Public hospitals in Norway threatened with fines of NOK 7.2 million (EUR 720,000) following outsourcing project
Public hospitals in Norway are organized in a structure where they are owned by four different regional legal entities. The regional entities are responsible for the public procurement of goods and services, including IT services, for use by the hospitals within their region, and for fulfilling other tasks of common interest.
In 2013, the regional entity for the southeastern part of Norway (Helse Sør-Øst or HSØ) took steps to prepare for outsourcing of IT operational services for the hospitals owned by HSØ, a function which was previously handled in-house by a separate IT organization also owned by HSØ. The proposed outsourcing was met with widespread criticism, from the elected employee representatives at the hospitals owned by HSØ, as well as from data privacy advocates, all expressing concerns related to personal data security. Medical records, after all, contain sensitive personal data and should be kept strictly confidential.
Nevertheless, HSØ decided to go ahead with the outsourcing and, in 2016, entered into an outsourcing agreement with Hewlett Packard Enterprise (now DXC Technology), whereby DXC would take over the storage and processing of the IT systems of the hospitals owned by HSØ, including the patient data contained in these systems. The board of directors of HSØ made it a clear prerequisite that the supplier's personnel should not have access to any of the patient data.
The Data Protection Authority of Norway was also concerned about the outsourcing and approached HSØ as early as 2016, asking for further information. Although the decision to outsource the IT function was made by HSØ, the DPA found that the data controllers are in fact the individual hospitals owned by HSØ, and therefore the legal obligation to ensure that the processing is carried out in accordance with the Norwegian Personal Data Act rests upon each hospital. The nine individual hospitals received identical letters from the DPA in 2017, in which they were asked to submit written descriptions of their processing of patient data under the outsourcing arrangement.
At the same time, it was disclosed to the public that DXC's sub-suppliers in Bulgaria and in several Asian countries had been able to access the personal data, despite the instruction from the board of directors at HSØ that such access should not be given. As a result, several of the directors responsible for the outsourcing process had to resign their positions, among other reasons because they had given insufficient information to the Norwegian Minister of Health, who is ultimately responsible for the activities of the public hospitals.
Through its investigations, the DPA found that the outsourcing had not been carried out in compliance with the legal requirements of the Norwegian Personal Data Act. In a letter dated 24 October 2017, each of the nine hospitals received a written warning from the DPA of Norway, informing them of the DPA's intention to fine each hospital NOK 800,000 (approx. EUR 80,000) for lack of security management and failure to implement appropriate technical and organisational measures to ensure an appropriate level of security. The DPA found that:
- The controllers (hospitals) did not have adequate ownership of, or control over, the planned outsourcing, but had instead left this to HSØ, which is not the controller;
- The controllers (hospitals) left it up to the data processor (DXC) to make decisions affecting the data privacy and data security of the patients, instead of making these decisions themselves;
- No risk assessment or vulnerability assessment was carried out prior to the decision to outsource the processing of data;
- No risk assessment or vulnerability assessment was carried out prior to the decision to use a sub-processor located in Bulgaria; and
- The sub-processor's personnel in Bulgaria and Asia had been given access to personal data, despite the instructions from the board of directors at HSØ.
Due to the breaches listed above, the DPA informed each hospital of its intention to fine the hospital NOK 800,000, which is close to the statutory maximum fine of NOK 936,340. The proposed aggregate fine for the nine hospitals is therefore NOK 7,200,000.
The hospitals were given the opportunity to comment until 24 November 2017. To my knowledge, no final decision has been made by the DPA as of present.
The outsourcing project is currently on hold, and it is unclear whether the outsourcing will be implemented. However, it is clear that the project cannot under any circumstance continue unless appropriate technical and organizational measures are implemented first.
Article provided by: Øystein Flagstad, advokatfirmaet Grette