
There may be some terminology confusion at play. The data may be an "offentlig handling" ("public document"). Christian's argument is that since the data is a "public document" it can be published through his app. That argument is correct at least as long as he has an "utgivningsbevis" ("letter of publishing rights"?). However, it doesn't follow that the way his app is accessing the data is lawful. You may go to a bank and withdraw your savings but you may not break into a bank and physically take your savings.

Grades are "public documents" in all schools in Sweden. With other things like disciplinary issues it varies depending on whether the school is run by the government or a private company.




No, the app has no communication to us, we don’t even have a server. This means that from a legal standpoint we aren’t publishing any information. We only help our users to present their own data in a better format (than json).


Sorry, I see now that “they” in my comment was ambiguous. I meant “the government”, not your app that accesses the school APIs. As in, if in Sweden anything that is available from the government in an API is defined to be published, does that mean the government cannot make an API for private information such as sensitive parent/teacher communications?

Naively it seems to me that a government API could contain docs that are not published/public docs. But maybe that is so, and the argument here is simply that _in this case_ everything was in fact public, including some personal data that would seem non-public to people familiar with other legal systems.


If (and only if) the API is authenticated can you publish things that fall under various secrecy laws (sekretesslagar); the chief one I am familiar with is medical secrecy, where a person has access to all their medical records, medical staff have access to records that are relevant to ongoing treatment, and no one else has.

This can, in principle, be solved with a permission system that makes suitable decisions based on the identity of the API user (well, the identity on whose behalf the API queries are done).

For medical secrecy, should you stumble over information that you should not have, you are then legally obliged to not disclose the information, but I cannot recall to what extent you have an obligation to tell relevant document owners about the possible breach; it's simply been too long since I was working in medical IT (where, by necessity, I would occasionally stumble over secret things doing things like DB repairs or helping users with application problems).
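The permission rule described in the comment above, sketched as an added example that is not part of the thread or of any real system: access is decided on the identity the query is made on behalf of, not on the calling application. All class, function and field names and the sample data are hypothetical, and "relevant to ongoing treatment" is modelled as an assumption: a treatment link that is active on the day of the query.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# All names and sample data here are hypothetical, constructed for illustration.
@dataclass(frozen=True)
class Caller:
    client_id: str   # the application making the API call
    subject_id: str  # the authenticated person the call is made on behalf of
    role: str        # "patient" or "staff", taken from the verified identity

@dataclass(frozen=True)
class Treatment:
    staff_id: str
    patient_id: str
    start: date
    end: Optional[date]  # None means the treatment is still ongoing

@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str

def may_read(caller, record, treatments, today):
    """Deny by default. The decision uses subject_id, never client_id."""
    if caller.role == "patient":
        return caller.subject_id == record.patient_id
    if caller.role == "staff":
        # Assumption: "relevant to ongoing treatment" = an active treatment link.
        return any(
            t.staff_id == caller.subject_id
            and t.patient_id == record.patient_id
            and t.start <= today
            and (t.end is None or today <= t.end)
            for t in treatments
        )
    return False

def visible_records(caller, records, treatments, today):
    return [r.record_id for r in records if may_read(caller, r, treatments, today)]

RECORDS = [Record("r1", "anna"), Record("r2", "bo")]
TREATMENTS = [
    Treatment("dr_eva", "anna", date(2024, 1, 10), None),
    Treatment("dr_eva", "bo", date(2023, 3, 1), date(2023, 4, 1)),  # ended
]
TODAY = date(2024, 2, 1)
```

The same client application gets different results depending on the subject it acts for, and a staff member loses access to a patient's records once the treatment link has ended.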



