Norway DPA Fines Skan-kontroll AS for Misusing Collected Data

Recently, the Norwegian Data Protection Agency issued a 600,000 krone ($109,000) fine against Skan-kontroll AS, a Norwegian security company specializing in providing security guards, operating CCTV systems, and providing uniformed and undercover personnel for surveillance. The fine, considered to be the largest of its kind in Norway, was issued for misuse of personal information, discovered during a June 5 audit of the company, and further detailed in the audit report. The alleged privacy violations of Norway’s Personal Data Act (4/2000) by Skan-kontroll included unsatisfactory data protection agreements with customers, flawed information-gathering and data analysis processes, illegal categorization of individuals by ethnicity, faults in the process that provides data for background checks, flaws in the storage and distribution of anonymous tips and images, and unsatisfactory data encryption routines. Although the Norwegian privacy office acknowledged that the company’s activities that were carried out on behalf of its clients actually took place within the law, the problems occurred when information gathered for one purpose was used for another purpose, such as having shop owners illegally hand out personal data that is restricted.

TIP: This case - and the fine - serves as a reminder that data security is on the forefront of regulators' minds in many countries, and failure to provide adequate protections can be seen as use "outside of the primary purpose" and thus a violation of relevant local laws.