Datatilsynet (Denmark) - 2020-442-8099
Datatilsynet - 2020-442-8099 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 21.04.2022 |
Published: | 16.05.2022 |
Fine: | n/a |
Parties: | Finanstilsynet |
National Case Number/Name: | 2020-442-8099 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | Vadym Kublik |
The Danish DPA reprimanded a public authority for breaching Article 32(1) GDPR by passing information about whistleblowers to a journalist. The disclosure resulted from an inadequate anonymisation technique when email addresses could still be revealed from the redacted pdf documents.
English Summary
Facts
Controller, the Danish Financial Supervisory Authority (FSA), received a request for access to documents from a journalist regarding the information collected via the whistleblower scheme. On 31 May 2020, the FSA complied with the request under The Public Access to Information Act after removing the personal identifiable information relating to the reporting individuals.
However, on 6 June 2020, one of the data subjects informed the FSA that the journalist contacted them by email regarding the whistleblowing reports. The FSA investigated the matter and learned that it was possible to find out the information about the email address by holding the cursor over places in the pdf document, which were supposedly anonymised by a blackout redaction.
The FSA's job description contained instructions for its caseworkers to remove personal information from the documents before handing them over to requesting parties. Additionally, new employees underwent peer training about processing requests for access to records. The most common method for anonymisation was to cross out text with ink and scan the document afterwards. Alternatively, personal information could be replaced with Xs.
After learning about the data breach, Datatilsynet (Danish DPA) assessed whether the controller implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks of processing.
Holding
The DPA held that processing information received via a whistleblower scheme poses a higher risk to data subjects' rights. Therefore, the appropriate security measure must ensure that material passed on to others does not contain personal data that should have been anonymised.
According to the DPA, the controller must choose an anonymisation method that does not leave traces of the removed personal data, not even in metadata. As a result, it should not be easy to circumvent the redaction with standardised tools.
The DPA established that the controller's job description was not clear and precise enough to ensure the caseworkers' adequate anonymisation of personal data. Also, the peer training did not provide appropriate security without clear and accurate instructions.
Moreover, it was pertinent to the DPA that the controller lacked the necessary understanding of which methods it must implement to delete information from the documents, including the metadata, so that the information can no longer be retrieved.
Consequently, the DPA reprimanded the controller for violating Article 32(1) GDPR by not taking appropriate organisational and technical measures to ensure a level of security that matches the risks involved in the processing.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Danish Data Protection Agency expresses serious criticism of the Danish FSA's processing of personal data Date: 21-04-2022 Decision Public authorities The Danish Data Protection Agency expresses serious criticism of the Danish Financial Supervisory Authority for not having complied with the requirement for adequate security, as the Danish Financial Supervisory Authority inadvertently handed over information about whistleblowers to a journalist. Journal number: 2020-442-8099 Summary The Danish Data Protection Agency has made a decision in a case where the Danish Financial Supervisory Authority inadvertently passed on information about whistleblowers to a journalist in connection with a request for access to documents. The unintentional disclosure took place because the Danish Financial Supervisory Authority had not removed personal data from the material that had been provided with information in a sufficiently secure manner. The Danish Financial Supervisory Authority had thus crossed out personal data in the handed out pdf documents "Hold the mouse cursor" on crossed out passages. It appears from the case that the Danish Financial Supervisory Authority was not aware that it is necessary to delete the hidden information behind the displayed document (metadata, etc.) in order to ensure that it will no longer be available. Lack of technical and organizational measures In assessing the case, the Danish Data Protection Agency, among other things, emphasizes that the requirement for adequate security implies that the data controller must establish measures to ensure that material passed on does not contain personal data that should have been anonymised. In addition, the Danish Data Protection Agency has placed special emphasis on the fact that the risk to the data subject's rights must generally be considered higher when the information originates from a whistleblower scheme, just as the Danish Data Protection Agency found that it is a well-known part of the functionality in programs underline that metadata information or underlying layers of information can be found after underline. Against this background, the Danish Data Protection Agency expressed serious criticism of the Danish FSA's processing of personal data, as these have not taken place in accordance with the rules in the Data Protection Regulation. Decision Following a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that the Danish FSA's processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Regulation [1]. 1. Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision. 2. Case presentation It appears from the case that the Danish FSA received a request for access to documents from a journalist regarding insight into the inquiries that the Danish FSA had received via the Danish FSA's whistleblower mailbox, which concerned good practice for financial companies in 2019 and 2020. In addition, the Danish Financial Supervisory Authority has stated that access to documents was granted pursuant to the Public Access to Information Act, and that information that could identify the persons in question who had contacted the Danish Financial Supervisory Authority's whistleblower mailbox was excluded from the documents. Access to the file was announced on 31 May 2020. On Saturday 6 June 2020, the Danish Financial Supervisory Authority was contacted via e-mail by one of the persons who had reported an inquiry to the Danish Financial Supervisory Authority. The person stated that he or she had been contacted regarding the inquiry to the Danish Financial Supervisory Authority via e-mail by the journalist who had applied for access to documents. The Danish FSA became aware of the breach when the email was read on Monday 8 June 2020. The Danish Financial Supervisory Authority then contacted the journalist, who stated that he could find out the information about the e-mail address by holding the cursor over places in the pdf document, which was immediately anonymised by black underlining. The places during the anonymisation where there was an underlying link or email address, the journalist could thus see by holding the cursor over the black line. In this way, the journalist had been informed of the email address. The handed out material has been reviewed by the Danish Financial Supervisory Authority, which has been able to establish that e-mail addresses can be found for seven people who have sent inquiries to the Danish Financial Supervisory Authority's whistleblower mailbox. The Danish FSA's job description for processing access to documents cases that were valid at the time of the breach of personal data security contained a section on extracting information. The section included the following: "The extraction of information will in practice take place by exceeding everything that is not covered by the extraction obligation as a case officer". In addition, the Danish Financial Supervisory Authority has stated that the job description must be seen in connection with ordinary peer training when new employees process requests for access to documents in the Danish Financial Supervisory Authority. The most common method of anonymisation in the Danish Financial Supervisory Authority has in practice been to cross out with ink, after which the document was scanned. An alternative option has been to replace the information that needed to be anonymized with Xs. The Danish Financial Supervisory Authority has stated that it was the Danish Financial Supervisory Authority's view before the data breach of 31 May 2020 that the job description for processing access to documents cases was adequate. In this connection, the Danish Financial Supervisory Authority has stated that the Danish Financial Supervisory Authority has not previously had incidents where inadequate anonymisation has led to a breach of personal data security. Since the breach, the Danish Financial Supervisory Authority has updated the job description for handling requests for access to documents. The Danish FSA has also stated that the material that has been granted access to documents should have been scanned as a pdf file after anonymisation prior to submission. As a result, it would not have been possible to become acquainted with the personal data that immediately appeared anonymised. The error that led to the journalist having access to the exempted information was due to the fact that the Danish FSA was not aware that it is possible to find information about, for example, e-mail addresses and other underlying links by holding the cursor over places in a pdf document which is immediately anonymised by black underlining. The Danish FSA was thus not aware that it is necessary to delete the hidden information behind the displayed document (metadata, etc.) in order to ensure that it will no longer be possible to find it. Justification for the Danish Data Protection Agency's decision It follows from Article 32 (1) of the Data Protection Regulation 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security that is appropriate to the risks involved in the data controller's processing of personal data. Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks. The Danish Data Protection Agency is of the opinion that the requirement in Article 32 for appropriate security implies that the data authority or company must establish appropriate measures to ensure that material passed on does not contain personal data that should have been anonymised. In this respect, it is essential that the extraction method chosen cannot be easily bypassed or masks removed with standardized tools. It is therefore the Data Inspectorate's opinion that a technical solution must not leave traces of the removed personal data, not even in metadata. A data controller must therefore be fully aware of the functionality of the program used, and provide the necessary instructions to the employees, which ensures that the "layers" in the document that contain personal information - which must be excluded - are effectively removed. Additional measures which - depending on the circumstances - may constitute an appropriate measure may e.g. be a requirement for a manual physical deletion based on prior review of the material on the basis of clear instructions from the data controller, if any. combined with a scanning tool. The Danish Data Protection Agency assumes that in the material that was given insight into, personal data had been crossed out in order to exclude these, but that the information could be read by "holding the mouse cursor" on crossed-out passages. In addition, according to what the Danish FSA itself explained, the Danish Data Protection Agency assumes that the Danish FSA was not aware that it was possible to see the information in this way. The Danish Data Protection Agency is of the opinion that the Danish Financial Supervisory Authority had not implemented appropriate technical and organizational measures prior to the breach, as the Danish Financial Supervisory Authority did not have sufficient procedures for anonymising information in connection with requests for access to documents. The Danish Data Protection Agency has emphasized that the Danish Financial Supervisory Authority did not have the necessary clear and precise instructions for anonymising personal data in connection with. requests for access to documents, etc., and that the Danish FSA did not have the necessary understanding of which methods must be implemented to delete - also - the hidden information that is behind the deletion in the document shown (metadata, etc.), to ensure that the personal data does not longer will be able to be found. It is the Data Inspectorate's assessment that a job description that only stipulates that caseworkers must cross out everything that is not covered by the extraction obligation is not precise enough to provide sufficient assurance of correct anonymisation. Especially not in relation to the - in this case - chosen technical solution. The fact that employees were also trained in a safe workflow during peer training does not change the need for clear and precise instructions in correct anonymisation. The Danish Data Protection Agency has placed particular emphasis on the fact that the risk to the data subject's rights must generally be considered higher when the information has been received via a whistleblower scheme. The Danish Data Protection Agency notes that it is a well-known part of the functionality of programs that are technically used for deletion that metadata information or underlying layers of information can be found after deletion. In view of this and as the Danish Financial Supervisory Authority was not aware of the need to delete the hidden information behind the document shown (metadata, etc.) in order to ensure that it will no longer be possible to find it, peer training cannot ensure adequate security. Against this background, the Danish Data Protection Agency finds that the Danish FSA has not taken appropriate organizational and technical measures to ensure a level of security that matches the risks involved in the Danish FSA's processing of personal data, cf. Article 32 (1) of the Data Protection Regulation. 1. After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that the Danish FSA's processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Regulation. 1. When choosing a sanction, the Danish Data Protection Agency has emphasized that the information in question came from a whistleblower scheme, where the disclosure of information requires special attention from the data controller. In the mediating direction, the Danish Data Protection Agency has placed special emphasis on the long case processing time at the Authority. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).