On May 11, 2021, the Norwegian Data Protection Authority (‘Datatilsynet’) fined the Norwegian Olympic and Paralympic Committee and Confederation of Sports (‘NIF’) NOK 1.2 million (approx. €124,430) for disclosing the personal information of 3.2 million individuals.
In the present case, NIF had started testing before conducting a sufficient risk assessment and without implementing specific routines or measures to secure the information. As a result of an error made while testing a cloud solution, the personal information of 3.2 million Norwegians remained accessible online for 87 days. The Datatilsynet further noted that the testing could have been carried out with synthetic data, or with far less personal data, and therefore held that there was no legal basis for the testing and that the principles of lawfulness, data minimisation and confidentiality had also been breached.
The Datatilsynet also noted that the exposed personal information included names, dates of birth, addresses, telephone numbers and email addresses, and considered that NIF had not implemented adequate security routines for testing and that testing with personal data on that scale was not necessary.