Lillestrøm Municipality
Insufficient technical and organisational measures to ensure information security
Sprendimo priėmimo data
2022 m. vasario 2 d.
Institucija
Norwegian Supervisory Authority (Datatilsynet)
NO
Sektorius
Public Sector and Education
Šalis
NO
Teisė
GDPRStatusas
FINALAprašymas
The Norwegian DPA has imposed a fine of EUR 30,000 on Lillestrøm Municipality. The municipality had accidentally published a document in which 10 out of 21 attachments contained personal data of students. The data included information on student names, date of birth, test results, assessments of student behavior and student challenges. This error was not detected by the responsible administrator and went through two more manual quality checks at the documentation center without the error being detected there as well. It was only a journalist who later drew attention to the data breach. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to protect personal data. Also, the fact that the incident was discovered not by the municipality, but by a third party, indicates inadequate routines in this area.