The Norwegian Data Protection Authority tears apart Nav’s privacy and IT security – news Norway

– We find the situation regarding privacy in Nav very serious. That is why we have notified Nav that we are giving a record fee of NOK 20 million to show that this is serious, says director Line Coll at the Norwegian Data Protection Authority to news.

In September, the Norwegian Data Protection Authority carried out an announced inspection at Nav to examine the agency’s IT security and privacy. The inspection found 12 separate breaches of the privacy legislation; in particular, access management and log control are poor.

Nav holds sensitive personal data about our physical and mental health, our family relationships and our finances. Almost all of Nav’s 22,500 employees have access to this information, while access management and log control are inadequate, the report points out.

– Nav safeguards the privacy of all citizens in Norway from cradle to grave. Nav has organized itself in such a way that it has given nearly all employees access to personally sensitive information, which is unfortunate and against the law, says Coll.

INVESTIGATORS: Legal senior adviser Ingrid Espolin Johnsen, director of communications Janne Stang Dahl and director of the Norwegian Data Protection Authority Line Coll with the supervisory report Nav received on Tuesday. Photo: Anne Cecilie Remen / news

Nav’s breach of the law

The Norwegian Data Protection Authority writes in the report that the reason it is issuing such a large fine is breaches of:

1. The Personal Data Protection Regulation Article 5 no. 1, as a result of processing personal data in a way that does not ensure sufficient security for the personal data.

2. The Personal Data Protection Regulation Article 5 no. 2, as a result of not having implemented suitable technical and organizational measures to ensure and demonstrate that the processing of personal data is carried out in accordance with the regulation.
Here are the offenses

- Nav has not sufficiently established a management system that provides suitable technical and organizational measures to ensure and demonstrate that its processing of personal data is carried out in accordance with the Personal Data Protection Regulation.
- Nav’s governing framework for access management lacks suitable technical and organizational measures to ensure and demonstrate that its processing is carried out in accordance with the data protection regulation.
- Nav’s governing framework for access management is not subject to regular audit, as the Personal Data Protection Regulation requires.
- Nav has not established satisfactory organizational measures to ensure that risk assessments are carried out, as they should be, when establishing and developing case-processing systems.
- The disclosure of personal data through the use of metadata is too broad and is not considered compatible with the confidentiality principle in the Personal Data Protection Regulation.
- Nav has not established satisfactory organizational measures for the training of identity administrators.
- The routines for granting access are outdated and give no guidance on discretionary assessments.
- The disclosure of personal data that is processed only for archival and historical purposes is too broad and is not considered compatible with the principle of confidentiality.
- Nav has organized itself in such a way that a significant proportion of employees have a professional need for wide access. In combination with a deficient system for log control, this is not considered compatible with the confidentiality principle.
- Nav’s lack of technical and organizational measures for shielding based on individual needs is considered a deviation from the requirement that security measures be adapted to the risk of the processing.
- Nav has not established satisfactory routines for checking unit managers’ annual audit of access.
- Nav has not established a systematic log check.
In combination with the fact that a significant proportion of Nav’s employees have wide access, this is considered a deviation from the requirement for suitable technical and organizational measures to protect privacy. Nav’s lack of technical and organizational measures for shielding based on individual needs is a deviation from the requirement that security measures be adapted to the risk of the processing.

Serious

Nav employees have access to all information collected about a person in the Nav system over a lifetime. Nothing about us disappears from the computer systems.

– This is a serious message that we have challenges in safeguarding privacy well enough. It is an important message to Nav about things we need to work on better in the future. The inspection report points to things that we are working on a lot today, but at the same time we see that we have to do more, says the chief executive of Nav, Hans Kristian Holte.

The Norwegian Data Protection Authority has not carried out such comprehensive supervision and control of Nav since 2011. Even then, the Norwegian Data Protection Authority was critical of Nav’s access management and pointed out that privacy was too poorly safeguarded. At the time it was also pointed out that far too many Nav employees were able to access the case files of most Norwegians. Nav was ordered to improve privacy, and Nav promised at the time that new comprehensive measures would be implemented. The Norwegian Data Protection Authority believes that Nav has not implemented the measures it has said were implemented.

Deliberate breaches of the law

The Nav director believes that the agency has taken several measures to improve privacy in recent years, and that privacy is better than before.

– We have improved privacy for people who need special protection and we have improved privacy for employees. A lot of good privacy work has been done in recent years, but we are not there yet, says Hans Kristian Holte.
SHOULD CLEAN UP: Hans Kristian Holte got the job as head of Nav in 2020 and was supposed to clean up the large organization.

But the Norwegian Data Protection Authority believes this is not true. Privacy has deteriorated in recent years, and it believes Nav has deliberately broken the law. The agency has known about the offenses without cleaning them up and without notifying the authorities, the Norwegian Data Protection Authority emphasizes. According to the report, the violations have been going on for years, and many of them ever since Nav was established. The Norwegian Data Protection Authority believes it is reprehensible that Nav has not followed up on the inspectorate’s previous orders from 2010 and 2011.

Record-breaking fine

– That is why we are announcing such a large fee. We believe that Nav has deliberately broken the law, they have deliberately broken the law and failed to clean up and change their operations so that they comply with the law. The amount of 20 million is large and is the largest fee a public enterprise has ever been notified of. But if Nav had been a private enterprise, the challenge would have been significantly greater, says Coll.

Nav’s CEO Hans Kristian Holte denies that the offenses were committed deliberately.

– There are strong words in the supervisory report from the Norwegian Data Protection Authority. But when they say that it was done on purpose, I feel that they are saying that we have not interpreted privacy well enough seen from their eyes. We may have underestimated what is required to have good enough privacy for such large systems as we have in Nav, says Holte.

news revealed earlier in November that Nav has extensive failures and deviations when it comes to privacy in its employment service. This matter is not dealt with in the report, and the Norwegian Data Protection Authority is now investigating it as well.
Managerial responsibility

According to the report, Nav’s management does not focus enough on privacy, access management and logging.

– Complying with the privacy regulations is a management responsibility, and not ensuring consistent compliance in one’s own organization is very serious, says Coll.

Holte agrees that it is a managerial responsibility, but he does not want to say whether the offenses will have any consequences.

– It is too early to say, emphasizes Holte.

Last year, Nav received a fine of 5 million from the Norwegian Data Protection Authority after CVs containing personal information were placed in a database to which employers had access.

– At the time, that notice was the largest we had issued to a public enterprise, but now we are issuing a notice that is four times as large, and we are also ordering Nav to take measures quickly to correct the deviations, says Coll.

According to news’s knowledge, both the internal audit and external consulting companies have shown in recent years that Nav has major challenges with privacy and access management.

Nav has three weeks to respond to the notice and all orders. If Nav does not accept it, it can complain to the Personal Data Protection Board.