Datatilsynet (Norway) - 24/00793-9

From GDPRhub
Datatilsynet - 24/00793-9
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 24 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.09.2024
Published:
Fine: 150,000 NOK
Parties: The University of Agder
National Case Number/Name: 24/00793-9
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (Norway) (in NO)
Initial Contributor: wp

A university was fined NOK 150,000 (€12,700) because a lack of technical and organisational measures allowed all its employees and students to access personal data stored in an MS Teams folder. Thus, the university violated Article 24 and Article 32 GDPR.

English Summary

Facts

Since 2018, the University of Agder (the controller) had been using MS Teams and SharePoint.

An employee of the controller found out that an open MS Teams folder gave all employees and students access to documents containing personal data. For example, four documents referred to 4,851 employees and 10,419 external persons (back to 2014) who were mentioned by name, national identity number, employee number, resignation date and organisational unit. Moreover, other documents consisted of, for example, an exam overview of 568 students or personal data of 64 Ukrainian refugees.

After receiving the notification from the employee, the controller immediately changed the access setting of the MS Teams folders. The new setting required each employee wishing to access a folder to be approved by the folder's owner.

The controller notified the Norwegian DPA (Datatilsynet) of the incident under Article 33 GDPR and the affected data subjects under Article 34 GDPR. Additionally, the controller published a detailed description of the incident on its website. However, log control was limited to 6 months back. The controller was unable to confirm whether employees and students had interacted with or downloaded the data.

Holding

The DPA found the controller violated Article 24 and Article 32 GDPR.

The confidentiality of the data was violated. Personal data became freely available to approximately 1,200 employees and 12,000 students of the controller. Furthermore, the controller had no adequate log control in place, which made it impossible to assess how many people accessed the data. At the same time, the controller failed to implement internal procedures and employee training on the use of MS Teams. Also, the initial setting was incorrect, as there was no control over which employees accessed data stored within MS Teams and no way to discover unauthorised access in advance.

Hence, the controller failed to implement appropriate security measures in accordance with Article 24 and 32 GDPR, which led to the data breach.

The DPA acknowledged that the controller properly handled the breach and updated the MS Teams settings. Nevertheless, the gravity of the breach, in particular the number of people who potentially had access to the data and the categories of data involved, required an appropriate reaction from the DPA. The DPA therefore decided to fine the controller NOK 150,000 (approximately €12,700).


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

THE UNIVERSITY OF AGDER
PO Box 422
4604 KRISTIANSAND S









Your reference:
Our reference: 24/00793-9
Date: 04/09/2024



Decision on infringement fee - University of Agder

We refer to our notice of decision on infringement fees of 28 June 2024. The University of Agder
(hereafter UiA) submitted a notification of a breach of personal data security
(notice of deviation) on 14 February 2024. We have not received any comments from UiA regarding our notification.

1. Decision on infringement fees


The Norwegian Data Protection Authority has today made the following decision:

        Pursuant to Article 58 no. 2 letter i of the Personal Data Protection Regulation, cf.
        § 26 of the Personal Data Act, cf. Article 83 of the Personal Data Protection Regulation,
        the University of Agder is ordered to pay an infringement fee of NOK 150,000
        (one hundred and fifty thousand Norwegian kroner) to the treasury, for breach of the
        requirements for security and internal control when processing personal data, cf.
        Article 32 and Article 24 of the Personal Data Protection Regulation.

2. Description of the deviation


2.1 General information about the deviation
According to the notice of deviation, documents with personal data have been stored in open Teams
folders, to which employees have had access without official need. It was an employee who discovered
the error after searching open Teams folders. The discrepancy had been ongoing since 2018, when UiA began
using Microsoft Teams and SharePoint.

On 14 February 2024, four documents were discovered in Microsoft Teams that lacked
access control and contained personal information about employees and students:

     I. A document with an overview of all employees and external persons associated with
        the university back to 2014. This applies to 4,851 employees and 10,419 external persons
        who are mentioned by name, with birth and social security number, employee number,
        resignation date and organizational unit. All employees have had access to the document.

     II. A document with an overview of 568 students who have had their exams arranged.
        The document contains name, birth and social security number, student number,
        special adaptation code, free text about what the measure applies to and date. All employees have had
        access to the document.

     III. In the public team "Academic service - Ukraine" there has been an overview of 64
        refugees from Ukraine with full name, address, student number, date of birth,
        telephone number, previous educational background, field of study, whether they have registered
        with Lånekassen, planned course of study and residence status. It has been possible for
        both staff and students to access the folder.

     IV. A list of employees at the library linked to a project from 2015. The list contained
        information about name, residential address and birth and social security number. All employees have
        had access to the document.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org. no: 974 761 467. Website: www.datatilsynet.no

On 16 February 2024, UiA uncovered five new documents in Microsoft Teams without
access control:


     V A list from 2014 in which an external practice teacher is referred to as "sick on sick leave autumn 2014".
        The information has been available to all employees at the university.

     VI A document with 177 of the students' names, social security number, UiA e-mail address, private
        e-mail address and exam notification. The list has been available to all employees.

     VII A list with an overview of 60 students' names, social security number, student number and
        exam attempt. The document has been available to all employees.

   VIII List of 13 students with information on name, social security number and address. The list
        has been available to all employees.

     IX List with an overview of 40 students' names, exam subject and type of special arrangement.
        The list has been available to all employees.


The discrepancy includes both general personal data and special categories of personal
data. The general personal data consists, among other things, of students' and employees'
contact details, social security number, education information and residence status for
refugees, examination notification and number of examination attempts. In addition, information about
students' arrangements for examinations, special arrangements related to study subjects, as well as information about
sick leave relating to an employee, involves the processing of health information.


2.2 Access control
Open Teams folders are something that every unit at UiA uses to be able to share documents internally
in cooperation across the units. The discrepancy has arisen as a result of the end users not having been
aware that documents stored in "shared documents" or "Public Teams" are shared with all
employees in the business. In total, there are nine documents without access control. All nine
documents have been available to all employees. Students have also had the opportunity to access
the folder containing information on 64 Ukrainian refugees.




2.3 Log control
The notice of deviation states that there was log control of access to the documents going back six
months in time. For the deviation in question, UiA therefore cannot confirm or deny whether
unauthorized persons have actually had access, made changes or downloaded documents for the largest
part of the deviation period.

2.4 Internal routines for storage and shielding

UiA had no internal routines for or training in shielding documents in Microsoft
Teams (SharePoint).

2.5 Implemented and planned measures
The discrepancy was first reported internally by an employee who discovered the discrepancy through searches in open groups
in Microsoft Teams. UiA reviewed all shared folders and corrected the access management
immediately. All public teams in Microsoft Teams were made private, so that employees who
want access must be approved by the team's owner. Information has been sent out to employees about safe
storage in Microsoft Teams.

2.6 Information to the data subjects
UiA contacted the affected data subjects on 21 February 2024.

In addition, UiA has published detailed information about the deviation on its website. There have also been
several media reports dealing with the deviation.

3. Legal background

The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf.
Regulation Article 57.


3.1 The basic principles for processing personal data
The basic principles for processing personal data are set out in
Article 5 of the Personal Data Protection Regulation. We refer in particular to Article 5 no. 1 letter f, which
states:

        "1. Personal data must (...)
        f) be processed in a way that ensures sufficient security for the personal data,
        including protection against unauthorized or illegal processing (...), using suitable
        technical or organizational measures ("integrity and confidentiality")".

It is the controller's responsibility to ensure that the principles are observed, and the
controller must be able to demonstrate this, cf. Article 5 no. 2.

3.2 The requirements for personal data security and management systems

Article 32 of the Personal Data Protection Regulation regulates the requirements for security in the processing of
personal data. Below follows an extract of relevant parts of Article 32:






        "1. Taking into account the technical development, implementation costs and
        the nature, scope, purpose and context of the processing, as well as the risks of
        varying degrees of probability and severity for the rights and freedoms of natural
        persons, the data controller and the data processor must carry out suitable
        technical and organizational measures to achieve a level of security that is suitable with
        regard to the risk, including, among other things, depending on what is suitable, (...)
        b) ability to ensure continued confidentiality, integrity, availability and robustness in
        the processing systems and services, (…)
        d) a process for regular testing, analysis and assessment of how effective
        the processing's technical and organizational security measures are.

        2. When assessing the appropriate security level, special consideration must be given to the risks
        associated with the processing, particularly as a result of (...) unauthorized disclosure of
        or access to personal data that has been transferred, stored or otherwise
        processed".

The duty to carry out suitable technical and organizational measures follows correspondingly from
Article 24 of the Personal Data Protection Regulation, which regulates the controller's responsibilities
separately.

3.3 Information to affected persons

If it is likely that the breach of security will entail a high risk to the rights and freedoms
of natural persons, the data controller must notify the affected persons about the breach
without undue delay, cf. Article 34 no. 1 of the Personal Data Protection Regulation.

The supervisory authority can order the controller to inform affected persons, cf.
Article 34 no. 4. The more detailed requirements for the content of such notification appear in Article
34 no. 2 and 3.

3.4 In particular regarding the imposition of infringement fees
It follows from Article 58 no. 2 letter i of the Personal Data Protection Regulation and § 26 second
paragraph of the Personal Data Act that the Norwegian Data Protection Authority can impose an
infringement fee on public authorities and bodies according to the rules in Article 83 of the Personal Data Protection Regulation in the event of a breach of
provisions in the respective laws.


Article 83 of the Personal Data Protection Regulation sets out the conditions for imposing a fee. The provision
contains, among other things, an overview of which elements must be taken into account, both when
considering whether an infringement fee should be imposed and in the assessment of the fee.
The relevant parts of Article 83 no. 1 and no. 2 are reproduced below:

        "1. Each supervisory authority must ensure that the imposition of infringement fees in accordance with
        this article for violations of this regulation mentioned in nos. 4, 5 and 6 in each individual
        case is effective, is in a reasonable relationship to the infringement and has a
        deterrent effect.






        2. (…) When a decision is made on whether an infringement fee should be imposed as well as
        on the size of the infringement fee, due consideration shall be given in each individual case
        to the following:
            a) the nature, seriousness and duration of the infringement, taking into
                consideration the nature, extent or purpose of the processing concerned and the number
                of data subjects who are affected, and the extent of the damage they have suffered,
            b) whether the infringement was committed intentionally or negligently,
            c) any measures taken by the controller or data processor
                to limit the damage that the data subjects have suffered,
            d) the controller's or data processor's degree of responsibility, taking into
                account the technical and organizational measures they have carried out in accordance
                with articles 25 and 32,
            e) any relevant previous infringements committed by the
                data controller or data processor,
            f) the degree of cooperation with the supervisory authority to remedy the infringement and
                reduce the possible negative effects of it,
            g) the categories of personal data affected by the breach,
            h) in which way the supervisory authority became aware of the infringement, in particular
                whether and possibly to what extent the data controller or
                the data processor has notified of the infringement,
            i) if measures mentioned in Article 58 no. 2 have previously been taken against the
                controller or data processor concerned with regard to the same
                subject matter, compliance with said measures,
            j) compliance with approved standards of conduct in accordance with Article 40 or
                approved certification mechanisms pursuant to Article 42 and
            k) any other aggravating or mitigating factor in the case, e.g. economic
                benefits gained, or losses avoided, directly or indirectly, as a
                consequence of the infringement".

Article 83 also sets out the framework for the order of magnitude of the infringement fee. In this
connection we refer to Article 83 no. 4. The relevant parts of the provision read:

        "4. In the event of violations of the following provisions, in accordance with no. 2, an
        infringement fee of up to 10,000,000 euros shall be imposed […]:

        a) the data controller's and the data processor's obligations in accordance with Article
        8, 11, 25-39 [...]".

Section 26 first paragraph of the Personal Data Act states that Article 83 no. 4 of the Personal Data Protection Regulation
applies correspondingly to violations of Article 24 of the regulation. This means that violations of
Article 24 of the Personal Data Protection Regulation can, under Norwegian law, be sanctioned with an infringement fee
of up to an amount equivalent to 10 million euros.

4. The Norwegian Data Protection Authority's assessment






In the explanation of our assessment, we will follow the same chronology as under point 2, description
of the deviation, above.

4.1 Access control
The deviation represents a breach of the duty to preserve the confidentiality of personal data
as a result of employees at UiA having had access to personal data without official need.
There has also been a folder with personal information on 64 Ukrainian refugees which has
been stored and available to all students. According to UiA's website, there are approximately 1,200 employees
and 12,000 students affiliated with the university.

The personal information has been easily accessible within Microsoft Teams, and employees have been able to
access it through searches in open Teams folders.

We assume that UiA has breached its duty to provide access management as part of its
internal control and duty to ensure adequate personal data security, cf.
Article 32 and Article 24 of the Personal Data Protection Regulation.

4.2 Log control
UiA has not had a sufficient function for logging activity in Microsoft Teams.
The log control that has been established has shown activity six months back, but there
are no log records beyond this.


The Norwegian Data Protection Authority considers that UiA has breached its obligation to have a logging function for large parts of
the deviation period of six years. As a result, it has not been possible to uncover unauthorized
access to the personal data, cf. Article 32 and Article 24 of the Personal Data Protection Regulation.

4.3 Internal routines for storage and shielding

The discrepancy illustrates that UiA has had insufficient internal routines and training for its employees
in connection with the shielding of personal data in Microsoft Teams.

We emphasize that it is the management's responsibility to take measures to achieve a level of safety which
is suitable with regard to the risk, including internal routines for safe storage and adequate
training of employees.


UiA has not implemented suitable measures to safeguard the security of personal data in Microsoft
Teams. This is a violation of Article 32 and Article 24 of the Personal Data Protection Regulation.

4.4 Implemented and planned measures
UiA took immediate measures after the discrepancy was discovered and quickly reported the discrepancy to
the Norwegian Data Protection Authority. We take a positive view that all access to shared folders is now closed and information
about shielding of personal data when using Microsoft Teams has been communicated to all
employees.

The Norwegian Data Protection Authority otherwise has no comments on the measures implemented.

4.5 Information to the data subjects

UiA has informed the affected data subjects in accordance with Article 34 of the Personal Data Protection Regulation.

4.6 Summary
The management at UiA has a statutory duty to ensure that employees do not have access to
personal data they do not have an official need for. In addition, systems must be established for
logging and subsequent control which, among other things, make it possible to detect deviations.


It is a management responsibility that technical and organizational solutions are in place so that
the university is able to handle sensitive personal data in a sufficiently secure
manner.

The Norwegian Data Protection Authority considers that there have been fundamental deficiencies in the internal control and
personal data security related to employees' use of Microsoft Teams.


4.7 Assessment of the culpability requirement for the imposition of an infringement fee
In order for the Norwegian Data Protection Authority to be able to impose an infringement fee on UiA, it is required that the person or persons
who acted on behalf of the university have shown some form of guilt, cf.
Article 83 of the Personal Data Protection Regulation, cf. case C-807/21 (Deutsche Wohnen). In this case,
our assessment is that the form of fault in question is simple negligence.

The provision on negligence is legally established in Section 22 of the Criminal Code, which states that:


    "Anyone who acts contrary to the requirement for proper behavior in an area, and who based on
    his personal assumptions can be blamed, is negligent".

In accordance with the due diligence requirement, businesses must familiarize themselves with which legislation
applies in the area and organize the business in accordance with the framework that follows from the
current regulations.

In the non-compliance case in question, UiA has acknowledged a lack of access control in shared folders in
Microsoft Teams. Adequate logging has also not been established for the majority of
the deviation period of six years. We assume that the requirements for internal control and
information security are a management responsibility, cf. Article 5 no. 2 of the Personal Data Protection Regulation.


As a result of the aforementioned deficiencies, the Norwegian Data Protection Authority is of the opinion that the offense must
be described as negligent.

The culpability requirement for imposing an infringement fee has thus been fulfilled.

4.8 Assessment of whether an infringement fee should be imposed
The Norwegian Data Protection Authority has come to the conclusion that UiA has breached Article 32 and Article
24 of the Personal Data Protection Regulation. There is therefore an offense which can give grounds for the imposition of an infringement fee.

Below we review the elements that we consider relevant for the assessment of whether
an infringement fee shall be imposed, cf. Article 83 no. 4 of the Personal Data Protection Regulation.





      a) the nature, severity and duration of the infringement, taking into account
      the nature, scope or purpose of the processing concerned as well as the number of data subjects
      affected, and the extent of the damage they have suffered


The discrepancy represents a serious breach of personal data security in that
personal information about employees and students has been available to employees without official
need for a period of six years. The discrepancy means that approximately 1,200 employees have had access to
nine documents with personal data of varying degrees of sensitivity. In addition, approximately
12,000 students have had access to a document with information on 64 Ukrainian
refugees.


Overall, a large amount of personal data is covered by the deviation, including:
contact details, social security numbers for 16,000 employees and students, information on
preparation of exams for 568 students, education information and residence status for
64 Ukrainian refugees, information on sick leave relating to one employee, special arrangements in
study subjects for 40 students and number of exam attempts for 60 students.

Birth and social security numbers are not in themselves confidential information or information
with demands for extra protection under Article 9 of the Personal Data Protection Regulation. Nevertheless, there are clear
limits for when personal identification numbers can legally be used according to Section 12 of the Personal Data Act.¹


The breach of integrity has led to the data subjects losing control over their own
personal data, including whether personal data has been passed on to
unauthorized persons. The personal information has been easily accessible in Microsoft Teams, and employees
have had easy access through searches in shared folders/groups. At all times, log control
has only gone back six months in time.


      b) whether the infringement was committed intentionally or negligently

We refer to our assessment under point 4.7 and our conclusion that the offense must be considered as
negligence by the management at UiA.


The case shows that UiA has not had sufficient routines for and training in the use of Microsoft
Teams, and UiA must take measures to protect itself against such breaches of
personal data security.

    c) any measures taken by the controller or data processor to
        limit the damage that the data subjects have suffered

UiA quickly closed the discrepancy and reported the breach to the Norwegian Data Protection Authority. The affected data subjects received
information about the discrepancy already a week after the discrepancy was discovered, either through direct
contact or through information on the website and in the media. UiA has also implemented measures to
improve personal data security. This speaks in a mitigating direction.



¹ The provision assumes that national identification numbers can only be used when there is a factual need for secure
identification of a person and when the national identification number is necessary to achieve such identification.



    d) the controller's or data processor's degree of responsibility, taking into
        account the technical and organizational measures they have carried out in accordance
        with articles 25 and 32

UiA has not complied with its obligations to establish suitable information security and internal control
when using Microsoft Teams. The Norwegian Data Protection Authority believes that the deviation represents fundamental
deficiencies in access control and internal routines/training related to UiA's use of Microsoft
Teams. The function for log control has also not been sufficient, as this has only had
documentation six months back in time.

    f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce
    the possible negative effects of it


The Norwegian Data Protection Authority quickly received notification of a breach of personal data security and has been
continuously informed about the non-conformance case with supplementary information.

   g) the categories of personal data affected by the breach

The fact that the deviation covers special categories of personal data makes the situation more
serious. We have been informed that the discrepancy includes a document with information about an
employee on sick leave. In another document, there was information about an exam arranged for 568
students, including information on special adaptation with free text. This information will
often disclose health information. In another document, there was an overview of the special arrangement in
study subjects for 40 students, which also qualifies as health information.

In addition, the discrepancy includes approximately 16,000 birth and social security numbers, which are not
protected under Article 9 of the Personal Data Protection Regulation, but which are particularly protected in the Act and
involve a certain risk of abuse.

It is also unfortunate that information on residence status, previous education and current
educational courses for 64 Ukrainian refugees have been available in an open folder for both
staff and students. Altogether, this amounts to 13,200 people who in theory could have had
access to the information.


All in all, the deviation concerns a large amount of personal data, some of which is of a very sensitive
character.

    h) in what way the supervisory authority became aware of the infringement, in particular if and
    possibly to what extent the controller or data processor has notified
    about the violation


UiA itself reported the discrepancy to the Norwegian Data Protection Authority, in line with the duty in Article 33
of the Personal Data Protection Regulation.

The Norwegian Data Protection Authority's summary and assessment





UiA is required to ensure that employees do not have access to personal data they do not have
official need for. This means having good routines and training employees in shielding
personal data in the systems the university uses. In addition, there is an obligation to
establish systems for logging and subsequent control that make it possible to detect deviations.

The Norwegian Data Protection Authority views positively that measures were taken to stop the existing practice
immediately after the discrepancy was discovered.


The discrepancy represents a breach of the confidentiality of the personal data of several of
the students at UiA. The information has been stored relatively easily accessible and consists of a
large amount of personal data of a sensitive nature. A spread of social security numbers also
implies a certain risk of abuse. The personal information that has lacked access control is
typically information that one wants to keep to oneself, such as the number of attempts a
student has made at an exam.


Based on an overall assessment, we believe that the deviation is of such a serious nature that it is
necessary to impose an infringement fee on UiA.

4.9 Amount of the fee
In assessing the amount of the fee, we have taken into account that UiA quickly provided for shielding of
the personal data that was available and informed the data subjects. UiA quickly reported
the deviation and cooperated with the Norwegian Data Protection Authority during the course of the case.

In this non-compliance case, a large amount of personal data has been available to 1,200
employees without an official need for a period of six years. This concerns personal data linked
to approximately 14,000 people. The deviation has revealed a lack of training and unclear routines for
shielding of personal data in Microsoft Teams.


There are large quantities of birth and personal identification numbers that are covered by the deviation. An estimate shows that
we are talking about approximately 16,000 such numbers.

The Norwegian Data Protection Authority has concluded that an infringement fee of NOK 150,000 is reasonable in this
case.


5. Access to appeal

The decision on infringement fees can be appealed within three weeks after you have received this
letter, cf. sections 28 and 29 of the Administration Act.

Any appeal is to be sent to the Norwegian Data Protection Authority. If we uphold our decision, we will
send the case to the Personal Data Protection Board for complaint processing, cf. Personal Data Act § 22.



If you have any questions, you can contact us by e-mail at postkasse@datatilsynet.no.






With kind regards


Camilla Nervik
section manager

Kristin Skolt
legal advisor


The document is electronically approved and therefore has no handwritten signatures


Copy to: UNIVERSITY OF AGDER, Johanne Lavold
              UNIVERSITY OF AGDER, Trond Hauso









































