Datatilsynet (Norway) - 18/02579: Difference between revisions

From GDPRhub
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |Datatilsynet - 2019-31-1424
|-
| colspan="2" style="padding: 20px;" |[[File:DatatilsynetlogoNorwaypng.png|center|250px]]
|-
|Authority:||[[Datatilsynet (Norway)]]
[[Category:Datatilsynet (Norway)]]
|-
|Jurisdiction:||[[:Category:Norway|Norway]]
[[Category:Norway]]
|-
|Relevant Law:||[[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]
[[Category:Article 5(1)(f) GDPR]]

[[Article 5 GDPR#2|Article 5(2) GDPR]]
[[Category:Article 5(2) GDPR]]

[[Article 32 GDPR#1d|Article 32(1)(d) GDPR]]
[[Category:Article 32(1)(d) GDPR]]
|-
|Type:||n/a
|-
|Outcome:||Violation found
|-
|Decided:||11.10.2019
|-
|Published:||1.12.2019
[[Category:2019]]
|-
|Fine:||120.000 EUR
|-
|Parties:||Education Agency for Oslo municipality
|-
|National Case Number:||18/34319-1
|-
|European Case Law Identifier:||n/a
|-
|Appeal:||n/a
|-
|Original Language:||Norwegian
[[Category:Norwegian]]
|-
|Original Source:||[https://www.datatilsynet.no/contentassets/ae65e212c134455c93f36a10c5a8c792/vedtak-oslo-kommune-oktober2019.pdf Datatilsynet (in NO)] and [https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2019/gebyr-til-oslo-kommune-utdanningsetaten/ press release source (in NO)]
|}

{{DPAdecisionBOX
|Jurisdiction=Norway
|DPA-BG-Color=
|DPAlogo=LogoNO.png
|DPA_Abbrevation=Datatilsynet (Norway)
|DPA_With_Country=Datatilsynet (Norway)

|Case_Number_Name=18/02579
|ECLI=

|Original_Source_Name_1=Datatilsynet
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/ae65e212c134455c93f36a10c5a8c792/vedtak-oslo-kommune-oktober2019.pdf
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Name_2=press release source
|Original_Source_Link_2=https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2019/gebyr-til-oslo-kommune-utdanningsetaten/
|Original_Source_Language_2=Norwegian
|Original_Source_Language__Code_2=NO

|Type=
|Outcome=Violation Found
|Date_Started=
|Date_Decided=11.10.2019
|Date_Published=01.12.2019
|Year=2019
|Fine=1,200,000
|Currency=NOK

|GDPR_Article_1=Article 5(1)(f) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1f
|GDPR_Article_2=Article 5(2) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#2
|GDPR_Article_3=Article 32(1)(b) GDPR
|GDPR_Article_Link_3=Article 32 GDPR#1b
|GDPR_Article_4=Article 32(1)(d) GDPR
|GDPR_Article_Link_4=Article 32 GDPR#1d

|Party_Name_1=Education Agency for Oslo municipality
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=

|Initial_Contributor=
|
}}
 
A fine of NOK 1,200,000 (approximately €120,000), reduced from NOK 2,000,000, was imposed on the Education Agency of the Municipality of Oslo due to a breach of personal data security in the mobile application “Skolemelding”. The fine was issued due to the application's lack of security and the resulting violations of [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#1d|Article 32(1)(d) GDPR]] and of the principle of accountability as foreseen in [[Article 5 GDPR#2|Article 5(2) GDPR]] read in conjunction with [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].

==English Summary==


===Facts===
The case concerned vulnerabilities in the mobile app “Skolemelding”. In the application, pupils and guardians can communicate with teachers and administration at the school. There was a security issue with the application, where unauthorized users could access the application as authorized users and thus gain access to the personal data of students. More than 63 000 pupils were included in the data breach. In the application it was also possible to register special categories of data concerning the pupil in a “free-text” format, for example when sending the school information about why the pupil was too sick to attend school.
===Dispute===
On which legal basis can Datatilsynet impose a fine for a lack of security?


===Holding===
The fine was issued on the basis of a lack of security surrounding the log-in function, a breach of Article 32(1)(b). In addition, the application was launched without proper security testing, and included security flaws well known to the security community, a breach of Article 32(1)(d). Finally, launching the application with an unacceptable vulnerability, which the municipality did not take proper steps to close, and a lack of control over the supplier (CGI) regarding the results of the security testing, was a breach of the principle of accountability following Article 5(2) in conjunction with Article 5(1)(f).


The issued fine was NOK 1,200,000 (approximately €120,000), which was lower than the initially suggested fine of NOK 2,000,000 (approximately €200,000). The fine was lowered in part due to the quick action by the municipality to address the flaws and secure the personal data, and in part due to cooperation with the DPA, showing a will to fix the security flaws.


The municipality did not contest the evaluation by the DPA regarding the scope of the security breach.
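As an added illustration (not code from the original page, the municipality or CGI), the following Python model reproduces the two design defects the decision describes in section 1.5 of the machine translation below, each beside its hardened form: a session token that is nothing more than the user's birth number, and a message lookup by sequential ID with no ownership check. The message store, user IDs and messages are constructed sample data, and the server key is a hypothetical per-process secret.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real records): guardians are keyed by an
# 11-digit birth-number-like string, messages by a sequential integer ID,
# mirroring the two identifiers the decision discusses.
MESSAGES = {
    1: {"owner": "01010000001", "text": "Kari is home sick today"},
    2: {"owner": "02020000002", "text": "Ola will arrive late"},
    3: {"owner": "01010000001", "text": "Please call me about the trip"},
}
REGISTERED_GUARDIANS = {m["owner"] for m in MESSAGES.values()}


class Forbidden(Exception):
    """Raised when a request is rejected."""


# --- Design as described in sections 1.5.1 / 1.5.2 of the decision ----------
def weak_fetch(token: str, message_id: int) -> str:
    """The 'token' is just the birth number, so anyone who knows a registered
    number is treated as logged in, and the requested message is returned
    without checking who it belongs to."""
    if token not in REGISTERED_GUARDIANS:
        raise Forbidden("unknown user")
    return MESSAGES[message_id]["text"]


# --- Hardened form -----------------------------------------------------------
# Hypothetical server secret; a real deployment keeps it in a secrets manager.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(user_id: str) -> str:
    """Mint a session token only after the identity provider (ID-porten /
    FEIDE, outside this example) has confirmed the login. The random nonce
    and the HMAC tag make the token impossible to derive from the user ID."""
    nonce = secrets.token_hex(16)
    payload = f"{user_id}.{nonce}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str) -> str:
    """Return the user ID bound to a token, or raise Forbidden."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise Forbidden("invalid token")
    return payload.split(".", 1)[0]


def secure_fetch(token: str, message_id: int) -> str:
    """Authenticate via the signed token, then enforce ownership: the
    sequential ID is still guessable, but a foreign ID yields the same
    error as a missing one, so nothing about other users leaks."""
    user_id = verify_token(token)
    msg = MESSAGES.get(message_id)
    if msg is None or msg["owner"] != user_id:
        raise Forbidden("no such message for this user")
    return msg["text"]


def is_denied(fn, *args) -> bool:
    """Helper: True when the call is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```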


==Comment==
==English Machine Translation of the Decision==


The decision below is a machine translation of the original. Please refer to the Norwegian original for more details.


<pre>
The content of the PDF decision cannot be copied and pasted. You can find the translation of the press release provided by Datatilsynet here.
Press release:
   
   
Fee to Oslo Municipality Education Agency


However, the Data Inspectorate has found that the notified fee of 2 million has to be slightly lowered. In our assessment, we have emphasized that the City of Oslo has taken measures to limit the damage as soon as the municipality became aware of the breach. The municipality has shown a willingness to organize the event.
---------------------------------------------------------------
Decision on infringement fine
Date: 10/11/2019

We refer to a report of a breach of personal data security (deviation report) from Oslo municipality sent 7 September 2018, notification of decision of 29 April 2019 and Oslo municipality's response of 21 June 2019.

Based on the information in the case, the Data Inspectorate believes that Oslo Municipality has violated the rules on personal data security in the Privacy Regulation (European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016).

Pursuant to the Privacy Ordinance, Article 58, No. 2, letter i, cf. the Personal Data Act § 26, cf. the Privacy Ordinance art. 83, the Norwegian Data Protection Authority makes the following decision on infringement fine:

Oslo Municipality is ordered, pursuant to the Personal Data Act § 26 second paragraph, cf. Article 83 of the Privacy Ordinance, to pay an infringement fee of NOK 1,200,000 - one million two hundred thousand Norwegian kroner - to the Treasury for breaches of duties which follow from the Privacy Regulation.

The fee is imposed as a result of Oslo Municipality not having carried out suitable technical and organizational measures to achieve a level of safety appropriate to the risk, and ensuring lasting confidentiality and integrity, cf. the Privacy Ordinance Article 5 No. 1 letter f, and the Privacy Regulation Article 32 No. 1 letters b and d.

The background and reasons for the decision follow below.
1. The case

1.1. Description of the case

The case concerns vulnerabilities in the mobile application Skolemelding. This is an application that can be downloaded to the mobile phone, and which is developed for use in the Oslo School. In the application, parents and pupils can communicate with the staff in the school. The communication is in writing, and can be compared to SMS or email.

It has been possible for unauthorized persons to log in as authorized users and thus gain access to personal information about students. More than 63,000 primary school students [1] in the Oslo schools are covered. In addition, it is possible to register special categories of personal information in the free text field, for example about children's health. This may have entailed a risk that unauthorized persons have been able to see information of an intrusive nature.
1.2. Proceedings

The Norwegian Data Protection Authority became aware of the case after Aftenposten on Thursday 6 September 2018 published a news article about serious security holes in the application. Oslo Municipality sent notification of breach of personal data security (non-conformance report) to the Norwegian Data Protection Authority on 7 September 2018. The Data Inspectorate also received an inquiry from a private individual in connection with the case. The Data Inspectorate then sent a request for a statement to Oslo Municipality on 4 October 2018, and we received a reply from Oslo municipality sent on 26 October. We have also had a dialogue with the municipality by telephone. We asked for more information in an e-mail sent on 23 November, and received a reply from the municipality on 26 November.

In a letter dated 29 April 2019, the Norwegian Data Protection Authority announced a decision on three orders to implement measures which were considered necessary to close the relevant deviations from requirements in the privacy regulations. We also announced that we would consider making a decision on infringement fines as a result of the breach of the duties of the data controller in accordance with the privacy regulations. Oslo Municipality responded to the notification in a timely manner in a letter dated 21 June 2019.

The response from the City of Oslo explains in more detail the system Skolemelding, as well as CGI's obligations (the municipality's supplier) and the course of events before and after the security incident. The Norwegian Data Protection Authority bases itself on this report as part of the actual circumstances of the case.

The Norwegian Data Protection Authority has assessed Oslo Municipality's proposals for measures in connection with the case, and finds that the discrepancies are now closed. The notified decisions on orders are therefore considered to have lapsed. In the following, the Norwegian Data Protection Authority will only consider decisions on infringement fines.
1.3. More about the system and functionality in Skolemelding

Skolemelding is a notification application for Oslo School's parents, students and employees. In the application, parents and students can send a message to the contact teacher / subject teacher or other employees at the school. They can also respond to messages sent from the school. The application also provides teachers the opportunity to communicate with each other.

On the Oslo municipality's website (https://aktuelt.osloskolen.no/larerik-bruk-av-laringsteknologi/digital-skolehverdag/skolemelding/) it is stated that parents can report absence in the application and in the Portal. The portal is a school platform for the Oslo school and each individual school has its own portal. The message is sent automatically to the child's contact teacher. It further states: «Do not use the app or other communication channels in Skoleplattform Oslo to send sensitive personal information, such as your child's health information. It suffices to say that the child does not come to school today.» In Skolemelding, absence is reported by clicking on «New message» and the «Report absence» button. There is a free text field here to write what the absence applies to. There is nothing in the application itself saying that you should not enter sensitive personal information.

To authenticate users, Skolemelding uses ID-porten for parents and FEIDE for employees. These are well-established standard components for authentication, and the discrepancy in the case does not apply to these two services. The discrepancy affects how these components are integrated with Skolemelding for handling login.

[1] Source: https://www.oslo.kommune.no/politikk-og-administrasjon/etater-foretak-og-ombud/utdanningsetaten/arsberetning-2017/?del=3#gref2
1.4. Oslo Municipality's description of the discrepancies

In the report on breaches of personal data security we received from Oslo Municipality on 7 September 2018, the incident is described as follows:

«Authorized users of the school messaging apps who have the knowledge to decrypt apps and have the right type of software have been able to acquire access to other users' personal information of the type name, e-mail address and which children a parent has, as well as messages sent to and from school. By combining birth number, client secret and system password, it was possible to access the personal information mentioned above. This in combination with a lack of security when using a specific API made it possible to access other people's messages for logged in users.»

The discrepancy was described in more detail in a letter from Oslo Municipality dated 26 October 2018:

«After further investigations, CGI now confirms that it was possible to decrypt the code for the school messaging apps and acquire knowledge about weaknesses in the authentication process, and through it gain access to other users' data by bypassing login via FEIDE or ID-porten without being an authorized user of the solution. At the same time, they emphasize that this presupposes that one must have a lot of competence and knowledge about both authentication and Skolemelding to do this without first being logged in. As is known, the deviation was also first uncovered by someone who had access to the solution.

By taking advantage of the weakness one could thus, knowing only an employee's or student's username or a parent's social security number, gain access to their personal information of the type name, e-mail address and which children a parent has. Furthermore, one could then also retrieve one message at a time regardless of user.

CGI therefore believes that the analyses in the blog are mainly correct. CGI has also itself revealed the weaknesses from the blog in the further security testing of the application, where all errors that may cause safety deviations have been corrected. We have also carried out our own safety tests of the solution afterwards and have verified that the discrepancies have been rectified.»

The Data Inspectorate sent several requests for statements related to, among other things, how testing of the solution had been carried out, whether risk assessments had been carried out and whether a Privacy Impact Assessment (DPIA) had been carried out.

In its responses, the City of Oslo has described that the supplier (CGI) carried out safety testing in the period 16 - 24 August 2018. The supplier identified some vulnerabilities and proposed measures to reduce these in their safety report. It further emerged that the supplier had not informed the municipality about the results of the safety test, but that they chose to wait with the measures until the next scheduled release. The municipality stated that this was the reason why they could close the deviation quickly and issue an update of the application. They further stated that if they had known the vulnerabilities previously they would have closed the solution until these were rectified.

When asked by the Norwegian Data Protection Authority whether a DPIA and risk assessment had been carried out for the solution, the municipality replied that no formal DPIA was carried out, but that a risk assessment was carried out. One of nine identified vulnerabilities / threats was considered unacceptable. The vulnerability was that sensitive data is registered in the solution. Some measures were proposed to deal with the vulnerability. One was to provide information on the schools' and the municipality's websites that sensitive information must not be written in the free text field, which has been completed. The second was to enter information in the application in the next update, which was scheduled for 13 December 2018. A final measure was to create templates for registration of different types of absence. This measure is planned as part of the further development of the solution in 2019. The education agency would also assess the need for free text fields to report absence.

The Norwegian Data Protection Authority has not requested or been sent a risk assessment beyond what is described above. We have also not requested or received a report from the security testing.
1.5. The vulnerabilities in the system

In our notification of decisions, the vulnerabilities in the system were described as follows:

As we understand it, the vulnerabilities cannot be exploited during normal use of the application Skolemelding, but by using a tool such as a web proxy to be able to see and manipulate traffic of data communicated through the system. Such tools are easily available for download from the internet. It requires a certain technical competence to be able to use them, but there is also readily available information on the internet on how to use them.
1.5.1. Authentication issues

When a user of the parent application is to log in, the user is taken as expected through the login process in ID-porten. It is after this that problems arose. There was an error in the logic of the authentication server (called the rnid port) used by the system. The login solution only issued the birth number (which is the parent's user ID) as an access token [2] after login. It was therefore possible here to create your own access token without going through the login solution, as long as a birth number registered as a guardian was used.

Birth numbers are structured in a well-defined way and are limited to 11 million. This makes it easy for an attacker to generate all possible birth numbers, and then try them out in the solution. The range of birth numbers one needs to test can also be reduced based on, for example, year of birth, when you know that you are going to try out a birth number that may belong to parents of children in primary school. Based on a further weakness in the system it is not necessary to have more than one valid user to access other people's messages.
1.5.2. Lack of separation between users means that you can access others' messages

When a user is authenticated, they can read messages stored on the server. This is done in the background of the application by specifying, among other things, an ID for the desired message. The ID is a sequentially generated integer that acts as a unique identifier for notifications. The system lacks a verification of who a message (ID) belongs to when it is retrieved. This allows an authenticated user to retrieve any message in the system by specifying a valid message ID, regardless of who it belongs to. Guessing valid IDs will not be difficult since, as previously mentioned, they consist of sequential integers.

1.5.3. Possibility to harvest information and link person to messages

It is also possible to retrieve information about the user you are logged in as and the students associated with this user. This includes full name, username, email, birth number and telephone number. This is done by running a call to the server, which returns LDAP [3] data. This results in that even if someone initially tests with random birth numbers, they will also have the opportunity to link the birth number to the person and family in an easy way.
2. Oslo Municipality's feedback

In a letter dated 21 June 2019, the City of Oslo has not disputed the Data Inspectorate's presentation of the actual circumstances arising from our notice of decision of 29 April 2019. In the following, we assume that our presentation of the nature and extent of the deviation gives a correct description.

[2] An access token contains security information for a login session and identifies, among other things, the user and its rights.
[3] Lightweight Directory Access Protocol is a protocol used to look up a directory service on a server.

In its response, the municipality has described how the deviations have been closed, and what measures have been taken to prevent similar deviations from happening again. We assume that these measures are satisfactory, and consider the discrepancies to be closed. The City of Oslo has raised objections to the size of the notified infringement charge. These are discussed below in our assessment of the infringement fee to be imposed.
3. Legal basis for the assessment

3.1. About the Privacy Ordinance

The Privacy Ordinance regulates all aspects of the processing of personal data. Article 5 of the Privacy Regulation deals with what must be said to be the core of privacy law, and the article is absolutely central to the interpretation of the rest of the regulation's provisions. Violation of the principles in art. 5 may in itself lead to the imposition of sanctions. As stated in the provision, Art. 5 no. 1 letter f concerns personal data security and the principle of the duty to ensure the necessary integrity and confidentiality. The principle in art. 5 No. 1 letter f on integrity and confidentiality is described in more detail and supplemented by more specific provisions in the Privacy Ordinance, Chapter IV, see e.g. Article 32 on personal data security. Art. 5 no. 2 enshrines the principle of responsibility, which states that it is the controller who is responsible for complying with the privacy principles in art. 5 No. 1.

3.2. In particular on the imposition of infringement fines - Article 58 (2), letter i

The Privacy Regulation leaves it to the Member States to determine whether infringement fines could be imposed on public authorities and bodies, cf. Article 83 (7). In the Personal Data Act (2018) § 26 second paragraph, it is determined that the Data Inspectorate may impose infringement fines on public authorities and bodies in accordance with the rules in the Privacy Ordinance Article 83, cf. Article 83 No. 7.

Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains i.a. an overview of which factors should be taken into account when considering both whether an infringement fee is to be imposed and which factors are to be assessed in connection with the measurement of the size of the fee. The article also indicates the magnitude of the fees, and it appears from art. 83 no. 4 and no. 5 that the maximum rates depend on which provisions in the Privacy Regulation have been violated. The provision basically provides that the imposition of an infringement fee is due to one overall judgment, but it provides guidelines for the exercise of discretion by highlighting aspects that should have special emphasis. The first paragraph of the article states that the infringement fine in each individual case must be effective, proportionate to the violation and act as a deterrent.

We also refer to the Privacy Council's guidelines regarding the application and determination of infringement fines in accordance with Regulation (EU) 2016/679 (WP 253), where the Privacy Council explains the general criteria in art. 83 no. 1, and the points in art. 83 no. 2. [4]
4. The Data Inspectorate's assessments and reasons for decisions

4.1. Assessment of whether an offense has taken place

The processing of a report of a breach of personal data security revealed the following circumstances constituting a breach of Article 32 (1) of the Privacy Regulation:

1. Lack of security around logging in to the application, which made it possible to view and change personal information of more than 63,000 children, is contrary to Article 32 (1) (b) of the Privacy Regulation. In addition, it includes information about parents and teachers.
2. Inadequate security testing before launching the application, and that it was launched with security holes that are well known in security environments around the world, is in conflict with Article 32 (1) (d) of the Privacy Regulation.
3. Launch of a school notification application with an unacceptable vulnerability which Oslo municipality had not implemented appropriate measures to close, and inadequate control of the supplier, CGI, about the results of the security test, is a violation of the principle of accountability in Article 5 (2) of the Privacy Regulation, cf. Article 5 (1) letter f.

The City of Oslo has not disputed the Data Inspectorate's assessments of whether and to what extent there have been deviations from the Privacy Ordinance's requirements for the processing of personal data.

4.2. The Data Inspectorate's assessment of the conditions for imposing an infringement fee

4.2.1. General information about the assessment

The right to impose infringement fines is provided as a means of ensuring effective compliance with and enforcement of the Personal Data Act. An infringement fee may be charged for deviations that have taken place, also for cases where the deviations are closed at the time of the decision on the infringement charge.

Under international law, an infringement fine is not to be regarded as a penalty, but as an administrative sanction. However, it must be assumed that the infringement fine is to be regarded as a penalty under the ECHR (European human rights convention) Article 6, and in accordance with the case law of the Supreme Court, cf. Rt. 2012 page 1556 with further references. The Data Inspectorate therefore takes as its basis that a clear likelihood of an offense is required in order to impose a fee. The case and the question of imposing infringement fines are assessed on the basis of this evidentiary requirement.

[4] Originally prepared by the Article 29 Working Party, but adopted by the Privacy Council, see the Privacy Council "Endorsement 1/2018", section 16. The documents are available at https://edpb.europa.eu

As mentioned above, Article 83 in principle provides that the imposition of a violation fee is based on a discretionary overall assessment, but adds guidance on the exercise of discretion by highlighting factors that should have special weight, taking into account that the imposition of infringement fines in each individual case shall be effective, proportionate and deterrent. In the following, we review the relevant conditions in the Privacy Ordinance, Article 83 no. 2:

4.2.2. Article 83 (2) (a): Grade, severity and the duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected, and the scope of the damage they have suffered

The breach of personal data security is a result of lack of technical and organizational measures that ensure satisfactory information security with regard to confidentiality and integrity, cf. Article 32 of the Regulation. We also refer to recital 83 of the Privacy Regulation.

The violation includes over 63,000 children in primary school in Oslo municipality. Not everyone has taken the school registration application into use, but the potential is still 63,000. The infringement includes children, who to a lesser extent have the prerequisites to safeguard their rights and freedoms. That use of the application Skolemelding is a voluntary matter does not change the picture of the severity of the breaches.

In this connection, the Data Inspectorate points out that children in particular are entitled to a high degree of protection when information about them is processed, see the Privacy Ordinance's recital 38 where it is stated:

"Children's personal data deserve special protection, as children may be less aware of current risks, consequences and guarantees, as well as the rights they have when it comes to the processing of personal data."

The fact that children's rights and freedoms have been exposed makes the violation extra serious, and the Norwegian Data Protection Authority has emphasized this as an aggravating circumstance.

Absence must be reported in the absence part of the application. On the municipality's website it is informed that no sensitive information must be written in the free text field. Equivalent information is not entered in the absence part of the application, which the Data Inspectorate believes could have helped to limit the possibility of communicating special categories of personal information. Most people who use the application Skolemelding do not go in via the municipality's website, but via the application, and will thus not receive this information. However, this will not have a decisive effect on the severity of the deviation.

The fact that unauthorized persons have had the opportunity to gain access to others' personal data has led to an opportunity to manipulate the personal data in the application. The breach of personal data security has meant that the data subject has lost control of information about themselves, and of whether others have seen or changed information about the person in the application.
4.2.3. Article 83 (2) (b): assessment of the degree of guilt
Pursuant to section 46 of the Public Administration Act, an administrative sanction may be imposed on an enterprise itself even if no individual has shown guilt. This means that Oslo Municipality has an objective liability. By enterprise is meant a company, cooperative, association or other association, sole proprietorship, foundation, estate or public enterprise.
We consider it beyond doubt that Oslo Municipality has had knowledge of the necessity of establishing organizational and technical measures in the application. By not taking the necessary steps, the municipality has acted negligently. The Data Inspectorate finds that there is a clear preponderance of probability that Oslo Municipality has violated art. 5 and Article 32 of the Privacy Regulation.

4.2.4. Article 83 (2) (c): measures taken by the controller or the data processor to limit the damage suffered by the data subjects
The security hole was closed the same day as the municipality discovered it. It is important that the municipality took these measures, and this will have a signal effect on others. The Data Inspectorate believes this should have a mitigating effect in the assessment of the infringement fee.

4.2.5. Article 83 (2) (d): the degree of responsibility of the controller or the data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32
The errors found in Skolemelding are of such a nature that they have been on the OWASP top 10 list 5 for many years. OWASP top 10 is a recognized document for raising awareness about security in web applications and is often referred to among people in the security community and at security conferences. There is a consensus among security experts around the world on what are the most critical security risks in web applications. The Norwegian Data Protection Authority has referred to OWASP in several places in its guide on software development with built-in privacy 6. The errors in Skolemelding are described in A2, A3 and AS in OWASP top 10 from 2013. Given the security holes found in the solution, any testing that has been done appears to be very deficient. This must be described as negligent.
It can therefore be stated that Oslo Municipality has shown negligence in relation to an acceptable level of protection.

*5 Open Web Application Security Project - https://www.owasp.org
*6 https: // www .datatilsynet.no / regulations-and-tools v / supervisors / software development-with-built-in privacy /

4.2.6. Article 83 (2) (f): co-operation with the supervisory authority to remedy the violation and reduce its possible negative effects
There has been no collaboration with the Norwegian Data Protection Authority to remedy the violation. Oslo Municipality has on its own initiative taken the necessary measures to close the breaches of personal data security.

4.2.7. Article 83 No. 2 letter g: categories of personal data affected by the violation
As the violation includes children in primary school, we refer to recital 75 of the Privacy Ordinance, where it is pointed out that special consideration must be given to the risk associated with children's personal data, if the processing includes a large amount of personal data and affects a large number of data subjects. We can state that special categories of personal data, as defined in Article 9 of the Privacy Regulation, have been exposed to unauthorized persons. The information that has been available is absence information which, in a free text field, can result in the reason for absence being stated. In addition, information that requires confidentiality, such as information about bullying, could be registered in the school messaging application.

4.2.8. Article 83 (2) (h): the manner in which the supervisory authority was informed of the infringement, in particular if and to what extent the data controller or the data processor has notified the infringement
The Norwegian Data Protection Authority first became aware of the current situation through media coverage. We were notified about the breach of personal data security by Oslo Municipality on 7 September 2018. It is unfortunate that the Data Inspectorate only learns about the discrepancy after the case has been mentioned in the media. The Data Inspectorate finds it highly reprehensible that knowledge of what has happened in the breach of personal data security, and of the vulnerability in the school messaging application, has reached us through initiatives from private individuals. Oslo Municipality also admits that the non-conformance reports were misleading. This will be important in our assessment of whether infringement fines must be imposed.

4.2.9. Article 83 (2) (k): other aggravating or mitigating factors in the case, e.g. financial benefits gained, or losses avoided, directly or indirectly, as a result of the infringement
The Data Inspectorate has not found that Oslo Municipality has had financial benefits, or avoided losses, directly or indirectly as a result of the infringement.
The Norwegian Data Protection Authority places particular emphasis on the fact that sufficient organizational and technical measures were lacking in the application Skolemelding. The Data Inspectorate considers this to be serious, and it is one of the reasons for the infringement charge. The users of the municipality's services have a clear interest worthy of protection against inadequate security measures where confidentiality and integrity are required. Inadequate security can have serious consequences for the individual, both because the surroundings get access to information that the data subject has not himself chosen to make known, and because the availability makes it unpredictable how many people have obtained the information. General preventive reasons and the consideration that the rules should have effect and work as intended speak strongly for reacting with an instrument such as an infringement charge. In a mitigating direction, it can be pointed out that Oslo Municipality reacted as soon as they received knowledge of the security holes.

4.2.10. Summary and conclusion
After an overall assessment of the deviation's scope, character and severity, the Data Inspectorate has concluded that it is correct to uphold our notified decision on infringement fines. We have placed special emphasis on the fact that it is children's privacy that is affected by the discrepancy.
4.3. Measurement of the size of the infringement fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that «As a starting point, the same rules for infringement fines shall apply to public bodies as for private ones, as this is the scheme under the current Personal Data Act», but the Ministry assumes that within the rules of Article 83 of the Regulation, which also indicates the factors to be emphasized in the calculation of administrative fees, there is room for considerable discretion as to the size of the fee. The Ministry states that '[t]he amount limits in Article 83 of the Regulation set maximum limits for the measurement of administrative fees, while no minimum limits have been set.'
With regard to the size of the fee, the same factors shall apply, weighted, as when assessing whether the fee shall be imposed. The fee should be set so high that it also has an effect beyond the specific case, while at the same time the size of the fee must be in reasonable proportion to the violation and the enterprise, cf. art. 83 No. 1.
We have particularly noted that the breach of personal data security concerns a significant number of children in primary school. Furthermore, we have emphasized the general expectation citizens may have that municipal authorities follow the rules that are given, and especially those that give individual rights meant to protect this type of information.
The imposition of infringement fines in this case will have an important signal effect. The Data Inspectorate wants to clearly communicate that such incidents are considered serious. It is important that such incidents do not occur, and that all public bodies dealing with citizens' personal information and information about vulnerable persons such as children are conscious of their own responsibility. We have emphasized the general preventive effect that a decision on a violation fee is assumed to have.
In our notified decision, we stated that the size of the fee would be set at 2,000,000 NOK. Oslo Municipality responded to our notice with objections to the size of the fee. It stated 'that it is sufficient to impose obligations on the supplier to report deviations, in addition to routines having been established for continuous follow-up of the supplier. We have considered this practice as satisfactory, as it has worked well over several years through deviations having been discovered and cleaned up. It is also admitted by the supplier that deficient follow-up of the agreement is due to human failure. UDE believes that the aforementioned must be considered as mitigating circumstances. In any case, we have wanted to improve our control in terms of safety tests, and have therefore introduced measures for a joint review of all results from safety testing with the supplier, cf. above».
Oslo Municipality points out that they could not report deviations to the Data Inspectorate when they did not have knowledge of the conditions. That Oslo municipality had no knowledge of the test results comes, as the Data Inspectorate sees it, as a result of a lack of project management between the municipality and their supplier. The Norwegian Data Protection Authority draws attention to the fact that Oslo Municipality is responsible for the serious violations that happened by not introducing organizational and technical measures likely to ensure persistent confidentiality and integrity in the Skolemelding application. That Oslo municipality was in the belief that the application had been safety tested before it was put into production, and believed it was sufficient to impose obligations on the supplier on the reporting of nonconformities, is a calculated risk, which does not mitigate the incident.
Oslo Municipality finally points out that the supplier has a significant part of the responsibility for the event. The Norwegian Data Protection Authority does not disagree with this, but this does not exempt the municipality from its responsibility.
Finally, the municipality points out that it can only be stated that two people are affected by the breach of personal data security. This is of little importance to the Data Inspectorate when the potential was far larger.
The Data Inspectorate has come to the conclusion that the notified infringement fee must be adjusted downwards somewhat. In the assessment we have emphasized that the City of Oslo implemented damage mitigation measures as soon as the municipality was informed about the breach of information security, and showed a willingness to clear up the incident. After an overall assessment of the case, we have come to the conclusion that an infringement fee of NOK 1,200,000 is considered correct.
5. Decision on infringement fines
5.1. Decision on infringement fine
Pursuant to the Privacy Ordinance, Article 58, No. 2, letter i, cf. the Personal Data Act § 26, cf. the Privacy Ordinance art. 83, the Norwegian Data Protection Authority makes the following decision on infringement fine:
Oslo Municipality is imposed, pursuant to the Personal Data Act § 26 second paragraph, cf. Article 83 of the Privacy Ordinance, to pay an infringement fee of NOK 1,200,000 - one million two hundred thousand Norwegian kroner - to the Treasury for breaches of duties that follow from the Privacy Regulation.
The fee is imposed as a result of Oslo Municipality not having carried out suitable technical and organizational measures to achieve a level of safety appropriate to the risk, and to ensure lasting confidentiality and integrity, cf. the Privacy Ordinance Article 5 No. 1 letter f and the Privacy Regulation Article 32 No. 1 letters b and d.

5.2. Recovery of the infringement fee
The infringement fee is due for payment four weeks after the decision is final, cf. the Personal Data Act (2018) § 27. The decision is an enforceable basis for recovery. Recovery of the claim will be carried out by the Central Government Collection Agency.

5.3. Right of appeal
You can appeal the decision. Any complaint must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22.

5.4. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We also inform you that all documents are in principle public, cf. Section 3 of the Public Access to Information Act, but emphasize at the same time that security documentation is as a general rule exempt from public access, cf. the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.
With best regards
Bjørn Erik Thon, director
Knut Brede Kaspersen, legal director

Latest revision as of 18:52, 5 March 2022

Datatilsynet (Norway) - 18/02579
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type:
Outcome: Violation Found
Started:
Decided: 11.10.2019
Published: 01.12.2019
Fine: 1,200,000 NOK
Parties: Education Agency for Oslo municipality
National Case Number/Name: 18/02579
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
press release source (in NO)
Initial Contributor: n/a

A fine of NOK 1,200,000 (approximately €120,000), reduced from NOK 2,000,000, was imposed against the Education Agency of the Municipality of Oslo due to breach of personal data security in the mobile application “Skolemelding”. The fine was issued due to the application's lack of security and subsequent violations of Article 32(1)(b) GDPR and Article 32(1)(d) GDPR and of the principle of accountability as foreseen in Article 5(2) GDPR read in conjunction with Article 5(1)(f) GDPR.

English Summary

Facts

The case concerned vulnerabilities in the mobile app “Skolemelding”. In the application, pupils and guardians can communicate with teachers and administration at the school. There was a security issue with the application, where unauthorized users could access the application as authorized users and thus gain access to the personal data of students. More than 63 000 pupils were included in the data breach. In the application it was also possible to register special categories of data concerning the pupil in a “free-text” format, for example when sending the school information about why the pupil was too sick to attend school.

Holding

The fine was issued on the basis of a lack of security surrounding the log-in function, a breach of Article 32(1)(b). In addition, the application was launched without proper security testing, and included security flaws well known to the security community, a breach of Article 32(1)(d). Finally, launching the application with an unacceptable vulnerability, which the municipality did not conduct proper steps to close, and a lack of control with the supplier (CGI) regarding the results of the security testing, was a breach of the principle of accountability following Article 5(2) in conjunction with Article 5(1)(f).

The issued fine was NOK 1,200,000 (approximately €120,000), which was lower than the initially suggested fine of NOK 2,000,000 (approximately €200,000). The fine was lowered in part due to the quick action by the municipality to address the flaws and secure the personal data, and in part due to cooperation with the DPA, showing a will to fix the security flaws.

The municipality did not contest the evaluation by the DPA regarding the scope of the security breach.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Norwegian original for more details.

Press release: 
 
Fee to Oslo Municipality Education Agency

In April 2019, the Data Inspectorate sent a notification to the Oslo Municipality Education Agency about a violation fee for breach of personal data security in the mobile application School Notification. In October, a final fee of NOK 1.2 million was adopted.

The fee is given because the municipality had not taken appropriate measures to achieve a level of security appropriate to the risk. The assessment emphasized, among other things:

    One of the uses of the app is for parents to send messages about their children or announce absence when using free text fields. It facilitates the communication of sensitive personal information, such as health information, about the children. There are no technical measures to prevent this from happening, nor does the app inform you not to communicate such information. Had built-in privacy been taken into consideration, it would not have been a free-text field, but for example a drop-down list or check boxes.
    Lack of security around logging in to the app has allowed unauthorized persons access to view and change personal information of more than 63,000 children in primary school in Oslo.
    Inadequate security testing prior to the launch of the app led to it being launched with vulnerabilities well known in security environments worldwide.

The municipality has not been conscious of its responsibility and has launched a school messaging app with an unacceptable vulnerability without taking appropriate measures to close the vulnerabilities. It has also had insufficient control over the supplier when it comes to security test results.

Lower fee than notified

However, the Data Inspectorate has found that the notified fee of 2 million has to be slightly lowered. In our assessment, we have emphasized that the City of Oslo took measures to limit the damage as soon as the municipality became aware of the breach. The municipality has shown a willingness to clear up the incident.


---------------------------------------------------------------


Decision on infringement fine

Date: 10/11/2019

We refer to a report of a breach of personal data security (deviation report) from Oslo municipality sent 7 September 2018, notification of decision of 29 April 2019 and Oslo municipality response of 21 June 2019.

Based on the information in the case, the Data Inspectorate believes that Oslo Municipality has violated the rules on personal data security in the Privacy Regulation (European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016).

Pursuant to the Privacy Ordinance, Article 58, No. 2, letter i, cf. the Personal Data Act § 26, cf. the Privacy Ordinance art. 83, the Norwegian Data Protection Authority makes the following decision on infringement fine:

Oslo Municipality is imposed, pursuant to the Personal Data Act § 26 second paragraph, cf. Article 83 of the Privacy Ordinance, to pay an infringement fee of NOK 1,200,000 - one million two hundred thousand Norwegian kroner - to the Treasury for breaches of duties that follow from the Privacy Regulation.

The fee is imposed as a result of Oslo Municipality not having carried out suitable technical and organizational measures to achieve a level of safety appropriate to the risk, and to ensure lasting confidentiality and integrity, cf. the Privacy Ordinance Article 5 No. 1 letter f, and the Privacy Regulation Article 32 No. 1 letters b and d.

The background and reasons for the decision follow below.


1. The case
1.1. Description of the case
The case concerns vulnerabilities in the mobile application Skolemelding. This is an application that can be downloaded to the mobile phone, and which is developed for use in the Oslo School. In the application, parents and pupils can communicate with the staff at the school. The communication is in writing, and can be compared to SMS or email.

It has been possible for unauthorized persons to log in as authorized users and thus gain access to personal information about students. More than 63,000 primary school students 1 in the Oslo schools are covered. In addition, it is possible to register special categories of personal information in the free text field, for example about children's health. This may have entailed a risk that unauthorized persons have been able to see information of an intrusive nature.

1.2. Proceedings
The Norwegian Data Protection Authority became aware of the case after Aftenposten on Thursday 6 September 2018 published a news article about serious security holes in the application. Oslo Municipality sent notification of breach of personal data security (non-conformance report) to the Norwegian Data Protection Authority on 7 September 2018. The Data Inspectorate also received an inquiry from a private individual in connection with the case. The Data Inspectorate then sent a request for a statement to Oslo Municipality on 4 October 2018, and we received a reply from Oslo municipality sent on 26 October. We have also had a dialogue with the municipality by telephone. We asked for more information in an e-mail sent on 23 November, and received a reply from the municipality on 26 November.
In a letter dated 29 April 2019, the Norwegian Data Protection Authority announced a decision on three orders to implement measures which were considered necessary to close the relevant deviations from requirements in the privacy regulations. We also announced that we would consider making a decision on infringement fines as a result of the breach of the duties of the data controller in accordance with the privacy regulations. Oslo Municipality responded to the notification in a timely manner in a letter dated 21 June 2019. The response from the City of Oslo explains in more detail the system Skolemelding, as well as CGI's obligations (the municipality's supplier) and the course of events before and after the security incident. The Norwegian Data Protection Authority relies on this report as part of the actual circumstances of the case.
The Norwegian Data Protection Authority has assessed Oslo Municipality's proposals for measures in connection with the case, and finds that the discrepancies are now closed. The notified decisions on orders are therefore considered to have lapsed. In the following, the Norwegian Data Protection Authority will only consider decisions on infringement fines.

1.3. More about the system and functionality in Skolemelding
Skolemelding is a messaging application for Oslo School's parents, students and employees. In the application, parents and students can send a message to the contact teacher / subject teacher or other employees at the school. They can also respond to messages sent from the school. The application also gives teachers the opportunity to communicate with each other.

*1 Source: https://www.oslo.kommune.no/politikk-og-administrasjon/etater-foretak-og-ombud/utdanningsetaten/arsberetning-2017/?del=3#gref


On the Oslo municipality's website (https://aktuelt.osloskolen.no/larerik-bruk-av-laringsteknologi/digital-skolehverdag/skolemelding/) it is stated that parents can report absence in the application and in the Portal. The Portal is a school platform for the Oslo school, and each school has its own portal. The message is sent automatically to the child's contact teacher. It further states: «Do not use the app or other communication channels in Skoleplattform Oslo to send sensitive personal information, such as your child's health information. It suffices to say that the child does not come to school today.» In Skolemelding, absence is reported by clicking on «New message» and the «Report absence» button. There is a free text field here to write what the absence concerns. There is nothing in the application itself stating that you should not enter sensitive personal information.
To authenticate users, Skolemelding uses the ID port for parents and FEIDE for employees. These are well-established standard components for authentication, and the discrepancy in the case does not concern these two services. The discrepancy affects how these components are integrated with Skolemelding for handling login.

1.4. Oslo Municipality's description of the discrepancies
In the report on breaches of personal data security we received from Oslo Municipality on 7 September 2018, the incident is described as follows:
«Authorized users of the school messaging app who have the knowledge to decrypt apps and have the right type of software have been able to acquire access to other users' personal information of the type name, e-mail address and which children a parent has, as well as messages sent to and from school. By combining birth number, client secret and system password, it was possible to access the personal information mentioned above. This in combination with a lack of security when using a specific API made it possible to access other people's messages for logged in users.»
The discrepancy was described in more detail in a letter from Oslo Municipality dated 26 October 2018:
«After further investigations, CGI now confirms that it was possible to decrypt the code for the school messaging app and acquire knowledge about weaknesses in the authentication process, and through it gain access to other users' data by bypassing login via FEIDE or the ID port without being an authorized user of the solution. At the same time, they emphasize that this presupposes that one must have a lot of competence and knowledge about both authentication and the school message to do this without first being logged in. As is known, the deviation was also first uncovered by someone who had access to the solution. By taking advantage of the weakness, one could thus, knowing only an employee's or student's username or a parent's social security number, gain access to their personal information of the type name, e-mail address and which children a parent has. Furthermore, one could then also retrieve one message at a time regardless of user.
CGI therefore believes that the analyses in the blog are mainly correct. CGI has also itself revealed the weaknesses of the blog in the further security testing of the application, where all errors that may cause safety deviations have been corrected. We have also carried out our own safety tests of the solution afterwards and have verified that the discrepancies have been rectified.»
The Data Inspectorate sent several requests for statements related to, among other things, how testing of the solution had been carried out, and whether risk assessments and a Privacy Impact Assessment (DPIA) had been carried out. In its responses, the City of Oslo has described that the supplier (CGI) carried out safety testing in the period 16 - 24 August 2018. The supplier identified some vulnerabilities and proposed measures to reduce these in their safety report. It further emerged that the supplier had not informed the municipality about the results of the safety test, but that they chose to wait with the measures until the next scheduled release. The municipality stated that this was the reason why they could quickly close the deviation and issue an update of the application. They further stated that if they had known of the vulnerabilities previously they would have closed the solution until these were rectified.
When asked by the Norwegian Data Protection Authority whether a DPIA and risk assessment had been carried out for the solution, the municipality replied that no formal DPIA was carried out, but that a risk assessment was carried out. One of nine identified vulnerabilities / threats was considered unacceptable. The vulnerability was that sensitive data is registered in the solution. Some measures were proposed to deal with the vulnerability. One was to provide information on the schools' and the municipality's websites that sensitive information must not be written in the free text field, which has been completed. The second was to enter such information in the application in the next update, which was scheduled for 13 December 2018. A final measure was to create templates for registration of different types of absence. This measure is planned as part of the further development of the solution in 2019. The education agency would also assess the need for free text fields to report absence.
The Norwegian Data Protection Authority has not requested or been sent a risk assessment beyond what is described above. We have also not requested or received a report from the security testing.

1.5. The vulnerabilities in the system
In our notification of decisions, the vulnerabilities in the system were described as follows:
As we understand it, the vulnerabilities cannot be exploited during normal use of the application Skolemelding, but by using a tool such as a web proxy one is able to see and manipulate the data traffic communicated through the system. Such tools are easily available for download from the internet. It requires a certain technical competence to be able to use them, but there is also readily available information on the internet on how to use them.

1.5.1. Authentication issues
When a user of the parent application is to log in, the user is taken as expected through the login process in the ID port. It is after this that problems arose. There was an error in the logic of the authentication server (called the rnid port) used by the system. The login solution only issued the birth number (which is the parent's user ID) as an access token 2 after login. It was therefore possible here to create your own access token without going through the login solution, as long as a birth number registered as a guardian was used.
Birth numbers are structured in a well-defined way and are limited to 11 million. This makes it easy for an attacker to generate all possible birth numbers, and then try them out against the solution. The range of birth numbers one needs to test can also be reduced based on, for example, year of birth when you know that you are going to try out a birth number that may belong to parents of children in primary school. Based on a further weakness in the system, it is not necessary to have more than one valid user to access other people's messages.

1.5.2. Lack of separation between users means that you can access others' messages
When a user is authenticated, they can read messages stored on the server. This is done in the background of the application by specifying, among other things, an ID for the desired message. The ID is a sequentially generated integer that acts as a unique identifier for messages. The system lacks a verification of who a message (ID) belongs to when it is retrieved. This allows an authenticated user to retrieve any message in the system by specifying a valid message ID, regardless of who it belongs to. Guessing valid IDs will not be difficult since, as previously mentioned, they consist of sequential integers.

1.5.3. Possibility to harvest information and link person to messages
It is also possible to retrieve information about the user you are logged in as and the students associated with this user. This includes full name, username, email, birth number and telephone number. This is done by running a call to the server, which returns LDAP 3 data. This means that even if someone initially tests with random birth numbers, they will also have the opportunity to link the birth number to the person and family in an easy way.
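The three weaknesses described in sections 1.5.1 to 1.5.3, placed next to a hardened version of the same message service that also applies the structured absence reporting the municipality planned in section 1.4, as an added example that is not code from the decision or from the Skolemelding application. The guardian directory, birth numbers and messages are constructed placeholders, and the `id_porten_ok` flag stands in for a verified ID-porten login assertion (an assumption).

```python
"""Added illustration, not code from the decision or from Skolemelding: the
weaknesses in section 1.5 next to a hardened message service. All names, birth
numbers and messages below are constructed placeholders."""
import secrets
from enum import Enum

# Constructed guardian directory keyed by an 11-digit placeholder birth number
# (the parent's user id in the decision). Each entry lists the guardian's children.
GUARDIANS = {
    "01019012345": {"name": "Guardian A", "children": ["pupil-a1"]},
    "02029054321": {"name": "Guardian B", "children": ["pupil-b1"]},
}
# Constructed message store: sequential integer id -> (owner birth number, text).
MESSAGES = {
    1: ("01019012345", "pupil-a1 is home with a cold today"),
    2: ("02029054321", "pupil-b1 will be late"),
}


class InsecureMessageService:
    """Mirrors sections 1.5.1 and 1.5.2: the access token is the birth number
    itself, and a message is fetched by its sequential id without checking who
    owns it, so one valid id is enough to read every message in the store."""

    def login(self, birth_number):
        # The "token" carries no proof that the identity provider authenticated anyone.
        return birth_number if birth_number in GUARDIANS else None

    def get_message(self, token, message_id):
        if token not in GUARDIANS:
            raise PermissionError("unknown token")
        return MESSAGES[message_id][1]  # no ownership check on the message id


class AbsenceReason(Enum):
    """Structured absence reasons in place of a free-text field (section 1.4)."""
    ILLNESS = "illness"
    APPOINTMENT = "appointment"
    OTHER = "other"  # deliberately coarse: no health details can be entered


class HardenedMessageService:
    """Server-issued random session tokens, an ownership check on every message
    read, and absence reports restricted to an enumerated reason."""

    def __init__(self):
        self._sessions = {}  # opaque token -> birth number
        self._messages = dict(MESSAGES)

    def login(self, birth_number, id_porten_ok):
        # id_porten_ok stands in for a verified ID-porten login assertion
        # (assumption; a real check validates the identity provider's response).
        if not id_porten_ok or birth_number not in GUARDIANS:
            return None
        token = secrets.token_urlsafe(32)  # 256-bit random, not derivable from the user id
        self._sessions[token] = birth_number
        return token

    def _user(self, token):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("invalid or expired session")
        return user

    def get_message(self, token, message_id):
        """Return the text only if the message belongs to the session's user.
        Missing and foreign ids both yield None, so the caller answers 404 for
        both and the sequential ids reveal nothing about other users' messages."""
        user = self._user(token)
        owner, text = self._messages.get(message_id, (None, None))
        return text if owner == user else None

    def profile(self, token):
        """Section 1.5.3 fix: directory data only for the authenticated user."""
        user = self._user(token)
        return {"name": GUARDIANS[user]["name"],
                "children": list(GUARDIANS[user]["children"])}

    def report_absence(self, token, child, reason):
        """Store an absence report for one of the session user's own children."""
        user = self._user(token)
        if child not in GUARDIANS[user]["children"]:
            raise PermissionError("child is not linked to this guardian")
        if not isinstance(reason, AbsenceReason):
            raise ValueError("reason must be an AbsenceReason; free text is not accepted")
        message_id = max(self._messages, default=0) + 1
        self._messages[message_id] = (user, f"{child}: {reason.value}")
        return message_id
```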

2. Oslo Municipality's feedback
In a letter dated 21 June 2019, the City of Oslo has not disputed the Data Inspectorate's presentation of the actual circumstances set out in our notice of decision of 29 April 2019. In the following, we assume that our presentation of the nature and extent of the deviation gives a correct description.

*2 An access token contains security information for a login session and identifies, among other thingsthe user and its rights.
*3 Lightweight Directory Access Protocol is a protocol used to look up a directory service on a server


In its response, the municipality has described how the deviations have been closed, and what measures have been taken to prevent similar deviations from happening again. We assume that these measures are satisfactory, and consider the discrepancies to be closed. The City of Oslo has raised objections to the size of the notified infringement charge. These are discussed below in our assessment of the infringement fee to be imposed.

3. Legal basis for the assessment
3.1. About the Privacy Ordinance
The Privacy Ordinance regulates all aspects of the processing of personal data. Article 5 of the Privacy Regulation deals with what must be said to be the core of privacy law, and the article is absolutely central to the interpretation of the rest of the regulation's provisions. Violation of the principles in art. 5 may in itself lead to the imposition of sanctions. As stated in the provision, art. 5 no. 1 letter f concerns personal data security and the principle of the duty to ensure the necessary integrity and confidentiality. The principle in art. 5 No. 1 letter f on integrity and confidentiality is described in more detail and supplemented by more specific provisions in the Privacy Ordinance, Chapter IV, see e.g. Article 32 on personal data security. Art. 5 no. 2 enshrines the principle of accountability, which states that it is the data controller who is responsible for complying with the privacy principles in art. 5 No. 1.

3.2. In particular on the imposition of infringement fines - Article 58(2)(i)

The GDPR leaves it to the Member States to determine whether infringement fines may be imposed on public authorities and bodies, cf. Article 83(7). Section 26, second paragraph, of the Personal Data Act (2018) provides that the Data Protection Authority may impose infringement fines on public authorities and bodies in accordance with the rules in Article 83 of the GDPR, cf. Article 83(7).

Article 83 of the GDPR sets out the conditions for the imposition of a fine. The provision contains, among other things, an overview of the factors to be taken into account both when considering whether an infringement fine is to be imposed and when measuring the size of the fine. The article also indicates the magnitude of the fines, and it follows from Article 83(4) and (5) that the maximum rates depend on which provisions of the GDPR have been violated.

The provision basically provides that the imposition of an infringement fine rests on an overall discretionary assessment, but it gives guidance for that discretion by highlighting factors that should carry special weight. The first paragraph of the article states that the infringement fine in each individual case must be effective, proportionate to the violation and dissuasive.

We also refer to the European Data Protection Board's guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253), in which the Board explains the general criteria in Article 83(1) and the factors in Article 83(2).*4

4. The Data Protection Authority's assessments and reasons for the decision

4.1. Assessment of whether an infringement has taken place

The processing of a report of a breach of personal data security revealed the following circumstances constituting a breach of Article 32(1) of the GDPR:

1. Lack of security around logging in to the application, which made it possible to view and change the personal data of more than 63,000 children, is contrary to Article 32(1)(b) of the GDPR. In addition, information about parents and teachers is affected.
2. Inadequate security testing before launching the application, and the fact that it was launched with security holes that are well known in security communities around the world, are in conflict with Article 32(1)(d) of the GDPR.
3. Launching a school notification application with an unacceptable vulnerability that Oslo Municipality had not implemented appropriate measures to close, and inadequate control of the supplier, CGI, regarding the results of the security test, is a violation of the accountability principle in Article 5(2) of the GDPR, cf. Article 5(1)(f).

The City of Oslo has not disputed the Data Protection Authority's assessment of whether and to what extent there were deviations from the GDPR's requirements for the processing of personal data.

4.2. The Data Protection Authority's assessment of the conditions for imposing an infringement fee

4.2.1. General information about the assessment

The power to impose infringement fines is provided as a means of ensuring effective compliance with and enforcement of the Personal Data Act. An infringement fine may be imposed for deviations that have taken place, including cases where the deviations have been closed by the time the fine is decided.

Under domestic law, an infringement fine is not regarded as a criminal penalty but as an administrative sanction. However, it must be assumed that the infringement fine is to be regarded as a penalty under Article 6 of the ECHR (European Convention on Human Rights), in accordance with the case law of the Supreme Court, cf. Rt. 2012 p. 1556 with further references. The Data Protection Authority therefore proceeds on the basis that a clear preponderance of probability of an infringement is required in order to impose a fine. The case and the question of imposing an infringement fine are assessed on the basis of this evidentiary requirement.

*4 Originally prepared by the Article 29 Working Party, but adopted by the European Data Protection Board, see the Board's "Endorsement 1/2018", section 16. The documents are available at https://edpb.europa.eu

As mentioned above, Article 83 in principle provides that the imposition of an infringement fee rests on a discretionary overall assessment, but gives guidance for the exercise of that discretion by highlighting factors that should carry special weight, bearing in mind that the imposition of an infringement fine in each individual case shall be effective, proportionate and dissuasive. In the following, we review the relevant factors in Article 83(2) of the GDPR:

4.2.2. Article 83(2)(a): the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

The breach of personal data security is a result of a lack of technical and organisational measures ensuring satisfactory information security with regard to confidentiality and integrity, cf. Article 32 of the GDPR. We also refer to recital 83 of the GDPR.

The violation concerns over 63,000 children in primary school in Oslo Municipality. Not all of them have taken the school notification application into use, but the potential is still 63,000. The infringement concerns children, who to a lesser extent have the prerequisites to safeguard their rights and freedoms. The fact that use of the Skolemelding (school notification) application is voluntary does not change the picture of the severity of the breaches.

In this connection, the Data Protection Authority points out that children in particular are entitled to a high degree of protection when information about them is processed, see recital 38 of the GDPR, which states:

"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data."

The fact that children's rights and freedoms have been exposed makes the violation extra serious, and the Data Protection Authority has emphasised this as an aggravating circumstance.

Absence must be reported in the absence part of the application. On the municipality's website it is stated that no sensitive information must be written in the free-text field. Equivalent information is not given in the absence part of the application itself, which the Data Protection Authority believes could have helped limit the possibility of communicating special categories of personal data. Most people who use the Skolemelding application do not enter it via the municipality's website but via the application itself, and will thus not see this information. However, this does not have a decisive effect on the severity of the deviation.


The fact that unauthorised persons have had the opportunity to gain access to others' personal data has also given them the opportunity to manipulate the personal data in the application. The breach of personal data security has meant that the data subjects have lost control of information about themselves, and of whether others have seen or changed information about them in the application.

4.2.3. Article 83(2)(b): the intentional or negligent character of the infringement

Pursuant to section 46 of the Public Administration Act, an administrative sanction may be imposed on an enterprise even if no individual has shown guilt. This means that Oslo Municipality has objective liability. By enterprise is meant a company, cooperative, association or other organisation, sole proprietorship, foundation, estate or public enterprise.

We consider it beyond doubt that Oslo Municipality was aware of the necessity of establishing organisational and technical measures in the application. By not implementing the necessary measures, the municipality has acted negligently.

The Data Protection Authority finds that there is a clear preponderance of probability that Oslo Municipality has violated Articles 5 and 32 of the GDPR.

4.2.4. Article 83(2)(c): any action taken by the controller or processor to mitigate the damage suffered by data subjects

The security hole was closed the same day the municipality discovered it. It is important that the municipality took these measures, and this will have a signal effect on others. The Data Protection Authority believes this should have a mitigating effect in the assessment of the infringement fee.

4.2.5. Article 83(2)(d): the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32

The errors found in Skolemelding are of such a nature that they have been on the OWASP*5 Top 10 list for many years. The OWASP Top 10 is a recognised awareness document for security in web applications and is often referred to among people in the security community and at security conferences. There is a consensus among security experts around the world on what the most critical security risks in web applications are. The Data Protection Authority has referred to OWASP in several places in its guide on software development with built-in privacy.*6 The errors in Skolemelding are described in A2, A3 and A5 of the OWASP Top 10 from 2013 (Broken Authentication and Session Management, Cross-Site Scripting and Security Misconfiguration). Given the security holes found in the solution, any testing that has been done appears to be very deficient. This must be described as negligent.

*5 Open Web Application Security Project - https://www.owasp.org
*6 https://www.datatilsynet.no/regelverk-og-verktoy/veiledere/programvareutvikling-med-innebygd-personvern/

It can therefore be stated that Oslo Municipality has shown negligence in relation to an acceptable level of protection.

4.2.6. Article 83(2)(f): the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects

There has been no cooperation with the Data Protection Authority to remedy the violation. Oslo Municipality has on its own initiative taken the necessary measures to close the breach of personal data security.

4.2.7. Article 83(2)(g): the categories of personal data affected by the infringement

As the violation concerns children in primary school, we refer to recital 75 of the GDPR, which points out that special consideration must be given to the risk associated with the personal data of children, and to processing that involves a large amount of personal data and affects a large number of data subjects.

We can state that special categories of personal data, as defined in Article 9 of the GDPR, have been exposed to unauthorised persons. The information that has been available is absence information, where a free-text field can result in the reason for absence being stated. In addition, information requiring confidentiality, such as information about bullying, could be registered in the Skolemelding application.

4.2.8. Article 83(2)(h): the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

The Data Protection Authority first became aware of the situation through media coverage. We were notified of the breach of personal data security by Oslo Municipality on 7 September 2018. It is unfortunate that the Data Protection Authority only learns of the deviation after the case has been covered in the media. The Data Protection Authority finds it highly reprehensible that knowledge of what happened in the breach of personal data security, and of the vulnerability in the school notification application, reached us through the initiative of private individuals. Oslo Municipality also admits that the deviation reports were misleading. This carries weight in our assessment of whether an infringement fine must be imposed.

4.2.9. Article 83(2)(k): any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

The Data Protection Authority has not found that Oslo Municipality has gained financial benefits or avoided losses, directly or indirectly, as a result of the infringement.

The Data Protection Authority places particular emphasis on the fact that sufficient organisational and technical measures were lacking in the Skolemelding application. The Data Protection Authority considers this serious, and it is one of the reasons for the infringement fee. The users of the municipality's services have a clear interest, worthy of protection, in adequate security measures where confidentiality and integrity are required. Inadequate security can have serious consequences for the individual, both because others gain access to information the data subject has not chosen to make known, and because the availability makes it unpredictable how many people have obtained the information.

General preventive considerations, and the consideration that the rules should have effect and work as intended, argue strongly for reacting with an instrument such as an infringement fee.

In a mitigating direction, it can be pointed out that Oslo Municipality reacted as soon as it became aware of the security holes.

4.2.10. Summary and conclusion

After an overall assessment of the scope, nature and severity of the deviation, the Data Protection Authority has concluded that it is correct to uphold our notified decision on an infringement fine. We have placed special emphasis on the fact that it is children's privacy that is affected by the deviation.

4.3. Measurement of the size of the infringement fee

In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that "as a starting point, the same rules for infringement fines shall apply to public bodies as to private ones, as this is the scheme under the current Personal Data Act", but the Ministry assumes that within the rules of Article 83 of the Regulation, which also indicates the factors to be emphasised in the calculation of administrative fines, there is room for considerable discretion as to the size of the fine. The Ministry states that "the upper limits in Article 83 of the Regulation set maximum limits for the measurement of administrative fines, while no minimum limits have been set."

With regard to the size of the fee, the same factors apply, weighted, as when assessing whether a fee shall be imposed. The fee should be set so high that it also has an effect beyond the specific case, while at the same time its size must be in reasonable proportion to the violation and the enterprise, cf. Article 83(1).

We have particularly noted that the breach of personal data security concerns a significant number of children in primary school. Furthermore, we have emphasised the general expectation citizens may have that municipal authorities follow the rules that are given, and especially those that give individuals rights meant to protect this type of information.

The imposition of an infringement fine in this case will have an important signal effect. The Data Protection Authority wants to communicate clearly that such incidents are considered serious. It is important that such incidents do not occur, and that all public bodies dealing with citizens' personal data, and information about vulnerable persons such as children, are conscious of their responsibility. We have emphasised the general preventive effect that a decision on an infringement fee is assumed to have.

In our notified decision, we stated that the size of the fee would be set at NOK 2,000,000. Oslo Municipality responded to our notice with objections to the size of the fee. It stated "that it is sufficient to impose obligations on the supplier to report deviations, in addition to which routines have been established for continuous follow-up of the supplier. We have considered this practice satisfactory, as it has worked well over several years in that deviations have been discovered and cleaned up. It is also admitted by the supplier that the deficient follow-up of the agreement is due to human error. UDE believes that the aforementioned must be considered mitigating circumstances. In any case, we have wanted to improve our control in terms of security tests, and have therefore introduced measures for a joint review of all results from security testing with the supplier, cf. above."

Oslo Municipality points out that it could not report deviations to the Data Protection Authority when it had no knowledge of the circumstances. That Oslo Municipality had no knowledge of the test results is, as the Data Protection Authority sees it, a result of a lack of project management between the municipality and its supplier. The Data Protection Authority draws attention to the fact that Oslo Municipality is responsible for the serious violations that occurred by not introducing organisational and technical measures suited to ensuring lasting confidentiality and integrity in the Skolemelding application. That Oslo Municipality believed the application had been security tested before it was put into production, and believed it was sufficient to impose obligations on the supplier regarding the reporting of nonconformities, is a calculated risk, which cannot mitigate the incident.

Oslo Municipality finally points out that the supplier bears a significant part of the responsibility for the incident. The Data Protection Authority does not disagree with this, but it does not exempt the municipality from its responsibility. Finally, the municipality points out that it can only be established that two persons are affected by the breach of personal data security. This is of little importance to the Data Protection Authority when the potential was far larger.

The Data Protection Authority has come to the conclusion that the notified infringement fee must be adjusted downwards somewhat. In the assessment we have emphasised that the City of Oslo implemented damage-mitigating measures as soon as the municipality was informed of the breach of information security, and showed a willingness to clear up the incident. After an overall assessment of the case, we have concluded that an infringement fee of NOK 1,200,000 is correct.

5. Decision on infringement fine

5.1. Decision on infringement fine

Pursuant to Article 58(2)(i) of the GDPR, cf. section 26 of the Personal Data Act, cf. Article 83 of the GDPR, the Data Protection Authority makes the following decision on an infringement fine:

Oslo Municipality is ordered, pursuant to section 26, second paragraph, of the Personal Data Act, cf. Article 83 of the GDPR, to pay an infringement fee of NOK 1,200,000 - one million two hundred thousand Norwegian kroner - to the Treasury for breaches of duties under the GDPR.

The fee is imposed as a result of Oslo Municipality not having implemented suitable technical and organisational measures to achieve a level of security appropriate to the risk, and to ensure lasting confidentiality and integrity, cf. Article 5(1)(f) and Article 32(1)(d) of the GDPR.

5.2. Recovery of the infringement fee

The infringement fee is due for payment four weeks after the decision is final, cf. section 27 of the Personal Data Act (2018). The decision is an enforceable basis for recovery. Recovery of the claim will be carried out by the Norwegian National Collection Agency.

5.3. Right of appeal

You can appeal the decision. Any appeal must be sent to us within three weeks after this letter has been received, cf. sections 28 and 29 of the Public Administration Act. If we uphold our decision, we will send the case to the Privacy Appeals Board for processing of the appeal, cf. section 22 of the Personal Data Act.

5.4. Transparency and public access

You have the right to access the case documents, cf. section 18 of the Public Administration Act. We also inform you that all documents are in principle public, cf. section 3 of the Freedom of Information Act, but emphasise at the same time that security documentation is as a general rule exempt from public access, cf. section 13 of the Freedom of Information Act and section 13, first paragraph, no. 2, of the Public Administration Act.

With best regards
Bjørn Erik Thon
Director

Knut Brede Kaspersen
Legal Director