– The case started when we received a notification of a personal data breach from the municipality. Upon further investigation of the case, it appeared that the level of security of the application was not proportionate to the risk, says Director-General of the Norwegian Data Protection Authority, Bjørn Erik Thon. – This is obviously a significant issue, as it has to do with both children and personal data concerning health.
The infringement affects 15 children with special needs. The application Showbie has been used to send health-related personal data between the school and the homes of the children.
The necessary risk and data protection impact assessments and testing were not completed before the application was put to use. A lack of security measures when logging in to the application made it possible to obtain information about other children in the group.
After the notification, the municipality pointed out that there is no indication that any of the children have actually been victims of material or non-material damage, but the Norwegian Data Protection Authority has not put emphasis on this in its consideration of the case. We find that the infringement itself constitutes a risk, regardless of whether or not the risk actually manifests itself in a more concrete form of damage to those affected.
In the notice of decision the administrative fine was 800 000 NOK (EUR 76,000), but in the final decision this has been adjusted to 500 000 NOK. The Norwegian Data Protection Authority chose to reduce the fine after an overall assessment, made on the basis of an inquiry from Rælingen municipality. An assessment was also made in relation to previous practice under the old law. The case has not been appealed, and the fine of 500 000 NOK is final.