In 2013, the regional entity for the southeastern part of Norway (Helse Sør-Øst or HSØ) took steps to prepare for outsourcing of IT operational services for the hospitals owned by HSØ, a function which was previously handled in-house by a separate IT organization also owned by HSØ. The proposed outsourcing was met with widespread criticism, from the elected employee representatives at the hospitals owned by HSØ, as well as from data privacy advocates, all expressing concerns related to personal data security. Medical records, after all, contain sensitive personal data and should be kept strictly confidential.
Nevertheless, HSØ decided to go ahead with the outsourcing, and in 2016, entered into an outsourcing agreement with Hewlett Packard Enterprise (now DXC Technology), whereby DXC would take over the storage and processing of the IT systems of the hospitals owned by HSØ, including the patient data contained by these systems. The board of directors of HSØ made it a clear prerequisite that the supplier personnel should not have access to any of the patient data.
The Data Protection Authority of Norway was also concerned about the outsourcing, and approached HSØ already in 2016, asking for further information. Although the decision to outsource the IT function was made by HSØ, the DPA found that the data controllers are in fact the individual hospitals owned by HSØ, and therefore the legal obligation to ensure that the processing is carried out in accordance with the Norwegian Personal Data Act rests upon each hospital. The nine individual hospitals received identical letters from the DPA in 2017, where they were asked to submit written descriptions of their processing of patient data under the outsourcing arrangement.
At the same time, it was disclosed to the public that DXC's sub suppliers in Bulgaria and in different Asian countries had been able to access to the personal data, despite the instruction from the board of directors at HSØ that such access should not be given. As a result, several of the directors responsible for the outsourcing process had to resign their positions, i.a. due to the fact that they had given insufficient information to the Norwegian Minister of Health who is ultimately responsible for the activities in the public hospitals.
Through its investigations, the DPA found that the outsourcing had not been carried out in compliance with the legal requirements in the Norwegian Personal Data Act. In a letter to the hospitals from 24 October 2017, each of the nine the hospitals received a written warning from the DPA of Norway, informing them of the DPA's intention to fine each hospital NOK 800,000 (approx. EUR 80,000), due to lack of security management and failure to implement appropriate technical and organisational measures to ensure an appropriate level of security. The DPA found that
- The controllers (hospitals) did not have adequate ownership to, or control over, the planned outsourcing, but had rather left this up to HSØ, who is not the controller;
- The controllers (hospitals) left it up to the data processor (DXC) to make decisions affecting the data privacy and data security of the patients, instead of making these decisions themselves;
- No risk assessment or vulnerability assessment was carried out prior to the decision to outsource the processing of data;
- No risk assessment or vulnerability assessments was carried out prior to the decision to use a sub-processor located in Bulgaria; and
- The sub-processor's personnel in Bulgaria and Asia had been given access to personal data, despite the instructions from the board of directors at HSØ.
Due to the breaches above, the DPA informed each hospital of its intention to fine the hospital NOK 800,000, which is close to the statutory maximum fine of NOK 936,340. The proposed aggregate fine for the nine hospitals is therefore NOK 7,200,000.
The hospitals were given the opportunity to comment until 24 November 2017. To my knowledge, no final decision has been made by the DPA as of present.
The outsourcing project is currently on hold, and it is unclear whether the outsourcing will be implemented. However, it is clear that the project cannot under any circumstance continue unless appropriate technical and organizational measures are implemented first.
Article provided by: Øystein Flagstad, advokatfirmaet Grette