Datatilsynet - 19/01478
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 35 GDPR
National Case Number/Name: 19/01478
European Case Law Identifier: n/a
Original Source: Datatilsynet (in NO)
The Norwegian Data Protection Authority (Datatilsynet) fined Rælingen municipality 800 000 NOK (approx. 80 000 euro) in relation to the use of the school app Showbie. The fine was based on a lack of technical and organisational measures for processing special categories of data following Article 32(1)(b) GDPR, Article 32(1)(d) GDPR, no Data Protection Impact Assessment pursuant to Article 35 GDPR, and a breach of Article 5(2) cf. Article 5(1)(f) by using the app.
English Summary
Facts
The municipality sent a notification of a personal data breach to Datatilsynet concerning the use of the app Showbie, which prompted an investigation by Datatilsynet.
The app was used at a school by a group consisting of pupils with special needs. Its main purpose was to ease communication between the school and the home, in particular messages about absence. The app did not provide separate accounts or logins for parents and pupils. Information concerning "health" and "medications" could be added to tabs in the app. The tabs themselves did not contain health information, but personal data regarding medication was found in the calendar and in chats with parents. There were no guidelines or routines on how to use the app securely. Teachers and employees used the school's wireless network, while parents used the app on unsecured home networks or mobile internet. Two-factor authentication was not implemented, although it is required under security level 4 when handling health information.
Holding
Datatilsynet highlighted statements from the municipality that Showbie was not adapted for the processing of special categories of personal data, and that no assessment of the risks connected to such processing had been carried out. The person responsible for IT security in the municipality stated that the app did not fulfil the requirements for the security level appropriate to processing health data pursuant to Article 5(1)(f) GDPR, a conclusion Datatilsynet appeared to support in its decision.
Furthermore, Datatilsynet found it necessary to highlight that the established security level did not conform to the requirements of Article 32(1)(b), and ordered the municipality to implement measures to ensure a sufficient level of security.
Datatilsynet found that the municipality did not clearly communicate that the app should not be used to process special categories of data. The inclusion of the folders “health” and “medication” was carried out in cooperation between the special needs group at the school and the company RIKT AS. Datatilsynet emphasized that an impact assessment pursuant to Article 35 GDPR would have clearly established this.
The municipality did not find that any unauthorised person had used or taken advantage of the lack of security. However, Datatilsynet stated that unauthorised persons could have had the opportunity to access personal data in the app because of the inadequate security.
Comment
The references to security levels relate to guidelines issued by the Norwegian Digitalisation Agency. The requirements for levels 3 and 4 can be found at difi.no (NOR).
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.