Personal data breach at the Breiðholt Upper Secondary School – Administrative fine
On 5 March 2020, the Icelandic DPA took the decision to impose an administrative fine of ISK 1.300.000 (EUR 8.945) on the Breiðholt Upper Secondary School in a case relating to a personal data breach.
The breach occurred when a teacher at the school sent an e-mail to his students and their parents/guardians, 57 people in total. Attached to the e-mail was a document that the teacher believed to contain information on consultation appointments. However, the attachment concerned a different group of students, 18 in total, and contained data on their well-being, study performance, and social conditions. To a considerable extent, the information concerned the students' problems. In one instance, the data had to do with an intervention by child protection services. Furthermore, there were data on one student's physical illness, and on another student's mental health problem.
After carrying out an investigation of the data breach, the DPA concluded that the breach resulted from the controller's failure to implement appropriate data protection policies and appropriate technical and organisational measures to protect the data. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)(f) and Art. 32 of the GDPR.
When determining the fine, the DPA referred to the nature of the personal information involved in the breach, which consisted of data concerning health and other personal issues. The DPA also cited the nature of the Breiðholt Upper Secondary School as a nonprofit institution.