The Data Protection Authority decided before the summer to impose an infringement penalty of NOK 250,000 to Eidskog Municipality for breach of the requirements for a legal basis in the General Data Protection Regulation.
Note: This article was originally published on September 6, 2024, in Norwegian. This is a translation of the original article.
Our conclusion is based on the municipality’s extensive publication of confidential information about a whistleblower via the public records over several years.
Furthermore, we believe that the municipality breached the requirements for a legal basis when they gave two former colleagues access to the complainant’s notification. Access was given without sufficient redaction, so that, among other things, information about the person’s physical and mental health, as well as financial situation, was disclosed.
The Data Protection Authority finds that the breaches overall show a lack of understanding of and compliance with the municipality’s duty of confidentiality under the Freedom of Information Act. We emphasise the importance of public administration in general taking into account whether the disclosure of information may harm or identify individuals. It is an advantage for the complainant and for the whistleblowing system in general that municipalities are cautious about making exceptions to the duty of confidentiality in whistleblowing cases.
Infringement penalties shall be effective, proportionate and dissuasive. We announced an infringement penalty of NOK 500,000 on 1 February 2023 due to the seriousness of the case. However, as a result of the long case processing time, we reduced the amount by NOK 250,000 in the final decision.