Administrative fine against the Discrimination Ombudsman when personal data was collection via a web form

The reason for the supervision is a personal data breach that DO reported to the IMY in the fall of 2021. The incident concerned the DO's web form for collecting tips and complaints about discrimination. During the supervision, it emerged that the DO had taken a security measure intended to protect the personal data collected via the web form so that the data would not be included in usage analyses of the DO's website.

However, the security measure did not work as intended , which lead to some data, potentially sensitive personal data, being inadvertently disclosed to the personal data processor that the DO had hired to conduct the analyses. It is estimated that approximately 500 tips and complaints have been affected.

As soon as DO became aware of the incident, the authority closed the web form.

- The incident lasted for a year and shows the importance of working continuously and systematically with security in order to be able to discover insufficient security measures earlier, says Petter Flink, IT and information security specialist at IMY.