Lillestrøm Municipal Council fined
The Norwegian Data Protection Authority has fined Lillestrøm Municipal Council NOK 300,000 (EUR 30,000) for violation of the General Data Protection Regulation’s confidentiality requirements.
The municipality published a document in its official correspondence log in which 10 of the 21 attachments contained special categories of personal data (see Article 9(1) of the GDPR). The municipality neglected to mark the 10 attachments in question as exempt from public access, as they should have been. The executive officer failed to notice this, and the document passed through two additional manual quality controls in the documentation centre without the error being discovered.
The municipality was made aware that the document and attachments had been made public on the municipality’s website on 27 September 2021, by a reporter from Romerikes Blad. The Data Protection Authority also received notice of a personal data breach from Lillestrøm Municipal Council on 29 September.
An investigation revealed that four different IP addresses (including that of Romerikes Blad) had accessed the document. The documents were removed from the public record and exempted from public access immediately upon discovery of the incident. The affected persons were then notified.
The Data Protection Authority’s assessment is that when a document about a pupil, with attachments, is published on a municipality’s website, it is a clear indication that security measures are inadequate or not working as intended. The fact that the incident was discovered not by the municipality itself but by a third party is a further indication of inadequate procedures in this area.
The incident is a violation of Article 32(1)(b) of the General Data Protection Regulation, which requires implementation of a level of security capable of ensuring ongoing confidentiality. Personal data that should have been restricted was made available online to unauthorised parties. This includes information such as pupil names, dates of birth, test scores, assessments of behaviours and challenges, and diagnoses.
The Data Protection Authority had previously issued notice of a fine in the amount of NOK 500,000. In its response to the notice, the municipality pointed out that it does have procedures in place, and that the incident was the result of human error. The Data Protection Authority has taken this into account, and the fine was reduced from NOK 500,000 to NOK 300,000.