The Norwegian Data Protection Authority notifies NAV of a NOK 20 million infringement fee and several orders. Notice follows control conducted this fall. During this inspection, several serious ones were found derogations in terms of information security in their IT systems.
- Norwegian Data Protection Authority takes this matter very seriously. NAV is in a special place situation from a privacy perspective, and the tasks to which NAV is assigned involve processing of personal data Large-scale. Contains very sensitive information. We are warning of a high infringement fee as our investigations have revealed gross failures in the handling of such information over a long period of time. director of Norwegian data protection authority Line Coll.
Also read: The history of Norwegian oil in 5 minutes
NAV management systems are not sufficient to ensure compliance with privacy regulations
The Norwegian Data Protection Authority carried out an inspection in NAV on September 6 this year. The initial inspection report was sent to NAV on 1 November. NAV presented its comments on the report on November 22. Norwegian Office The Data Protection Office has just prepared the final audit report and announces its decision on this matter.
Our main conclusions are that management systems NAVs are not sufficient to ensure regulatory compliance regarding privacy, and the protection of confidentiality in IT systems is also not satisfactory. As this is a notice, NAV will also have the opportunity to submit any comments on this notice.
12 violations
When assessing the amount of the infringement fee, the Norwegian Data Protection Authority emphasized that NAV provides special categories data personal data concerning a large number of people. This happened without establishing the necessary security mechanisms. It also highlighted the fact that NAV had demonstrated intent to commit breaches, including by failing to comply with previous orders issued by the Norwegian Data Protection Authority in the same case.
– Infringement fees must be effective, reasonably related to the infringement and have a deterrent effect, which is why we have opted for a high infringement fee in this case, says Coll.
NAV will now have three weeks to respond to the request. The Norwegian Data Protection Authority will then decide how to address this issue in our final decision.
Like us on Facebook and share our post with others
Source: Norwegian Data Protection Authority
Also read: Now you can reserve your PESEL number