[theptip]

Sorry, I see now that “they” in my comment was ambiguous. I meant “the government”, not your app that accesses the school APIs. As in, if in Sweden anything that is available from the government in an API is defined to be published, does that mean the government cannot make an API for private information such as sensitive parent/teacher communications?

Naively it seems to me that a government API could contain docs that are not published/public docs. But maybe that is so, and the argument here is simply that _in this case_ everything was in fact public, including some personal data that would seem non-public to people familiar with other legal systems.

[randomswede]

If (and only if) the API is authenticated can you publish things that fall under various secrecy laws (sekretesslagar), the chief one I am familiar with is medical secrecy, where a person has access to all their medical records, medical staff have access to records that are relevant to ongoing treatment, and no one else has.

This can, in principle, be solved with a permission system that makes suitable decisions based on the identity of the API user (well, the identity on whose behalf the API queries are done).

For medical secrecy, should you stumble over information that you should not have, you are then legally obliged to not disclose the information, but I cannot recall to what extent you have an obligation to tell relevant document owners about the possible breach, it's simply been too long since I was working in medical IT (where, by necessity, I would occasionally stumble over secret things doing things like DB repairs or helping users with application problems).