| dc.description.abstract | The Personal Data Regulations pose a strict obligation to notify the Data Protection Agency of any breaches in personal data security. Due to an increased focus on privacy and data protection, the number of reported breaches in personal data security from the municipal sector has increased. However, there is a discrepancy in the number of such cases reported by each municipality. This master’s thesis investigates how routines could aid in gaining a deeper understanding of the variation in the number of breaches reported to the Data Protection Agency in three selected Norwegian municipalities. This is done using qualitative interviews from employees in municipalities that have reported breaches in varying degrees. The research question posed by this thesis is: « How can routines aid in the understanding of the variation in the number of breaches of data protection reported to the Data Protection Agency by three selected Norwegian municipalities? ».
With basis in a theoretical framework, we explore three different aspects of this question: formal procedures and systems, concrete actions and collective norms. The theory define routines as; repetitive and recognizable action patterns that involve several actors and mutually dependent actions. Through the analysis we examine the three aspects separately and explain the complexity of routines.
The findings of this thesis show that the interaction between the various aspects of routines can contribute in gaining insights into the causes of the variation in the number of privacy breaches reported to the Data Protection Agency. In this paper, we argue that the organizational structures surrounding privacy, and in particular the Data Protection Officer’s role, could contribute to the variation in the number of breaches reported. In municipalities where the Data Protective Officer both have a high level of influence, while also focusing on and encouraging transparency and cooperation, a larger number of breaches get reported. Further, the thesis highlights how the deterrent effect of the administrative fines imposed on infringement can contribute to more attention and focus on privacy and data protection within the municipalities. We observe that previously imposed administrative fines can both positively and negatively affect the municipalities attitudes toward the reporting of breaches they discover to the Data Protection Agency, thereby affecting the number of reported cases. | en_US |
