Infringement penalty to the University of Agder

The Data Protection Authority has made a decision to impose an infringement penalty of NOK 150,000 on the University of Agder (UiA) for violation of the General Data Protection Regulation. The University had not taken appropriate measures to safeguard personal data security in its use of Microsoft Teams.

In February 2024, an employee at UiA discovered that documents containing personal data had been stored in open Teams folders, where employees without a need to know had access. The data breach has been ongoing since the university started using Microsoft Teams in August 2018.

Many data subjects affected

The personal data has been available in the system, and employees have been able to access it through searches in open folders. The data breach covers documents containing personal data relating to employees, students and external actors. Approximately 16,000 data subjects are affected.

The information includes names, national identity numbers, information about adapted exams, the number of exam attempts and special arrangements. The data breach has also included an overview of refugees from Ukraine affiliated to the university, with information such as contact information, education and settlement status.

Demand for procedures and training

In most cases, only employees at UiA had access. The University is required to ensure that employees do not have access to personal data that they do not need in the performance of their work. This means ensuring that good procedures are in place and that employees receive training in protecting personal data in the systems used by the University. The university is also obliged to establish systems for logging and subsequent control that make it possible to detect data breaches.

Mobile: (+47) 97 08 11 20 E-mail:

Published:9/27/2024