Swedish Authority for Privacy Protection has received a number of personal data breach notifications from the City of Stockholm's Board of Education. The incidents all relate to the School Platform, which is the IT system used for, among other things, student administration in Stockholm. The school platform contains information of up to 500 000 pupils, guardians and teachers. The system contains sensitive data, including special categories of personal data, as well as information about pupils and teachers with classified information or protected identity.
The DPA has reviewed four subsystems in the School Platform and has found serious shortcomings. In one of the subsystems, deficiencies in the ability to restrict users' access to data have allowed large parts of the staff to access information about students with a protected identity. In another subsystem, guardians have been able to access information on other children concerning, for example, grades and evaluations talks in a relatively easy way. Through Google's search engine, it has been possible to find links for login to an administration interface in which information about teachers with a protected identity has been accessible.
— In an IT system like this, large amounts of personal data are processed. For such systems it is extremely important that the controller has put in place sufficient security measures in order to protect the data and furthermore to ensure continuous evaluation of the level of protection," says Ranja Bunni, a lawyer at Swedish Authority for Privacy Protection who participated in the investigation.
In its decision, Swedish Authority for Privacy Protection finds that the Education Board has not ensured that the personal data in question is processed securely. The Board has failed to take adequate technical and organisational measures to ensure a level of security appropriate in relation to the risk, including a procedure for regularly testing, examining and evaluating the effectiveness of the technical measures in place.
Swedish Authority for Privacy Protection issues an administrative fine of four million SEK for the concluded infringements. In Sweden, the maximum amount for administrative fines against public authorities is 10 million SEK.
— According to the General Data Protection Regulation, GDPR, administrative fines must be effective, proportional and dissuasive. In this case, the infringements have affected several hundred thousand data subjects, including children and pupils, as well as includes deficiencies in the handling of sensitive and special categories of personal data such as data regarding persons with protected identity and health data, says Salli Fanaei, who also participated in the investigation of Swedish Authority for Privacy Protection.
Read Swedish Authority for Privacy Protection's decision in pdf format (Swedish only) (pdf, 550 kB)
For more information, please contact
Lawyer Ranja Bunni, telephone +46-8-657 61 46
Lawyer Salli Fanaei, telephone +46-8-657 61 45
IT Security Specialist Adolf Slama, telephone +46-8-657 61 12
Press office, +46-8-515 15 415