Datainspektionen - DI-2019-7024

From GDPRhub
Revision as of 20:52, 30 November 2020 by Elisavet Dravalou (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSK.png |DPA_Abbrevation=Datainspektionen |DPA_With_Country=Datainspektionen (Sweden) |Case_Number_Name=DI-2...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datainspektionen - DI-2019-7024
LogoSK.png
Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 35 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 24.11.2020
Published: 24.11.2020
Fine: 4000000 SEK
Parties: n/a
National Case Number/Name: DI-2019-7024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: Datainspektionen (in SV)
Initial Contributor: Elisavet Dravalou

The Swedish DPA (Datainspektionen) has issued a fine of 4 millions SEK at the Educational Board of Stockholm after receiving many complaints that the newly developed IT system "Skolplattformen", used for education administration, has suffered data breaches.

English Summary

Facts

"Skolplattformen" was developed by the Educational Board of Stockholm to help administrate the students and was used for the last years. In the platform there were being processed personal data of 500000 students, education personnel and students' guardians. In the platform, a lot of special categories of personal data were being processed as well as personal data protected by the Swedish Secrecy Law. Four sub-systems were found to have "weak" protection e.g. guardians could access other students' personal data, even those of students with hidden identity.

Dispute

Holding

After receiving many complaints, the Datainspektionen found that the Education Board did not apply adequate technical measures to ensure the security of personal data, which has cause to data breaches and that although the Education Board had carried out DPIAs, these DPIAs did not meet the standards of Article 35 GDPR.

Comment

Building the IT platform "Skolplattformen" was a big project and the total cost of its development costed 675 millions SEK (around €66 millions) while the operating costs were high as well. The reveal of these data breaches created a lot of frustration among Swedes, some of which see it as a bad investment of public money.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Serious shortcomings in the School Platform in Stockholm - Datainspektionen </title><link rel="icon" type="image/png" href="/Client/dist/images/favicon-32x32.png"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" /><link rel="stylesheet" type="text/css" href="/Client/app/scripts/external/jquery-ui-1.12.1/jquery-ui.min.css"><link rel="stylesheet" type="text/css" href="/ui-cms/css/editmode.css"><link rel="stylesheet" type="text/css" href="/Client/dist/styles/vendor.bundle.min.css"><link rel="stylesheet" type="text/css" href="/Client/dist/styles/global.min.css"><script src="/Client/app/scripts/external/10101_webReader/webReader.js?pids=wr" type="text/javascript"></script><link href="/nyheter/allvarliga-brister-i-skolplattformen-i-stockholm/" rel="canonical" /><meta name="google-site-verification" content="_Lt2mFNRblu6L6_wWFv18SpImT5VvDKKg59lOUKgoos" /><meta name="referrer" content="same-origin"><meta property="og:title" content="The Data Inspectorate" /><meta property="og:image" content="https://www.datainspektionen.se/globalassets/bilder/logotyper/og.png" /><!-- Custom.css --><style type="text/css">
#spalter .venster{width:45%;float:left;margin-right:10px}#spalter .hoger{width:45%;float:left;margin-left:10px}#spalter:after{content:".";display:block;height:0;clear:both;visibility:hidden}.link-arrow:before{margin-right:10px}.area-text a.link-arrow:before{margin-right:10px}.item-link{margin-top:0}.search-result .result-list>.list-item .item-link .link-external{margin-top:10px;margin-bottom:0;font-size:1.125rem}figcaption{margin-top:20px;font-size:18px;line-height:25px}table{font-size:16px;line-height:22px;background-color:#e4ebee;border:2px solid #999;margin-bottom:20px;font-family:FrutigerLTStd-LightCn,Corbel,sans-serif;width:100%}td{padding:12px}.breadcrumb{margin-bottom:30px}.breadcrumb__mini{margin-bottom:0}.teaser-link-text:last-of-type{margin-bottom:30px}.footer-link{font-family:FrutigerLTStd-LightCn,sans-serif;font-size:18px;line-height:25px}.footer .footer-content ul li.content-phone a{color:#43433c}.info-block{font-family:Constantia}.info-block p{margin-bottom:20px}.info-block a.link-arrow:before{background:url(/client/dist/images/arrow.svg) no-repeat}.info-block-red{border-radius:10px;background-color:#e5dfcf;margin-top:30px;margin-bottom:20px;padding:20px}.form a.link-arrow:before{content:"";display:inline-block;background:url(/client/dist/images/arrow.svg) no-repeat;top:5px;width:22px;height:15px;min-width:22px;min-height:15px;margin-top:3px;margin-right:20px}.form p a{font-family:FrutigerLTStd-LightCn}a[href^="mailto:"]{font-family:Constantia}.area-text a.link-arrow{margin-top:0}.right-image{float:right;width:auto!important;margin:5px 0 5px 20px}.vanster-bild{float:left;width:auto!important;margin:0 20px 5px 5px}ol ul,ul ul{list-style-type:disc}h2{margin-bottom:8px}h3{margin-bottom:6px}h4{margin-bottom:4px}.news-list h3{text-align:center}.area-text h2{padding-top:15px}.area-text h3{padding-top:15px}.area-text h4{padding-top:10px}@media (max-width:1200px) and (min-width:769px){.area-text img{width:100%;height:auto}}@media (min-width:992px){h2{font-size:32px;line-height:1.3}h3{font-size:1.65rem;line-height:32px}h4{font-size:20px;line-height:24px}.news-list{margin-bottom:30px}.news-list h3{font-size:1.65rem}}
</style></head><body class="bg-login"><header class="header"><a class="mobile-logo" href="/"><img class="logo-horizontal" alt="logo" src="/client/dist/images/di-logo-liggande.svg" /><img class="logo-vertical" alt="logo" src="/client/dist/images/di-logo-staende.svg" /></a> <div class="global-nav-container d-lg-none"><div role="button" class="global-nav-toggle toggle-fallout" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation"><div class="menu-icon menu-closed"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></div></div></div> menu <div class="mobile-nav"><form action="/sok/" class="nav-search" method="get"><input type="text" name="q" class="SearchKeywords" placeholder="Sök frågor och svar, vägledning och regler..."><svg class="search-icon"><use xlink:href="#icon-search" /></svg></form><nav class="nav-main"><ul class="lvl-1"><li class="link-item"><div class="lvl-1-link"> <a href="/aktuellt/" class="">Currently</a> <svg class="icon-plus-white"><use xlink:href="#icon-plus-white" /></svg></div><ul class="lvl-2"><li class="link-item"><div class="lvl-2-link"> <a href="/aktuellt/tillsyn/" class="">Supervision</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/aktuellt/corona/" class="">Corona</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/aktuellt/remissvar/" class="">Referral response</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/aktuellt/personuppgiftsincidenter/" class="">Personal data incidents</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/aktuellt/publikationer/" class="">Publications</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/aktuellt/internationellt-arbete/" class="">International work</a></div><ul class="lvl-3"></ul></li></ul></li><li class="link-item"><div class="lvl-1-link"> <a href="/fragor-och-svar/" class="">Questions and answers</a> <svg class="icon-plus-white"><use xlink:href="#icon-plus-white" /></svg></div><ul class="lvl-2"><li class="link-item"><div class="lvl-2-link"> <a href="/fragor-och-svar/gdpr/" class="">Data Protection Regulation</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/fragor-och-svar/kreditupplysning/" class="">Credit information</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/fragor-och-svar/inkasso/" class="">Collection</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/fragor-och-svar/kamera/" class="">Camera surveillance</a></div><ul class="lvl-3"></ul></li></ul></li><li class="link-item"><div class="lvl-1-link"> <a href="/vagledningar/" class="">Guides</a> <svg class="icon-plus-white"><use xlink:href="#icon-plus-white" /></svg></div><ul class="lvl-2"><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/en-introduktion-till-dataskyddsforordningen/" class="">An introduction to the Data Protection Ordinance</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/en-introduktion-till-dataskyddsforordningen/vad-ar-en-personuppgift/" class="">What is a personal information</a></div></li><li><div class="lvl-3-link"><a href="/vagledningar/en-introduktion-till-dataskyddsforordningen/kanslig-personuppgift/" class="">Sensitive personal information</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/en-introduktion-till-dataskyddsforordningen/sa-har-hanger-lagarna-ihop/" class="">This is how the laws are connected</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/en-introduktion-till-dataskyddsforordningen/ordforklaringar/" class="">Glossaries</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/vara-vanligaste-fragor/" class="">common questions and answers</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/for-dig-som-privatperson/" class="">For you as a private person</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/vad-dataskyddsforordningen-innebar-for-dig-som-privatperson/" class="">The Data Protection Ordinance for you as an individual</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/for-medborgare---dina-rattigheter2/" class="">Your rights</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/utgivningsbevis/" class="">Sites with publishing certificates</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/fa-bort-sokresultat/" class="">The right to have search results removed</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/registerutdrag-och-rattelser/" class="">Registry extracts and corrections</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/personnummer/" class="">Social security number</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/klagomal-och-tips/" class="">Complaints and tips</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/privatpersoners-kamerabevakning/" class="">Private camera surveillance</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/sa-har-begar-du-en-laglighetskontroll/" class="">How to request a legality check</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/for-dig-som-kund/" class="">For you as a customer</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-privatperson/informationssakerhet-for-dig-som-privatperson/" class="">Information security for you as a private person</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/kamerabevakning/" class="">Camera surveillance</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/privatpersoner/" class="">Private individuals</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/offentlig-verksamhet/" class="">Government controlled businesses</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/foretag/" class="">Business</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/batklubbar-och-hamnar/" class="">Boat clubs and ports</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/bostadsrattsforeningar-och-hyresvardar/" class="">Tenancy associations and landlords</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/kollektivtrafiken/" class="">Public transport</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/informera/" class="">Inform</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/anmal-olaglig-kamerabevakning/" class="">Report illegal camera surveillance</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/registrerades-rattigheter/" class="">Registered rights during camera surveillance</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/ansiktsigenkanning-och-dataskydd/" class="">Face recognition and data protection</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/fragor-och-svar/" class="">Questions and answers</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kamerabevakning/lagringstid-och-behorighet/" class="">Storage time and authorization</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/oschysst-behandlad-pa-natet/" class="">Cyberbullying</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/for-dig-som-har-foretag/" class="">For you who have a business</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/for-dig-som-har-foretag/barn-och-ungas-rattigheter/" class="">Children and young people's rights on digital platforms</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/for-foreningar-och-sma-organisationer/" class="">Associations and member organizations</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/for-foreningar-och-sma-organisationer/det-har-behover-ni-gora/" class="">This is what you need to do</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-foreningar-och-sma-organisationer/det-har-behover-ni-veta/" class="">You need to know this</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/for-foreningar-och-sma-organisationer/fragor-och-svar/" class="">Questions and answers</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/inkasso/" class="">Collection</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/inkasso/fragor-och-svar/" class="">Questions and answers</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/inkasso/fran-faktura-till-anmarkning/" class="">From invoice to note</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/inkasso/Det-har-gor-vi-inte/" class="">We do not do this</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/inkasso/klagomal-om-inkasso/" class="">Complaints about debt collection</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/inkasso/inkassotillstand/" class="">Debt collection permit</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/inkasso/for-dig-som-bedriver-inkassoverksamhet/" class="">For you who conduct debt collection activities</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/kreditupplysningar/" class="">Credit information</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/kreditupplysningar/fragor-och-svar/" class="">Questions and answers</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kreditupplysningar/betalningsanmarkningar/" class="">Payment remarks</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/kreditupplysningar/kreditupplysningslagen/" class="">The Credit Information Act</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/skolor-och-forskolor/" class="">Schools and preschools</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/skolor-och-forskolor/livesanda-luciatag/" class="">Live Lucia trains during the corona pandemic</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/skolor-och-forskolor/livesanda-skolavslutningar/" class="">Live school graduations during the corona pandemic</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/skolor-och-forskolor/digital-undervisning/" class="">Digital teaching</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/skolor-och-forskolor/for-personuppgiftsansvariga-inom-skola-och-forskola/" class="">For data controllers within school and preschool</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/skolor-och-forskolor/lucia-fotografering/" class="">Lucia photography</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/personuppgiftsbitraden/" class="">Personal data assistants</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/for-myndigheter/" class="">For authorities</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/informationssakerhet/" class="">Information security</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/informationssakerhet/informationssakerhet-for-dig-som-privatperson/" class="">Information security for you as a private person</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/informationssakerhet/informationssakerhet/" class="">Information security and data protection regulation</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/vagledningar/arbetsliv/" class="">Working life</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/vagledningar/arbetsliv/nar-galler-dataskyddsforordningen/" class="">What about the Data Protection Regulation?</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/arbetsliv/arbetsgivarens-personuppgiftsansvar/" class="">The employer's personal data responsibility</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/arbetsliv/tillaten-behandling-vilka-krav-galler/" class="">Permitted treatment - what requirements apply?</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/arbetsliv/rekryteringssystem-och-kompetensdatabaser/" class="">Recruitment systems and competence databases</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/arbetsliv/kontroll-och-overvakning/" class="">Control and monitoring of employees</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/arbetsliv/biometri/" class="">Biometrics</a></div></li><li><div class="lvl-3-link"> <a href="/vagledningar/arbetsliv/tillsyn-sanktionsavgifter-och-skadestand/" class="">Supervision, penalty fees and damages</a></div></li></ul></li></ul></li><li class="link-item"><div class="lvl-1-link"> <a href="/lagar--regler/" class="">Laws and regulations</a> <svg class="icon-plus-white"><use xlink:href="#icon-plus-white" /></svg></div><ul class="lvl-2"><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/dataskyddsforordningen/" class="">Data Protection Regulation</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/dataskyddsombud/" class="">Data Protection Officer</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/dataskyddsforordningens-syfte-och-tillampningsomrade/" class="">Purpose and scope of the Data Protection Regulation</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/grundlaggande-principer/" class="">Fundamental principals</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/rattslig-grund/" class="">Legal basis</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/kansliga-personuppgifter/" class="">Sensitive personal data</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/de-registrerades-rattigheter/" class="">Rights of data subjects</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/personuppgiftsansvariga-och-personuppgiftsbitraden/" class="">Personal data controllers and personal data assistants</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/fora-register-over-behandling/" class="">Keep records of treatment</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/personuppgiftsincident/" class="">Personal data incidents</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/konsekvensbedomningar-och-forhandssamrad/" class="">Impact assessments and prior consultation</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/uppforandekoder-och-certifieringar/" class="">Code of conduct and certifications</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/informationssakerhet/" class="">Information security</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/inbyggt-dataskydd-och-dataskydd-som-standard/" class="">Built-in data protection and data protection as standard</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/tredjelandsoverforing/" class="">Third country transfer</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/sanktionsavgifter-och-varningar/" class="">Penalty fees and warnings</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/gransoverskridande-personuppgiftsbehandling/" class="">Cross-border processing of personal data</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/dataskyddsforordningen/personuppgifter-om-lagovertradelser/" class="">Personal data relating to violations of the law</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/kamerabevakningslagen/" class="">The Camera Surveillance Act</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/inkassolagen/" class="">Debt collection law</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/lagar--regler/inkassolagen/innehavare-av-datainspektionens-inkassotillstand/" class="">Holders of debt collection permits</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/inkassolagen/ansok-om-inkassotillstand/" class="">Apply for a debt collection permit</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/inkassolagen/for-dig-som-fatt-ett-inkassokrav/" class="">For you who have received a debt collection claim</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/inkassolagen/dataskydd-i-inkassoverksamhet/" class="">Data protection in debt collection operations</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/inkassolagen/digitala-inkassokrav/" class="">Digital debt collection requirements</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/kreditupplysningslagen/" class="">The Credit Information Act</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/lagar--regler/kreditupplysningslagen/ansok-om-tillstand/" class="">Apply for a permit</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/patientdatalagen/" class="">Patient data layers</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/lagar--regler/patientdatalagen/systematisk-logguppfoljning/" class="">Systematic log follow-up</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/patientdatalagen/hur-forhindrar-man-obefogad-spridning-av-patientuppgifter/" class="">How to prevent unauthorized dissemination of patient data?</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/brottsdatalagen/" class="">Criminal Data Act (BdL)</a> <svg class="icon-circle"><use xlink:href="#icon-circle" /></svg></div><ul class="lvl-3"><li><div class="lvl-3-link"> <a href="/lagar--regler/brottsdatalagen/syfte-och-tillampningsomrade/" class="">Purpose and scope</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/brottsdatalagen/granskning-och-kontroll/" class="">Review and control</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/brottsdatalagen/laglighetskontroller/" class="">Legality checks</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/brottsdatalagen/anmala-personuppgiftsincidenter/" class="">Report personal data incident according to the Criminal Data Act</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/brottsdatalagen/forhandssamrad-enligt-brottsdatalagen/" class="">Prior consultation according to the Criminal Data Act</a></div></li><li><div class="lvl-3-link"> <a href="/lagar--regler/brottsdatalagen/forebyggande-och-korrigerande-befogenheter/" class="">Preventive and corrective powers</a></div></li></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/datainspektionens-foreskrifter-och-allmanna-rad/" class="">Regulations and general advice</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/dataskyddslagen/" class="">The Data Protection Act</a></div><ul class="lvl-3"></ul></li><li class="link-item"><div class="lvl-2-link"> <a href="/lagar--regler/pnr-lagen/" class="">PNR law</a></div><ul class="lvl-3"></ul></li></ul></li><li class="link-item"><div class="lvl-1-link"> <a href="/utbildningar/" class="">Trainings and conferences</a></div></li></ul></nav><div class="nav-aside"> <a href="/om-oss/">About us</a> <a href="/kontakta-oss/">Contact us</a> <a href="/press/">Press</a> <a href="/a-till-o/">A-Ö</a> <a href="/other-lang/">På svenska</a> </div></div></header><svg style="display:none"><symbol id="icon-arrow" viewBox="0 0 22 15"><path d="M13.8392147,0.00589452011 C13.3488775,0.0526378592 12.9299969,0.382299983 12.7698367,0.847272105 C12.607212,1.31470361 12.7328765,1.83133909 13.0901571,2.17084188 L17.1705497,6.24487919 L1.32206805,6.24487919 C1.28264397,6.24241918 1.24321988,6.24241918 1.2037958,6.24487919 C0.50648216,6.27686121 -0.0306706659,6.8673014 0.00136124446,7.56352894 C0.0333931548,8.25975649 0.624754412,8.79607268 1.32206805,8.76409066 L17.1705497,8.76409066 L13.070445,12.838128 C12.5751801,13.3326215 12.5751801,14.1346364 13.070445,14.6291299 C13.5657099,15.1236234 14.3689759,15.1236234 14.8642408,14.6291299 L21.0932461,8.39014521 L22,7.50448492 L21.0932461,6.61882464 L14.8642408,0.379839973 C14.5981283,0.106761228 14.2211356,-0.0310081492 13.8392147,0.00589452011 Z"></path></symbol></svg><div class="icons"><svg style="display:none"><symbol id="icon-arrow" viewBox="0 0 22 15"><path d="M13.8392147,0.00589452011 C13.3488775,0.0526378592 12.9299969,0.382299983 12.7698367,0.847272105 C12.607212,1.31470361 12.7328765,1.83133909 13.0901571,2.17084188 L17.1705497,6.24487919 L1.32206805,6.24487919 C1.28264397,6.24241918 1.24321988,6.24241918 1.2037958,6.24487919 C0.50648216,6.27686121 -0.0306706659,6.8673014 0.00136124446,7.56352894 C0.0333931548,8.25975649 0.624754412,8.79607268 1.32206805,8.76409066 L17.1705497,8.76409066 L13.070445,12.838128 C12.5751801,13.3326215 12.5751801,14.1346364 13.070445,14.6291299 C13.5657099,15.1236234 14.3689759,15.1236234 14.8642408,14.6291299 L21.0932461,8.39014521 L22,7.50448492 L21.0932461,6.61882464 L14.8642408,0.379839973 C14.5981283,0.106761228 14.2211356,-0.0310081492 13.8392147,0.00589452011 Z"></path></symbol></svg><svg style="display:none"><symbol id="icon-plus" viewBox="0 0 34 34"><path d="M17,0 C7.6256087,0 0,7.6256087 0,17 C0,26.3743913 7.6256087,34 17,34 C26.3743913,34 34,26.3743913 34,17 C34,7.6256087 26.3743913,0 17,0 Z M25.8695652,17.7391304 L17.7391304,17.7391304 L17.7391304,25.8695652 L16.2608696,25.8695652 L16.2608696,17.7391304 L8.13043478,17.7391304 L8.13043478,16.2608696 L16.2608696,16.2608696 L16.2608696,8.13043478 L17.7391304,8.13043478 L17.7391304,16.2608696 L25.8695652,16.2608696 L25.8695652,17.7391304 Z" id="Shape"></path></symbol></svg><svg style="display:none"><symbol id="icon-check" viewBox="0 0 21 16"><polygon points="18.5405093 0 7.4613233 11.079186 2.4685571 6.08641975 0.28125 8.27372685 6.36766975 14.3601466 7.4613233 15.40625 8.55497685 14.3601466 20.7278164 2.1873071"></polygon></symbol></svg><svg style="display:none"><symbol id="icon-search" viewBox="0 0 32 33"><path d="M12.7624633,0 C5.70674524,0 0,5.75017946 0,12.8595989 C0,19.969019 5.70674524,25.7191977 12.7624633,25.7191977 C15.2815251,25.7191977 17.6129036,24.9745702 19.5894428,23.7098854 L28.8093842,33 L32,29.7851003 L22.8973607,20.6368195 C24.5337247,18.4738539 25.5249267,15.7937856 25.5249267,12.8595989 C25.5249267,5.75017946 19.8181822,0 12.7624633,0 Z M12.7624633,3.02578797 C18.1671556,3.02578797 22.5219941,7.4137713 22.5219941,12.8595989 C22.5219941,18.3054264 18.1671556,22.6934097 12.7624633,22.6934097 C7.35777107,22.6934097 3.00293255,18.3054264 3.00293255,12.8595989 C3.00293255,7.4137713 7.35777107,3.02578797 12.7624633,3.02578797 Z" id="Shape" transform="translate(16.000000, 16.500000) scale(-1, 1) translate(-16.000000, -16.500000) "></path></symbol></svg><svg style="display:none"><symbol id="icon-doc" viewBox="0 0 34 34"><path d="M9.09939256,0 L0,0 L0,18 L14,18 L14,4.93104639 L9.09939256,0 Z M8.94444444,5.08695652 L8.94444444,0.938519217 L13.0672745,5.08695652 L8.94444444,5.08695652 Z"></path></symbol></svg><svg style="display:none"><symbol id="icon-angle" viewBox="0 0 10 16"><path d="M1.83921466,0.00589452011 C1.34887746,0.0526378592 0.92999688,0.382299983 0.769836698,0.847272105 C0.607212037,1.31470361 0.732876462,1.83133909 1.09015706,2.17084188 L6.5,7.5 L1.07044502,12.838128 C0.575180126,13.3326215 0.575180126,14.1346364 1.07044502,14.6291299 C1.56570992,15.1236234 2.36897594,15.1236234 2.86424083,14.6291299 L9.09324607,8.39014521 L10,7.50448492 L9.09324607,6.61882464 L2.86424083,0.379839973 C2.59812827,0.106761228 2.22113562,-0.0310081492 1.83921466,0.00589452011 Z" id="Shape"></path></symbol></svg><svg style="display:none"><symbol id="icon-circle" viewBox="0 0 34 34"><path d="M17,0 C7.6256087,0 0,7.6256087 0,17 C0,26.3743913 7.6256087,34 17,34 C26.3743913,34 34,26.3743913 34,17 C34,7.6256087 26.3743913,0 17,0 Z M25.8695652,17.7391304 L17.7391304,17.7391304 L17.7391304,25.8695652 L16.2608696,25.8695652 L16.2608696,17.7391304 L8.13043478,17.7391304 L8.13043478,16.2608696 L16.2608696,16.2608696 L16.2608696,8.13043478 L17.7391304,8.13043478 L17.7391304,16.2608696 L25.8695652,16.2608696 L25.8695652,17.7391304 Z" id="Shape"></path></symbol></svg><svg style="display:none"><symbol id="icon-plus-white" viewBox="0 0 13 13"><path d="M3.55178455,2.5245531 L2.55106461,3.52527304 L11.5503447,12.5245531 L12.5510646,11.5238332 L3.55178455,2.5245531 Z M2.55106461,11.6369612 L3.55178455,12.6376811 L12.5510646,3.63840107 L11.5503447,2.63768114 L2.55106461,11.6369612 Z" id="Shape"></path></symbol></svg></div><main><div class="container"><div class="row justify-content-md-center"><div class="col-md-12"><nav class="breadcrumb"><ol class="breadcrumb-list"><li class="list-item"> <a href="/" class="item-link">Start</a></li><li class="list-item"> <a href="/nyheter/" class="item-link">News</a></li><li class="list-item"> <a href="/nyheter/allvarliga-brister-i-skolplattformen-i-stockholm/" class="item-link active">Serious shortcomings in the School Platform in Stockholm</a> </li></ol></nav></div><div class="col-md-8"><article class="content" id="readspeaker-content"><header class="content-header"><time class="item-created"> Published 2020-11-24</time><h1 class="header-text"> Serious shortcomings in the School Platform in Stockholm</h1><p class="header-ingress"> The Data Inspectorate has examined the School Platform, the IT system used for, among other things, student administration of schools in the city of Stockholm. The review shows shortcomings in security that are so serious that the authority issues an administrative sanction fee of SEK 4 million against the Board of Education in the city of Stockholm.</p></header><div class="readspeaker rs_skip rs_preserve"> <a class="readspeaker-activate"><img class="activate-icon" src="/Client/app/images/Ear.svg" /><span class="activate-text">Listen</span></a> <a class="readspeaker-hide"><span class="hide-icon">×</span> <span class="hide-text">Hide player</span></a><div class="readspeaker-app rsbtn" id="readspeaker_button1"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to the text of the page with ReadSpeaker webReader" href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=10101&lang=sv_se&readid=readspeaker-content&url=http%3a%2f%2fwww.datainspektionen.se%2fnyheter%2fallvarliga-brister-i-skolplattformen-i-stockholm%2f"><span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span><span class="rsbtn_right rsimg rsplay rspart"></span></a> </div></div><div class="content-area"><figure class="area-figure"></figure><div class="area-text"><p> The Data Inspectorate has received a number of reports of personal data incidents from the Board of Education in the city of Stockholm. The incidents concern the School Platform, which is the IT system used for, among other things, student administration in Stockholm. The school platform contains information on upwards of 500,000 students, guardians and teachers. The system contains sensitive and privacy-sensitive information as well as information about students and teachers with confidential information or protected identity.</p><p> The authority has examined four subsystems in the School Platform and has found serious deficiencies. In one of the subsystems, shortcomings in the possibility of restricting users' access to the data have meant that large parts of the staff have had the opportunity to access data on students with protected identities. In another subsystem, guardians have been able to access other children's information on, for example, grades and development interviews in a relatively simple way. Through searches on Google, it has been possible to find links to log in to an administration interface and there come across information about teachers with protected identities.</p><p> - In an IT system like this, large amounts of personal data are handled. Then it is extremely important that the person responsible for personal data has taken sufficient security measures to protect the data and continuously ensures protection, says Ranja Bunni who is a lawyer at the Data Inspectorate and who participated in the review.</p><p> In its decision, the Data Inspectorate states that the Board of Education has not ensured an appropriate security for personal data. The Board has also not taken sufficient appropriate technical and organizational measures to ensure a level of safety that is appropriate in relation to the risk, which includes a procedure for regularly testing, examining and evaluating the effectiveness of the technical safety measures.</p><p> The Data Inspectorate issues a penalty fee of SEK 4 million for the violations that have been established. In Sweden, the maximum limit for sanction fees against authorities is SEK 10 million.</p><p> - According to the Data Protection Regulation, GDPR, penalty fees must be effective, proportionate and dissuasive. In this case, the violations have affected hundreds of thousands of registrants, including children and students, and included shortcomings in the handling of sensitive and privacy-sensitive personal data such as data on persons with protected identities and health data, says Salli Fanaei who also participated in the Data Inspectorate's audit.</p><p> <a href="/globalassets/dokument/beslut/beslut-tillsyn-stockholms-stad.pdf">Read the Data Inspectorate's decision in pdf format</a></p><p class="link-arrow"> <a href="/lagar--regler/dataskyddsforordningen/sanktionsavgifter-och-varningar/">Read more about penalty fees</a></p><p class="link-arrow"> <a href="/lagar--regler/dataskyddsforordningen/personuppgiftsincident/">Read more about personal data incidents</a></p><p> <strong>For more information contact</strong></p><p> Lawyer Ranja Bunni, phone 08-657 61 46</p><p> Lawyer Salli Fanaei, phone 08-657 61 45</p><p> IT security specialist Adolf Slama, telephone 08-657 61 12</p><p> The press service, 08-515 15 415 </p></div></div></article></div></div></div></main><section class="pre-footer"><div class="container"><div class="row justify-content-md-center"><div class="col-md-4"><div class="news-list"><h3> Service</h3><h4> For private individuals</h4><ul><li> <a href="/vagledningar/for-dig-som-privatperson/klagomal-och-tips/">Send tips and complaints</a></li><li> <a href="/lagar--regler/brottsdatalagen/laglighetskontroller/">Request a legality check</a></li></ul><h4> For companies and organizations</h4><ul><li> <a href="/lagar--regler/dataskyddsforordningen/dataskyddsombud/">Report data protection officer</a></li><li> <a href="/lagar--regler/dataskyddsforordningen/personuppgiftsincident/anmala-personuppgiftsincident/">Report personal data incident</a></li><li> <a href="/lagar--regler/dataskyddsforordningen/konsekvensbedomningar-och-forhandssamrad/forhandssamrad/">Request prior consultation</a></li><li> <a href="/vagledningar/kamerabevakning/offentlig-verksamhet/behover-ni-soka-tillstand/sok-tillstand-for-kamerabevakning/">Apply for a camera surveillance permit</a> </li></ul></div></div><div class="col-md-4"><div class="news-list-footer"><div class="news-list"><h3> News</h3><div class="list-link"> <a href="/nyheter/datainspektionen-granskar-overforing-av-personuppgifter-till-tredje-land/">The Data Inspectorate examines the transfer of personal data to third countries</a><time> 2020-11-26</time></div><div class="list-link"> <a href="/nyheter/sanktionavgift-for-olaglig-kamerabevakning-pa-lss-boende/">Penalty fee for illegal camera surveillance at LSS accommodation</a><time> 2020-11-25</time></div><div class="list-link"> <a href="/nyheter/gdpr-fine-for-unlawful-video-surveillance-in-an-lss-housing/">GDPR fine for illegal video surveillance in an LSS housing</a><time> 2020-11-25</time></div><br /><ul><li> <a href="/nyheter/">News archive</a> </li></ul></div></div></div></div></div></section><footer class="footer"><div class="container"><div class="footer-wrapper"><div class="footer-content"><h2> Find and contact us</h2><ul><li class="content-phone"><p> Phone</p> <a href="tel:08-657 61 00">08-657 61 00</a></li><li> <a href="/kontakta-oss/">Contact Us</a></li><li> <a href="/press/">Press and media</a></li></ul></div><div class="footer-content"><h2> About the Data Inspectorate</h2><ul><li> <a href="/om-oss/lediga-jobb/">Free jobs</a></li><li> <a href="/om-oss/om-webbplatsen/">About the website</a></li><li> <a href="/om-oss/om-webbplatsen/#cookies">Use of cookies</a></li><li> <a href="/om-oss/information-om-hur-datainspektionen-behandlar-personuppgifter/">Processing of personal data</a></li></ul></div><div class="footer-content"><h2> Common shortcuts</h2><ul><li> <a href="/vagledningar/inkasso/">Have you received a debt collection claim?</a></li><li> <a href="/vagledningar/kreditupplysningar/betalningsanmarkningar/">Have you received a payment remark?</a></li><li> <a href="/vagledningar/kamerabevakning/">Camera surveillance</a></li></ul></div><div class="footer-content"><h2> follow us</h2><ul><li> <a href="http://www.twitter.com/Datainspektion">On Twitter</a></li><li> <a href="https://www.linkedin.com/company/datainspektion/">On Linkedin</a></li><li> <a href="https://www.datainspektionen.se/nyheter/rss.xml">RSS</a></li></ul></div><div class="footer-home"><a href="/"><img src="/client/dist/images/di-logo-staende.svg" alt="Logotype" /></a><p> At datainspektionen.se we use cookies. Read more about cookies on our page <a title="About the website" href="/link/9f36ff08eec74e95971fa8e677833e4d.aspx">About the website</a> . </p></div></div></div></footer><script type="text/javascript" src="/Client/app/scripts/external/epi-util/find.js"></script><script type="text/javascript">
if(FindApi){var api = new FindApi();api.setApplicationUrl('/');api.setServiceApiBaseUrl('/find_v2/');api.processEventFromCurrentUri();api.bindWindowEvents();api.bindAClickEvent();api.sendBufferedEvents();}
</script><script type="text/javascript" src="/client/dist/scripts/vendor.bundle.min.js"></script><script type="text/javascript" src="/client/dist/scripts/app.bundle.min.js"></script><script type="text/javascript" src="/Client/app/scripts/external/jquery-ui-1.12.1/external/jquery/jquery.js"></script><script type="text/javascript" src="/Client/app/scripts/external/jquery-ui-1.12.1/jquery-ui.min.js"></script><script>
        function closeModal() {
            $('.modal-wrapper').remove(".modal-wrapper");
        }
    </script></body></html>