Lillestrøm Municipality

€30,000

Insufficient technical and organisational measures to ensure information security

Date de décision

2 février 2022

Autorité

Norwegian Supervisory Authority (Datatilsynet)

NO

Secteur

Public Sector and Education

Pays

NO

Droit

GDPR

Statut

FINAL

Description

The Norwegian DPA has imposed a fine of EUR 30,000 on Lillestrøm Municipality. The municipality had accidentally published a document in which 10 out of 21 attachments contained personal data of students. The data included information on student names, date of birth, test results, assessments of student behavior and student challenges. This error was not detected by the responsible administrator and went through two more manual quality checks at the documentation center without the error being detected there as well. It was only a journalist who later drew attention to the data breach. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to protect personal data. Also, the fact that the incident was discovered not by the municipality, but by a third party, indicates inadequate routines in this area.

Citations légales

Art. 5Art. 6Art. 32 (1)

Questions et violations

Insufficient technical and organisational measures to ensure information security
Voir le document officiel
Retour à la base de données des amendes
Précédent Amende
Belgian Data Protection Authority (APD) - IAB Euro...
Prochaine amende
Data Protection Authority of Hamburg (HmbBfDI) - C...

Restez informé sur l'application de la législation en matière de protection de la vie privée

Nous respectons votre vie privée. Un courriel par mois, pas de spam, désabonnement à tout moment.