Datatilsynet (Norway) - 18/02579

From GDPRhub
Datatilsynet - 18/34319-1
DatatilsynetlogoNorwaypng.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR

Article 5(2) GDPR

Article 32(1)(b) GDPR

Article 32(1)(d) GDPR

Type: n/a
Outcome: Violation found
Decided: 11.10.2019
Published: 1.12.2019
Fine: 120.000 EUR
Parties: Education Agency for Oslo municipality
National Case Number: 18/34319-1
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Norwegian
Original Source: Datatilsynet (in NO) and press release source (in NO)

A fine of 1,200,000 NOK (approximately EUR 120,000) was imposed against the Education Agency of the Municipality of Oslo due to breach of personal data security in the mobile application “Skolemelding”. The fine was issued due to the application's lack of security and subsequent violations of Article 32(1)(b) GDPR and Article 32(1)(d) GDPR and of the principle of accountability as foreseen in Article 5(2) GDPR read in conjunction with Article 5(1)(f) GDPR.

English Summary

Facts

The case concerned vulnerabilities in the mobile app “Skolemelding”. In the application, pupils and guardians can communicate with teachers and administration at the school. There was a security issue with the application, where unauthorized users could access the application as authorized users and thus gaining access to the personal data of students. More than 63 000 pupils were included in the data breach. In the application it was also possible to register special categories of data concerning the pupil in a “free-text” format, for example when sending the school information about why the pupil was too sick to attend school.

Dispute

On which legal basis the Datatilsynet can impose a fine for a lack of security?

Holding

The fine was issued on the basis of a lack of security surrounding the log-in function, a breach of Article 32(1)(b). In addition, the application was launched without proper security testing, and included security flaws well known to the security community, a breach of Article 32(1)(d). Finally, launching the application with an unacceptable vulnerability, which the municipality did not conduct proper steps to close, and a lack of control with the supplier (CGI) regarding the results of the security testing, was a breach of the principle of accountability following Article 5(2) in conjunction with Article 5(1)(f).

The issued fine was 1 200 000 NOK (approximately 120 000 euro), which was lower than the initially suggested fine of 2 000 000 NOK (approximately 200 000 euro). The fine was lowered in part due to the quick action by the municipality to address the flaws and secure the personal data, and in part due to cooperation with the Data Protection Authority, showing a will to fix the security flaws.

The municipality did not contest the evaluation by the Data Protection Authority regarding the scope of the security breach.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Norwegian original for more details.

The content of the pdf decision cannot be copied/paste. You can find the translation of the press relaese provided by the datatilsynet authority here. 
 
Fee to Oslo Municipality Education Agency

In April 2019, the Data Inspectorate sent a notification to the Oslo Municipality Education Agency about a violation fee for breach of personal data security in the mobile application School Notification. In October, a final fee of NOK 1.2 million was adopted.

The fee is given because the municipality had not taken appropriate measures to achieve a level of security appropriate to the risk. The assessment emphasized, among other things:

    One of the uses of the app is for parents to send messages about their children or announce absence when using free text fields. It facilitates the communication of sensitive personal information, such as health information, about the children. There are no technical measures to prevent this from happening, nor does the app inform you not to communicate such information. Had built-in privacy been taken into consideration, it would not have been a free-text field, but for example a drop-down list or check boxes.
    Lack of security around logging in to the app has allowed unauthorized persons access to view and change personal information of more than 63,000 children in primary school in Oslo.
    Inadequate security testing prior to the launch of the app led to it being launched with vulnerabilities well known in security environments worldwide.

The municipality has not been conscious of its responsibility and has launched a school messaging app with an unacceptable vulnerability without taking appropriate measures to close the vulnerabilities. They have also had insufficient control with the supplier when it comes to safety test results.

Read the entire case published in connection with the notice
Lower fee than notified

However, the Data Inspectorate has found that the notified fee of 2 million has to be slightly lowered. In our assessment, we have emphasized that the City of Oslo has taken measures to limit the damage as soon as the municipality became aware of the breach. The municipality has shown a willingness to organize the event.