Datatilsynet (Norway) - 18/02140
|Datatilsynet (Norway) - 18/02140|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 32(1)(a) GDPR
Article 32(1)(b) GDPR
|National Case Number/Name:||18/02140|
|European Case Law Identifier:||n/a|
|Original Language(s):||Norwegian |
|Original Source:||Datatilsynet (in NO) |
Datatilsynet (in NO)
|Initial Contributor:||Rie Aleksandra Walle|
In 2019, the Norwegian DPA fined a municipality about €158,315 (NOK 1,600,000) for lacking security measures, as discovered by a 12 year old pupil at the school. The school pressed charges against the pupil, but withdrew them after massive media pressure.
English Summary[edit | edit source]
Facts[edit | edit source]
In May 2018 a pupil at a school in Bergen notified the ICT helpdesk of a folder he had found online, containing several files with usernames and passwords of over 35,000 users. However, the school management did not follow up on the notice.
In August, the pupil logged onto the learning management system as the school's principal and sent a message to several people. He expressed later that he did so because the school had failed to take his first notice seriously. When the school discovered this, it notified the police, who found out that the pupil sent the notification. He admitted he had simply guessed the principal's password.
The municipality failed to first notify the Norwegian DPA (Datatilsynet) of the breaches, who discovered these initially after being contacted by several media outlets (after the municipality sent out a press release the same day).
The DPA's investigation revealed that the school had failed to enable two-factor authentication, despite a campaign the DPA conducted in 2013-2014 in the education sector. At the time, the DPA instructed all municipalities in Norway to enable strong authentication on their learning management systems and other administrative systems. Thus, the DPA argues that it is beyond doubt that Bergen municipality was well aware of this security requirement.
Following this incident, the municipality reset all passwords and enabled two-factor authentication.
Holding[edit | edit source]
The DPA first instructed Bergen municipality to enable two-factor authentication in their systems, cf. Article 5(1)(f) GDPR, cf. Article 32(1)(b). Second, the DPA fined the municipality about €158,315 (NOK 1,600,000) for the lack of sufficient technical and organisational measures required by Article 5(1)(f) and Article 32(1)(a) and Article 32(1)(b).
Comment[edit | edit source]
This case got a lot of media attention in Norway, especially since the school decided to press charges. Both the school and the police was critised heavily in the media by the DPA's Data Protection Commissioner, the pupil's parents, and various organisations and political parties. The school withdrew their charges, but not until ten months later, when the police was done investigating the case.
Further Resources[edit | edit source]
Some news stories from the Norwegian media:
- Datainnbrot hos Bergen kommune – fryktar at personinfo til 35.000 er spreidd
- Trur elevar står bak datainnbrot: Sende tullemelding frå rektors e-post
- Datainnbrotet: Barneskuleelev varsla om sikkerheitshol for eit halvt år sidan
- Barneskuleelev sende «tullemelding» til 301 personar: – Visste ikkje at det var ulovleg
- Skolebyråd om sikkerhetsflause: – Det har aldri vært kommunens intensjon å skylde på eleven
- Sonen avslørte sikkerheitshol – no får kommunen 1,6 millionar kroner i bot
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
BERGEN MUNICIPALITY PO Box 7700 5020 BERGEN Their reference Our reference Date 2019 / 04991-9 18 / 02140-13 / KBK 18.03.2019 Decision on order and infringement fee - Notification of deviations at Bergen municipality 0. Introduction We refer to a report of a breach of personal data security (deviation report) from Bergen municipality sent 15 August 2018, the Data Inspectorate's notification of decision of 17 December 2018, Bergen Municipality's feedback on the Data Inspectorate's notice of 31 January 2019 and other relevant correspondence in the case. The case concerns an incident where files with usernames and passwords of over 35,000 users in Bergen municipality has been openly accessible to students. It has been possible to log in on the school's various information systems as a student, employee or administrator of the school, and thus gaining access to personal information about students and staff. The Data Inspectorate has taken note of the allegations the municipality has made about the choice of law issue, but can not see that these change our view of the matter. Bergen municipality has also given one chronological presentation of the actual circumstances of the case, where i.a. an account is given of the municipality's work with the introduction of two-factor authentication. However, the Data Inspectorate can not see that this has an impact on our decision. With regard to the notified decisions, the municipality states that these must be considered closed. Regarding the notified decision no. 1, it is stated that the introduction will be completed these days. The Data Inspectorate will, however, point out that the deviation can only be considered closed when the introduction of two-factor authentication is complete. We therefore uphold the decision. With regard to the notified decision no. 2, we note that the deviation is closed by you complies with Article 5 and Article 32 of the Privacy Ordinance. This means that Bergen municipality ensures a lasting confidentiality, integrity, accessibility and robustness (Article 32 (1) (b)) and that you have a process for regular testing, analysis and assessment of how effective the treatment's technical and organizational security measures are (Article 32 (1) (d)). 1European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016, cf. Act of 15 June 2018 no. 38 on processing of personal data (Personal Data Act) § 1. Postal address: Office address: Telephone: Fax: Org.nr: Website: PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no 0105 OSLOUt from the information in the case, the Data Inspectorate believes that Bergen municipality has violated the rules on personal data security in the Privacy Ordinance. The Data Inspectorate makes three different decisions. One decision concerns the imposition of infringement fines. The other two decisions apply order to implement further measures. A more detailed account of what the decision on order and infringement fee entails and justification for that follows below. 1. Decision on order and infringement fine 1.1 Decision on order Pursuant to Article 58 no. 2 letter d of the Privacy Ordinance, the Data Inspectorate makes decisions on the following orders: 1) Bergen municipality must change all employees' login to all information systems such as contains personal information about students, by establishing strong authentication (two-factor authentication) for login over external networks and on student networks, cf. Article 5 (1) (f) of the Privacy Ordinance, cf. Article 32 (1), cf. letter b 1.2 Decision on infringement fines Pursuant to the Personal Data Act § 26 second paragraph, the Data Inspectorate may impose public authorities and bodies infringement fines under the rules of the Privacy Regulation Article 83. Pursuant to section 26 of the Personal Data Act, cf. the Privacy Ordinance art. 83, fatter The Data Inspectorate makes the following decision on infringement fines: 2) Bergen Municipality shall, pursuant to the Personal Data Act § 26 second paragraph, cf. Article 83 of the Privacy Ordinance, pay an infringement fee of NOK 1,600,000 million six hundred thousand Norwegian kroner - to the Treasury, for not having completed appropriate technical and organizational measures to achieve a level of security that is appropriate with consideration of the risk, and ensuring lasting confidentiality, cf. the Privacy Ordinance Article 5 (1) (f) and the Privacy Regulation 32 (1) (a) and (b). 2. The facts and the course of the case 2.1 The progress of the case The Data Inspectorate became aware of the case after Bergen municipality sent out on Friday 15 August 2018 press release. The case received great interest in the media and the Data Inspectorate was contacted the same day VG, Bergens Tidende, Bergensavisa and NRK. 2We mean here wireless guest networks that students can connect to and that are open to others than the staff. 2Bergen municipality sent a report of a breach of personal data security (deviation report) to the Norwegian Data Protection Authority on 15 August 2018. The privacy ombudsman in Bergen municipality gave the Data Inspectorate an update on the breach personal data security, by e-mail on 16 August. We received an additional message from Bergen municipality on 24 August, which contained a report on the reported violation personal data security, and a letter from the municipality that had been sent to parents and guardians who were affected by the breach of personal data security. The parents of one of the students at the relevant school have in an e-mail of 10 September contacted to the Norwegian Data Protection Authority to give its version of the case. The Data Inspectorate has also been in telephone Contact with: Bergen municipality's supplier of eFeide, Identum Principal at the current school West police district v / Ronny Haldorsen 2.2 The case includes the following systems The municipality uses FEIDE as a login solution in the school. Bergen municipality has described this solution as follows: «FEIDE is a user directory for students, which provides central user registration and« single sign-on »for various services and systems in use at school. eFeide is a tool to create and manage users in the FEIDE user directory. " As the Data Inspectorate has understood, FEIDE is a national login solution that makes it possible to share data related to education and research. When employees and students in primary school in Bergen logs in via FEIDE, they get access to various systems, such as Its Learning. Its Learning is a learning platform that in addition to school work as well contains assessments and evaluations of individual students' performance. The system makes it possible to communicate between students and teachers, and one can use free text fields where teachers can add enter information about students registered in the system. Another service that is available through FEIDE in Bergen municipality is Conexus Engage. It is a tool for the individual teacher where the intention is to facilitate the teacher's work related to the follow-up of the individual student. The service includes both mapping of professionals as well as social conditions about the student. Bergen municipality uses eFeide as a user administration tool. eFeide is a cloud solution which makes it possible for staff and students to log in to the school's systems (via FEIDE) from various devices (laptop, smartphone, etc.). As of 24 August 2018, eFeide had a total 35,601 unique users in Bergen municipality. Bergen municipality's eFeide system contains information about the users' names, usernames, passwords, birth numbers, address, school affiliation and school class. Employees are also registered with a telephone number. eFeide is provided by Identum. 3Details about the actual circumstances of the case In the following, we will describe how we, based on the case documents and information obtained from various parties, perceives the actual circumstances of the case. On Tuesday 15 May 2018, the ICT Helpdesk in Bergen municipality received a message from an employee at a school stating that a folder with multiple files containing usernames and passwords was available for students. This had been discovered by a student, who reported this to staff at the school. It employees write the following in the e-mail to the ICT Helpdesk in Bergen municipality: "We have a student […] who looks very eagerly in his attempts to get into Bergen municipality's hidden pages in the student network. He has managed to find an overview of username and password for the student network - the old ones before eFeide. There are not as many as changed password yet (yes I know we are slow on that) but the student has not abused the information he has found. He has told us that he has found them and shown them super fast - you do like that, and like that, and like that…. I do not have the opportunity to keep up when he shows it. He's recently brought with him a memory pen where I think he has a program he has made at home. He told my colleague that what he was trying did not work. He has a lot of good knowledge about ICT systems, and is very interested in coding. But I am worried about whether he is heading for "wild paths" so that his skills can be used error. I have seized the PC he used last week (but am probably logged on to a new one now). It should be refueled. […] Is it interesting for you to check the log of the machine before it is done? And you have the opportunity to look at log files of what he is doing. " The student, who is discussed here, found that the username and password of the account with administrator access was in the folder that was available to students. Thus, he had the opportunity to see information about all users in the municipality's FEIDE catalog. Both the student's contact teacher and another teacher was in telephone contact with the ICT Helpdesk prior to the e-mail to inform about the breach on personal data security. The school principal has confirmed this. The student logged in to eFeide five times before notifying the school of the security risk. The first login took place on 13 March 2018. The notification from the student contained information about several conditions, including the folder with username and password. The message about the folder was however, not followed up further by the management at the school. This folder has been used to move data between different systems used by the school. Every year at the start of school, new users are created. Every autumn holiday, the passwords of everyone are reset user accounts, so that everyone has to create a new password when school starts after the holidays. By password change, no previous password has been checked and excluded for later use. Users have therefore had the opportunity to change back to previously used passwords after the autumn holidays. 4Before 22 June and 30 July 2018, someone has entered the user administration tool eFeide with a user account belonging to Bergen municipality, and changed the contact information associated with Bergen municipality's customer relationship with Identum. This was discovered by Identum on Monday 13. August. On Tuesday 14 August, the student logged in to the learning platform Its Learning with the account to principal at the said school. The student has sent a message to several people via FEIDE. The message contained the password to the principal's account. The principal has confirmed that it was not him who logged in at this time, and that it was not he who sent the message. Due to findings in security logs, this was reported to the West Police District on Thursday 16 August. The police acted on Friday morning, and confirm that a student admits to being behind both the change in eFeide and the message from the principal's account. He has admitted to the police that he has guessed the principal's password, and logged on to Its Learning with a total of ten different ones account. Identum implemented measures after discovering this, and reset passwords for everyone administrator accounts in Bergen municipality when this was discovered on 13 August. Wednesday 15 August passwords for all accounts were reset. Identum v / Erik Lithun confirms in a telephone conversation with the Danish Data Protection Agency on Monday 10 September that the company in the autumn of 2016 was in contact with Bergen municipality about the use of eFeide. March 17, 2017 sent Identum an offer to Bergen municipality on eFeide with an option to use two-factor authentication. The privacy ombudsman in Bergen municipality has stated that it has pointed out the need for two-factor authentication as a necessary security measure for logging in to eFeide. The Privacy Ombudsman has stated by telephone that Bergen Municipality has routines for access control to eFeide, but that these were not followed in this case. The routines are subsequently sent to The Data Inspectorate by e-mail. As mentioned, Bergen municipality published a press release about the case on 15 August. Those affected have also been informed per. letter. Bergen municipality has, after the case became known in the media, introduced two-factor authentication in the eFeide user administration tool for accounts with administrator access to eFeide (technical personnel). This was implemented on Friday 17 August. 3 The regulations in the area 3.1 Which regulations should be applied - question of choice of law The new Personal Data Act (Personal Data Act 2018), which in § 1 incorporates the EU privacy ordinance in Norwegian law, entered into force on 20 July 2018. The law also repealed the law 14.04.2000 no. 31 on the processing of personal data (Personal Data Act 2000) and the rules in the Personal Data Regulations 15.12.2000 no. 1265 on the processing of 5personal information (Personal Data Regulations 2000). Because of the case course of events, it is necessary to decide whether the case should be assessed accordingly the Personal Data Act of 2018 or the Personal Data Act 2000. We have come to the conclusion that the Personal Data Act of 2018 must be applied in the case. Thus comes also the provisions of the Privacy Ordinance apply, cf. section 1 of the Act. This applies to everyone aspects of the case, including those concerning the imposition of infringement fines, cf. also the Personal Data Act § 26 second paragraph and § 33. This case concerns a breach of the regulations that has occurred at a time prior to the entry into force of the Personal Data Act 2018. However, the breaches of regulations have been continuous and has persisted in time, and was discovered on August 15, that is, after the date of entry into force of the new Personal Data Act. The current events have in other words, extended over a longer period. The first time it was found defective security routines were when this was reported to the ICT Helpdesk on 15 May 2018. On this the time applied as the Personal Data Act 2000 and the Personal Data Regulations of 2000. The regulations §§ 2-6, 2-11, 2-13 and 2-14 regulated such matters as the case deals with. The relevant conditions that are under consideration have thus arisen before the entry into force of the Personal Data Act 2018, but they have persisted and been continuous for some time after it The new Personal Data Act came into force on 20 July. The Personal Data Act 2018 § 33 first paragraph lays down a special transitional rule infringement fee which reads as follows: «The rules on the processing of personal data that applied at the time of the action, shall be used as a basis when a decision on an infringement fine is made. The legislation on the time of the decision shall nevertheless be used when this leads to a more favorable one result for the person responsible. " When a decision is made on an infringement fee, the question of choice of law must therefore be assessed on the basis of what must be considered the time of action. The Danish Data Protection Agency's assessment is that the time of action in this case is extended in time - the illegal act or acts have occurred before July 20, but it has been, and will continue to be, a constant and continuous breaches of regulations until the person in charge of treatment takes care of bringing the treatment activities in accordance with the requirements of the regulations. As the treatment manager has not taken any action to bring to an end the illegal treatment activities and in accordance with the requirements of the regulations before August this year, the time of action in § 33 must be considered to be after the date of entry into force of the new Personal Data Act. It thus follows § 33 of the Personal Data Act that this case shall be assessed in accordance with the Personal Data Act 2018. This is also in accordance with ECHR art 7, which refers to resp. «The time of the action» and «the time when [the action] was committed». We also refer to the preparatory work for the Personal Data Act 2018 (Prop. 56 LS (2017-2018) page 196), where the Ministry states, among other things, the following on questions of choice of law between the Personal Data Act 2000 and the Personal Data Act 2018: 6 «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to is made on the basis of the material rules in force at any given time ». The same follows from the Privacy Board's practice in cases that do not concern infringement fines and which is submitted to the tribunal before a new law, but which is processed according to a new law. See for example PVN- 2018-005 and PVN-2018-006. Against this background, we consider it clear that cases that apply on an ongoing or ongoing basis Violations of the rules must be assessed in accordance with the Personal Data Act 2018 and the Privacy Ordinance. 3.2 The rules in the Privacy Ordinance The Privacy Ordinance regulates all aspects of the processing of personal data. Article 5 of the Privacy Regulation deals with what must be said to be the core of the right to privacy, and the article is absolutely central to the interpretation of the regulation's upper rest provisions. Violation of the principles in art. 5 may in itself lead to the imposition of sanctions, and it follows from Art. 83 no. 5 that violations of art. 5 are among the offenses which can result in the highest infringement fines, ie 20,000,000 euros (currently approx. 195) NOK million) for data controllers or data processors that are not to be counted as companies. The provision in art. 5 sounds as follows: Article 5. Principles for the processing of personal data 1. Personal data shall a) is treated in a lawful, fair and transparent manner with respect to the data subject («legality, justice and transparency »), b) collected for specific, expressly stated and justified purposes and not further processed on a manner incompatible with these purposes; further processing for archival purposes in the public interest, for purposes related to scientific or historical research or for statistical purposes shall, in accordance with Article 89 (1), not be considered incompatible with its original purpose ("Purpose limitation"), c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed ("Data minimization"), d) be correct and, if necessary, up to date; every reasonable step must be taken to ensure that personal data that are incorrect with regard to the purposes for which they are processed, without delay deleted or corrected ("correctness"), e) is stored so that it is not possible to identify the data subjects for longer periods than at present necessary for the purposes for which the personal data are processed; personal information can be stored for longer periods if they will be processed exclusively for archival purposes in the general public interest, for purposes related to scientific or historical research or for statistical purposes in in accordance with Article 89 (1), provided that appropriate technical and organizational arrangements are made measures required by this Regulation to ensure the rights and freedoms of data subjects ("Storage limitation"), f) is processed in a way that ensures sufficient security for personal data, including protection against unauthorized or illegal treatment and against unintentional loss, destruction or damage, by the use of appropriate technical or organizational measures ("integrity and confidentiality"). 72. The controller is responsible for and must be able to demonstrate that No. 1 is complied with («responsibility»). As stated in the provision, Art. 5 no. 1 letter f personal data security and the principle of duty to ensure the necessary integrity and confidentiality. Species. 5 No. 2 knee sets the principle of responsibility, which states that it is the data controller who is responsible for comply with the privacy principles in art. 5 No. 1. The principle in art. 5 No. 1 letter f on integrity and confidentiality is described in more detail and supplemented by more specific provisions in the Privacy Ordinance, Chapter IV, see e.g. article 24 on the implementation of necessary appropriate technical and organizational measures, Article 25 on requirements for built-in privacy and privacy by default, and so on. The rules on personal data security are set out in Chapter IV, Section 2. Here is Article 32 central. Article 32 (1) (a) and (b) states: Article 32. Safety of treatment 1. Taking into account technical progress, implementation costs and the nature of the treatment, the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and severity of the rights and freedoms of natural persons, the person responsible for treatment and the data processor implement appropriate technical and organizational measures to achieve a level of security which is suitable in terms of risk, including, inter alia, as appropriate, a) pseudonymisation and encryption of personal data, b) ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services 3.3. In particular on the imposition of infringement fines The Privacy Regulation leaves it to the Member States to determine whether infringement fines should apply could be imposed on public authorities and bodies, cf. Article 83 (7). Act (2018) § 26 second paragraph, it is determined that the Data Inspectorate may impose on public authorities and bodies infringement fines in accordance with the rules in the Privacy Ordinance Article 83, cf. Article 83 No. 7. In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry refers to that «The Data Inspectorate in several cases has imposed administrative fees on public bodies, and the ministry can see no reason not to continue such access for The Data Inspectorate. The Ministry also points out that the consultative bodies have generally been positive that infringement fines can be imposed on public authorities. " Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains i.a. an overview of which factors should be taken into account when considering both whether an infringement fee is to be imposed and which factors are to be assessed in connection with the measurement of the size of the fee. The article also indicates the magnitude of the fees, and that 8 appears from art. 83 no. 4 and no. 5 that the maximum rates depend on which provisions in the Privacy Regulation that has been violated. Article 83 (1) and (2) states: Each supervisory authority shall ensure that the imposition of infringement fines under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 in each case are effective, reasonable relation to the violation and acts as a deterrent. 2. Depending on the circumstances of each individual case, an infringement fine shall be imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j). When a decision is made as to whether an infringement fee shall be imposed as well as the amount of the infringement fee, it shall be in each individual In this case, due account shall be taken of the following: a) the nature, severity and duration of the infringement, taking into account the person concerned the nature, scope or purpose of the processing as well as the number of data subjects affected, and the extent of it damage they have suffered, b) whether the infringement was committed intentionally or negligently, c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects, (d) the degree of responsibility of the controller or processor, taking into account those technical and organizational measures they have implemented in accordance with Articles 25 and 32, e) any relevant previous violations committed by the data controller or the data processor, f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible negative effects of it, g) the categories of personal data affected by the infringement, (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in the extent to which the controller or processor has notified the infringement, (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that said measures complied with, (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 and k) any other aggravating or mitigating factor in the case, e.g. economic benefits that are achieved, or losses that have been avoided, directly or indirectly, as a result of the violation. The provision basically provides instructions that the imposition of an infringement fee is due to a discretionary overall assessment, but lays down guidelines for the exercise of discretion by drawing present moments that should have special emphasis. The first paragraph of the article states that the infringement fine in each individual case must be effective, proportionate to the violation and act as a deterrent. We also refer to the Privacy Council's guidelines regarding the application and determination of infringement fine in accordance with Regulation (EU) 2016/679 (WP 253), where 9The Privacy Council explains the general criteria in art. 83 no. 1, and the moments in art. 83 no. 2.3 4 The Data Inspectorate's assessments and reasons for decisions The non-conformance report has revealed circumstances that constitute possible violations of the Privacy Ordinance Article 32 (1): Storage of an open and unprotected digital folder with files that contain usernames and passwords to the information systems in the primary school in Bergen municipality, in clear text and on in such a way that the information is accessible to all users of the information systems, ie teachers and pupils in primary school, is in violation of the Privacy Ordinance art. 32 No. 1. This discrepancy is closed. Failure to implement two-factor authentication for logging in to the information systems, to achieve the necessary level of security to ensure lasting confidentiality, integrity, availability and robustness in the treatment systems, constitute a breach of Article 32 (1) of the Privacy Regulation Further justification for why we believe there is a breach of these provisions appears below. 4.1 Justification for a decision on an order to implement measures Bergen municipality is responsible for the processing of the treatments mentioned in the case. In this context, Identum is to be regarded as a data processor for Bergen municipality. The Data Inspectorate believes that there is a breach of the provision in the Privacy Ordinance article 32 no. 1, which makes demands on the data controller and the data processor that it appropriate technical and organizational measures are implemented to achieve a level of security that is suitable in terms of risk. On 17 August 2018, Bergen municipality introduced two-factor authentication for everyone involved administrator access in eFeide. As the Data Inspectorate sees it, it is not sufficient that two-factor authentication only includes those with administrator access. Bergen municipality must change all employees' login to all information system with personal information about students, by that strong authentication (two-factor authentication) is established for login over external networks and on elevnett. In this connection, the Data Inspectorate points out that children in particular are entitled to a high degree of protection when it does processed information about them, see the Privacy Ordinance's proposition point 38 where it says: "Children's personal data deserve special protection, as children may be smaller aware of current risks, consequences and guarantees, as well as the rights they have when it comes to the processing of personal data. " 3 Originally prepared by the Article 29 Group, but adopted by the Privacy Council, see the Privacy Council "Endorsement 1/2018", section 16. The documents are available at https://edpb.europa.eu 104.2 Grounds for decision on infringement fine The right to impose infringement fines is provided as a means of ensuring effective compliance with and enforcement of the Personal Data Act. Internal law is a violation fee not to be regarded as a punishment but as an administrative sanction. However, it must be assumed that infringement fines are to be regarded as penalties under the ECHR (European Convention), Article 6, and in accordance with the case law of the Supreme Court, cf. Rt. 2012 page 1556 med further references. The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required offense in order to impose a fee. The case and the question of imposing infringement fines are assessed on the basis of this evidentiary requirement. The Norwegian Data Protection Authority finds it clear that Bergen municipality has processed personal data in a way which is contrary to Article 32 of the Regulation, see notice of decision above. As mentioned above, Article 83 basically provides for the imposition of violation fee is based on a discretionary overall assessment, but adds guidance the exercise of discretion by highlighting factors that should have particular weight, taking into account that imposition of infringement fines in each individual case shall be effective, proportionate and deterrent. We have placed particular emphasis on the following aspects in our assessment of whether or not infringement fines must be imposed: a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the act concerned or the number of data subjects affected, and the extent of the damage they have suffered The breach of personal data security is a result of lack of technical and organizational measures that ensure satisfactory information security with regard to confidentiality and integrity, cf. Article 32 of the Regulation. We also refer to Advocacy of the Privacy Regulation 83. The violation includes over 35,000 teachers and children in primary school in Bergen municipality. The registrants' usernames and passwords could potentially have been exposed to all users, at worst fall 35,000 people. The violation mainly involves children, who to a lesser extent have preconditions for safeguarding their rights and freedoms. In addition, registration of information about children compulsory in primary school in the municipality. The children can not choose whether they want to be on this platform, where i.a. Its Learning is included, Its Learning is compulsory for all children. Unauthorized persons may have gained access to personal information about many people, both on learning platforms, school administrative system, etc. We refer here to the Privacy Ordinance Advocate 38, where it is pointed out that children's personal data must be given special protection. 11The fact that children's rights and freedoms have been exposed makes the violation extra serious, and The Norwegian Data Protection Authority has emphasized this as an aggravating circumstance. The Data Inspectorate has also added emphasis that the use of the platform is mandatory for children. As early as 15 May, the school reported the breach of ICT's personal data security Help desk. This was a potential discrepancy which in that case should have been reported to the Norwegian Data Protection Authority iht. the then applicable Personal Data Act § 13, cf. the Personal Data Regulations 2000 § 2- 6. However, this was not done. The reported breach of personal data security applies to the period 22 June to 15. August 2018. However, the breach of personal data security must be regarded as having occurred from no later than the time when the school reported this to the ICT Helpdesk. We also note that this not only applies to the lack of introduction of two-factor authentication, but also to deficiencies handling of folder with username and password, which was openly available. The relevant the context taken into account, the Data Inspectorate considers it serious that such information was available openly available over an extended period. We refer here to the principle of liability in Article 5 no. 2, cf. Article 5 no. 1 letter f, as it has a special duty on it controllers to comply with the principles set out in Article 5. b) whether the infringement was committed intentionally or negligently In 2013/2014, the Norwegian Data Protection Authority had several inspections aimed at the school sector in Norwegian municipalities. Following these inspections, deficiencies were found in the access control for employees' access to personal information about many students. The Data Inspectorate therefore instructed the municipalities to use strong authentication, ie two-factor authentication, for employees' access to learning platforms and school administrative systems. Our position was made known on our websites, and opposite The IT environments in the municipalities, among other things through lectures, inspections and other meetings. We carried out a local inspection of Møhlenpris school in 2013 (Datatilsynet's case reference 13/00941), which was specifically aimed at using the School Wide mapping tool Information System (SWIS). After this inspection, we imposed on Bergen municipality, in its capacity as to be responsible for processing, to use strong authentication in connection with the use of SWIS by this school. The Norwegian Data Protection Authority has also prepared a guide for the use of strong authentication / two-factor authentication, which is available on our websites. There we explain in more detail why strong authentication is required, and in which cases such authentication is required. Identum, which is Bergen municipality's supplier of eFeide, has stated that talks about the use of eFeide started in the autumn of 2016, and that Identum gave Bergen municipality an offer to use eFeide with an option for two-factor authentication on 17 March 2017. Over a year later, the option agreement was not used. First, the municipality has been notified by its supplier that the use of two-factor authentication was a necessary security measure, see above. Secondly, have The privacy ombudsman in Bergen municipality pointed out the requirement for two-factor authentication when using eFeide, without the management having done what is necessary for the establishment. 12We consider it beyond doubt that Bergen municipality has had knowledge of the need for the establishment of two-factor authentication in eFeide. By not taking the necessary ones steps, the municipality has acted reprehensibly. This indicates a lack of awareness of where important it is with necessary safety measures, and inadequate care of the principle of responsibility. This must be described as negligent, and in our opinion this is a serious one degree of negligence. We also point out that Bergen municipality did not follow up when it became known with the possible breaches of regulations. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects It is clear that Bergen municipality has routines for handling deviations, but that the notice from employees were not forwarded in the system. When the breach of personal data security was reported on Friday 17 August, access was granted folder blocked. In retrospect, the municipality has established two-factor authentication in the eFeide user administration tool for accounts with administrator access to eFeide. d) the degree of responsibility of the data controller or data processor, taking into account to the technical and organizational measures they have implemented in accordance with Article 25 and 32 The Privacy Ordinance has introduced a much higher degree of responsibility for it persons responsible for processing, cf. the principle of liability in Article 5. Bergen municipality does not have implemented technical or organizational measures, which live up to the principles of embedded privacy, cf. Article 25. The Norwegian Data Protection Authority also does not find that Bergen Municipality has secured a sufficient level of security, cf. Article 32. It can therefore be stated that Bergen Municipality has demonstrated poor accountability in relation to acceptable level of protection. e) any relevant previous violations committed by the data controller or the data processor In the case against Bergen municipality and Møhlenpris school (see under point b), a decision was made that the municipality had to make use of two-factor authentication in access control. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it Bergen municipality has reported the violation and has been in dialogue with the Norwegian Data Protection Authority below the course of the case, without it having helped to reduce the possible negative effects of the infringement. g) the categories of personal data affected by the infringement We can not establish that special categories of personal data, as defined in Article 9 of the Privacy Regulation has been exposed to unauthorized persons. Then the violation includes children, we refer to point 75 of the Privacy Ordinance, where it is pointed out that special consideration shall be given to the risk associated with children's personal data, regarding the processing includes a large amount of personal information and affects a large number of data subjects. 13Information that has been available is username, password, full name, school affiliation and school class. In eFeide, it is also possible to see the birth number and address of each person. Employees are also registered with a telephone number, which was visible in eFeide. In addition, has the security breach has meant that the potential for access to sensitive personal information has been present. Its Learning is a system available via eFeide. Here it will be possible to register sensitive personal information about e.g. absence. h) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified of the infringement The Norwegian Data Protection Authority first became aware of the current situation through media coverage. The Data Inspectorate was first notified of the breach of personal data security from Bergen municipality on 15 August 2018. (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that the said measures are complied with No measures have previously been taken against Bergen municipality with regard to same subject matter. (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 Not relevant to the case. k) any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement The Data Inspectorate has not established that Bergen municipality has had financial benefits, or avoided losses directly or indirectly as a result of the infringement. In assessing whether an infringement fee should be imposed, the Norwegian Data Protection Authority places particular emphasis on the fact that the violations have significantly violated basic principles that the regulation protects, cf. Article 5 (1) (f) of the Regulation, which states that 'personal data shall be processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal treatment and against unintentional loss, destruction or damage, by the use of appropriate technical or organizational measures ("integrity and confidentiality") ". The Data Inspectorate places particular emphasis on the fact that no two-factor authentication was established in eFeide, to despite the fact that the municipality had knowledge of the necessity of this. The Data Inspectorate is assessing this as serious. The users of the municipality's services have a clear and worthy of protection interest in deficient security measures where confidentiality is required. This can get serious consequences for the individual both because the environment gets access to information such as the registered person has not himself chosen to make known, and as it is obligatory to register, however also because the availability makes it unpredictable how many have acquired the information. General preventive reasons and the consideration that the rules should have effect and effect 14 according to its purpose, then speaks with force that it reacts with a tool such as infringement fine. The Data Inspectorate cannot see that the other aspects that the law emphasizes apply in appreciable degree - neither in aggravating nor mitigating direction. Following this, the Data Inspectorate has come to the conclusion that an infringement fee should be imposed. The size of the fee In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that «As a starting point, the same rules for infringement fines shall apply public bodies as for private, as this is the scheme under current Personal Data Act. » The ministry further writes that they have noted the concern as some public consultation bodies have expressed, but the Ministry assumes that within the rules of Article 83 of the Regulation, which also sets out the factors to be taken into account in the measurement of administrative fees, there is room for considerable consideration with regard to the size of fee. The Ministry states that «[t] he limits in the regulation Article 83 state maximum limits for the calculation of administrative fees, while no one has been set minimum limits. " With regard to the size of the fee, the same factors shall apply as when assessing whether the fee shall be imposed, special weight shall be given. The conditions the Data Inspectorate has pointed out above speak for themselves fee of a certain size. The fee should be set so high that it also has an effect beyond it specific case, at the same time as the size of the fee must be in a reasonable proportion to the violation and the business, cf. art. 83 No. 1. We have particularly noted that the municipality had not established two-factor authentication despite knowledge that this was necessary. Furthermore, we have looked at the general expectation of citizens should be able to ensure that municipal bodies follow the rules that have been given, and especially those that do individuals rights that are meant to be a protection against extradition of this kind information. The signal effect of this case, the general preventive considerations, we believe is clear. It is important that such incidents do not occur, and that all public bodies that process citizens' personal data and information on vulnerable persons such as children, must be aware of their responsibilities. Inadequate routines often have the consequence that the risk of errors increases. In this case have weak routines and non-compliance with the routines actually had a real consequence which also dictates an intensified reaction. It is also a significant moment that Bergen municipality is Norway's second largest municipality measured in number of inhabitants. Furthermore, it is stated in Bergensavisen 15 (https://www.ba.no/nyhet/okonomi/politikk/bergen-kommune-1-1-milliard-kroner-i- profit / s / 5-8-742795) that Bergen municipality had a significant profit in 2017, of 1.1 billion Norwegian kroner. We have also looked at this. After an overall assessment of the case, and then especially with regard to the seriousness of the violation and the legislation's requirement that the imposition of infringement fines in each individual case shall be effective, proportionate and dissuasive, we have come to the conclusion of an infringement charge NOK 1,600,000 is considered correct. 5 Concluding remarks Deadline for completion of the order The Data Inspectorate gives a deadline for implementation of the order until 30 April 2019. The municipality must within mentioned date confirm in writing to the Data Inspectorate that the order has been implemented. Unless unless otherwise stated, no further documentation is required that the order is completed. However, it is pointed out that the Norwegian Data Protection Authority will be able to carry out one follow-up of this. Right of appeal This decision can be appealed in accordance with the provisions of the Public Administration Act. Possible complaint must be submitted to the Norwegian Data Protection Authority within three weeks after the decision was received. An eventual complaint is sent to the Privacy Board for complaint processing. The Norwegian Data Protection Authority does in this connection note the right of access to the case documents, cf. the Public Administration Act § 18. If you have any questions, you can contact Knut Kaspersen on telephone 22 39 69 07. With best regards Bjørn Erik Thon director Knut Kaspersen subject director 16