Vejen Municipality has been reported to the police by the Danish Data Protection Agency (Datatilsynet) for failing to ensure adequate data security following the theft of five laptops. The agency has also recommended that a fine of 200,000 Danish kroner be imposed on the municipality.
The incident began when Vejen Municipality self-reported a personal data breach after five laptops intended for educational use by teachers and students were stolen. These laptops contained sensitive information, including status reports on students with special needs, which were not encrypted. This lack of encryption resulted in a significant risk associated with the stolen data.
Upon further investigation, the Danish Data Protection Agency discovered that approximately 300 additional laptops in the municipality were similarly at risk of being used unencrypted. Vibeke Dyssemark Thomsen, a chief consultant at the Data Protection Agency, expressed her astonishment at the ongoing violations by municipalities: “I must say that I am surprised that we keep seeing these cases among municipalities. We have received notifications about such breaches for several years, and we have been warning them repeatedly. We have also recommended fines in previous cases,” she stated in a written statement.
Thomsen emphasized that encryption is a fundamental security measure that is both relatively simple and affordable to implement. “We therefore urge all municipalities to conduct a thorough review of their laptops and ensure encryption is in place immediately,” she added.
Vejen Municipality is not alone in facing issues related to data security. The Data Protection Agency has previously recommended fines in similar cases involving other municipalities, including Favrskov, Gladsaxe, Hørsholm, and Odsherred.