
Data protection fine imposed on the Municipality of Oslo Education Authority

Date: 18.02.2020

Reason for the data protection fine: Security of the app "Skolemelding" was not guaranteed

An administrative fine of 120,000 euros has been imposed on the Education Authority of the Municipality of Oslo because the security of processing in the mobile app "Skolemelding" was not guaranteed. The app is used for communication between school staff, parents and students.

The fine was imposed because the city administration had not taken appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved. The following points were key elements in the assessment of the data protection authority:

  1. One of the intended uses of the app is for parents to send messages about their children and their absence from school via a free text field. This allows special categories of personal data, such as health data relating to the children, to be communicated. There are no technical measures in place to prevent this, and the app gives no notice that such transmission should be avoided. In line with data protection by design and by default, alternative measures such as drop-down lists and check boxes are more appropriate.
  2. Due to the poor security of the app login, unauthorized persons were able to access and change the personal data of more than 63,000 students in grades one to ten.
  3. As a consequence of insufficient security testing before the app went live, it contained known security holes.

Previously, the DPA had notified its intention to impose a fine of 200,000 euros in response to the above findings. However, the final amount was reduced to 120,000 euros due to mitigating circumstances in this case.

The municipality took measures to mitigate the damage as soon as the security deficiencies were brought to its attention and showed its willingness to resolve the problems. The Municipality of Oslo has not appealed against the decision.

Amount of the data protection fine: 120,000 euros

Country: Norway

Source: European Data Protection Supervisor


Caroline Schwabe
