A. Implementation of Directive 95/46/EC
Significant changes to privacy or data protection law
None to report.
Significant changes to other laws affecting privacy or data protectioN
New Political Parties’ Act
A new Act relating to political parties entered into force on 1 January 2006. In a privacy protection perspective, the central provisions are those relating to the creation of a central register and the disclosure of private individuals’ financial support to political parties, as well as the prohibition against accepting anonymous contributions.
One comment of the Data Inspectorate in the round of consultations was that:
“Private individuals may have quite legitimate reasons for not wanting their name to be known in connection with a donation. Our legislation should also reflect the fact that financial contributions to political parties may be a private matter”.
Whistle-blowing
On 1 January 2007, new provisions entered into force relating to whistle-blowing in working life. Pursuant to the new rules, business enterprises must establish solutions for whistle-blowing as required. The provisions open for anonymous notification. The routines for data, disclosure, storage, etc follow from the Personal Data Act. The new provisions do not interfere with privacy protection in any radical way, but are mentioned nevertheless, as whistle-blowing is a subject frequently discussed in the Art. 29 Group.
Amendments to the Act relating to Child Welfare Services:
Due to the amendments to the Child Welfare Act, in force from 1 January 2006, employees at private crisis centres receiving operating subsidies have a duty of disclosure to the Child Welfare Authorities if they have reason to believe that children of women/men coming to a crisis centre are being neglected. The Data Inspectorate was strongly opposed to this provision and believes that it represents a serious infringement of the integrity of persons who contact a crisis centre in an emergency situation.
Act relating to the Labour and Welfare Administration
NAV is the Norwegian Labour and Welfare Organisation. It was established on 1 July 2006, and is a comprehensive welfare reform. NAV has an enormous amount of sensitive data about just about every person resident in Norway, from birth to death. The Act led to pressure on privacy protection, hereunder on the statutory duty of confidentiality. The most problematic issue is that the number of persons with access to sensitive personal data was virtually doubled, and that no adequate access restrictions exist in the ICT system.
The Regulations relating to the Armed Forces’ Health Register were adopted in February 2005, but only came into force on 24 April 2006. The Armed Forces’ Health Register may contain identifying personal, service and health data about Defence personnel. The Armed Forces’ Health Register may also contain information about physical and social environments. The Register contains a great amount of health information about Armed Forces personal, without these persons having given their consent to such registration.
Amendments to the family allowance regulations
Schools may now be instructed to submit routine reports to the National Insurance Service when pupils are absent and their absence may be due to stays abroad. The amendments came into force in April 2006.
The Foreign Exchange Register Act came into force on 1 January 2005. In January 2006, amendments were proposed that would give the police extended access. Previously, access was only permitted in connection with investigations that had been started. Under the amended Act, the criterion for access is the government agencies’ need for information in their work to prevent and combat crime.
Section 7 of the Nationality Act has been given a new third section, and pursuant to this, the presentation of a police certificate is now required when applying for Norwegian nationality. The Data Inspectorate called for an assessment of whether the infringement of certain penal provisions could be considered as less relevant, but this was not followed up. The police certificate will also contain preliminary charges and indictments, even in cases where the offence has been clarified and has not been followed up by a reaction on the part of the prosecuting authorities. Fortunately, the proposal of suspending the duty of confidence of all public authorities, and at the same time subjecting them to a disclosure requirement if the immigration authorities needed information in their processing of nationality applications, was not adopted.
B: Major case law
None to report
C: Major specific issues
Traffic surveillance
The Data Inspectorate continues to work with issues regarding new surveillance infrastructures in road traffic and public transport. The Inspectorate notes that some EU programs, such as e-call, presuppose the implementation of new surveillance infrastructures. In addition to this, Norway has built fully automatic toll stations, using RFID-technology. These stations make anonymous use of certain roads, or the entering of two Norwegian towns by car, impossible.
Biometrics
The Data Inspectorate denied several applicants to use biometrics in a variety of systems, reaching from a wardrobe service to access control to buildings or data systems. Five applicants complained to the Data Inspectorate’s complaints commission, the Privacy Appeals Board. Only one of these complaints had been concluded by the Board when this report was written. The Data Inspectorate will work further with this topic in 2007.
Insufficient protection of Electronic Health Records
The Data Inspectorate conducted inspections at two Norwegian hospitals in 2006 in cooperation with the Norwegian Board of Health Supervision. The inspections focused on whether the health records were adequately protected. For both hospitals, the inspections revealed an insufficient level of information protection. It was especially pointed out that employees had wider access to health records than they needed, and that the professional secrecy thereby was compromised.
Criminalization of child grooming
In 2006, the Ministry of Justice proposed to criminalize the deliberate preparation to sexually abuse a child (“Child grooming”). The Data Inspectorate asked if any new police methods were intended to follow the proposition. The search for a person who has not made an offence, but intends to do so, can result in extensive surveillance of innocent people.