Norwegian University Fined for Weak Access Controls in Microsoft Teams


On 4 September 2024, the Norwegian Data Protection Authority imposed a fine of NOK 150,000 on the University of Agder (UiA) following a six-year-long breach of personal data security. UiA had been storing sensitive personal data in open Microsoft Teams folders without proper access controls, making this information available to unauthorized employees and students.


Scope of the Breach

UiA’s non-compliance began in 2018 when the university implemented Microsoft Teams and SharePoint. A total of nine documents containing personal data of 16,000 employees and students were exposed. Key documents included:

  • Information on 4,851 employees and 10,419 external individuals, including national ID numbers.
  • Data on 568 students with specialized exam arrangements.
  • A list of 64 Ukrainian refugees studying at the university.
  • Other sensitive personal information, including health data.


Inadequate Access and Log Controls

The breach occurred because UiA failed to implement sufficient access controls and logging mechanisms in Microsoft Teams. Employees without a business need could access personal data through shared folders. The university’s internal controls only logged activities for the previous six months, making it impossible to confirm whether unauthorized individuals accessed the data over the six-year period.


Corrective Measures

Upon discovering the breach in February 2024, UiA reviewed all shared folders, restricted access, and notified affected individuals by 21 February 2024. The university also improved internal procedures, updated staff training, and ensured that shared Teams folders were made private to prevent unauthorized access.

The DPA determined that UiA violated Articles 24 and 32 of the GDPR, which mandate appropriate technical and organizational measures to safeguard personal data. The authority found the university’s actions to be negligent and imposed the fine based on the serious nature of the breach, which affected sensitive data over a prolonged period.


The press release and decision are available here (in Norwegian). 
