NORWEGIAN SUPERVISORY AUTHORITY: Violation fee to Grue Municipality

We have adopted an infringement fee of NOK 250,000 to Grue municipality for breach of requirements in the Personal Data Protection Ordinance. The decision comes after the Norwegian Data Protection Authority was notified of a breach of confidentiality in the municipality’s postal records.

Personal information that should have been protected was made available to unauthorized persons on the municipality’s public postal record. This involves a breach of the municipality’s duty to ensure adequate security in accordance with the Personal Data Protection Ordinance.

Furthermore, we believe that the municipality breached the requirements for a legal basis under the Personal Data Protection Ordinance by publishing confidential information in the postal record. The Norwegian Data Protection Authority takes the publication of confidential information on the internet seriously.

Background of the case

In February 2024, the Norwegian Data Protection Authority received a notification of a breach of personal data security from Grue municipality. According to the report, the municipality had become aware that there were two entries in the public postal record that contained sensitive personal data. This turned out to be information about so-called 9A decisions under the Education Act, which are individual decisions about pupils’ right to a safe school environment. These documents revealed pupils’ names, dates of birth, social security numbers and information about, and justification for, the 9A decisions. In addition, the parents’ telephone numbers and addresses were made public.

After a closer review of the postal record back to 2020, a further eight discrepancies were uncovered. The municipality states that these discrepancies include social security numbers or account numbers that appear in various application documents. In one case, the municipality received a letter from the police in which a name appears in connection with a criminal case.

In total, the breach concerns 14 students and their parents, as well as eight other registered students.

Must be effective and deterrent

The Norwegian Data Protection Authority views it positively that Grue municipality reported the breach to the Authority quickly after becoming aware of it, and that it informed the affected persons about the breaches. The municipality also initiated extensive control work and measures to prevent similar incidents in the future.

Violation fees must be effective, be proportionate to the infringement and act as a deterrent. In September, we sent a notice of decision to the municipality. In the final decision, we have taken into account the municipality’s comments, and believe that consideration of the municipality’s size and financial situation speaks for a downward adjustment of the notified infringement fee.

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2024/overtredelsesgebyr-til-grue-kommune