PVN - PVN-2023-23

From GDPRhub
PVN - PVN-2023-23
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 9(2)(b) GDPR
Article 57(1)(f) GDPR
Article 77 GDPR
Decided: 06.02.2024
Published: 06.02.2024
Parties: Datatilsynet (DPA)
Data subject
NAV (controller)
National Case Number/Name: PVN-2023-23
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
22/05273-4
Appeal to:
Original Language(s): Norwegian
Original Source: Personvernnemnda (in Norwegian)
Initial Contributor: Maximilien Hjortland

The Norwegian Privacy Appeals Board (Personvernnemnda, PVN) upheld the DPA's decision not to reconsider a rejected complaint in which the Labour and Welfare Administration (NAV) had admitted that the data subject's case files had been unlawfully and repeatedly read.

English Summary

Facts

NAV, the Norwegian Labour and Welfare Administration, is a government agency that collaborates with local municipalities to provide unified access to public labour and welfare services. Its primary functions include promoting employment and ensuring financial and social security. NAV administers a significant portion of the state budget and, with about 22,000 employees, is one of the country's largest employers. Nearly all citizens of Norway are in contact with NAV at some point in their lives.

In a letter to the data subject, NAV admitted that his case files had been unlawfully read, which amounted to a breach of confidentiality. This formed the basis of the original complaint under Article 77 GDPR, which the DPA declined on the following basis:

The Norwegian DPA, Datatilsynet, argued that it is not the competent authority to assess the lawfulness of isolated look-ups of individual case files, or a possible breach of NAV employees' duty of confidentiality.

PVN linked this appeal to a broader DPA investigation, opened in September 2023, into NAV's insufficient logging, access management and log controls (Datatilsynet (Norway) - 23/00708).

On 6 February 2024, PVN unanimously decided to uphold the DPA's decision not to further investigate this case.

Holding

PVN underscored that this case does not concern the lawfulness of processing under Article 6 GDPR or the processing of special categories of personal data under Article 9 GDPR. Rather, the crux is whether one of the controller's employees had a valid reason to access a particular case file.

PVN further held that isolated instances of "unnecessary" access to case files do not necessarily amount to a breach of Articles 24 and 25 GDPR, and therefore do not in themselves warrant corrective measures under Article 58(2) GDPR.

Comment

NAV may lawfully process personal data of registered individuals based on Articles 6(1)(c), 6(1)(e), and 9(2)(b) GDPR and in agreement with national law.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Privacy Board's decision on 6 February 2024 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Malin Tønseth and Hans Marius Tessem)
The case concerns a complaint from A about the Norwegian Data Protection Authority's decision on 7 June 2023 to close the case regarding illegal processing of personal data at NAV, without issuing an order.
Background of the case
A approached the Norwegian Data Protection Authority on 23 April 2023 and complained about unjustified snooping on his personal data by an employee at NAV. Attached to the complaint was correspondence with NAV after A's request for access to logs at NAV had revealed a look-up of his personal data by an NAV employee without an official need for access.
In a letter to A on 7 June 2023, the Norwegian Data Protection Authority closed the case without deciding whether NAV had breached the Personal Data Act and without assessing any corrective measures. The Norwegian Data Protection Authority stated that it had dealt with A's inquiry, but had decided not to carry out further investigations into the matter. In the letter, the Norwegian Data Protection Authority stated that the decision not to carry out further investigations was an individual decision that could be appealed to the Privacy Appeals Board.
A complained about the Norwegian Data Protection Authority's closing of the case on 12 June 2023.
The Norwegian Data Protection Authority processed the complaint and upheld its decision not to carry out further investigations.
The case was forwarded to the Privacy Appeals Board on 20 September 2023. A was informed about the case in a letter from the board, and was given the opportunity to make comments. The tribunal has not received any further comments.
The case was dealt with in the board's meeting on 6 February 2024. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Hans Marius Tessem and Malin Tønseth. Investigation leader Anette Klem Funderud was also present.
The Norwegian Data Protection Authority's assessment in brief
According to the Personal Data Protection Regulation, Article 57 no. 1 letter f, the Norwegian Data Protection Authority must process and investigate complaints to the extent that it is appropriate. The Authority assesses which further investigations the case requires, based, among other things, on how serious a potential offence would be.
A's inquiry has been dealt with and the Authority has come to the conclusion that it is not appropriate to carry out further investigations.
The Norwegian Data Protection Authority cannot assess the lawfulness of individual look-ups in records at NAV. This depends on whether the person who made the look-up had a factual reason for doing so. Such an assessment must be based on the employee's work duties. It is NAV that knows the employee's work duties, and consequently it is NAV that must assess whether the look-ups were justified. Furthermore, unjustified look-ups are considered a breach of the rules on confidentiality in the Public Administration Act. If A believes that the duty of confidentiality of NAV employees has been breached, this may have to be complained of to NAV or pursued via the courts. The Norwegian Data Protection Authority is not the right authority to enforce the regulations relating to public employees' duty of confidentiality.
The Norwegian Data Protection Authority states that NAV users' privacy rights are a topic the Norwegian Data Protection Authority is concerned with, and that the Norwegian Data Protection Authority follows up on NAV centrally in areas such as log control and management of access to personal data. The Authority states that it takes the information from A into this work.
A's view of the case in brief
A wishes to complain that the Norwegian Data Protection Authority does not take his case into consideration.
It is likely that there has been a breach of the law in that NAV, in a letter which he has attached to the complaint, has admitted that illegal postings have been discovered in his files.
A assumes that NAV would have taken the matter seriously if the Norwegian Data Protection Authority had made contact and carried out further investigations.
NAV has already admitted to unauthorized disclosure of his personal data and breach of confidentiality. He is concerned about the indifferent way in which NAV handled the privacy breach.
The reason for his submitting the complaint was a call from the Norwegian Authority's information service. He explained carefully on the phone what the case was about and was asked to submit this as a written inquiry.
The Norwegian Privacy Board's assessment
NAV can process information about its users on the basis of the Personal Data Protection Regulation, Article 6 no. 1 letter c (legal obligation), Article 6 no. 1 letter e (exercise of public authority), as well as Article 9 no. 2 letter b (fulfilling obligations in the area of social law), to the extent that this is permitted under national law.
The Norwegian Data Protection Authority's duties follow from Article 57 of the Personal Data Protection Regulation. According to the provision, the Norwegian Data Protection Authority must process a complaint submitted by a data subject and investigate, to the extent that it is appropriate, the subject of the complaint, as well as inform the complainant of the course and outcome of the investigation within a reasonable period, cf. the Personal Data Protection Regulation, Article 57 no. 1 letter f.
In a number of cases, the tribunal has assumed that the supervisory authority has a certain freedom to decide how extensive investigations the individual case requires. However, this does not mean that the Norwegian Data Protection Authority can freely choose which complaints to process and which it chooses not to process. The tribunal has assumed that the Norwegian Data Protection Authority is initially obliged to process and make a decision on whether the Personal Data Act has been breached when it receives a complaint under Article 77, but that the Act allows for a certain flexibility when it comes to how extensive investigations of the facts are necessary and/or appropriate.
In cases where the Norwegian Data Protection Authority has closed a case without taking a decision on whether the Personal Data Act has been breached, the Privacy Appeals Board has in its practice assumed that the decision must be assessed as a decision on rejection, which can be appealed under the Public Administration Act. As Article 77, according to the tribunal's assessment, imposes a duty on the Norwegian Data Protection Authority to process complaints, such decisions have been revoked and the case has been returned to the Norwegian Data Protection Authority for new processing.
In this case, the Norwegian Data Protection Authority has not found it appropriate to carry out further investigations, and has closed the case without deciding whether the Personal Data Act has been breached. In the letter to A, the Authority has referred to a more extensive investigation case which includes log control and management of access to personal data at NAV. The Norwegian Data Protection Authority writes that the information from A is included in the work on that case, without a further explanation of the connection between them.
The Personal Data Protection Regulation must ensure both individual rights and the data controller's general compliance with the data protection rules. In the past, the tribunal has in some cases concluded that it was prudent for the Norwegian Data Protection Authority not to pursue an inquiry from a data subject as a separate case, but to allow the complaint to form part of a broader supervisory case against a data controller. In the broader supervisory case, individual data subjects will not have rights as parties, see for example PVN-2022-12.
In this case, the tribunal has not found it appropriate to return the case to the Norwegian Data Protection Authority for the Norwegian Data Protection Authority to decide whether the law has been broken. The tribunal has emphasised that the case is not about whether or not a data controller has a valid processing basis for its processing of personal data, but about whether an employee of the data controller had a factual reason for looking up the data in a journal at NAV.
NAV itself has concluded that there have been look-ups of information about A which were not justified by official need, and which thus represent a breach of NAV's internal guidelines. If this is also to amount to a breach of the Personal Data Act, corresponding findings must be made to such an extent that one can conclude that they are due to inadequate technical and organisational measures on the part of the data controller, cf. the Personal Data Protection Regulation, Articles 24 and 25, and represent a breach of the general principles for the processing of personal data in Article 5. Individual cases of "unnecessary" look-ups do not necessarily mean that the data controller has breached the Personal Data Protection Regulation, Articles 24 and 25, such that they may lead to "corrective measures", cf. the Personal Data Protection Regulation, Article 58 no. 2.
In the autumn of 2023, the Norwegian Data Protection Authority carried out an inspection at NAV, and it is mentioned both in the media and on the Norwegian Data Protection Authority's website that the Norwegian Data Protection Authority has sent NAV advance notice of a decision which entails several orders to rectify breaches of information security. At the same time, notice is given of the imposition of a fee of NOK 20 million for breaking the law. One of the key shortcomings that the Norwegian Data Protection Authority points out in its notice is the lack of "a comprehensive and suitable system for organisational measures related to access management", which is a likely explanation for the look-up without official need identified in this case.
Even if the Norwegian Data Protection Authority has for the time being only sent advance notice of a decision, cf. Section 16 of the Public Administration Act, and the case has thus not been concluded by the Norwegian Data Protection Authority, the investigations carried out by the Norwegian Data Protection Authority in the extensive supervisory case are more suitable as a basis for making decisions about violations of the Act and an assessment of any corrective measures than the single case of an unjustified look-up of information to which this case applies. In such a situation, it is not appropriate to return the case to the Norwegian Data Protection Authority with a request that it take a position on this individual case.
The Norwegian Data Protection Authority's decision to close the case without further investigations is upheld.
The decision is unanimous.
Resolution
The Norwegian Data Protection Authority's decision is upheld.
Oslo, 6 February 2024
Mari Bø Haugstad
Chair