– It started when I was sick after a car accident. Then I discovered that many people at work in Nav knew a lot about me and my health, and I suspected that they had been snooping in my folder, says Janne Cecilie Thorenfeldt, who works daily in Nav as a consultant. Thorenfeldt asked for access to logs of who had been in her folder, and after a while she got it. Then she understood that the suspicion was correct. Both managers and a number of colleagues had accessed her personal Nav folder one or more times. The postings took place in the years from 2017 to 2022. – Many Nav employees have been inside my personal folder, and read very private things about me. It has been a big burden. Nav sits on unimaginable amounts of personally sensitive information on all Norwegians, on over 5 million people, while the access management and systems are deficient. This is what I want to focus on, says Thorenfeldt. A few colleagues needed to access her file to process her sick leave. – There are perhaps 3–5 colleagues who had official needs, but not all the others who have been in my file, says Thorenfeldt. She is a shop steward in Nav, and is not afraid to stand on the barricades. Nav’s computer systems are outdated and do not protect the privacy of the 20,000 employees and over 5 million users well enough, she believes. PERSONAL DATA: NAV sits on sensitive personal information about the finances, health, family life and work of more than 5 million Norwegians Photo: Caroline Bergli Tolfsen / news Nav’s management has for a long time received offers to be interviewed in this matter, but has not wanted to . Instead, news has received an e-mail from legal director Trond Eirik Schea at Nav, which states: “Over the years, the requirements for privacy protection have become stricter, and Nav has therefore carried out several large projects to modernize IT solutions and meet the new privacy requirements . Today, we have both new and some older IT systems, and we are continuously working to modernize the older systems.” System failure in Nav Thorenfeldt went to a compensation case against his own employer, but lost the case both in the district court and the court of appeal now in the spring of 2023. SYSTEM FAILURE: Judge determines that Nav has had major weaknesses in the system for processing personal data. Legal director Trond Erik Schea says that they take the criticism from the judgments seriously and have implemented several measures to improve the systems. Photo: David Vojislav Krekling / news The judgments nevertheless contained clear criticism of Nav’s IT security and privacy. Both the Borgarting Court of Appeal and the Oslo District Court determined that there had been a breach of the rules on the processing of personal data at Nav. It appears from the court documents that 130 Nav employees had been in Thorenfeldt’s personal folder, and that there had been a total of 1,400 notices on her. The claim for compensation was rejected, because the court believed that it could not be proven that all the insights from colleagues had led to any concrete damage to Thorenfeldt or had led to financial loss. This is stated in the judgment from Borgarting’s Court of Appeal: “The violations are a general “system failure” in Nav’s routines and systems, not a violation directed specifically at Thorenfeldt. (…) If, in such situations, compensation were to be granted to individuals, in the view of the Court of Appeal, it could have a financial scope that is difficult to assess.” Janne Cecilie Thorenfeldt also notified the Norwegian Data Protection Authority about the shortcomings of Nav’s IT system and the poor privacy protection. At the same time, the Norwegian Data Protection Authority received several tips about Nav employees’ privacy. The supervisory authority gave Nav several orders to improve the privacy of employees, such as improving access management, and establishing an arrangement with a set office, confirms section head Camilla Nervik in the Norwegian Data Protection Authority. Nav says they have followed up on the orders. Taking the case to Strasbourg Thorenfeldt has now received help from law professor Mads Andenæs at the University of Oslo. Together with former president of the EFTA Court, Professor Carl Baudenbacher, he brings the case before the European Court of Human Rights in Strasbourg (ECtHR). Law professor Mads Andenæs has faith in winning in Strasbourg. – This is an important and principled matter, and the judgment is unfortunate because it does not provide effective protection for people who have been exposed to privacy violations, this can lead to more violations, and these system errors are not resolved, says Mads Andenæs. STRASBOURG: The Court of Human Rights deals with cases where states are an international court that judges in cases where states are sued for violations of the European Convention on Human Rights. Photo: NTB The professor elaborates: – It is important to get this case before the Human Rights Court in Strasbourg. Because the Human Rights Court sees this in the opposite way to what the Norwegian legal system does; This can have major financial consequences and therefore they will want to look into the matter, says Andenæs. HUMAN RIGHTS: Law professor Mads Andenæs is confident of winning in the European Court of Human Rights in Strasbourg Photo: Benjamin Vorland Andersrød – We believe the Norwegian legal system has not handled human rights here, says Andenæs. To this, Nav’s legal director replies: – Nav has taken the criticism in the judgment from the Norwegian courts seriously and in recent years has implemented several measures to improve employees’ privacy. If the case were to be dealt with in the Human Rights Court, we will of course have to take a position on it when the time comes, emphasizes Schea in the e-mail. Varsler Thorenfeldt is overwhelmed by the support from the professors. – I am very grateful for this help. It has been a lonely struggle. Several colleagues have supported me in secret, but not many who dare to come forward, says Thorenfeldt. SUPPORT: Chief Protection Officer Jens Eskedal in Nav Oslo has been a supporter of Janne Cecilie Thorenfeldt. Photo: Anne Cecilie Remen / news She also singles out the chief protection officer Jens Eskedal in Oslo as a valuable supporter. – It has been very important for me to have this support from the chief protection officer, says Thorenfeldt. Chief protection officer Jens Eskedal believes Thorenfeldt has done an important job as a whistleblower. – Janne Cecilie has acted orderly and submitted a legal notification about weaknesses in Nav’s privacy system at an early stage, when many of us were not aware of the weakness, but she has not been heard. The case could have been solved in a completely different way, it has been very difficult for her to stand in this case almost completely alone, and she has taken this case on her own account. In addition to everything else, it has been a big financial burden, says chief protection officer Eskedal. Eskedal and Thorenfeldt believe Nav has a poor culture for treating whistleblowers. Nav rejects this. – On a general basis, we can say that we do not recognize that we have a culture that does not take care of whistleblowers. We process notifications in line with the rules in the Working Environment Act, highlights legal director Schea in the email. Hey, do you have any thoughts on this matter? Feel free to send me an email. I work a lot with working life, privacy and IT security, and would like input or tips on other matters I should look into. Get in touch then.
ttn-69
Taking the case against Nav to Strasbourg – news Norway – Overview of news from different parts of the country
