The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality’s computer system. The user accounts related to both pupils in the municipality’s primary schools, and to the employees of the same schools. Due to insufficient security measures, these files have been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools.
Inadequate Data Security
Datatilsynet found that the municipality’s lack of appropriate measures to protect the personal data in the computer file systems constituted violations of both art. 5(1)f and art. 32 GDPR. Consequently the supervisory authority issued an administrative decision, imposing a fine of 170.000 € on the municipality.
- The security in the login system has been so poor, that unauthorized persons could get access to usernames and passwords in the learning platform and in the school’s administrative systems, says director Bjørn Erik Thon.
The system in question contains information about a user’s name, password, date of birth, address, school affiliation and school grade. When employees and pupils log in, they get access to various systems, for instance the central digital learning platform, which contains the pupils’ schoolwork and the teachers’ evaluations of each individual pupil’s performance at school.
Personal data of 35 000 individuals, primarily children
The fact that the security breach encompasses personal data to over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and an internal whistleblower, that the data security was inadequate.
- In the GDPR, children are defined as a particularly vulnerable group that shall be given special protection. It is important that municipalities and other public bodies that process personal data are aware of their responsibilities. Public authorities often process information about us that we do not control, neither do we have a choice in whether or not this information is made available to others. We should be able to trust the public sector, says director Bjørn Erik Thon.
The GDPR stipulates that administrative fines shall be effective, dissuasive and proportionate, and Datatilsynet is of the opinion that the size of the fine reflects this. The Norwegian Personal Data Act sets out that all Norwegian public authorities are subject to the provisions on administrative fines in art. 83 GDPR.
Datatilsynet made its decision in March 2019, and on the 4th of April 2019, the municipality stated in a press conference that it did not wish to appeal the decision.