The Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.
In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality's new tool for communication between school and home. Vigilo contains a module where school and parents can communicate via a portal or app. Before the tool was put to use, the municipality had neither established nor communicated the guidelines necessary to secure the personal information of children and parents with a confidential address.
This spring, the municipality was notified of the Data Protection Authority's intention to impose an administrative fine, and now the fine has been made final.
- Bergen municipality has now received the final decision of an administrative fine of EUR 276,000, says Data Protection Authority Director-General Bjørn Erik Thon. The fee was imposed because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.
Danger to life and health
The decision emphasized that the municipality had neither established nor communicated the necessary guidelines for handling information about children who have a clear interest in having information about them processed with the highest degree of confidentiality.
- This applies to children who have registered a confidential or strictly confidential address in the National Register and who belong to a particularly vulnerable group. These children have a high need for protection, and in the extreme, life and health could have been in danger, says Thon.
Personal information that should have been confidential has instead been available to unauthorized persons. In one case, a contact list with information about "confidential address" was distributed to parents at a grade level.
- The risk assessments were inadequate. Among other things, there was no assessment of risk associated with information about relationships between parents and children, Thon emphasizes.
You can read the original press release on the Norwegian DPA website in English here, and in Norwegian here.
Update: 18/11/2020
Guidance to Vigilo regarding applicable obligations
Earlier this autumn, the Norwegian Data Protection Authority decided on an administrative fee for Bergen municipality because personal information in the communication system between school and home was not adequately secured. We have now given guidance to Vigilo that they too must take responsibility for the communication failure between the company and the municipality.
Bergen Municipality was fined NOK 3 million for breaches of personal data security due to poor routines for processing addresses where confidentiality is necessary (confidential address). The Norwegian Data Protection Authority has pointed out to Vigilo that those who process data have a duty under the GDPR to assist the municipality in ensuring compliance with the data processing agreement between the parties.
- As we see it, there has been a significant communication failure between Bergen municipality and Vigilo. We are also critical of the fact that the chat functionality that was made available was not part of the agreement between the municipality and Vigilo. This indicates poor communication between the parties for which Vigilo must bear the main responsibility, says Head of section Camilla Nervik.
For further information, please contact the Norwegian DPA: international@datatilsynet.no