Misuse of video camera system at the Centre for Elite Sports in Granåsen from March 2014 to 6 August 2015
In 2015, NTNU and the Norwegian Olympic Sports Centre (Olympiatoppen) discovered that outsiders had gained unauthorized access to the network that runs the video camera system in the gym and the laboratory for research on the 3rd floor of The Centre for Elite Sports in Granåsen. In connection with the unauthorized access, videos of people who were training were recorded, and these were posted online. The videos have been recorded in a way that can be defined as sexualized.
NTNU and Olympiatoppen reported this to the Norwegian Data Inspection Authority as a discrepancy. The Data Inspecion Authority has completed its assessment of the case and imposed a penalty of NOK 100 000 on NTNU and Olympiatoppen for violation of The Personal Data Act [personopplysningsloven] and The Personal Data Regulations [personopplysningsforskriften]. In addition, we were criticized for a lack of safeguards to prevent security breaches.
The Data Inspection Authority requested us to notify all those potentially affected who might have been on the premises during the period from March 2014 to 6 August 2015. Everyone who could be identified in known videos or photographs has been notified.
What has happened?
Unauthorized parties have accessed the network in the video camera system of NTNU and Olympiatoppen in the gym and the laboratory for research on the 3rd floor of the Centre for Elite Sports in Granåsen. The unauthorized access was discovered in August 2015 (incident 1). In May 2016, it was discovered that the unauthorized access had been more extensive and serious than initially assumed (incident 2).
Incident 1: In August 2015, NTNU was informed that three photographs from the cameras in the gym and the training laboratory in the Centre for Elite Sports in Granåsen had been posted on the Facebook website. NTNU and Olympiatoppen responded by shutting down the video camera system and reconfiguring the network connection so that the cameras were no longer accessible online. The system was put back into operation when the security measures were in place.
Incident 2: On 3 May 2016, the IT Division at NTNU was informed that new and more photos and videos had been posted on a file-sharing website. An unknown person has had control over the cameras’ control system before August 2015 and recorded an unknown number of videos and photos of users in training activities sometime between March 2014 and 6 August 2015. Some of the videos have been recorded and edited in a way that means they can be defined as having a sexualized nature.
NTNU and Olympiatoppen have implemented security and information measures in accordance with privacy protection regulations and legislation. As a matter of routine, the unauthorized access was reported to the police, but the police have decided not to proceed with the case. Everyone who could be identified in videos or photographs has been notified.
What is the camera system used for?
The video camera system at the Centre for Elite Sports is used for research and training purposes. For example, the camera system enables coaches to view an athlete’s technique from various angles so that they can give direct feedback to the athlete.
Who has had access to the camera system?
The video camera system is based on four motorized IP cameras that stream video to a separate PC. The cameras were controlled using a tablet computer. The security of the data exchange between these devices was not good enough, so that it was possible for anyone with the right type of software to connect to the system, take over the control system in the cameras and make recordings from the live feed from the cameras. After the unauthorized access, a number of security measures have been implemented to ensure that outsiders can no longer access the camera system.
Does NTNU or Olympiatoppen have copies of the data that were stored?
When the unauthorized access was initially discovered (incident 1), the camera system was immediately shut down and security measures were implemented. In connection with incident 2, it was discovered that there were more videos than had initially been assumed. These were downloaded and they were properly safeguarded at NTNU. Everyone who could be identified was notified directly. NTNU’s copies of the material have been deleted.
Employees at NTNU and Olympiatoppen have violated the privacy of users of the Centre for Elite Sports by installing and using a video camera system without adequate risk assessment and security measures. NTNU and Olympiatoppen express our deepest apologies for this. It is our responsibility that the regulations in force for the use of personal data have not been followed and steps have been taken to prevent this from happening again.
If you would like further information on this matter, please contact:
- Faculty of Medicine and Health Sciences: Jorunn Helbostad (email: firstname.lastname@example.org, telephone: +47 725 75888)
- The Norwegian Olympic Sports Centre: Frode Moen (email: email@example.com, telephone: +47 93248750)