Lillestrøm municipality – €26,100 Fine (Norway, 2022)

Lillestrom municipality notified the Norwegian DPA about a personal data breach concerning a document they had published on their website, where they had forgotten to classify the appendices as exempt from public disclosure. The caseworker also failed to notice the error. The document then went through two additional manual quality controls without the error being detected and it was only discovered after a local journalist notified them. The document contained information and personal data about a pupil, including name, birth date, name and address of their parents and their description of their child, description and assessment of the pupil's behaviour and educational challenges from both the school and other public authorities, as well as a concrete assessment of how much special needs tutoring the pupil needs, the pupil's own description of their well-being at home and at school, their tests and assessments and potential diagnoses like dyslexia or ADHD. The document was available online for about two days and was accessed by four different IP addresses before the municipality managed to remove it. The Norwegian DPA fined the controller €29,880 for lack of sufficient technical and organisational measures under Article 32(1)(b) GDPR and Article 5 GDPR, and for having published personal data on their website without lawful grounds under Article 6 GDPR and Article 5 GDPR.