– It started when I was sick after a car accident. “I discovered that many people who worked at the language knew a lot about me and my health, and I suspected that they had been flirting with my folder,” says John Cicely Thorenfeld, who works daily as a consultant at the language.
Thorenfeld asked for access to the records of the people in his folder, and received it shortly after. Then she realized that her suspicions were correct. Both managers and many colleagues have accessed his personal Nav folder one or more times.
The postings took place in the years 2017 to 2022.
– A lot of Nav staff were in my personal folder and read personal stuff about me. It has become a big burden. With access management and systems flawed, more than 5 million people, Nav sits on unimaginable amounts of personally sensitive information of all Norwegians. That’s what I want to focus on, says Thorenfeld.
Some colleagues had to access his file to process his sick leave.
– Maybe 3-5 colleagues had professional needs, but not all the others in my file, says Thorenfeld.
She’s a shop assistant on the tongue, and isn’t afraid to stand up to barricades. He believes Nav’s computer systems are outdated and do not protect the privacy of its 20,000 employees and more than 5 million users.
Now management has long been offered an interview in the case, but has not wanted to. Instead, NRK received an email from Legal Director Trond Eirik Schea, which stated:
“Over the years, privacy requirements have become stricter, so Nav has undertaken several major projects to modernize IT solutions and meet new privacy requirements. Today, we have new and some older IT systems, and we continue to work to modernize older systems.”
System failure in Nav
Thorenfeld sued his own employer for damages, but lost the case in the District Court and the Court of Appeals in the spring of 2023.
The rulings contained clear criticism of Nav’s IT security and privacy practices.
Both the Borgarding Court of Appeal and the Oslo District Court determined that Nav had breached the rules in processing personal data. Court documents show that 130 Nav employees were in Thorenfeld’s personal folder, and a total of 1,400 notices were sent to him.
The claim for compensation was rejected because the court believed that it was not possible to prove that all of the co-workers’ insights caused Thorenfeld any concrete damage or financial loss.
As stated in the Borgarding Court of Appeal judgment:
“The violations were a general “systemic failure” in the language’s practices and systems, not the violation specifically aimed at Thorenfeld. (…) In such circumstances, if compensation were awarded to individuals, it may, in the view of the Court of Appeals, have a financial purpose that is difficult to assess.”
Janne Cecilie Thorenfeldt notified the Norwegian Data Protection Authority about deficiencies in Nav’s IT system and poor privacy protection.
At the same time, the Norwegian Data Protection Authority received several references about the privacy of Nav employees. The supervisory authority gave Nav a number of directives to improve employee privacy, such as improving access management and establishing an arrangement with a set office, confirmed Kamila Nervik, head of division at the Norwegian Data Protection Authority.
Nau says they followed orders.
Taking the case to Strasbourg
Thorenfeld is now assisted by Mats Antenes, professor of law at the University of Oslo. He is bringing the case to the European Court of Human Rights (ECtHR) in Strasbourg, together with the former President of the EFTA Court, Professor Carl Baudenbacher.
Law professor Mads Andenæs is confident of success in Strasbourg.
– This is an important and principled matter, and it is unfortunate that the ruling does not provide effective protection for victims of privacy violations, which will lead to further violations and the system errors will not be solved, says Mads Andenæs.
The professor elaborates:
– It is important to get this case to the Court of Human Rights in Strasbourg. Because the Court of Human Rights sees this against what the Norwegian legal system does; Andenes says that could have big financial ramifications, so they’ll want to look into the matter.
– We believe that the Norwegian legal system does not deal with human rights here, says Antenes.
Now’s Legal Director responds:
– Nau has taken the criticism in the Norwegian courts’ ruling seriously and has implemented a number of measures to improve employee privacy in recent years. Shea insists in an email that if the case is brought to the Human Rights Court, it will certainly take a position when the time comes.
Thorenfeld is overwhelmed by the professors’ support.
– I am very grateful for this help. It is a lonely struggle. Many colleagues have secretly supported me, but many have not dared to come forward, says Thorenfeld.
He also cites Jens Eskedel, chief security officer in Oslo, as a valued supporter.
– Getting this support from the Chief Security Officer is very important to me, says Thorenfeld.
Chief Security Officer Jens Eskedel believes Thorenfeld has done an important job as a whistleblower.
– Janne Cecilie has acted properly and submitted legal notice of weaknesses in Now’s privacy system. The case could have been solved in a completely different way, it is very difficult to stand completely alone in this case and she took this case on her own account. Above all else, it’s a huge financial burden, says Chief Defense Officer Eskdal.
Eskdal and Thorenfeld believe Now has a poor culture of treating whistleblowers.
Now rejects this.
– In general terms, we can say that we don’t recognize that we have a culture that ignores whistleblowers. We process notices in accordance with the provisions of the Working Environment Act, highlighted Legal Director Shea in an email.
Do you have any ideas on this matter? Feel free to email me. I work a lot with work life, privacy and IT security and would love input or tips on other things I should be looking into. Get in touch later.
“Music geek. Coffee lover. Devoted food scholar. Web buff. Passionate internet guru.”