The inspection showed that the allocation of responsibility for data processing was unclear and that internal controls were inadequate. On the basis of the inspection report, the Norwegian Data Protection Authority has instructed the Norwegian Directorate for Correctional Services to establish clear lines of responsibility and authority.
The inspection was carried out at the premises of the Norwegian Directorate for Correctional Services and three underlying entities in the period November 2021 to April 2022. The Norwegian Correctional Service processes vast quantities of personal data in connection with the execution of custodial and non-custodial sentences, including remand sentences. This will often be data of a sensitive nature. In addition to information about prisoners and other convicted persons, it may also be necessary to process information about third parties, such as a prisoner’s family members or the victim in a criminal case. The Norwegian Correctional Service also processes data concerning its own employees and service providers.
- During this inspection, the Norwegian Data Processing Authority has focused particularly on the processing of personal data in connection with the execution of penal sentences, says Line Coll, Director of the Norwegian Data Protection Authority.
Unclear lines of responsibility and inadequate internal control
The Norwegian Data Protection Authority found non-conformances with the regulations relating to the allocation of responsibility and internal control.
The allocation of responsibility for data processing at the Norwegian Correctional Service has been unclear. During the inspection period, the Norwegian Directorate for Correctional Services drew up an instruction which places data processing responsibility for the entire service with the Directorate.
- The establishment of an instruction and the placement of responsibility with the Directorate is a positive step. However, after completing our inspection of the underlying entities, it is our assessment that the instruction has not been fully implemented in the organisation, says Line Coll, Director of the Norwegian Data Protection Authority.
Moreover, the Norwegian Correctional Service’s internal control was inadequate.
According to Coll, few non-conformances with the data protection regulations are reported in the existing non-conformance system. “It is our impression that this may be due to inadequate training and culture with respect to personal data security within the organisation,” she says.
The inspection's findings are described in more detail in our report, which has now been sent to the Directorate.
The Norwegian Data Protection Authority has instructed the Norwegian Directorate for Correctional Services to establish clear lines of responsibility and authority. The Directorate has also been instructed to conduct a review of its internal control system for information security and update this to ensure compliance with the Personal Data Act at all levels in the service. The Directorate has been given six months to fulfil these instructions.
Complex and confusing regulations
The Norwegian Correctional Service's processing of personal data is regulated by a variety of different rules.
The Norwegian Data Protection Authority’s director, Line Coll, says there is reason to believe that a fragmented and complex regulatory framework has made it difficult to understand which rules apply, and that this has affected the Norwegian Correctional Service's compliance with its statutory obligations.
Norway's Personal Data Act of 2018 and the EU's GDPR do not apply to the processing of personal data in connection with the execution of penal sentences. Since 2018, legislators have given notice of new regulations for the processing of personal data in connection with the execution of penal sentences. Until such time as a new regulatory framework comes into effect, it has been determined that the Personal Data Act of 2000 will continue to apply to this type of data processing.
- In our opinion, it is unfortunate that work on the new regulations has taken a long time and that new regulations are still not in place. Based on the inspection, we have raised the need for new regulations in a letter to the Norwegian Ministry of Justice and Public Security. We are willing to contribute input in this endeavour, says Line Coll, Director of the Norwegian Data Protection Authority.