The Data Protection Authority has made a decision to impose an infringement penalty of NOK 150,000 on the University of Agder (UiA) for violation of the General Data Protection Regulation. The University had not taken appropriate measures to safeguard personal data security in its use of Microsoft Teams.
Note: This article was originally published on September 11th 2024, in Norwegian. This is a translation of the original article.
In February 2024, an employee at UiA discovered that documents containing personal data had been stored in open Teams folders, where employees without a need to know had access. The data breach has been ongoing since the university started using Microsoft Teams in August 2018.
The personal data has been available in the system, and employees have been able to access it through searches in open folders. The data breach covers documents containing personal data relating to employees, students and external actors. Approximately 16,000 data subjects are affected.
The information includes names, national identity numbers, information about adapted exams, the number of exam attempts and special arrangements. The data breach has also included an overview of refugees from Ukraine affiliated to the university, with information such as contact information, education and settlement status.
In most cases, only employees at UiA had access. The University is required to ensure that employees do not have access to personal data that they do not need in the performance of their work. This means ensuring that good procedures are in place and that employees receive training in protecting personal data in the systems used by the University. The university is also obliged to establish systems for logging and subsequent control that make it possible to detect data breaches.