Lillestrøm Municipality: Insufficient technical and organisational measures to ensure information security

The Norwegian DPA has imposed a fine of EUR 30,000 on Lillestrøm Municipality. The municipality had accidentally published a document in which 10 out of 21 attachments contained personal data of students. The data included information on student names, date of birth, test results, assessments of student behavior and student challenges. This error was not detected by the responsible administrator and went through two more manual quality checks at the documentation center without the error being detected there as well. It was only a journalist who later drew attention to the data breach. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to protect personal data. Also, the fact that the incident was discovered not by the municipality, but by a third party, indicates inadequate routines in this area.

GDPR Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 32 (1) b) GDPR
Industry: Public Sector and Education