Norway: Datatilsynet notifies decision to impose NOK 1.2M fine on Østfold HF Hospital
The Norwegian data protection authority ('Datatilsynet') announced, on 1 July 2020, its decision to impose a NOK 1,200,000 (approx. €111,680) penalty on Østfold HF Hospital for its data storage practices in violation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and sent a letter ('the Letter') notifying the hospital of its intention. In particular, Datatilsynet highlighted that after assessing a non-conformity report from the hospital, it found that in the period 2013-2019, Østfold HF Hospital had stored patient data, including sensitive data, such as the cause of hospital admission, without controlling the access to the folders where the data was stored. Therefore, Datatilsynet decided that the hospital had not implemented sufficient technical and organisational measures to safeguard personal data and, therefore, acted in contravention of the GDPR and the Patient Records Act.
Datatilsynet requested that Østfold HF Hospital provide comments to its Letter by 5 August 2020.
You can read the Letter, only available in Norwegian, here.