Data Protection Academy » Data Protection News » Data protection fine for the City of Oslo

A person holds five euro notes in his hand. A symbolisation for the data protection fine for the city of Oslo

Data protection fine for the City of Oslo

Date: 18.12.2019

Responsible body: City of Oslo

Type of infringement: City of Oslo fined for incorrect processing of patient data

The Norwegian Data Protection Authority has imposed a data protection fine of 49,300 euros on the City of Oslo for storing patient data outside the electronic health record system in the city's nursing homes / health centres from 2007 to 2018.

“Dies ist angesichts der langen Frist und des beträchtlichen Umfangs der Verarbeitung ein schwerer Verstoß”, betonte Bjørn Erik Thon, Generaldirektor der norwegischen Datenschutzbehörde.

The case started when the City of Oslo sent a notification of data breaches to the Data Protection Authority in November 2018. In this notification it was reported that the city's 30 or so care institutions had practiced the use of so-called worksheets. These worksheets would contain information about the residents, describing their daily needs and care routines. Personal data of the residents, such as their full name and national identity numbers, initials or room numbers were also listed.

The working papers were stored electronically in the internal area of the individual nursing home or health centre, to which all the unit's employees and some employees of the social welfare agency had access. About 90 percent of the employees in these nursing homes / health centres are medical staff, but the remaining 10 percent - such as members of the cleaning service or caretakers - could theoretically also log in and have access to this information.

According to statements by the nursing homes / health centres, the worksheets were allegedly continuously overwritten, so that this point in time only contained information about current residents and no former residents. However, employees working in a single nursing home / health centre over a longer period of time would have had access to information on a large number of residents.

In calculating the amount of the fine, the DPA emphasized that the City reported the breach to the DPA on its own initiative and took prompt action to delete the data. Moreover, it took into account that the breach occurred in the first place before the entry into force of the GDPR took place. Under the old Personal Data Act, fines were limited to approximately 100,000 euros. A fine of 49,300 euros was therefore considered appropriate in this particular case.
The Authority concluded that the practice of storing identifiable patient data outside the electronic health record system is clearly contrary to the security and internal control requirements of Article 32 of the GDPR  and §§ 22 and 23 of the German Health Records Act.

Categories of data: Name, first name, health data, ID numbers

Country: Norway, Oslo

SourceEuropean Data Protection Board

Back to the overview of the data breaches

Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

Data protection fine imposed on the Municipality of Oslo Education Authority

120.000 € because the security of the app "Skolemelding" for communication between school staff, parents and pupils was not guaranteed.

Data protection fine Swedish company

35,000 euros fine for violation of three Swedish laws at once. Information about creditworthiness published.

Highest data protection fine to date hits Delivery Hero

In August, the Berlin data protection commissioner had already imposed the highest German fine to date, amounting to 195,407 euros.