DPC (Ireland) - IN-21-6-2
DPC - IN-21-6-2 | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 30.12.2022 |
Fine: | 15000 EUR |
Parties: | A&G Couriers Limited T/A Fastway Couriers (Ireland) |
National Case Number/Name: | IN-21-6-2 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Data Protection Commission (in EN) |
Initial Contributor: | Sainey Belle |
A Controller was fined €15,000 for failing to implementing appropriate technical and organisational measures and ensuring “checks and balances” in respect of a change to data processing when undertaking a new project.
English Summary
Facts
The Controller engaged a third party provider - IT software contractors (Contractor) to undertake a "Brexit project" which aimed to provide Her Majesty’s Revenue & Customs (HMRC) with access to their internal reporting system to facilitate declarations of duty and VAT. The Contractor immediately began facilitating access to the reports for external review and made changes within the system and, during this work, the server which housed all the data became exposed to the public internet. It was suggested by the Controller that due to insufficient checks on security patches, user restrictions and access controls by the Contractor, the configuration of the affected server was done incorrectly, and the IP address of the affected server was inadvertently exposed following the implementation of the systems changes. An unknown individual gained access to the exposed server and exfiltrated the personal information pertaining to a large number of data subjects.
For a total of 2 days, the servers, which housed in total, the unencrypted personal data of 446,143 data subjects, were publicly available. This included their names, home addresses, email addresses and mobile numbers. The Controller further clarified that each of these categories of personal data may not be fully present in each record affected by the personal data breach, since the data collected is client specific and not all fields are mandatory. The hacker was able to access and exfiltrate the records of 10,000 data subjects in total.
Holding
Article 32 obligations to Controllers and Processors: Though the Controller attempted to argue that in the course of the personal data breach handling process that in some cases it was a controller, in some a joint controller and in some other a processor. The Data Protection Commission held that the obligation to implement appropriate technical and organisational measures pursuant to 32(1) GDPR applies equally to Controllers and Processors. As the Controller identified itself as holding either of those roles in respect of the personal data, the obligation to comply with Article 32(1) GDPR applies to all of those circumstances.
Categories and types of personal data:
It was highlighted above that the servers contained some or all of the following categories of personal data: names, home addresses, email addresses and mobile numbers as dependent on client requirements. In an objective assessment, the risks posed by the Controller’s processing at the time of the personal data breach involved low to moderate risks both in likelihood and severity to the rights and freedoms of data subjects. It is admitted that there was a significant quantity of personal data related to a large number of data subjects processed and stored for a period of thirty (30) days by the Controller, this personal data may be considered at the lower end of the scale in terms of sensitivity.
However, pursuant to Article 32(1)(d) GDPR and in light of the obligation to regularly evaluate the effectiveness of technical and organisational measures, it is clear the Controller should have conducted a risk assessment before initiating the process of reviewing access to its internal server in the context of the "Brexit project" in order to identify any possible risk arising from this specific change to the system. Its failure to do so aggravated the likelihood regarding the risks to the rights and freedoms of data subjects. Having an urgent project does not allow for any exceptions to the obligation to implement appropriate security measures and to follow policies and procedures that have been implemented.
Lack of security measures: At the time of the personal data breach, the personal data stored in the was not encrypted and the security controls were not designed having regard to the possibility that the affected data could be viewed by an external entity. Due to the change in the audience to whom the reporting system was exposed to, the new risks associated with such a change ought to have been firstly assessed.
Accordingly, risk-appropriate measures such as encryption and comprehensive access control procedures should have been implemented before the personal data breach. In that regard, the Controller confirmed that the risk assessment regarding the changes to the systems was not performed, and it failed to implement appropriate mitigating measures.
Not following internal procedures and processes: Contrary to its own existing policies and procedures at the time of the personal data breach, the system changes were signed off verbally by a member of the Controllers IT team and without the approval of the Data & Information Security representative. Furthermore, whilst the Controller appears to have provided the verbal approval, it was considered that the procedure for the approval of the "Brexit project" was not properly followed according to the Controllers Data Protection Policies and Procedures in one crucial respect: the staff did not request the approval of the Data & Information Security representative and instead signed off verbally themselves disregarding the applicable procedure.
Moreover, the lack of the risk assessment negatively impacted the Controller’s ability to identify and recognise the risks associated with this change. Therefore, the Data Protection Commission considered that the organisational measures implemented by the Controller were not appropriate as they did not follow its own Data Protection Policies and Procedures, nor does it appear that there were any "checks and balances" to ensure that these policies and procedures were fuly followed by their staff.
- The Controller was issued with a reprimand in respect of the infringement emphasising the requirement to take all relevant steps to ensure continuous and future compliance with Article 32(1) of the GDPR.
- An administrative fine on the Controller in the amount of €15,000 in respect of the infringement.
The Controller has a right of appeal.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Inquiry into A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022 Inquiry into A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022 Final Decision: A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022