Iceland’s data protection authority (DPA) has ordered InfoMentor to pay a financial penalty for security slips that included two unauthorised people accessing ID numbers and avatars of 424 children.

The Reykjavik-headquartered company, which develops programmes in support of national curriculums for schools internationally, admitted human error meant a weakness in its computer systems had not been fully corrected as instructed.

The vulnerability was only eradicated after the data leaked. The DPA said it considered that could have been prevented through adequate follow up and testing of security measures. 

Also, InfoMentor failed to ensure adequate security of personal information by mistakenly sending the ID numbers of children caught up in the system breach to the wrong school and privacy officer in several cases, the authority added.

It is of great importance that children’s personal information has special protection under the country’s data protection laws and regulations, a principle which places even greater demands on a company such as InfoMentor given it processes personal information about children as part of its business, the DPA added.

The authority noted there is no indication that the 424 youngsters whose data leaked had suffered any damage as a result and that the company demonstrated the numerous measures it has taken to ensure security of personal information in its systems.

InfoMentor was fined ISK3.5m ($27,800, €23,200).

One of the people who accessed the children’s ID numbers and avators without permission was in Iceland, the other in Sweden.

InfoMentor helps schools and teachers develop curriculum-related activities in Sweden, the UK, Switzerland and Germany, as well as Iceland.

Register to receive the latest privacy and data protection news and analysis straight to your inbox