Logo and page links

Main menu

Moss Municipal Council fined

The Norwegian Data Protection Authority has imposed a NOK 500,000 fine on Moss Municipal Council for failing to adequately protect personal data. The error has been corrected and the case closed.

Moss Municipal Council fined
Moss Municipal Council fined

In connection with the amalgamation of the municipalities of Rygge and Moss in January 2020, efforts were made to combine the use of IT systems for various municipal service areas. The case relates to an administrative system that Moss Council had used for many years and that employees in the health service for children and young people in the former municipality of Rygge began to use after the merger. Moss Council discovered the error after conversion of the system’s users and data.

Personal data and health data

The administrative system processes personal data and health data, and covers people who live in the municipality and make use of the child health clinic. The system applies to services relating to the municipality’s vaccination programme, as well as baby and child health checks and antenatal care.

Moss Council itself reported that aspects of its data processing violated the requirements for confidentialityintegrity and accessibility. The case involves personal data about both adults and children.

The following violations were reported:

  • Incorrect registration of vaccines. Some people were registered as having received vaccines when they had not, while vaccines administered to others were not entered in their records. The error creates a risk of incorrect vaccination, and a risk of errors in the Norwegian National Immunisation Registry.
  • Errors in patient records. The errors found relate to the follow-up of expectant mothers, including incorrect number of weeks of pregnancy, errors in weight and height recorded by the school health service, and errors in details of the mother’s use of alcohol/narcotic substances.
  • In one department, patient data was made accessible to healthcare personnel who had no professional need for it, and without access being traceable.
  • Errors relating to routine administration, such as appointment books, and patient record keeping.

The error has been corrected

While 2,000 people could have been affected, no specific individuals were identified as actually having been impacted by the error. The error was quickly rectified and is under control.

Based on an overall assessment of the case, to which Moss Municipal Council has contributed, the Norwegian Data Protection Authority decided to impose a NOK 500,000 fine.