It was when the city audit in Örebro Municipality in 2016 examined the compulsory school's handling of personal data that the deficiencies were discovered. Among other things, the audit report found that, in principle, all users of the student register system Adela could access personal data belonging to students with protected identities and that information from the register was disclosed without confidentiality testing.

In addition, several so-called personal data access agreements were also lacking with the suppliers behind the IT platforms, which are to ensure that personal data is protected.

"It can be very serious in a single case," says Lena Jansson (M), chair of the city audit, and believes that there may be a threat to students with protected identities and their guardians.

Lena Jansson (M), chair of the city audit. Photo: Philip Naskret / SVT

The audit addressed serious criticism of the elementary school board after the review. Several years went by and this spring, the city audit followed up the report. It was then found that several shortcomings existed and that the elementary school board did not take adequate measures to address the security problems.

- You will be disappointed, says Lena Jansson.

The municipality has started to test confidentiality

According to Linda Smedberg (S), chair of the compulsory school board, this is due, among other things, to the fact that several officials in charge of these issues changed service.

"A lot of work has been done, but we have not completed what we would," she says.

Smedberg believes that information is no longer disclosed without confidentiality testing. Right now, a major work is also going on within the various school boards to ensure that all those who use the IT platforms have signed agreements with suppliers on how they can handle personal data.

The City Audit's first report and the follow-up report that came last spring. Photo: Philip Naskret / SVT

But there are cases where the municipality of Örebro happened to disclose the student's personal information.

- We have had a couple of personal data incidents since GDPR came into force, but there we have clear routines for how we follow up, says Linda Smedberg.

Is it about students with protected personal data?

- No, not in those cases.