DPC (Ireland) - IN-20-4-7

From GDPRhub
Revision as of 22:25, 1 March 2022 by Paolaleon
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided: 24.01.2022
Published:
Fine: None
Parties: n/a
National Case Number/Name: IN-20-4-7
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Paola León

The DPC commenced an own volition inquiry in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) notified on 10 December 2019. PIAB is an independent statutory body that deals with personal injury claims.

English Summary

Facts

The personal data breach occurred when a third party organisation (‘the Third Party’) contracted by PIAB returned materials containing personal data to PIAB on an unencrypted USB key in a paper envelope, which USB key was ultimately lost in the post with only a ripped envelope delivered to PIAB. The Inquiry considered whether the PIAB had complied with its obligation to implement an appropriate level of security under Article 32 GDPR.


Holding

The Inquiry established that PIAB had requested in advance that the Third Party not send the personal data to PIAB. In those circumstances, the Decision found that PIAB could not possibly have foreseen that without consultation with it, the Third Party would post an unencrypted USB storage device in an unpadded envelope by ordinary (not registered) post.

English Machine Translation of the Decision


In the matter of the General Data Protection Regulation
DPC Case Reference: IN-20-4-7
In the matter of the Personal Injuries Assessment Board
Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection
Act 2018
Further to an own-volition inquiry commenced pursuant to Section 110 of the Data Protection Act
2018
DECISION
Decision-Maker for the Commission:
Helen Dixon
Commissioner for Data Protection
24 January 2022
Data Protection Commission
2 Fitzwilliam Square South
Dublin 2, Ireland
Contents
1. Introduction
2. Legal Framework for the Inquiry and the Decision
i. Legal Basis for the Inquiry
ii. Legal Basis for the Decision
3. Findings
4. Right of Appeal

1. Introduction
1.1 This document (“the Decision”) is a Decision of the Data Protection Commission (“the DPC”) in accordance with Section 111 of the Data Protection Act (“the 2018 Act”). I make this Decision having considered the information obtained in the own volition inquiry (“the Inquiry”) conducted by a Case Officer of the DPC (“the Case Officer”) pursuant to Section 110 of the 2018 Act. The Case Officer who conducted the Inquiry provided the Personal Injuries Assessment Board (“PIAB”) with the Draft Inquiry Report and the Final Inquiry Report. The Decision is being provided to PIAB pursuant to Section 116(1)(a) of the 2018 Act in order to give PIAB notice of the Decision and the reasons for it.
1.2 PIAB was provided with the Draft Decision on this inquiry on 30 November 2021 to give PIAB a final opportunity to make submissions. PIAB acknowledged receipt of the Draft Decision on 14 December 2021 and made no submissions in this regard.
2. Legal Framework for the Inquiry and the Decision
i. Legal Basis for the Inquiry
2.1 The GDPR is the legal regime covering the processing of personal data in the European Union. As a regulation, the GDPR is directly applicable in EU member states. The 2018 Act gives the GDPR further effect in Irish law. As stated above, the DPC commenced the Inquiry pursuant to Section 110 of the 2018 Act. By way of background in this regard, pursuant to Part 6 of the 2018 Act the DPC has the power to commence an inquiry on several bases, including on foot of a complaint, or of its own volition.
2.2 Section 110(1) of the 2018 Act provides that the DPC may, for the purpose of Section 109(5)(e) or Section 113(2) of the 2018 Act, or of its own volition, cause such inquiry as it thinks fit to be conducted, in order to ascertain whether an infringement has occurred or is occurring of the GDPR or a provision of the 2018 Act, or regulation under the Act that gives further effect to the GDPR. Section 110(2) of the 2018 Act provides that the DPC may, for the purposes of Section 110(1), where it considers it appropriate to do so, cause the exercise of any of its powers under Chapter 4 of Part 6 of the 2018 Act (excluding Section 135 of the 2018 Act) and/or to cause an investigation under Chapter 5 of Part 6 of the 2018 Act to be carried out.
ii. Legal Basis for the Decision
2.3 The decision-making process for this Inquiry is provided for under Section 111 of the 2018 Act, and requires that the DPC must consider the information obtained during the Inquiry; to decide whether an infringement is occurring or has occurred; and if so, to decide on the proposed corrective powers, if any, to be exercised. As the sole member of the Commission, I perform this function in my role as the Decision-Maker in the DPC. In so doing, I am required to carry out an independent assessment of all the materials provided to me by the Case Officer as well as any other materials that PIAB has furnished to me and any other materials that I consider relevant, in the course of the decision-making process.
2.4 The Final Inquiry Report was transmitted to me on 21 January 2021, together with the Case Officer’s file, containing copies of all correspondence exchanged between the Case Officer and PIAB; and copies of all submissions made by PIAB, including the submissions made by PIAB in respect of the Draft Inquiry Report. I issued a letter to PIAB on 04 October 2021 to notify it of the commencement of the decision-making process.
2.5 Having reviewed the Final Inquiry Report, and the other materials provided to me by the Case Officer, including the submissions made by PIAB, I was satisfied that the Inquiry was correctly conducted and that fair procedures were followed throughout. This includes, but is not limited to, notifications to the controller and opportunities for the controller to comment on the Draft Inquiry Report before the Case Officer transmitted it to me as decision-maker.
3. Findings
3.1 Following intensive examination of the facts in this case, including a review of the Draft and Final Inquiry Report and the submissions made by PIAB, I find that the material issues in this inquiry net down to a central issue of the security of processing under Article 32(1) of the GDPR. This issue arises in circumstances where a third party organisation (“the Third Party”) contracted by PIAB returned materials containing personal data to PIAB on an unencrypted USB key in a paper envelope, which USB key was ultimately lost in the post with only a ripped envelope delivered to PIAB.
3.2 Article 32 of the GDPR sets down obligations for both controllers and processors. In subsection (1) it requires that:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
3.3 Given that PIAB had expressly requested in advance of the Third Party posting the USB storage device that further personal data not be sent to it (as PIAB was already in receipt of hard copies of the main reports in the matter), it could not possibly have foreseen that without consultation with it, the Third Party would post an unencrypted USB storage device in an unpadded envelope by ordinary (not registered) post.
3.4 It is clear from the facts in the case that PIAB could not have foreseen that the materials in question containing personal data would have been transmitted in this manner.
4. Right of Appeal
4.1 This Decision is issued in accordance with Section 111 of the 2018 Act. Pursuant to Section 150(5) of the 2018 Act, PIAB has the right to appeal against this Decision within 28 days from the date on which notice of the Decision is received by it.
_________________
Helen Dixon
Commissioner for Data Protection