Norwegian Data Protection authority fines school for poor data protection of pupil and teachers info

The Norwegian data protection Authority (Datatilsynet) has imposed an administrative fine of 1.6 million Norwegian kroner, or the equivalent of €170,000, at the Municipality of Bergen.

The incident pertains to computer files with usernames and passwords to over 35000 user accounts in the municipality’s computer. The user accounts associated with both pupils in the municipality’s primary schools, and to the employees of the same schools. Due to inadequate security measures, these files had been unprotected and openly accessible. The lack of security measures inside the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data referring to the students and employees of the schools.

You can read the full press release in Norwegian here

The source of this article can be found here

Insufficient data protection Datatilsynet determined that the municipality’s lack of appropriate measures to protect the personal data inside the computer file structures constituted violations of both articles. 5(1)f and article. 32 GDPR.

The security in the login system has been so bad, that unauthorised persons could get access to usernames and passwords in the learning platform and the school’s administrative systems, says director Bjørn, Erik Thon.

The system in question contains information about a user’s name, password, date of birth, address, school affiliation and school grade. When employees and pupils log in, they get access to various systems, for instance, the central digital learning platform, which includes the students’ schoolwork and the teachers’ reviews of each pupil’s performance at school.

personal data of 35 000 individuals, primarily children

The fact that the security breach encompasses personal data to over 35 000 people, and that the majority of those are kids, had been taken into consideration to be aggravating factors. The municipality had also been warned several times, each by the authority and an internal whistleblower, that the data security was inadequate.

In the GDPR, children are defined as a specific vulnerable group that shall be given special protection. Municipalities and other public bodies that process personal data must be aware of their responsibilities. Public authorities often process information about us that we do not control; neither do we have a choice in whether or not or not, this information is made available to others. We should be able to trust the public sector, says director Bjørn Erik Thon.

The GDPR stipulates that administrative fines shall be effective, dissuasive and proportionate, and Datatilsynet believes that the size of the fine reflects this. The Norwegian personal data Act sets out that all Norwegian public authorities are subject to the provisions on administrative fines in article. 83 GDPR. 

Datatilsynet made its decision in March 2019, and on the 4th of April 2019, the municipality said in a press conference that it did not wish to appeal the decision.