The Municpality of Bergen has been fined 170 000€ by the Norwegian DPA, Datatilsynet.
The breach came to the DPAs attention by the report of one of the students of the public school, administrated by the Municpality of Bergen, who found a file with login credentials for 35 000 students and employees, in a public storage area.
Datatilsynet found that the municipality’s lack of appropriate measures to protect the personal data in the computer file systems constituted violations of both art. 5(1)f and art. 32 GDPR.
The fact that the security breach encompasses personal data to over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors.
The Norwegian decision points the finger on the need to perform a privacy data inventory. The Municpality of Bergen has conducted a number of projects relating to information security and access management. However. There is no point in investing in security measures and access management, until one has full control of where personal data resides within the data sources.