The Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.
In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality’s new tool for communication between school and home. Vigilo contains a module where school and parents can communicate via a portal or app. The municipality had not established nor communicated the necessary guidelines to secure the personal information of children and parents with a confidential address before the tool was put to use.
This spring, the municipality was notified of the Data Protection Authority’s intention to impose an administrative fine, and now the fine has been made final.
– Bergen municipality has now received the final decision of an administrative fine of EUR 276,000, says Data Protection Authority Director-General Bjørn Erik Thon. The fee was imposed because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.
Danger to life and health
The decision emphasized that the municipality had not established nor communicated the necessary guidelines for information about children who have a clear interest in the information about them being processed with the highest degree of confidentiality.
– This applies to children who have registered a confidential or strictly confidential address in the National Register and who belong to a particularly vulnerable group. These children have a high need for protection, and in the extreme, life and health could have been in danger, says Thon.
Personal information that should have been confidential has instead been available to unauthorized persons. In one case, a contact list with information about “confidential address” was distributed to parents at a grade level.
– The risk assessments were inadequate. Among other things, there was no assessment of risk associated with information about relationships between parents and children, Thon emphasizes.
You can read the orional press release on the Norwegian DPA website in English here, and in Norwegian here.
For further information, please contact the Norwegian DPA: international@datatilsynet.no