The Norwegian Data Protection Authority has sanctioned the Municipal of Asker with a fine of 1 million NOK. The amount is given after than the municipality has published private personal information, like date of birth and social security numbers on its website.

The mismatch refer to the breach of confidentiality principles of the General Data Protection Regulation and includes routine and technical breakdown.

Personal information should be protected were made available to unauthorized persons on the website of the municipality.

Background of the case

On the 19^th of May 2020, a private person notified to the municipality that the titles of the mailing lists documents of the municipality included 127 names and social security numbers of a total amount of 170 voices. Information available were the title of the document, as well as the name and the social security number.

Many cases were referred to children. In some cases, this mean that were published also sensitive personal information, for example concerning the PPT decisions, special learning or household benefits. The same document is not anymore available. The titles of the documents of the cases mentioned were immediately removed from the website of the municipality.

It loses control of who’s seen what

Personal information covered by the breach were the name, social security number and title of the document. The information has been available on the municipality’s website for a year. There is no record of who is present and sees or downloads personal information from the mailing list of the municipality.

The security breach of personal data has led people to lose control of the information about themselves and others may have seen the information about them.

The city issued a press release on the case and accepts the fee. However, they point out that the Data Inspectorate’s decision letter contains factual errors (including the number of years on the website) and that the municipality had implemented a number of measures that had not been mentioned. The Data Inspectorate takes note of this and apologizes, but the amount of the tariff is maintained.

The authority thinks it was good that the municipality acted and implemented measures.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA NORVEGIA