Norwegian Data Protection Authority fines City of Oslo

Updated: Apr 14, 2020

The Norwegian data protection Authority has issued an administrative fine of EUR 49 300 to the city of Oslo for having stored patient data outside the electronic health record system at the city’s nursing homes/health centres from 2007 to November 2018.

“This is a serious violation, given the extended time period and considerable scope of processing,” stressed Bjørn Erik Thon, Director general of the Norwegian data protection Authority. “An indeterminable quantity of health data has been available to a large number of employees for at least 11 years. The city of Oslo has the largest population of all Norwegian municipalities and should, therefore, be especially well placed to comply with relevant information security requirements.”

The case commenced when the city of Oslo despatched a data breach notification to the data protection Authority in November 2018. The city of Oslo reported that its 19 nursing homes/health centres under the Nursing home agency, as well as nine private nursing homes under contract with the city, had made a practice of using so-called worksheets. These worksheets would include information about the residents, detailing their daily needs and care routines, and residents were identified by their complete names and national identity numbers, initials or room numbers.

The worksheets were stored electronically in the individual nursing home’s/health centre’s internal zone, where all unit employees, as well as some employees in the Nursing home agency, had access. Approximately 90 percent of the employees at those nursing homes/health centres are health personnel, but the remaining 10 percent – such as cleaning or janitorial staff – could, in theory, also log on and gain access to this information.

The sheets were allegedly continuously overwritten so that they contained data about current residents only – and no former residents – at any given time. However, employees who worked at an individual nursing home/health centre for any prolonged period of time would have had access to information about a large number of residents.

In calculating the size of the fine, the data protection Authority emphasised that the city reported the violation to the data protection authority on its own initiative and quickly took steps to delete the information. It was furthermore taken into account that the violation happened before the new personal data Act/GDPR. Under the old personal data Act, fines were limited to approximately EUR 100 000. A fine of EUR 49 300 was therefore deemed appropriate in this particular case.

The data protection Authority found that the Nursing home agency had for many years failed to take a sufficiently comprehensive approach to data protection practices at its nursing homes/health centres. The Authority concluded that the practice of storing identifiable patient data outside the electronic health record system violated the requirements for security and internal control provided in Article 32 of GDPR and Sections 22 and 23 of the health record Act.

When the practice of worksheets was discovered, the Nursing home agency sent out an e-mail to all nursing homes/health centres, instructing them to delete all worksheets immediately. Due to the way that worksheets were stored, there is no log detailing which employees have accessed the list, and there is no way of finding out whether any unauthorised persons have gained access to the data. To prevent similar situations from happening again, the Nursing home agency has implemented various measures related to internal audit, follow-up by management, and training, among other things.

The city of Oslo did not appeal the decision.