Norwegian DPA: Municipality of Asker fined

13 May 2021 Norway

The Norwegian Data Protection Authority has fined Asker municipality EUR 100,000 (NOK 1,000,000). The Municipality was fined for publishing confidential personal data and National Identity Numbers (NID) on its website.

  • The municipality has breached the data protection regulations requirements relating to confidentiality, and the matter concerns both procedural and technical failings. Personal data that should have been protected was made accessible to unauthorised third parties on the municipality’s website, says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Background
On 19 May 2020, the council was notified by a private citizen that document titles relating to a total of 170 entries in the council's correspondence log contained 127 names and NIDs. The visible data comprised the document's title, in addition to names and NIDs.

Several of the cases related to children. In some cases, this also resulted in confidential information being made public, e.g. in connection with decisions relating to the educational psychology service (PPT), special educational needs and housing support benefits. The actual documents were not accessible to the public. The document titles relating to the cases concerned were immediately removed from the municipality’s website.

Lost control over who has seen what
The items of personal data encompassed by the infringement were name, NID and the title of the document. The data was visible on the municipality’s website for one year. No record is kept of who has been in and viewed or downloaded personal data from the council’s correspondence log.

  • This breach of data security has resulted in individuals losing control of their personal data and enabled others to see information about them, says Bjørn Erik Thon.

The municipality has issued a press release about the case, and accepts the fine. However, the municipality’s council points out that the Data Protection Authority’s notice of its decision contains factual errors (e.g. about the number of years on the website) and fails to mention that the council has implemented a number of measures. The Data Protection Authority takes note of this and apologises, but maintains the size of the fine.

  • It is good that the municipality’s council has taken steps and implemented measures, says Bjørn Erik Thon.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.