Datatilsynet (Norway) - 21/03177: Difference between revisions
No edit summary |
(Moved information about the national regulation and its effect to the comments section and clarified the consequence of breaching this) |
||
(7 intermediate revisions by 4 users not shown) | |||
Line 67: | Line 67: | ||
}} | }} | ||
The Norwegian DPA fined a municipality €29,880 for | The Norwegian DPA fined a municipality €29,880 for publishing a confidential document with a pupil's sensitive personal data, including potential diagnoses such as ADHD, in breach of [[Article 32 GDPR#1b|Articles 32(1)(b)]], [[Article 6 GDPR|6]], and [[Article 5 GDPR|5 GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Lillestrom municipality notified the Norwegian DPA about a personal data breach concerning a document they had published on their website, where they had forgotten to classify the appendices as exempt from public disclosure. The caseworker also failed to notice the error. The document | Lillestrom municipality notified the Norwegian DPA about a personal data breach concerning a document they had published on their website, where they had forgotten to classify the appendices as exempt from public disclosure. The caseworker also failed to notice the error. The document then went through two additional manual quality controls without the error being detected and it was only discovered after a local journalist notified them. | ||
The document contained information and personal data about a pupil, including name, birth date, name and address | The document contained information and personal data about a pupil, including name, birth date, name and address of their parents and their description of their child, description and assessment of the pupil's behaviour and educational challenges from both the school and other public authorities, as well as a concrete assessment of how much special needs tutoring the pupil needs, the pupil's own description of their well-being at home and at school, their tests and assessments and potential diagnoses like dyslexia or ADHD. | ||
The document was available online for about two days and was accessed by four different IP addresses before the municipality managed to remove it. | The document was available online for about two days and was accessed by four different IP addresses before the municipality managed to remove it. | ||
=== Holding === | === Holding === | ||
The Norwegian DPA fined the controller €29,880 for lack of sufficient technical and organisational measures | The Norwegian DPA fined the controller €29,880 for lack of sufficient technical and organisational measures under [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 5 GDPR|Article 5 GDPR]], and for having published personal data on their website without lawful grounds under [[Article 6 GDPR|Article 6 GDPR]] and [[Article 5 GDPR|Article 5 GDPR]]. | ||
== Comment == | == Comment == | ||
'' | The personal data concerned is confidential as per [https://lovdata.no/NLE/lov/1967-02-10/§13 the Norwegian Public Administration Act § 13(1)]. As per the corresponding regulation § 7, it is unlawful to publish such personal data online. If this still happens, the GDPR will ''also'' come into effect, requiring lawful grounds for the processing as per [[Article 6 GDPR|Article 6]]. However, there would be no available legal ground to rely upon as the processing is unlawful to begin with, thus violating [[Article 6 GDPR|Article 6]] and [[Article 5 GDPR|Article 5(1)(a)]]. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 10:57, 20 May 2022
Datatilsynet - 21/03177 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5 GDPR Article 6 GDPR Article 32(1)(b) GDPR The Public Administration Act § 13(1) |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 29.09.2021 |
Decided: | 02.02.2022 |
Published: | 05.05.2022 |
Fine: | 300000 NOK |
Parties: | Lillestrøm municipality |
National Case Number/Name: | 21/03177 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined a municipality €29,880 for publishing a confidential document with a pupil's sensitive personal data, including potential diagnoses such as ADHD, in breach of Articles 32(1)(b), 6, and 5 GDPR.
English Summary
Facts
Lillestrom municipality notified the Norwegian DPA about a personal data breach concerning a document they had published on their website, where they had forgotten to classify the appendices as exempt from public disclosure. The caseworker also failed to notice the error. The document then went through two additional manual quality controls without the error being detected and it was only discovered after a local journalist notified them.
The document contained information and personal data about a pupil, including name, birth date, name and address of their parents and their description of their child, description and assessment of the pupil's behaviour and educational challenges from both the school and other public authorities, as well as a concrete assessment of how much special needs tutoring the pupil needs, the pupil's own description of their well-being at home and at school, their tests and assessments and potential diagnoses like dyslexia or ADHD.
The document was available online for about two days and was accessed by four different IP addresses before the municipality managed to remove it.
Holding
The Norwegian DPA fined the controller €29,880 for lack of sufficient technical and organisational measures under Article 32(1)(b) GDPR and Article 5 GDPR, and for having published personal data on their website without lawful grounds under Article 6 GDPR and Article 5 GDPR.
Comment
The personal data concerned is confidential as per the Norwegian Public Administration Act § 13(1). As per the corresponding regulation § 7, it is unlawful to publish such personal data online. If this still happens, the GDPR will also come into effect, requiring lawful grounds for the processing as per Article 6. However, there would be no available legal ground to rely upon as the processing is unlawful to begin with, thus violating Article 6 and Article 5(1)(a).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Fee to Lillestrøm municipality The Norwegian Data Protection Authority has given Lillestrøm municipality an infringement fee of NOK 300,000 for breach of the Privacy Ordinance's requirements for confidentiality. The municipality published a document in its public postal journal where 10 of 21 attachments contained personal data of special categories, cf. Article 9 no. 1 of the regulation. The municipality forgot to mark the 10 relevant attachments except for the public as they should. This was not detected by the case officer, and the document went through two more manual quality checks in the documentation center without the error being detected. The municipality was made aware that the document with attachments was made available on the municipality's website on 27 September 2021 by a journalist in Romerikes Blad. The Data Inspectorate also received a report of a breach of personal data security from Lillestrøm municipality on 29 September. Violation of confidentiality Investigations showed that four different IP addresses (including Romerikes Blad) had accessed the document. The documents were removed from the mailing list and exempted from public access immediately after the incident was discovered. The affected were then notified. The Data Inspectorate's assessment is that when a document with an appendix about a student is published on the municipality's website, it is clear that a good enough level of security has not been established, or that it does not work as intended. The fact that the incident is not detected by the municipality, but by a third party, also indicates deficient routines in this area. The incident would involve a breach of Article 32 (1) (b) of the Privacy Regulation, which requires the establishment of a level of security that is suitable for ensuring continued confidentiality. Personal information that should have been protected had been made available to unauthorized persons on the internet. This applies to information about, for example, students' names, date of birth, test results, assessments of behavior and challenges and any diagnoses. The Danish Data Protection Agency previously sent a notice of infringement fines of NOK 500,000. It is pointed out in the municipality's response to the notice of fee that they have routines, and that the discrepancy is due to human failure. The Data Inspectorate has noticed this and resulted in the fee being reduced from NOK 500,000 to NOK 300,000. Published: 05.05.2022