Logo and page links

Main menu

Municipality of Asker fined

The Norwegian Data Protection Authority has fined Asker municipality EUR 100,000 (NOK 1,000,000). The Municipality was fined for publishing confidential personal data and National Identity Numbers (NID) on its website.

Municipality of Asker fined
Municipality of Asker fined

- The municipality has breached the data protection regulations requirements relating to confidentiality, and the matter concerns both procedural and technical failings. Personal data that should have been protected was made accessible to unauthorised third parties on the municipality’s website, says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Background

On 19 May 2020, the council was notified by a private citizen that document titles relating to a total of 170 entries in the council's correspondence log contained 127 names and NIDs. The visible data comprised the document's title, in addition to names and NIDs.

Several of the cases related to children. In some cases, this also resulted in confidential information being made public, e.g. in connection with decisions relating to the educational psychology service (PPT), special educational needs and housing support benefits. The actual documents were not accessible to the public. The document titles relating to the cases concerned were immediately removed from the municipality’s website.

Lost control over who has seen what

The items of personal data encompassed by the infringement were name, NID and the title of the document. The data was visible on the municipality’s website for one year. No record is kept of who has been in and viewed or downloaded personal data from the council’s correspondence log.

- This breach of data security has resulted in individuals losing control of their personal data and enabled others to see information about them, says Bjørn Erik Thon.

The municipality has issued a press release about the case, and accepts the fine. However, the municipality’s council points out that the Data Protection Authority’s notice of its decision contains factual errors (e.g. about the number of years on the website) and fails to mention that the council has implemented a number of measures. The Data Protection Authority takes note of this and apologises, but maintains the size of the fine.

- It is good that the municipality’s council has taken steps and implemented measures, says Bjørn Erik Thon.