The Data Protection Authority finds that NIF had failed to establish satisfactory security measures for the testing, and that testing with such a large quantity of personal data was not necessary.
This case started when NIF submitted a discrepancy report to the Data Protection Authority on 20 December 2019, in response to an alert from the Norwegian National Cyber Security Centre (NCSC) that the personal data was available on a public IP address. The discrepancy occurred when they were testing solutions for moving a database from a physical server environment to the cloud.
The types of personal data made public included name, gender, date of birth, address, phone number, e-mail, and association affiliation. Of the 3.2 million individuals affected by this discrepancy, 486,447 were children aged 3–17. As far as the Data Protection Authority is aware, no unauthorized parties have exploited this discrepancy.
Inadequate risk assessment and procedures
The Data Protection Authority finds that the testing involving personal data was initiated without adequate risk assessments, and without implementing specific procedures or measures to keep the data safe.
In addition, the Data Protection Authority finds that NIF did not have a legal basis for performing testing with this personal data. The processing must be necessary to achieve the purpose; the purpose cannot be achieved with less intrusion on privacy. The Data Protection Authority finds that the testing could have been achieved with processing of synthetic data — or at least with using a much smaller quantity of personal data.
“It is very important to thoroughly test any solution before it is put into production,” says Data Protection Authority Director Bjørn Erik Thon. “Testing could, for example, reveal errors or security flaws in the solution. For that reason, there is considerable risk associated with testing, especially if you use people’s personal data in the testing process. We strongly recommend using fictitious data, so-called Donald Duck data, as this mitigates the risk considerably.”
The Data Protection Authority also found the incident to be in breach of the principles of legality, data minimisation and confidentiality.
Issuing a fine
A fine must be effective, proportionate to the violation, and have a deterrent effect. While this incident did not include the types of personal data normally associated with the greatest risk, the Data Protection Authority has emphasized the very high number of people affected in this case — and especially the high number of children.
The Data Protection Authority initially gave notice of a fine in the amount of NOK 2,500,000. NIF had no objections to the description of the event by the Data Protection Authority, but objected to the size of the fine. Based on new information about NIF’s organization and finances, the Data Protection Authority has reduced the fine to NOK 1,250,000.