Data protection fine for the City of Oslo

Date: 18.12.2019

Responsible body: City of Oslo

Type of infringement: City of Oslo fined for incorrect processing of patient data

The Norwegian Data Protection Authority has imposed a data protection fine of 49,300 euros on the City of Oslo for storing patient data outside the electronic health record system in the city's nursing homes / health centres from 2007 to 2018.

"This is a serious breach, given the long period of time and the considerable volume of processing", stressed Bjørn Erik Thon, Director General of the Norwegian Data Protection Authority.

The case started when the City of Oslo sent a notification of data breaches to the Data Protection Authority in November 2018. In this notification it was reported that the city's 30 or so care institutions had practiced the use of so-called worksheets. These worksheets would contain information about the residents, describing their daily needs and care routines. Personal data of the residents, such as their full name and national identity numbers, initials or room numbers were also listed.

The working papers were stored electronically in the internal area of the individual nursing home or health centre, to which all the unit's employees and some employees of the social welfare agency had access. About 90 percent of the employees in these nursing homes / health centres are medical staff, but the remaining 10 percent - such as members of the cleaning service or caretakers - could theoretically also log in and have access to this information.

According to statements by the nursing homes / health centres, the worksheets were allegedly continuously overwritten, so that this point in time only contained information about current residents and no former residents. However, employees working in a single nursing home / health centre over a longer period of time would have had access to information on a large number of residents.

In calculating the amount of the fine, the DPA emphasized that the City reported the breach to the DPA on its own initiative and took prompt action to delete the data. Moreover, it took into account that the breach occurred in the first place before the entry into force of the GDPR took place. Under the old Personal Data Act, fines were limited to approximately 100,000 euros. A fine of 49,300 euros was therefore considered appropriate in this particular case.
The Authority concluded that the practice of storing identifiable patient data outside the electronic health record system is clearly contrary to the security and internal control requirements of Article 32 of the GDPR  and §§ 22 and 23 of the German Health Records Act.

Categories of data: Name, first name, health data, ID numbers

Country: Norway, Oslo

Source: European Data Protection Board

Back to the overview of the data breaches