– This is embarrassing and paradoxical that Nav, which sits on the largest collection of personally sensitive information of Norwegians, does not have better control over privacy, says Harald Langstad, agency trust representative in Nav. In August, the extensive privacy breach in Nav was uncovered. Employees who work with employment agencies have created candidate lists with several job seekers. In the recruitment tool, personal and sensitive information such as the jobseeker’s health data, information on social and economic conditions, mental health and ethnicity is registered. Personal information about the user’s close relatives is also contained in lists, which may also contain subjective and negative comments about the candidate. Likewise, it has been registered whether the users receive social services. For some candidates there may be a lot of sensitive information, for others less. The lists of sensitive personal information about job seekers have been on lists that are accessible to most Nav employees. This is not legal according to the GDPR and the Personal Data Act. Nav has stored and processed personal data about users without having a legal basis, it appears from Nav documents that news has access to. COMPREHENSIVE: Sonja Skinnarland is responsible for cleaning up all the illegal lists Photo: NAV No overview of the extent Nav knows not how many Norwegians have been exposed to the privacy breach. But there can be many. Since 2018, employees have established such lists. After a year, the lists disappear automatically and then new ones have been created. It is therefore not certain that Nav will find all Nav users who have been victims of the privacy breach. At any given time there are several tens of thousands of unemployed people in Norway, this autumn the figure is around 54,000. Nav admits that they still do not know how many users have been affected by the privacy breach. – We are working to map and close the deviations, and to get an overview of the users we have to contact about the privacy breaches, says director of work and services Sonja Skinnarland in Nav. – It was discovered by chance that lists were used for something other than the purpose of advertising for jobs. We then discovered that personally sensitive information had been entered, and that should not happen. There shouldn’t be anything personally sensitive there, it’s an offence, says Skinnarland. MUST CLEAN UP: Nav director Hans Christian Holte has asked for a full clean-up in breach of GDPR and privacy in Nav. Photo: NTB – How many people may have had access to these lists? – It will be most of the people who work in Nav, she says. – So 20,000 employees? – Yes, says Skinnarland. This is also apparent from Nav’s notice of deviation to which news has gained access. Here it says, among other things: “All Nav employees with access to the system can see the lists, which means that over 20,000 employees in Nav who can see the lists and their content.” Nav currently does not have an overview of how many employees have been included in the lists. – We see that the supervisors in Nav have not had good enough tools to carry out their job effectively, since the tool we have now uncovered breaches in has been used for more than it is intended for, she says. Not the first time The union representatives are upset that Nav has not learned from its own experiences. – Time after time, Nav goes on a rampage without learning. It is a management problem that privacy protection has not been better addressed, says Langstad. EMBARRASSED: Government representative Harald Langstad thinks it is embarrassing that Nav does not have better control over privacy. Photo: private Nav has previously received a fine of NOK 5 million from the Norwegian Data Protection Authority for breach of privacy when the CVs of job seekers were available so that all employers could read this in Nav’s database. Nav has previously acknowledged that they have had poor access management and that this has affected the agency’s own employees as colleagues have snuck into their folders. – It is scandalous that Nav’s management has not given the employees better training and follow-up in privacy. It should be in the backbone of all employees, and it is the management’s responsibility to provide such training, says agency union representative Harald Langstad. – I agree that this is not good, and we are now working to improve privacy in the entire organization with, among other things, getting privacy coordinates in all the county offices to strengthen privacy, says director of employment and services Sonja Skinnarland. Hey, do you have any thoughts on this matter? Feel free to send me an email. I work a lot with working life, privacy and IT security. Currently, I also work a lot with the fish farming industry. I would like to have input or tips on other matters that I should look into. Get in touch then.
ttn-69
Extensive breach of privacy in Nav – news Norway – Overview of news from different parts of the country
