Last year the Datatilsynet issued a NOK 1.2m fine (EUR 125.000 approx) to the Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF) for disclosing the personal information of 3.2m individuals online (from which 450.000 were children) for 87 days following an error that occurred when solutions were tested in connection with moving the database from a physical server environment into the cloud. The exposed personal information included names, dates of birth, addresses, telephone numbers, and email addresses.
The NIF initiated testing before conducting a sufficient risk assessment and without implementing specific routines or measures to secure the information.
The SA held that there was no legal basis for the testing and that the principles of legality, data minimisation and confidentiality had also been breached.
Interestingly, the Datatilsynet suggested that testing could have been carried out by processing synthetic data, or by using fewer personal data,
Press release and fine here (in Norwegian)
*Synthetic data is data generated from real data which attempts to emulate the statistical proprieties of real datasets
0 comentarios