Datatilsynet (Norway) - 18/02579: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |Datatilsynet - 2019-31-1424 |- | colspan="2" style="padding: 20px;" |File:Datatilsyne...")
 
 
(19 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{{DPAdecisionBOX
! colspan="2" |Datatilsynet - 2019-31-1424
|-
| colspan="2" style="padding: 20px;" |[[File:DatatilsynetlogoNorwaypng.png|center|250px]]
|-
|Authority:||[[Datatilsynet (Norway)]]
[[Category:Datatilsynet (Norway)]]
|-
|Jurisdiction:||[[:Category:Norway|Norway]]
[[Category:Norway]]
|-
|Relevant Law:||[[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]
[[Category:Article 5(1)(f) GDPR]]


[[Article 5 GDPR#2|Article 5(2) GDPR]]
|Jurisdiction=Norway
[[Category:Article 5(2) GDPR]]
|DPA-BG-Color=
|DPAlogo=LogoNO.png
|DPA_Abbrevation=Datatilsynet (Norway)
|DPA_With_Country=Datatilsynet (Norway)


[[Article 32 GDPR#1d|Article 32(1)(d) GDPR]] [[Category:Article 32(1)(d) GDPR]]
|Case_Number_Name=18/02579
|-
|ECLI=
|Type:||n/a
|-
|Outcome:||Violation found
|-
|Decided:||11.10.2019
|-
|Published:|| 1.12.2019
[[Category:2019]]
|-
|Fine:|| 120.000 EUR
|-
|Parties:|| Skolemelding Vs. n/a
|-
|National Case Number:||18/34319-1
|-
|European Case Law Identifier:||n/a
|-
|Appeal:||n/a
|-
|Original Language:||Norwegian
[[Category:Norwegian]]
|-
|Original Source:||[ https://www.datatilsynet.no/contentassets/ae65e212c134455c93f36a10c5a8c792/vedtak-oslo-kommune-oktober2019.pdf(in NO)]
|}


The Datatilsynet found that a pension company restricted data subject’s right of access under Article 15 GDPR.  
|Original_Source_Name_1=Datatilsynet
==English Summary==
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/ae65e212c134455c93f36a10c5a8c792/vedtak-oslo-kommune-oktober2019.pdf
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Name_2=press release source
|Original_Source_Link_2=https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2019/gebyr-til-oslo-kommune-utdanningsetaten/
|Original_Source_Language_2=Norwegian
|Original_Source_Language__Code_2=NO


===Facts===
|Type=
A citizen complained that his pension company refused to give him access to his medical consultant’s assessment. Thus, the complainant filed a complaint with the Datatilsynet. Before the Datatilsynet, the pension company claimed that  such documents are considered internal and they are not shared with the clients, according to its privacy policy.
|Outcome=Violation Found
|Date_Started=
|Date_Decided=11.10.2019
|Date_Published=01.12.2019
|Year=2019
|Fine=1,200,000
|Currency=NOK


===Dispute===
|GDPR_Article_1=Article 5(1)(f) GDPR
Could a data controller limit the access right to personal data because these personal data are include in a internal document?
|GDPR_Article_Link_1=Article 5 GDPR#1f
|GDPR_Article_2=Article 5(2) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#2
|GDPR_Article_3=Article 32(1)(b) GDPR
|GDPR_Article_Link_3=Article 32 GDPR#1b
|GDPR_Article_4=Article 32(1)(d) GDPR
|GDPR_Article_Link_4=Article 32 GDPR#1d


===Holding===
The Datatilsynet found that the company could not restrict the right of access to certain categories of personal data. Thus, it violated Article 15 GDPR. The Datatilsynet issued an injunction and ordered the company, as foreseen under 58(2)(c) GDPR, to carry out a concrete assessment on whether data subjects shall access personal data included in the medical consultants’ assessments. 


==Comment==
''Share your comments here!''


==Further Resources==
|Party_Name_1=Education Agency for Oslo municipality
''Share blogs or news articles here!''
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=


==English Machine Translation of the Decision==
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=


The decision below is a machine translation of the original. Please refer to the Danish original for more details.
|Initial_Contributor=
|
}}


<pre>
A fine of NOK 1,200,000 (approximately €120,000), reduced from NOK 2,000,000, was imposed against the Education Agency of the Municipality of Oslo due to breach of personal data security in the mobile application “Skolemelding”. The fine was issued due to the application's lack of security and subsequent violations of [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#1d|Article 32(1)(d) GDPR]] and of the principle of accountability as foreseen in [[Article 5 GDPR#2|Article 5(2) GDPR]] read in conjunction with [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].


Insight into medical consultant reviews
==English Summary==
Published 18-11-2019
Decision Private companies The Danish


Data Protection Agency has decided on a case in which a citizen complained that his pension company refused to give him insight into a medical consultant assessment that was prepared in connection with his case. In the case, the Danish Data Protection Agency found it necessary to issue serious criticism and to issue an injunction to the pension company.
===Facts===
The case concerned vulnerabilities in the  mobile app “Skolemelding”. In the application, pupils and guardians can communicate with teachers and administration at the school. There was a security issue with the application, where unauthorized users could access the application as authorized users and thus gaining access to the personal data of students. More than 63 000 pupils        were included in the data breach. In the application it was also possible to register special categories of data concerning the pupil in a “free-text” format, for example when sending the school information about why the pupil was too sick to attend school.  


Journal number: 2019-31-1424Agency
===Holding===
Summary The Danish
The fine was issued on the basis of a lack of security surrounding the log-in function, a breach of Article 32(1)(b). In addition, the application was launched without proper security testing, and included security flaws well known to the security community, a breach of Article 32(1)(d). Finally, launching the application with an unacceptable vulnerability, which the municipality did not conduct proper steps to close, and a lack of control with the supplier (CGI) regarding the results of the security testing, was a breach of the principle of accountability following Article 5(2) in conjunction with Article 5(1)(f). 


Data Protectionhas decided in a case in which a citizen complained that his pension company, the Jurists and Economists' Pension Fund (JØP), refused to give him access to a medical consultant's assessment.
The issued fine was NOK 1,200,000 (approximately €120,000), which was lower than the initially suggested fine of NOK 2,000,000 (approximately €200,000). The fine was lowered in part due to the quick action by the municipality to address the flaws and secure the personal data, and in part due to cooperation with the DPA, showing a will to fix the security flaws.


In the case in question, JØP had refused to provide insights into the medical consultant's assessment in question, i.a. because it is a firm business practice for the company to obtain assessments from medical consultants to use the company's internal handling of the cases, and it is a common practice that these assessments are not shared with the clients as these are internal documents.
The municipality did not contest the evaluation by the DPA regarding the scope of the security breach.


In its decision, the Data Inspectorate laid down, inter alia, emphasis is that, as a general rule, insight should be given to personal data and that a concrete assessment must always be made as to whether insight can be refused according to the exception rules. Therefore, JØP could not - as was the case in this case - generally cut off certain types of information from the right of access.
==Comment==
''Share your comments here!''


In the opinion of the Danish Data Protection Agency, JØP had not acted in accordance with Article 15 of the Data Protection Regulation on the right of access, which caused the Authority to give serious criticism.
==Further Resources==
''Share blogs or news articles here!''


Against this background, the Danish Data Protection Agency issued an injunction to make a concrete assessment of whether complaints can be given insight into personal data on complaints contained in the medical consultant assessment.
==English Machine Translation of the Decision==
Decision The Danish


Data Protection Agency hereby returns to the case where on February 4, 2019, the Complaints complained to the Supervisor of a reply from the Jurisprudence and Economists' Pension Fund (hereafter JØP) of his request for insight under the Data Protection Regulation.
The decision below is a machine translation of the original. Please refer to the Norwegian original for more details.


The Data Inspectorate has understood the complainant's request as a complaint about JØP's refusal of access to documents prepared by JØP's medical consultant and correspondence between JØP and the medical consultant, which was entered into the case regarding the grant of disability pension to the complainant.
<pre>
 
Press release:
The matter was discussed at a meeting of the Data Council.
1. Mandatory
Fee to Oslo Municipality Education Agency
 
It is DPA's opinion that JØP has not acted in accordance with the Data Protection Regulation [1] Article 15
 
Data Protection Agency is therefore reason to express severe criticism that JØP have not dealt with the complainant's request for access in accordance with Article 15
 
Data Protection must then give JØP orders to make a concrete assessment of whether complainants can be given insight into personal data on complaints contained in the medical consultant assessment. The order is issued pursuant to Article 58 (2) of the Data Protection Regulation. 2, point c.
 
The deadline for complying with the order is 18 December 2019. Data Protection Agency must request the same date to receive a confirmation that the order is complied with, and a copy of JØP's reassessment of the question of insight and answers for complaints.
 
According to section 41 (1) of the Data Protection Act [2]. Paragraph 2 (5) shall be punishable by a fine or imprisonment for up to 6 months to a person who fails to comply with an order issued by the Data Inspectorate pursuant to Article 58 (2) of the Data Protection Regulation. 2.
2. Presentation
 
of the case It appears from the case that complaints in connection with an objection request did not receive a number of documents and internal correspondence between JØP and a medical consultant.
 
JØP has refused to give complaints to the medical consultant's opinion.
2.1. JØP's comments
 
JØP has generally stated that by letter of 6 December 2018, JØP has met the complainant's request for insight, however, so that a medical consultant's assessment was excluded from insight. This medical consultant assessment is part of JØP's decision basis for awarding disability pension complaints in accordance with his application.
 
The medical examiner's assessment was made on the basis of material that complainants are fully aware of, including specialist medical statements and supplementary health information, which complaints have been submitted to JØP.
 
JØP has stated that complaints have gained insight into all the personal data processed by the insurance company about him, however, the medical consultant assessment has been denied.
 
JØP has stated that it is a firm business practice at JØP - as is generally the case in the insurance and pension industry - that assessments are obtained from medical consultants for the purpose of JØP's internal handling of the cases. In this case, the medical consultant's task is to assess medical issues for use in JØP's decision on the case.
 
It is a common practice throughout the industry that the medical consultants' internal assessment and medical advice to the injury practitioners are not shared with the clients to whom the assessments relate. In order to ensure adequate and professional injury treatment, it is essential that the injury practitioners can obtain medical advice in confidence.
 
The need for confidentiality is partly due to the fact that medical assessments by nature contain uncertainties and arguments for and against a result. The internal assessment of the medical consultant must thus be comparable to an internal legal memorandum. On that basis, the medical consultant assessment is considered to be covered by the right to exempt internal assessments in accordance with section 22 (2) of the Data Protection Act. 1.
 
Confidentiality also ensures that, in the interaction between the claims officer and the medical consultant, all relevant questions are asked so that the whole case is covered. Confidentiality is thus in effect also for the sake of complaints themselves.
 
Furthermore, in the opinion of the JØP, the medical consultant's assessment can be exempted from the right of access for reasons of JØP's private interests, including the consideration of JØP's business basis and business practices and the possibility of defending his interests in any dispute cases.
 
JØP has finally stated that these are business secrets that can be exempted from the right of access under Article 15 (1) of the Data Protection Regulation. 4. 
2.2. Complainant's comments
 
Complainant has generally stated that complainants do not recognize that there should be business secrets or a violation of the freedoms of others.


Furthermore, the complainant states that JØP's refusal of access to the information in question means that the complainant cannot verify the accuracy of the personal data that has been processed.
In April 2019, the Data Inspectorate sent a notification to the Oslo Municipality Education Agency about a violation fee for breach of personal data security in the mobile application School Notification. In October, a final fee of NOK 1.2 million was adopted.


Furthermore, complainants have stated that the opinion of the medical consultant is seen to have legal effect, as JØP has stated complaints that the medical consultant has assessed that complaints cannot be awarded permanent permanent pension at this time.  
The fee is given because the municipality had not taken appropriate measures to achieve a level of security appropriate to the risk. The assessment emphasized, among other things:
2.3. Forsikring & Pension's comments


Forsikring & Pension has, as an industry organization, at the request of JØP submitted a statement to use the case. Forsikring & Pension finds that this is a fundamental problem for the insurance and pension industry.
    One of the uses of the app is for parents to send messages about their children or announce absence when using free text fields. It facilitates the communication of sensitive personal information, such as health information, about the children. There are no technical measures to prevent this from happening, nor does the app inform you not to communicate such information. Had built-in privacy been taken into consideration, it would not have been a free-text field, but for example a drop-down list or check boxes.
    Lack of security around logging in to the app has allowed unauthorized persons access to view and change personal information of more than 63,000 children in primary school in Oslo.
    Inadequate security testing prior to the launch of the app led to it being launched with vulnerabilities well known in security environments worldwide.


Forsikring & Pension has confirmed that medical consultants' assessments are, as a rule, not shared with clients / injured parties. The assessments are intended to contribute to the company's decision-making basis, but are not in themselves conclusive.
The municipality has not been conscious of its responsibility and has launched a school messaging app with an unacceptable vulnerability without taking appropriate measures to close the vulnerabilities. They have also had insufficient control with the supplier when it comes to safety test results.


Forsikring & Pension has stated that if it is not possible to secure a room for internal assessment, there is a risk that either statements will not be obtained or that the statements will be incomplete, because doctors are aware that later insight can be given. This could damage the policyholder's case.
Read the entire case published in connection with the notice
Lower fee than notified


Finally, Forsikring & Pension argues that a further argument that these statements can be exempted under section 22 (2) of the Data Protection Act. 1, is the consideration of the policyholder himself. Medical assessments may include some uncertainties and considerations that may cause misunderstanding and unnecessary concern on the part of the policyholder.
However, the Data Inspectorate has found that the notified fee of 2 million has to be slightly lowered. In our assessment, we have emphasized that the City of Oslo has taken measures to limit the damage as soon as the municipality became aware of the breach. The municipality has shown a willingness to organize the event.
3. Legal basis
3.1. The concept of personal data


The term personal data is defined in Article 4 (1) of the Data Protection Regulation as any form of information about an identified or identifiable natural person ('the data subject'). An identifiable natural person means a natural person who, on the basis of the information, can be identified directly or indirectly.
3.2. The right of access for data protection Article 15


According to the data protection of Article 15 that the data subject has the right to have the controller's confirmation of whether personal data concerning him processed and, where appropriate, access to personal information and the following information:
---------------------------------------------------------------


    purposes of the processing
    concerned categories of personal data means
    the recipients or categories of recipients to whom the personal data is or will be disclosed, in particular recipients in third countries or international organizations, where possible, the intended period for which the personal data will be stored or, if this is not possible, the criteria used for determining that period the
    right to request the data controller to correct or delete personal data or to limit the processing of personal data concerning the data subject or to object to such processing theobject
    right toprovide a complaint to a supervisory authority with
    all available information on where the personal data originates if it is not collected from the registered
    occurrence of automatic decisions, including profiling, as referred to in Article 22 (2). 1 and 4, and at least meaningful information about the logic therein, as well as the significance and expected consequences of such processing for the data subject.


The Data Protection Regulation's preamble recital No 63 states, inter alia, the following:
Decision on infringement fine


“A data subject should have the right to access personal data collected about him and to exercise that right easily and at reasonable intervals in order to ascertain and verify the legality of a processing. This includes the right of data subjects to access their health information, e.g. data in their medical records on diagnoses, examination results, medical assessments as well as any treatment and any intervention made. […] This right should not infringe on the rights or freedoms of others, including trade secrets or intellectual property, in particular the copyright of the programs. […] ”However, the
Date10/11/2019


right of access is limited by Article 15 (2) of the Regulation. 4, according to which the right to receive a copy of the personal data processed must not infringe on the rights and freedoms of others.
We refer to a report of a breach of personal data security (deviation report) from Oslo municipality sent 7 September 2018, notification of decision of 29 April 2019 and Oslo municipality response of 21 June 2019.


Furthermore, section 22 of the Data Protection Act contains restrictions on the right of access. The right to access is limited, among other things. pursuant to section 22 (2) of the Act. 1, according to which the right of access does not apply if the data subject's interest in the information is found to depart from the imperative of private interests, including the interests of the data subject himself.
Based on the information in the case, the Data Inspectorate believes that Oslo Municipality has violated the rulespersonal data security in the Privacy Regulation (European Parliament and Council Regulation)(EU) 2016/679 of 27 April 2016).
3.3. Case law of the European Court


In Joined Cases C-141/12 and C-372/12 YS and M and S v Minister for Immigration, Integration and Asylum (hereinafter the Immigration case), stated that a legal analysis prepared in an internal administrative document with a case manager's reason for draft decision in connection with an asylum applicant's application for a residence permit is not a personal information about the asylum seeker. The judgment states, inter alia, the following:
Pursuant to the Privacy Ordinance, Article 58, No. 2, letter i, cf.the Personal Data Act § 26, cf. the Privacy Ordinance art. 83, the Danish Data Protection Agency understands the followingdecision on infringement fine:


”40. As the Advocate General essentially states in paragraph 59 of the Opinion, and as the Netherlands, Czech and French Governments state, such a legal analysis does not constitute information on the applicant for a residence permit, but rather in so far as: it is not limited to a purely abstract interpretation of the legal rules, information on the assessment of the competent authority and the application of those legal rules in relation to the applicant's situation. is determined on the basis of the personal data of the applicant's person at the disposal of the authority. […]
Oslo Municipality is imposed, pursuant to the Personal Data Act § 26 second paragraph, cf.Article 83 of the Privacy Ordinance, to pay an infringement fee of NOK 1,200,000 -one million two hundred thousand Norwegian kroner - to the Treasury for breaches of dutieswhich complies with the Privacy Regulation.


44. As regards the rights of the data subject within the meaning of Directive 95/46, it should be noted that the protection of the fundamental right to respect for privacy inter alia: implies that the data subject must be able to ensure that the personal data of the person concerned is correct and legally processed. […]
The fee is imposed as a result of Oslo Municipality not having carried out suitable technical andorganizational measures to achieve a level of safety appropriate to the risk,and ensuring lasting confidentiality and integrity, cf. the Privacy OrdinanceArticle 5 No. 1 letter f, and the Privacy Regulation 32 No. 1. letter book d


45. Contrary to the information relating to an applicant for a residence permit contained in a statement and which may constitute the factual basis for the legal analysis of the statement, such analysis - as the Netherlands and French Governments have stated - is thus not in itself subject to the applicant's verification of its correctness and to an amendment under Article 12 (b) of Directive 95/46.
The background and reasons for the decision follow below.


46. ​​In those circumstances, extending the right of access for an applicant for a residence permit to the legal analysis does not really serve the purpose of the directive to safeguard that applicant's right to privacy when processing information about the applicant, but the purpose to secure the right to access administrative documents in question, which, however, is not covered by Directive 95/46.


47. In a similar context, as regards the processing of personal data by the Union institutions, governed by Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data personal data in the Community institutions and bodies and on the free exchange of such information (OJ 2001 L 8, p. 1) and, secondly, Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 on public access to European Parliament , Council and Commission documents (OJ 1998 L 145, p. 43), the Court has already stated in paragraph 49 of Commission v Bavarian Lager (C-28/08 P, EU: C: 2010: 378) that these regulations differ and Regulation No 45/2001, unlike Regulation No 1049/2001, does not aim to ensure transparency in the decision-making process of public authorities and to promote good administrative practice by facilitating the exercise of the right of access. That finding also applies to Directive 95/46, the purpose of which essentially corresponds to the purpose of Regulation No 45/2001.
1. The case
1.1. Description of the case
The case concerns vulnerabilities in the mobile application Skolemelding. This is an application that can be downloaded to the mobile phone, and which is developed for use in the Oslo School. In the applicationcan parents and pupils communicate with the staff in the school. The communication is in writing, and can be compared to SMS or email.  


48. It follows from all the foregoing considerations that the first and second questions in Case C-141/12 and the fifth question in Case C-372/12 must be answered by the fact that Article 2 (a) of Directive 95 / 46 is to be interpreted as meaning that the particulars relating to an applicant for a residence permit contained in a statement and, where applicable, the information contained in the legal analysis of the statement constitute 'personal data' within the meaning of this provision, the legal analysis, on the other hand, cannot in itself be classified in the same way.
It has been possible for unauthorized persons to log in as authorized users and thus few access to personal information about students. More than 63,000 primary school students 1 in the Oslo schools arecovered.In addition, it is possible to register special categories of personal information in the free text field, forexample of children's health. This may have entailed a risk that unauthorized persons have been able to seeinformation of an intrusive nature.


In Case C-434/16 Peter Nowak v Data Protection Commissioner (hereinafter the Nowak case), the European Court of Justice has further stated that a written reply, as a participant has provided in connection with a professional test, and any examiners' corrections and comments on this answer are considered to be personal information. The judgment states, inter alia, the following:
1.2. ProceedingsThe Norwegian Data Protection Authority became aware of the case after Aftenposten had one on Thursday 6 September 2018news article about serious security holes in the application.Oslo Municipality sent notification of breach of personal data security (non-conformance report)to the Danish Data Protection Agency on 7 September 2018.The Data Inspectorate also received an inquiry from a private individual in connection with the case. The Data Inspectoratethen sent a request for a statement to Oslo Municipality on 4 October 2018, and we receivedreply from Oslo municipality sent on 26 October. We have also had a dialogue with the municipality by telephone.We asked for more information in an e-mail sent on 23 November, and received a reply from the municipality 26.November.In a letter dated 29 April 2019, the Norwegian Data Protection Authority announced a decision on three orders to implement measureswhich was considered necessary to close the relevant deviations from requirements in the privacy regulations.We also announced that we would consider making a decision on infringement fines as a result of the breachon the duties of the data controller in accordance with the privacy regulations.Oslo Municipality responded to the notification in a timely manner in a letter dated 21 June 2019.The response from the City of Oslo explains in more detail the system Skolemelding, as well as CGisobligations (the municipality's supplier) and the course of events before and after the security incident.The Norwegian Data Protection Authority bases this report as part of the actual circumstances of the case.The Norwegian Data Protection Authority has assessed Oslo Municipality's proposals for measures in connection with the case, and finds thatthe discrepancies are now closed. The notified decisions on orders are therefore considered to have lapsed.In the following, the Norwegian Data Protection Authority will only consider decisions on infringement fines.


”34. The use of the term 'any type of information' in the definition of the term 'personal data' in Article 2 (a) of Directive 95/46 reflects that the EU legislature intended to give this concept a broad meaning, since it is not limited to sensitive or private information, but potentially includes any form of information, both objective and subjective in the form of expressions of opinion or judgment, provided that the information is "about" the person concerned.
1.3. More about the system and functionality in SkolemeldingSchool notification is a notification application for Oslo School's parents, students and employees. INthe application can parents and students send a message to the contact teacher / subject teacher or othersemployees at the school. They can also respond to messages sent from the school. The application also providesteachers the opportunity to communicate with each other.1 Source: https://www.oslo.kommune.no/politikk-og-administrasjon/etater-foretak-og-ombud / utdanningsetaten / arsberetning-2017 /? del = 3 # gref2


35. As regards the latter condition, it is fulfilled if, because of its content, purpose or effect, the information is linked to a particular person. […]


42. Regarding the examiner's corrections and comments on the participant's answer, it should be noted that these, like the answer given by the participant in the examination, constitute information about this participant.
On the Oslo municipality's website (https://aktuelt.osloskolen.no/larerik-bruk-av-laringsteknolocd / digital-skolehverdag / skolemelding /) states that parents can report absence inthe application and in the Portal. The portal is a school platform for the Oslo school and the individual schooleach has its own portal. The message is sent automatically to the child's contact teacher.It further states: «Do not use the app or other communication channels in Skoleplattform Osloto to send sensitive personal information, such as your child's health information. It suffices to say thatthe child does not come to school today. ». In the School Notice, absence is reported by clicking on «Newmessage »and the« Report absence »button. There is a free text field here to write what the absence isapplies. There is nothing in the application itself that you should not enter sensitivepersonal information.To authenticate users, Skolemelding uses the ID port for parents and FEIDE foremployees. These are well-established standard components for authentication and the discrepancy in the case appliesnot these two services.The discrepancy affects how these components are integrated with the School Notice for handlinglogin.


43. The content of these corrections and comments thus reflects the examiner's opinion or assessment of the participant's individual performance in the exam, and in particular of his knowledge and competence in the field concerned. Moreover, the corrections and comments are intended precisely to document the examiner's evaluation of the participant's performance and may thus have an effect on the latter as stated in paragraph 39 of this judgment. […]
1.4. Oslo Municipality's description of the discrepancies

In the report on breaches of personal data security we received from Oslo Municipality on 7 September 2018, the incident is described as follows:

«Authorized users of the school messaging apps who have the knowledge to decrypt apps and have the right type of software have been able to acquire access to other users' personal information of the type name, e-mail address and which children a parent has, as well as messages sent to and from school. By combining birth number, client secret and system password, it was possible to access the personal information mentioned above. This, in combination with a lack of security when using a specific API, made it possible for logged-in users to access other people's messages.»

The discrepancy was described in more detail in a letter from Oslo Municipality dated 26 October 2018:

«After further investigations, CGI now confirms that it was possible to decrypt the code for the school messaging apps and acquire knowledge about weaknesses in the authentication process, and through it gain access to other users' data by bypassing login via FEIDE or ID-porten without being an authorized user of the solution. At the same time, they emphasize that this presupposes that one must have a lot of competence and knowledge about both authentication and Skolemelding to do this without first being logged in. As is known, the deviation was also first uncovered by someone who had access to the solution. By taking advantage of the weakness, one could thus, knowing only an employee's or student's username or a parent's social security number, gain access to their personal information of the type name, e-mail address and which children a parent has. Furthermore, one could then also retrieve one message at a time regardless of user.


46. Contrary to what the data protection supervisor and Ireland submit, the qualification of the answer given by the participant in the course of a professional test, and any examiner's corrections and comments on that answer, as personal data shall not be affected by the fact that this qualification, in principle, entitles the participant to insight and rectification under Article 12 (a) and (b) of Directive 95/46."
Justification of the Danish Data Protection Agency's decision on access to medical consultant assessments


According to the case information, there is no agreement between the parties as to whether the complainant - aside from the medical consultancy assessments - has been given access.
CGI therefore believes that the analyses in the blog are mainly correct. CGI has also itself revealed the weaknesses described in the blog in the further security testing of the application, where all errors that may cause security deviations have been corrected. We have also carried out our own security tests of the solution afterwards and have verified that the discrepancies have been rectified.»

The Data Inspectorate sent several requests for statements related to, among other things, how testing of the solution had been carried out, whether risk assessments had been carried out, and whether a Data Protection Impact Assessment (DPIA) had been carried out.

In its responses, the City of Oslo has described that the supplier (CGI) carried out security testing in the period 16 - 24 August 2018. The supplier identified some vulnerabilities and proposed measures to reduce these in their security report. It further emerged that the supplier had not informed the municipality about the results of the security test, but chose to wait with the measures until the next scheduled release. The municipality stated that this was the reason why they could close the deviation quickly and issue an update of the application. They further stated that if they had known about the vulnerabilities earlier, they would have closed the solution until these were rectified.

When asked by the Norwegian Data Protection Authority whether a DPIA and risk assessment had been carried out for the solution, the municipality replied that no formal DPIA was carried out, but that a risk assessment was. One of nine identified vulnerabilities / threats was considered unacceptable. The vulnerability was that sensitive data is registered in the solution. Some measures were proposed to deal with the vulnerability. One was to provide information on the schools' and the municipality's websites that sensitive information must not be written in the free text field, which has been completed. The second was to enter information in the application in the next update, which was scheduled for 13 December 2018. A final measure was to create templates for registration of different types of absence. This measure is planned as part of the further development of the solution in 2019. The education agency would also assess the need for free text fields to report absence.

The Norwegian Data Protection Authority has not requested or been sent a risk assessment beyond what is described above. We have also not requested or received a report from the security testing.


The Data Inspectorate finds no basis for disputing JØP's statement that JØP does not process more information about the complainant than the personal data already disclosed and the personal data contained in the medical consultant assessment in this case.
1.5. The vulnerabilities in the system

In our notification of decisions, the vulnerabilities in the system were described as follows:

As we understand it, the vulnerabilities cannot be exploited during normal use of the application Skolemelding, but by using a tool such as a web proxy to be able to see and manipulate the traffic of data communicated through the system. Such tools are easily available for download from the internet. It requires a certain technical competence to be able to use them, but there is also readily available information on the internet on how to use them.
1.5.1. Authentication issues
When a user of the parent application is to log in, the user is taken as expected through the login process in ID-porten. It is after this that problems arose. There was an error in the logic of the authentication server (called the rnid port) used by the system. The login solution only issued the birth number (which is the parent's user ID) as an access token[2] after login. It was therefore possible here to create your own access token without going through the login solution, as long as a birth number registered as a guardian was used.

Birth numbers are structured in a well-defined way and are limited to 11 million. This makes it easy for an attacker to generate all possible birth numbers and then try them out against the solution. The range of birth numbers one needs to test can also be reduced based on, for example, year of birth, when you know that you are going to try out a birth number that may belong to parents of children in primary school. Based on a further weakness in the system, it is not necessary to have more than one valid user to access other people's messages.


In this connection, the Data Inspectorate notes that the audit only deals with cases on a written basis and that the audit therefore does not have the opportunity to conduct an actual investigation of the case. The final assessment of such evidentiary issues may be made by the courts, which, unlike the Data Inspectorate, have the opportunity to elucidate the situation in detail, including by hearing witnesses.
1.5.2. Lack of separation between users means that you can access others' messages

When a user is authenticated, they can read messages stored on the server. This is done in the background of the application by specifying, among other things, an ID for the desired message. The ID is a sequentially generated integer that acts as a unique identifier for notifications. The system lacks a verification of who a message (ID) belongs to when it is retrieved. This allows an authenticated user to retrieve any message in the system by specifying a valid message ID, regardless of who it belongs to. Guessing valid IDs will not be difficult since, as mentioned, they consist of sequential integers.

1.5.3. Possibility to harvest information and link person to messages

It is also possible to retrieve information about the user you are logged in as and the students associated with this user. This includes full name, username, email, birth number and telephone number. This is done by running a call to the server, which returns LDAP[3] data. This means that even if someone initially tests with a random birth number, they will also be able to link the birth number to the person and family in an easy way.
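The token weakness in 1.5.1 and the missing ownership check in 1.5.2, each beside the corresponding hardened pattern, as an added Python example that is not code from the decision or from the Skolemelding application; the user ids, message ids and the HMAC-signed token format are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, not from the decision: two guardians and the
# sequential message ids the decision describes.
KNOWN_USERS = {"parent-A", "parent-B"}


@dataclass
class Message:
    msg_id: int
    owner: str   # guardian the message belongs to
    body: str


MESSAGES = {
    101: Message(101, "parent-A", "Ola is home sick today"),
    102: Message(102, "parent-B", "Kari will be late on Monday"),
}


# ---- The weak pattern the decision describes (1.5.1 and 1.5.2) ----

def weak_issue_token(user_id: str) -> str:
    # The "token" is just the guardian's own identifier, so anyone who
    # knows a valid identifier can produce one without ever logging in.
    return user_id


def weak_get_message(token: str, msg_id: int) -> Optional[Message]:
    # Accepts the identifier as proof of login and never checks that the
    # requested message belongs to that user (no separation between users).
    if token not in KNOWN_USERS:
        return None
    return MESSAGES.get(msg_id)


# ---- Hardened pattern ----

# Server-side secret; constructed here, would live in the token service.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token_after_idp_login(user_id: str, ttl_seconds: int = 3600) -> str:
    # Assumed to be called only from the identity-provider callback, after
    # the IdP (ID-porten / FEIDE in the decision) has asserted the identity.
    # The client cannot mint this itself: producing the MAC needs SERVER_KEY.
    payload = {
        "sub": user_id,
        "exp": int(time.time()) + ttl_seconds,
        "nonce": secrets.token_hex(8),
    }
    raw = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode() + "." + _sign(raw)


def verify_token(token: str) -> Optional[str]:
    """Return the authenticated subject, or None if the token is not valid."""
    try:
        b64, sig = token.split(".", 1)
        raw = base64.urlsafe_b64decode(b64)
        if not hmac.compare_digest(_sign(raw), sig):
            return None
        payload = json.loads(raw)
        if payload["exp"] < int(time.time()):
            return None
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def hardened_get_message(token: str, msg_id: int) -> Optional[Message]:
    subject = verify_token(token)
    if subject is None:
        return None  # not authenticated
    msg = MESSAGES.get(msg_id)
    # Ownership check: a missing message and someone else's message get the
    # same answer, so a guessed sequential id reveals nothing.
    if msg is None or msg.owner != subject:
        return None
    return msg
```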
4.1. Is it personal data?


The question of whether insight should be given to the medical consultant assessment depends initially on whether the assessment can be considered to be personal data.
2. Oslo Municipality's feedback

In a letter dated 21 June 2019, the City of Oslo has not disputed the Data Inspectorate's presentation of the actual circumstances arising from our notice of decision of 29 April 2019. In the following, we assume that our presentation of the nature and extent of the deviation gives a correct description.


Personal information is defined as any kind of information about an identified or identifiable natural person. Thus, there is no doubt that information about pensioners, which appears in the underlying material, including specialist medical statements, patient records, etc., must be considered personal data.
[2] An access token contains security information for a login session and identifies, among other things, the user and its rights.
[3] Lightweight Directory Access Protocol is a protocol used to look up a directory service on a server.


The question then is whether the medical assessment carried out by a medical consultant on the basis of this material can also be considered as personal data.


In the opinion of the Data Inspectorate, a medical assessment differs from a legal analysis - as referred to in the Immigration case - in several respects. First, the medical assessment differs from the legal analysis in that in the present case, the medical assessment will be based on personal data. A legal analysis, on the other hand, will not in the same way depend on personal data about a specific person, but will instead be based on a set of rules, processes, case law, etc. with a view to subsuming the facts of the case in relation to the given legal basis.
In its response, the municipality has described how the deviations have been closed, and what measures have been taken to prevent similar deviations from happening again. We assume that these measures are satisfactory, and consider the discrepancies to be closed.

The City of Oslo has raised objections to the size of the notified infringement charge. These are discussed below in our assessment of the infringement fee to be imposed.


Furthermore, a medical assessment is in itself seen as being able to lead to new personal data. The actual assessment of the medical material involves a new assessment of the person's health conditions and thus specific statements about the person's health conditions, which in itself must be considered personal data. In this context, reference is made to the Article 29 Working Party's opinion on personal data [3], which refers to information about a person when the information relates to the person, and it is clear that the results of a medical analysis are considered personal data.
3. Legal basis for the assessment
3.1. About the Privacy Ordinance

The Privacy Ordinance regulates all aspects of the processing of personal data. Article 5 of the Privacy Regulation deals with what must be said to be the core of privacy law, and the article is absolutely central to the interpretation of the rest of the regulation's provisions. Violation of the principles in Art. 5 may in itself lead to the imposition of sanctions.

As stated in the provision, Art. 5 no. 1 letter f concerns personal data security and the principle of a duty to ensure the necessary integrity and confidentiality. The principle in Art. 5 no. 1 letter f on integrity and confidentiality is described in more detail and supplemented by more specific provisions in the Privacy Ordinance, Chapter IV, see e.g. Article 32 on personal data security.

Art. 5 no. 2 enshrines the principle of accountability, which states that it is the controller who is responsible for complying with the privacy principles in Art. 5 no. 1.


The opinion of the Article 29 Working Party also states that information will be personal data when there is a "purpose element", i.e. when the information is used or can be expected to be used for the purpose of assessing a person, treating that person in a particular way, or influencing that person's status or behavior. In line with this, the opinion of the European Court of Justice in the Nowak case shows that an examiner's corrections and comments constitute personal information about the person who wrote the answer. The content of the corrections and comments reflects the examiner's opinion or judgment of the person's performance. The corrections and comments are intended to document the examiner's evaluation of the participant's performance.
3.2. In particular on the imposition of infringement fines - Article 58 (2), letter i

The Privacy Regulation leaves it to the Member States to determine whether infringement fines can be imposed on public authorities and bodies, cf. Article 83 (7). In the Personal Data Act (2018) § 26 second paragraph, it is determined that the Data Inspectorate may impose infringement fines on public authorities and bodies in accordance with the rules in the Privacy Ordinance Article 83, cf. Article 83 No. 7.

Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains i.a. an overview of which factors should be taken into account when considering both whether an infringement fee is to be imposed and which factors are to be assessed in connection with the measurement of the size of the fee. The article also indicates the magnitude of the fees, and it appears from Art. 83 no. 4 and no. 5 that the maximum rates depend on which provisions in the Privacy Regulation have been violated.

The provision basically provides that the imposition of an infringement fee is due to an overall judgment, but it provides guidelines for the exercise of discretion by highlighting aspects that should have special emphasis. The first paragraph of the article states that the infringement fine in each individual case must be effective, proportionate to the violation and act as a deterrent.


Overall, the Data Protection Agency considers that the contents of a medical consultant assessment must be considered to be personal data to the extent that they contain information relating to an identified or identifiable natural person, cf. Article 4(1).
We also refer to the Privacy Council's guidelines regarding the application and determination of infringement fines in accordance with Regulation (EU) 2016/679 (WP 253), where the Privacy Council explains the general criteria in Art. 83 no. 1 and the points in Art. 83 no. 2.[4]


The fact that the qualification of the content of a medical consultant assessment as a personal data means that such an opinion will be covered by the Data Protection Regulation and the rights that follow, - as stated in para. 46 in the Nowak case - does not in itself affect the qualification.
4. The Data Inspectorate's assessments and reasons for decisions
4.2. Is the information subject to the right of access?


The Data Protection Authority is of the opinion that it follows from the Data Protection Regulation that, as a general rule, access to personal data must be provided and that a concrete assessment must always be made as to whether access can be refused according to the exception rules. Thus, as is seen in the present case, JØP cannot generally cut off certain types of information from the right of access.
4.1. Assessment of whether an offense has taken place

The processing of a report of a breach of personal data security revealed the following circumstances constituting a breach of Article 32 (1) of the Privacy Regulation:

1. Lack of security around logging in to the application, which made it possible to access, view and change the personal information of more than 63,000 children, is contrary to Article 32 (1) (b) of the Privacy Regulation. In addition, it will include information about parents and teachers.
2. Inadequate security testing before launching the application, and that it was launched with security holes that are well known in security environments around the world, are in conflict with Article 32 (1) (d) of the Privacy Regulation.
3. Launch of a school notification application with an unacceptable vulnerability that Oslo municipality had not implemented appropriate measures to close, and inadequate control of the supplier, CGI, regarding the results of the security test, is a violation of the accountability principle in Article 5 (2) of the Privacy Regulation, cf. Article 5 (1) letter f).

The City of Oslo has not disputed the Data Inspectorate's assessments of whether and to what extent there have been deviations from the Privacy Ordinance's requirements for the processing of personal data.


When the content of medical consultancy assessments is classified as personal data, the complainant is in principle entitled to access the personal data in the opinions under Article 15 of the Data Protection Regulation. The Data Inspectorate furthermore states that it follows from preamble recital 63 that the right of access includes the right to access health information, e.g. medical assessments.


4.2. The Data Inspectorate's assessment of the conditions for imposing an infringement fee
4.2.1. General information about the assessment

The right to impose infringement fines is provided as a means of ensuring effective compliance with and enforcement of the Personal Data Act. An infringement fee may be charged for deviations that have taken place, also for cases where the deviations are closed at the time of the decision on the infringement charge.

Under international law, an infringement fine is not to be regarded as a penalty, but as an administrative sanction. However, it must be assumed that the infringement fine is to be regarded as a penalty under the ECHR (European Convention on Human Rights) Article 6, and in accordance with the case law of the Supreme Court, cf. Rt. 2012 page 1556 with further references. The Data Inspectorate therefore assumes that a clear likelihood of an offense is required in order to impose a fee. The case and the question of imposing infringement fines are assessed on the basis of this evidentiary requirement.

[4] Originally prepared by the Article 29 Working Party, but adopted by the Privacy Council, see the Privacy Council's "Endorsement 1/2018", section 16. The documents are available at https://edpb.europa.eu
4.2.1. Exemption under Article 15(4) of the Data Protection Regulation


The right to access is limited, among other things, by Article 15(4) of the Data Protection Regulation, according to which the right of access must not infringe the rights or freedoms of others. The rights or freedoms of others may include business secrets.
As mentioned above, Article 83 in principle provides that the imposition of an infringement fee is based on a discretionary overall assessment, but adds guidance for the exercise of discretion by highlighting factors that should have special weight, taking into account that the imposition of infringement fines in each individual case shall be effective, proportionate and deterrent.

In the following, we review the relevant conditions in the Privacy Ordinance, Article 83 no. 2:


JØP has not given any detailed reasons why these are business secrets and therefore information that can be exempted from the right of access under Article 15(4) of the Regulation.
4.2.2. Article 83 (2) (a): the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

The breach of personal data security is a result of a lack of technical and organizational measures that ensure satisfactory information security with regard to confidentiality and integrity, cf. Article 32 of the Regulation. We also refer to recital 83 of the Privacy Regulation.

The violation includes over 63,000 children in primary school in Oslo municipality. Not everyone has taken the school registration application into use, but the potential is still 63,000. The infringement includes children, who to a lesser extent have the prerequisites to safeguard their rights and freedoms. That use of the application Skolemelding is voluntary does not change the picture of the severity of the breaches.

In this connection, the Data Inspectorate points out that children in particular are entitled to a high degree of protection when information about them is processed, see recital 38 of the Privacy Ordinance, where it is stated:

"Children's personal data deserve special protection, as children may be less aware of current risks, consequences and guarantees, as well as the rights they have when it comes to the processing of personal data."

The fact that children's rights and freedoms have been exposed makes the violation extra serious, and the Norwegian Data Protection Authority has emphasized this as an aggravating circumstance.

Absence must be reported in the absence part of the application. On the municipality's website it is stated that no sensitive information must be written in the free text field. Equivalent information is not given in the absence part of the application, which the Data Inspectorate believes could have helped to limit the possibility of communicating special categories of personal information. Most people who use the application Skolemelding do not enter via the municipality's website but via the application, and will thus not receive this information. However, this will not have a decisive effect on the severity of the deviation.


In the light of the information provided to the Data Inspectorate, the personal data appearing from the medical consultant assessment by JØP's medical consultant cannot be considered trade secrets, in particular because it has not been established that the information has a commercial value or otherwise includes what might be considered business secrets. In this connection, the Data Inspectorate has also emphasized that JØP itself has informed the Authority of its handling of injury cases, etc., including for what purposes and how the opinions of medical consultants are obtained. Furthermore, according to the report, there is a firm practice throughout the industry, which is why access to these statements, in the opinion of the Authority, cannot be considered a business secret.


Against this background, the Data Inspectorate finds that JØP cannot, with reference to Article 15(4) of the Regulation, refuse to provide access to the complainant's personal data contained in the medical consultant assessments.
The fact that unauthorized persons have had the opportunity to gain access to others' personal data has also given them an opportunity to manipulate the personal data in the application. The breach of personal data security has meant that the data subjects have lost control of information about themselves, and of whether others have seen or changed information about them in the application.
4.2.2. Exemption under section 22(2)(1) of the Data Protection Act


According to section 22(2)(1) of the Data Protection Act, the right of access may be restricted if the data subject's interest in the information is found to be outweighed by overriding considerations of private interests, including the interests of the data subject himself.
4.2.3. Article 83 (2) (b): assessment of the degree of guilt

Pursuant to section 46 of the Public Administration Act, an administrative sanction may be imposed on an enterprise even if no individual has shown guilt. This means that Oslo Municipality has objective liability. By enterprise is meant company, cooperative, association or other association, sole proprietorship, foundation, estate or public enterprise.

We consider it beyond doubt that Oslo Municipality has had knowledge of the necessity of establishing organizational and technical measures in the application. By not taking the necessary steps, the municipality has acted negligently.

The Data Inspectorate finds that there is a clear preponderance of probability that Oslo Municipality has violated Art. 5 and Article 32 of the Privacy Regulation.


Under this provision, JØP may, after a specific assessment, refuse to provide information if it will cause the company's business base, business practices or know-how to suffer material damage. Furthermore, after a specific assessment, it will be possible to refuse insight into internal assessments of whether the company will enter into a contractual relationship on the basis of available information, change an existing contractual relationship, impose special conditions for continuation, possibly terminate a contractual relationship and similar cases. Similarly, it will be possible to refuse insight into e.g. a note assessing whether there is a prospect of winning a particular lawsuit against a customer, or an internal note in a case that points to possible evidence that a customer has attempted to pursue insurance fraud against an insurance company or attempted to evade the obligation under e.g. a loan contract. [4]
4.2.4. Article 83 (2) (c): measures taken by the controller or the data processor to limit the damage suffered by the data subjects

The security hole was closed the same day as the municipality discovered it. It is important that the municipality took these measures, and it will have a signal effect on others. The Data Inspectorate believes this should have a mitigating effect in the assessment of the infringement fee.


There must be "decisive considerations", which means that exceptions to the right of access can only be made in cases where there is a nearby danger that private interests will suffer material damage.
4.2.5. Article 83 (2) (d): the degree of responsibility of the controller or the data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32

The errors found in Skolemelding are of such a nature that they have been on the OWASP[5] top 10 list for many years. OWASP top 10 is a recognized document for raising awareness about security in web applications and is often referred to among people in the security environment and at security conferences. There is a consensus among security experts around the world on what are the most critical security risks in web applications. The Data Inspectorate has referred to OWASP in several places in its guide on software development with built-in privacy[6]. The errors in Skolemelding are described in A2, A3 and A5 in OWASP top 10 from 2013. Given the security holes found in the solution, any testing that has been done appears to be very deficient. This must be described as negligent.

[5] Open Web Application Security Project - https://www.owasp.org
[6] https: // www .datatilsynet.no / regulations-and-tools v / supervisors / software development-with-built-in privacy /


It is clear from the Register Committee's report no. 1345/1997 on the processing of personal data, p. 311, that it is recognized that private data controllers like public data controllers need to be able to protect internal decision-making to some extent. The right of access may be limited on the basis of the company's decisive interest in being free to assess, among other things, the conclusion of contracts and existing customer relationships, and to prevent competitors from obtaining information that is purely internal assessments or business secrets. The Committee therefore considered that the right of access should be limited if disclosure of information in the specific situation would entail an imminent risk of harm. On the other hand, the fact that these are internal assessments, etc., cannot in itself justify a refusal of a request for access.
It can therefore be stated that Oslo Municipality has shown negligence in relation to an acceptable level of protection.


In the opinion of the Data Inspectorate, the personal data in the medical consultancy assessment are not, as a general rule, internal information that can be exempted from access under section 22(2)(1) of the Data Protection Act.
4.2.6. Article 83 (2) (f): co-operation with the supervisory authority to remedy the violation and reduce its possible negative effects

There has been no collaboration with the Norwegian Data Protection Authority to remedy the violation. Oslo Municipality has on its own initiative taken the necessary measures to close the breaches of personal data security.


It is hereby emphasized that there are no such internal documents as referred to in the comments to the provision, which state that exceptions to the right of access can only be made if there is an obvious danger that private interests will suffer material damage. Concrete statements about medical conditions from medical consultants are not seen to have any content that could cause such an imminent danger that private interests will suffer material damage.
4.2.7. Article 83 No. 2 letter g: categories of personal data affected by the violation

As the violation includes children in primary school, we refer to recital 75 of the Privacy Ordinance, where it is pointed out that special consideration must be given to the risk associated with children's personal data, if the processing includes a large amount of personal data and affects a large number of data subjects.

We can state that special categories of personal data, as defined in Article 9 of the Privacy Regulation, have been exposed to unauthorized persons. The information that has been available is absence information, where a free text field can result in the reason for absence being stated. Also, information that requires confidentiality, such as information about bullying, could be registered in the school registration application.


Nor does the fact that the statements can be involved in connection with any complaints or litigation against JØP mean that the personal data in the statements can be exempted from access according to section 22(2)(1) of the Act. These are thus not notes in which it is assessed whether there is a prospect that a particular lawsuit against a customer can be won, nor an internal note in a case that points to possible evidence that a customer has attempted to carry out insurance fraud against an insurance company or has attempted to evade the obligation under, for example, a loan contract or other matters of a similar nature. They are, on the other hand, a contribution to the decision-making basis for the overall assessment and thus for the decision taken by JØP on the grant of invalidity pension.
4.2.8. Article 83 (2) (h): the manner in which the supervisory authority was informed of the infringement, in particular if and to what extent the data controller or the data processor has notified the infringement

The Norwegian Data Protection Authority first became aware of the current situation through media coverage. We were notified about the breach of personal data security by Oslo Municipality on 7 September 2018. It is unfortunate that the Data Inspectorate only learns about the discrepancy after the case has been mentioned in the media. The Data Inspectorate finds it highly reprehensible that knowledge of what has happened in the breach of personal data security, and of the vulnerability in the school notification application, has reached us through initiatives from private individuals. Oslo Municipality also admits that the non-conformance reports were misleading. This will be important in our assessment of whether infringement fines must be imposed.


4.2.9. Article 83(2)(k): any other aggravating or mitigating factor in the case, such as financial benefits gained, or losses avoided, directly or indirectly, as a result of the infringement

The Data Protection Authority has not found that Oslo Municipality gained financial benefits or avoided losses, directly or indirectly, as a result of the infringement.
The Norwegian Data Protection Authority places particular emphasis on the fact that sufficient organizational and technical measures were lacking in the application Skolemelding. The Data Protection Authority considers this serious, and it is one of the reasons for the infringement fine. The users of the municipality's services have a clear interest, worthy of protection, in not being exposed to inadequate security measures where confidentiality and integrity are required. Inadequate security can have serious consequences for the individual, both because others gain access to information the data subject has not chosen to make known, and because the exposure makes it unpredictable how many people have obtained the information. General preventive considerations, and the consideration that the rules should have effect and work as intended, speak strongly for reacting with an instrument such as an infringement fine. In a mitigating direction, it can be pointed out that Oslo Municipality reacted as soon as it became aware of the security holes.


4.2.10. Summary and conclusion

After an overall assessment of the deviation's scope, nature and severity, the Data Protection Authority has concluded that it is correct to uphold our notified decision on an infringement fine. We have placed special emphasis on the fact that it is children's privacy that is affected by the deviation.


4.3. Measurement of the size of the infringement fine

In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that "as a starting point, the same rules for infringement fines shall apply to public bodies as to private ones, as this is the scheme under the current Personal Data Act", but the Ministry assumes that within the rules of Article 83 GDPR, which also indicates the factors to be emphasized in calculating administrative fines, there is room for considerable discretion as to the size of the fine. The Ministry states that "the thresholds in Article 83 of the Regulation set maximum limits for the measurement of administrative fines, while no minimum limits have been set."

With regard to the size of the fine, the same factors that apply when assessing whether a fine shall be imposed are weighed. The fine should be set high enough that it also has an effect beyond the specific case, while at the same time being in reasonable proportion to the infringement and the undertaking, cf. Article 83(1).

We have particularly noted that the personal data breach concerns a significant number of children in primary school. Furthermore, we have emphasized the general expectation citizens may have that municipal authorities follow the rules laid down, and especially those that give individuals rights meant to protect this type of information. Imposing an infringement fine in this case will have an important signal effect. The Data Protection Authority wishes to communicate clearly that such incidents are considered serious. It is important that such
 
incidents do not occur, and that all public bodies handling citizens' personal data, and information about vulnerable persons such as children, are conscious of their responsibility. We have emphasized the general preventive effect that a decision on an infringement fine is assumed to have.

In our notified decision, we stated that the fine would be set at NOK 2,000,000. Oslo Municipality responded to our notice with objections to the size of the fine. It stated "that it is sufficient to impose obligations on the supplier to report deviations, in addition to routines having been established for continuous follow-up of the supplier. We have considered this practice satisfactory, as it has worked well over several years in that deviations have been discovered and cleaned up. It is also admitted by the supplier that the deficient follow-up of the agreement is due to human error. UDE believes that the above must be considered mitigating circumstances. In any case, we have wanted to improve our control of security tests, and have therefore introduced measures for a joint review of all results from security testing with the supplier, cf. above."

Oslo Municipality points out that it could not report deviations to the Data Protection Authority when it had no knowledge of the conditions. That Oslo Municipality had no knowledge of the test results is, as the Data Protection Authority sees it, a result of a lack of project management between the municipality and its supplier. The Norwegian Data Protection Authority draws attention to the fact that Oslo Municipality is responsible for the serious violation that occurred by not implementing organizational and technical measures suited to ensuring persistent confidentiality and integrity in the Skolemelding application.
That Oslo Municipality believed the application had been security tested before it was put into production, and believed it was sufficient to impose reporting obligations on the supplier for nonconformities, is a calculated risk, which does not mitigate the incident. Oslo Municipality finally points out that the supplier bears a significant part of the responsibility for the event. The Norwegian Data Protection Authority does not disagree with this, but it does not exempt the municipality from its own responsibility. Finally, the municipality points out that it can only be established that two people were affected by the personal data breach. This is of little importance to the Data Protection Authority when the potential was far larger.

The Data Protection Authority has come to the conclusion that the notified infringement fine must be adjusted downwards somewhat. In the assessment we have emphasized that the City of Oslo implemented damage-mitigating measures as soon as the municipality was informed about the breach of information security, and showed a willingness to clean up after the incident. After an overall assessment of the case, we have concluded that an infringement fine of NOK 1,200,000 is correct.


5. Decision on infringement fines


5.1. Decision on infringement fine

Pursuant to Article 58(2)(i) GDPR, cf. the Personal Data Act § 26, cf. Article 83 GDPR, the Norwegian Data Protection Authority makes the following decision on an infringement fine:

Oslo Municipality is ordered, pursuant to the Personal Data Act § 26 second paragraph, cf. Article 83 GDPR, to pay an infringement fine of NOK 1,200,000 (one million two hundred thousand Norwegian kroner) to the Treasury for breaches of duties under the GDPR.

The fine is imposed because Oslo Municipality did not implement suitable technical and organizational measures to achieve a level of security appropriate to the risk, and to ensure lasting confidentiality and integrity, cf. Article 5(1)(f) GDPR and Article 32(1)(b) and (d) GDPR.


5.2. Recovery of the infringement fine

The infringement fine is due for payment four weeks after the decision is final, cf. the Personal Data Act (2018) § 27. The decision is an enforceable basis for collection. Recovery of the claim will be carried out by the Central Government Collection Agency.


5.3. Right of appeal

You can appeal the decision. Any appeal must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we send the case to the Privacy Appeals Board for complaint processing, cf. the Personal Data Act § 22.

5.4. Transparency and publicity

You have the right to access the case documents, cf. the Public Administration Act § 18. We also inform you that all documents are in principle public, cf. Section 3 of the Public Access to Information Act, but emphasize at the same time that security documentation is as a general rule exempt from public access, cf. the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.


With best regards

Bjørn Erik Thon, Director
Knut Brede Kaspersen, Legal Director

Latest revision as of 18:52, 5 March 2022

Datatilsynet (Norway) - 18/02579
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type:
Outcome: Violation Found
Started:
Decided: 11.10.2019
Published: 01.12.2019
Fine: 1,200,000 NOK
Parties: Education Agency for Oslo municipality
National Case Number/Name: 18/02579
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
press release source (in NO)
Initial Contributor: n/a

A fine of NOK 1,200,000 (approximately €120,000), reduced from NOK 2,000,000, was imposed against the Education Agency of the Municipality of Oslo due to breach of personal data security in the mobile application “Skolemelding”. The fine was issued due to the application's lack of security and subsequent violations of Article 32(1)(b) GDPR and Article 32(1)(d) GDPR and of the principle of accountability as foreseen in Article 5(2) GDPR read in conjunction with Article 5(1)(f) GDPR.

English Summary

Facts

The case concerned vulnerabilities in the mobile app “Skolemelding”. In the application, pupils and guardians can communicate with teachers and administration at the school. There was a security issue with the application, where unauthorized users could access the application as authorized users and thus gain access to the personal data of pupils. More than 63,000 pupils were included in the data breach. In the application it was also possible to register special categories of data concerning the pupil in a “free-text” format, for example when sending the school information about why the pupil was too sick to attend school.

Holding

The fine was issued on the basis of a lack of security surrounding the log-in function, a breach of Article 32(1)(b). In addition, the application was launched without proper security testing, and included security flaws well known to the security community, a breach of Article 32(1)(d). Finally, launching the application with an unacceptable vulnerability, which the municipality did not take appropriate steps to close, and a lack of control of the supplier (CGI) regarding the results of the security testing, was a breach of the principle of accountability under Article 5(2) in conjunction with Article 5(1)(f).

The issued fine was NOK 1,200,000 (approximately €120,000), which was lower than the initially suggested fine of NOK 2,000,000 (approximately €200,000). The fine was lowered in part due to the quick action by the municipality to address the flaws and secure the personal data, and in part due to cooperation with the DPA, showing a will to fix the security flaws.

The municipality did not contest the evaluation by the DPA regarding the scope of the security breach.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Norwegian original for more details.

Press release: 
 
Fee to Oslo Municipality Education Agency

In April 2019, the Data Inspectorate sent a notification to the Oslo Municipality Education Agency about a violation fee for breach of personal data security in the mobile application School Notification. In October, a final fee of NOK 1.2 million was adopted.

The fee is given because the municipality had not taken appropriate measures to achieve a level of security appropriate to the risk. The assessment emphasized, among other things:

    One of the uses of the app is for parents to send messages about their children or announce absence when using free text fields. It facilitates the communication of sensitive personal information, such as health information, about the children. There are no technical measures to prevent this from happening, nor does the app inform you not to communicate such information. Had built-in privacy been taken into consideration, it would not have been a free-text field, but for example a drop-down list or check boxes.
    Lack of security around logging in to the app has allowed unauthorized persons access to view and change personal information of more than 63,000 children in primary school in Oslo.
    Inadequate security testing prior to the launch of the app led to it being launched with vulnerabilities well known in security environments worldwide.

The municipality has not been conscious of its responsibility and has launched a school messaging app with an unacceptable vulnerability without taking appropriate measures to close the vulnerabilities. They have also had insufficient control with the supplier when it comes to safety test results.

Read the entire case published in connection with the notice
Lower fee than notified

However, the Data Inspectorate has found that the notified fee of 2 million has to be slightly lowered. In our assessment, we have emphasized that the City of Oslo took measures to limit the damage as soon as the municipality became aware of the breach. The municipality has shown a willingness to clean up after the incident.


---------------------------------------------------------------


Decision on infringement fine

Date: 11.10.2019

We refer to a report of a breach of personal data security (deviation report) from Oslo municipality sent 7 September 2018, notification of decision of 29 April 2019 and Oslo municipality response of 21 June 2019.

Based on the information in the case, the Data Protection Authority finds that Oslo Municipality has violated the rules on personal data security in the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016).

Pursuant to Article 58(2)(i) GDPR, cf. the Personal Data Act § 26, cf. Article 83 GDPR, the Norwegian Data Protection Authority makes the following decision on an infringement fine:

Oslo Municipality is ordered, pursuant to the Personal Data Act § 26 second paragraph, cf. Article 83 GDPR, to pay an infringement fine of NOK 1,200,000 (one million two hundred thousand Norwegian kroner) to the Treasury for breaches of duties under the GDPR.

The fine is imposed because Oslo Municipality did not implement suitable technical and organizational measures to achieve a level of security appropriate to the risk, and to ensure lasting confidentiality and integrity, cf. Article 5(1)(f) GDPR and Article 32(1)(b) and (d) GDPR.

The background and reasons for the decision follow below.


1. The case
1.1. Description of the case
The case concerns vulnerabilities in the mobile application Skolemelding. This is an application that can be downloaded to a mobile phone and that was developed for use in the Oslo school system. In the application, parents and pupils can communicate with school staff. The communication is written and can be compared to SMS or e-mail.

It has been possible for unauthorized persons to log in as authorized users and thus gain access to personal data about pupils. More than 63,000 primary school pupils [1] in the Oslo schools are affected. In addition, it is possible to register special categories of personal data in the free-text field, for example about children's health. This may have entailed a risk that unauthorized persons were able to see information of an intrusive nature.

1.2. Proceedings

The Norwegian Data Protection Authority became aware of the case after Aftenposten published a news article on Thursday 6 September 2018 about serious security holes in the application. Oslo Municipality sent a notification of a personal data breach (deviation report) to the Data Protection Authority on 7 September 2018. The Data Protection Authority also received an inquiry from a private individual in connection with the case.

The Data Protection Authority then sent a request for a statement to Oslo Municipality on 4 October 2018, and we received a reply from Oslo Municipality sent on 26 October. We have also had a dialogue with the municipality by telephone. We asked for more information in an e-mail sent on 23 November, and received a reply from the municipality on 26 November.

In a letter dated 29 April 2019, the Norwegian Data Protection Authority gave notice of a decision on three orders to implement measures considered necessary to close the relevant deviations from the requirements of the data protection rules. We also gave notice that we would consider making a decision on an infringement fine as a result of the breach of the controller's duties under the data protection rules. Oslo Municipality responded to the notice in a timely manner in a letter dated 21 June 2019.

The response from the City of Oslo explains in more detail the Skolemelding system, as well as CGI's obligations (the municipality's supplier) and the course of events before and after the security incident. The Norwegian Data Protection Authority uses this account as part of the factual circumstances of the case. The Norwegian Data Protection Authority has assessed Oslo Municipality's proposals for measures in connection with the case, and finds that the deviations are now closed. The notified decisions on orders are therefore considered to have lapsed. In the following, the Norwegian Data Protection Authority will only consider the decision on an infringement fine.

1.3. More about the system and functionality in Skolemelding

Skolemelding is a messaging application for the Oslo school's parents, pupils and employees. In the application, parents and pupils can send a message to the contact teacher, subject teacher or other employees at the school. They can also respond to messages sent from the school. The application also gives teachers the opportunity to communicate with each other.

[1] Source: https://www.oslo.kommune.no/politikk-og-administrasjon/etater-foretak-og-ombud / utdanningsetaten / arsberetning-2017 /? del = 3 # gref2


Oslo Municipality's website (https://aktuelt.osloskolen.no/larerik-bruk-av-laringsteknolocd / digital-skolehverdag / skolemelding /) states that parents can report absence in the application and in the Portal. The Portal is a school platform for the Oslo school, and each school has its own portal. The message is sent automatically to the child's contact teacher. It further states: «Do not use the app or other communication channels in Skoleplattform Oslo to send sensitive personal information, such as your child's health information. It suffices to say that the child is not coming to school today.»

In Skolemelding, absence is reported by clicking on «New message» and the «Report absence» button. There is a free-text field here to write what the absence concerns. There is nothing in the application itself saying that sensitive personal information should not be entered.

To authenticate users, Skolemelding uses ID-porten for parents and FEIDE for employees. These are well-established standard components for authentication, and the deviation in this case does not concern these two services. The deviation concerns how these components are integrated with Skolemelding for handling login.

1.4. Oslo Municipality's description of the deviations

In the report on the personal data breach that we received from Oslo Municipality on 7 September 2018, the incident is described as follows:

«Authorized users of the school messaging app who have the knowledge to decrypt the app and have the right type of software have been able to gain access to other users' personal information of the type name, e-mail address and which children a parent has, as well as messages sent to and from the school. By combining birth number, client secret and system password, it was possible to access the personal information mentioned above. This, in combination with a lack of security when using a specific API, made it possible for logged-in users to access other people's messages.»

The deviation was described in more detail in a letter from Oslo Municipality dated 26 October 2018:

«After further investigations, CGI now confirms that it was possible to decrypt the code of the school messaging app and acquire knowledge about weaknesses in the authentication process, and through this gain access to other users' data by bypassing login via FEIDE or ID-porten without being an authorized user of the solution. At the same time, they emphasize that this presupposes a great deal of competence and knowledge about both authentication and Skolemelding to do this without first being logged in. As is known, the deviation was also first uncovered by someone who had access to the solution. By exploiting the weakness, one thus only needed to know an employee's or pupil's username, or a parent's birth number, to gain access to their personal information of the type name, e-mail address and which children a parent has. Furthermore, one could then also retrieve one message at a time regardless of user.


CGI therefore believes that the analyses in the blog are mainly correct. CGI has also itself revealed the weaknesses from the blog in the further security testing of the application, where all errors that may cause security deviations have been corrected. We have also carried out our own security tests of the solution afterwards and have verified that the deviations have been rectified.»

The Data Protection Authority sent several requests for statements related to, among other things, how testing of the solution had been carried out, and whether risk assessments and a Data Protection Impact Assessment (DPIA) had been carried out.

In its responses, the City of Oslo described that the supplier (CGI) carried out security testing in the period 16 to 24 August 2018. The supplier identified some vulnerabilities and proposed measures to reduce them in its security report. It further emerged that the supplier had not informed the municipality about the results of the security test, but had chosen to wait with the measures until the next scheduled release. The municipality stated that this was the reason why it could close the deviation quickly and issue an update of the application. It further stated that if it had known of the vulnerabilities earlier it would have closed the solution until they were rectified.

When asked by the Norwegian Data Protection Authority whether a DPIA and risk assessment had been carried out for the solution, the municipality replied that no formal DPIA was carried out, but that a risk assessment was. One of nine identified vulnerabilities/threats was considered unacceptable. The vulnerability was that sensitive data is registered in the solution. Some measures were proposed to deal with the vulnerability. One was to provide information on the schools' and the municipality's websites that sensitive information must not be written in the free-text field, which has been completed. The second was to put this information into the application in the next update, which was scheduled for 13 December 2018. A final measure was to create templates for registering different types of absence. This measure is planned as part of the further development of the solution in 2019. The Education Agency would also assess the need for free-text fields for reporting absence.

The Norwegian Data Protection Authority has not requested or been sent a risk assessment beyond what is described above. We have also not requested or received a report from the security testing.

1.5. The vulnerabilities in the system

In our notice of decision, the vulnerabilities in the system were described as follows:

As we understand it, the vulnerabilities cannot be exploited during normal use of the Skolemelding application, but by using a tool such as a web proxy to view and manipulate the data traffic communicated through the system. Such tools are readily available for download from the internet. Using them requires a certain technical competence, but information on how to use them is also readily available on the internet.
1.5.1. Authentication issues 
When a user of the parent application logs in, the user is taken as expected through the login process in ID-porten. It is after this that the problems arose. There was an error in the logic of the authentication server (called the "rnid port" in the machine translation) used by the system. After login, the login solution issued only the birth number (which is the parent's user ID) as the access token [2]. It was therefore possible to create one's own access token without going through the login solution, as long as a birth number registered as a guardian was used.

Birth numbers are structured in a well-defined way and are limited to 11 million. This makes it easy for an attacker to generate all possible birth numbers and then try them against the solution. The range of birth numbers one needs to test can also be reduced based on, for example, year of birth, when one knows that the birth number being tried may belong to a parent of a child in primary school. Because of a further weakness in the system, it is not necessary to have more than one valid user to access other people's messages.

1.5.2. Lack of separation between users means that one can access others' messages

When a user is authenticated, they can read messages stored on the server. This is done in the background of the application by specifying, among other things, an ID for the desired message. The ID is a sequentially generated integer that acts as a unique identifier for messages. The system lacks a verification of whom a message (ID) belongs to when it is retrieved. This allows an authenticated user to retrieve any message in the system by specifying a valid message ID, regardless of whom it belongs to. Guessing valid IDs is not difficult, since, as mentioned, they consist of sequential integers.

1.5.3. Possibility to harvest information and link persons to messages

It is also possible to retrieve information about the user one is logged in as and the pupils associated with this user. This includes full name, username, e-mail, birth number and telephone number. This is done by running a call to the server, which returns LDAP [3] data. As a result, even if someone initially tests with random birth numbers, they will also be able to link the birth number to the person and family in an easy way.
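The two weaknesses in 1.5.1 and 1.5.2 (a birth number accepted as the access token, and message retrieval by sequential ID without an ownership check) can be shown side by side with a hardened variant. The following is an added illustration written for this page, not code from Skolemelding, CGI or Oslo Municipality; the parent records, message texts, birth-number-shaped strings and function names are constructed assumptions.

```python
# Illustrative model of the weaknesses described in 1.5.1 and 1.5.2, written
# for this page as an added example. It is NOT the Skolemelding source code;
# the data, function names and IDs below are constructed for the illustration.
import secrets

# Constructed sample data. The 11-digit strings stand in for parents' birth
# numbers (fødselsnummer) and are made up, not real identifiers.
PARENTS = {"01010112345": "Parent A", "02020254321": "Parent B"}

# Message IDs are sequential integers, as in the decision's description.
MESSAGES = {
    1: {"owner": "01010112345", "text": "Kari is home with a fever today"},
    2: {"owner": "02020254321", "text": "Ola has a dentist appointment"},
    3: {"owner": "01010112345", "text": "Can we talk about the bullying?"},
}


# ---- Vulnerable design (as the decision describes it) ----------------------

def vulnerable_login(birth_number):
    """After ID-porten login the server hands back the birth number itself
    as the access token. Anyone who can guess a registered birth number can
    build the same 'token' without ever going through the login."""
    return birth_number if birth_number in PARENTS else None


def vulnerable_get_message(token, msg_id):
    """Checks that the caller is *some* known user, but never that the
    message belongs to that user (an insecure direct object reference)."""
    if token not in PARENTS:
        raise PermissionError("not authenticated")
    return MESSAGES[msg_id]["text"]


def enumerate_messages_vulnerable(token, max_id):
    """With sequential IDs, one valid identity reads the whole store by
    counting upward. Gaps in the sequence are simply skipped."""
    found = {}
    for msg_id in range(1, max_id + 1):
        try:
            found[msg_id] = vulnerable_get_message(token, msg_id)
        except KeyError:
            pass
    return found


# ---- Hardened design --------------------------------------------------------

SESSIONS = {}  # opaque session token -> birth number, kept server-side


def secure_login(birth_number):
    """Issue an unguessable session token. The birth number is resolved on
    the server and never acts as a credential on the wire."""
    if birth_number not in PARENTS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = birth_number
    return token


def secure_get_message(token, msg_id):
    """Authenticate, then authorize: the message must belong to the session's
    user. Missing and foreign messages raise the same error so that valid
    IDs cannot be probed."""
    user = SESSIONS.get(token)
    if user is None:
        raise PermissionError("not authenticated")
    msg = MESSAGES.get(msg_id)
    if msg is None or msg["owner"] != user:
        raise PermissionError("no such message")
    return msg["text"]


if __name__ == "__main__":
    # A guessed birth number, never logged in, reads everyone's messages.
    print(enumerate_messages_vulnerable("02020254321", 5))
    # The hardened endpoint returns only Parent B's own message.
    tok = secure_login("02020254321")
    print(secure_get_message(tok, 2))
```

Two points from the paragraphs above are visible here: `vulnerable_get_message` never compares the message's owner with the caller, so a single valid identity reads the whole store by counting upward; and replacing the birth number with an opaque `secrets.token_urlsafe` session token fixes only the 1.5.1 problem, while the ownership comparison in `secure_get_message` is what closes 1.5.2. Non-sequential message IDs would be defense in depth, not a substitute for that check.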

2. Oslo Municipality's feedback

In a letter dated 21 June 2019, the City of Oslo has not disputed the Data Protection Authority's presentation of the factual circumstances set out in our notice of decision of 29 April 2019. In the following, we assume that our presentation of the nature and extent of the deviation gives a correct description.

[2] An access token contains security information for a login session and identifies, among other things, the user and its rights.
[3] Lightweight Directory Access Protocol is a protocol used to look up a directory service on a server.


In its response, the municipality has described how the deviations have been closed, and what measures have been taken to prevent similar deviations from happening again. We assume that these measures are satisfactory, and consider the deviations to be closed. The City of Oslo has raised objections to the size of the notified infringement fine. These are discussed below in our assessment of the infringement fine to be imposed.

3. Legal basis for the assessment
3.1. About the GDPR

The GDPR regulates all aspects of the processing of personal data. Article 5 GDPR deals with what must be said to be the core of data protection law, and the article is absolutely central to the interpretation of the rest of the Regulation's provisions. Violation of the principles in Article 5 may in itself lead to the imposition of sanctions.

As stated in the provision, Article 5(1)(f) concerns personal data security and the principle that the necessary integrity and confidentiality must be ensured. The principle in Article 5(1)(f) on integrity and confidentiality is described in more detail and supplemented by more specific provisions in Chapter IV of the GDPR, see for example Article 32 on security of processing.

Article 5(2) enshrines the principle of accountability, which states that the controller is responsible for complying with the principles in Article 5(1).

3.2. In particular on the imposition of infringement fines - Article 58(2)(i)

The GDPR leaves it to the Member States to determine whether infringement fines may be imposed on public authorities and bodies, cf. Article 83(7). In the Personal Data Act (2018) § 26 second paragraph, it is determined that the Data Protection Authority may impose infringement fines on public authorities and bodies in accordance with the rules in Article 83 of the GDPR, cf. Article 83(7).

Article 83 of the GDPR sets out the conditions for the imposition of a fine. The provision contains, among other things, an overview of which factors are to be taken into account both when considering whether an infringement fine is to be imposed and when measuring the size of the fine. The article also indicates the magnitude of the fines, and it appears from Art. 83(4) and (5) that the maximum rates depend on which provisions of the GDPR have been violated.

The provision basically instructs that the imposition of an infringement fine is based on an overall judgment, but it provides guidelines for the exercise of discretion by highlighting aspects that should be given special emphasis. The first paragraph of the article states that the infringement fine in each individual case must be effective, proportionate to the violation and dissuasive.

We also refer to the European Data Protection Board's guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253)*4, where the Board explains the general criteria in Art. 83(1) and the points in Art. 83(2).

4. The Data Inspectorate's assessments and reasons for decisions

4.1. Assessment of whether an offense has taken place

The processing of a report of a breach of personal data security revealed the following circumstances, which constitute a breach of Article 32(1) of the GDPR:

1. Lack of security around logging in to the application, which made it possible to view and change the personal data of more than 63,000 children, is contrary to Article 32(1)(b) of the GDPR. In addition, this includes information about parents and teachers.
2. Inadequate security testing before launching the application, and the fact that it was launched with security holes that are well known in security communities around the world, is contrary to Article 32(1)(d) of the GDPR.
3. Launch of a school notification application with an unacceptable vulnerability that Oslo Municipality had not implemented appropriate measures to close, and inadequate control of the supplier, CGI, regarding the results of the security test, is a violation of the accountability principle in Article 5(2) of the GDPR, cf. Article 5(1)(f).

The City of Oslo has not disputed the Data Protection Authority's assessments of whether and to what extent there are deviations from the GDPR's requirements for the processing of personal data.

4.2. The Data Protection Authority's assessment of the conditions for imposing an infringement fine

4.2.1. General information about the assessment

The right to impose infringement fines is provided as a means of ensuring effective compliance with and enforcement of the Personal Data Act. An infringement fine may be imposed for deviations that have taken place, also in cases where the deviations have been closed at the time of the decision on the infringement fine.

Under domestic law, an infringement fine is not to be regarded as a penalty, but as an administrative sanction. However, it must be assumed that the infringement fine is to be regarded as a penalty under Article 6 of the ECHR (European Convention on Human Rights), in accordance with the case law of the Supreme Court, cf. Rt. 2012 p. 1556 with further references. The Data Protection Authority therefore assumes that a clear preponderance of probability of an offense is required in order to impose a fine. The case and the question of imposing an infringement fine are assessed on the basis of this evidentiary requirement.

*4 Originally prepared by the Article 29 Working Party, but adopted by the European Data Protection Board, see the Board's "Endorsement 1/2018", section 16. The documents are available at https://edpb.europa.eu

As mentioned above, Article 83 in principle provides that the imposition of an infringement fine is based on a discretionary overall assessment, but adds guidance for the exercise of discretion by highlighting factors that should have special weight, taking into account that the imposition of infringement fines in each individual case shall be effective, proportionate and dissuasive.

In the following, we review the relevant conditions in Article 83(2) of the GDPR:

4.2.2. Article 83(2)(a): the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

The breach of personal data security is a result of a lack of technical and organizational measures ensuring satisfactory information security with regard to confidentiality and integrity, cf. Article 32 of the GDPR. We also refer to recital 83 of the GDPR.

The violation includes over 63,000 children in primary school in Oslo Municipality. Not everyone has taken the Skolemelding application into use, but the potential is still 63,000. The infringement affects children, who to a lesser extent have the prerequisites to safeguard their rights and freedoms. That use of the Skolemelding application is voluntary does not change the picture of the severity of the breaches.

In this connection, the Data Protection Authority points out that children in particular are entitled to a high degree of protection when information about them is processed, see recital 38 of the GDPR, which states:

"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data."

The fact that children's rights and freedoms have been exposed makes the violation extra serious, and the Data Protection Authority has emphasized this as an aggravating circumstance.

Absence must be reported in the absence part of the application. On the municipality's website it is stated that no sensitive information must be written in the free text field. Equivalent information is not given in the absence part of the application itself, which the Data Protection Authority believes could have helped limit the possibility of communicating special categories of personal data. Most people who use the Skolemelding application do not enter it via the municipality's website, but via the application, and will thus not receive this information. However, this does not have a decisive effect on the severity of the deviation.


The fact that unauthorized persons have had the opportunity to gain access to others' personal data has also given them the opportunity to manipulate the personal data in the application. The breach of personal data security has meant that the data subjects have lost control of information about themselves, and of whether others have seen or changed information about them in the application.

4.2.3. Article 83(2)(b): assessment of the degree of fault

Pursuant to section 46 of the Public Administration Act, an administrative sanction may be imposed on an enterprise even if no individual has shown fault. This means that Oslo Municipality has strict liability. By enterprise is meant a company, cooperative, association or other association, sole proprietorship, foundation, estate or public enterprise.

We consider it beyond doubt that Oslo Municipality has had knowledge of the need for organizational and technical measures in the application. By not taking the necessary steps, the municipality has acted negligently.

The Data Protection Authority finds that there is a clear preponderance of probability that Oslo Municipality has violated Art. 5 and Article 32 of the GDPR.

4.2.4. Article 83(2)(c): any action taken by the controller or processor to mitigate the damage suffered by data subjects

The security hole was closed the same day the municipality discovered it. It is important that the municipality took these measures, and this will have a signal effect for others. The Data Protection Authority believes this should have a mitigating effect in the assessment of the infringement fine.

4.2.5. Article 83(2)(d): the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented by them pursuant to Articles 25 and 32

The errors found in Skolemelding are of such a nature that they have been on the OWASP*5 top 10 list for many years. The OWASP top 10 is a recognized document for raising awareness about security in web applications, and is often referred to among people in the security community and at security conferences. There is a consensus among security experts around the world on what the most critical security risks in web applications are. The Data Protection Authority has referred to OWASP in several places in its guide on software development with built-in privacy*6. The errors in Skolemelding are described in A2, A3 and A5 of the OWASP top 10 from 2013. Given the security holes found in the solution, any testing that has been done appears to be very deficient. This must be described as negligent.

*5 Open Web Application Security Project - https://www.owasp.org
*6 Datatilsynet's guide "Software development with built-in privacy", https://www.datatilsynet.no

It can therefore be stated that Oslo Municipality has shown negligence in relation to an acceptable level of protection.

4.2.6. Article 83(2)(f): the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects

There has been no collaboration with the Data Protection Authority to remedy the violation. Oslo Municipality has on its own initiative taken the necessary measures to close the breaches of personal data security.

4.2.7. Article 83(2)(g): the categories of personal data affected by the infringement

As the violation includes children in primary school, we refer to recital 75 of the GDPR, where it is pointed out that special consideration must be given to the risk associated with children's personal data, if the processing includes a large amount of personal data and affects a large number of data subjects.

We can state that special categories of personal data, as defined in Article 9 of the GDPR, have been exposed to unauthorized persons. The information that has been available is absence information, where a free text field can result in the reason for absence being stated. Furthermore, information that requires confidentiality, such as information about bullying, could be registered in the Skolemelding application.

4.2.8. Article 83(2)(h): the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

The Data Protection Authority first became aware of the situation through media coverage. We were notified of the breach of personal data security by Oslo Municipality on 7 September 2018. It is unfortunate that the Data Protection Authority only learns about the deviation after the case has been mentioned in the media. The Data Protection Authority finds it highly reprehensible that knowledge of what happened in the breach of personal data security, and of the vulnerability in the Skolemelding application, reached us through initiatives from private individuals. Oslo Municipality also admits that the non-conformance reports were misleading. This will be important in our assessment of whether an infringement fine must be imposed.

4.2.9. Article 83(2)(k): any other aggravating or mitigating factor applicable to the case, such as financial benefits gained, or losses avoided, directly or indirectly, as a result of the infringement

The Data Protection Authority has not found that Oslo Municipality has had financial benefits, or avoided losses, directly or indirectly as a result of the infringement.

The Data Protection Authority places particular emphasis on the fact that sufficient organizational and technical measures were not implemented in the Skolemelding application. The Data Protection Authority considers this to be serious, and it is one of the reasons for the infringement fine. The users of the municipality's services have a clear interest worthy of protection against inadequate security measures where confidentiality and integrity are required. Inadequate security can have serious consequences for the individual, both because others gain access to information that the data subject has not chosen to make known, and because the availability makes it unpredictable how many people have obtained the information.

General preventive reasons, and the consideration that the rules should have effect and work as intended, speak strongly for reacting with an instrument such as an infringement fine.

In a mitigating direction, it can be pointed out that Oslo Municipality reacted as soon as it received knowledge of the security holes.

4.2.10. Summary and conclusion

After an overall assessment of the deviation's scope, character and severity, the Data Protection Authority has concluded that it is correct to uphold our notified decision on an infringement fine. We have placed special emphasis on the fact that it is children's privacy that is affected by the deviation.

4.3. Measurement of the size of the infringement fine

In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that "as a starting point, the same rules for infringement fines shall apply to public bodies as to private ones, as this is the scheme under the current Personal Data Act", but the Ministry assumes that within the rules of Article 83 of the Regulation, which also indicates the factors to be emphasized in the calculation of administrative fines, there is room for considerable discretion as to the size of the fine. The Ministry states that "[t]he amount limits in Article 83 of the Regulation set maximum limits for the measurement of administrative fines, while no minimum limits have been set."

With regard to the size of the fine, the same factors apply, weighed against each other, as when assessing whether the fine shall be imposed. The fine should be set so high that it also has an effect beyond the specific case, while at the same time the size of the fine must be in reasonable proportion to the violation and the enterprise, cf. Art. 83(1).

We have particularly noted that the breach of personal data security concerns a significant number of children in primary school. Furthermore, we have emphasized the general expectation citizens may have that municipal authorities follow the rules that are given, and especially those rules that give individuals rights meant to protect this type of information.

The imposition of an infringement fine in this case will have an important signal effect. The Data Protection Authority wants to clearly communicate that such incidents are considered serious. It is important that such incidents do not occur, and that all public bodies dealing with citizens' personal data and information about vulnerable persons such as children are conscious of their own responsibility. We have emphasized the general preventive effects that a decision on an infringement fine is assumed to have.

In our notified decision, we stated that the size of the fine would be set at NOK 2,000,000.

Oslo Municipality responded to our notice with objections to the size of the fine. It stated that "it is sufficient to impose obligations on the supplier to report deviations, in addition to which routines have been established for continuous follow-up of the supplier. We have considered this practice as satisfactory, as it has worked well over several years in that deviations have been discovered and cleaned up. It is also admitted by the supplier that deficient follow-up of the agreement is due to human failure. UDE believes that the aforementioned must be considered as mitigating circumstances. In any case, we have wanted to improve our control in terms of security tests, and have therefore introduced measures for a joint review of all results from security testing with the supplier, cf. above."

Oslo Municipality points out that it could not report deviations to the Data Protection Authority when it had no knowledge of the conditions. That Oslo Municipality had no knowledge of the test results is, as the Data Protection Authority sees it, a result of a lack of project management between the municipality and its supplier.

The Data Protection Authority draws attention to the fact that Oslo Municipality is responsible for the serious violation that happened by not introducing organizational and technical measures likely to ensure persistent confidentiality and integrity in the Skolemelding application. That Oslo Municipality believed that the application had been security tested before it was put into production, and believed it was sufficient to impose obligations on the supplier regarding the reporting of nonconformities, is a calculated risk, which does not mitigate the incident.

Oslo Municipality finally points out that the supplier has a significant part of the responsibility for the event. The Data Protection Authority does not disagree with this, but it does not exempt the municipality from its responsibility.

Finally, the municipality points out that it can only be established that two people are affected by the breach of personal data security. This is of little importance to the Data Protection Authority when the potential was far larger.

The Data Protection Authority has come to the conclusion that the notified infringement fine must be adjusted downwards somewhat. In the assessment we have emphasized that the City of Oslo implemented damage mitigation measures as soon as the municipality was informed about the breach of information security, and has shown a willingness to clear up the incident.

After an overall assessment of the case, we have come to the conclusion that an infringement fine of NOK 1,200,000 is considered correct.

5. Decision on infringement fines

5.1. Decision on infringement fine

Pursuant to Article 58(2)(i) of the GDPR, cf. the Personal Data Act § 26, cf. Article 83 of the GDPR, the Data Protection Authority makes the following decision on infringement fine:

Oslo Municipality is ordered, pursuant to the Personal Data Act § 26 second paragraph, cf. Article 83 of the GDPR, to pay an infringement fine of NOK 1,200,000 (one million two hundred thousand Norwegian kroner) to the Treasury for breaches of duties under the GDPR.

The fine is imposed as a result of Oslo Municipality not having implemented suitable technical and organizational measures to achieve a level of security appropriate to the risk, and to ensure lasting confidentiality and integrity, cf. Article 5(1)(f) and Article 32(1)(b) and (d) of the GDPR.

5.2. Recovery of the infringement fine

The infringement fine is due for payment four weeks after the decision is final, cf. the Personal Data Act (2018) § 27. The decision is an enforceable basis for collection. Recovery of the claim will be carried out by the Central Government Collection Agency.

5.3. Right of appeal

You can appeal the decision. Any appeal must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we send the case to the Privacy Appeals Board for appeal processing, cf. the Personal Data Act § 22.

5.4. Transparency and publicity

You have the right to access the case documents, cf. the Public Administration Act § 18. We also inform you that all documents are in principle public, cf. Section 3 of the Freedom of Information Act, but emphasize at the same time that security documentation is as a general rule exempt from public access, cf. the Freedom of Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.

With best regards

Bjørn Erik Thon
Director

Knut Brede Kaspersen
Legal director