
SiT stores data illegally
During a shift for NTNUi at the Gløshaugen sports centre, Hans Aleksander Østhagen discovered that SiT registers data about NTNUi members' exercise habits.
Translator: Tommy Lian Taraldsen
Østhagen is the leader of NTNUi's Orienteering group and, like many other active members of NTNUi, sat watch at the desk at the sports centre. There he made sure that those who exercised had a valid membership card. He noticed that, in addition to name and membership card, other data registered when the card was swiped were open to all who sit shifts for an indefinite time.
– Not acceptable
– When a person enters the sports centre and swipes his or her card, the person sitting the shift is supposed to check for a valid membership in NTNUi, and have the possibility to confirm the identity of the card holder. The person sitting the shift is not supposed to read about all previous visits to the centre and when and where the person usually exercises, says Knut Inge Engelbreth of NTNUi's Head Board.
He thinks it is not acceptable that the Student's Organization in Trondheim (SiT) does not follow current regulations when handling personal information.
– We have made SiT aware of the problem, and expect that they take matters into hand immediately. This means that they will delete all the members' information about visits and from here on follow the regulations regarding this. It is important that all NTNUi members feel safe that their personal information is handled securely, Engelbreth says.
The personal information stored is date of birth, name and all registered visits over a long period of time.
An offense
Senior engineer Frank Eriksen in the Data Inspectorate says it is alarming that this much information is stored and made easily accessible at SiT Sports.
– According to the law of personal protection, no information about clients may be stored unless there are valid reasons for this. SiT does not fulfil the necessary requirements to store the information, and violates their duty to delete the information. If there were any reasons why the information should be stored, it would have to be with every member's consent and a maximum storage duration of one year, Eriksen says.
In 2009, the sports centre chain SATS was involved in a major case in which it was eventually forced to delete three years of client information by decree of the Data Inspectorate.
– Might be misused
Director of information Ove Skåra of the Data Inspectorate thinks SiT's handling of personal information is disrespectful to students.
– It is bad enough that they have not reflected on this and restricted the access to the exercise data, he says.
Skåra thinks that the information should not have been stored in the first place.
– It is obvious that they have to limit the storing and distribution of information, even though the possibility for misuse is rather small in this case.
Yet, the potential for misuse is still present.
– A boy might, for example, look up a girl he likes in the system and find out when and where she exercises to be sure to run into her. Many will feel violated by the fact that random people have access to their personal information, Skåra says.
Four years of exercise
Hans Aleksander Østhagen, who first reported SiT's illegal storage, thinks it is unnecessary to make snooping so easy, and thinks that there is no valid reason for SiT Sports to store so much personal information.
– It is highly unnecessary that this much information is stored, but it is far worse that it is as accessible as it is. All my visits to the sports centres from 2006 up until now are, for example, stored and easily accessed.
– Does not see the problem
The head of SiT Sports does not see the problem with keeping personal data of over 12 000 members in NTNUi without their consent or proper protection.
– I don't see any problem with the situation as it is today. The information could be made anonymous, but I have not reflected any further on this. We barely use any of the information that's stored. I honestly don't think the members test the program and find lists of members' visits to the sports centres, says the head of SiT Sports Arne Brevik.
Other sports centres have, according to him, the same system for registration of visits.
– This is standard software from Nortrim, which is also distributed to other member registers. When we bought this program, we assumed that the supplier was up to code on current rules and regulations, says the head of sports.
He does not see the problem with storing data.
– The storage function that registers the members' visits is embedded in the program, but this is a version we are about to phase out. We won't be able to do anything before we get a new solution next semester, Brevik says.
He points out that the information that is stored is limited in that it does not contain e-mail addresses or social security numbers.
When the program is switched next semester, Brevik will make sure that everything is as it should be.
– We will make sure that the new system follows the current rules and regulations for handling data, Brevik says.