Datatilsynet (Norway) - 21/03177

From GDPRhub
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 32(1)(b) GDPR
The Public Administration Act § 13(1)
Type: Investigation
Outcome: Violation Found
Started: 29.09.2021
Decided: 02.02.2022
Published: 05.05.2022
Fine: 300000 NOK
Parties: Lillestrøm municipality
National Case Number/Name: 21/03177
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a municipality €29,880 for publishing a confidential document with a pupil's sensitive personal data, including potential diagnoses such as ADHD, in breach of Articles 32(1)(b), 6, and 5 GDPR.

English Summary

Facts

Lillestrøm municipality notified the Norwegian DPA of a personal data breach concerning a document it had published on its website: the appendices should have been classified as exempt from public disclosure, but the municipality had forgotten to do so. The caseworker also failed to notice the error. The document then went through two additional manual quality controls without the error being detected; it was only discovered after a local journalist notified the municipality.

The document contained personal data about a pupil, including the pupil's name and date of birth, the parents' names and address and their description of their child, descriptions and assessments of the pupil's behaviour and educational challenges from both the school and other public authorities, a concrete assessment of how much special needs tutoring the pupil needs, the pupil's own description of their well-being at home and at school, their tests and assessments, and potential diagnoses such as dyslexia or ADHD.

The document was available online for about two days and was accessed by four different IP addresses before the municipality managed to remove it.

Holding

The Norwegian DPA fined the controller €29,880 for lack of sufficient technical and organisational measures under Article 32(1)(b) GDPR and Article 5 GDPR, and for having published personal data on their website without lawful grounds under Article 6 GDPR and Article 5 GDPR.

Comment

The personal data concerned is confidential under § 13(1) of the Norwegian Public Administration Act. Under § 7 of the corresponding regulation, it is unlawful to publish such personal data online. If such data is nonetheless published, the GDPR also applies and requires a lawful basis for the processing under Article 6. However, no legal basis is available to rely upon, as the processing is unlawful to begin with, so the publication violates Article 6 and Article 5(1)(a).

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Infringement fee imposed on Lillestrøm municipality

The Norwegian Data Protection Authority has imposed an infringement fee of NOK 300,000 on Lillestrøm municipality for breaching the GDPR's confidentiality requirements.

The municipality published a document in its public postal journal in which 10 of the 21 attachments contained special categories of personal data, cf. Article 9(1) GDPR. The municipality forgot to mark the 10 attachments in question as exempt from public access, as it should have. This was not detected by the case officer, and the document went through two more manual quality checks in the documentation centre without the error being detected.

The municipality was made aware by a journalist at Romerikes Blad that the document with attachments had been made available on the municipality's website on 27 September 2021. The Data Protection Authority also received a notification of a personal data breach from Lillestrøm municipality on 29 September.

Violation of confidentiality

Investigations showed that four different IP addresses (including Romerikes Blad) had accessed the document. The documents were removed from the postal journal and exempted from public access immediately after the incident was discovered. Those affected were then notified.

The Data Protection Authority's assessment is that when a document with an attachment about a pupil is published on the municipality's website, it is clear that an adequate level of security either has not been established or does not work as intended. The fact that the incident was detected not by the municipality but by a third party also indicates deficient routines in this area.

The incident entails a breach of Article 32(1)(b) GDPR, which requires the establishment of a level of security suitable for ensuring continued confidentiality. Personal data that should have been protected had been made available to unauthorised persons on the internet. This applies to information such as the pupil's name, date of birth, test results, assessments of behaviour and challenges, and any diagnoses.

The Data Protection Authority had previously sent a notice of an infringement fee of NOK 500,000. In its response to the notice, the municipality pointed out that it has routines in place and that the deviation was due to human error. The Data Protection Authority took note of this, which resulted in the fee being reduced from NOK 500,000 to NOK 300,000.
