This time, our Privacy corner focuses on one special Norwegian case before Christmas that has received much attention. Over the past five years, GDPR has increased the emphasis on the fundamental rights and freedoms behind privacy, but it has also led to a significant amount of paperwork. Extensive documentation of assessments related to legitimate interests, third-country transfers, DPIAs, and much more has become the norm. Many might argue that it is too much, but regulations are regulations. At the same time, we see that this is becoming increasingly important for businesses. Major purchasers set strict compliance and documentation requirements.
The recent case with the Norwegian Labor and Welfare Administration (NAV) has garnered much attention, involving breaches related to access control and log monitoring. Some believe the case is limited to NAV and the public sector, but its implications extend far beyond. The supervisory authority has stated that the fine would have been higher if it had involved a private company. (NAV received the highest amount ever imposed on a public entity.)
Internal control is often perceived as extensive work, with the focus often being on ensuring that documentation is in place. However, it is not as simple as that. One of the breaches in the NAV case was the failure to revise guidelines for several years, constituting a clear deficiency. It is not sufficient to create a good framework if it is not used or revised.
It also seems that many companies have not given access control sufficient attention, at least not to the extent that the Data Protection Authority now expects. Many grant broad access because it is convenient. However, access control is a crucial tool for ensuring privacy, and several of the breaches in the NAV case revolve around this.
The Data Protection Authority also commented on the organizational structure of NAV, stating that it made access restriction challenging. In a decentralized setup, many employees could be deemed to require access. The authority was critical and held that broad access must be matched with log monitoring of actual lookups, a practice not widespread outside the healthcare sector.
Companies with employees working across offices will often, like NAV, need to grant broad access. The Data Protection Authority argued that "business needs" were unsuitable as access criteria, posing a challenge to how a business organizes itself.
Procedures for monitoring access were also found to be inadequate, as they did not provide sufficient guidance on how assessments of access needs should be conducted. It is not enough to have procedures stating that access control should be established: these procedures must ensure that the employee assessing the access knows the criteria for the evaluation.
Criticism was also directed at open access to historical and archived cases, a matter that others should consider as well. If such access can be narrowed down, it should be.
The Norwegian Data Protection Authority has become a very active supervisory body with more focus areas than just tech giants. Internal control is expected to be a key focus in the future.