Datatilsynet (Norway) - 20/01984
|Datatilsynet - 20/01984|
|Relevant Law:|Article 5 GDPR; Article 6 GDPR; Article 32(1)(b) GDPR; The Education Act § 15(1); Public Administration Act § 13 no. 1|
|Parties:|Indre Østfold kommune (municipality)|
|National Case Number/Name:|20/01984|
|European Case Law Identifier:|n/a|
|Original Source:|Datatilsynet (in NO)|
|Initial Contributor:|Rie Aleksandra Walle|
The Norwegian DPA (Datatilsynet) fined Indre Østfold municipality €18,860 for publishing a former student's school folder openly on its website, thereby breaching Articles 32(1)(b), 5 and 6 of the GDPR.
English Summary
Facts
A former student asked a school to share their school folder. The municipality's routine is to keep records for access requests, which meant, in this case, that the folder was scanned and made available for access. It was, however, made openly available on the municipality's website, and a local journalist was able to download the entire folder with its contents. The information was confidential, cf. the Education Act.
When the error was discovered, the folder was removed and the municipality notified the DPA of the personal data breach, as well as the affected data subject.
Dispute
Was publishing the student's school folder online a breach of Article 32?
Holding
The DPA concluded that the municipality had breached the information security requirements of Article 32(1)(b), cf. Article 5, and that it didn't have any legal grounds for this processing as per Article 6, cf. Article 5 (the latter because the information was confidential and should never have been published openly). The municipality was fined €18,860.
Comment
It's interesting to note that the DPA also held that the municipality had breached Article 6, with the following logic: The folder and its content were subject to confidentiality as per the Freedom of Information Act. When the folder was openly published, the GDPR came into effect, meaning the municipality would require legal grounds for processing as per Article 6. However, since the personal data by law weren't allowed to be shared publicly, none of the requirements for establishing legal grounds as per Article 6 were applicable, i.e. the municipality breached Article 6.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Violation fee to Indre Østfold municipality
The Norwegian Data Protection Authority has decided to give Indre Østfold municipality an infringement fee of NOK 200,000 for breach of confidentiality. Personal information that should have been protected was made available to unauthorized persons.
Indre Østfold municipality, formerly Askim municipality, published the student folder of a former student on the municipality's website. The student file contained personal information that is subject to a duty of confidentiality.
Got tips from local newspaper
The starting point for the incident was that the student needed the student file in a study context, and therefore asked the municipality to send it over. The municipality's routine is for requests for access to be recorded. This means that the document in which access has been requested is also scanned and made available for access.
The student folder was available on the municipality's website from Friday 27 September to Monday 30 September. The municipality was made aware of the case by a journalist in the local newspaper Smaalenenes Avis. The documents were removed from the mailing list and exempted from public access immediately after they were discovered. The affected person was then notified.
The infringement fee does not change
After the Data Inspectorate sent a notification of infringement fines, we received feedback from the municipality. Here they regret that "personal sensitive information" was posted on the mailing list. The municipality also asked the Data Inspectorate to assess the size of the fee in light of the measures that were introduced afterwards.
An infringement fee shall reflect the severity of the offense in question. It follows from Norwegian law that the municipality must implement the necessary measures to prevent future offenses.
The Norwegian Data Protection Authority has come to the conclusion that the subsequent measures to rectify the incidents, in view of the seriousness of the breach, do not have a significant effect on the size of the infringement fee. We have therefore concluded that the notified fee will not change.