On 17.12.2018, the Norwegian Data Protection Authority (DPA) issued a warning that it will 1) exercise its corrective power (GDPR Article 58.2(d)) vis-a-vis Bergen municipality, and 2) issue a fine to Bergen municipality (GDPR Article 83) for having made files with user-names and passwords belonging to more than 35 000 students accessible to school students, employees and other personnel, thereby infringing the data security requirements laid down in the GDPR.
DPA decision is not final
Before the DPA makes its final decision, Bergen municipality is given the opportunity to explain itself (in accordance with forvaltningsloven § 16).
Bergen municipality used a cloud-based login solution, named eFEIDE, for central user registration, single sign-on and login for teachers and students, so that they could access the different systems used by the primary schools in Bergen from devices connected to the Internet. eFEIDE is delivered by Identum.
Employees and students used FEIDE to log in to and access systems such as Its Learning (a learning platform containing, among other things, teachers' assessments of student performance and communications between students and teachers) and Conexus Engage (containing, among other things, teachers' characterizations of students' academic and social).
eFeide contains students' and employees' names, user-names, passwords, date of birth, address, school belonging and school class. Per 24.08.2018, eFeide had 35 601 unique users.
On 15.05.2018 (at the time when the previous Data Protection Act was in force), a school employee reported to ICT Helpdesk of Bergen municipality that several files that contained the user-names and passwords of students and employees were accessible for students. This was discovered by a student who had reported this to the school employees.
The student had logged into eFEIDE 5 times before reporting the lack of security to the school. The first login happened 13.03.2018. The school did not follow up with any security measures.
The student found the user-names and passwords, including those with administrator access, in a file that was accessible to students. Hence, all employees and students could access information about all the users of the FEIDE catalogue that belonged to Bergen municipality. The file was used to move data between the different systems that the school used. Each year at the start of the school year, new users were created, and at each fall break, all passwords were nullified so that every user had to set a new password after the fall break, but the new passwords were not checked against the old ones to prevent their further use. Hence, users could simply set their previously used passwords again after the fall break.
Between 22.06.18 and 30.07.18, someone with a user account belonging to Bergen municipality had accessed eFEIDE and changed the contact information for the customer relationship to Identum. This was discovered by Identum 13.08.18.
On 14.08.18, the student logged into Its Learning using the account of the dean and from this account, the student sent messages to several persons. The message contained the password of the dean.
On 16.08.18, this was reported to the police. The student admitted to guessing the password of the dean and to logging into Its Learning using ten different accounts.
Knowing these facts, Identum nullified all passwords for all administrator accounts for Bergen municipality on 13.08.18, and nullified all other passwords on 15.08.18.
On 17.03.2017, Identum sent Bergen municipality an offer to use eFEIDE with two factor authentication of users to access eFEIDE.
The DPO of Bergen municipality informed the DPA that the municipality had routines for access control to eFEIDE, but that these routines had not been followed.
On 17.08.18, after the facts were publicized in the media, Bergen municipality introduced two-factor authentication for access to the user administration accounts via eFEIDE; however, two-factor authentication for access to the other user accounts via eFEIDE was not introduced.
Previous Data Protection Act or GDPR?
The infringement was discovered on 15.05.18, which was before the GDPR entered into force in Norway.
Paragraph 33 of the Norwegian Act on data protection (personopplysningsloven) says that when the rules for administrative fines are to be applied, the rules that applied at the time of the infringement shall apply.
With support in the European Convention on Human Rights Article 7, the preparatory works for the Norwegian Act on data protection and the practice of Personvernnemnda, the DPA considered that the infringing act is an act that continues until the controller ends the infringement.
Since Bergen municipality ended the infringement in August 2018, the time of the infringing act is after the GDPR entered into force in Norway, which was on 20.07.2018. Hence, GDPR applies to the case.
The DPA went through the GDPR rules relevant for the case, which are Article 5, in particular Article 5.1(f) and Article 5.2, and Article 32.1(a) and (b).
The DPA warned it will exercise its corrective power in GDPR Article 58.2(d) to order Bergen municipality to bring processing operations into compliance with the provisions of the GDPR.
The DPA considered that:
- the storage of an open, unprotected digital file, that contained the user-names and passwords to the information systems of the primary schools of Bergen municipality, and that was available to teachers and students, is an infringement of GDPR Article 32.1.
- the lack of two-factor authentication for employee login to Bergen municipality's information systems that contain the personal data of students, which is needed to achieve the level of security required to ensure the ongoing confidentiality, integrity, availability and resilience of the information system, is an infringement of GDPR Article 32.1.
- The DPA referred to Recital 38 of the GDPR that says
“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”
The DPA warning for an order is as follows:
- the municipality of Bergen must establish a two factor authentication for login via network to all information systems that contain personal data about students, in accordance with GDPR Article 5.1(f) and Article 32.1(b)
- the municipality of Bergen must establish organisational and technical measures to protect the passwords of students and employees (e.g. hashing and salting of passwords, encryption, access controls and administrative routines), in accordance with GDPR Article 5.1(f) and Article 32.1(a) and (b).
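The two technical measures the order names, salted password hashing and the protection of passwords during system-to-system transfers, and the fall-break reset routine described earlier (passwords nullified but reuse not prevented) can be illustrated in code. The following is an added example, not code from eFEIDE, Identum or Bergen municipality: a hypothetical minimal credential store in which passwords exist only as salted PBKDF2 hashes, a reset forces a new password and rejects reuse of the previous one, and the export used to move users between systems carries no password material at all. The class, field names and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical credential store (added example; not the eFEIDE implementation).
# PBKDF2-HMAC-SHA256 with a per-user random salt: a leaked record cannot be
# used as a password and identical passwords do not produce identical hashes.
PBKDF2_ITERATIONS = 200_000  # assumed value; raise it for production use
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password and the user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    def __init__(self) -> None:
        # username -> {"salt", "hash", "previous", "must_reset"}
        self._users: dict[str, dict] = {}

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_BYTES)
        self._users[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "previous": [],        # (salt, hash) pairs kept only for the reuse check
            "must_reset": False,
        }

    def verify(self, username: str, password: str) -> bool:
        """Login check: a nullified account cannot log in until a new password is set."""
        rec = self._users.get(username)
        if rec is None or rec["must_reset"]:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

    def nullify_all(self) -> None:
        """Fall-break style reset: the current hash is moved to the reuse-check list
        and the account is locked until the user chooses a new password."""
        for rec in self._users.values():
            rec["previous"].append((rec["salt"], rec["hash"]))
            rec["hash"] = b""
            rec["must_reset"] = True

    def set_new_password(self, username: str, new_password: str) -> bool:
        """Return False if the candidate matches any previously used password."""
        rec = self._users[username]
        for old_salt, old_hash in rec["previous"]:
            if hmac.compare_digest(old_hash, hash_password(new_password, old_salt)):
                return False
        salt = secrets.token_bytes(SALT_BYTES)
        rec["salt"] = salt
        rec["hash"] = hash_password(new_password, salt)
        rec["must_reset"] = False
        return True

    def export_for_transfer(self) -> list[dict]:
        """Directory-sync export: user identities only, never salts or hashes."""
        return [{"username": name} for name in self._users]


if __name__ == "__main__":
    store = CredentialStore()
    store.create_user("student1", "winter2018")   # constructed sample account
    print("login ok:", store.verify("student1", "winter2018"))
    store.nullify_all()
    print("old password reused:", store.set_new_password("student1", "winter2018"))
    print("new password accepted:", store.set_new_password("student1", "spring2019"))
    print("export:", store.export_for_transfer())
```

The reuse check is what the routine described on the page lacked: nullifying passwords without comparing the replacement against the old hash lets every user restore the password that was already exposed. Keeping only identities in the transfer export removes the reason a file with passwords existed in the first place.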
The Norwegian Act on data protection (personopplysningsloven) paragraph 26.2 states that the DPA can impose on public authorities an administrative fine pursuant to GDPR Article 83 and Article 83.7.
The preparatory works to the Norwegian Act on data protection (Prop. 56 LS (2017-2018)) state that the DPA has in many cases fined public authorities and that there is no reason not to continue this practice under the GDPR.
(Also, see GDPR Recital 150 which states that: “It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines.”)
The DPA went through the GDPR rules on fines, which are Article 83.1 and 83.5, in particular Article 5.1(f) and Article 5.2, and Article 32.1(a) and (b), and refers to the Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253 endorsed by the EDPB.
The DPA said administrative fines are measures to ensure efficient adherence to and enforcement of the GDPR, and that such fines may be considered criminal charges as conceived in the European Convention on Human Rights Article 6 and the practice of the Norwegian Supreme Court (Rt. 2012, p 1556).
Therefore, there must be clear preponderance of evidence of an infringement of GDPR Article 32 in order to issue an administrative fine, which the DPA found to be the case.
Extent of fine
Moving on to assess the extent of the administrative fine in accordance with GDPR Article 83, the DPA reasoned:
GDPR Article 83.2(a):
- The infringement is a result of lack of technical and organisational measures to ensure an appropriate level of security with regard to confidentiality and integrity, as required by GDPR Article 32. The DPA also refers to Recital 83.
- The infringement encompasses more than 35 000 teachers and students whose user-names and passwords potentially could have been exposed to all the users, and in worst case 35 000 people.
- Most of those affected were children, who are less able to protect their rights and freedoms, and who are required to be registered in primary school and therefore could not freely choose whether to be registered on the platform, since Its Learning is compulsory for all children. Children merit specific protection with regard to their personal data (Recital 38). That the infringement concerns children makes it grave. The DPA emphasizes the fact that the children were required to use the platform.
- The data security breach reported to the school on 15.05.18 was not reported to the DPA, as required by the previous Data Protection Act.
- The digital file, that contained the user-names and passwords to the information systems of the primary schools of Bergen municipality, was stored unprotected and available for a longer period.
- The principle of accountability in GDPR Article 5.2 and 5.1(f) requires Bergen municipality to adhere to the principle in Article 5.
GDPR Article 83.2(b):
- During 2013-14, the DPA audited the school sector in Norwegian municipalities. The DPA found a lack of access control for employees' access to the personal data of students, and therefore issued statements to the municipalities to use strong authentication, i.e. two-factor authentication, for employees' access to learning platforms and school administrative systems. Specifically, the DPA ordered Møhlenpris school in Bergen municipality to use two-factor authentication when using the School Wide Information System (SWIS).
- The DPA has also issued a guide on two-factor authentication, which is available at its website.
- Identum, who delivers eFEIDE to Bergen municipality, on 17.03.18 gave an offer to Bergen municipality with the option of two-factor authentication. More than a year later, that option was not used.
- Identum had informed Bergen municipality that two-factor authentication is a necessary security measure.
- The DPO of Bergen municipality had pointed out to Bergen municipality that two-factor authentication is required.
- Based on this, the DPA found it beyond doubt that Bergen municipality knew that two-factor authentication for using eFEIDE was a necessary security measure.
- Knowing about the infringements, Bergen municipality remained passive.
- By not taking steps to secure the personal data of students and teachers, Bergen municipality acted with a grave degree of culpability.
GDPR Article 83.2(c):
- Bergen municipality had routines for handling infringements, but the warning from employees was not passed on.
- When the infringement was reported on 17.08.18, Bergen municipality made the file unavailable, and has later introduced two-factor authentication.
GDPR Article 83.2(d):
- GDPR Article 5 establishes a high degree of accountability for the data controller. Bergen municipality has not introduced technical and organisational measure that meet the privacy by default principles as required by GDPR Article 25, and has not taken measures to achieve a security level that is appropriate with regard to the risk, as required by GDPR Article 32. Hence, Bergen municipality has not demonstrated accountability with regard to an acceptable security level.
GDPR Article 83.2(e):
- Earlier, the DPA had imposed on Møhlenpris school in Bergen municipality to use two-factor authentication when using the School Wide Information System (SWIS).
GDPR Article 83.2(f):
- Bergen municipality has reported the infringement to the DPA and has been in dialogue with the DPA about the infringement, but this has not reduced the negative effects of the infringement.
GDPR Article 83.2(g):
- The DPA could not see that special categories of personal data (GDPR Article 9) had been exposed.
- The DPA referred to Recital 75, which points out that special regard shall be given to the risk associated with the personal data of children, and to whether the processing involves a large amount of personal data and affects a large number of data subjects. The personal data that were available were user-names, passwords, full name, the school to which a student belonged, and the address of each student. In addition, in eFEIDE it was possible to see the personal identification number and address of each person, as well as the phone number of employees. Hence, the infringement could potentially lead to access to sensitive personal data, e.g. whether people had been absent from school due to illness.
GDPR Article 83.2(h):
The DPA's first knowledge about the infringement was via media. Bergen municipality notified the DPA about the data security breach 15.08.18.
GDPR Article 83.2(i):
No earlier measures referred to in Article 58(2) have previously been ordered against Bergen municipality with regard to the same subject-matter.
GDPR Article 83.2(j):
Not relevant for the case.
GDPR Article 83.2(k):
The DPA could not see that Bergen municipality had financial gains, or losses avoided, directly or indirectly, from the infringement.
The DPA gave special weight to:
- Grave infringement of GDPR Article 5.1(f).
- Lack of two-factor authentication in eFEIDE in spite of knowing it was necessary.
- The infringement concerns children.
- Students were required to register.
- The availability of the files made it impossible to know how many people had accessed the information.
- Student and employees must expect that municipalities adhere to the GDPR, in particular rules that ensure confidentiality.
- Bergen municipality has weak routines, which increases the probability of infringements.
- Bergen municipality is the second largest municipality in Norway and had a budget surplus of 1.1 billion NOK in 2017.
- Rules shall prevent infringement by Bergen municipality and shall signal to others.
- Rules shall be efficient.
The DPA warning for a fine is as follows:
- an administrative fine of 1.6 million NOK pursuant to Article 83.5 for not having proper technical and organisational measures to achieve a security level that is appropriate with regard to the risk, for the lack of pseudonymisation and for the lack of ongoing confidentiality, as required by GDPR Article 5.1(f) and Article 32.1(a) and (b).