Datatilsynet (Norway) - 18/02140

From GDPRhub
Datatilsynet (Norway) - 18/02140
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 32(1)(a) GDPR
Article 32(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 18.03.2019
Published: 19.03.2019
Fine: 1,600,000 NOK
Parties: Bergen municipality
National Case Number/Name: 18/02140
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

In 2019, the Norwegian DPA fined a municipality about €158,315 (NOK 1,600,000) for lacking security measures, as discovered by a 12 year old pupil at the school. The school pressed charges against the pupil, but withdrew them after massive media pressure.

English Summary

Facts

In May 2018 a pupil at a school in Bergen notified the ICT helpdesk of a folder he had found online, containing several files with usernames and passwords of over 35,000 users. However, the school management did not follow up on the notice.

In August, the pupil logged onto the learning management system as the school's principal and sent a message to several people. He expressed later that he did so because the school had failed to take his first notice seriously. When the school discovered this, it notified the police, who found out that the pupil sent the notification. He admitted he had simply guessed the principal's password.

The municipality failed to first notify the Norwegian DPA (Datatilsynet) of the breaches, who discovered these initially after being contacted by several media outlets (after the municipality sent out a press release the same day).

The DPA's investigation revealed that the school had failed to enable two-factor authentication, despite a campaign the DPA conducted in 2013-2014 in the education sector. At the time, the DPA instructed all municipalities in Norway to enable strong authentication on their learning management systems and other administrative systems. Thus, the DPA argues that it is beyond doubt that Bergen municipality was well aware of this security requirement.

Following this incident, the municipality reset all passwords and enabled two-factor authentication.

Holding

The DPA first instructed Bergen municipality to enable two-factor authentication in their systems, cf. Article 5(1)(f) GDPR, cf. Article 32(1)(b). Second, the DPA fined the municipality about €158,315 (NOK 1,600,000) for the lack of sufficient technical and organisational measures required by Article 5(1)(f) and Article 32(1)(a) and Article 32(1)(b).

Comment

This case got a lot of media attention in Norway, especially since the school decided to press charges. Both the school and the police was critised heavily in the media by the DPA's Data Protection Commissioner, the pupil's parents, and various organisations and political parties. The school withdrew their charges, but not until ten months later, when the police was done investigating the case.

Further Resources

Some news stories from the Norwegian media:

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 BERGEN MUNICIPALITY
 PO Box 7700

 5020 BERGEN






 Their reference Our reference Date
2019 / 04991-9 18 / 02140-13 / KBK 18.03.2019



Decision on order and infringement fee - Notification of deviations at Bergen

municipality

0. Introduction

We refer to a report of a breach of personal data security (deviation report) from Bergen
municipality sent 15 August 2018, the Data Inspectorate's notification of decision of 17 December 2018,
Bergen Municipality's feedback on the Data Inspectorate's notice of 31 January 2019 and other
relevant correspondence in the case.


The case concerns an incident where files with usernames and passwords of over 35,000 users in
Bergen municipality has been openly accessible to students. It has been possible to log in

on the school's various information systems as a student, employee or administrator of the school, and
thus gaining access to personal information about students and staff.


The Data Inspectorate has taken note of the allegations the municipality has made about the choice of law issue,
but can not see that these change our view of the matter. Bergen municipality has also given one
chronological presentation of the actual circumstances of the case, where i.a. an account is given of
the municipality's work with the introduction of two-factor authentication. However, the Data Inspectorate can not see

that this has an impact on our decision.

With regard to the notified decisions, the municipality states that these must be considered closed.

Regarding the notified decision no. 1, it is stated that the introduction will be completed these days.
The Data Inspectorate will, however, point out that the deviation can only be considered closed when the introduction of
two-factor authentication is complete. We therefore uphold the decision.


With regard to the notified decision no. 2, we note that the deviation is closed by you
complies with Article 5 and Article 32 of the Privacy Ordinance. This means that Bergen
municipality ensures a lasting confidentiality, integrity, accessibility and robustness

(Article 32 (1) (b)) and that you have a process for regular testing, analysis and
assessment of how effective the treatment's technical and organizational security measures are
(Article 32 (1) (d)).


1European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016, cf. Act of 15 June 2018 no. 38 on
processing of personal data (Personal Data Act) § 1.

Postal address: Office address: Telephone: Fax: Org.nr: Website:
PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no
0105 OSLOUt from the information in the case, the Data Inspectorate believes that Bergen municipality has violated the rules
on personal data security in the Privacy Ordinance. The Data Inspectorate makes three different decisions.
One decision concerns the imposition of infringement fines. The other two decisions apply
order to implement further measures.


A more detailed account of what the decision on order and infringement fee entails and
justification for that follows below.

1. Decision on order and infringement fine


1.1 Decision on order
Pursuant to Article 58 no. 2 letter d of the Privacy Ordinance, the Data Inspectorate makes decisions
on the following orders:

1) Bergen municipality must change all employees' login to all information systems such as

    contains personal information about students, by establishing strong authentication
    (two-factor authentication) for login over external networks and on student networks, cf.
    Article 5 (1) (f) of the Privacy Ordinance, cf. Article 32 (1), cf. letter b

1.2 Decision on infringement fines
Pursuant to the Personal Data Act § 26 second paragraph, the Data Inspectorate may impose public

authorities and bodies infringement fines under the rules of the Privacy Regulation Article
83.

Pursuant to section 26 of the Personal Data Act, cf. the Privacy Ordinance art. 83, fatter
The Data Inspectorate makes the following decision on infringement fines:


2) Bergen Municipality shall, pursuant to the Personal Data Act § 26 second paragraph, cf.
    Article 83 of the Privacy Ordinance, pay an infringement fee of NOK 1,600,000
    million six hundred thousand Norwegian kroner - to the Treasury, for not having completed
    appropriate technical and organizational measures to achieve a level of security that is appropriate with
    consideration of the risk, and ensuring lasting confidentiality, cf. the Privacy Ordinance
    Article 5 (1) (f) and the Privacy Regulation 32 (1) (a) and (b).



2. The facts and the course of the case


2.1 The progress of the case
The Data Inspectorate became aware of the case after Bergen municipality sent out on Friday 15 August 2018
press release. The case received great interest in the media and the Data Inspectorate was contacted the same day
VG, Bergens Tidende, Bergensavisa and NRK.




2We mean here wireless guest networks that students can connect to and that are open to others than the staff.



                                                                                              2Bergen municipality sent a report of a breach of personal data security
(deviation report) to the Norwegian Data Protection Authority on 15 August 2018.

The privacy ombudsman in Bergen municipality gave the Data Inspectorate an update on the breach
personal data security, by e-mail on 16 August. We received an additional message from
Bergen municipality on 24 August, which contained a report on the reported violation
personal data security, and a letter from the municipality that had been sent to parents and

guardians who were affected by the breach of personal data security.

The parents of one of the students at the relevant school have in an e-mail of 10 September contacted
to the Norwegian Data Protection Authority to give its version of the case. The Data Inspectorate has also been in telephone
Contact with:

     Bergen municipality's supplier of eFeide, Identum

     Principal at the current school
     West police district v / Ronny Haldorsen

2.2 The case includes the following systems

The municipality uses FEIDE as a login solution in the school. Bergen municipality has described
this solution as follows:

       «FEIDE is a user directory for students, which provides central user registration and« single
       sign-on »for various services and systems in use at school. eFeide is a tool to
       create and manage users in the FEIDE user directory. "


As the Data Inspectorate has understood, FEIDE is a national login solution that makes it possible
to share data related to education and research. When employees and students in primary school in
Bergen logs in via FEIDE, they get access to various systems, such as Its
Learning. Its Learning is a learning platform that in addition to school work as well
contains assessments and evaluations of individual students' performance. The system makes it possible
to communicate between students and teachers, and one can use free text fields where teachers can add
enter information about students registered in the system.


Another service that is available through FEIDE in Bergen municipality is Conexus
Engage. It is a tool for the individual teacher where the intention is to facilitate the teacher's work
related to the follow-up of the individual student. The service includes both mapping of professionals
as well as social conditions about the student.

Bergen municipality uses eFeide as a user administration tool. eFeide is a cloud solution

which makes it possible for staff and students to log in to the school's systems (via FEIDE) from
various devices (laptop, smartphone, etc.). As of 24 August 2018, eFeide had a total
35,601 unique users in Bergen municipality. Bergen municipality's eFeide system contains
information about the users' names, usernames, passwords, birth numbers, address,
school affiliation and school class. Employees are also registered with a telephone number.


eFeide is provided by Identum.



                                                                                             3Details about the actual circumstances of the case
In the following, we will describe how we, based on the case documents and information
obtained from various parties, perceives the actual circumstances of the case.

On Tuesday 15 May 2018, the ICT Helpdesk in Bergen municipality received a message from an employee at

a school stating that a folder with multiple files containing usernames and passwords was available
for students. This had been discovered by a student, who reported this to staff at the school. It
employees write the following in the e-mail to the ICT Helpdesk in Bergen municipality:

        "We have a student […] who looks very eagerly in his attempts to get into Bergen
        municipality's hidden pages in the student network. He has managed to find an overview of
        username and password for the student network - the old ones before eFeide. There are not as many as

        changed password yet (yes I know we are slow on that) but the student has not abused
        the information he has found. He has told us that he has found them and shown them
        super fast - you do like that, and like that, and like that…. I do not have the opportunity to keep up
        when he shows it.

        He's recently brought with him a memory pen where I think he has a program he has
        made at home. He told my colleague that what he was trying did not work.


        He has a lot of good knowledge about ICT systems, and is very interested in coding. But I am
        worried about whether he is heading for "wild paths" so that his skills can be used
        error.

        I have seized the PC he used last week (but am probably logged on to a new one now).

        It should be refueled. […] Is it interesting for you to check the log of the machine before
        it is done? And you have the opportunity to look at log files of what he is doing. "

The student, who is discussed here, found that the username and password of the account with administrator access
was in the folder that was available to students. Thus, he had the opportunity to see information
about all users in the municipality's FEIDE catalog. Both the student's contact teacher and another teacher
was in telephone contact with the ICT Helpdesk prior to the e-mail to inform about the breach

on personal data security. The school principal has confirmed this.

The student logged in to eFeide five times before notifying the school of the security risk.
The first login took place on 13 March 2018. The notification from the student contained information about several
conditions, including the folder with username and password. The message about the folder was
however, not followed up further by the management at the school.


This folder has been used to move data between different systems used by the school.
Every year at the start of school, new users are created. Every autumn holiday, the passwords of everyone are reset
user accounts, so that everyone has to create a new password when school starts after the holidays. By
password change, no previous password has been checked and excluded for later use. Users have
therefore had the opportunity to change back to previously used passwords after the autumn holidays.





                                                                                                 4Before 22 June and 30 July 2018, someone has entered the user administration tool eFeide
with a user account belonging to Bergen municipality, and changed the contact information associated with
Bergen municipality's customer relationship with Identum. This was discovered by Identum on Monday 13.
August.

On Tuesday 14 August, the student logged in to the learning platform Its Learning with the account to
principal at the said school. The student has sent a message to several people via FEIDE.

The message contained the password to the principal's account. The principal has confirmed that it was not him
who logged in at this time, and that it was not he who sent the message.

Due to findings in security logs, this was reported to the West Police District on Thursday 16 August.
The police acted on Friday morning, and confirm that a student admits to being behind both the change
in eFeide and the message from the principal's account. He has admitted to the police that he has
guessed the principal's password, and logged on to Its Learning with a total of ten different ones

account.

Identum implemented measures after discovering this, and reset passwords for everyone
administrator accounts in Bergen municipality when this was discovered on 13 August. Wednesday 15 August
passwords for all accounts were reset.

Identum v / Erik Lithun confirms in a telephone conversation with the Danish Data Protection Agency on Monday 10 September that

the company in the autumn of 2016 was in contact with Bergen municipality about the use of eFeide. March 17, 2017
sent Identum an offer to Bergen municipality on eFeide with an option to use
two-factor authentication.

The privacy ombudsman in Bergen municipality has stated that it has pointed out the need for
two-factor authentication as a necessary security measure for logging in to eFeide.


The Privacy Ombudsman has stated by telephone that Bergen Municipality has routines for access control
to eFeide, but that these were not followed in this case. The routines are subsequently sent to
The Data Inspectorate by e-mail.

As mentioned, Bergen municipality published a press release about the case on 15 August. Those affected have
also been informed per. letter.


Bergen municipality has, after the case became known in the media, introduced two-factor authentication in
the eFeide user administration tool for accounts with administrator access to eFeide
(technical personnel). This was implemented on Friday 17 August.


3 The regulations in the area

3.1 Which regulations should be applied - question of choice of law
The new Personal Data Act (Personal Data Act 2018), which in § 1 incorporates the EU
privacy ordinance in Norwegian law, entered into force on 20 July 2018. The law also repealed the law
14.04.2000 no. 31 on the processing of personal data (Personal Data Act 2000) and

the rules in the Personal Data Regulations 15.12.2000 no. 1265 on the processing of



                                                                                               5personal information (Personal Data Regulations 2000). Because of the case
course of events, it is necessary to decide whether the case should be assessed accordingly
the Personal Data Act of 2018 or the Personal Data Act 2000.

We have come to the conclusion that the Personal Data Act of 2018 must be applied in the case. Thus comes
also the provisions of the Privacy Ordinance apply, cf. section 1 of the Act. This applies to everyone
aspects of the case, including those concerning the imposition of infringement fines, cf. also

the Personal Data Act § 26 second paragraph and § 33.

This case concerns a breach of the regulations that has occurred at a time prior to
the entry into force of the Personal Data Act 2018. However, the breaches of regulations have been
continuous and has persisted in time, and was discovered on August 15, that is, after
the date of entry into force of the new Personal Data Act. The current events have
in other words, extended over a longer period. The first time it was found defective

security routines were when this was reported to the ICT Helpdesk on 15 May 2018. On this
the time applied as the Personal Data Act 2000 and the Personal Data Regulations of
2000. The regulations §§ 2-6, 2-11, 2-13 and 2-14 regulated such matters as the case deals with.

The relevant conditions that are under consideration have thus arisen before the entry into force of
the Personal Data Act 2018, but they have persisted and been continuous for some time after it
The new Personal Data Act came into force on 20 July.


The Personal Data Act 2018 § 33 first paragraph lays down a special transitional rule
infringement fee which reads as follows:

        «The rules on the processing of personal data that applied at the time of the action,
        shall be used as a basis when a decision on an infringement fine is made. The legislation on
        the time of the decision shall nevertheless be used when this leads to a more favorable one

        result for the person responsible. "

When a decision is made on an infringement fee, the question of choice of law must therefore be assessed on the basis of
what must be considered the time of action. The Danish Data Protection Agency's assessment is that
the time of action in this case is extended in time - the illegal act or acts have
occurred before July 20, but it has been, and will continue to be, a constant

and continuous breaches of regulations until the person in charge of treatment takes care of bringing
the treatment activities in accordance with the requirements of the regulations. As the treatment manager
has not taken any action to bring to an end the illegal treatment activities
and in accordance with the requirements of the regulations before August this year, the time of action in § 33 must be considered to
be after the date of entry into force of the new Personal Data Act. It thus follows
§ 33 of the Personal Data Act that this case shall be assessed in accordance with the Personal Data Act
2018. This is also in accordance with ECHR art 7, which refers to resp.

«The time of the action» and «the time when [the action] was committed».

We also refer to the preparatory work for the Personal Data Act 2018 (Prop. 56 LS (2017-2018) page
196), where the Ministry states, among other things, the following on questions of choice of law between
the Personal Data Act 2000 and the Personal Data Act 2018:




                                                                                               6 «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to
        is made on the basis of the material rules in force at any given time ».


The same follows from the Privacy Board's practice in cases that do not concern infringement fines
and which is submitted to the tribunal before a new law, but which is processed according to a new law. See for example PVN-
2018-005 and PVN-2018-006.


Against this background, we consider it clear that cases that apply on an ongoing or ongoing basis
Violations of the rules must be assessed in accordance with the Personal Data Act 2018 and the Privacy Ordinance.

3.2 The rules in the Privacy Ordinance
The Privacy Ordinance regulates all aspects of the processing of personal data.

Article 5 of the Privacy Regulation deals with what must be said to be the core of
the right to privacy, and the article is absolutely central to the interpretation of the regulation's upper rest
provisions. Violation of the principles in art. 5 may in itself lead to the imposition of
sanctions, and it follows from Art. 83 no. 5 that violations of art. 5 are among the offenses
which can result in the highest infringement fines, ie 20,000,000 euros (currently approx. 195)

NOK million) for data controllers or data processors that are not to be counted as
companies.

The provision in art. 5 sounds as follows:

Article 5. Principles for the processing of personal data

1. Personal data shall
 a) is treated in a lawful, fair and transparent manner with respect to the data subject («legality,
    justice and transparency »),

 b) collected for specific, expressly stated and justified purposes and not further processed on a
    manner incompatible with these purposes; further processing for archival purposes in the public
    interest, for purposes related to scientific or historical research or for statistical purposes
    shall, in accordance with Article 89 (1), not be considered incompatible with its original purpose
    ("Purpose limitation"),
 c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed
    ("Data minimization"),

 d) be correct and, if necessary, up to date; every reasonable step must be taken to ensure that
    personal data that are incorrect with regard to the purposes for which they are processed, without delay
    deleted or corrected ("correctness"),
 e) is stored so that it is not possible to identify the data subjects for longer periods than at present

    necessary for the purposes for which the personal data are processed; personal information can be stored
    for longer periods if they will be processed exclusively for archival purposes in the general public
    interest, for purposes related to scientific or historical research or for statistical purposes in
    in accordance with Article 89 (1), provided that appropriate technical and organizational arrangements are made
    measures required by this Regulation to ensure the rights and freedoms of data subjects
    ("Storage limitation"),
 f) is processed in a way that ensures sufficient security for personal data, including protection
    against unauthorized or illegal treatment and against unintentional loss, destruction or damage, by the use of

    appropriate technical or organizational measures ("integrity and confidentiality").



                                                                                                    72. The controller is responsible for and must be able to demonstrate that No. 1 is complied with («responsibility»).

As stated in the provision, Art. 5 no. 1 letter f personal data security
and the principle of duty to ensure the necessary integrity and confidentiality. Species. 5 No. 2 knee sets
the principle of responsibility, which states that it is the data controller who is responsible for

comply with the privacy principles in art. 5 No. 1.

The principle in art. 5 No. 1 letter f on integrity and confidentiality is described in more detail and
supplemented by more specific provisions in the Privacy Ordinance, Chapter IV, see e.g. article
24 on the implementation of necessary appropriate technical and organizational measures, Article 25 on
requirements for built-in privacy and privacy by default, and so on.


The rules on personal data security are set out in Chapter IV, Section 2. Here is Article 32
central. Article 32 (1) (a) and (b) states:

Article 32. Safety of treatment

1. Taking into account technical progress, implementation costs and the nature of the treatment,
the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and
severity of the rights and freedoms of natural persons, the person responsible for treatment and
the data processor implement appropriate technical and organizational measures to achieve a level of security
which is suitable in terms of risk, including, inter alia, as appropriate,
 a) pseudonymisation and encryption of personal data,
 b) ability to ensure lasting confidentiality, integrity, availability and robustness in
    treatment systems and services


3.3. In particular on the imposition of infringement fines

The Privacy Regulation leaves it to the Member States to determine whether infringement fines should apply
could be imposed on public authorities and bodies, cf. Article 83 (7).
Act (2018) § 26 second paragraph, it is determined that the Data Inspectorate may impose on public authorities
and bodies infringement fines in accordance with the rules in the Privacy Ordinance Article 83, cf. Article
83 No. 7.


In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry refers to
that


        «The Data Inspectorate in several cases has imposed administrative fees on public bodies, and
        the ministry can see no reason not to continue such access for
        The Data Inspectorate. The Ministry also points out that the consultative bodies have generally been
        positive that infringement fines can be imposed on public authorities. "

Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision

contains i.a. an overview of which factors should be taken into account when considering both
whether an infringement fee is to be imposed and which factors are to be assessed in connection
with the measurement of the size of the fee. The article also indicates the magnitude of the fees, and that





                                                                                                   8 appears from art. 83 no. 4 and no. 5 that the maximum rates depend on which provisions in
the Privacy Regulation that has been violated.


Article 83 (1) and (2) states:
Each supervisory authority shall ensure that the imposition of infringement fines under this Article for

infringements of this Regulation referred to in paragraphs 4, 5 and 6 in each case are effective,
reasonable relation to the violation and acts as a deterrent.
2. Depending on the circumstances of each individual case, an infringement fine shall be imposed in addition to or
instead of the measures referred to in Article 58 (2) (a) to (h) and (j). When a decision is made as to whether

an infringement fee shall be imposed as well as the amount of the infringement fee, it shall be in each individual
In this case, due account shall be taken of the following:
 a) the nature, severity and duration of the infringement, taking into account the person concerned
    the nature, scope or purpose of the processing as well as the number of data subjects affected, and the extent of it
    damage they have suffered,
 b) whether the infringement was committed intentionally or negligently,

 c) any measures taken by the data controller or data processor to limit
    the damage suffered by the data subjects,
 (d) the degree of responsibility of the controller or processor, taking into account those
    technical and organizational measures they have implemented in accordance with Articles 25 and 32,

 e) any relevant previous violations committed by the data controller or
    the data processor,
 f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible

    negative effects of it,
 g) the categories of personal data affected by the infringement,
 (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in
    the extent to which the controller or processor has notified the infringement,

 (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
    data controller or data processor with respect to the same subject matter, that said measures
    complied with,

 (j) compliance with approved standards of conduct in accordance with Article 40 or approved
    certification mechanisms in accordance with Article 42 and
 k) any other aggravating or mitigating factor in the case, e.g. economic benefits that are
    achieved, or losses that have been avoided, directly or indirectly, as a result of the violation.


The provision basically provides instructions that the imposition of an infringement fee is due to
a discretionary overall assessment, but lays down guidelines for the exercise of discretion by drawing
present moments that should have special emphasis. The first paragraph of the article states that

the infringement fine in each individual case must be effective, proportionate to
the violation and act as a deterrent.

We also refer to the Privacy Council's guidelines regarding the application and determination of
infringement fine in accordance with Regulation (EU) 2016/679 (WP 253), where








                                                                                                       9The Privacy Council explains the general criteria in art. 83 no. 1, and the moments in art. 83 no.
2.3


4 The Data Inspectorate's assessments and reasons for decisions

The non-conformance report has revealed circumstances that constitute possible violations of the Privacy Ordinance
Article 32 (1):


 Storage of an open and unprotected digital folder with files that contain usernames
    and passwords to the information systems in the primary school in Bergen municipality, in clear text and on
    in such a way that the information is accessible to all users of the information systems,
    ie teachers and pupils in primary school, is in violation of the Privacy Ordinance art. 32 No. 1.
    This discrepancy is closed.


 Failure to implement two-factor authentication for logging in to the information systems,
    to achieve the necessary level of security to ensure lasting confidentiality, integrity,
    availability and robustness in the treatment systems, constitute a breach of
    Article 32 (1) of the Privacy Regulation


Further justification for why we believe there is a breach of these provisions
appears below.

4.1 Justification for a decision on an order to implement measures
Bergen municipality is responsible for the processing of the treatments mentioned in the case.

In this context, Identum is to be regarded as a data processor for Bergen municipality.
The Data Inspectorate believes that there is a breach of the provision in the Privacy Ordinance article
32 no. 1, which makes demands on the data controller and the data processor that it
appropriate technical and organizational measures are implemented to achieve a level of security that is
suitable in terms of risk.


On 17 August 2018, Bergen municipality introduced two-factor authentication for everyone involved
administrator access in eFeide. As the Data Inspectorate sees it, it is not sufficient that
two-factor authentication only includes those with administrator access. Bergen municipality must change
all employees' login to all information system with personal information about students, by that
strong authentication (two-factor authentication) is established for login over external networks and on

elevnett.

In this connection, the Data Inspectorate points out that children in particular are entitled to a high degree of protection when it does
processed information about them, see the Privacy Ordinance's proposition point 38 where it says:


        "Children's personal data deserve special protection, as children may be smaller
        aware of current risks, consequences and guarantees, as well as the rights they have
        when it comes to the processing of personal data. "

3
 Originally prepared by the Article 29 Group, but adopted by the Privacy Council, see the Privacy Council
"Endorsement 1/2018", section 16. The documents are available at https://edpb.europa.eu



                                                                                               104.2 Grounds for decision on infringement fine
The right to impose infringement fines is provided as a means of ensuring effective
compliance with and enforcement of the Personal Data Act. Internal law is a violation fee
not to be regarded as a punishment but as an administrative sanction. However, it must be assumed that
infringement fines are to be regarded as penalties under the ECHR (European
Convention), Article 6, and in accordance with the case law of the Supreme Court, cf. Rt. 2012 page 1556 med

further references.

The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required
offense in order to impose a fee. The case and the question of imposing
infringement fines are assessed on the basis of this evidentiary requirement.

The Norwegian Data Protection Authority finds it clear that Bergen municipality has processed personal data in a way

which is contrary to Article 32 of the Regulation, see notice of decision above.

As mentioned above, Article 83 basically provides for the imposition of
violation fee is based on a discretionary overall assessment, but adds guidance
the exercise of discretion by highlighting factors that should have particular weight, taking into account that
imposition of infringement fines in each individual case shall be effective, proportionate
and deterrent.


We have placed particular emphasis on the following aspects in our assessment of whether or not
infringement fines must be imposed:

a) the nature, severity and duration of the infringement, taking into account
    the nature, extent or purpose of the act concerned or the number of data subjects affected,

    and the extent of the damage they have suffered
The breach of personal data security is a result of lack of technical and
organizational measures that ensure satisfactory information security with regard to
confidentiality and integrity, cf. Article 32 of the Regulation. We also refer to
Advocacy of the Privacy Regulation 83.

The violation includes over 35,000 teachers and children in primary school in Bergen municipality. The

registrants' usernames and passwords could potentially have been exposed to all users, at worst
fall 35,000 people. The violation mainly involves children, who to a lesser extent have
preconditions for safeguarding their rights and freedoms. In addition, registration of information
about children compulsory in primary school in the municipality. The children can not choose whether they want to be on
this platform, where i.a. Its Learning is included, Its Learning is compulsory for all children.

Unauthorized persons may have gained access to personal information about many people, both on

learning platforms, school administrative system, etc. We refer here to the Privacy Ordinance
Advocate 38, where it is pointed out that children's personal data must be given special protection.







                                                                                              11The fact that children's rights and freedoms have been exposed makes the violation extra serious, and
The Norwegian Data Protection Authority has emphasized this as an aggravating circumstance. The Data Inspectorate has also added
emphasis that the use of the platform is mandatory for children.

As early as 15 May, the school reported the breach of ICT's personal data security
Help desk. This was a potential discrepancy which in that case should have been reported to the Norwegian Data Protection Authority
iht. the then applicable Personal Data Act § 13, cf. the Personal Data Regulations 2000 § 2-

6. However, this was not done.

The reported breach of personal data security applies to the period 22 June to 15.
August 2018. However, the breach of personal data security must be regarded as having occurred from
no later than the time when the school reported this to the ICT Helpdesk. We also note that this
not only applies to the lack of introduction of two-factor authentication, but also to deficiencies
handling of folder with username and password, which was openly available. The relevant

the context taken into account, the Data Inspectorate considers it serious that such information was available
openly available over an extended period. We refer here to the principle of liability in Article 5
no. 2, cf. Article 5 no. 1 letter f, as it has a special duty on it
controllers to comply with the principles set out in Article 5.

b) whether the infringement was committed intentionally or negligently
In 2013/2014, the Norwegian Data Protection Authority had several inspections aimed at the school sector in Norwegian municipalities.

Following these inspections, deficiencies were found in the access control for employees' access to
personal information about many students. The Data Inspectorate therefore instructed the municipalities to use strong
authentication, ie two-factor authentication, for employees' access to learning platforms and
school administrative systems. Our position was made known on our websites, and opposite
The IT environments in the municipalities, among other things through lectures, inspections and other meetings. We
carried out a local inspection of Møhlenpris school in 2013 (Datatilsynet's case reference
13/00941), which was specifically aimed at using the School Wide mapping tool

Information System (SWIS). After this inspection, we imposed on Bergen municipality, in its capacity as to
be responsible for processing, to use strong authentication in connection with the use of SWIS by
this school.

The Norwegian Data Protection Authority has also prepared a guide for the use of strong authentication / two-factor authentication,
which is available on our websites. There we explain in more detail why strong

authentication is required, and in which cases such authentication is required.

Identum, which is Bergen municipality's supplier of eFeide, has stated that talks about the use of
eFeide started in the autumn of 2016, and that Identum gave Bergen municipality an offer to use eFeide
with an option for two-factor authentication on 17 March 2017. Over a year later, the option agreement was not
used.


First, the municipality has been notified by its supplier that the use of
two-factor authentication was a necessary security measure, see above. Secondly, have
The privacy ombudsman in Bergen municipality pointed out the requirement for two-factor authentication when using
eFeide, without the management having done what is necessary for the establishment.





                                                                                                12We consider it beyond doubt that Bergen municipality has had knowledge of
the need for the establishment of two-factor authentication in eFeide. By not taking the necessary ones
steps, the municipality has acted reprehensibly. This indicates a lack of awareness of where
important it is with necessary safety measures, and inadequate care of
the principle of responsibility. This must be described as negligent, and in our opinion this is a serious one
degree of negligence. We also point out that Bergen municipality did not follow up when it became known
with the possible breaches of regulations.


c) any measures taken by the data controller or data processor to
    limit the damage suffered by the data subjects
It is clear that Bergen municipality has routines for handling deviations, but that the notice from
employees were not forwarded in the system.

When the breach of personal data security was reported on Friday 17 August, access was granted

folder blocked. In retrospect, the municipality has established two-factor authentication in
the eFeide user administration tool for accounts with administrator access to eFeide.

d) the degree of responsibility of the data controller or data processor, taking into account
    to the technical and organizational measures they have implemented in accordance with Article 25 and
    32
The Privacy Ordinance has introduced a much higher degree of responsibility for it

persons responsible for processing, cf. the principle of liability in Article 5. Bergen municipality does not have
implemented technical or organizational measures, which live up to the principles of embedded
privacy, cf. Article 25. The Norwegian Data Protection Authority also does not find that Bergen Municipality has secured a
sufficient level of security, cf. Article 32. It can therefore be stated that Bergen Municipality has
demonstrated poor accountability in relation to acceptable level of protection.


e) any relevant previous violations committed by the data controller or
    the data processor
In the case against Bergen municipality and Møhlenpris school (see under point b), a decision was made
that the municipality had to make use of two-factor authentication in access control.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
    possible negative effects of it

Bergen municipality has reported the violation and has been in dialogue with the Norwegian Data Protection Authority below
the course of the case, without it having helped to reduce the possible negative effects of
the infringement.

g) the categories of personal data affected by the infringement
We can not establish that special categories of personal data, as defined in
Article 9 of the Privacy Regulation has been exposed to unauthorized persons. Then the violation

includes children, we refer to point 75 of the Privacy Ordinance, where it is pointed out that
special consideration shall be given to the risk associated with children's personal data, regarding the processing
includes a large amount of personal information and affects a large number of data subjects.






                                                                                             13Information that has been available is username, password, full name, school affiliation and
school class. In eFeide, it is also possible to see the birth number and address of each person.
Employees are also registered with a telephone number, which was visible in eFeide. In addition, has
the security breach has meant that the potential for access to sensitive personal information has been
present. Its Learning is a system available via eFeide. Here it will be possible to register
sensitive personal information about e.g. absence.


h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
    possibly to what extent the data controller or data processor has
    notified of the infringement
The Norwegian Data Protection Authority first became aware of the current situation through media coverage. The Data Inspectorate
was first notified of the breach of personal data security from Bergen municipality on 15 August
2018.


(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
    data controller or data processor with respect to the same subject matter, that
    the said measures are complied with
No measures have previously been taken against Bergen municipality with regard to
same subject matter.

(j) compliance with approved standards of conduct in accordance with Article 40 or approved

    certification mechanisms in accordance with Article 42
Not relevant to the case.

k) any other aggravating or mitigating factor in the case, e.g. economic benefits
    which have been obtained, or losses which have been avoided, directly or indirectly, as a result of
    the infringement
The Data Inspectorate has not established that Bergen municipality has had financial benefits, or

avoided losses directly or indirectly as a result of the infringement.

In assessing whether an infringement fee should be imposed, the Norwegian Data Protection Authority places particular emphasis on the fact that
the violations have significantly violated basic principles that the regulation protects, cf.
Article 5 (1) (f) of the Regulation, which states that 'personal data shall be processed
in a way that ensures adequate security of personal data, including protection against

unauthorized or illegal treatment and against unintentional loss, destruction or damage, by the use of
appropriate technical or organizational measures ("integrity and confidentiality") ".

The Data Inspectorate places particular emphasis on the fact that no two-factor authentication was established in eFeide, to
despite the fact that the municipality had knowledge of the necessity of this. The Data Inspectorate is assessing
this as serious. The users of the municipality's services have a clear and worthy of protection
interest in deficient security measures where confidentiality is required. This can get

serious consequences for the individual both because the environment gets access to information such as
the registered person has not himself chosen to make known, and as it is obligatory to register, however
also because the availability makes it unpredictable how many have acquired
the information. General preventive reasons and the consideration that the rules should have effect and effect





                                                                                              14 according to its purpose, then speaks with force that it reacts with a tool such as
infringement fine.

The Data Inspectorate cannot see that the other aspects that the law emphasizes apply in
appreciable degree - neither in aggravating nor mitigating direction.

Following this, the Data Inspectorate has come to the conclusion that an infringement fee should be imposed.


The size of the fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that

        «As a starting point, the same rules for infringement fines shall apply
        public bodies as for private, as this is the scheme under current
        Personal Data Act. »


The ministry further writes that they have noted the concern as some public
consultation bodies have expressed, but the Ministry assumes that within the rules of
Article 83 of the Regulation, which also sets out the factors to be taken into account in the measurement
of administrative fees, there is room for considerable consideration with regard to the size of
fee. The Ministry states that «[t] he limits in the regulation Article 83 state
maximum limits for the calculation of administrative fees, while no one has been set

minimum limits. "

With regard to the size of the fee, the same factors shall apply as when assessing whether the fee
shall be imposed, special weight shall be given. The conditions the Data Inspectorate has pointed out above speak for themselves
fee of a certain size. The fee should be set so high that it also has an effect beyond it
specific case, at the same time as the size of the fee must be in a reasonable proportion to the violation
and the business, cf. art. 83 No. 1.


We have particularly noted that the municipality had not established two-factor authentication despite
knowledge that this was necessary. Furthermore, we have looked at the general expectation of citizens
should be able to ensure that municipal bodies follow the rules that have been given, and especially those that do
individuals rights that are meant to be a protection against extradition of this kind
information.


The signal effect of this case, the general preventive considerations, we believe is clear. It is
important that such incidents do not occur, and that all public bodies that process
citizens' personal data and information on vulnerable persons such as children, must
be aware of their responsibilities.

Inadequate routines often have the consequence that the risk of errors increases. In this case have weak

routines and non-compliance with the routines actually had a real consequence which also dictates
an intensified reaction.

It is also a significant moment that Bergen municipality is Norway's second largest municipality
measured in number of inhabitants. Furthermore, it is stated in Bergensavisen




                                                                                              15 (https://www.ba.no/nyhet/okonomi/politikk/bergen-kommune-1-1-milliard-kroner-i-
profit / s / 5-8-742795) that Bergen municipality had a significant profit in 2017, of 1.1

billion Norwegian kroner. We have also looked at this.

After an overall assessment of the case, and then especially with regard to the seriousness of the violation and
the legislation's requirement that the imposition of infringement fines in each individual case shall be
effective, proportionate and dissuasive, we have come to the conclusion of an infringement charge
NOK 1,600,000 is considered correct.


5 Concluding remarks

Deadline for completion of the order

The Data Inspectorate gives a deadline for implementation of the order until 30 April 2019. The municipality must within
mentioned date confirm in writing to the Data Inspectorate that the order has been implemented. Unless
unless otherwise stated, no further documentation is required that the order is
completed. However, it is pointed out that the Norwegian Data Protection Authority will be able to carry out one
follow-up of this.

Right of appeal
This decision can be appealed in accordance with the provisions of the Public Administration Act. Possible complaint
must be submitted to the Norwegian Data Protection Authority within three weeks after the decision was received. An eventual
complaint is sent to the Privacy Board for complaint processing. The Norwegian Data Protection Authority does in this connection
note the right of access to the case documents, cf. the Public Administration Act § 18.


If you have any questions, you can contact Knut Kaspersen on telephone 22 39 69 07.



With best regards



Bjørn Erik Thon
director
                                                                Knut Kaspersen
                                                                subject director
















                                                                                           16