IMY (Sweden) - DI-2021-5595
IMY (Sweden) - DI-2021-5595 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 07.05.2019 |
Decided: | 26.01.2022 |
Published: | |
Fine: | 1,600,000 SEK |
Parties: | n/a |
National Case Number/Name: | DI-2021-5595 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | Cesar Manso-Sayao |
The Swedish DPA imposed a fine of approximately €150,000 on a hospital for a violation of Articles 5(1)(f) and 32(1) GDPR by emailing unencrypted medical records to patients and hospitals abroad.
English Summary
Facts
Uppsala regional authorities notified the Swedish DPA (Integritetsskyddsmyndigheten - IMY) that a personal data breach had occurred in their jurisdiction in 2019. Based on this notification, the Swedish DPA initiated an investigation into the medical data which the Uppsala University Hospital sent to patients from abroad which had been treated at the hospital, as well as to the foreign hospitals which referred those patients.
According to its internal procedures, once the hospital had finalized treatment given to a patient from abroad, a medical report was sent to the patient and the referring hospital. Although it can be sent by post, the hospital gave the recipient the option of choosing its preferred channel to receive the report, which in the majority of cases is via email.
These medical reports have been sent by email without encryption since 2014. Although at some point the hospital began using Microsoft Outlook’s Transport Layer Security (TLS) encryption, if the email software on the recipients’ side did not support TLS, the emails were sent without encryption. Once sent, the emails and medical records themselves remained stored in the hospital’s Outlook. In 2019, after conducting an internal risk analysis and a Data Protection Impact Assessment (DPIA) the hospital introduced an encryption solution for secure email.
Holding
In its decision, the IMY established that its investigation was limited to analysing matters related to the security of the processing of personal data, and that it had not examined whether this processing complied with the other GDPR provisions, such as those related to the transfer of personal data to third countries.
The IMY took into account Recital 75 and 76 GDPR in order to carry out an assessment of the responsibilities of the University Hospital Board, according to the risks involved in the data it was processing. The IMY highlighted that this case involved large amounts of medical data, which is a special category of data with extra protections under Article 9 GDPR, including children’s data. The AMY held that in this case, because of the fact that the data sent was only encrypted once Outlook’s TLS was eventually adopted, and also only when recipients’ software supported this protocol, the hospital had not been able to ensure that the emails it sent were encrypted according to the risk involved in the processing, in breach of Article 5(1)(f) GDPR.
The IMY also noted that the local government of Uppsala had issued a policy document related to the handling of emails which specifically prohibited sending sensitive personal data by email, and therefore should have identified the risks posed through processing the data in this manner. Additionally, the AMY stated that purpose of an email system like Outlook is to disseminate and communicate information, and not an appropriate place for the storage medical data, because of its exposure to unauthorised access on the internet. Therefore, the IMY held that the University Hospital Board had violated Article 32(1) GDPR by failing to take appropriate technical and organisational measures to ensure a level of security appropriate to the risk represented by the processing.
In order to determine the fine for these violations, as aggravating factors, the IMY took into consideration the large amount of data and the long period of time over which it was shared, as well as the fact that the hospital had violated specific regional policy guidelines. As a mitigating factor, the IMY recognised that the hospital had eventually introduced an encryption solution for files in 2019. Based in these considerations, the IMY imposed a fine of approximately €150,000 (1,600,000 SEK) on the University Hospital Board for the violation of Articles 5(1)(f) and 32(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (11) The National Board of Health and Welfare in the Uppsala Region 751 85 Uppsala Record number: DI-2021-5595 Decision after supervision according to Date: the Data Protection Regulation against 2022-01-26 The National Board of Health and Welfare in the Uppsala Region Table of Contents The decision of the Integrity Protection Authority ................................................ ........................... 2 Report on the supervisory matter ............................................... ....................................... 2 The starting point for the supervisory matter ............................................... ...................... 2 Information from the hospital board ............................................... ............................. 3 Personal data responsibility ................................................. .............................. 3 E-mail sent unencrypted over an open network to third countries .................... 3 Storage in the e-mail hosting service Outlook ............................................ ............ 4 Grounds for the decision ............................................... .................................................. ... 5 Applicable rules................................................ .................................................. .. 5 The responsibility of the personal data controller ............................................... ...... 5 The requirement for security in the processing of personal data, etc ..................... 5 IMY's assessment .............................................. .................................................. 6 Personal data responsibility ................................................. .............................. 6 Sensitive personal data has been sent unencrypted via open network ............... 6 Sensitive personal data has been stored in Outlook ......................................... 7 Choice of intervention ............................................... .................................................. 8 Legal regulation ................................................ ....................................... 8 Imposition of a penalty fee ............................................... ..................... 8 How to appeal............................................... .................................................. ..... 11 Postal address: Box 8114 104 20 Stockholm Website: www.imy.se E-mail: imy@imy.se Phone: 08-657 61 00 Page 1 of 11, Integrity Protection Authority Record number: DI-2021-5595 2 (11) Date: 2022-01-26 The decision of the Integrity Protection Authority The Integrity Protection Authority (IMY) states that the Hospital Board in the Uppsala Region (the hospital board) as the person responsible for personal data, during the period from 25 May 2018 until 7 May 2019, processed personal data in violation of Articles 5.1 f and 32.1 i the Data Protection Regulation as follows: The hospital board has sent sensitive personal data that was not encrypted via open network to patients and referrers. The treatment has also taken place in combat with Region Uppsala's own guidelines. This means that the hospital board does not have have taken appropriate technical and organizational measures to ensure a level of safety appropriate to the risk of treatment. The hospital board has stored sensitive personal data in the e-mail hosting service Outlook. This means that the hospital board has not taken appropriate technical measures measures to ensure a level of safety appropriate to: the risk of treatment. The IMY decides on the basis of Articles 58 (2) and 83 of the Data Protection Ordinance and Chapter 6. § 2 of the Data Protection Act that the hospital board, for violation of Articles 5.1 f and 32.1 in the Data Protection Regulation, shall pay an administrative penalty fee of 1,600,000 (a million six hundred thousand) kronor. Report on the supervisory matter The starting point for the supervisory matter IMY decided to initiate an investigation against the Uppsala Region due to the region's notification on 7 May 2019 of personal data incident. IMY's review includes the processing of personal data carried out by the hospital board in connection with the University Hospital sending e-mails with patient information to patients and remittances in third countries. IMY's review also includes the storage of patient information in the Outlook e-mail hosting service. Within the framework of this supervision, the IMY has reviewed the matter in question the processing of personal data meets the security requirements set out in Articles 5 (1) (f) and 32 of the Data Protection Regulation. IMY has not reviewed the processing of personal data is compatible with the regulation in the Data Protection Regulation in other, for example, the provisions on the transfer of personal data to third countries. The Data Protection Ordinance came into force on 25 May 2018. IMY's supervision covers therefore the period from 25 May 2018 to 7 May 2019 (when notification was received). IMY has Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with concerning the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation). 2The Act (2018: 218) with supplementary provisions to the EU Data Protection Regulation. Page 2 of 11, Integrity Protection Authority Record number: DI-2021-5595 3 (11) Date: 2022-01-26 has not reviewed the measures that the hospital board has stated that it has taken after the 7th May 2019. Information from the hospital board The Regional Board of the Uppsala Region has stated that it has the right to represent the region outwards. The hospital board has stated that it agrees with what the regional board has stated. The Hospital Board has, through the Regional Board, stated, among other things, the following. Personal data responsibility The hospital board is responsible for personal data for the processing of personal data occurs when e-mails are sent from and to patients or referrers abroad. The treatment takes place at the administration, Akademiska sjukhuset, which is located under the board the hospital board. This assessment is made in light of the fact that the hospital board is one independent managing authority that determines the purpose and means with personal data processing. E-mail sent unencrypted over an open network to third countries Processing of personal data in e-mail The academic hospital sends e-mails to patients and referrers (that is the home hospital) abroad at the initiative of the patient or the referrer. It's up to the patient or the referrer to choose how the information is to be submitted. The dialogue between the patient or the referrer and the Academic Hospital takes place mainly via E-mail. A patient from abroad who receives care at the Academic Hospital is registered in the main journal system Cosmic. Journal documents obtained from the patient about hens health status is scanned into Cosmic. Also the care performed at Akademiska the hospital is documented in Cosmic. When the care is terminated, the doctor in charge writes one compilation of care in a so-called Medical report in Cosmic. Medical report sent to the patient or referrer by mail, but if urgent, it is sent via e-mail. The purpose of the treatment is to provide highly specialized health care at Academic Hospital. The University Hospital sends an estimated 500-1,000 such e-mails per month. The emails were sent in 2018 to patients alternatively remittances in Lebanon, Morocco, Nepal, Pakistan, Peru, Russia, Saudi Arabia, Switzerland, Thailand, Turkey, USA, Argentina, Australia, India, Iraq, Iran, Israel, Canada, Kenya and China. The e-mails usually contain journal documents and are forwarded to those concerned operations manager, specialist and in some cases other staff within Akademiska the hospital. Two people have access to the personal data. It's administrative staff with a care background who have access to personal data and staff covered by confidentiality. The personal data that is processed is information about health and information about the patient name, backup number, home address, e-mail address, telephone number, remittant, Page 3 of 11, Integrity Protection Authority Record number: DI-2021-5595 4 (11) Date: 2022-01-26 affected area of activity and time of booked care. The registered are employees, patients and children. As far as employees are concerned, information about them only appears in sending and receiving email addresses. The processing of personal data concerned approximately 300 registered persons per year from 2014 onwards May 2019. The number applies to both people who have submitted requests for care and those treated at the Academic Hospital. The processing of personal data has been ongoing since 2014 and is still ongoing. The appears from a letter from the hospital board dated June 2, 2021. Encryption Personal data is sent unencrypted over an open network. This means that the transfer of the e-mail and the information in the e-mails are not protected by encryption. Since the introduction of Outlook, the hospital board has used Microsoft default settings, which means that the transmission of the e-mail takes place with it 3 Opportunistic Cryptographic Communication Protocol, OTLS. The National Board of Health and Welfare uses version 1.2 of the cryptographic communication protocol (TLS 1.2). This means that if the recipient's email provider does not have this version of TLS, select a previous version of TLS. If TLS is not supported by the recipient's e-mail provider, the e-mail the mail messages are unencrypted at the time of transmission. According to the hospital board, this is approx 1 of 9,000 emails. However, the hospital board has not verified exactly how many of these emails per day are sent unencrypted in this personal data processing. The hospital board has not fulfilled the requirements for the transfer of personal data in the open networks must be made in such a way that unauthorized persons cannot access them. This then the transfer was made unencrypted via Outlook. Control document According to Region Uppsala's governing document on handling e-mail gets sensitive personal data is not communicated via e-mail. Measures taken after the incident In September 2019, the Hospital Board introduced an encryption solution for files, which enabled secure email transfer. Systematic improvement work is underway and the hospital board has worked on one risk analysis and an impact assessment. Storage in the e-mail hosting service Outlook In Outlook, the e-mails are stored between the patient or remit and the Academic the hospital. The journal documents are also stored in Outlook. 3Opportunistic Transport Layer Security. Page 4 of 11, Integrity Protection Authority Record number: DI-2021-5595 5 (11) Date: 2022-01-26 Justification of the decision Applicable rules The responsibility of the personal data controller He who alone or together with others decides the purposes and means for the processing of personal data is the person responsible for personal data. It is stated in Article 4 (7) in the Data Protection Regulation. The person responsible for personal data is responsible for and must be able to show that the basics the principles of Article 5 of the Data Protection Regulation are complied with (Article 5 (2)). The person responsible for personal data is responsible for implementing appropriate technical and organizational measures to ensure and be able to demonstrate that the treatment is carried out in in accordance with the Data Protection Regulation. The measures shall be implemented taking into account the nature, scope, context and purpose of the treatment and the risks, of varying degrees of probability and seriousness, for the freedoms and rights of natural persons. The measures must be reviewed and updated as necessary. It is stated in Article 24 (1) (i) the Data Protection Regulation. The requirement for security in the processing of personal data, etc. A basic principle for the processing of personal data is the requirement for security in accordance with Article 5 (1) (f) of the Data Protection Regulation, which states that personal data shall: processed in a way that ensures appropriate security for personal data, including protection against unauthorized or unauthorized treatment and against loss, destruction or damage by accident, using appropriate technical or organizational measures. Health information constitutes so-called sensitive personal data. It is forbidden to process such personal data in accordance with Article 9 (1) of the Data Protection Regulation, unless the treatment is not covered by any of the exceptions in Article 9 (2) of the Regulation. It follows from Article 32 (1) of the Data Protection Regulation that the controller and the personal data assistant shall take appropriate technical and organizational measures to: ensure a level of safety that is appropriate in relation to the risk of the treatment. This must be done taking into account the latest developments, the implementation costs and the nature, scope, context and purpose of the treatment and the risks, of varying degrees of probability and seriousness, for the rights and freedoms of natural persons. In assessing the appropriate level of safety, special consideration shall be given to the risks involved the treatment entails, in particular from accidental or unlawful destruction, loss or change or to unauthorized disclosure of or unauthorized access to the personal data that transferred, stored or otherwise processed. It is clear from Article 32 (2) (i) the Data Protection Regulation. Recital 75 of the Data Protection Regulation sets out the factors to be taken into account the assessment of the risk to the rights and freedoms of natural persons that may arise in the processing of personal data. Among other things, should be reconsidered the processing concerns personal data on health or on vulnerable natural persons, especially children, or if the processing involves a large number of personal data and applies to a large number of registered. Page 5 of 11, Integrity Protection Authority Record number: DI-2021-5595 6 (11) Date: 2022-01-26 Recitals 39 and 83 also provide guidance on the more detailed meaning of the requirements of the Data Protection Regulation on security when processing personal data. IMY's assessment Personal data responsibility The National Board of Health and Welfare has stated that it is responsible for personal data for it personal data processing that takes place when e-mail is sent from the University Hospital to patients and remittances abroad. This is supported by the other investigation in the case. IMY therefore considers that the hospital board is responsible for personal data for the e- postal transfers in question. Furthermore, IMY assesses that The hospital board is also responsible for the processing of personal data which occurs during storage in the e-mail hosting service Outlook because the e-mail transmissions happens from there. Sensitive personal data has been sent unencrypted via the open network As the person responsible for personal data, the hospital board must take appropriate technical and organizational measures to ensure an appropriate level of security in relation to the risks (Article 32 of the Data Protection Regulation). The personal data as treated must, for example, be protected against unauthorized disclosure or unauthorized access. What is the appropriate level of security varies in relation to, among other things, the risks for the rights of natural persons which the treatment entails and the nature of the treatment, scope, context and purpose. In the assessment, it must, for example take into account the type of personal data being processed, such as data on health.4 The hospital board has sent a large number of personal data via e-mail to patients and remitters abroad. These are an estimated 500-1,000 sent e-mails mail messages per month. The current emails contained personal data on health that are sensitive personal data. Treatment of sensitive personal data can pose significant risks to personal privacy and therefore, strong protection is required in the processing of such data. This means that if such personal data sent by e-mail must be protected in such a way that unauthorized persons cannot take part in them. Personal data can, for example, be protected by encryption. The hospital board's information shows that the hospital board used a technology, so called OTLS, which means that the transmission of the e-mail is encrypted for that case receiving e-mail server supports TLS. If the receiving e-mail server does not support TLS, the transmission of the e-mail becomes unencrypted. This means that the hospital board uses a technology that is dependent on the receiver's technical settings, which means that the hospital board can not ensure that the transmission of the e-mail is encrypted. E- the mail has been sent externally (ie outside the Uppsala Region), which has resulted that it was not possible to ensure that the e-mail sent from the Academic Hospital received with an encryption that is appropriate in relation to the risk of the treatment. The National Board of Health and Welfare has itself stated that it has not verified how many of the the mail messages sent unencrypted via open network per day. In the present case, the information is sent in the emails without encryption, that is say the information has been read in plain text via the open network (internet). This means that 4See recitals 75 and 76 of the Data Protection Regulation. Page 6 of 11, Integrity Protection Authority Record number: DI-2021-5595 7 (11) Date: 2022-01-26 unauthorized persons have been able to access the personal data in the e-mails and that other than intended recipients have been able to access the information both below the transmission, in cases where the recipient's e-mail server did not support TLS, and after the transmission of the e-mail. According to IMY, there is a risk that the data will come in wrong hands after the transfer, as the person sending the data would be able to write an incorrect recipient address [1. IMY finds that the information in the emails should have been protected against unauthorized use disclosure or unauthorized access, and this regardless of the transmission of the e-mail been encrypted or not. The hospital board should have taken technical measures, to examples in the form of encryption, to protect personal data and thereby ensure an appropriate level of data protection. That a large number of sensitive personal data has been exposed to for a long time internet without protection against unauthorized disclosure or unauthorized access, means according to IMY that the lack of security has been of such a serious nature that it also involves one infringement of Article 5 (1) (f) of the Data Protection Regulation. According to the hospital board, Region Uppsala's governing document on handling mail states and e-mail that sensitive personal data may not be communicated via e-mail. The hospital board has thus identified the risks of treating the sensitive personal data in e-mail entails but has not taken sufficient measures to comply guidelines. IMY thus finds that the hospital board has not taken the appropriate ones organizational measures required to ensure the safety of treatment. Overall, IMY finds that the hospital board, by not taking appropriate action technical and organizational measures to ensure a level of security that is appropriate in relation to the risk of the processing, has processed personal data in violation with Articles 5 (1) (f) and 32 (1) of the Data Protection Regulation. Sensitive personal data has been stored in Outlook The hospital board has stated that the medical records are also stored in Outlook in addition storage in the main journal system Cosmic. The journal documents contain personal information about health that is sensitive personal data. Processing of sensitive personal data can mean significant risks to privacy and therefore strong protection is required during treatment of such information. This means, among other things, that this personal data must protected in such a way that unauthorized persons cannot access them. The purpose of an email system (in this case Outlook) is to disseminate and communicate information. An e-mail system is exposed to the internet, which means that the information in the system risks becoming inaccessible to unauthorized persons. Outlook is therefore generally one inappropriate storage for sensitive personal data. By storing journal documents in Outlook, the current data has been exposed to one high risk that they will be disclosed or that unauthorized persons will gain access to them. This means that the hospital board has not taken the technical measures required under Article 32 i the Data Protection Regulation to ensure adequate data protection. That a large number of sensitive personal data has been exposed to for a long time internet without protection against unauthorized disclosure or unauthorized access, means according to IMY [1See the Swedish Data Inspectorate's report Reported personal data incidents 2019 (report 2020: 2). Page 7 of 11, Integrity Protection Authority Record number: DI-2021-5595 8 (11) Date: 2022-01-26 that the lack of security has been of such a serious nature that it also involves one infringement of Article 5 (1) (f) of the Data Protection Regulation. In summary, IMY considers that the hospital board has not taken appropriate technical measures measures to prevent unauthorized disclosure of or unauthorized access to the personal data stored in Outlook. As a result, the hospital board has not ensure a level of safety that is appropriate in relation to the risk of the treatment. The Hospital Board has thus processed the personal data in violation of Articles 5.1 f and 32.1 of the Data Protection Regulation. Choice of intervention Legal regulation In the event of violations of the Data Protection Regulation, the IMY has a number of corrections powers available under Article 58 (2) (a) to (j) of the Data Protection Regulation, inter alia reprimand, injunction and penalty fees. IMY shall impose penalty fees in addition to or in lieu of other corrective actions referred to in Article 58 (2), depending on the circumstances of each case. Member States may lay down rules on whether and to what extent administrative penalty fees can be imposed on public authorities. It is clear from Article 83 (7) (i) Regulation. Sweden has accordingly decided that the supervisory authority shall receive charge sanction fees by authorities. For infringements of, inter alia, Article 32, the fee amounts to a maximum of SEK 5,000,000. For infringements of, inter alia, Article 5 i According to the ordinance, the fee shall amount to a maximum of SEK 10,000,000. It appears from ch. 6 2 § of the Data Protection Act and Article 83 (4) and 83 (5) of the Data Protection Ordinance. If a personal data controller or a personal data assistant, with respect to a and the same or interconnected data processing, intentionally or by negligence violates several of the provisions of this Regulation may it the total amount of the administrative penalty fee does not exceed the amount determined for the most serious infringement. It is clear from Article 83 (3) (i) the Data Protection Regulation. Each supervisory authority shall ensure that the imposition of administrative penalty fees in each individual case are effective, proportionate and dissuasive. The provided for in Article 83 (1) of the Data Protection Regulation. Article 83 (2) of the Data Protection Regulation sets out the factors to be taken into account in order to: decide whether to impose an administrative penalty fee, but also at determining the amount of the penalty fee. If it is a question of a smaller infringement may IMY as set out in recital 148 instead of imposing a issue a reprimand in accordance with Article 58 (2) (b) of the Regulation. Consideration shall taken to aggravating and mitigating circumstances in the case, such as the infringement character, degree of difficulty and duration as well as previous violations of relevance. Imposition of a penalty fee IMY has above assessed that the hospital board has violated Articles 5.1 f and 32.1 i the Data Protection Regulation. Violations of these provisions may, as is apparent above, give rise to penalty fees. Page 8 of 11, Integrity Protection Authority Record number: DI-2021-5595 9 (11) Date: 2022-01-26 The violations have taken place because the hospital board has sent a large amount patient data via unencrypted e-mail via open network to patients and referrers in third country and because the patient data has been stored in Outlook. The personal data which were processed were sensitive personal data, which means a high risk for those freedoms and rights were registered. The treatments described in the case have taken place systematically and for a long time. The treatments via e-mail have also taken place in conflict with Region Uppsala's own guidelines. Taken together, these factors mean that one penalty fee should be imposed. IMY estimates that the treatments via e-mail and storage refer to two interconnected data processing in accordance with Article 83 (3) of the Data Protection Regulation. This because the treatments concern the handling of the same personal data in Outlook and refer to violation of the same provisions. In determining the size of the penalty fee, the IMY shall take into account both aggravating and mitigating circumstances and that the administrative penalty fee should be effective, proportionate and dissuasive. It is aggravating that the personal data processing has been going on for a long time, that is say during the period under review from 25 May 2018 to 7 May 2019, and that the hospital board did not promptly take measures to protect personal data despite that the hospital board was aware of the shortcomings in safety. It is also aggravating that the treatments included a large amount of health information that was sent unencrypted via open network and stored in Outlook. It has been about between 500 and 1,000 e-mails per month that unauthorized persons have been able to access to via the internet and included about 300 registered per year. Through the information provided processed, the data subjects can be identified directly by name, contact details and health information. IMY therefore considers the nature, scope and nature of the data the dependent's dependency gives the hospital board a special responsibility to ensure appropriate protection of personal data, which has not happened. It is further aggravating that the treatments have taken place systematically and that they have taken place in contrary to Region Uppsala's own guidelines that sensitive personal data should not sent by e-mail. As a mitigating circumstance, it is taken into account that the hospital board introduced in September 2019 technical measures in the form of an encryption solution for files. IMY decides based on an overall assessment that the hospital board should be imposed on one administrative penalty fee of 1,600,000 (one million six hundred thousand) kronor. This decision was made by Director General Lena Lindgren Schelin after the presentation by lawyer Linda Hamidi. At the final hearing, the Chief Justice also has David Törngren, unit manager Malin Blixt and IT security specialist Ulrika Sundling participated. Lena Lindgren Schelin, 2022-01-26 (This is an electronic signature) Page 9 of 11, Integrity Protection Authority Record number: DI-2021-5595 10 (11) Date: 2022-01-26 Appendix Information on payment of penalty fee. Copy to The Data Protection Officer. Page 10 of 11, Integrity Protection Authority Record number: DI-2021-5595 11 (11) Date: 2022-01-26 How to appeal If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the date of the decision was announced. If the appeal has been received in time, send The Integrity Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision. Page 11 of 10