A. Implementation of Directive 95/46/EC
Significant changes to privacy or data protection law
None to report.
Significant changes to other laws affecting privacy or data protection
Changes in the Criminal Procedure Act
A number of amendments were made to the Criminal Procedure Act in 2005. These included the possibility for electronic room surveillance when given criteria were complied with. The possibility for mass surveillance of telephone numbers in one area to locate the telephone(s) used by a suspected person was also expanded.
B. Major case law
None to report.
C. Major specific issues
Inspections
Biometric passports
On 3 October 2005, production of biometric passports was started in Norway. The Data Inspectorate has expended resources on this question during large parts of 2005. The background for this is the great uncertainty concerning security in connection with this passport, especially with a view to the possibilities for storage and reading. The Ministry of Justice has generally pointed out that international standards are the template for the security level of these passports. As of today, no such standards exist on which there is international agreement. The Data Inspectorate has therefore pointed out that introducing the passport before all security issues have been clarified is highly open to criticism. In comparison, both the USA and the UK have postponed its introduction.
Doping tests in sports
In 2005, the Data Inspectorate completed a project in which the processing of personal data in sports was assessed, both at top-level sports and in recreational and fitness sports. There was special focus on doping tests of athletes and amateur sportsmen, both in and outside organised sports. This project will be followed up in 2006.
The pilot project disclosed a need for a further review of the legal framework for doping tests and its relationship to privacy protection. An assessment must be made of whether consent is an appropriate basis for doping tests at all levels or whether such tests should be more clearly anchored in the statutory framework. A further demarcation is also needed between the areas in which doping tests may be accepted and areas where such tests must be considered as a disproportionate encroachment. The level and age of the athlete will be particularly relevant factors in this connection.
Working life
In 2005, the Data Inspectorate has dealt with a large number of cases concerning employers who had gone a very long way to control their employees. The Data Inspectorate chose to report some of these cases to the Police, after having conducted an inspection. Two of the cases concerned employers who had entered all e-mails their employees sent or received at work, also private e-mails, without notifying their employees that this could happen. One of the cases concerned an employer who installed a hidden surveillance camera in a locker room to expose employees who were stealing. A fourth case concerned a bank using pictures from its camera surveillance system to check whether the cleaner was doing a proper job, which was not the objective of the bank’s camera surveillance.
Consultations
New employment and welfare administration
To offer better incentives to get persons receiving social security benefits back to work and to reduce the group of persons needing support who for various reasons fall outside the scope of welfare schemes, the Government and the Storting wanted a coordination of government services in the areas of employment, social security and social welfare. The Data Inspectorate criticised the proposed bill on the employment and welfare administration, considering that it had too many shortcomings in the area of privacy protection. In addition, both the Data Inspectorate and the Norwegian Board of Health pointed out that the confidentiality provisions were ambiguous and difficult to understand.
The Data Inspectorate fears the risk that the new employment and welfare administration will allow all case officers to share information about all of us, without giving the individual a chance to know where all this information is going.
To arrive at an acceptable solution, a number of principles must be followed, among them:
Nobody should have access to more personal data than what is needed for the proper performance of work tasks. Any inquiry made by an employee must be logged, and the logs must be controlled. The Data Inspectorate’s impression is that no plans have been made to limit the information each case officer will have access to in the data systems. This means that each case officer’s duty of confidentiality and integrity will in reality constitute the only guarantee for privacy protection, while at the system and official level, most inappropriate inquiries may be written off as “human failure”.
Proposal for a new Immigration Act
The proposal for a new Immigration Act raises many issues affecting privacy protection. One of the main questions is what information should be accessible to the immigration authorities in their assessment of whether a person should be granted various types of residence permits. Another central issue is what data may be collected about a person resident in Norway, a so-called “reference person”, who applies for a visitor’s visa for a foreign national. In the Data Inspectorate’s opinion, the Immigration Act Committee has clearly gone too far in proposing personal checks of reference persons. The Data Inspectorate believes that the bill allows too wide a scope for collecting data, both character references and unconfirmed data. It will be difficult to submit unconfirmed data, such as information provided in confidence at a crisis centre, to a reference person, and such information will therefore be impossible to refute.
Criminal record certificates
The Data Inspectorate has submitted a number of consultative statements in which the subject has been the requirement to present criminal record certificates. This has been an issue for both different occupational categories and the voluntary sector. The Data Inspectorate believes there is reason to ask whether adequate protection is ensured when obtaining such a certificate, or if such a measure could just as well result in a false sense of security. This issue is sensitive, and the Data Inspectorate has in these cases underlined the importance of not adopting comprehensive measures that will contribute to a false sense of security. In most of the consultation papers received, the description of the problem at hand was highly inadequate.
The Data Inspectorate observes that there is an increasing number of occupations where criminal record certificates are required, and is not surprised that this trend should also be spreading into the voluntary sector. This trend could easily become self-reinforcing, and will perhaps be impossible to reverse at present. The main justification for requiring a criminal record certificate to be presented in various sectors and for different occupational groups is precisely that such certificates are required in other areas, and that a sector in which a criminal record certificate is not required may consequently attract unsuitable persons not admitted elsewhere. The Data Inspectorate warns against a development in which participation in most arenas of society requires prior police clearance.
Decisions and clarifications
Testing for intoxicants
In the beginning of 2006, the Data Inspectorate’s complaints commission, the Privacy Appeals Board, reached a conclusion in a case concerning the testing of employees in a security firm for intoxicants. Pursuant to Norwegian law, an employer may only require testing for intoxicants when this follows from law or regulations, in positions entailing special risks or when the employer considers it necessary to protect life or health. Some occupational groups, such as seafarers, have a statutory obligation to accept such tests. However, this does not apply to employees in security services companies. The Privacy Appeals Board concluded that the security firm did not have the right to test all employees regardless of the work they were meant to perform.
Freedom of expression on the Internet
A group that felt it had been subjected to abuse of authority in connection with some child welfare cases published personal characterisations on the Internet of players that had been working with such cases. The Personal Data Act has important exemptions from various requirements to the use of personal data for “opinion-forming” activities. The persons concerned regarded the information about them to be both incorrect and defamatory. The Data Inspectorate dismissed the case on the grounds that an encroachment on the freedom of expression is so serious that it requires a clear legal authority, and that the authority of the Personal Data Act was not sufficiently clear. The persons in question appealed against this decision to the Privacy Appeals Board. The Board accepted that the Internet pages were opinion-forming, but did not allow the appeal.
Deleting sound recordings
A person was refused access to personal data stored on sound recordings of telephone conversations he had taken part in. The Privacy Appeals Board came to the conclusion that the case lay outside the scope of the Personal Data Act. In this connection, the Board came to a decision on whether the sound taping had been carried out with electronic appliances or not. It was concluded that if the recording was started and stopped manually, it could not be considered as having been performed with an electronic appliance, even if the recorder must technically be characterised as electronic, and regardless of whether the recording was digital or analogue.
Mapping of attitudes
Studies on privacy protection and privacy legislation
In 2005, the Data Inspectorate and the Ministry of Government Administration and Reform arranged for a privacy protection survey in the population and among businesses. This survey revealed that the population is generally not very concerned about misuse of personal data, and that most people think business enterprises act reasonably. However, when businesses were questioned, it turned out that this trust may perhaps be a little misplaced. Businesses have a positive view of privacy protection, but very few of them work systematically with such questions. Moreover, most businesses possess very little knowledge about the Personal Data Act.