Municipality of Oslo fined
The Norwegian Data Protection Authority has fined the Municipality of Oslo EUR 40,000 (NOK 400,000) for making documents containing sensitive personal data public.
The Norwegian Data Protection Authority has fined the Municipality of Oslo EUR 40,000 (NOK 400,000) for making documents containing sensitive personal data public.
The case concerns an HR issue posted on eInnsyn — a joint publication service for central and local government. The posting included sensitive personal data, including health information about the person in question. The Data Protection Authority finds this to be a serious violation and has therefore issued a NOK 400,000 fine.
“The Data Protection Authority is critical of the publication on eInnsyn, which included sensitive personal data, including health information and information about the employee’s personal life. This is a serious violation,” says Data Protection Authority Director Bjørn Erik Thon.
The document in question was a writ of summons, forwarded by the municipal lawyer on paper, with no cover letter, to the City Council’s Standing Committee on Finance. The writ of summons was not marked “exempt from public access” by the municipal lawyer. The writ was therefore not exempt from public access upon registration and subsequently not filed on the internal section of the case and archive filing system. Furthermore, the writ was not exempted from public access by the executive office, and thus approved for publication. The document was available to the public for 5 hours before it was removed.
The person in question personally notified the Municipality. The document was removed from eInnsyn once the incident was reported, and moved to a secure section of the case and archive filing system.