Datainspektionen - DI-2019-7024: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSK.png |DPA_Abbrevation=Datainspektionen |DPA_With_Country=Datainspektionen (Sweden) |Case_Number_Name=DI-2...") |
(Keep DPA’s old logo on old decisions) |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
|Jurisdiction=Sweden | |Jurisdiction=Sweden | ||
|DPA-BG-Color= | |DPA-BG-Color= | ||
|DPAlogo= | |DPAlogo=LogoSE-Datainspektionen.png | ||
|DPA_Abbrevation=Datainspektionen | |DPA_Abbrevation=Datainspektionen | ||
|DPA_With_Country=Datainspektionen (Sweden) | |DPA_With_Country=Datainspektionen (Sweden) | ||
Line 52: | Line 52: | ||
}} | }} | ||
The Swedish DPA (Datainspektionen) | The Swedish DPA (Datainspektionen) issued a fine of approximately €392000 at the Educational Board of Stockholm after receiving many complaints that the new IT system "Skolplattformen", used for education administration, has suffered data breaches. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
"Skolplattformen" was developed by the Educational Board of Stockholm to help administrate the students and was used for the last years. In the platform there were being processed personal data of 500000 students, education personnel and students' guardians. In the platform, a lot of special categories of personal data were being processed as well as personal data protected by the Swedish Secrecy Law. Four sub-systems were found to have "weak" protection e.g. guardians could access other students' personal data, even those of students with hidden identity. | "Skolplattformen" was developed by the Educational Board of Stockholm to help administrate the students and was used for the last years. In the platform there were being processed personal data of 500000 students, education personnel and students' guardians. In the platform, a lot of special categories of personal data were being processed as well as personal data protected by the Swedish Secrecy Law. Four sub-systems were found to have "weak" protection e.g. guardians could access other students' personal data, even those of students with hidden identity. | ||
=== Dispute === | ===Dispute=== | ||
Did the Educational Board of Stockholm breach Articles 32(1) and 35 GDPR with its new IT system which suffered data breaches? | |||
===Holding=== | |||
=== Holding === | |||
After receiving many complaints, the Datainspektionen found that the Education Board did not apply adequate technical measures to ensure the security of personal data, which has cause to data breaches and that although the Education Board had carried out DPIAs, these DPIAs did not meet the standards of Article 35 GDPR. | After receiving many complaints, the Datainspektionen found that the Education Board did not apply adequate technical measures to ensure the security of personal data, which has cause to data breaches and that although the Education Board had carried out DPIAs, these DPIAs did not meet the standards of Article 35 GDPR. | ||
== Comment == | ==Comment== | ||
Building the IT platform "Skolplattformen" was a big project and the total cost of its development costed 675 millions SEK (around €66 millions) while the operating costs were high as well. The reveal of these data breaches created a lot of frustration among Swedes, some of which see it as a bad investment of public money. | Building the IT platform "Skolplattformen" was a big project and the total cost of its development costed 675 millions SEK (around €66 millions) while the operating costs were high as well. The reveal of these data breaches created a lot of frustration among Swedes, some of which see it as a bad investment of public money. | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details. | The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details. | ||
<pre> | <pre> | ||
Page 1 | |||
Decision | |||
Diarienr | |||
1 (31) | |||
2020-11-23 | |||
DI-2019-7024 | |||
Postal address: Box 8114, 104 20 Stockholm | |||
E-mail: datainspektionen@datainspektionen.se | |||
Website: www.datainspektionen.se | |||
Phone: 08-657 61 00 | |||
City of Stockholm, Board of Education | |||
The education administration | |||
Box 22049 | |||
104 22 Stockholm | |||
Supervision according to the EU Data Protection Regulation 2016 / 679- | |||
against the Board of Education in the city of Stockholm | |||
Page 2 | |||
The Data Inspectorate | |||
DI-2019-7024 | |||
2 (31) | |||
The Data Inspectorate's decision | |||
The infringements | |||
The Data Inspectorate states that the Board of Education in the city of Stockholm has | |||
processed personal data in breach of Article 5 (1) (f) of the Data Protection Regulation 1 | |||
requiring adequate security of personal data, including | |||
protection against unauthorized or unauthorized treatment and in breach of Article 32 (1) | |||
which requires the person responsible for personal data to take appropriate technical measures | |||
and organizational measures to ensure a level of security that is | |||
appropriate in relation to the risk to the rights and freedoms of natural persons | |||
by: | |||
• in the module Compulsory school surveillance, during the period 25 May 2018 until | |||
August 27, 2020, had an eligibility award that has been more | |||
more extensive than is necessary in the light of what | |||
each role holder needs to perform their work as well | |||
by unauthorized persons having access to privacy sensitive | |||
personal data concerning students with a protected identity. | |||
• in the subsystem Student documentation, during the period 26 October 2018 | |||
until November 2019, unauthorized persons have had access to | |||
personal data concerning a very large number of students, some of whom have | |||
been privacy-sensitive / sensitive personal data. | |||
• in the subsystem Home page for guardians, during the period 27 June | |||
2019 until 24 August 2019, unauthorized persons have had access to | |||
personal data concerning guardians. | |||
• in the subsystem Administration interface, during the period 25 May | |||
2018 until 26 August 2019, unauthorized persons have had access to | |||
privacy-sensitive personal data concerning teachers with protected | |||
identity. | |||
1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 | |||
on the protection of individuals with regard to the processing of personal data and on that | |||
free movement of such data and repealing Directive 95/46 / EC (General | |||
Data Protection Regulation). | |||
Page 3 | |||
The Data Inspectorate | |||
DI-2019-7024 | |||
3 (31) | |||
The Data Inspectorate states that the Board of Education in the city of Stockholm, | |||
during the period 25 May 2018 until 27 August 2020, has dealt with | |||
personal data in the subsystems Compulsory school monitoring, Student documentation, | |||
Home page for guardians and the Administration interface in violation of | |||
Article 35, by not having carried out impact assessments for them | |||
system despite the fact that the treatments are likely to lead to a high risk of physical | |||
freedoms and rights of persons as it is a matter of large systems, with | |||
many children registered and with both sensitive and privacy sensitive | |||
personal data. | |||
Administrative penalty fee | |||
The Data Inspectorate decides on the basis of Articles 58 (2) and 83 | |||
the Data Protection Ordinance and Chapter 6 Section 2 of the Data Protection Act 2 att | |||
The Board of Education in the City of Stockholm for the violations of Article 5 (1) and | |||
Article 32 (1) of the Data Protection Regulation shall pay an administrative fee | |||
penalty fee of SEK 4,000,000 (four million). | |||
Injunctions | |||
The Data Inspectorate submits pursuant to Article 58 (2) (d) | |||
data protection ordinance education board to implement one as soon as possible | |||
impact assessment in accordance with Article 35 of the Data Protection Regulation | |||
regarding the subsystems Compulsory school surveillance, Student documentation and | |||
Home page for guardians. | |||
The Data Inspectorate submits pursuant to Article 58 (2) (d) | |||
data protection ordinance The Board of Education in the City of Stockholm to limit | |||
eligibility assignments in the module Compulsory schooling for only those | |||
persons who have a need to process personal data in order to perform their | |||
tasks. | |||
2 The Act (2018: 218) with supplementary provisions to the EU Data Protection Regulation | |||
Page 4 | |||
The Data Inspectorate | |||
DI-2019-7024 | |||
4 (31) | |||
1. Report on the supervisory matter | |||
The Data Inspectorate has through reports of personal data incidents from | |||
The Board of Education in the city of Stockholm has drawn attention to unauthorized persons | |||
access to student information in the School Platform. | |||
From the reports received, it has emerged that the digital platform | |||
used in the city of Stockholm, Skolplattformen, is a city-wide | |||
project and the platform consists of six subsystems. It has also emerged that | |||
The Board of Education in the City of Stockholm is responsible for personal data for them | |||
personal data processing in the School Platform to which the incidents relate. | |||
In the light of these reports, the Data Inspectorate has initiated the relevant case | |||
supervision on 24 June 2019 (dnr 2019-7024) by the Board of Education | |||
processing of personal data, for the purpose of reviewing the security measures for | |||
access to personal data within the framework of two modules of the subsystem | |||
Child and student register: | |||
• Compulsory school monitoring | |||
• Inter-municipal agreements | |||
After the supervision began, the education committee came in with more | |||
reports of personal data incidents. In the light of the information provided by | |||
</pre> | </pre> |
Latest revision as of 11:43, 7 April 2022
Datainspektionen - DI-2019-7024 | |
---|---|
Authority: | Datainspektionen (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR Article 35 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 24.11.2020 |
Published: | 24.11.2020 |
Fine: | 4000000 SEK |
Parties: | n/a |
National Case Number/Name: | DI-2019-7024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | Datainspektionen (in SV) |
Initial Contributor: | Elisavet Dravalou |
The Swedish DPA (Datainspektionen) issued a fine of approximately €392000 at the Educational Board of Stockholm after receiving many complaints that the new IT system "Skolplattformen", used for education administration, has suffered data breaches.
English Summary
Facts
"Skolplattformen" was developed by the Educational Board of Stockholm to help administrate the students and was used for the last years. In the platform there were being processed personal data of 500000 students, education personnel and students' guardians. In the platform, a lot of special categories of personal data were being processed as well as personal data protected by the Swedish Secrecy Law. Four sub-systems were found to have "weak" protection e.g. guardians could access other students' personal data, even those of students with hidden identity.
Dispute
Did the Educational Board of Stockholm breach Articles 32(1) and 35 GDPR with its new IT system which suffered data breaches?
Holding
After receiving many complaints, the Datainspektionen found that the Education Board did not apply adequate technical measures to ensure the security of personal data, which has cause to data breaches and that although the Education Board had carried out DPIAs, these DPIAs did not meet the standards of Article 35 GDPR.
Comment
Building the IT platform "Skolplattformen" was a big project and the total cost of its development costed 675 millions SEK (around €66 millions) while the operating costs were high as well. The reveal of these data breaches created a lot of frustration among Swedes, some of which see it as a bad investment of public money.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Page 1 Decision Diarienr 1 (31) 2020-11-23 DI-2019-7024 Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se Website: www.datainspektionen.se Phone: 08-657 61 00 City of Stockholm, Board of Education The education administration Box 22049 104 22 Stockholm Supervision according to the EU Data Protection Regulation 2016 / 679- against the Board of Education in the city of Stockholm Page 2 The Data Inspectorate DI-2019-7024 2 (31) The Data Inspectorate's decision The infringements The Data Inspectorate states that the Board of Education in the city of Stockholm has processed personal data in breach of Article 5 (1) (f) of the Data Protection Regulation 1 requiring adequate security of personal data, including protection against unauthorized or unauthorized treatment and in breach of Article 32 (1) which requires the person responsible for personal data to take appropriate technical measures and organizational measures to ensure a level of security that is appropriate in relation to the risk to the rights and freedoms of natural persons by: • in the module Compulsory school surveillance, during the period 25 May 2018 until August 27, 2020, had an eligibility award that has been more more extensive than is necessary in the light of what each role holder needs to perform their work as well by unauthorized persons having access to privacy sensitive personal data concerning students with a protected identity. • in the subsystem Student documentation, during the period 26 October 2018 until November 2019, unauthorized persons have had access to personal data concerning a very large number of students, some of whom have been privacy-sensitive / sensitive personal data. • in the subsystem Home page for guardians, during the period 27 June 2019 until 24 August 2019, unauthorized persons have had access to personal data concerning guardians. • in the subsystem Administration interface, during the period 25 May 2018 until 26 August 2019, unauthorized persons have had access to privacy-sensitive personal data concerning teachers with protected identity. 1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on that free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation). Page 3 The Data Inspectorate DI-2019-7024 3 (31) The Data Inspectorate states that the Board of Education in the city of Stockholm, during the period 25 May 2018 until 27 August 2020, has dealt with personal data in the subsystems Compulsory school monitoring, Student documentation, Home page for guardians and the Administration interface in violation of Article 35, by not having carried out impact assessments for them system despite the fact that the treatments are likely to lead to a high risk of physical freedoms and rights of persons as it is a matter of large systems, with many children registered and with both sensitive and privacy sensitive personal data. Administrative penalty fee The Data Inspectorate decides on the basis of Articles 58 (2) and 83 the Data Protection Ordinance and Chapter 6 Section 2 of the Data Protection Act 2 att The Board of Education in the City of Stockholm for the violations of Article 5 (1) and Article 32 (1) of the Data Protection Regulation shall pay an administrative fee penalty fee of SEK 4,000,000 (four million). Injunctions The Data Inspectorate submits pursuant to Article 58 (2) (d) data protection ordinance education board to implement one as soon as possible impact assessment in accordance with Article 35 of the Data Protection Regulation regarding the subsystems Compulsory school surveillance, Student documentation and Home page for guardians. The Data Inspectorate submits pursuant to Article 58 (2) (d) data protection ordinance The Board of Education in the City of Stockholm to limit eligibility assignments in the module Compulsory schooling for only those persons who have a need to process personal data in order to perform their tasks. 2 The Act (2018: 218) with supplementary provisions to the EU Data Protection Regulation Page 4 The Data Inspectorate DI-2019-7024 4 (31) 1. Report on the supervisory matter The Data Inspectorate has through reports of personal data incidents from The Board of Education in the city of Stockholm has drawn attention to unauthorized persons access to student information in the School Platform. From the reports received, it has emerged that the digital platform used in the city of Stockholm, Skolplattformen, is a city-wide project and the platform consists of six subsystems. It has also emerged that The Board of Education in the City of Stockholm is responsible for personal data for them personal data processing in the School Platform to which the incidents relate. In the light of these reports, the Data Inspectorate has initiated the relevant case supervision on 24 June 2019 (dnr 2019-7024) by the Board of Education processing of personal data, for the purpose of reviewing the security measures for access to personal data within the framework of two modules of the subsystem Child and student register: • Compulsory school monitoring • Inter-municipal agreements After the supervision began, the education committee came in with more reports of personal data incidents. In the light of the information provided by appeared in these notifications, the Data Inspectorate decided on 18 June 2020 to extend supervision to include a review of security measures for access to personal data under the subsystems: • Student documentation • Home page for guardians (Home page) • The administration interface “Contact information teacher ”(Administration interface) With regard to Intermunicipal agreements, it has emerged that it constitutes a module in The children and student register. This module has not been fully implemented and used by a limited number of users. In the module Intermunicipal agreements there have been nine students. The incident in the module did not include children protected identity as stated in the notification of the personal data incident. Against this background, the Data Inspectorate has not examined the module in more detail Inter-municipal agreements. Page 5 The Data Inspectorate DI-2019-7024 5 (31) When it comes to compulsory schooling, it is a module 3 in Children and the student register, which constitutes administrative system support for the Board of Education must be able to fulfill its obligations under the Education Act (2010: 800). Of the received reports of the personal data incident, it has it has emerged that unauthorized personnel have had the opportunity to see information about classified persons. Against this background, the Data Inspectorate has reviewed the technical measures that the board has taken to ensure one appropriate security level in the module. The inspectorate has also examined organizational measures in the form of authorization allocation in the current module. The incoming personal data incidents regarding the subsystems Student documentation, the Home page and the Administration interface have touched technical deficiencies. The Data Inspectorate has therefore only examined the technical ones measures that have been taken to ensure an appropriate level of safety in these three subsystems. The Data Inspectorate's review also refers to the obligation to perform one impact assessment in accordance with Article 35 of the Data Protection Regulation concerning the current subsystems. The Board of Education is responsible for 139 compulsory schools, 32 compulsory special schools, 28 upper secondary schools and six upper secondary special schools. The Data Inspectorate's current review does not refer to adult education or preschool activities. 2. Justification of decision 2.1 Applicable provisions The data controller is as defined in Article 4 of the the Data Protection Regulation a natural or legal person, public authority, institution or other body alone or together with others determines the purposes and means of processing personal data; if the purposes and means of processing are determined by Union law or national law of the Member States, the controller or 3 The Board of Education has stated that compulsory schooling is both a module and its own process area. Page 6 The Data Inspectorate DI-2019-7024 6 (31) the specific criteria for appointing him are laid down in Union law or in national law of the Member States. According to Article 5 (1) (f) of the Data Protection Regulation, personal data shall be processed on a way of ensuring adequate security of personal data, including protection against unauthorized or unauthorized treatment and against loss, destruction or damage by accident, using appropriate technical or organizational measures (integrity and confidentiality). Article 32 (1) of the Data Protection Regulation provides that the person responsible for personal data shall - taking into account the latest developments, implementation costs and the nature, scope, context of the treatment and purposes and the risks, of varying degrees of probability and severity, for rights and freedoms of natural persons - take appropriate technical and organizational measures to ensure an appropriate level of security in relation to the risk. This includes, in accordance with Article 32 (1), points (b) and (d) the Data Protection Regulation, where appropriate, - the ability to continuously ensure confidentiality, integrity, availability and resilience of treatment systems and services, and a procedure for regularly testing, examining and evaluating the effectiveness of the technical and organizational measures to be ensured the safety of treatment. Recital 74 of the Data Protection Regulation states: Personal data controllers should be held responsible for all processing of personal data which they perform or which is performed on their behalf. Personal data controllers should in particular be required to take appropriate and effective measures and be able to show that the treatment is compatible with it Regulation, including the effectiveness of the measures. One should within these measures take into account the nature, extent, context and purposes and the risk to the rights and freedoms of natural persons. According to Article 35, a data controller shall make an assessment of a planned processing implications for the protection of personal data, in particular whether a treatment is to be carried out with new technology and taking into account its nature, scope, context and purpose are likely to lead to a high risk of Page 7 The Data Inspectorate DI-2019-7024 7 (31) rights and freedoms of natural persons. This includes in accordance with Article 35 (3) b that an impact assessment pursuant to Article 35 (1) shall be required in particular in cases processing takes place on a large scale of specific categories of data such as referred to in Article 9 (1) or of personal data relating to convictions in criminal cases and infringements referred to in Article 10. 2.2 The responsibility for personal data What the Education Board in the city of Stockholm stated during the proceedings The Board of Education in the City of Stockholm is responsible for personal data for them personal data processing that has taken place in the subsystems Children and student register (module) Compulsory school monitoring, Student documentation, Start page and the Administration Interface. However, the Board of Education is not personal data controller for the personal data processing that has taken place in the latter subsystem within the framework of preschool activities and adult education. The Board of Education currently uses a number of systems and e-services as part of its educational and administrative activities. The committee is responsible for operation and development of municipal activities in preschool, primary school, special primary school, after-school center, upper secondary school and upper secondary special school. The Board of Education is ultimately responsible for how its own operations handles the information. Furthermore, the board is responsible for the information protected in accordance with the city's guidelines for information security and data protection legislation, such as the Data Protection Regulation. The Municipal Board is responsible for the system meeting the requirements for security and is the system owner. Following a decision by the council, the entire responsibility for the School Platform was transferred to the Board of Education from 1 January 2020. This means that The Board of Education is both a system owner and an information owner. The Data Inspectorate's assessment Nothing in the case contradicts the Board of Education's finding that they are relevant processing of personal data covered by this supervision has taken place the purpose of the Board of Education's to conduct municipal school activities. The same also applies to the Board of Education's view that it is The Board of Education in the city of Stockholm, which is responsible for personal data for them personal data processing that has taken place in the subsystems Children and student register (module) Compulsory school monitoring, Student documentation, Start page and the Administration Interface. The current supervision does not cover Page 8 The Data Inspectorate DI-2019-7024 8 (31) personal data processing that has taken place within the framework of preschool activities and adult education, therefore the question falls on personal data responsibility for the latter processing outside the current one supervision. 2.3 Compulsory school monitoring What the Education Board in the city of Stockholm stated during the proceedings General information about compulsory schooling The school platform consists of six subsystems and the Children and Pupils' Register constitutes one of these subsystems. There are 101 modules in the Children and Pupil Register that are divided into eight process areas. Compulsory schooling is one of the eight the process areas in the Children and Pupil Register. The process area Compulsory schooling supports the work with compulsory schooling within municipal primary schools and regarding pupils in independent schools there The City of Stockholm is a home municipality. The function also includes the processes around the municipal activity responsibility. The administrative system support is used to fulfill the Board of Education's obligations regarding compulsory schooling according to the Education Act (2010: 800) as well as handling and decisions in matters linked to this (mainly according to Chapter 7 of the Education Act but also Chapter 24, Section 23). The Administrative responsibility involves ensuring that students within a certain geographical area will be located at a school near the home. The module Compulsory school monitoring processes data on 1,322 active people compulsory schooling (number of registered) of which 83 students are under seven years. Of These 1,322 active compulsory school guards have 60 students protected personal data. The personal data that is processed in the current module are, among other things. a. name, address, mother tongue, school placement, guardians and contact information for these (telephone number and e-mail address) as well as history of school placement and contacts. Decisions containing personal data are also processed regarding a specific pupil where compulsory schooling has ceased, continued supervision (eg imposition of a fine or case with the Swedish Tax Agency), consent to fulfill compulsory schooling in another way and deferred compulsory schooling (special reasons). The module contains information that a student goes to a resource school or special primary school. Page 9 The Data Inspectorate DI-2019-7024 9 (31) Technical deficiencies On October 5, 2018, it was discovered that all users who had authorization to the module Compulsory schooling had the opportunity to see all classified 4 students without school placement. This deficiency is said to be due to the system lacked logic to in the functionality of compulsory school monitoring restrict the access of classified persons. The reason for that is unknown. When the module was implemented in July 2017, the Board of Education had no knowledge of any deficiencies. Compulsory school surveillance in the city municipal primary and lower secondary schools are based on residential areas. Privacy marked people who are unplaced do not have a living area in the system. The routine is that employees at the schools should not be able to see these students then this processing only happens centrally. Number of users who could potentially have been mistaken classified persons are 1,302. The Board is only aware that a school administrator incorrectly viewed the information about students marked with privacy. He must have found three students marked with secrecy in the search results. The there were a total of 60 students with confidentiality marking in compulsory schooling. It has It has not been possible to obtain the exact number of users with log history who had unauthorized access in practice because there are no specific logs for the module Compulsory school monitoring. When the defect was discovered on October 5, 2018, it was not verified by users saw more information than they were authorized to see. On 5 November 2018, ie. one month after discovery, the board was able to verify that users saw more information than they were authorized to see. The supplier worked out a correction which went into production on November 9, 2018. Organizational shortcomings Regarding the allocation of qualifications in the Compulsory School Surveillance, the board has stated that there are eight role holders with different qualifications; - Gr system manager Sthlm, - Gr Administrator Remuneration Sthlm, - Gr Titta Sthlm, - Gr Administrator Language Center Sthlm, - Gr PMO-responsible Sthlm, 4 Confidential persons refer to students with protected personal data. Page 10 The Data Inspectorate DI-2019-7024 1 0 (31) - Gr Administrator School Sthlm, - Gr compulsory schooling Central Admin Sthlm - Gr Look Economy Sthlm. The Board stated that four 5 of the eight aforementioned role holders are not need to have the access to compulsory schooling that they have. This is because that the education administration cannot see that these role holders need to have access to compulsory schooling or that it is not guaranteed that the role only has access to the tasks required to perform the tasks. The administration has therefore requested that this be adjusted. The Data Inspectorate's assessment The nature of the personal data and requirements for security The Data Inspectorate initially states that in the module Compulsory school monitoring processes information about students, such as name, address, social security numbers, guardians and contact information for these (telephone number and e-mail address), mother tongue, municipality, school location (school and grade), history of school placement and contact persons (name, address, social security number, telephone number and e-mail). It is also treated information about students who have a protected identity. Furthermore, personal data in some decisions are treated in the module as continued monitoring of a specific student relating to the imposition of a fine or investigation or matter with the Swedish Tax Agency, consent to fulfill compulsory schooling in another way (filming, Nordic schooling or travel abroad) and deferred compulsory schooling (special reasons). The Data Inspectorate considers that information on protected identity is extensive worthy of protection / privacy as the risks to the data subjects' freedoms and rights are great when processing this personal data. Information that a student attends resource school or special primary school which is also treated in Compulsory school surveillance is a sensitive personal task 6 as it reveals information about health. In view of the nature and nature of the personal data processing which has taken place in the Compulsory School Surveillance and the risks to the data subjects' freedoms 5 Gr Administrator Remuneration Sthlm, Gr Administrator Language Center Sthlm, Gr PMO- responsible Sthlm and Gr Look Economy Sthlm. 6, Article 9 of the data protection regulation. Page 11 The Data Inspectorate DI-2019-7024 1 1 (31) and rights, the Data Inspectorate considers that high demands are placed on the technical ones and organizational measures that the Board of Education had to take to ensure an appropriate level of safety in accordance with Article 32 i the Data Protection Regulation. Technical deficiencies The investigation in the case shows that unauthorized persons have been able to come to privacy-sensitive personal data concerning students with protected identities. Because there is no log follow-up in the module Compulsory schooling is not possible to state the exact number afterwards users who have had unauthorized access to this information. The The technical shortage in compulsory schooling that has now been examined has meant that Potentially 1,302 users have been able to access personal data without authorization regarding 60 students with a protected identity. The reason for this depends on the committee on weaknesses in the system that made restriction of eligibility impossible to information about students with protected identities. There is no information on when the shortage occurred but the module was implemented in July 2017 and the shortage was discovered on October 5, 2018. Organizational shortcomings The Data Inspectorate's inspection of the subsystem in question concerns both the requirements on technical measures and organizational measures in accordance with Article 32. Av The investigation in the case also shows that the allocation of competence in Compulsory school monitoring is more extensive than is necessary in in relation to what each role holder needs to perform theirs tasks. The Board of Education has stated that a review of the eight the eligibility roles will be initiated shortly. Overall assessment Both the fact that unauthorized persons had access to / have been able to access privacy-sensitive personal data concerning students with protected identity and that there is a more extensive access to data in Compulsory schooling than necessary is contrary to Article 32 (1) the Data Protection Regulation. According to Article 32 (1), the Board of Education shall include taking into account recent developments, implementation costs and the nature, scope, context and purpose of the treatment and the risks of the rights and freedoms of natural persons, take appropriate technical and organizational measures to ensure an appropriate level of security in in relation to the risk. Page 12 The Data Inspectorate DI-2019-7024 1 2 (31) The Data Inspectorate assesses that an appropriate security in this case includes one ability to continuously ensure the confidentiality of treatment systems and services. Because the board has allocated more extensively authorizations and that unauthorized persons have gained access to personal data about students with a protected identity, it is the Data Inspectorate's assessment that the Board of Education has failed in its ability to continuously ensure confidentiality of the data processed in the processing systems and - services as required by Article 32 (1) of the Data Protection Regulation. The requirement of adequate security also includes having a procedure for regularly test, examine and evaluate the effectiveness of the technical and organizational measures taken to ensure the safety of treatment which has not been the case here either. The Data Inspectorate finds that if the Board of Education had had such a procedure to regularly test, examine and evaluate the effectiveness of the measures taken the board has been able to ensure / discover whether the technical measures are correct in accordance with the organizational measures taken. As for it the lack of organization (the extensive competence) is also according to The Data Inspectorate's assessment is such a shortcoming in the authorization restriction which should have been discovered if the Board of Education had regularly checked the authorization. This too is a shortcoming in the requirements for appropriate security pursuant to Article 32 (1) of the Data Protection Regulation. The Board of Education in the City of Stockholm has summarized personal data in the module Compulsory school monitoring in the School Platform in violation of Article 32 of the Data Protection Regulation. The Data Inspectorate also assesses that the Board of Education has considered personal data in breach of Article 5 (1) (f) of the Data Protection Regulation thereof current subsystem. This is because the board has not ensured a suitable one security of personal data, including protection against unauthorized or unauthorized use treatment through the use of appropriate technical measures. Page 13 The Data Inspectorate DI-2019-7024 1 3 (31) 2.4 The student documentation What the Education Board in the city of Stockholm stated during the proceedings General information about the Student Documentation The student documentation is one of six subsystems that the School Platform consists of. In the subsystem Student Documentation there are a total of 464,611 registered, of which 122,699 are students in municipal primary and secondary school. Of these students has 787 protected personal data. There are 233,066 in this subsystem registered guardians and 34,756 employees (some of these employees works in childcare and adult education not covered by supervision). The personal data that is processed in the current subsystem are, among other things. a. rating, result on national tests, reporting of results to Statistics Sweden, Statistics Sweden, assessment support that involves documentation of the student's level of knowledge, information that some students need extra adaptations, documentation around investigations and action programs, personal data for the work with development talks and written assessments. Technical deficiencies On August 21, 2019, a guardian was discovered via a thread on Twitter had discovered a data leak in the Student Documentation. The person behind The Twitter account has analyzed with its own access and login via Bank ID the traffic and calls between the front-end and back-end systems. 7 The person has then took out parts of these calls and manipulated them in order to do so get over other people's information. 7 The terms are used by the Board of Education in the city of Stockholm and their function can generally described as follows. The separation of front end and back end system simplifies the data process when it comes to multilayer development and maintenance of computer systems. One Front-end systems are mainly used to send questions and requests and receive data from the backend system. It allows users to interact and use one information system. Usually, front-end systems have very limited computational or business logic processing functions and relies on data and functions from the backend system. A front-end system can include or consist of a text or graphic user interface (GUI) and / or a front-end client application connected to the backend system. The backend system manages databases and data processing components and ensures that the responses to the front - end system's requests are retrieved from databases and data processing components. Page 14 The Data Inspectorate DI-2019-7024 1 4 (31) The board has stated that when logging in takes place in the Student Documentation in The school platform is exposed to personal data through an API 8 . Due to a technical lack of API could people, with some knowledge of network systems and programming, monitor calls made from a logged in client mode, copy and modify them. In this way, new calls and personal data could be made which would not be available to the person became available. This means that personal data was available depending on what requests an individual made did, regardless of eligibility. This in turn gave access to personal data without correct authorization. This shortcoming has meant that unauthorized persons have been able to access it the following information about other students: first name, last name, social security number, school type (eg special primary school), year, school ID, class, student's assessment from module development calls, whether it is an integrated user or not as well migrated IUP 9 documents from the School Web. All registered guardians in the School Platform have because of it current shortage had the opportunity to unauthorized access to information. According to the Board of Education, a person has taken advantage of this opportunity and done paging of 101 unique people. The shortcoming has existed since the subsystem was launched. The module where the shortage existed has been in operation since 26 October 2018 . This deficiency had not been detected in previous function and safety tests before the function was put into production. The deficiency in the subsystem was remedied by code changes that were completed during November 2019 . The student documentation was closed after the shortage was discovered until all detected deficiencies were rectified. 8 , an application programming interface (API) is a set of protocols, procedures, functions and / or commands that programmers use to develop software or facilitate interaction between different systems. APIs are usually useful for programming GUI components (graphical user interface), as well as for a program to request and provide services from another program. 9 Individual development plan. Page 15 The Data Inspectorate DI-2019-7024 1 5 (31) The Data Inspectorate's assessment Security requirements The Data Inspectorate initially states that in the subsystem Student documentation in the School Platform is extensive personal data processing involving thousands of students, guardians and teacher. According to Article 9 of the Data Protection Regulation, health information is so-called sensitive personal data according to the Data Protection Regulation. In preparatory work, Processing of personal data in the field of education (Bill 2017/18: 218 p.57) states the following: As mentioned above, sensitive personal data is further processed health when examining admission to the special primary school, special school, upper secondary special school, and special education for adults according to 7, 18 and 21 Cape. the Education Act. Even an indication that a student goes to such a school is one sensitive task. The Data Inspectorate further states that in the subsystem Student documentation data relating to students' health are treated as data contained in various inquiries about students, special adaptations, etc. Also information about that some students go to a special school involves the treatment of sensitive personal data . In addition, extensive personal data processing is added in The student documentation that does not constitute sensitive personal data according to the Data Protection Regulation but is to be regarded as extra privacy sensitive such as information relating to assessments and data from development interviews. In view of the scope of the personal data processing that takes place in the Student Documentation subsystem, the nature and nature of the treatments and the risks to the data subjects' freedoms and rights, the Data Inspectorate considers that very high demands should be placed on the technical measures to be taken to ensure an appropriate level of safety in accordance with Article 32 i the Data Protection Regulation. Page 16 The Data Inspectorate DI-2019-7024 1 6 (31) Assessment of technical measures The technical shortcoming in the Student Documentation that is now being examined has meant that unauthorized persons have been able to access other people's personal data through to monitor calls made from a logged in client mode, copy and modify them. In this way, new calls could be made and personal data not would be available became available. According to the Board of Education information could be accessed by unauthorized persons, e.g. a. other people's first names, surname, social security number, type of school (eg special primary school), year, school ID, class and students' assessments from the module development conversations. This technical shortage has meant that all registered guardians in the School Platform has had the opportunity to unauthorized access to information about all registered students, including sensitive and privacy-sensitive information concerning students. The Data Inspectorate notes that the technical security measures that have taken in the subsystem The student documentation in the School Platform has been deficient as unauthorized persons have been able to easily access comprehensive sensitive and privacy-sensitive personal data concerning thousands of students. The Board of Education has thus breached its obligation pursuant to Article 32 (1) of the Data Protection Regulation, taking into account the latest development, implementation costs and the nature, scope of treatment, context and purpose and the risks to the rights of natural persons and freedoms, take appropriate technical measures to ensure a level of security which is appropriate in relation to the risk. The current technical deficiency which is now being examined in the subsystem According to the Swedish Data Inspectorate's assessment, the student documentation should have detected at an early stage, before the processing of personal data was started. The Data Inspectorate considers that an appropriate security in this case includes an ability to continuously ensure the confidentiality of treatment systems and services. The requirement of adequate security also includes having a procedure for regularly test, examine and evaluate the effectiveness of the technical the measures taken to ensure the safety of the treatment. That it current technical deficiency was discovered by a guardian long after subsystem The student documentation was launched, shows that the Board of Education neither has ensured to continuously ensure confidentiality in this subsystem or had a procedure to regularly test, examine and Page 17 The Data Inspectorate DI-2019-7024 1 7 (31) evaluate the effectiveness of the technical measures taken in a way that: meets the requirements of the Data Protection Regulation. The Data Inspectorate finds that this too is a shortcoming in the requirements for appropriate security under Article 32 (1) (i) the Data Protection Regulation. In summary, the Board of Education in the city of Stockholm has dealt with this personal information in the Student Documentation which is part of the School Platform in in breach of Article 32 of the Data Protection Regulation. The Data Inspectorate also assesses that the Board of Education has considered personal data in the subsystem in question in breach of Article 5 (1) (fi) the Data Protection Regulation. This is because the board has not secured one appropriate security for personal data, including protection against unauthorized or unauthorized treatment using appropriate technical measures. 2.5 Home page What the Education Board in the city of Stockholm has stated during the proceedings General about the Home page The start page is one of the six subsystems that the School Platform consists of. A module in the subsystem The start page is called "contacts" where personal information from School Data Sync Database (SDS DB) is processed, which in turn retrieves information from the child and student register subsystem. Personal data is processed to ensure guardians' access to information about the right school and class based on the connection between guardians and children / pupils and children / pupils connection to classes / groups. This is controlled based on information in Children and student register. Among the personal data processed in the Home Page are students and teachers name, e-mail address, school connection, connection to groups, connection to departments, mentor groups and courses. Data on is also processed guardian's name, social security number, address, e-mail address, telephone number and connection to children. In the subsystem Start page, there are a total of 440,695 registered, of which 31,847 are employees, 233,062 guardians and 122,699 students in municipal primary and lower secondary school and high school. Page 18 The Data Inspectorate DI-2019-7024 1 8 (31) Technical shortage On June 27, 2019, a new functionality was introduced on the Home page there guardians could apply for other guardians with children in the same class provided that the guardians have consented to it. August 24th In 2019, it was discovered that the technical measures had failed then one guardians by changing calls in the developer tool in their browser with the help of social security numbers could search for other guardians who were registered on the Home Page. The shortage has meant that everyone registered guardians in the School Platform have had the opportunity to take part in unauthorized access information. This shortcoming has existed since the new functionality was introduced in June 2019. The Board of Education has identified a guardian who has access unauthorized information about seven unique people. None of those affected had a protected identity. The technical deficiency was remedied on the day it was discovered, on 24 August 2019, through a code change that was produced. The Data Inspectorate's assessment Security requirements The Data Inspectorate initially states that in the subsystem Start page in The school platform carries out extensive personal data processing that concerns thousands of students, guardians and teachers. It is treated differently information such as guardian's social security number, address, e-mail address, telephone number and connection to children. In view of the scope of the personal data processing that takes place in the home system subsystem, the nature and nature of the treatments and the risks to them The data inspectorate's freedoms and rights, the Data Inspectorate considers that high demands should technical measures to be taken to ensure an appropriate security level in accordance with Article 32 of the Data Protection Regulation. The assessment of technical measures The technical shortcoming in Startsidan, which is now being examined, has meant that guardians by changing calls in the developer tool in their browser with the help of social security numbers could search for other guardians who are registered on the Home page. This means that guardians have on one easily accessed unauthorized by other guardians personal data. The Board of Education has thus breached its obligation Page 19 The Data Inspectorate DI-2019-7024 1 9 (31) pursuant to Article 32 (1) of the Data Protection Regulation, taking into account the latest development, implementation costs and the nature, scope of treatment, context and purpose and the risks to the rights of natural persons and freedoms, take appropriate technical measures to ensure a level of security which is appropriate in relation to the risk in the subsystem in question. The Data Inspectorate assesses that an appropriate security in this case includes one ability to continuously ensure the confidentiality of treatment systems and services. The current technical shortage should according to The Data Inspectorate's assessment has been discovered at an early stage before the processing of personal data began. That the current shortage was discovered by a guardian after the launch of the Startup subsystem, shows that the Board of Education also did not have a procedure that fulfills the requirements of the Data Protection Regulation to regularly test, examine and evaluate the effectiveness of the technical measures taken. This too is lack of appropriate security requirements under Article 32 (1) of the Data Protection Regulation. The Board of Education in the city of Stockholm has thus dealt with personal data in the subsystem in question in breach of Article 32 i the Data Protection Regulation. The Data Inspectorate further assesses that the Board of Education in the city of Stockholm has processed the personal data in the current subsystem in violation of the article 5.1 in the Data Protection Ordinance because the board has not ensured one appropriate security for personal data, including protection against unauthorized or illicit treatment. 2.6 The administration interface What the Education Board in the city of Stockholm has stated during the proceedings General information about the Administration Interface The administration interface was common to the two subsystems Absence / Attendance and Schedule in the School Platform, where settings for these subsystems are executed. The system read data from the Children and Pupil Register which is the source system for basic data in the current subsystem. The data were administered in this interface and was then shown to users in various interfaces based on the role of the system and depending on the settings made. The administration interface was not intended for guardians. People with Page 20 The Data Inspectorate DI-2019-7024 2 0 (31) a combination of roles such as teacher or chancellor who is also guardians had no access to the information linked to the role guardian when logging in to this interface. People who only had however, the role of guardian was given when logging in to the Administration Interface access to data linked to own children. Among the personal data handled are name, social security number, e-mail, telephone number, department or group / class affiliation, teacher connection to group / class / department, lesson information (group / class / subject / course, room and time), absence data (presence / absence, reason for absence, valid / invalid) and the application for leave. Technical deficiencies On August 26, 2019, it was discovered that guardians through a search on Google found links to login to the Administration Interface there guardians should not be able to log in. The current shortage has meant that guardians have been able to produce reports for "Contact information teachers" where name, e-mail address and work telephone number are displayed. Furthermore, the interface has not been shown to be adapted for handling classified information tasks. Individuals with protected identities have not had a marking as reveals this. This means that people with protected identities can have covered by the current deficiency, but that these can not be distinguished from the others registered. The shortcoming has existed since the function was launched, probably since August 2017 . It was discovered internally on 19 November 2018 and was then assessed by the Board of Education be trivial because the inquiry then claimed that no data that the guardian could not see in another interface was shown. The differences that existed e.g. access to "Contact Information-Teacher", was then said to only show the student's current teacher and what subjects they have with them eleven. It was also said that no contact details were shown. The shortage would be solved with a code merger which was then planned in 2019. The release as the correction would be covered by early 2019, however, is postponed to the future. The personal data that was displayed as a result of the current deficiency is contact information for teachers, such as name, class, school, subject / course, e- postal address (both work and private address) and telephone number (both work and private number). Page 21 The Data Inspectorate DI-2019-7024 2 1 (31) It is not possible to determine how many guardians have logged in to this interface and incorrectly accessed data. It is also not possible to get it how many of the teachers covered by the reports also had their private e- postal address entered in the Children and Pupil Register and which could thus be displayed for unauthorized. The Board of Education cannot state the number of registered as was affected by this technical deficiency. At present, there are between 50 and 60 teachers which have a protected identity in this subsystem. The Board of Education can not nor appreciate what the current shortage has meant for the data subjects as the board has not received any indications of consequences. After the vulnerability was discovered and could be confirmed, Stockholm requested city on 26 August 2019 that the supplier would close the access for caregiver. The subsystem was shut down and is no longer in operation. The Data Inspectorate's assessment Security requirements The Data Inspectorate initially states that in the Administration Interface data concerning teachers were processed, such as e-mail address (both work and private address) and telephone number (both work and private numbers). The data on teachers with protected identities were also processed. As previously mentioned, the Data Inspectorate considers that information concerning persons with protected identities are very worthy of protection / privacy sensitive then the risks for the data subjects' freedoms and rights are great in processing them personal data. Given the nature and nature of the personal data processing that has taken place in the Administration Interface and the risks to the data subjects' freedoms and rights, the Data Inspectorate considers that high demands be placed on the technical measures to be taken to ensure an appropriate level of safety in accordance with Article 32 i the Data Protection Regulation. The assessment of technical measures In the Administration Interface, guardians have via Google search been able to find links for logging in to the Administration interface there guardians should not be able to log in. In this interface have guardians been able to produce information on e.g. a. teachers' private contact details such as email address and private phone numbers. This interface has also been proven not be adapted for handling data on individuals with protected Page 22 The Data Inspectorate DI-2019-7024 2 2 (31) identity. This means that unauthorized persons have been able to access information on persons with a protected identity. Because the current shortage has meant that unauthorized persons have had possibility to access information about persons with a protected identity the Board of Education has breached its obligation under Article 32 (1) (i) the Data Protection Regulation that, taking into account recent developments, implementation costs and the nature, scope, context of the treatment and purposes and the risks to the rights and freedoms of natural persons appropriate technical measures to ensure an appropriate level of safety in relation to the risk. The Data Inspectorate assesses that an appropriate security in this case includes one ability to continuously ensure the confidentiality of treatment systems and services. The current technical shortage should according to The Data Inspectorate's assessment has been discovered at an early stage before the processing of personal data began. The mentioned shortcoming has has been around for a long time since the system was launched. The Board of Education was made aware of the shortcoming in November 2018, but chose not to remedy it until the deficiency was rediscovered in August 2019. The Board of Education has thus breached the necessity of continuously ensure confidentiality in the current interface. The requirement of Appropriate security also includes having a procedure to regularly test, investigate and evaluate the effectiveness of the technical measures taken measures to ensure the safety of treatment, which neither has in this case in the light of the foregoing. The Board of Education in the city of Stockholm has thus dealt with personal data in the subsystem in question in breach of Article 32 i the Data Protection Regulation. The Data Inspectorate also assesses in this part that the Board of Education has processed personal data in the current interface in violation of Article 5 (1) (fi) the Data Protection Ordinance because the board has not ensured an appropriate security of personal data. Page 23 The Data Inspectorate DI-2019-7024 2 3 (31) 2.7 Impact assessment What the Education Board in the city of Stockholm stated during the proceedings The Board of Education states that since the Children and Pupil Register production was launched before 25 May 2018 has no comprehensive impact assessment under Article 35 of the Data Protection Regulation yet implemented. On the other hand, impact assessments have been carried out continuously as new functionalities have been added. The committee believes that an impact assessment needs to be made and work on this is ongoing and will be completed in December 2020. The vulnerabilities that have detected during penetration tests has been promptly remedied. The Board of Education has further stated that it is working with one risk management plan, where what is discovered in risk and impact assessments systematically addressed in accordance with the city's risk matrix and that objective is that there will soon be active risk management for the whole The school platform. The Board of Education has a developed process for that ensure adequate information security that involves risk and impact assessments shall be carried out Regarding the Administration Interface, there will be no impact assessment to be done for this part because the interface has been discontinued and is no longer in use. The Data Inspectorate's assessment In the subsystems and modules that have been the subject of the Data Inspectorate review treats students, school staff and guardians personal data of varying degrees of sensitivity. The current subsystems covered of the supervision in question involves the treatment of a large number personal data of a large number of data subjects, who are largely children, who in the Data Protection Regulation is highlighted as vulnerable natural persons 10 . The Data Inspectorate states that in the relevant subsystems there is extensive personal data processing with different types of personal data such as grades, inquiries about students, development talks, special adaptations, children and adults with a protected identity. Furthermore, sensitive people are also treated personal data to a certain extent, ie. specific categories of data such as referred to in Article 9 (1) as health information. It is thus a question of one 10 See recital 75 of the Data Protection Regulation. Page 24 The Data Inspectorate DI-2019-7024 2 4 (31) comprehensive personal data processing if a large number of registered in the system. The Data Inspectorate states that it is a question of a treatment as with consideration of its nature, scope, context and purpose is likely to lead to a high risk to natural persons rights and freedoms in such a way which requires that the Board of Education should have implemented one impact assessment in accordance with Article 35 of the Data Protection Regulation. By article 35.3 (b) further states that an impact assessment under paragraph 1 in particular shall be required in the case of large-scale treatment of special categories of data referred to in Article 9 (1). The Data Inspectorate states that the processing of personal data in the relevant subsystems is of it the nature set out in Article 35 (3) (b) of the Data Protection Regulation, which is a circumstance which in particular requires an impact assessment. The Data Inspectorate has, on the basis of guidelines from Article 29- working group and the criteria developed by the group 11 , adopted one list of when an impact assessment is to be made. 12 In addition to the situations referred to in Article 35 (3) of the Data Protection Regulation, and taking into account the derogation in Article 35 (10), an impact assessment shall regarding data protection is made if the planned processing meets at least two of the nine criteria mentioned in the list. In this case, sensitive data or data is processed by a lot personal nature, large-scale information and vulnerable information registered which are three of nine criteria that according to the list suggest that an impact assessment shall be carried out. Furthermore, the list indicates when an impact assessment is not required. The no impact assessment is required for treatments that have checked by a regulatory authority or a data protection officer in accordance 11 Guidelines on impact assessment regarding data protection and determining whether the treatment "is likely to lead to a high risk" within the meaning of the Regulation 2016/679, last revised and adopted on 4 October 2017, WP 248 rev. 01. 2 (6) http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236 . The The European Data Protection Board (EDPB) has approved the guidelines on 25 May 2018 https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents.pdf. 12 List according to Article 35 (4) of the Data Protection Ordinance, no. DI-2018-13200 Page 25 The Data Inspectorate DI-2019-7024 2 5 (31) with Article 20 of Directive 95/46 / EC and the implementation of which has not changed since previous control. As a good practice, however, one should impact assessment is reviewed continuously and evaluated regularly. The Data Inspectorate finds that there is no circumstance that suggests that an impact assessment is not required. In the 29-group guidelines specify that even if an impact assessment is not required on 25 May In 2018, it is necessary for the person responsible for personal data to perform one impact assessment, at an appropriate time and as part of its general liability. 13 The Data Inspectorate states that the processing of personal data takes place in the current subsystems in the School Platform is likely to lead to a high risk of the rights and freedoms of natural persons in such a way that a impact assessment under Article 35 of the Data Protection Regulation implemented in the respective subsystems covered by this supervision, in order to: assess the consequences of the planned treatment for the protection of personal data in accordance with Article 35. The fact that the system was launched before 25 May 2018 does not affect the assessment of the inspectorate. The Board of Education states that the reason for that the current deficiencies that caused the incidents that occurred in the respective subsystem not discovered before is that no comprehensive impact assessment has been performed. In the current review, the Data Inspectorate has assessed that it has existed technical deficiencies in several subsystems covered by the supervision. The inspection has also assessed that the eligibility allocations have been more extensive in it the module where the issue has been examined (Compulsory school monitoring). Against the background of the Board of Education's own information that has emerged in the case regarding impact assessment, the Data Inspectorate considers that the Board of Education, during the period 25 May 2018 until 27 August 2020, has not implemented one impact assessment covering the compulsory schooling subsystems, Student Documentation, Home Page and Administration Interface in its whole. If the board had made a complete impact assessment, so the deficiencies found could probably have been avoided. The Board of Education has thus not carried out an impact assessment that meets the requirements of 13 Guidelines on impact assessment regarding data protection and determining whether the treatment "is likely to lead to a high risk" within the meaning of the Regulation 2016/679, last revised and adopted on 4 October 2017, WP 248 rev. 01. 2 (6) pp. 15- 16 http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236 Page 26 The Data Inspectorate DI-2019-7024 2 6 (31) Article 35 of the subsystems concerned and has thus dealt with personal data in violation of the current provision. 3. Choice of intervention 3.1 Possible intervention measures The Data Inspectorate has a number of corrective powers available according to Article 58 (2) (a) to (j) of the Data Protection Regulation, inter alia to impose it personal data controllers to ensure that the processing takes place in accordance with Regulation and, if necessary, in a specific way and within a specific period. Of point (i) of Article 58 (2) and Article 83 (2) of the Data Protection Regulation it appears that the Data Inspectorate has the authority to impose administrative penalty fees in accordance with Article 83. Depending on the circumstances of in the individual case, administrative penalty fees shall be imposed in addition to or in instead of the other measures referred to in Article 58 (2). Furthermore, Article 83 (2) sets out the factors to be taken into account when deciding whether: administrative penalty fees shall be imposed and in determining the size of the fee. If it is a question of a minor violation, the Data Inspectorate receives according to what set out in recital 148 of the Data Protection Regulation instead of imposing a issue a reprimand in accordance with Article 58 (2) (b) the Data Protection Regulation. Account must be taken of aggravating and mitigating circumstances of the case, such as the nature of the infringement, the severity and duration and previous breaches of relevance. For authorities, according to Article 83 (7), national supplementary provisions are introduced regarding administrative sanction fees. Of ch. 6 § 2 The Data Protection Act states that the supervisory authority may charge a penalty fee by an authority in the event of infringements referred to in Article 83 (4), (5) and (6) the Data Protection Regulation. In that case, Article 83 (1), (2) and (3) of the Regulation shall apply apply. Page 27 The Data Inspectorate DI-2019-7024 2 7 (31) 3.2 Order The Data Inspectorate has found that the Board of Education in the city of Stockholm, by having a more extensive allocation of competencies than necessary in the subsystem / module Compulsory school monitoring, has processed personal data in contrary to Articles 5 (1) (f) and 32 (1) of the Data Protection Regulation. Furthermore, it has been established that the Board of Education, although impact assessments have been carried out continuously as new functionalities have has not met the requirements for carrying out an impact assessment in in accordance with Article 35 of the Data Protection Regulation. The Board of Education in the City of Stockholm must therefore be instructed to ensure that the processing in these parts takes place in accordance with the Data Protection Regulation according to following. The Data Inspectorate submits to the Board of Education, on the basis of Article 58 (2) (d) in the Data Protection Regulation, to limit authorization allocations in the module Compulsory school supervision for those people who have a need for treatment the personal data to perform their tasks in the current module. The Data Inspectorate also submits it to the Board of Education, with the support of an article 58.2 of the Data Protection Regulation, to implement one as soon as possible impact assessment in the compulsory schooling subsystems, The student documentation and the start page for guardians who meet the requirements of Article 35 of the Data Protection Regulation. 3.3 A penalty fee shall be imposed The Data Inspectorate has above assessed that the Board of Education in the relevant subsystems have infringed Article 5 and Article 32 of the Data Protection Regulation. These articles are covered by Article 83 (4) and 83 (5) respectively and in the event of an infringement of these, the supervisory authority shall consider imposing administrative penalty fee in addition to, or instead of, other corrective measures. In view of the fact that they identified infringements in the subsystems Compulsory schooling, Student documentation, Administration interface and The home page has touched a very large number of registrants including children and students, and included shortcomings in the handling of sensitive and privacy-sensitive personal data, including data on persons with a protected identity, information about health, grades, etc., it is not a question of a minor violation. Page 28 The Data Inspectorate DI-2019-7024 2 8 (31) There is thus no reason to replace the sanction fee with a reprimand. The Board of Education shall thus be subject to administrative penalty fees. 3.4 Determination of the amount of the penalty fee General provisions According to Article 83 (1) of the Data Protection Regulation, each supervisory authority shall: ensure that the imposition of administrative penalty fees in each individual cases are effective, proportionate and dissuasive. For authorities, according to ch. § 2 second paragraph of the Data Protection Act that the penalty fees shall be set at a maximum of SEK 5,000,000 at infringements referred to in Article 83 (4) of the Data Protection Regulation and up to a maximum of 10 SEK 000 000 for infringements referred to in Article 83 (5) and 83 (6). Violations of Article 5 are subject to the higher penalty fee under Article 83 (5), while infringements of Articles 32 and 35 are covered by the lower the maximum amount in accordance with Article 83 (4). Article 83 (2) of the Data Protection Regulation sets out the factors to be taken into account in determining the amount of the penalty fee. When assessing the size of sanction fee shall, among other things. a. account is taken of Article 83 (2) (a) (nature of the infringement, severity and duration), b (intent or negligence), g (categories of personal data), h (how the violation came to the Data Inspectorate knowledge) and k (another aggravating or mitigating factor for example direct or indirect financial gain) in the Data Protection Regulation. Assessment of mitigating and aggravating circumstances In the Data Inspectorate's assessment of the penalty fee, account has been taken of the fact that there have been infringements concerning several articles of the Data Protection Regulation, whereby infringement of Article 5 is to be judged as more serious and covered by the higher penalty fee. In order for penalty fees to be effective and deterrence, a proportionality assessment must be made in each individual case. A personal data controller must ensure before launching a new system appropriate security. The requirements for the personal data controller and the measures that taken to ensure adequate security must be set high when it comes to the issue about a large number of data subjects and especially when it comes to data on for example health and protected personal data, which means sensitive and privacy-sensitive personal data processing takes place. Page 29 The Data Inspectorate DI-2019-7024 2 9 (31) In the present case, special consideration has been given to the Board of Education in the City of Stockholm has processed a large amount of personal data in the digital platform used in the city of Stockholm, Skolplattformen, and that the violations have concerned data on a very large number of data subjects, at least above one hundred thousand registered. The current violations have included both privacy-sensitive and sensitive personal data concerning children that are extra worthy of protection. The violations have also meant that unauthorized persons have been able to obtain access to data on persons with a protected identity. This is personal data which by its nature has a high protection value as it can get a lot serious consequences for the individual natural person if unauthorized sheep part of the data. Furthermore, the following aggravating and mitigating circumstances have been weighed into the various subsystems that have been examined. Compulsory school surveillance Adverse circumstances in the module Compulsory schooling are the risks for the lives of individuals caused by unauthorized access to privacy-sensitive personal data concerning approximately 60 students with protected identity. Another aggravating circumstance that the inspectorate has taken into account is that the Board of Education has still not addressed the competencies in module so that each user only has access to the data he needs to perform his duties. The student documentation What have been aggravating circumstances regarding the shortcomings that have found in the Student Documentation is that the technical shortcomings of this supervision covers have enabled unauthorized access to sensitive and much privacy-sensitive personal data concerning at least over one hundred thousand students. All registered guardians have, by that in a relatively simple manipulate the system, had the opportunity to access data such as social security number, information about pupils who attend special school and pupils' grades and reviews. The technical shortcomings in the Student Documentation have outside the investigation in the case has existed for a period longer than six months and was discovered by a guardian. Page 30 The Data Inspectorate DI-2019-7024 3 0 (31) As an attenuating circumstance, the Education Board's actions have to address the shortcomings after the discovery has been weighed in the assessment of the size of the penalty fee. Home page The technical deficiency in the subsystem The start page has arisen in connection with launch of a new functionality. That which has been aggravating circumstances is that the defect was discovered by a guardian and not by the Board of Education. This indicates that the Board of Education does not have sufficient test seductions when launching new functionalities. As mitigating circumstance, the inspectorate has taken into account the current the shortage has existed for a short period and that the Board of Education remedied the deficiency promptly after the discovery. The administration interface What has been aggravating regarding the shortcomings that have existed in the subsystem The administration interface is that the shortcomings could have led to unauthorized persons had access to data on approximately 50-60 employees with protected identities, which can have very serious consequences for individuals. Other aggravating circumstances that have been taken into account in the assessment of the penalty fee is that the technical deficiencies have existed for a period which exceeds one year and that the Board of Education as in November 2018 was made aware of the shortcomings of the Administration Interface, did not take action until the deficiencies were rediscovered in August 2019. Overall assessment of the size of the penalty fee The Data Inspectorate decides on the basis of an overall assessment that The Board of Education in the city of Stockholm must pay an administrative fee a penalty fee of SEK 4,000,000 (four million) for those found the violations in the subsystems Compulsory school surveillance, Student documentation, The administration interface and the Home page for guardians. This decision was made by Director General Lena Lindgren Schelin after presentation by lawyers Salli Fanaei and Ranja Bunni. At the final The case is also handled by the General Counsel Hans-Olof Lindblom, the head of the unit Malin Blixt and the information security specialist Adolf Slama participated. Page 31 The Data Inspectorate DI-2019-7024 3 1 (31) Lena Lindgren Schelin, 2020-11-23 (This is an electronic signature) Appendix How to pay penalty fee. Copy for knowledge of: The Data Protection Officer for the Board of Education in the City of Stockholm. 4. How to appeal If you want to appeal the decision, you must write to the Data Inspectorate. Enter i the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from on the day the decision was announced. If the appeal has been received in due time the Data Inspectorate forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.