Insufficient security measures at a local authority in Denmark has led to a fine of DKr 200,000 ($29,560) from Danish data protection authority Datatilsynet.
Vejen Municipality has also been reported to the police after the discovery of five stolen laptops containing unencrypted information about students.
During its investigation, Datatilsynet found a failure to encrypt around 300 other computers in the municipality.
“I must say that I am surprised that we continue to see these cases in the municipalities. We have received notifications about this kind of breach for several years, we have been out and warned several times, and we have also proposed to fine in previous cases,” said Vibeke Dyssemark Thomsen, chief consultant at the danish data protection authority.
Information about students with special challenges
The computers were only intended to be used by teachers and students for teaching purposes. However, they were also found being used by teachers to make status descriptions of students, class handovers, and more, and contained information about students with special challenges.
“Encryption is a very basic security measure which is relatively easy and not very expensive to implement. Therefore, we encourage all municipalities to take a thorough look at their portable devices and get control on encryption now,” Dyssemark Thomsen said.
“We have received notifications about this kind of breach for several years, we have been out and warned several times.”
Vibeke Dyssemark Thomsen, chief consultant at Datatilsynet
Datatilsynet has previously recommended – or levied – fines in similar cases regarding the lack of encryption of portable devices in:
- January 2024: Odsherred Municipality – DKr 100,000 – 200,000 ($14,775 – $29,546)
- May 2022: The Civil Agency – DKr 100,000 ($14,775);
- September 2021: Favrskov Municipality – DKr 75,000 ($11,081); and
- March 2020: Gladsaxe and Hørsholm Municipality – DKr 100,000 kr vs DKr 50,000 ($14,775 vs $7,387).
