The Swedish DPA, Datainspektionen, issues a fine of SEK 4 million to the Board of Education in the city of Stockholm.
The fine concerns the city’s school platform, which on examination was shown to have serious shortcomings with regard to personal privacy.
Among other things, the system was shown to lack any means of restricting employees’ access to personal data in a relevant way.
Datainspektionen states that the Board of Education has not ensured an appropriate level of security for personal data, nor taken sufficient technical and organizational measures to ensure a level of security appropriate to the risk.
The system handles personal data for 500,000 students, guardians and teachers.
The maximum fine for authorities in Sweden is SEK 10 million, so the fine imposed is 40% of the maximum amount.
The Data Inspectorate’s decision gives us some important insights:
– DPAs now also conduct investigations by actually inspecting systems and data storage.
– It is of absolute importance to take relevant “privacy by design” measures for historical data and systems as well.
– Lacking, and thus being unable to demonstrate, the ability to restrict access to personal data is a serious violation of the GDPR.
The problems can, as in the case of the city of Stockholm, be found in older systems, but the biggest problem is found in files and e-mails.
Unstructured data often contains large amounts of unknown and undocumented personal data, which means that access to it is neither controlled nor supervised.