Administrative fine issued to Grue municipality Datatilsynet

pThis website uses cookies If a cookie is not essential to ensure the function of our website it will not be stored on your unit unless you approve Read more about our use of cookies in the footer in NorwegianppThese cookies support our core functionality pertaining to security We consider these necessary and they are stored without prior approvalppThese cookies are necessary if you wish to use forms on our website Other functions on our website will not be affected if you do not consent The choice you make in this category is valid for until 90 daysppWe are considering using a tool for web analytics based on cookies Therefore such cookies are currently not present ppYou can withdraw your consent at any time by selecting Manage cookies in the footerppWe have adopted a decision to impose an administrative fine of NOK 250000 on Grue municipality for breach of GDPR requirements The decision comes after the Norwegian Data Protection Authority was notified of a breach of confidentiality in the municipalitys public recordsppPersonal data that should have been confidential was made available to unauthorised persons in the municipalitys public records This constitutes a breach of the municipalitys duty to ensure adequate security in accordance with the General Data Protection Regulation GDPRppFurthermore we believe that the municipality breached the requirements for a legal basis under the GDPR by publishing confidential information in its public records The Norwegian Data Protection Authority takes the publication of confidential information on the internet very seriouslyppIn February 2024 Grue municipality notified the Norwegian Data Protection Authority of a breach of personal data security According to the notification the municipality had become aware that there were two entries in public records that contained sensitive personal data This turned out to be information about individual administrative decisions on pupils right to a sound school environment 9A decisions under the Education Act The documents revealed pupils names dates of birth national ID numbers and information about and reasons for the 9A decisions The parents phone numbers and addresses were also disclosedppOn closer examination of the public records dating back to 2020 a further eight nonconformities were identified The municipality has stated that these nonconformities comprise national ID numbers and account numbers that appear in various application documents One case involves a letter sent by the police to the municipality in which a name appears in a criminal caseppIn all the discrepancy concerns 14 pupils and their parents as well as eight other data subjectsppThe Norwegian Data Protection Authority finds it positive that Grue municipality reported the breach to the Authority soon after they became aware of it and that they informed the affected persons of the breach The municipality also initiated extensive control work and measures to prevent similar incidents in the futureppAdministrative fines should be effective proportionate and dissuasive We sent an advance notification of the decision to the municipality in September In the final decision we have taken the municipalitys remarks into account and believe that consideration of the municipalitys size and financial situation indicates a downward adjustment of the notified administrative finepp
Legal senior advisor
pp
Datatilsynet
PO Box 458 Sentrum
NO0105
Oslo
pp
Orgno
974 761 467
ppOther websitesp