UiO risks a million kroner fine
The Norwegian Data Protection Authority suspects the University of Oslo may have done a sloppy job when handling sensitive personal data. In a similar case, health companies were fined a total of 7.2 million NOK.
After an inspection, the Data Protection Authority has asked UiO to change its security procedures. The letter relates to the processing of sensitive personal information such as social security numbers, information about large groups of people, and information classified as confidential.
«If we find areas we believe have a weakness, we will give notice about what to do. This can be anything from a small change to a serious security gap,» said Veronica Jarnskjold Buer, a senior engineer at the agency.
Processing UiO's response
Buer is currently processing UiO’s response to the matter. Once the case has been finalized, the Data Protection Authority will decide whether to accept UiO’s explanation or to instruct the university to make changes. Since the case is not settled, the details of the order are withheld from the public.
In October 2016, the agency issued a letter on the topic. The University of Oslo responded by sending information about its safety practices, but the Data Protection Authority was not satisfied. A letter was sent on 21 November 2017 with a decision requiring UiO to make changes in its data system. UiO chose to send a final reply rather than accept the order.
Steep fines possible
«I may have misunderstood, and then this is not a case. The decision will be waived if it appears that the University of Oslo has followed the rules,» said Buer.
If the decision is maintained, the fine will certainly sting. That was the outcome for a health company recently, after a report from the Data Protection Authority revealed serious security breaches.