Administrative fine of €170,000 imposed on Bergen Municipality

19 March 2019

On March 19th, the Norwegian Data Protection Authority imposed an administrative fine of NOK 1.6 million, the equivalent of EUR 170,000, on the Municipality of Bergen.
The incident relates to computer files in the municipality’s computer system, containing the personal data of over 35,000 pupils and employees of the municipality’s primary schools. Due to insufficient security measures, these files were unprotected and openly accessible for any system user regardless of type of authorization. This enabled unauthorized users to access the school’s various information systems and personal data. The fact that the majority of the affected individuals were children and that the municipality was warned several times (both by the authority and by an internal whistleblower) were considered aggravating factors. The municipality did not appeal the decision.

Inadequate Data Security
Datatilsynet found that the municipality’s lack of appropriate measures to protect the personal data in the computer file systems constituted violations of both art. 5(1)f and art. 32 GDPR. Consequently the supervisory authority issued an administrative decision, imposing a fine of 170,000 € on the municipality.
- The security in the login system has been so poor, that unauthorized persons could get access to usernames and passwords in the learning platform and in the school’s administrative systems, says director Bjørn Erik Thon.

The system in question contains information about a user’s name, password, date of birth, address, school affiliation and school grade. When employees and pupils log in, they get access to various systems, for instance the central digital learning platform, which contains the pupils’ schoolwork and the teachers’ evaluations of each individual pupil’s performance at school.

Personal data of 35 000 individuals, primarily children

The fact that the security breach encompasses personal data to over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and an internal whistleblower, that the data security was inadequate.

- In the GDPR, children are defined as a particularly vulnerable group that shall be given special protection. It is important that municipalities and other public bodies that process personal data are aware of their responsibilities. Public authorities often process information about us that we do not control, neither do we have a choice in whether or not this information is made available to others. We should be able to trust the public sector, says director Bjørn Erik Thon.

The GDPR stipulates that administrative fines shall be effective, dissuasive and proportionate, and Datatilsynet is of the opinion that the size of the fine reflects this. The Norwegian Personal Data Act sets out that all Norwegian public authorities are subject to the provisions on administrative fines in art. 83 GDPR.  
Datatilsynet made its decision in March 2019, and on the 4th of April 2019, the municipality stated in a press conference that it did not wish to appeal the decision.

You can read the full press release in Norwegian here

For further information, please contact the Norwegian DPA:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.