Norway: Datatilsynet notifies intention to fine Bergen Municipality NOK 3M for inadequate data security
The Norwegian data protection authority ('Datatilsynet') announced, on 20 May 2020, that it has notified the Bergen Municipality of its intention to issue a fine of NOK 3 million (approx. €275,000) for inadequately securing personal information in the context of the school's communication system between homes and the school. In particular, Datatilsynet noted that Bergen Municipality failed to take sufficient technical and organisational measures to ensure the security, confidentiality, and integrity of personal information. In addition, Datatilsynet highlighted, among other things, that children, who require the highest degree of confidentiality, had not received adequate guidelines, that personal information was accessed by unauthorised third parties, and that the risk assessment failed to account for the risk associated with the processing of information regarding parent and children relationships. Moreover, Datatilsynet stated that it had encountered numerous cases of inadequate security of digital communication tools used by schools and that Bergen Municipality, following the notification of Datatilsynet, is required to submit comments by 22 June 2020.