We have decided to impose an infringement fee of NOK 250,000 on Grue municipality for breaching requirements of the General Data Protection Regulation (GDPR). The decision comes after the Norwegian Data Protection Authority was notified of a breach of confidentiality in the municipality’s postal records.
Personal information that should have been protected was made available to unauthorized persons on the municipality’s public postal record. This constitutes a breach of the municipality’s duty to ensure adequate security in accordance with the General Data Protection Regulation.
Furthermore, we believe that the municipality breached the requirements for a legal basis under the General Data Protection Regulation by publishing confidential information in the postal record. The Norwegian Data Protection Authority takes the publication of confidential information on the internet seriously.
Background of the case
In February 2024, the Norwegian Data Protection Authority received a notification of a breach of personal data security from Grue municipality. According to the report, the municipality had become aware that two entries in the public postal record contained sensitive personal data. This turned out to be information about so-called 9A decisions under the Education Act, which are individual decisions about pupils’ right to a safe school environment. These documents revealed pupils’ names, date of birth, social security number and information about, and justification for, the 9A decisions. In addition, the parents’ telephone numbers and addresses were made public.
After a closer review of the postal record back to 2020, a further eight discrepancies were uncovered. The municipality states that these deviations include social security numbers or account numbers that appear in various application documents. In one case, the municipality had received a letter from the police in which a name appears in a criminal case.
In total, the breaches concern 14 students and their parents, as well as eight other registered students.
Must be effective and deterrent
The Norwegian Data Protection Authority views it as positive that Grue municipality reported the breach to the Authority quickly after becoming aware of it, and that it informed the affected persons about the breaches. The municipality also initiated extensive control work and measures to prevent similar incidents in the future.
Infringement fees must be effective, be proportionate to the infringement and act as a deterrent. In September, we sent a notice of decision to the municipality. In the final decision, we have taken the municipality’s comments into account, and believe that consideration of the municipality’s size and financial situation argues for a downward adjustment of the notified infringement fee.
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2024/overtredelsesgebyr-til-grue-kommune