Datatilsynet (Norway) - 24/00793-9
Datatilsynet - 24/00793-9 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 24 GDPR, Article 32 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 04.09.2024 |
Published: | |
Fine: | 150,000 NOK |
Parties: | The University of Agder |
National Case Number/Name: | 24/00793-9 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (Norway) (in NO) |
Initial Contributor: | wp |
The University of Agder was fined NOK 150,000 for violations of Articles 24 and 32 GDPR that enabled all employees and students to access personal data stored in an MS Teams folder.
English Summary
Facts
Since 2018, the University of Agder (the controller) had been using MS Teams and SharePoint.
An employee of the controller found that an open MS Teams folder gave all employees and students access to documents containing personal data. For example, four documents referred to 4,851 employees and 10,419 external persons (back to 2014) who were mentioned by name, national identity number, employee number, resignation date and organisational unit. Other documents included, for example, an exam overview of 568 students and personal data of 64 Ukrainian refugees.
After receiving the notification from the employee, the controller immediately changed the access settings of the MS Teams folders. Under the new setting, each employee wishing to access a folder must be approved by the folder's owner.
The controller notified the Norwegian DPA (Datatilsynet) and the affected data subjects about the incident. Additionally, the controller published a detailed description of the incident on its website. However, log control reached only 6 months back. The controller was unable to confirm whether employees and students had interacted with or downloaded the data.
Holding
The DPA found that the controller violated Articles 24 and 32 GDPR.
Data confidentiality was violated. Personal data became freely available to approximately 1,200 employees and 12,000 students of the controller. Furthermore, the controller had no adequate log control in place, which made it impossible to assess how many people accessed the data. At the same time, the controller had failed to implement internal procedures and employee training on the use of MS Teams. The initial setting was also incorrect, as there was no control over which employees accessed data stored within MS Teams and no way to discover unauthorised access in advance.
Hence, the controller failed to implement appropriate security measures in accordance with Articles 24 and 32 GDPR, which led to the data breach.
The DPA acknowledged that the controller properly handled the breach and updated the MS Teams settings. Nevertheless, the gravity of the breach, in particular the number of people who potentially had access to the data and the categories of data involved, required an appropriate reaction from the DPA. The DPA therefore decided to fine the controller NOK 150,000 (approximately €12,700).
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
THE UNIVERSITY OF AGDER
PO Box 422
4604 KRISTIANSAND S
Your reference:
Our reference: 24/00793-9
Date: 04/09/2024
Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org. no: 974 761 467. Website: www.datatilsynet.no
Decision on infringement fee - University of Agder
We refer to our notice of decision on infringement fees of 28 June 2024. The University of Agder (hereafter UiA) submitted a notification of a breach of personal data security (notice of deviation) on 14 February 2024. We have not received any comments from UiA regarding our notification.
1. Decision on infringement fees
The Norwegian Data Protection Authority has today made the following decision:
Pursuant to Article 58 no. 2 letter i of the Personal Data Protection Regulation, cf. § 26 of the Personal Data Act, cf. Article 83 of the Personal Data Protection Regulation, the University of Agder is ordered to pay an infringement fee of NOK 150,000 (one hundred and fifty thousand Norwegian kroner) to the treasury, for breach of the requirements for security and internal control when processing personal data, cf. Article 32 and Article 24 of the Personal Data Protection Regulation.
2. Description of the deviation
2.1 General information about the deviation
According to the notice of deviation, documents with personal data have been stored in open Teams folders, to which employees have had access without official need. It was an employee who discovered the error after searching open Teams folders. The discrepancy had been ongoing since 2018, when UiA started using Microsoft Teams and SharePoint.
On 14 February 2024, four documents were discovered in Microsoft Teams that lacked access control and contained personal information about employees and students:
I. A document with an overview of all employees and external persons associated with the university back to 2014. This applies to 4,851 employees and 10,419 external persons who are mentioned by name, with birth and social security number, employee number, resignation date and organizational unit. All employees have had access to the document.
II. A document with an overview of 568 students who have had their exams arranged. The document contains name, birth and social security number, student number, special adaptation code, free text about what the measure applies to and date. All employees have had access to the document.
III. In the public team "Academic service - Ukraine" there has been an overview of 64 refugees from Ukraine with full name, address, student number, date of birth, telephone number, previous educational background, field of study, whether they have registered with Lånekassen, planned course of study and residence status. It has been possible for both staff and students to access the folder.
IV. A list of employees at the library linked to a project from 2015. The list contained information about name, residential address and birth and social security number. All employees have had access to the document.
On 16 February 2024, UiA discovered five further documents in Microsoft Teams without access control:
V. A list from 2014 in which an external practice teacher is referred to as "sick on sick leave autumn 2014". The information has been available to all employees at the university.
VI. A document with 177 students' names, social security numbers, UiA e-mail addresses, private e-mail addresses and exam notifications. The list has been available to all employees.
VII. A list with an overview of 60 students' names, social security numbers, student numbers and exam attempts. The document has been available to all employees.
VIII. A list of 13 students with information on name, social security number and address. The list has been available to all employees.
IX. A list with an overview of 40 students' names, exam subject and type of special arrangement. The list has been available to all employees.
The discrepancy includes both general personal data and special categories of personal data. The general personal data consists, among other things, of students' and employees' contact details, social security numbers, education information and residence status for refugees, examination notifications and number of examination attempts. In addition, information about students' arrangements for examinations, special arrangements related to study subjects, as well as information about sick leave relating to an employee, will involve the processing of health information.
2.2 Access control
Open Teams folders are something that every unit at UiA uses to be able to share documents in internal cooperation across the units. The discrepancy has arisen as a result of the end users not having been aware that documents stored in "shared documents" or "Public Teams" are shared with all employees in the business.
In total, there are nine documents without access control. All nine documents have been available to all employees. Students have also had the opportunity to access the folder containing information on 64 Ukrainian refugees.
2.3 Log control
The notice of deviation states that there was log control of access to the documents for six months back in time. For the deviation in question, UiA therefore cannot confirm or deny whether unauthorized persons have actually had access, made changes or downloaded documents for the largest part of the deviation period.
2.4 Internal routines for storage and shielding
UiA had no internal routines for or training in shielding documents in Microsoft Teams (SharePoint).
2.5 Implemented and planned measures
The discrepancy was first reported internally by an employee who discovered the discrepancy through searches in open groups in Microsoft Teams. UiA reviewed all shared folders and corrected the access management immediately.
All public teams in Microsoft Teams were made private, so that employees who want access must be approved by the team's owner. Information has been sent out to employees about safe storage in Microsoft Teams.
2.6 Information to the registered
UiA contacted the affected data subjects on 21 February 2024. In addition, UiA has published detailed information about the deviation on its website. There have also been several media stories dealing with the deviation.
3. Legal background
The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. Article 57 of the Regulation.
3.1 The basic principles for processing personal data
The basic principles for processing personal data can be seen from Article 5 of the Personal Data Protection Regulation. We refer in particular to Article 5 no. 1 letter f, where it appears:
"1. Personal data must (...) f) be processed in a way that ensures sufficient security for the personal data, including protection against unauthorized or illegal processing (...), using suitable technical or organizational measures ("integrity and confidentiality")".
It is the controller's responsibility that the principles are observed, and the controller must be able to demonstrate this, cf. Article 5 no. 2.
3.2 The requirements for personal data security and management systems
Article 32 of the Personal Data Protection Regulation regulates the requirements for security in the processing of personal data. Below follows an extract of relevant parts of Article 32:
"1. Taking into account the technical development, implementation costs and the nature, scope, purpose and context of the processing, as well as the risks of varying degrees of probability and severity for the rights and freedoms of natural persons, the data controller and the data processor must carry out suitable technical and organizational measures to achieve a level of security that is suitable with consideration of the risk, including, among other things, depending on what is suitable, (...)
b) ability to ensure continued confidentiality, integrity, availability and robustness in the processing systems and services, (...)
d) a process for regular testing, analysis and assessment of how effective the processing's technical and organizational security measures are.
2. When assessing the appropriate security level, special consideration must be given to the risks associated with the processing, particularly as a result of (...) unauthorized disclosure of or access to personal data that has been transferred, stored or otherwise processed".
The duty to carry out suitable technical and organizational measures likewise follows from Article 24 of the Personal Data Protection Regulation, which regulates the controller's responsibilities separately.
3.3 Information to affected persons
If it is likely that the breach of security will entail a high risk for the rights and freedoms of natural persons, the data controller must notify the affected persons about the breach without undue delay, cf. Article 34 No. 1 of the Personal Data Protection Regulation. The supervisory authority can order the controller to inform affected persons, cf. Article 34 no. 4. The more detailed requirements for the content of such notification appear in Article 34 No. 2 and 3.
3.4 In particular regarding the imposition of infringement fees
It follows from Article 58 no. 2 letter i of the Personal Data Protection Regulation and § 26 second paragraph of the Personal Data Act that the Norwegian Data Protection Authority can impose infringement fees on public authorities and bodies according to the rules in Article 83 of the Personal Data Protection Regulation in the event of a breach of provisions in the respective laws.
Article 83 of the Personal Data Protection Regulation sets out the conditions for imposing a fee. The provision contains, among other things, an overview of which elements must be taken into account, both when considering whether an infringement fee should be imposed and in the assessment of the fee. The relevant parts of Article 83 No. 1 and No. 2 are reproduced below:
"1. Each supervisory authority must ensure that the imposition of infringement fees in accordance with this article for violations of this regulation mentioned in nos. 4, 5 and 6 in each individual case is effective, is in a reasonable relationship to the infringement and works as a deterrent.
2. (...) When a decision is made on whether an infringement fee should be imposed as well as on the size of the infringement fee, due consideration shall be given in each individual case to the following:
a) the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of the processing concerned and the number of data subjects who are affected, and the extent of the damage they have suffered,
b) whether the infringement was committed intentionally or negligently,
c) any measures taken by the controller or data processor to limit the damage that the data subjects have suffered,
d) the controller's or data processor's degree of responsibility, taking into account the technical and organizational measures they have carried out in accordance with Articles 25 and 32,
e) any relevant previous infringements committed by the data controller or data processor,
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible negative effects of it,
g) the categories of personal data affected by the breach,
h) in which way the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or the data processor has notified of the infringement,
i) if measures mentioned in Article 58 no. 2 have previously been taken against the controller or data processor concerned with regard to the same subject matter, that said measures are complied with,
j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms pursuant to Article 42 and
k) any other aggravating or mitigating factor in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, as a consequence of the infringement".
Article 83 also sets out the framework for the order of magnitude of the infringement fee. We refer in this connection to Article 83 No. 4. The relevant parts of the provision read:
"4. In the event of violations of the following provisions, in accordance with No. 2, an infringement fee of up to 10,000,000 euros shall be imposed [...]:
a) the data controller's and the data processor's obligations in accordance with Articles 8, 11, 25-39 [...]".
Section 26 first paragraph of the Personal Data Act states that Article 83 no. 4 of the Personal Data Protection Regulation applies correspondingly to violations of Article 24 of the Regulation. This means that violations of Article 24 of the Personal Data Protection Regulation can, under Norwegian law, be sanctioned with an infringement fee of up to an amount equivalent to 10 million euros.
4. The Norwegian Data Protection Authority's assessment
In the explanation of our assessment, we will follow the same chronology as under point 2, description of the deviation, above.
4.1 Access control
The deviation represents a breach of the duty to preserve the confidentiality of personal data as a result of employees at UiA having had access to personal data without official need. There has also been a folder with personal information on 64 Ukrainian refugees that has been stored and available to all students. According to UiA's website, there are approximately 1,200 employees and 12,000 students affiliated with the university. The personal information has been easily accessible within Microsoft Teams, and employees have been able to access it through search in open Teams folders.
We assume that UiA has breached its duty to provide access management as part of its internal control and its duty to ensure adequate personal data security, cf. Article 32 and Article 24 of the Personal Data Protection Regulation.
4.2 Log control
UiA has not had a sufficient function for logging activity in Microsoft Teams. The log control that has been established has shown activity six months back, but there are no log records beyond this. The Norwegian Data Protection Authority considers that UiA has breached its obligation to have a logging function in large parts of the deviation period of six years. In this way, it has not been possible to uncover unauthorized access to the personal data, cf. Article 32 and Article 24 of the Personal Data Protection Regulation.
4.3 Internal routines for storage and shielding
The discrepancy illustrates that UiA has had insufficient internal routines and training for its employees in connection with the shielding of personal data in Microsoft Teams. We emphasize that it is the management's responsibility to take measures to achieve a level of safety which is suitable with regard to the risk, including internal routines for safe storage and adequate training of employees. UiA has not implemented suitable measures to safeguard the security of personal data in Microsoft Teams. This is a violation of Article 32 and Article 24 of the Personal Data Protection Regulation.
4.4 Implemented and planned measures
UiA took immediate measures after the discrepancy was discovered and quickly reported the discrepancy to the Norwegian Data Protection Authority. We take a positive view of the fact that all access to shared folders is now closed and that information about shielding of personal data when using Microsoft Teams has been communicated to all employees. The Norwegian Data Protection Authority otherwise has no comments on the measures implemented.
4.5 Information to the registered
UiA has informed the affected data subjects in accordance with Article 34 of the Personal Data Protection Regulation.
4.6 Summary
The management at UiA has a statutory duty to ensure that employees do not have access to personal data they do not have an official need for. In addition, systems must be established for logging and subsequent control which, among other things, make it possible to detect deviations. It is a management responsibility that technical and organizational solutions are in place so that the university is able to handle sensitive personal data in a sufficiently secure manner. The Norwegian Data Protection Authority considers that there have been fundamental deficiencies in the internal control and personal data security related to employees' use of Microsoft Teams.
4.7 Assessment of the claim of guilt for the imposition of an infringement fee
In order for the Norwegian Data Protection Authority to be able to impose an infringement fee on UiA, it is required that the person or persons who acted on behalf of the university have shown some form of guilt, cf. Article 83 of the Personal Data Protection Regulation, cf. case C-807/21 (Deutsche Wohnen). In this case, our assessment is that the form of fault in question is simple negligence. The provision on negligence is legally established in Section 22 of the Criminal Code, which states that:
"Anyone who acts contrary to the requirement for proper behavior in an area, and who based on his personal assumptions can be blamed, is negligent".
In accordance with the due diligence requirement, businesses must familiarize themselves with which legislation applies in the area and organize the business in accordance with the framework that follows from the current regulations.
In the non-compliance case in question, UiA has acknowledged a lack of access control in shared folders in Microsoft Teams. Adequate logging has also not been established for the majority of the deviation period of six years. We assume that the requirements for internal control and information security are a management responsibility, cf. Article 5 no. 2 of the Personal Data Protection Regulation. As a result of the aforementioned deficiencies, the Norwegian Data Protection Authority is of the opinion that the offense must be described as negligent. The culpability requirement for imposing an infringement fee has thus been fulfilled.
4.8 Assessment of whether an infringement fee should be imposed
The Norwegian Data Protection Authority has come to the conclusion that UiA has breached Article 32 and Article 24 of the Personal Data Protection Regulation. There is therefore an offense which can give grounds for the imposition of an infringement fee. Below we review the elements that we consider relevant for the assessment of whether an infringement fee shall be imposed, cf. Article 83 No. 4 of the Personal Data Protection Regulation.
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of registered users affected, and the extent of the damage they have suffered
The discrepancy represents a serious breach of personal data security in that personal information about employees and students has been available to employees without an official need for a period of six years. The discrepancy means that approximately 1,200 employees have had access to nine documents with personal data of varying degrees of sensitivity. In addition, there are approximately 12,000 students who have had access to a document with information on 64 Ukrainian refugees.
Overall, there is a large amount of personal data covered by the deviation, including: contact details, social security numbers for 16,000 employees and students, information on preparation of exams for 568 students, education information and residence status for 64 Ukrainian refugees, information on sick leave relating to one employee, special arrangements in study subjects for 40 students and number of exam attempts for 60 students.
Birth and social security numbers are not in themselves confidential information or information with demands for extra protection under Article 9 of the Personal Data Protection Regulation. Nevertheless, there are clear limits for when personal identification numbers can legally be used according to Section 12 of the Personal Data Act. [1]
[1] The provision assumes that national identification numbers can only be used when there is a factual need for secure identification of a person and when the national identification number is necessary to achieve such identification.
The breach of integrity has led to those registered losing control over their own personal data, including whether personal data has been passed on to unauthorized persons. The personal information has been easily accessible in Microsoft Teams, and employees have had easy access through searches in shared folders/groups. There has at all times only been log control six months back in time.
b) whether the infringement was committed intentionally or negligently
We refer to our assessment under point 4.7 and our conclusion that the offense must be considered as negligence by the management at UiA. The case shows that UiA has not had sufficient routines for and training in the use of Microsoft Teams, and UiA must take measures to protect itself against such violations of personal data security.
c) any measures taken by the controller or data processor to limit the damage that the data subjects have suffered
UiA quickly closed the discrepancy and reported the breach to the Norwegian Data Protection Authority. The affected data subjects received information about the discrepancy already a week after the discrepancy was discovered, either through direct contact or through information on the website and in the media. UiA has also implemented measures to improve personal data security. This speaks in a mitigating direction.
d) the controller's or data processor's degree of responsibility, taking into account the technical and organizational measures they have carried out in accordance with Articles 25 and 32
UiA has not complied with its obligations to establish suitable information security and internal control when using Microsoft Teams. The Norwegian Data Protection Authority believes that the deviation represents fundamental deficiencies in access control and internal routines/training related to UiA's use of Microsoft Teams. The function for log control has also not been sufficient, as this has only had documentation six months back in time.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible negative effects of it
The Norwegian Data Protection Authority quickly received notification of a breach of personal data security and has been continuously informed about the non-conformance case with supplementary information.
g) the categories of personal data affected by the breach
The fact that the deviation covers special categories of personal data makes the situation more serious. We have been informed that the discrepancy includes a document with information about an employee on sick leave. In another document, there was information about exams arranged for 568 students, including information on special adaptation with free text. This information will often disclose health information. In another document, there was an overview of the special arrangements in study subjects for 40 students, which also qualify as health information.
In addition, the discrepancy includes approximately 16,000 birth and social security numbers, which do not fall under the protection of Article 9 of the Personal Data Protection Regulation, but which are particularly protected in the Act and involve a certain risk of abuse.
It is also unfortunate that information on residence status, previous education and current educational courses for 64 Ukrainian refugees has been available in an open folder for both staff and students. Altogether, this amounts to 13,200 people who in theory could have had access to the information.
All in all, the deviation concerns a large amount of personal data, some of which is of a very sensitive character.
h) in what way the supervisory authority became aware of the infringement, in particular if and possibly to what extent the controller or data processor has notified about the violation
UiA itself reported the discrepancy to the Norwegian Data Protection Authority, in line with the duty in Article 33 of the Personal Data Protection Regulation.
The Norwegian Data Protection Authority's summary and assessment
UiA is required to ensure that employees do not have access to personal data they do not have an official need for. This means having good routines and training employees in shielding personal data in the systems the university uses. In addition, there is an obligation to establish systems for logging and subsequent control that make it possible to detect deviations. The Norwegian Data Protection Authority is positive that measures were taken to stop the existing practice immediately after the discrepancy was discovered.
The discrepancy represents a breach of the confidentiality of the personal data of several of the students at UiA. The information has been stored relatively easily accessible and consists of a large amount of personal data of a sensitive nature. A spread of social security numbers also implies a certain risk of abuse. The personal information that has lacked access control is information that one would preferably want to keep to oneself, such as the number of attempts a student has made at an exam.
Based on an overall assessment, we believe that the deviation is of such a serious nature that it is necessary to impose an infringement fee on UiA.
4.9 Amount of the fee
In assessing the amount of the fee, we have taken into account that UiA quickly shielded the personal data that was available and informed the data subjects. UiA quickly reported the deviation and has cooperated with the Norwegian Data Protection Authority during the course of the case.
In this non-compliance case, a large amount of personal data has been available to 1,200 employees without an official need for a period of six years. It concerns personal data linked to approximately 14,000 people. The deviation has revealed a lack of training and unclear routines for shielding of personal data in Microsoft Teams. Large quantities of birth and personal identification numbers are covered by the deviation. An estimate shows that we are talking about approximately 16,000 such numbers.
The Norwegian Data Protection Authority has concluded that an infringement fee of NOK 150,000 is reasonable in this case.
5. Access to appeal
The decision on infringement fees can be appealed within three weeks after you have received this letter, cf. sections 28 and 29 of the Administration Act. A possible complaint is sent to the Norwegian Data Protection Authority. If we uphold our decision, we will send the case to the Personal Data Protection Board for complaint processing, cf. Personal Data Act § 22.
If you have any questions, you can contact us by e-mail at postkasse@datatilsynet.no.
With kind regards
Camilla Nervik, section manager
Kristin Skolt, legal advisor
The document is electronically approved and therefore has no handwritten signatures.
Copy to: UNIVERSITY OF AGDER, Johanne Lavold; UNIVERSITY OF AGDER, Trond Hauso