Comité Europe de Protección de Datos

Norwegian Data Protection Authority: Decision to Fine Bergen Municipality

Wednesday, 14 October, 2020
NO

The Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.

In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality's new tool for communication between school and home. Vigilo contains a module where school and parents can communicate via a portal or app. The municipality had not established nor communicated the necessary guidelines to secure the personal information of children and parents with a confidential address before the tool was put to use.

This spring, the municipality was notified of the Data Protection Authority's intention to impose an administrative fine, and now the fine has been made final. 

- Bergen municipality has now received the final decision of an administrative fine of EUR 276,000, says Data Protection Authority Director-General Bjørn Erik Thon. The fee was imposed because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.


Danger to life and health

The decision emphasized that the municipality had not established nor communicated the necessary guidelines for information about children who have a clear interest in the information about them being processed with the highest degree of confidentiality.

- This applies to children who have registered a confidential or strictly confidential address in the National Register and who belong to a particularly vulnerable group. These children have a high need for protection, and in the extreme, life and health could have been in danger, says Thon.

Personal information that should have been confidential has instead been available to unauthorized persons. In one case, a contact list with information about "confidential address" was distributed to parents at a grade level.

- The risk assessments were inadequate. Among other things, there was no assessment of risk associated with information about relationships between parents and children, Thon emphasizes.

You can read the orional press release on the Norwegian DPA website in English here, and in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.