The Sámi Parliament's public records made 474 personal files publicly accessible, official sources confirmed. At least 50 of the files contained names or information that made it easy to identify the employees, according to official sources. For 19 of these individuals, the titles also revealed highly sensitive and very personal information, official sources stated.
The leak was discovered by NRK, which then informed the Sámi Parliament. The Sámi Parliament contacted affected individuals after NRK's discovery, according to official sources. However, several affected individuals first learned of the leak when NRK called; the Sámi Parliament contacted them afterwards.
It's a terribly uncomfortable feeling. I wonder how in the world something like this can happen.
According to NRK Troms og Finnmark, former employee Berit Oskal-Somby described being told by the Sámi Parliament that the files may have been online since 2009. Lawyer and privacy expert Jan Sandtrø, speaking to NRK Troms og Finnmark, described the notification as too late, stating that the Sámi Parliament has a duty to notify affected persons without undue delay. Sandtrø described the entire leak as a serious mistake and said it appears to be beyond what can be expected from routine procedures.
The Norwegian Data Protection Authority's Legal Director, Susanne Lie, stated that publishing confidential information through public records is a serious privacy breach. She noted that confidential information and health information are considered particularly worthy of protection. Official sources confirmed that such security breaches must be reported to the Data Protection Authority within 72 hours of discovery, and the Sámi Parliament must also inform the affected persons immediately.
They told me that this may have been online since 2009.
The exposure of personal files, some containing names and identifiable details, raises concerns about the handling of sensitive data. The fact that some files may have been accessible since 2009 suggests a long-standing vulnerability in the Sámi Parliament's record-keeping systems. The delayed notification to affected individuals, as highlighted by Jan Sandtrø, underscores potential failures in the Sámi Parliament's incident response protocols.
The Data Protection Authority's emphasis on the seriousness of publishing confidential information reflects the legal obligations that organizations must uphold. It remains unclear whether the Sámi Parliament has reported the breach within the required timeframe or what specific sensitive information was exposed in the 19 most severe cases.
I thought it was incredibly sad to learn that such information is on the internet and that anyone could have searched for it.
It's not just me who is affected in this case, and perhaps my file is not the worst. This affects many, including the families of those affected, and is a very serious matter.
Publication of confidential information through public records is a serious privacy breach for those affected.
We therefore assume that publication of confidential information will typically be particularly offensive for those affected.
It sounds like those affected were contacted or notified too late. The Sámi Parliament has a duty to notify them without undue delay. And that is pretty much immediately.
It seems to be beyond what can be expected of routines, because it is so serious. Personnel files should only be accessible to those who need them in their work.