Datatilsynet (Denmark) - 2020-442-8862
| Datatilsynet (Denmark) - 2020-442-8862 | |
|---|---|
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32(1) GDPR; Article 33(3) GDPR; Article 34(2) GDPR; Article 58(2)(a) GDPR; Article 58(2)(d) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 18.02.2022 |
| Published: | 18.02.2022 |
| Fine: | None |
| Parties: | Capital Region of Denmark |
| National Case Number/Name: | 2020-442-8862 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | Giel Ritzen |
The Danish DPA (Datatilsynet) held that the Capital Region of Denmark violated Article 32(1) GDPR by putting code changes to its Health Platform into production without testing their effect on the integrated Joint Medicine Card (FMK) and without informing FMK's controller of the resulting errors. This led to two separate integrity breaches involving the health data of 3,459 data subjects in total (2,310 in 2020 and 1,149 in 2021).
English Summary
Facts
The controller is the Capital Region of Denmark (an administrative region). It operates the "Health Platform" (Sundhedsplatformen, SP), which is integrated with the Joint Medicine Card (Fælles Medicinkort, FMK), a central register of medication prescriptions for which the Danish Health and Medicines Authority (the Authority) is controller. Because of this integration, a code change in SP can alter the information FMK displays. On 10 August 2020 and 8 July 2021 the Authority notified the DPA of two breaches in which code changes in SP had corrupted the prescription data shown in FMK.
In the first breach, a change to an underlying rule hierarchy in SP that was not directly related to prescribing broke the integration between SP's medicine module and FMK, so that between 16 July and 10 August 2020 FMK showed unintended double prescriptions for 2,310 data subjects (4,223 prescriptions). The controller became aware of the coding error on 17 July 2020 and corrected it on 23 July 2020, but by mistake did not inform the Authority, which only learned of the incident from the press on 8 August 2020. In the second breach, a code change made by the platform's supplier during an upgrade left a drug file referencing an old version of the item number file, so that between 17 March and 30 June 2021 FMK displayed an incorrect prescription strength for 164 item numbers, affecting 1,311 prescriptions of 1,149 patients in the Capital Region and Region Zealand. In total, the two breaches compromised the integrity of sensitive personal data (health data) of 3,459 data subjects.
Holding
First, the DPA noted that the controller is obliged to take appropriate technical and organisational measures to ensure a level of security appropriate to the risks of its processing. For a socially critical system that supplies source data to another controller's system, the DPA held that this normally requires the controller to keep an overview of its own IT architecture, to map the integrations and their dependencies, and to notify the controllers of integrated systems of code changes before they go into production so that they can test the integrity of the exchanged data. The DPA found that before both changes the controller had neither qualified relevant test scenarios to identify its dependencies on FMK nor carried out the necessary tests before putting the changes into production, and that it had not informed the Authority immediately after the incidents. The DPA emphasised that even minor code changes in integrated systems can entail significant risks to data subjects' rights, the sensitive nature of the personal data, the length of the periods during which integrity was compromised, and the fact that a similar breach was repeated in 2021 after the controller failed to address security adequately after the 2020 breach. Considering all of the foregoing, the DPA concluded that the controller violated Article 32(1) GDPR.
Second, the DPA considered that a loss of integrity of health and medication data poses, as a starting point, a high risk to the rights of the citizens concerned. It noted that the controller had informed the affected data subjects through a health professional notification. However, the DPA pointed out that such a notification cannot simply be equated with a communication under data protection law: where a breach carries a high risk and therefore triggers the duty to communicate it, the communication must meet the requirements of Article 34(2) in conjunction with Article 33(3)(b), (c) and (d) GDPR.
The DPA expressed serious criticism of the controller for violating Article 32(1) GDPR. Pursuant to Article 58(2)(d) GDPR it ordered the controller, by 10 March 2022, to establish a process ensuring that no change to the Health Platform's functionality or data basis is put into operation before it has been verified that known integrations with other systems, including systems of other controllers, do not produce incorrect information. Pursuant to Article 58(2)(a) GDPR it also warned the controller that commissioning changes involving data integration with other systems without testing data integrity would likely infringe Articles 5(1)(a) and (d) and 32(1) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Serious criticism, order and warning to the Capital Region after two security breaches
Date: 18-02-2022
Decision | Public authorities
The Danish Data Protection Agency's decision is based on two security breaches, which were reported by the Danish Health and Medicines Authority in August 2020 and July 2021. In both breaches, a data exchange service from the Health Platform, for which the Capital Region of Denmark is the data controller, was involved.
Journal number: 2020-442-8862
Summary
The Danish Data Protection Agency has expressed serious criticism and issued an order and a warning to the Capital Region of Denmark. The decision is based on two security breaches, which were reported by the Danish Health and Medicines Authority in August 2020 and July 2021. In both breaches, a data exchange service from the Health Platform, for which the Capital Region of Denmark is the data controller, was involved. In August 2020, the security breach affected 4,223 medication prescriptions for 2,310 patients, and in July 2021 the security breach affected 1,311 medication prescriptions distributed among 1,149 patients from the Capital Region and Region Zealand.
Code changes in one system resulted in unintentional changes in another
Both security breaches occurred when code changes in the Health Platform (SP), for which the Capital Region of Denmark is the data controller, led to unintentional changes in the Joint Medicine Card (FMK), for which the Danish Health and Medicines Authority is the data controller. The security breaches arose because the integrations between FMK and SP allow an update in SP to affect the integrity of the information displayed in FMK.
After reviewing both reported breaches, the Danish Data Protection Agency has expressed serious criticism of the Capital Region of Denmark for:
- not having qualified relevant test scenarios in order to better identify dependencies on other IT systems,
- not having carried out the necessary tests before the changes were put into production,
- not having informed the Danish Health and Medicines Authority about the security breaches when the incidents were found.
It has also been an aggravating circumstance in the Danish Data Protection Agency's decision that the Capital Region of Denmark did not adequately address security after the first security breach in August 2020, and that a similar breach was therefore repeated in July 2021.
The Danish Data Protection Agency has ordered the Capital Region of Denmark to prepare and introduce a process that ensures that no changes in SP's functionality or data basis are implemented and put into operation before it has been ensured that known integrations with other systems do not create incorrect information in those systems. The order thus covers not only the integration with FMK but all IT systems that are integrated with SP, including IT systems that have other data controllers.
The Danish Data Protection Agency has also issued a warning to the Capital Region of Denmark that commissioning system changes in SP that involve data integration with other systems, without testing data integrity, would probably be contrary to the GDPR.
Detailed mapping and better overview of data responsibility
In relation to the Danish Health and Medicines Authority, the Danish Data Protection Agency has emphasised that it must carry out a detailed mapping of its internal IT architecture and IT environment in collaboration with the parties involved, including a mapping of the integrations between FMK and other source and client systems, so that it is clear what responsibility the Danish Health and Medicines Authority has as data controller for the processing of personal data in FMK, and what responsibility other data controllers have for the processing of personal data in source and client systems. This also enables the parties involved to better identify and correct integration errors in collaboration with each other.
The Danish Data Protection Agency has also clarified that it is the data controller's responsibility to report a personal data breach to the supervisory authority when the data controller has found a loss of integrity of personal data in its own IT system, also in situations where the breach is caused by source or client systems belonging to another data controller.
See also the Danish Data Protection Agency's concluding letter to the Danish Health and Medicines Authority.
Notification of the data subjects
The Capital Region of Denmark and the Danish Health and Medicines Authority have, following both security breaches, made a health professional notification of the affected data subjects. In this connection, the Danish Data Protection Agency has drawn attention to the fact that a health professional notification cannot simply be equated with a notification under data protection law in situations where there is a high risk for the data subjects concerned. Notification in such situations must comply with the requirements set out in the GDPR.
1. Decision
After reviewing both cases, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that the Capital Region of Denmark's processing of personal data has not taken place in accordance with Article 32(1) of the General Data Protection Regulation [1].
At the same time, the Danish Data Protection Agency finds grounds for ordering the Capital Region of Denmark to prepare and introduce a process that ensures that no changes in the Health Platform's functionality or data basis are implemented and put into operation before it has been ensured that no known integrations with other systems create incorrect information in those systems. The order is issued pursuant to Article 58(2)(d) GDPR. The deadline for compliance with the order is 10 March 2022. The Danish Data Protection Agency requests confirmation that the order has been complied with no later than the same date.
Under section 41(2)(5) of the Data Protection Act [2], failure to comply with an order issued by the Danish Data Protection Agency pursuant to Article 58(2)(d) and (e) GDPR is punishable by a fine or imprisonment for up to six months.
The Danish Data Protection Agency also issues a warning to the Capital Region of Denmark that commissioning system changes in the Health Platform that involve data integration with other systems, without testing data integrity, is likely to conflict with Article 5(1)(a) and (d) and Article 32(1) GDPR. The warning is issued pursuant to Article 58(2)(a) GDPR.
Below is a more detailed review of the cases and the justification for the Danish Data Protection Agency's decision.
2. Case presentation regarding case 2020-442-8862
On 10 August 2020, the Danish Health and Medicines Authority reported a personal data breach to the Danish Data Protection Agency. It appears from the notification that a code change in the Health Platform, for which the Capital Region of Denmark is the data controller, led to unintentional double prescriptions in Fælles Medicinkort (FMK), for which the Danish Health and Medicines Authority is the data controller, so that in the period between 16 July and 10 August 2020 there was a loss of integrity of personal data in 4,223 medication prescriptions concerning 2,310 data subjects.
It appears from the case that changes in an underlying hierarchy of rules, which were not directly related to the prescribing of medicines and their communication to FMK, affected the technical setup in the Health Platform so that in the period between 16 and 23 July 2020 an error occurred in the integration mechanism between the medicine module in the Health Platform and FMK. It also appears from the case that the Capital Region of Denmark became aware of the coding error on 17 July 2020 on the basis of a user inquiry and then carried out corrections on 23 July 2020. Following the incident, the region has been in dialogue with the Danish Agency for Patient Safety and with hospital boards and regional councils in the Capital Region and Region Zealand. In this connection, the Capital Region of Denmark has stated that the region by mistake did not inform the Danish Health and Medicines Authority of the incident.
2.1. Comments from the Danish Health and Medicines Authority
The Danish Health and Medicines Authority has stated in the case that the integrity error in the information in FMK was established on 8 August on the basis of mention of the incident in the press. The error resulted in 2,310 data subjects receiving double prescriptions of medicines in the period between 16 July and 10 August 2020.
2.2. Comments from the Capital Region of Denmark
The Capital Region of Denmark has stated in the case that the region had the opportunity to test the communication and discover the error. However, no tests were performed on the communication between Sundhedsplatformen and FMK, as the coding error occurred in connection with a correction of an inconvenience in a workflow in Sundhedsplatformen which was not directly connected to prescribing medicines and communicating them to FMK.
It appears from the consultation response that the Capital Region of Denmark, following the incident, has initiated work on qualifying relevant test scenarios and following up on procedures in order to better identify dependencies on FMK and then carry out the necessary tests before changes are put into production. The Capital Region of Denmark has also stated that the region has initiated a review of procedures to ensure that the FMK team at the Danish Health and Medicines Authority is always contacted as soon as possible after any similar incident is found.
The Capital Region of Denmark has finally stated that the region assumed responsibility for informing the data subjects in the period between 30 July and 27 August, where after a specific health professional assessment it could be established that there was a patient safety consequence and thus a health risk for the data subject. The specific health professional assessment was carried out by staff in the patient departments, who then provided contact and health professional information to the patients where it was deemed necessary.
3. Case presentation regarding case 2021-442-13762
On 8 July 2021, the Danish Health and Medicines Authority reported a personal data breach to the Danish Data Protection Agency. It appears from the notification that a code error when upgrading the Health Platform led to a discrepancy in the product descriptions for 164 item numbers (medicines). This erroneous information was displayed in FMK, so that in the period between 17 March and 30 June 2021 there was a loss of integrity of personal data in 1,311 medication prescriptions distributed among 1,149 patients from the Capital Region and Region Zealand.
It appears from the case that code changes made by the provider of the Health Platform resulted in the display of an incorrect prescription strength in the "Effects" tab, as the drug file in question referred to an old version of the relevant item number file, which affected the display of prescription strength for medicines in FMK. It also appears from the case that the Capital Region of Denmark became aware of the coding error on 22 June 2021 on the basis of a user inquiry and corrected the error on 30 June 2021. The Capital Region of Denmark has stated in this connection that the region only became aware on 2 July 2021 that the error affected FMK, and that it informed the Danish Health and Medicines Authority about the incident by an email of 7 July 2021. The region has stated in the case that the supplier did not test for this error in connection with the release of the update and therefore did not discover that the code was faulty.
4. Justification for the Danish Data Protection Agency's decision
On the basis of the information provided by the Danish Health and Medicines Authority and the Capital Region of Denmark, the Danish Data Protection Agency assumes that integration errors between FMK and the Health Platform resulted in double prescribing of medicines. On this basis, the Danish Data Protection Agency assumes that there has been an unintentional change of personal data, which is why the Agency finds that there has been a personal data breach, cf. Article 4(12) GDPR.
4.1. Article 32 GDPR
It follows from Article 32(1) GDPR that the data controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in the controller's processing of personal data. Thus, the data controller has a duty to identify the risks that its processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks.
The Danish Data Protection Agency is of the opinion that the requirement for appropriate security under Article 32 will normally mean that, in socially critical systems holding special categories of data about a large number of users, higher requirements are placed on the data controller to ensure that no unintentional change of personal data occurs which could lead to serious consequences for the data subjects.
With regard to IT systems for which the data controller is not responsible, but to which the data controller supplies significant input in the form of personal data, the Danish Data Protection Agency is of the opinion that the requirement for appropriate security will normally mean that the data controller must create the necessary overview of its own IT architecture and IT environment, including those systems that are integrated with other systems by providing or receiving data and where a loss of integrity of personal data would entail a significant risk to the data subjects' rights, and must ensure a mapping of the integrations and their associated dependencies. As a consequence, the data controller has a duty to notify the data controllers of the integrated external systems of code changes in integrated systems before these go into production. These requirements must ensure that external data controllers are informed in good time of the planned changes and can carry out appropriate tests of the integrity of the personal data exchanged between the integrated systems.
The Danish Data Protection Agency finds that a risk profile as in these cases indicates that tests and quality control should have been performed with regard to the impact of the code changes on the integrated systems, including qualifying relevant test scenarios in order to identify dependencies on other systems and then carrying out the necessary tests before the changes were put into production. The Danish Data Protection Agency also finds that the data controller must ensure timely notification of all relevant data controllers in situations where errors have been found in the integrations between the systems.
On the basis of the above, the Danish Data Protection Agency finds that the Capital Region of Denmark, by
- not having qualified relevant test scenarios in order to better identify dependencies on FMK,
- not having carried out the necessary tests before the changes were put into production,
- not having informed the Danish Health and Medicines Authority immediately after the incidents,
has not implemented appropriate organisational and technical measures to ensure a level of security appropriate to the risks arising from processing through integrated IT systems with several independent data controllers, cf. Article 32(1) GDPR.
After reviewing the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that the Capital Region of Denmark's processing of personal data has not taken place in accordance with Article 32(1) GDPR.
In this assessment, the Danish Data Protection Agency has placed particular emphasis on the fact that even minor code changes and code errors in integrated systems can entail significant risks to the data subjects' rights, and that it appears from the cases that the data controller did not inform all relevant parties in order to reduce the risks to the data subjects.
In choosing the response, the Danish Data Protection Agency has emphasised that the Capital Region of Denmark is responsible for a platform that supplies master/source data and services to another system in the health service (FMK) which is crucial for citizens receiving the correct treatment and service based on accurate data. The Danish Data Protection Agency has further emphasised the nature of the personal data and the period during which the integrity of the personal data was compromised. The Danish Data Protection Agency has also placed increased weight on the repeated nature of the breaches.
In addition, the Danish Data Protection Agency finds grounds for ordering the Capital Region of Denmark to prepare and introduce a process that ensures that no changes in the Health Platform's functionality or data basis are implemented and put into operation before it has been ensured that no known integrations with other systems create incorrect information in those systems. The order is issued pursuant to Article 58(2)(d) GDPR.
The Danish Data Protection Agency also issues a warning to the Capital Region of Denmark that commissioning system changes in the Health Platform that involve data integration with other systems, without testing data integrity, is likely to conflict with Article 5(1)(a) and (d) and Article 32(1) GDPR. The warning is issued pursuant to Article 58(2)(a) GDPR.
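As an added illustration of the kind of pre-production control the order above calls for (this is example code written for this page, not code from the decision or from the Capital Region's or FMK's systems), the Python block below replays a constructed golden set of prescriptions through a candidate version of the source system's export and blocks the release if the downstream view would be corrupted. All names (Prescription, OutboundMessage, ITEM_FILE, GOLDEN, export_ok, export_double, export_stale, check_release, gate) are hypothetical stand-ins for the Health Platform's medicine module and its messages to FMK. The two failing exporters reproduce, in simplified form, the failure modes of the two breaches: a send step that fires twice after an unrelated workflow change, and a drug file that still references an old item number file version after an upgrade.

```python
"""Pre-release integrity gate for a source system that feeds a downstream register.

Constructed example: Prescription, OutboundMessage, ITEM_FILE and the three
export functions are hypothetical stand-ins for the Health Platform's medicine
module and the messages it sends to FMK, not the real interfaces.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Constructed item number file: item_number -> {file_version: strength}.
# Version 7 is the copy the downstream register currently uses; version 6 is
# an old copy that a drug file must no longer reference.
CURRENT_ITEM_FILE_VERSION = 7
ITEM_FILE = {
    "A100": {6: "5 mg", 7: "10 mg"},   # strength changed between versions
    "B200": {6: "50 mg", 7: "50 mg"},  # unchanged, so a stale reference is invisible here
}


@dataclass(frozen=True)
class Prescription:
    patient_id: str
    prescription_id: str
    item_number: str


@dataclass(frozen=True)
class OutboundMessage:
    """What the source system sends to the downstream register."""
    patient_id: str
    prescription_id: str
    item_number: str
    strength: str
    item_file_version: int


# Constructed golden set replayed against every release candidate.
GOLDEN = (
    Prescription("P1", "RX-1", "A100"),
    Prescription("P1", "RX-2", "B200"),
    Prescription("P2", "RX-3", "A100"),
)

Exporter = Callable[[Iterable[Prescription]], Iterable[OutboundMessage]]


def export_ok(rxs: Iterable[Prescription]) -> Iterable[OutboundMessage]:
    """Correct behaviour: one message per prescription, current item file."""
    v = CURRENT_ITEM_FILE_VERSION
    for p in rxs:
        yield OutboundMessage(p.patient_id, p.prescription_id, p.item_number,
                              ITEM_FILE[p.item_number][v], v)


def export_double(rxs: Iterable[Prescription]) -> Iterable[OutboundMessage]:
    """2020-style failure: a change to an unrelated workflow rule makes the send
    step run twice, so the register receives every prescription twice."""
    for m in export_ok(rxs):
        yield m
        yield m


def export_stale(rxs: Iterable[Prescription]) -> Iterable[OutboundMessage]:
    """2021-style failure: after an upgrade the drug file points at an old
    item number file, so the strength sent downstream is outdated."""
    v = 6
    for p in rxs:
        yield OutboundMessage(p.patient_id, p.prescription_id, p.item_number,
                              ITEM_FILE[p.item_number][v], v)


def check_release(export: Exporter,
                  prescriptions: Iterable[Prescription] = GOLDEN,
                  current_version: int = CURRENT_ITEM_FILE_VERSION) -> List[str]:
    """Replay the golden prescriptions through the candidate export and compare
    the outbound messages with what the downstream register must show.
    Returns a list of findings; an empty list means the integrity checks passed."""
    prescriptions = tuple(prescriptions)
    messages = list(export(prescriptions))
    findings: List[str] = []

    # Check 1: exactly one outbound message per source prescription
    # (catches duplicated, dropped and phantom prescriptions).
    counts = Counter((m.patient_id, m.prescription_id) for m in messages)
    expected = {(p.patient_id, p.prescription_id) for p in prescriptions}
    for key, n in sorted(counts.items()):
        if key not in expected:
            findings.append(f"unexpected message for {key}")
        elif n > 1:
            findings.append(f"duplicate: {key} sent {n} times")
    for key in sorted(expected - set(counts)):
        findings.append(f"missing message for {key}")

    # Check 2: every message references the current item number file and
    # carries the strength that file defines (catches stale reference data).
    for m in messages:
        if m.item_file_version != current_version:
            findings.append(f"stale item file v{m.item_file_version} on {m.prescription_id}")
        want = ITEM_FILE[m.item_number][current_version]
        if m.strength != want:
            findings.append(f"strength mismatch on {m.prescription_id}: "
                            f"sent {m.strength!r}, register expects {want!r}")
    return findings


def gate(export: Exporter) -> bool:
    """Release decision: True only when the replay produces no findings."""
    return not check_release(export)


if __name__ == "__main__":
    for name, exp in (("ok", export_ok), ("double", export_double), ("stale", export_stale)):
        print(name, "PASS" if gate(exp) else "BLOCK", check_release(exp))
```

Two design points follow from the decision. The gate has to be run once per integration listed in the dependency map, not only for FMK, because the order covers every system integrated with SP. And the golden set must contain records whose reference data actually changed between versions: B200 above passes even with the stale file, so a golden set made only of such items would let the 2021-style error through.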
4.2. Article 34 GDPR
It follows from Article 34(1) GDPR that when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the breach to the data subject without undue delay. The Danish Data Protection Agency is of the opinion that personal data breaches entailing a loss of integrity of information particularly worthy of protection, including information on health and prescribed medication, as a starting point entail a high risk for the affected citizens' rights, as a loss of integrity of such information can have consequences for the citizens.
The Danish Data Protection Agency has noted that the Capital Region of Denmark has made a health professional notification of the affected data subjects. In this connection, the Danish Data Protection Agency must draw the region's attention to the fact that if a personal data breach entails a high risk for the data subjects and thus triggers an obligation to notify them, the notification must meet the requirements of Article 34(2), cf. Article 33(3)(b), (c) and (d) GDPR, which is why a health professional notification cannot simply be equated with a notification of the data subjects under data protection law. The Danish Data Protection Agency must therefore stress that notification in cases of personal data breaches must comply with the content requirements of data protection law.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).