concluded that the degree of disability is 50% or higher.

It is stated that 27 declarations were obtained in 2017, 12 in 2018 and 20 in 2019. The Data Inspectorate also requested figures for 2014, 2015 and 2016, but has not received these.

The legal basis for this practice is stated to be the Main Collective Bargaining Agreement for the public sector, Appendix 5 §§ 8-1 (1) and 8-4 (2). Reference is also made to a corresponding requirement for documentation for the Government Pension Fund (SP) pursuant to the Act on SP § 20 and the National Insurance Act § 21-3.

BKP states that they changed their practice in 2017 so that medical certificates are no longer obtained in cases where NAV has granted a disability pension based on a degree of disability of 50% or more, which is in line with practice in other pension funds.

It is clear that this is the processing of special categories of personal data, cf. art. 4 No. 1, cf. art. 9.

In Datatilsynet's assessment, this may fulfill the conditions for a basis for processing in Article 6 no. 1 letter b) when the processing is necessary to fulfill an agreement to which the data subject is a party, cf. art. 9 no. 2 letters a and b. The question is whether the personal data that has been processed has been adequate, relevant and limited to the specific purpose, cf. the GDPR art. 5 no. 1 letter c.

The purpose of the treatment has been to assess which degree of disability is to be used as a basis for the payment of a pension, and in that connection a doctor's certificate will be relevant and sufficient.

The principle of data minimization is a key principle in privacy law and one should always seek to process as little personal data as possible. It therefore appears effective and in line with this principle to rely on NAV's assessment in cases where the degree of disability is 50% or more, which is the practice in other pension funds. It is nevertheless difficult to say that there is a clear violation of Art. 5 no. 1 letter c, as BKP has the authority to independently assess the degree of disability and has the opportunity to apply a disability percentage that deviates from NAV's.


5. Collection of statistics - sharing of personal information with outsiders

BKP has reported that from 2000 to 2015, an overview was prepared and sent to Bodø Municipality, which is the pension fund's largest customer.
In total, information was sent about 1028 people who were employed in Bodø municipality and 25 people who were employed externally.

The information contained gender, age, diagnosis category, department in the municipality, position. In some wards, only one person was listed.

The diagnoses were divided into 8 categories with varying degrees of precision where e.g. category F was bone fractures, while category S were special diseases and contained 18 diagnoses such as alcoholism or tinnitus. There were 4 departments, but also three units outside Bodø municipality.

An example based on the categories could be:

Female, 35 years, diagnosis category D (Depression, anxiety, burnout),… .. ward, auxiliary nurse

Article 4 (1) of the Regulation defines personal data as follows:

"Any information about an identified or identifiable natural person ("the data subject"); an identifiable natural person is a person who can be directly or indirectly identified"

Even if the entries do not contain names, due to age, occupational title and place of employment, which are partly small units, it will be easy to identify the registered person. As the entries contain health information, they will fall under art. 9 and the rules on special categories of personal data.

Statistics that are anonymised will not fall under the rules of the GDPR, but this is not the case here as the statistics contain personal data. In addition, the processing of personally identifiable information into statistics will often involve processing that falls under the privacy regulations. One must then look at whether, firstly, BKP's internal processing was in line with the rules for processing personal data and then whether there was a legal basis for handing over the data to Bodø municipality.

The processing of personal data must always have a legal basis in Art. 6, but for special categories of information, the conditions in art. 9 must also be fulfilled.

Preparation of statistics containing personal data may have a legal basis in art. 6 no. 1 letter f if the processing is necessary for purposes related to the legitimate interests pursued by the data controller or a third party, unless the data subject's interests or fundamental rights and freedoms take precedence and require protection of personal data, especially if the data subject is a child.

Here one might think that BKP has a legitimate interest in using personal data to compile statistics in order to effectively run the pension fund, but there will still be questions related to whether it is necessary that the statistics are in such a form that the registered persons can be identified.
With regard to the conditions in art. 9, explicit consent under letter a or to fulfill obligations within social security law under letter b may be relevant grounds, but it may still be questioned whether statistics containing personal data were necessary and whether the statistics could not have been compiled in another manner.

The Data Inspectorate finds that the preparation and processing of this type of statistic is not compatible with the rules in art. 6 and 9.

When it comes to disclosure to Bodø municipality, which is a customer of BKP, the Data Inspectorate cannot see that there is a legal basis for the disclosure. Bodø municipality is a customer of BKP and there must therefore be both a basis for disclosure and a legal basis for Bodø municipality's processing. The Data Inspectorate cannot see that this exists.


6. Collection of statistics - processing of personal data by the board

BKP has stated that the board has processed personal information about the pension fund's customers and has been asked to submit documentation for the period 2014-18 and 2018 to 2019.

The information has been provided in the following form:

Gender, year of birth, position, information on membership and pensions, and reason for retirement.

The information on health status has been partly imprecise in the absence of specific diagnoses, as well as very close e.g. lung cancer, breast cancer, mental overload, heart problems, mental illness, anxiety, illness after birth etc.

BKP has changed its practice with regard to what information is presented to the board, and from 15.03.18 the cause of incapacity for work has no longer been included.

The Data Inspectorate refers to the discussion above regarding the legal basis for preparing and processing statistics that contain personal data and the deficiencies in fulfilling the conditions in Art. 6 and 9.

It can also be questioned here whether it was necessary for the board to process statistics that contained special categories of personal data. The Data Inspectorate cannot conclude that it was not necessary, but it is clear that any business should minimize that type of processing.


7. Further proceedings

This letter is a prior notice of a decision on reprimand, cf. the Public Administration Act § 16, cf. the GDPR Art. 58 No. 2 letter b.


Reprimand is an administrative reaction with the purpose of marking criticism of the alleged violation of the rules.

The imposition of a reprimand may be emphasized in a possible later assessment of the imposition of an infringement fee if there is a corresponding breach of the regulations, cf. the GDPR art. 83 No. 2 letter i.

The Norwegian Data Protection Authority will emphasize that the case has been processed under new regulations as it has led to a milder reaction, cf. the Personal Data Act § 33.

If you have comments on this notice, we ask that they be sent to us as soon as possible and no later than 17.09.2020.

If you have any questions, you can contact the undersigned caseworker (e-mail: jani@datatilsynet.no).


With best regards
Jan Henrik Nielsen
senior legal adviser


This letter has been approved electronically by the Norwegian Data Protection Authority and therefore has no signature.