he Norwegian Data Protection Authority has issued an administrative fine of EUR 49 300 to the City of Oslo for having stored patient data outside the electronic health record system at the city’s nursing homes/health centres from 2007 to November 2018.
“This is a serious violation, given the extended time period and considerable scope of processing,” stressed Bjørn Erik Thon, Director General of the Norwegian Data Protection Authority. “An indeterminable quantity of health data has been available to a large number of employees for at least 11 years. The City of Oslo has the largest population of all Norwegian municipalities and should therefore be especially well placed to comply with relevant information security requirements.”
The case commenced when the City of Oslo sent a data breach notification to the Data Protection Authority in November 2018. The City of Oslo reported that its 19 nursing homes/health centres under the Nursing Home Agency, as well as nine private nursing homes under contract with the city, had been practising the use of so-called work sheets. These work sheets would include information about the residents, detailing their daily needs and care routines, and residents were identified by their full names and national identity numbers, initials or room numbers.
The work sheets were stored electronically in the individual nursing home’s/health centre’s internal zone, where all unit employees, as well as some employees in the Nursing Home Agency, had access. Approximately 90 percent of the employees at these nursing homes/health centres are health personnel, but the remaining 10 percent – such as members of the cleaning or janitorial staff – could, in theory, also log on and gain access to this information. The sheets were allegedly continuously overwritten, so that they contained information about current residents only – and no former residents – at any given time. However, employees who worked at an individual nursing home/health centre for any extended period of time, would have had access to information about a large number of residents.
Old data protection regulations applied in assessment
In calculating the size of the fine, the Data Protection Authority emphasized that the city reported the violation to the Data Protection Authority on its own initiative and quickly took steps to delete the data. It was furthermore taken into account that the violation primarily took place before the new Personal Data Act and General Data Protection Regulation entered into force in July 2018. Under the old Personal Data Act, fines were limited to approximately EUR 100 000. A fine of EUR 49 300 was therefore deemed appropriate in this particular case.
The Data Protection Authority found that the Nursing Home Agency for many years had failed to apply a sufficiently comprehensive mindset in its approach to managing nursing home/health centre practices for information security. The Authority concluded that the practice of storing identifiable patient data outside the electronic health record system clearly violated the requirements for security and internal control provided in Article 32 of the General Data Protection Regulation and Sections 22 and 23 of the Health Record Act.
Measures to prevent future violations
When the practice of work sheets was discovered, the Nursing Home Agency sent out an e-mail to all nursing homes/health centres, instructing them to delete all work sheets immediately. Due to the way that work sheets were stored, there is no log detailing which employees have accessed the list, and there is no way of finding out whether any unauthorized persons have gained access to the data. In order to prevent similar situations from occurring again, the Nursing Home Agency has implemented various measures related to internal audit, follow-up by management and training, among other things.
The City of Oslo did not appeal the decision.