Is there any way to write an app that doesn’t “publish the data” by this definition? It seems like publishing was not their intent, and furthermore they were not legally allowed to “publish” personal data.
For example if their system includes an app that lets you see your students grades and disciplinary issues, presumably you would not want that published. Is it simply impossible to build an app with such data in Sweden now as it would be “published”?
Edited to add: and just to be clear, I am fully supportive of this use case. Just trying to understand the restrictions better.
No, because applications, publishing and intent doesn't factor in.
Student grades and disciplinary issues become official documents as soon as the teacher documents them regardless of form (i.e. paper, audio recording, IT-system, etc). The school is then obligated to provide those official documents to anyone upon request.
The school could argue that this information should be kept secret but student grades are not explicitly protected by law and it has already been established that this type of information is in fact public. I don't know about disciplinary issues but interactions with social services and psychologists are explicitly protected by law.
The Swedish government has always been obligated to make information accessible to humans and with new regulation regarding Open data and Digital government that obligation has increased to also make information accessible to machines. Attempting to create an application that makes this difficult would be misconduct - the Swedish government is obligated to provide APIs.
Can a different parent look at my child's grades? Or is there still some level of privacy where only certain parties are allowed to view certain documents even if they are official.
Edit 1: I figured I should back this up with a source but all the ones I could find are written in Swedish. So either accept my translation or ask a trustworthy Swede to translate it for you.
> Skolbetyg är allmänna handlingar, och vem som helst kan beställa fram betyg från arkiven. Journalister brukar t ex ofta vilja se på nytillträdda ministrars skolbetyg.
School grades are official documents, and anyone can request grades from the archives. Journalists often like to see the school grades of newly elected government officials.
This source is the Swedish National Archive but this also applies to non-historical grades.
Edit 2:
> Or is there still some level of privacy where only certain parties are allowed to view certain documents even if they are official.
The government can, and will, opt-in to secrecy for things like social services and medical records.
Right, ok, but you can only request final grades. So you can only do this once on 15-year-olds, after they've finished primary school. And the next time you can do this on a person, they're gonna be 18 and have graduated high school.
I thought the primary school final grades were protected until you're an adult, but apparently not.
There may be some terminology confusion at play. The data may be an "offentlig handling" ("public document"). Christian's argument is that since the data is a "public document" it can be published through his app. That argument is correct at least as long as he has an "utgivningsbevis" ("letter of publishing rights"?). However, it doesn't follow that the way his app is accessing the data is lawful. You may go to a bank and withdraw your savings but you may not break into a bank and physically take your savings.
Grades are "public documents" in all schools in Sweden. With other things like disciplinary issues it varies depending on whether the school is run by the government or a private company.
No, the app has no communication to us, we don’t even have a server. This means that from a legal standpoint we aren’t publishing any information. We only help our users to present their own data in a better format (than json).
Sorry, I see now that “they” in my comment was ambiguous. I meant “the government”, not your app that accesses the school APIs. As in, if in Sweden anything that is available from the government in an API is defined to be published, does that mean the government cannot make an API for private information such as sensitive parent/teacher communications?
Naively it seems to me that a government API could contain docs that are not published/public docs. But maybe that is so, and the argument here is simply that _in this case_ everything was in fact public, including some personal data that would seem non-public to people familiar with other legal systems.
If (and only if) the API is authenticated can you publish things that fall under various secrecy laws (sekretesslagar), the chief one I am familiar with is medical secrecy, where a person has access to all their medical records, medical staff have access to records that are relevant to ongoing treatment, and no one else has.
This can, in principle, be solved with a permission system that makes suitable decisions based on the identity of the API user (well, the identity on whose behalf the API queries are done).
For medical secrecy, should you stumble over information that you should not have, you are then legally obliged to not disclose the information, but I cannot recall to what extent you have an obligation to tell relevant document owners about the possible breach, it's simply been too long since I was working in medical IT (where, by necessity, I would occasionally stumble over secret things doing things like DB repairs or helping users with application problems).
For example if their system includes an app that lets you see your students grades and disciplinary issues, presumably you would not want that published. Is it simply impossible to build an app with such data in Sweden now as it would be “published”?
Edited to add: and just to be clear, I am fully supportive of this use case. Just trying to understand the restrictions better.