As seen on the European Data Protection Board (EDPB):
The Norwegian Data Protection Authority has fined the Municipality of Indre Østfold EUR 20 000 (NOK 200,000) for a confidentiality violation. Personal data that should have been restricted was available to unauthorized persons.
The Municipality of Indre Østfold, formerly the Municipality of Askim, published the records file of a former pupil on its municipal website. This file included confidential personal data.
Tipped off by a local newspaper
The background for this incident was that the pupil needed his record file in connection with his further studies, and asked the municipality to send it to them. The municipality routinely enters such Access to Information requests in the public record. This process also entails the document to which access has been requested, being scanned and made available for public access.
The pupil’s file was available on the municipality’s website from Friday 27 September to Monday 30 September. The municipality was made aware of the incident by a journalist from the local newspaper Smaalenenes Avis. The documents were removed from the public record and exempted from public access as soon as they were discovered. The affected person was then notified.
Fine not adjusted
The municipality responded to the Data Protection Authority’s notice of fine. In its response, the municipality apologized for “sensitive personal data” having been included in the public record. At the same time, the municipality urged the Data Protection Authority to reconsider the size of the fine, considering the measures implemented after the fact.
A fine should reflect the severity of the violation. Norwegian law requires the municipality to implement any measures necessary to prevent future violations. The Data Protection Authority has found that, given the severity of the violation, the measures later implemented to remedy the incident do not significantly affect the amount of the fine imposed.
The Norwegian Data Protection Authority have therefore decided not to reduce the fine.
For further information, please contact the Norwegian DPA: international@datatilsynet.no
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.