Data protection fine imposed on the Municipality of Oslo Education Authority
Date: 18.02.2020
Reason for the data protection fine: Security of the app "Skolemelding" was not guaranteed
An administrative fine of 120,000 euros has been imposed on the Education Authority of the Municipality of Oslo because the security of processing in the mobile app "Skolemelding" was not guaranteed. The app is used for communication between school staff, parents and students.
The fine was imposed because the city administration had not taken appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved. The following points were key elements in the assessment of the data protection authority:
- One of the intended uses of the app is for parents to send messages about their children and their absence from school via a free text field. This allows the communication of special categories of personal data, such as health data, relating to the children. There are no technical measures in place to prevent this and no information is provided within the app that such transmission should be avoided. In line with data protection by design and by default, alternative measures such as drop-down lists and check boxes are more appropriate.
- Due to the poor security of the app login, unauthorized persons were able to access and change the personal data of more than 63,000 students in grades one to ten.
- As a consequence of the insufficient security tests before the app went live, it contained known security holes.
Previously, the DPA had notified its intention to impose a fine of 200,000 euros in response to the above findings. However, the final amount was reduced to 120,000 euros due to mitigating circumstances in this case.
The municipality took measures to mitigate the damage as soon as the security deficiencies were brought to its attention and has shown its willingness to resolve the problems. The Municipality of Oslo has not appealed against the decision.
Amount of the data protection fine: 120,000 euros
Country: Norway