St. Olavs Hospital fined

The Norwegian Data Protection Authority has decided to fine St. Olavs Hospital NOK 750,000 (EUR 75,000) due to a lack of access management concerning folder areas outside patient records.

The information concerned a large number of patients and related to the Clinic of Cardiology, medical equipment and child and adolescent psychiatry.

- There are particular privacy requirements for health data, and we are particularly concerned that some of the information concerns children, says Bjørn Erik Thon, General-Director of the Norwegian Data Protection Authority.

Lack of access management

The case started with three non-conformity reports in March 2020. The non-conformities concerned a lack of access management in folder areas outside patient records. The folders were in principle accessible to all authorised users within the Central Norway Regional Health Authority.

St. Olavs Hospital HF has subsequently carried out further work to introduce relevant measures in order to improve personal data security.

- We have nevertheless decided to fine the hospital for breaching fundamental requirements regarding access management, says Bjørn Erik Thon.

This constitutes a breach of the requirements regarding personal data security in Article 32 of the General Data Protection Regulation; see Articles 25 and 5, and Sections 22 and 23 of the Health Records Act.