Datatilsynet (Norway) - 20/01984
Revision as of 07:35, 4 October 2021
| Datatilsynet - 20/01984 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 5 GDPR; Article 6 GDPR; Article 32(1)(b) GDPR; The Education Act § 15(1); Public Administration Act § 13 no. 1 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 16.11.2020 |
| Published: | 16.11.2020 |
| Fine: | 200000 NOK |
| Parties: | Indre Østfold kommune (municipality) |
| National Case Number/Name: | 20/01984 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA (Datatilsynet) fined Indre Østfold municipality €18,860 for publishing a former student's school folder openly on its website, thereby breaching Articles 5, 6 and 32(1)(b) of the GDPR.
English Summary
Facts
A former student asked a school to share their school folder. The municipality's routine is to keep records for access requests, which meant, in this case, that the folder was scanned and made available for access. It was, however, made openly available on their website and a local journalist was able to download the entire folder with its contents. The information was confidential, cf. the Education Act.
When the error was discovered, the folder was removed and the municipality notified the DPA of the personal data breach, as well as the affected data subject.
Dispute
Was publishing the student's school folder online a breach of Article 32?
Holding
The DPA concluded that the municipality had breached the required information security requirements as per Article 32(1)(b), cf. Article 5, and that they didn't have any legal grounds for this processing as per Article 6, cf. Article 5 (the latter because the information was confidential and should never have been published openly). The municipality was fined €18,860.
Comment
It's interesting to note that the DPA also held that the municipality had breached Article 6, with the following logic: The folder and its contents were subject to confidentiality as per the Freedom of Information Act. When the folder was openly published, the GDPR came into effect, meaning the municipality would require legal grounds for processing as per Article 6. However, since the personal data by law weren't allowed to be shared publicly, none of the requirements for establishing legal grounds as per Article 6 were applicable, i.e. the municipality breached Article 6.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Violation fee to Indre Østfold municipality

The Norwegian Data Protection Authority has decided to give Indre Østfold municipality an infringement fee of NOK 200,000 for breach of confidentiality. Personal information that should have been protected was made available to unauthorized persons.

Indre Østfold municipality, formerly Askim municipality, published the student folder of a former student on the municipality's website. The student file contained personal information that is subject to a duty of confidentiality.

Got tips from local newspaper

The starting point for the incident was that the student needed the student file in a study context, and therefore asked the municipality to send it over. The municipality's routine is for requests for access to be recorded. This means that the document in which access has been requested is also scanned and made available for access.

The student folder was available on the municipality's website from Friday 27 September to Monday 30 September. The municipality was made aware of the case by a journalist in the local newspaper Smaalenenes Avis. The documents were removed from the mailing list and exempted from public access immediately after they were discovered. The affected person was then notified.

The infringement fee does not change

After the Data Inspectorate sent a notification of infringement fines, we received feedback from the municipality. Here they regret that "personal sensitive information" was posted on the mailing list. The municipality also asked the Data Inspectorate to assess the size of the fee in light of the measures that were introduced afterwards.

An infringement fee shall reflect the severity of the offense in question. It follows from Norwegian law that the municipality must implement the necessary measures to prevent future offenses.
The Norwegian Data Protection Authority has come to the conclusion that the subsequent measures to rectify the incidents, in view of the seriousness of the breach, do not have a significant effect on the size of the infringement fee. We have therefore concluded that the notified fee will not change.