Background information
- Date of final decision: 05 May 2022
- Cross-border case or national case: National
- Controller: Lillestrøm Municipal Council
- Legal Reference: Security of processing (Art. 32)
- Decision: Infringement of the GDPR and fine imposed
- Key words: special categories of personal data, unauthorised access
Summary of the Decision
Origin of the case
The municipality published a document in its official correspondence log, where 10 of 21 attachments contained special categories of personal data, see Article 9 (1) of the GDPR. The municipality neglected to mark the 10 attachments in question as being exempt from public access, which they should have been. The executive officer failed to notice this, and the document passed through two additional manual quality controls in the documentation centre without the error being discovered.
The municipality was made aware that the document and attachments had been made public on the municipality’s website on 27 September 2021, by a reporter from Romerikes Blad. The Supervisory Authority also received notice of a personal data breach from Lillestrøm Municipal Council on 29 September.
Key Findings
An investigation revealed that four different IP addresses had accessed the document. The documents were removed from the public record and exempted from public access immediately upon discovery of the incident. The affected persons were then notified.
The Norwegian SAs assessment is that when a document, with attachments, about a pupil is published on a municipality’s website, it is clear indication that security measures are inadequate or not working as intended. The fact that the incident was not discovered by the municipality itself, but by a third party, is further indication of inadequate procedures in this area.
The incident is a violation of Article 32 (1) (b) of the General Data Protection Regulation, which requires implementation of a level of security capable of ensuring ongoing confidentiality. Personal data that should have been restricted, was made available online to unauthorised parties. This includes information such as pupil names, dates of birth, test scores, assessments of behaviours and challenges, and diagnoses.
The Norwegian SA has previously issued notice of a fine in the amount of EUR 50.000 (NOK 500,000). In its response to the notice, the municipality pointed out that it does have procedures, and that the incident was the result of human error. The SA has taken this into account, and the fine was reduced.
Decision
The Norwegian SA has fined Lillestrøm Municipal Council EUR 30.000 (NOK 300,000) for violation of the General Data Protection Regulation’s confidentiality requirements.
For further information:
- Lillestrøm Municipal Council fined (EN), Datatilsynet, Norwegian SA
- Gebyr til Lillestrøm kommune (NO), Datatilsynet, Norwegian SA
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.