Datatilsynet (Denmark) - Civilstyrelsen indstilles til bøde
Revision as of 09:24, 17 May 2022
| Datatilsynet - Civilstyrelsen indstilles til bøde | |
|---|---|
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32(1) GDPR; Article 33(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 12.05.2022 |
| Fine: | 100,000 DKK |
| Parties: | Civilstyrelsen |
| National Case Number/Name: | Civilstyrelsen indstilles til bøde |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | Vadym Kublik |
The Danish DPA recommended a fine of 100,000 DKK against an agency of the Danish Ministry of Justice. The DPA held that the agency violated Article 32(1) GDPR by not encrypting a USB flash drive containing personal information, and Article 33(1) GDPR by not reporting the data breach after the USB flash drive was lost.
English Summary
Facts
The Civil Affairs Agency (controller) is a part of the Danish Ministry of Justice. Its mission is to guarantee the basic principles of the rule of law by, for instance, offering compensation to victims of criminal offenses and supporting access to justice. The nature of its work involves processing large volumes of sensitive and confidential information regarding the parties in the proceedings.
The Agency returned a USB flash drive with more than 800 pages of personal information to a representative of a data subject. However, the flash drive was later lost under undisclosed circumstances.
Notably, the USB flash drive was not encrypted, and the Agency did not have any guidelines for its caseworkers regarding the handling of removable storage devices and portable media.
Furthermore, the Agency learned about the data breach on 26 August 2020 but did not report it to the supervisory authority as required under Article 33(1) GDPR.
Eventually, the data subject's representative complained to the Danish DPA about the controller's way of handling personal data.
Holding
The Danish DPA held that removable storage devices (including USB flash drives) pose a heightened risk to data subjects. At the same time, encryption is a relatively easy security measure for the controller to implement. Therefore, encryption of such devices when they contain personal data must be regarded as a necessary and required security measure.
Moreover, the DPA emphasized that where the controller processes large volumes of sensitive and confidential information, it must have guidelines for its personnel about using USB flash drives.
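As an added example (not part of the decision or any material from the DPA or the Agency), a small Python audit of the control the DPA describes: it parses `lsblk -J` output and flags removable disks whose filesystems do not sit inside an encrypted container. The `lsblk` output below is constructed, and the `BitLocker` signature name is an assumption noted in the code.

```python
import json

# Filesystem signatures libblkid reports for encrypted containers. "crypto_LUKS" is
# certain; "BitLocker" is recognised by newer util-linux (assumption: extend as needed).
ENCRYPTED_FSTYPES = {"crypto_LUKS", "BitLocker"}

# Constructed sample of `lsblk -J -o NAME,TYPE,RM,FSTYPE,MOUNTPOINT`: an internal disk,
# a LUKS-encrypted USB stick (currently unlocked) and an unencrypted FAT-formatted stick.
SAMPLE_LSBLK_JSON = """{"blockdevices": [
 {"name": "sda", "type": "disk", "rm": false, "fstype": null, "children": [
   {"name": "sda1", "type": "part", "rm": false, "fstype": "ext4", "mountpoint": "/"}]},
 {"name": "sdb", "type": "disk", "rm": true, "fstype": null, "children": [
   {"name": "sdb1", "type": "part", "rm": true, "fstype": "crypto_LUKS", "children": [
     {"name": "secure", "type": "crypt", "rm": false, "fstype": "ext4", "mountpoint": "/media/secure"}]}]},
 {"name": "sdc", "type": "disk", "rm": true, "fstype": null, "children": [
   {"name": "sdc1", "type": "part", "rm": true, "fstype": "vfat", "mountpoint": "/media/usb"}]}
]}"""

def _is_removable(dev: dict) -> bool:
    # Older util-linux emits "rm": "1" as a string, newer versions emit a JSON boolean.
    return str(dev.get("rm")).lower() in {"1", "true"}

def _filesystems(dev: dict):
    """Yield (name, fstype) for each filesystem signature under a device.
    Descent stops at an encrypted container: its children are the unlocked
    plaintext mapping, which is expected and not a finding."""
    fstype = dev.get("fstype")
    if fstype:
        yield dev["name"], fstype
        if fstype in ENCRYPTED_FSTYPES:
            return
    for child in dev.get("children", []):
        yield from _filesystems(child)

def audit_removable_media(lsblk_output: str) -> dict:
    """Map each removable disk to the names of filesystems on it that are NOT
    inside an encrypted container. An empty list means the stick passes."""
    findings = {}
    for disk in json.loads(lsblk_output)["blockdevices"]:
        if disk.get("type") != "disk" or not _is_removable(disk):
            continue
        findings[disk["name"]] = [name for name, fs in _filesystems(disk)
                                  if fs not in ENCRYPTED_FSTYPES]
    return findings

if __name__ == "__main__":
    # Feed real `lsblk -J -o NAME,TYPE,RM,FSTYPE,MOUNTPOINT` output here to audit a live host.
    for disk, plain in audit_removable_media(SAMPLE_LSBLK_JSON).items():
        print(f"{disk}: {'OK, encrypted' if not plain else 'UNENCRYPTED: ' + ', '.join(plain)}")
```

Run periodically (or from a udev hook) on caseworker machines, a non-empty list for any disk is the condition the DPA treats as a missing necessary measure, and is the signal a written removable-media procedure should act on.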
Comment
Datatilsynet has repeatedly sanctioned the Civil Affairs Agency for mishandling personal data. See the most recent reprimand in case 2021-32-2096.
NB. The DPA in Denmark does not impose fines directly but refers such cases to the police. The police then investigate whether there are grounds for raising a charge, and a possible fine is finally decided by a court.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Police report: the Civil Affairs Agency is recommended for a fine
Date: 12-05-2022
News

The Danish Data Protection Agency has reported the Civil Affairs Agency (Civilstyrelsen) to the police and recommends a fine of DKK 100,000. The Authority assesses that the Civil Affairs Agency has not complied with the requirements for an appropriate level of security.

The Danish Data Protection Agency became aware of the case when a complainant's party representative complained about the Civil Affairs Agency's handling of the complainant's information. It appears from the case that the Civil Affairs Agency, by way of Erstatningsnævnet (the Criminal Injuries Compensation Board), returned to the complainant a USB stick containing more than 800 pages of information about the complainant of a sensitive and confidential nature, and that the stick was lost in connection with the complainant receiving it. The USB stick was not encrypted, and the agency did not have guidelines targeted at its caseworkers regarding the handling of removable storage devices and portable media. The Civil Affairs Agency became aware of the breach on 26 August 2020 but did not report the breach to the Danish Data Protection Agency, in violation of the rules in Article 33 of the General Data Protection Regulation.

Lack of technical and/or organisational measures

The Danish Data Protection Agency finds that the Civil Affairs Agency's processing of personal data has not been in accordance with the rules on appropriate security. In its assessment, the Danish Data Protection Agency has emphasised that encryption of removable storage devices containing personal data (including USB sticks) must be regarded as a necessary and required security measure. In continuation of this, the Authority has attached importance to the fact that removable storage devices holding personal data have a heightened risk profile in relation to the handling of personal data, and that encryption is a measure that is relatively easy for the data controller to implement.

In addition, the Danish Data Protection Agency has emphasised that the agency did not have guidelines, targeted at and known by the agency's caseworkers, for the handling of USB sticks, including their dispatch.

Why a police report?

The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83(2) of the Regulation when assessing which sanction is, in the Authority's opinion, the most appropriate. In its recommendation to the police, the Danish Data Protection Agency has, among other things, emphasised that it is an essential security measure to have procedures covering all processing operations and to ensure encryption of USB sticks. In addition, encryption has for many years been a widespread and recognised technical measure that the data controller should easily be able to implement. Furthermore, the controller is an agency of a state authority that must generally be assumed to process large amounts of sensitive and confidential information, and for which it must be considered essential that a guide has been prepared, targeted at the agency's caseworkers, for the handling of USB sticks.