Swedish SA fines Board of Education in the City of Stockholm

24 November 2020

The Swedish Data Protection Authority has reviewed the so-called School Platform, the IT system used for, among other things, student administration of schools in the City of Stockholm. The review shows an insufficient level of security of such grave nature that the authority issues an administrative fine of four million SEK against the Board of Education in the City of Stockholm.

The Swedish Data Protection Authority has received a number of personal data breach notifications from the City of Stockholm's Board of Education. The incidents all relate to the School Platform, which is the IT system used for, among other things, student administration in Stockholm. The school platform contains information of up to 500 000 pupils, guardians and teachers. The system contains sensitive data, including special categories of personal data, as well as information about pupils and teachers with classified information or protected identity.

The DPA has reviewed four subsystems in the School Platform and has found serious shortcomings. In one of the subsystems, deficiencies in the ability to restrict users' access to data have allowed large parts of the staff to access information about students with a protected identity. In another subsystem, guardians have been able to access information on other children concerning, for example, grades and evaluations talks in a relatively easy way. Through Google's search engine, it has been possible to find links for login to an administration interface in which information about teachers with a protected identity has been accessible.

— In an IT system like this, large amounts of personal data are processed. For such systems it is extremely important that the controller has put in place sufficient security measures in order to protect the data and furthermore to ensure continuous evaluation of the level of protection," says Ranja Bunni, a lawyer at the Swedish Data Protection Authority who participated in the investigation.

In its decision, the Swedish Data Protection Authority finds that the Education Board has not ensured that the personal data in question is processed securely. The Board has failed to take adequate technical and organisational measures to ensure a level of security appropriate in relation to the risk, including a procedure for regularly testing, examining and evaluating the effectiveness of the technical measures in place.

The Swedish Data Protection Authority issues an administrative fine of four million SEK for the concluded infringements. In Sweden, the maximum amount for administrative fines against public authorities is 10 million SEK.

— According to the General Data Protection Regulation, GDPR, administrative fines must be effective, proportional and dissuasive. In this case, the infringements have affected several hundred thousand data subjects, including children and pupils, as well as includes deficiencies in the handling of sensitive and special categories of personal data such as data regarding persons with protected identity and health data, says Salli Fanaei, who also participated in the investigation of the Swedish Data Protection Authority.

To read the original press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: imy@imy.se

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.