The Norwegian Supervisory Authority (Datatilsynet) has taken enforcement action, imposing a fine of EUR 1.7 million (USD $1.85 million) on Arbeids- og velferdsetaten, the Norwegian Labor and Welfare Administration (NAV). As part of its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. For example, the IT systems were not adequately secured. In addition, an excessive number of employees had access to personal data, including very sensitive data in some cases. At the same time, the controller failed to carry out systematic controls regarding employee use of IT systems. When assessing the fine, the DPA took into account the fact that the data had been handled insecurely over a long period of time.
The regulator found 12 violations. Read more about the investigation and findings.