
SWEDISH SUPERVISORY AUTHORITY: serious shortcomings in the Stockholm school platform

The State Data Inspectorate has examined the school platform, the computer system used, inter alia, for the student administration of schools in the city of Stockholm. The review reveals security shortcomings that are so serious that the authority issues an administrative sanction of 4 million SEK to the Board of Education of the city of Stockholm.
The Data Inspectorate has received a number of incident reports concerning personal data from the City of Stockholm’s Board of Education. The incidents concern the school platform, which is the computer system used, inter alia, for the student administration in Stockholm. The school platform includes information on more than 500,000 students, tutors and teachers. The system includes privacy-sensitive information as well as information about students and teachers with confidential information or protected identity.
The authority has examined four subsets of the school platform and has revealed serious shortcomings. In one of the subsets, there were shortcomings in the ability to limit user access to data on identity-protected students. In another subset, tutors have been able to access other children’s information, for example on voting and developmental discussions, in a relatively simple way. Through Google searches it was possible to search for links to an administration exchange and to find information about teachers with protected identities.
“In a computer system like this, large amounts of personal data are processed. It is therefore extremely important that the person responsible for the personal data has taken sufficient security measures to protect data and constantly ensures protection,” says Ranja Bunni, who is a member of the Swedish Data Inspectorate and has participated in the review.
In its decision, the Data Inspectorate states: “The Board of Education has not guaranteed adequate security for personal data”.
The Board has not adopted sufficient technical and organisational measures to ensure an adequate level of security in relation to risk, including a procedure for regularly testing, examining and evaluating the effectiveness of technical security measures.
The Data Inspectorate issues a penalty of 4 million SEK for the violations found. In Sweden, the upper limit for sanctions against the authorities is 10 million SEK.
According to the General Data Protection Regulation, GDPR, sanctions have to be effective, proportionate and dissuasive.
In this case, the violations affected hundreds of thousands of data subjects, including children and students, and included shortcomings in the processing of personal data that is sensitive from a privacy perspective, such as data on persons with protected identities and health data.

beslut-tillsyn-stockholms-stad

SOURCE: SWEDISH DATA PROTECTION AUTHORITY