Norway: Datatilsynet requests response from University Hospital of Northern Norway for breach notification involving incorrect publication of mailing lists
The Norwegian data protection authority ('Datatilsynet') announced, on 9 July 2020, that, further to a breach notification it had received from University Hospital of Northern Norway HF regarding the incorrect publication of mailing lists on the hospital's website, it has sent a letter ('the Letter') requesting an official response from University Hospital of Northern Norway. In particular, Datatilsynet highlighted that it aims to assess whether the hospital has implemented a system which meets the requirements of the Patient Records Act 2014 and of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') for internal control and adequate technical and organisational measures. More specifically, Datatilsynet asked, among other things, whether the hospital has undertaken a risk assessment to identify vulnerabilities, what type of measures were taken after the incorrect publication had been discovered, and how the hospital ensures adequate training of its staff. In addition, Datatilsynet requested that University Hospital of Northern Norway submit their responses by 3 August 2020.