Data protection fine imposed on the Municipality of Oslo Education Authority

Date: 18.02.2020

Reason for the data protection fine: Security of the app "Skolemelding" was not guaranteed

An administrative fine of 120,000 euros has been imposed on the Education Authority of the Municipality of Oslo because the security of processing in the mobile app "Skolemelding" was not guaranteed. The app is used for communication between school staff, parents and students.

The fine was imposed because the city administration had not taken appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved. The following points were key elements in the assessment of the data protection authority:

  1. One of the intended uses of the app is for parents to send messages about their children and their absence from school via a free text field. This allows the communication of special categories of personal data, such as health data, relating to the children. There are no technical measures in place to prevent this, and the app gives no notice that such transmission should be avoided. In accordance with "data protection by design and by default", alternative measures such as drop-down lists and check boxes are more appropriate.
  2. Due to the poor security of the app login, unauthorized persons were able to access and change the personal data of more than 63,000 students in grades one to ten.
  3. Because security testing before the app went live was insufficient, it contained known security holes.

Previously, the DPA had notified its intention to impose a fine of 200,000 euros in response to the above findings. However, the final amount was reduced to 120,000 euros due to mitigating circumstances in this case.

The municipality took measures to mitigate the damage as soon as the security deficiencies were brought to its attention and has shown its willingness to resolve the problems. The Municipality of Oslo has not appealed against the decision.

Amount of the data protection fine: 120,000 euros

Country: Norway

Source: European Data Protection Supervisor

Caroline Schwabe