Substantial fine by Norwegian data protection supervisory authority demonstrates need for cooperation with DPAs
The Norwegian supervisory authority Datatilsynet has issued a substantial fine to the municipality of Bergen for a breach of data security.
The personal log-in credentials of over 35,000 pupils and employees of the municipality's primary schools were stored unencrypted and were publicly accessible. Anyone using these credentials could have accessed various categories of personal data relating to the pupils and employees stored on the municipality's computer systems, including users' names, home addresses, dates of birth and school grades.
As a result of this lack of data security, Datatilsynet found that there had been a breach of Art. 5(1)(f) and Art. 32 GDPR. It imposed a fine of 1.6 million Norwegian kroner (approximately EUR 165,000) for the breach, which Bergen has announced it will not be appealing.
Data of children involved - this might have an influence on the level of the fine
In particular, two factors appear to have acted as aggravating factors when the authority was determining the level of the fine. Firstly, the majority of the personal data concerned were those of children. Secondly, the municipality had been warned several times, including by Datatilsynet itself, about its inadequate data security and had clearly failed to react.
The lesson to learn: be prepared and cooperate
The case highlights the need for timely cooperation with supervisory authorities when informed of potential GDPR breaches. Once again it has been shown that good communication and a readiness to react are indispensable when dealing with the supervisory authorities. A more productive and dynamic reaction from the municipality might have resulted in a substantial reduction in the fine imposed, or even have obviated the need for a fine at all. Those who are prepared to work with the supervisory authorities will see substantial reductions in their penalties, as was previously demonstrated by the comparatively low fine issued by a German DPA in a similar case involving a much higher number of log-in credentials. Failure to be responsive to the DPA in the present case seems to have cost the municipality dearly.
If you have any questions regarding this topic, please feel free to contact Dr Axel von Walter and Sam Cross, LL.M.
Dr Axel von Walter
Lawyer, Licensed Specialist for Copyright and Media Law, Licensed Specialist for Information Technology Law