Administrative fines for breach of the privacy by design principle and of the duty to ensure information security in the GDPR

Two of Norway’s largest municipalities were found to be in breach of the General Data Protection Regulation (GDPR) in two separate and unrelated cases each of which involved the use of technology in the municipalities’ schools.

Bergen municipality was fined NOK 1.6 million because inadequate technical and organisational measures to ensure information security left the personal data of a large group of persons, in particular children in the municipality's primary schools, at risk of unauthorised access. This was contrary to the integrity and confidentiality principle in article 5(1)(f), cf. article 32 of the GDPR. The grounds for levying the fine were twofold: (i) the storage of an open and unprotected digital folder with files containing usernames and passwords to IT systems in primary schools in Bergen municipality, in plain text and in a manner such that the information was accessible to all users of the information systems, i.e. teachers and primary schoolchildren; and (ii) the failure to implement two-factor authentication for logging onto the information systems, and to achieve the security level required to ensure continual confidentiality, integrity, availability and resilience of the processing systems.

Oslo municipality was given advance notice by the DPA of its decision to impose an administrative fine of NOK 2 million for the alleged breach of the privacy by design and privacy by default principle in article 25 of the GDPR, and of the requirement to ensure information security (article 5(1)(f), cf. article 32). Schools in Oslo municipality used a newly developed app that allowed parents to send messages in a text field to the school to report their children's absence. Parents were able to disclose sensitive personal data relating to their children without being advised in the app not to do so, and without any technical measures limiting how such information could be communicated via the app. The DPA also deemed this a breach of the data minimisation principle in article 5(1)(c) of the GDPR. The lack of security features in the app's log-on process, inadequate security testing of the app and the launch of a school messaging app with an unacceptable vulnerability were further grounds for the DPA's decision. This case is still pending.

In both cases, the fact that the personal data of a vulnerable group of people, viz. children, was at risk was deemed to be an aggravating factor, as was the fact that the technology in question was used by a relatively large number of users.