Initial contributor: Rie Aleksandra Walle
The Norwegian DPA (Datatilsynet) fined Indre Østfold municipality €18,860 for publishing a former student's school folder openly on their website, thereby breaching Articles 32(1)(b), 5 and 6 of the GDPR.
English Summary
Facts
A former student asked a school to share their school folder. The municipality's routine is to keep records for access requests, which meant, in this case, that the folder was scanned and made available for access. It was, however, made openly available on their website and a local journalist was able to download the entire folder with its contents. The information was confidential, cf. the Education Act.
When the error was discovered, the folder was removed and the municipality notified the DPA of the personal data breach, as well as the affected data subject.
Dispute
Was publishing the student's school folder online a breach of Article 32?
Holding
The DPA concluded that the municipality had breached the required information security requirements as per Article 32(1)(b), cf. Article 5, and that they didn't have any legal grounds for this processing as per Article 6, cf. Article 5 (the latter because the information was confidential and should never have been published openly). The municipality was fined €18,860.
Comment
It's interesting to note that the DPA also held that the municipality had breached Article 6, with the following logic: The folder and its contents were subject to confidentiality as per the Freedom of Information Act. When the folder was openly published, the GDPR applied, meaning the municipality would require legal grounds for processing as per Article 6. However, since the personal data by law weren't allowed to be shared publicly, none of the requirements for establishing legal grounds as per Article 6 were applicable, i.e. the municipality breached Article 6.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Violation fee to Indre Østfold municipality
The Norwegian Data Protection Authority has decided to give Indre Østfold municipality an infringement fee of NOK 200,000 for breach of confidentiality. Personal information that should have been protected was made available to unauthorized persons.
Indre Østfold municipality, formerly Askim municipality, published the student folder of a former student on the municipality's website. The student file contained personal information that is subject to a duty of confidentiality.
Got tips from local newspaper
The starting point for the incident was that the student needed the student file in a study context, and therefore asked the municipality to send it over. The municipality's routine is for requests for access to be recorded. This means that the document in which access has been requested is also scanned and made available for access.
The student folder was available on the municipality's website from Friday 27 September to Monday 30 September. The municipality was made aware of the case by a journalist in the local newspaper Smaalenenes Avis. The documents were removed from the mailing list and exempted from public access immediately after they were discovered. The affected person was then notified.
The infringement fee does not change
After the Data Inspectorate sent a notification of infringement fines, we received feedback from the municipality. Here they regret that "personal sensitive information" was posted on the mailing list. The municipality also asked the Data Inspectorate to assess the size of the fee in light of the measures that were introduced afterwards.
An infringement fee shall reflect the severity of the offense in question. It follows from Norwegian law that the municipality must implement the necessary measures to prevent future offenses. The Norwegian Data Protection Authority has come to the conclusion that the subsequent measures to rectify the incidents, in view of the seriousness of the breach, do not have a significant effect on the size of the infringement fee.
We have therefore concluded that the notified fee will not change.