The Norwegian Data Protection Authority has imposed a EUR 50,000 (NOK 500,000) fine on Moss Municipal Council for failing to adequately protect personal data. The error has been corrected and the case closed.
In connection with the amalgamation of the municipalities of Rygge and Moss in January 2020, efforts were made to combine the use of IT systems for various municipal service areas. The case relates to an administrative system that Moss Council had used for many years and that employees in the health service for children and young people in the former municipality of Rygge began to use after the merger. Moss Council discovered the error after conversion of the system’s users and data.
Personal data and health data
The administrative system processes personal data and health data, and covers people who live in the municipality and make use of the child health clinic. The system applies to services relating to the municipality’s vaccination programme, as well as baby and child health checks and antenatal care.
Moss Council itself reported that aspects of its data processing violated the requirements for confidentiality, integrity and accessibility. The case involves personal data about both adults and children.
The following violations were reported:
• Incorrect registration of vaccines. Some people were registered as having received vaccines when they had not, while vaccines administered to others were not entered in their records. The error creates a risk of incorrect vaccination, and a risk of errors in the Norwegian National Immunisation Registry.
• Errors in patient records. The errors found relate to the follow-up of expectant mothers, including incorrect number of weeks of pregnancy, errors in weight and height recorded by the school health service, and errors in details of the mother’s use of alcohol/narcotic substances.
• In one department, patient data was made accessible to healthcare personnel who had no professional need for it, and without access being traceable.
• Errors relating to routine administration, such as appointment books, and patient record keeping.
The error has been corrected
While 2,000 people could have been affected, no specific individuals were identified as actually having been impacted by the error. The error was quickly rectified and is under control.
Based on an overall assessment of the case, to which Moss Municipal Council has contributed, the Norwegian Data Protection Authority decided to impose a EUR 50,000 fine.
For further information, please contact the Norwegian DPA: international@datatilsynet.no
The original press release is available in Norwegian here
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.