The Norwegian Data Protection Authority is investigating why 17,200 Nav employees have had access to sensitive notes about 1,377 doctors. These accesses have existed since 2011. The notes have contained details and assessments of doctors’ collaboration with Nav, as well as personal relationships about the doctors. These reports have been made by Nav when they have not been satisfied with the doctors’ follow-up of the patients and cooperation. The files have described sanctions against doctors who have lost the right to practice at the expense of the social security. The content could also reveal health information about the doctor’s patients who have been Nav users. This is revealed in documents to which news has access. Must explain – We have asked Nav for an explanation as to why Nav has had a mix-up of systems, says lawyer Ingrid Helene Espolin Johnson in the Norwegian Data Protection Authority. The Norwegian Data Protection Authority wants a justification for the fact that there was a mix-up of checks with doctors with case management of Nav users. The control reports on the doctors have been in the Treatment folder in the Arena system, which almost all Nav employees use. When people are on long-term sick leave, Nav communicates both with doctors and with workplaces, as well as users. All this information has been available in the same IT system to which most Nav employees have had access. Control of doctors Nav describes the discrepancy as follows: “It means that too many people had access to information that was not strictly necessary for the work they do in Nav, and it is a breach of privacy.” The agency has now closed access to the doctor’s notes, with the exception of nine employees. – It is positive that Nav has discovered the discrepancy and that the solution has been closed, says Espolin Johnson in the Norwegian Data Protection Authority. Insufficient logging The Norwegian Data Protection Authority also wants answers to why the Nav system has lacked logging. Because this means that Nav does not have an overview of which employees have read control reports and personal information about doctors and about users. MIXING: Ingrid Helene Espolin Johnson (left) investigates the breaches of personal data security at Nav, here together with communications manager Janne Dahl Stand and director Line Coll at the Norwegian Data Protection Authority. Photo: Anne Cecilie Remen / news – We know who has had access, but not who has been inside the Handler folder, explains Nav’s communications advisor Nina Tuv in an email to news. Nav writes in its statement to the Norwegian Data Protection Authority that they are unable to find which assessments were made when the “Processor folder” was created in 2011. Nor can Nav explain why a log was not established and control over employees who entered. – The fact that it has not been possible to track and log employees’ movements in the Handler folder is a decisive reason why this is a privacy breach, and that we have now closed the Handler folder for use, says Tuv. Nav investigates whether doctors must be notified of a possible privacy breach. Serious shortcomings In 2023, the Norwegian Data Protection Authority gave Nav a fine of 20 million for 12 breaches of the law on privacy. The Norwegian Data Protection Authority believes that Nav has deliberately broken the law for a number of years. This is disputed by Nav, which has appealed the case to the Norwegian Personal Protection Board. The new discrepancy in the personal data protection was discovered after the Norwegian Data Protection Authority had finished the inspection report that proposed the 20 million kroner proposal. – This discrepancy is reflected in several of the findings from the inspection case, which are about serious deficiencies in Nav’s confidentiality safeguards. What distinguishes this case from the supervision case is the mixing of service provision and control purposes. The access management for these functions should probably be arranged differently, and we have asked Nav to explain this, says Espolin Johnson in the Norwegian Data Protection Authority. The Norwegian Data Protection Authority has not yet processed the report from Nav and cannot yet say whether they will demand more measures. – We have to get back to that, says Espolin Johnson. Published 13.12.2024, at 09.32
ttn-69

