Nav violates privacy rules in a number of areas, the Norwegian Data Protection Authority decided after an inspection in September. Nav has been notified of a fee of NOK 20 million.
During the inspection of Nav by the Norwegian Data Protection Authority, a total of twelve violations of the law were revealed in the way personal data is processed in internal computer systems. In its conclusion, the Norwegian Data Protection Authority wrote that the breaches are very serious, and that this has been going on for a long time, and that the Norwegian Data Protection Authority is therefore notifying a violation fee of NOK 20 million.
-It’s very dangerous. We previously issued Nav commands to make changes that they did not follow. So it was necessary to come up with the most powerful tool we have, which is now the Infringement Charge Notice. This is a clear signal to the management at Nav, says Line Coll Director from the Norwegian Data Protection Authority at NTB.
The question of whether Nav in its IT systems is able to protect confidentiality in the processing of personal data was investigated by the Norwegian Data Protection Authority. The bottom line is that the Nav system required to correct aberrations is unable to do so.
– I’m not surprised
Maritime Director Hans Christian Holt told NTB that they were not surprised that the Norwegian Data Protection Authority was cracking down on exactly the areas mentioned in the inspection report. He admits that Nav has a job to do.
-We are well aware of the central areas that the Norwegian Data Protection Authority refers to in this inspection. “We take this seriously and will work to move forward,” Holt says.
– Fortunately, it’s not about personal data that has gone astray, but the vulnerabilities that Nav has in its data solutions and how we should manage and secure them in a good way, says Holt.
He explains that many of the problems are due to legacy computer systems that are difficult to build new security around. However, he admits that the agency does not have good enough routines or systematic monitoring of records to determine who has access to user files.
Read on E24+
The last (30) is “This Year’s Savings File”: This is how you invest now
a lot of money
Nav will not dispute the reported $20 million fee, which even the Norwegian Data Protection Authority says is high for a public body.
At the same time, we would like to emphasize that violations of a similar degree of seriousness by a private party would result in a much higher fee than what we reached in this case, as the decision states.
– The Norwegian Data Protection Authority’s reason for this is that it has to be something that has an impact, and that will have an impact on our budget when it is of this large size, Holt told NTB.
Read on E24+
Can you resign when the job is downsized? This is how it is determined who should go
Previous requests were not followed
– The tasks Nav is required to perform involve processing personal data on a massive scale, including highly sensitive information. According to figures in Nav’s 2022 annual report, last year about 3.2 million people received benefits from Nav. Therefore, there are high privacy risks built into Nav’s operations, which entails strict personal data security requirements, the Norwegian Data Protection Authority writes.
The problems are not new. Since 2006, when Nav was created as a merger of several public health and social security institutions, the risk of publishing sensitive information about individuals has been pointed out.
– In our assessment of the necessity of imposing infringement charges in this case, we took into account that previous orders issued by the Norwegian Data Protection Authority were not sufficiently effective, as stated in the Statement of Reasons.
Get today’s most important economic news here!
“Coffee trailblazer. Certified pop culture lover. Infuriatingly humble gamer.”