Update 14 June 2024
The Data Protection Authority received NAV’s appeal against the decision to issue orders and impose an infringement penalty on 8 April 2024. After the Data Protection Authority’s review, the appeal was submitted to the Privacy Appeals Board for a final decision on 11 June 2024. As of 27 September, there has been no decision from the Privacy Appeals Board.
‘We take this matter very seriously,’ says Line Coll, Director General of the Data Protection Authority. ‘From a data protection perspective, NAV is in a special position, and the tasks that it is required to perform entail large-scale processing of personal data. This includes highly sensitive information, and we have therefore decided to impose a high penalty fee.’
Background
The Data Protection Authority carried out an inspection of NAV in September 2023 and announced its decision in the case in November 2023. NAV sent its comments on the decision in January. NAV broadly agrees with the non-conformities pointed out by the Data Protection Authority, but has made a number of comments on the notification of a penalty fee. Following a thorough assessment, the Data Protection Authority has now made a decision as previously announced.
The main conclusions are that NAV’s management system is not satisfactory to ensure compliance with the data protection regulations, and that securing confidentiality through access management and log control is also not satisfactory in practice.
‘The inspection has uncovered a number of offences that, in our opinion, show structural and organisational weaknesses, and a lack of management and understanding of the importance of data protection and the requirements that must be made of NAV in this area,’ says Coll. ‘We believe that the offences show that the work on personal data security has not been given sufficient priority and resources by NAV’s management.’
Inadequate management and difficult-to-verify compliance
The current design of NAV’s management system for access management and log control makes it very demanding to verify whether the use of the specialised systems takes place within the framework of the law. Local offices are given great freedom to organise their work as they see fit. As a result, NAV’s management principle of access on a ‘need-to-know basis’ is in practice defined at lower levels within the organisation.
In practice, management thus appears to have largely relinquished both responsibility for, and the ability to control, compliance with the General Data Protection Regulation in the areas we inspected. Inadequate management entails a high risk that compliance is left to chance. This is not acceptable for an authority such as NAV.
‘NAV forms the backbone of the welfare model on which our society is based. The majority of Norwegian citizens receive benefits from NAV at some point during their life. There is therefore an inherently high data protection risk in NAV’s operations, which means that strict requirements must apply to personal data security,’ says Coll.
Large scope
In assessing the size of the infringement penalty, the Data Protection Authority has emphasised that NAV has, over a long period, made special categories of personal data relating to a large number of persons available without the necessary security mechanisms being in place. We also emphasise that NAV has not responded adequately to repeated requests, through inspections and external evaluations, to give the work on personal data security the necessary priority.
‘Infringement penalties must be effective, proportionate and dissuasive, and we have in this case concluded that the infringement penalty should be high,’ says Coll.