Datatilsynet (Norway) - 20/02191

From GDPRhub
Revision as of 11:45, 7 May 2022 by Riealeksandra (talk | contribs) (Added information from the original decision to combine the two)
Datatilsynet - 20 / 02191-1 KBK / -
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 9(1) GDPR
Article 32(1)(b) GDPR
Article 83(2) GDPR
Type: Investigation
Outcome: Other Outcome
Started:
Decided: 07.07.2020
Published: 20.07.2020
Fine: 500000 NOK
Parties: n/a
National Case Number/Name: 20 / 02191-1 KBK / -
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA reduced an initial fine to Rælingen municipality from €80,000 to €50,000 related to the use of the school app "Showbie", for lack of sufficient technical and organisational measures for processing special categories of data, cf. Article 32(1)(b) GDPR, Article 32(1)(d), Article 24 and Article 35, cf. Article 5.

English Summary

Facts

In May 2019, a municipality reported a personal data breach aftering discovering that special category personal data was being processed in a digital learning management system ("Showbie app"), after which the Norwegian DPA Datatilsynet launched an investigation.

The app was used in school for a group of pupils with special needs. The main use of the app was to ease communication between the school and parents, in particular with regards to communication messages about absence. The app did not include separate accounts or logins for parents and the pupils. Information concerning “health” and “medications” could be added to tabs in the app. The tabs did not include health information, but personal data regarding medication was found in the calendar and in chats with parents. There were no guidelines or routines on how to use the app securely. Teachers and employees used the school’s wireless internet, while the parents used it on unsecured home networks or mobile internet. There was no two-factor authentication implemented, as required under security level 4 when dealing with health information

The municipality argued that the intended fine was disproportionately high for the circumstances of the case, particularly since the municipality itself notified the DPA of the breach, there were a low number of data subjects involved, and the relevant information was deleted two days after the breach was discovered.

Holding

The DPA initially notified the municipality of a NOK 800,000 fine, but later reduced it to NOK 500,000. In its assessment of the fine size, the DPA stated that the size was justified on the basis of the following factors set out in Article 83(2) GDPR:

  • The municipality had failed to communicate the use of Showbie for processing special categories of data.
  • No Data Protection Impact Assessment was carried out, despite the processing involving special categories of data and the data of vulnerable children.
  • There was "beyond reasonable doubt" a breach of Article 32 by the municipality.
  • The municipality demonstrated a lack of awareness of the importance of necessary safety measures for such data.
  • The higher degree of responsibility on the controller because the personal data of children was involved.
  • No cooperation by the municipality to remedy the infringement.
  • The categories of personal data affected by the infringement.

In terms of mitigating factors for the fine size, the DPA found that the fact that the data was deleted after two days after the breach was discovered justified a reduction in the size of the fine, and that the relatively low number of persons affected was not a significant mitigating factor, but not an aggravating factor either. The DPA rejected the argument that the notification of the breach by the municipality could be a mitigating factor for this fine, as the duty on the controller to report such a breach is required by law in Article 33 GDPR.

Comment

When arguing for a smaller fine, the municipality claimed their case had several similarities with an earlier case against another municipality, where the fine was only NOK 50,000. The DPA disregarded this argument on the basis that the earlier case had been decided under the former Data Protection Directive 95/46, the precursor to the GDPR, and that the rules for fines were significantly different between the two pieces of law.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.


RÆLINGEN MUNICIPALITY
PO Box 100
2025 FJERDINGBY
Their reference
Our reference
Date
20 / 02191-1 KBK / -
02/07/2020
Decision on infringement fee - Rælingen municipality
1 Introduction
We refer to the report of a breach of personal data security from Rælingen municipality sent
May 8, 2019, notification of violation fee of February 26, 2020 and the municipality's feedback
of 29 April 2020.
The case concerns the Showbie application, which is used here to communicate health-related issues
personal information between school and home, by the FINE group at Marikollen ungdomsskole.
The discrepancy applies to personal data that includes special categories of personal data.
Based on the information in the case, the Data Inspectorate believes that Rælingen municipality has violated the rules
on the security of personal data in the Privacy Regulation (European Parliament and
Council Regulation (EU) 2016/679 of 27 April 2016).
Pursuant to the Personal Data Act § 26 second paragraph, cf. the ordinance article 83,
we order Rælingen municipality to pay an infringement fee to the state treasury
500,000 - five hundred thousand - kroner for not having completed suitable technical and
organizational measures to achieve a level of security that is appropriate with respect to
the risk, in the event of failure to ensure continued confidentiality and integrity, cf.
Article 32 (1) (b) and (d) of the Regulation, Article 24 and Article 35, cf. Article 5.
The background and reasons for the decision follow below.
2. The Data Inspectorate's assessment of the municipality's feedback
In the feedback of 29 April 2020, the municipality acknowledges the facts of the case as
forms the basis for the Data Inspectorate's conclusion on the imposition of infringement fines, at the same time
as they point out that the fee is disproportionately high, given the specific circumstances that do
applicable in the case.
In the following, the Data Inspectorate will review the municipality's comments on the size of the fee.
The municipality points out that «there is no information in the case that indicates that some of the children / pupils have in fact been exposed to neither material nor non-
material damage, but the Data Inspectorate has not highlighted this point clearly in its
assessment. " The Data Inspectorate agrees that this is not clearly stated in the reasons for the decision,
but wishes to point out that this is implicitly stated in section 6.2 letter a) last paragraph. Secondly, have
The Norwegian Data Protection Authority emphasized that the breach of personal data security has a high risk for them
affected rights and freedoms. In this, the security breach itself constitutes a risk, regardless of
whether the risk manifests itself in a more concrete form of harm to those affected or not.
The municipality further points out that the Norwegian Data Protection Authority has not sufficiently emphasized that they
the relevant personal information was removed from the app two days after the actual circumstances became
discovered. In our view, this argument cannot be given further weight, because it is
the data controller's duty to ensure that the rules in the Personal Data Act and
The Privacy Ordinance is complied with at all times, but we take note of this view.
Furthermore, the municipality points out that it has consistently used the term «students at
adapted department » , and believes that this is the correct characteristic to use also in
the Authority's case documents. The Norwegian Data Protection Authority has noticed this and will comply with the municipality's
desire.
Finally, the municipality points out that this case has certain similarities with the case against Årdal
municipality (PVN-2016-14), where the final infringement fee was set at NOK 50,000.
The Data Inspectorate points out that the decision against Årdal municipality was made after old
Personal Data Act and EU Directive 95/46. The requirements and amounts of infringement fines are
significantly tightened under the new Personal Data Act and the Privacy Ordinance, see Article 83 no. 4
and 5. According to the old Personal Data Act, an infringement fine of up to 10 could be imposed
times the basic amount in the National Insurance Scheme.
Based on this, the Data Inspectorate has found that there is a basis for adjusting the notified
the violation fee down to 500 00 kroner.
Violation of the Privacy Ordinance
The report of a breach of personal data security has revealed circumstances that constitute
the following possible breaches of the Privacy Regulation:
• Inadequate security when logging in to Showbie, which makes it possible to access
personal information about other students in the FINE group, is in conflict with
Article 32 of the Privacy Regulation, see in particular point 1 (b). It has been treated
special categories personal information (health information) about students when facilitated
department in the application, without Rælingen municipality having carried out suitable technical and
organizational measures to achieve an appropriate level of security.
• Inadequate safety testing before Showbie was introduced in the municipality, and that the application
was used with a level of safety that is not suitable in terms of risk, is in conflict
with the Privacy Regulation Article 32 (1) (d)
• An assessment of privacy consequences has not been carried out, cf. Article 35
• Using an application with an insufficient level of security is a violation
the principle of liability in Article 5 (2) of the Privacy Regulation, cf. Article 5 (1) letter f) 4. The facts of the case
The actual circumstances of the case are based on the report of a breach of personal data security,
and the statements from the Privacy Ombudsman in Rælingen municipality, the municipality's statement of
5 June 2019, as well as an e-mail dated 13 September 2019. In a letter dated 9 May 2019, the Norwegian Data Protection Authority requested one
further explanation of the case. Such a statement was sent to the Norwegian Data Protection Authority on 31 May 2019 and 5 June
2019 with report from security officer dated 13 May 2019. 13 September 2019 confirmed
Rælingen municipality in an e-mail that Marikollen ungdomsskole and FINE-gruppa started with
the application Showbie from January 2018. FINE stands for Forum for Included Students, and is one
department that offers adapted teaching for students with special needs from 1. - 10.
step. Showbie is an application developed by Microsoft.
The reported breach of personal data security concerns inadequate security in
Showbie.
According to the State Educational Service, Showbie «is a digital learning platform that can simplify
communication between teacher and student, and facilitate cooperation between school and home. Showbie
allows the teacher to distribute assignments in an easy way, and students can submit answers and get
these back with an assessment. Assessments can be given with written text, possibly in the form of
video or audiovisual. "
At the FINE group, Showbie has acted as a message book. The FINE group is an organized one
department at Marikollen ungdomsskole, and includes children of different ages with different
degrees of developmental disabilities with elements of various additional diagnoses, as for
example epilepsy.
26 teachers and 15 students, including parents from the FINE group, have access to Showbie. Login
done through code or fingerprints. There is no further login to Showbie.
Parents do not have their own parental access. They log in with the student's code on
his iPad. Code on iPad is the only security.
The privacy ombudsman in Rælingen municipality received a deviation report on 28 February on the basis of
a presentation that was shown at the unit leader meeting. One of the images was a screenshot from
Showbie, which showed a student on the FINE group whose name was skimmed. On the left side in
the application there were categories called «health» and «medicines». It turned out that it was not
personal information in these folders. The folders were prepared in collaboration with RIKT AS for
use. RIKT AS is a company that offers training on various digital platforms primarily
education sector.
The municipality states in the report on the breach of personal data security that it was
found health information under daily schedules, as well as in chats with parents (who appeared to be
with the student). The school communicates with parents about how the day has been, e.g. about
the student has been to the bathroom, had seizures or received medication. Parents can act on behalf of the student,
and it is the student's name that is displayed, regardless of who is logged in and responding. Employees use
Showbie on wireless network in the workplace, while parents use unsecured wireless network, possibly mobile network at home. There are no routines for using Showbie. Rælingen
municipality states in a letter of 5 June 2019 that no assessment has been made of
the privacy implications before the application was launched. The municipality states that it rather
no risk assessment of Showbie has been carried out before it was introduced.
In the report on the breach of personal data security of 13 May 2019, stated
security officer that there were a number of requirements that were not met in the processing of
health information. The head of security pointed out i.a. that two-factor login authentication,
and use of security level 4 in relation to communication with bank ID, ID gate, etc., as well
network control, missing.
One consequence of the fact that the processing of personal data does not have sufficient security is
risk that unauthorized persons gain knowledge of information that is or is confidential
considered as special categories of personal data.
5. Legal basis for the assessment
5.1 About the privacy principles
Article 5 of the Privacy Regulation is central to the interpretation of the other provisions of the Regulation
provisions. Violation of the principles in art. 5 may in itself lead to the imposition of
sanctions.
As stated in the provision, Art. 5 no. 1 letter f) personal data security
and the principle of duty to ensure the necessary integrity and confidentiality. This is closer
described and supplemented by more specific provisions in the Privacy Ordinance, Chapter IV, see
eg. Article 32 on the security of personal data.
Species. 5 no. 2 states, through the principle of responsibility, that it is the person responsible for processing who has
the responsibility for complying with the privacy principles in art. 5 No. 1.
5.2 About information security
Article 32 of the Privacy Regulation regulates the security requirements when processing
personal information. The following is an excerpt from the relevant parts of Article 32 (1):
'1. Taking into account the technical development, implementation costs and
the nature, scope, purpose and context of the treatment, as well as the risks of
varying degrees of probability and severity for the rights of natural persons and
freedoms, the data controller and the data processor shall implement appropriate
technical and organizational measures to achieve a level of security that is appropriate with
taking into account the risk (…) ».
The obligation to implement appropriate technical and organizational measures is stated accordingly
Article 24 of the Privacy Regulation, which regulates the liability of the controller
separately. 
5.3 On assessment of the privacy consequences
Article 35 of the Privacy Regulation regulates when the data controller is to perform a
assessment of the privacy implications. An excerpt of the provision follows.
'1. If it is likely that a type of treatment, especially when using new technology and as
the nature, scope, purpose and context in which the treatment is performed will be taken into account
entail a high risk to the rights and freedoms of natural persons, it shall
treatment managers before the treatment make an assessment of the consequences
planned processing will have for personal data protection. An assessment may include several
similar treatment activities that involve correspondingly high risks.
2. The data controller shall consult with the privacy representative, if one
privacy representative is appointed, in connection with the performance of an assessment of
privacy implications.
3. An assessment of privacy consequences as mentioned in paragraph 1 shall be particularly necessary in
the following cases:
a) a systematic and comprehensive assessment of personal aspects of natural persons based
on automated processing, including profiling, and which forms the basis for decisions such as
has legal effect on the natural person or in a similar way significantly affects it
the natural person,
(b) the large-scale processing of specific categories of information referred to in Article 9 (1), or by
personal data on criminal convictions and offenses as referred to in Article 10, or
(c) a large-scale systematic monitoring of a publicly accessible area. "
Reference is also made to the Data Inspectorate's website with guidance on when DPIA will be implemented
www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/vurdere-
privacy impact / rate-of-privacy implications /
5.4 In particular on the imposition of infringement fines - Article 58 (2) (i)
The Privacy Regulation leaves it to the Member States to determine whether infringement fines should apply
could be imposed on public authorities and bodies, cf. Article 83 (7).
Section 26, second paragraph, of the Act stipulates that the Danish Data Protection Agency may impose public authorities and
bodies infringement fines in accordance with the rules of Article 58 of the Privacy Regulation, cf. Article 83
No. 7.
Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision
contains i.a. an overview of which factors should be taken into account when considering both
whether an infringement fee is to be imposed and which factors are to be assessed in connection
with the measurement of the size of the fee. The article also states the magnitude of the fees, and that
appears from art. 83 no. 4 and no. 5 that the maximum rates depend on which provisions in
the Privacy Regulation that has been violated.
The provision basically provides instructions that the imposition of an infringement fee is due
a discretionary overall assessment, but it lays down guidelines for the exercise of discretion by
highlight aspects that should have special emphasis. The first paragraph of the article states that
the infringement fine in each individual case must be effective, proportionate to
the violation and act as a deterrent.
We also refer to the Privacy Council's guidelines regarding the application and determination of
infringement fine in accordance with Regulation (EU) 2016/679 (WP 253), where
The Privacy Council explains the general criteria in art. 83 no. 1, and the points in art. 83 no.
2. 1
6. The Data Inspectorate's assessment and justification
Rælingen municipality states that health information was found under daily plans, as well as in
chat with guardians, but that it can not be established that personal information has arrived
irrelevant in her.
Rælingen municipality further states that Showbie was not arranged for treatment of special
categories that personal data, and that therefore no one has been carried out
risk assessment or review of the privacy implications of this treatment.
The head of security in the municipality has also stated that the application Showbie does not have one
sufficient level of security, cf. Article 5 (1) (f) of the Regulation, to be able to process
especially categories of personal data.
The Norwegian Data Protection Authority finds it necessary to point out that the established security level is not in accordance
with the Privacy Ordinance Article 32 No. 1 letter b), and that the municipality must implement
measures to create an adequate level of security.
Rælingen municipality has not clearly communicated that Showbie will not be used for
processing of special categories of personal data. There is no warning either
information in the application itself that one should not enter special categories of
personal information. The adaptation of the folders "health" and "medicines" was done in
collaboration between the FINE group and RIKT AS. An assessment of the privacy implications,
cf. Article 35, would have clarified this.
Rælingen municipality is not aware that unauthorized persons have taken advantage of this weakness
to access personal information, but due to insufficient security, has
unauthorized persons both inside and outside the FINE group had the opportunity to gain access to
personal information in Showbie.
6.2 The Danish Data Protection Agency's assessment - infringement fee
The right to impose infringement fines is provided as a means of ensuring effective
compliance with and enforcement of the Personal Data Act. Internal law is a violation fee
not to be regarded as a punishment but as an administrative sanction. However, it must be assumed that
infringement fine is to be regarded as a punishment under the ECHR (European
Convention), Article 6, and in accordance with the case law of the Supreme Court, cf. Rt. 2012 page 1556 med
further references.
The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required
offense in order to impose a fee. The case and the question of imposing
infringement fines are assessed on the basis of this evidentiary requirement.
In this connection, reference is made to Chapter IX of the Public Administration Act on administrative matters
sanctions. By an administrative sanction is meant a negative reaction that can be imposed by a
administrative body, which addresses a committed violation of law, regulation or individual
decision, which is considered a punishment under the European Convention on Human Rights
(EMK).
For companies, the guilt assessment is unique. Section 46, first paragraph, of the Public Administration Act states:
"When it is stipulated by law that an administrative sanction may be imposed on an enterprise,
the sanction can be imposed even if no individual has shown guilt ».
In Prop. 62 L (2015-2016) page 199 it is stated about § 46: «The wording that 'none
an individual has shown guilt 'is taken from the section on corporate punishment in the Penal Code § 27
first paragraph and shall be understood in the same way. The responsibility is therefore basically objective ».
As mentioned above, Article 83 in principle provides that the imposition of
violation fee is based on a discretionary overall assessment, but adds guidance
the exercise of discretion by highlighting factors that should be of particular importance, taking into account that
imposition of infringement fines in each individual case shall be effective, proportionate
and deterrent.
We have placed particular emphasis on the following aspects in our assessment:
a) the nature, severity and duration of the infringement, taking into account
the nature, extent or purpose of the action concerned and the number of data subjects affected,
and the extent of the damage they have suffered ,
The breach of personal data security is a result of lack of technical and
organizational measures to ensure satisfactory information security with respect to
confidentiality and integrity, in accordance with Article 32 of the Regulation.
Special categories of personal information that the municipality has processed in Showbie are
health information about i.a. daily form, seizures (epilepsy), as well as any additional diagnoses,
medications and medication.
The violation includes 15 students at Marikollen ungdomsskole in Rælingen municipality. IN
in addition, 26 teachers will be covered. This applies to an adapted ward with children with physical
or mental disability. In an e-mail to the principal at Marikollen ungdomsskole on 13 March
In 2019, the then head of security asked the principal to explain what the use of Showbie was
is at the FINE group. The reason for the request was that it was based on the security officer
knowledge at this time could look as if the area of ​​use corresponded to « an electronic patient record system »which may or will not contain sensitive information. In his response pointed out
principal following: «Has pointed out several times what can and cannot be on Showbie for
Fine. Laila is instructed to review folders and ensure that no sensitive ones are placed
information there. " It is not exempt from liability if the management has pointed out how Showbie should
used, when this has not been followed up with necessary measures.
No privacy impact assessment (DPIA) has been carried out either. Then
processing of special categories of personal data could entail a high risk
the rights and freedoms of natural persons, Rælingen municipality must make an assessment of which
consequences the planned processing will have for personal data protection. We refer here to
Advocate 38 of the Privacy Ordinance, where it is pointed out that children's personal data shall
given special protection. That the rights and freedoms of children in the adapted ward have been postponed,
must be emphasized in an aggravating direction in the assessment of whether an infringement fine should be imposed.
b) whether the infringement was committed intentionally or negligently
In the case documents, including an e-mail from the principal to the security officer, it is clear that
The FINE group has used Showbie in a way that has not been the prerequisites for
use. That the principal has given instructions to named persons in the FINE group that sensitive
information should not be posted there, does not exempt from lack of follow-up. The risk of this
could happen was great; and since no good routines have been established or implemented
assessment of the privacy implications under Article 35 of the Privacy Regulation or
risk assessment, this is a system failure of a serious nature. The Danish Data Protection Agency will also point out that
treatment of students at the adapted department in Showbie in isolation will require a similar
security.
Beyond reasonable doubt, Rælingen municipality has used Showbie without implementing it
organizational and technical measures to ensure lasting confidentiality and integrity in
the Showbie application, cf. Article 5 (1) (f) of the Privacy Ordinance, cf. Article 32
No. 1 letter b), and ensure an efficient process for regular testing, analysis and
assessment of how effective the security measures are, cf. Article 5 (1) of the Privacy Ordinance
letter f), cf. Article 32 (1), letter d).
Showbie was taken into use at Marikollen ungdomsskole in early 2018. In an e-mail of 13 September
2019, the municipality announces the following:
«Marikollen ungdomsskole and the FINE group started with Showbie from January 2018.
However, the parents of the children at FINEgruppa did not receive training in using the app
before September / early October 2018. The head of department at FINE was a little uncertain
at specific time. Communication between parents / school for the students at FINE came
started in October 2018 ».
This indicates a lack of awareness of the importance of necessary safety measures.
The lack of awareness must be described as negligent, and in our opinion it is
about a serious degree of negligence, which is important in the assessment of whether infringement fines must be imposed.
c) any measures taken by the data controller or data processor to
limit the damage suffered by the data subjects
When the breach of personal data security was revealed, it was clear
communication failure about the severity of the breach. This is stated in the statement from
Protection Officer. Measures eventually came into place, and the personal information was removed from
the app two days after the breach of personal data security was discovered.
d) the degree of responsibility of the data controller or data processor, taking into account
to the technical and organizational measures they have implemented in accordance with Article 25 and
32
The Privacy Ordinance has introduced a higher degree of responsibility for it
persons responsible for processing, cf. the principle of liability in Article 5 no. 2. Rælingen municipality has
has not ensured an adequate level of safety, cf. Article 32. It can therefore be stated that
Rælingen municipality has not shown the necessary responsibility in relation to acceptable
level of protection.
e) any relevant previous violations committed by the data controller or
data processor
No previous violations can be found.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
possible negative effects of it
There has been no cooperation between the municipality and the Norwegian Data Protection Authority beyond what follows
the Personal Data Act and the requirements of the Privacy Ordinance, to remedy the infringement and
reduce the possible consequences of it.
g) the categories of personal data affected by the infringement
We can state that special categories of personal data, as defined in
Article 9 of the Privacy Regulation has been exposed in Showbie. Since the violation includes
children, we refer to point 75 of the Privacy Ordinance, where it is pointed out that it must be taken
special consideration of the risk associated with children's personal data.
Personal information that has been registered in Showbie is health information about day form and
seizures (epilepsy), as well as any additional diagnoses, medications and medication.
The fact that the breach of personal data security includes students when facilitated
department makes the case particularly serious, and has been given great weight in the assessment of whether
violation fee must be given. 
h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
possibly to what extent the data controller or data processor has
notified of the infringement
The Norwegian Data Protection Authority was notified of the deviation from Rælingen municipality on 8 May 2019.
(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
data controller or data processor with respect to the same subject matter, that
the said measures are complied with
No measures have previously been taken against Rælingen municipality with regard to
same subject matter.
(j) compliance with approved standards of conduct in accordance with Article 40 or approved
certification mechanisms in accordance with Article 42
This point is not relevant to the case.
k) any other aggravating or mitigating factor in the case, e.g. economic benefits
which has been obtained, or losses which have been avoided, directly or indirectly, as a result of
violation
The Data Inspectorate has not established that Rælingen municipality has had financial benefits, or
avoided losses directly or indirectly as a result of the infringement, and there is rather
no aggravating circumstances other than those mentioned above. We can not see that either
there are other mitigating factors in the case.
7. Summary
In assessing whether an infringement fee should be imposed, the Norwegian Data Protection Authority places particular emphasis on the fact that
the violations have significantly violated basic principles that the regulation protects, cf.
Article 5 (1) (f) of the Regulation, which states that ' personal data shall be processed
in a manner that ensures adequate security of personal data, including protection against
unauthorized or illegal treatment and against unintentional loss, destruction or damage, by the use of
appropriate technical or organizational measures ("integrity and confidentiality") ".
The Norwegian Data Protection Authority places particular emphasis on the fact that an acceptable level of security had not been established in
Showbie. The Data Inspectorate considers this to be serious. The users of the municipality's services have one
clear and protected interest against deficient security measures where confidentiality is
required. This can have serious consequences for the individual both because the environment can have
access to information that the data subject has not himself chosen to make known, but also because
the availability makes it unpredictable how many people have obtained the information.
General preventive reasons and the consideration that the rules should have effect and work as intended,
then speaks with force for it to react with an instrument such as an infringement charge. 
According to the Norwegian Data Protection Authority, the breach of personal data security is particularly serious as this
applies to students in an adapted department who have little or no ability to take care of theirs
rights and freedoms.
The Data Inspectorate cannot see that the other aspects that the law emphasizes apply in
significant degree - neither in an aggravating nor mitigating direction.
The conclusion is that the Data Inspectorate has come to impose an infringement fee.
8. The size of the fee
With regard to the size of the fee, the same factors shall be given weight as in wood
the assessment of whether a fee should be imposed. The fee should be set so high that it also has an effect
beyond the specific case. At the same time, the size of the fee must be in a reasonable proportion to
the infringement and the business.
We have particularly noted that the municipality had not established an acceptable level of security in
Showbie, and that the relevant processing of personal data applies to children when facilitated
department.
Furthermore, we have looked at the general expectation that citizens should be able to have that municipal
bodies follow the rules given. We assume that the signal effect of this case,
the general preventive considerations are significant. It is important that such incidents do not occur, and
that all public bodies that process citizens' personal data and information
about vulnerable persons such as children, must take the responsibility that the law imposes on them.
Inadequate routines often have the consequence that the risk of errors increases. In this case have weak
routines and non-compliance with the routines actually had a real consequence in that it is
found health information under daily schedules, as well as in chat with parents. This indicates a sharpened
reaction.
The municipality has stated that certain circumstances in the municipality's view should have been added
weight in a mitigating direction. The municipality has pointed out that it was the municipality itself that sent
notification of the breach of personal data security, that the breach concerned a relatively low number
persons, and that the relevant information was deleted two days after the breach was discovered.
We point out that the duty to report a breach to the Norwegian Data Protection Authority
the personal data security is required by law, cf. the Privacy Ordinance art 33, and that this
the duty rests with the person responsible for processing - in this case the municipality. We do not see that
relatively low number of people should be given significant weight in the mitigating direction, but we
emphasizes that the number of people affected has not been given weight in an aggravating direction either.
With regard to the last allegation, that the personal data was deleted after two days, has
we found that this can be given some weight in a mitigating direction. We refer to the Privacy Council
guidelines on administrative sanctions (WP 253), which state that “timely action
taken by the data controller / processor to stop the infringement from continuing
or expanding to a level or phase which would have had a far more serious impact than it did ”,
can be given weight. 
After this, we have come to the conclusion that the infringement fee can be reduced to NOK 500,000 .
9. Recovery of infringement fines
The infringement fee is due for payment four weeks after the decision is final, cf.
the Personal Data Act (2018) § 27. The decision is a coercive basis for disbursement. Recovery of
the claim will be implemented by the Central Government Collection Agency.
10. Right of appeal
You can appeal the decision. Any complaint must be sent to us within three weeks after this
the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision,
we send the case to the Privacy Board for processing complaints, cf. the Personal Data Act § 22.
11. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform
that all documents are in principle public, cf. the Public Access to Information Act § 3, but
emphasizes at the same time that security documentation is as a general rule exempt from public access, cf.
the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.
With best regards
Bjørn Erik Thon
director
Knut Brede Kaspersen
legal director
The document is electronically approved and therefore has no handwritten signatures 
1 Originally prepared by the Article 29 Working Party, but adopted by the Privacy Council, see the Privacy Council
"Endorsement 1/2018", section 16. The documents are available at https://edpb.europa.eu