Background information
- Date of final decision: 4 September 2024
- National case
- Legal references: Article 32 (Security of processing), Article 24 (Responsibility of the controller)
- Decision: Administrative fine
- Key words: Responsibility of the controller, Publicly available data, Data security, Employment
Summary of the Decision
Origin of the case
In February 2024, an employee at the University of Agder discovered that documents containing personal data had been stored in open Teams folders to which employees without a need to know had access.
The data breach had been ongoing since the university started using Microsoft Teams in August 2018.
Key findings
The personal data has been available in the system, and employees have been able to access it through searches in open folders. The data breach covers documents containing personal data relating to employees, students and external actors.
Approximately 16 000 data subjects are affected. The information includes names, national identity numbers, information about adapted exams, the number of exam attempts and special arrangements. The data breach also included an overview of refugees from Ukraine affiliated to the university, with information such as contact information, education and settlement status.
Decision
The Norwegian Supervisory Authority (SA) made a decision to impose an infringement penalty of approximately EUR 12 700 on the University of Agder for violation of the GDPR. The University had not taken appropriate measures to safeguard personal data security in its use of Microsoft Teams.
For further information: news article Infringement penalty to the University of Agder (English), Overtredelsesgebyr til Universitetet i Agder (Norwegian)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.