Norway: Datatilsynet fines Østfold Hospital NOK 750,000 for failure to adequately secure patient data

The Norwegian data protection authority ('Datatilsynet') announced, on 27 October 2020, that it has fined Østfold HF Hospital NOK 750,000 (approx. €69,000) for storing health data for an extended period of time without implementing sufficient measures to secure such data. In particular, Datatilsynet noted that there had been a breach involving sensitive patient information, which falls under special categories of personal data, and that patients ready for discharge from the hospital were affected. Furthermore, Datatilsynet reported that the hospital had failed to have access control mechanisms in the area where reports and patient files were being kept. It also found that Østfold Hospital had not established a system to prevent future breaches and that it had failed to ensure that internal control procedures were being observed with respect to employees' access to files, storage, and deletion from the server. Therefore, Datatilsynet imposed the fine and ordered the hospital to monitor compliance with internal procedures for securing data, particularly when sensitive personal data is involved.

You can read the announcement here and the decision here, both only available in Norwegian.  

UPDATE (25 November 2020)

EDPB publishes Datatilsynet's press release in English

At Datatilsynet's request, the European Data Protection Board ('EDPB') published, on 25 November 2020, Datatilsynet's press release in English.

You can read the EDPB publication here.