The University of Agder in Kristiansand in Norway has been fined NKr 150,000 ($13,870) for breaching requirements for security and internal control when processing personal data while using Microsoft Teams.
In February 2024, an employee at the university discovered documents with personal data in open Teams folders – open for all employees to access and in some cases even students.
Datatilsynet, the Norwegian Data Protection Authority, believes that this violation has been going on since August 2018 when the university started using Microsoft Teams.
The information was also searchable within the folders, and included personal details about employees, students and external actors. Around 16,000 registered users were affected, with information about preparation of exams for 568 students, and some information going back to 2014.
The documents included some of the following information:
- name;
- social security number;
- information about exams;
- the number of exam attempts and special arrangements;
- employee number;
- resignation date; and
- organizational unit.
One document from 2014 also listed everyone who had called in sick during the autumn term.
Information on Ukrainian refugees
Some of the documents also held an overview of 64 refugees from Ukraine associated with the university, and showed information such as:
- full name;
- address;
- student number;
- date of birth;
- telephone number;
- previous educational background;
- field of study;
- whether they have registered to Lånekassen (the Norwegian State Educational Loan Fund);
- planned course of study; and
- residence status.
Datatilsynet also found that the university failed to have a proper function to log activity in Microsoft Teams until it was established six months ago. Because there was no proper logging function, it is also not possible to detect unauthorized access to the data, which is mandatory under GDPR Articles 32 and 24.
“We emphasize that it is the management’s responsibility to take measures to achieve a level of safety which are suitable with regard to the risk, including internal routines for safe storage and adequate training of employees,” Datatilsynet said.