Datatilsynet (Denmark) - 2023-420-0001
| Datatilsynet - 2023-420-0001 | |
|---|---|
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32 GDPR; Article 25 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 2023-420-0001 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | 2023-420-0001 (in DA) |
| Initial Contributor: | sh |
The Danish DPA criticised several municipalities for failing to have appropriate technical and organisational measures in relation to Denmark's AULA IT system.
English Summary
Facts
AULA is Denmark's school communication platform. AULA therefore processes personal data, including confidential and sensitive personal data, about vulnerable data subjects, including children. The users of the system are often persons who do not work primarily with data protection (including teachers, staff, pupils and parents), and so high security measures under Article 32 GDPR and Article 25 GDPR are required.
The Danish DPA observed a number of personal data breaches in connection with the processing of personal data in AULA within Danish municipalities. A large proportion of the notifications of personal data breaches in AULA concern personal data being sent to one or more incorrect recipients in AULA, for example where a message or secure file about a child has been sent to another child's parents, or where a message has been sent by mistake to a group of recipients instead of a specific recipient.
The DPA therefore decided to conduct inspections into the processing of data in the AULA IT system across six municipalities. The investigations focused on the security of technical and organisational measures.
The DPA decided to inspect these municipalities collectively, since all municipalities used the same IT system and the same general data protection law issues would arise. The investigation included Esbjerg Municipality, Frederikshavn Municipality, Hillerød Municipality, Copenhagen Municipality, Lolland Municipality and Randers Municipality, which were selected with the aim of gaining a broad and representative insight into the municipalities' considerations in relation to the security of processing when using AULA.
The Danish DPA decided in five of the six cases. The investigation case with Copenhagen Municipality contained some additional elements, which is why the Danish DPA has not yet made a decision in that case. Overall, the inspections revealed concerns about personal data breaches, especially regarding the inadvertent transmission of sensitive information to unintended recipients within AULA.
Holding
The Danish DPA criticised all five municipalities for failing to implement appropriate technical and organisational measures under Article 32 GDPR and failing to have appropriate mitigating measures under Article 25 GDPR.
First, the municipalities handled the task of documenting their assessments of the security of processing in different ways. Three municipalities prepared risk assessments. The Danish DPA reviewed these and assessed that none of them fulfilled all the minimum requirements. The other two did not prepare them and were ordered by the DPA to do so within three months.
Second, the municipalities were not clear on the divide between risk assessments and impact assessments under the GDPR. Some of the risk assessments had been incorporated into the municipalities' impact assessments; others had been prepared separately in Excel sheets and then referred to in the impact assessment.
Upon reviewing the impact and risk assessments, the DPA highlighted several general observations:
Clarification of Data Responsibility: It stressed the importance of clearly defining data responsibility, especially in collaborative systems like AULA, to ensure proper risk and impact assessments. The municipalities should have communicated with AULA early on and established that they were the controllers. Had they done this, it would have been easier to write and submit risk and impact assessments.
Documentation of Assessments: The agency found variations in how municipalities documented their risk assessments, emphasising the need for a coherent documentation style to ensure GDPR compliance. Some of the municipalities' risk assessments even state that the processing of personal data in AULA does not involve high risks. A risk assessment under Article 32 GDPR, in the opinion of the DPA, should include an assessment of the consequence (e.g. high, medium, low) for the data subjects in case of loss of confidentiality, availability and integrity. The risk assessment should then identify the threats to confidentiality, availability and integrity and the likelihood (e.g. high, medium, low) of each threat being realised. Finally, the risk assessment must map the existing security measures and their contribution to reducing the risk.
Risk of Error Transmission: A significant number of reported breaches involved the incorrect transmission of personal data within AULA. The agency recommended exploring technical solutions to mitigate this risk. For example, AULA's message module is designed in such a way that a message can easily be sent to the wrong recipient: suggestions for recipients are automatically made when the user starts typing in the recipient field "To", and employees, children and parents are all suggested as recipients. In the opinion of the DPA, this entails a risk that users select one or more incorrect recipients from the list of suggested recipients.
Rights Management and Access Control: The agency emphasised the need for robust access controls and periodic audits to prevent unauthorised access to personal data. Article 32(1)(d) GDPR states that, where appropriate, procedures shall be established for periodic testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing. The controller should, at a minimum, continuously check whether access to systems and physical material containing personal data is limited to those users who have a legitimate need for access to the information. It is not sufficient that user access to AULA is simply added and removed locally in the individual institutions and schools without a subsequent periodic check of whether the users in question still need the access they have been granted.
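The risk-assessment structure the DPA describes above (consequence per property, threats with likelihood, measures and their contribution, and a documented reason whenever a risk is rated below the supplier's assessment) can be recorded and checked mechanically. The following is an added example, not the DPA's, KOMBIT's or any municipality's material; the 3x3 matrix, the one-level-per-measure reduction and the AULA-style sample threats are assumptions.

```python
"""Article 32 risk-assessment record in the structure the decision describes.
Added example; matrix, reduction rule and sample data are assumptions."""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


def combine(consequence, likelihood):
    """Assumed 3x3 matrix: high when one factor is high and the other at
    least medium; low only when both are low; medium otherwise."""
    c, p = LEVELS[consequence], LEVELS[likelihood]
    if max(c, p) == 3 and min(c, p) >= 2:
        return "high"
    if c == 1 and p == 1:
        return "low"
    return "medium"


def lowered(level, steps):
    """Move a level down by `steps`, never below low."""
    return NAMES[max(1, LEVELS[level] - steps)]


@dataclass
class Measure:
    name: str
    reduces: str              # "likelihood" or "consequence"
    steps: int = 1            # levels removed from that factor
    implemented: bool = True  # planned-only measures earn no credit


@dataclass
class Threat:
    description: str
    cia_property: str         # confidentiality / integrity / availability
    likelihood: str           # before measures
    measures: list = field(default_factory=list)
    justification: str = ""   # required when rated below the supplier's level


@dataclass
class Activity:
    name: str
    consequence: dict         # property -> level for the data subjects
    threats: list
    supplier_baseline: dict = field(default_factory=dict)  # threat -> level


def assess_threat(activity, threat):
    consequence = activity.consequence[threat.cia_property]
    likelihood = threat.likelihood
    inherent = combine(consequence, likelihood)
    for m in threat.measures:
        if not m.implemented:
            continue
        if m.reduces == "likelihood":
            likelihood = lowered(likelihood, m.steps)
        else:
            consequence = lowered(consequence, m.steps)
    residual = combine(consequence, likelihood)
    baseline = activity.supplier_baseline.get(threat.description)
    findings = []
    # A rating below the supplier's assessment needs a documented reason.
    if baseline and LEVELS[residual] < LEVELS[baseline] and not threat.justification:
        findings.append("rated below supplier baseline without documented justification")
    if residual == "high":
        findings.append("residual risk high: further measures required")
    return {"threat": threat.description, "inherent": inherent,
            "residual": residual, "baseline": baseline, "findings": findings}


def assess(activity):
    """One record per threat: the documentation the decision asks for."""
    return [assess_threat(activity, t) for t in activity.threats]


def sample_activity():
    """Constructed AULA-style messaging activity (not a real assessment)."""
    return Activity(
        name="messages and secure files sent to parents via AULA",
        consequence={"confidentiality": "high", "integrity": "medium",
                     "availability": "low"},
        threats=[
            Threat("wrong recipient picked from the 'To' field suggestions",
                   "confidentiality", "high",
                   [Measure("user awareness guidance", "likelihood"),
                    Measure("recipient confirmation before send", "likelihood",
                            implemented=False)]),
            Threat("reply-all used instead of reply to sender",
                   "confidentiality", "medium",
                   [Measure("recipient count shown in reply field", "likelihood")],
                   justification="recipient count is displayed and staff are "
                                 "trained to check it (assumed)"),
            Threat("wrong document attached to a message to parents",
                   "confidentiality", "medium",
                   [Measure("second-person check before sending documents",
                            "likelihood")]),
            Threat("AULA unavailable during outage", "availability", "medium"),
        ],
        supplier_baseline={
            "wrong recipient picked from the 'To' field suggestions": "high",
            "reply-all used instead of reply to sender": "high",
            "wrong document attached to a message to parents": "high",
        },
    )


if __name__ == "__main__":
    for r in assess(sample_activity()):
        print(r["threat"], "->", r["inherent"], "/", r["residual"], r["findings"])
```

Running it shows two of the findings the decision criticises: a threat left at high residual risk with only a planned measure, and a threat rated below the supplier's level with no written justification.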
The agency also issued recommendations:
Joint Impact Assessment and Code of Conduct: It suggested that municipalities consider preparing joint impact assessments and a code of conduct to streamline data protection efforts, especially when using shared systems like AULA.
Managing the Risk of Error Transmission: It recommended that municipalities explore technical measures to reduce the risk of error transmission within AULA's messaging function by changing its messaging features.
The DPA informed all Danish municipalities, including those that were not selected for the inspection. The purpose was to encourage all municipalities to consider the implementation of additional security measures in relation to their processing of personal data in AULA.
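The periodic access check called for under "Rights Management and Access Control" above, i.e. reconciling every granted AULA access against a current, authoritative need rather than relying on local add/remove at each school, as an added example. This is not the DPA's or any municipality's procedure; the registers, user types, scopes and review interval are assumptions.

```python
"""Periodic recertification of AULA-style user access against current need.
Added example; registers, roles and the review interval are assumptions."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=180)   # assumed maximum age of a review


def review_access(accesses, staff, enrolment, guardians, today):
    """Return (user, [reasons]) for every access that fails the check.

    accesses : dicts with user, role, scope (school or child id) and
               last_reviewed (date the need was last confirmed, or None)
    staff    : {(employee, school): active}   from the HR system
    enrolment: {child: school}                from the pupil register
    guardians: {(parent, child)}              from the civil register
    """
    findings = []
    for a in accesses:
        reasons = []
        role, scope = a["role"], a["scope"]
        if role == "employee":
            if not staff.get((a["user"], scope), False):
                reasons.append("no active employment at this school")
        elif role == "parent":
            if (a["user"], scope) not in guardians:
                reasons.append("no guardianship for this child")
            elif scope not in enrolment:
                reasons.append("child no longer enrolled")
        elif role == "child":
            if enrolment.get(a["user"]) != scope:
                reasons.append("child not enrolled at this school")
        else:
            reasons.append("unknown role")
        # Verification at allocation is not enough: the need must be re-confirmed.
        if a["last_reviewed"] is None or today - a["last_reviewed"] > REVIEW_INTERVAL:
            reasons.append("periodic review overdue")
        if reasons:
            findings.append((a["user"], reasons))
    return findings


def sample_review():
    """Constructed data: a school-local provisioning snapshot that was never
    reconciled with the registers afterwards."""
    today = date(2024, 1, 15)
    staff = {("teacher-1", "school-A"): True, ("teacher-2", "school-A"): False}
    enrolment = {"child-1": "school-A", "child-2": "school-B"}
    guardians = {("parent-1", "child-1"), ("parent-2", "child-2")}
    accesses = [
        {"user": "teacher-1", "role": "employee", "scope": "school-A",
         "last_reviewed": date(2023, 11, 1)},
        {"user": "teacher-2", "role": "employee", "scope": "school-A",
         "last_reviewed": date(2023, 3, 1)},      # left the school
        {"user": "parent-1", "role": "parent", "scope": "child-1",
         "last_reviewed": date(2023, 12, 1)},
        {"user": "parent-2", "role": "parent", "scope": "child-1",
         "last_reviewed": date(2023, 12, 1)},     # linked to the wrong child
        {"user": "child-2", "role": "child", "scope": "school-A",
         "last_reviewed": None},                  # moved to school-B
    ]
    return review_access(accesses, staff, enrolment, guardians, today)


if __name__ == "__main__":
    for user, reasons in sample_review():
        print(user, "->", "; ".join(reasons))
```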
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Skip the main navigation Search Information on the Danish Data Protection Authority's decisions regarding AULA Date: 15-01-2024 Decision Public authorities Criticism Serious criticism Order Supervision / self-operation case Processing security Basic principles Risk assessment and impact analysis The Danish Data Protection Authority has made a decision in five supervisory cases regarding processing security in AULA. The Danish Data Protection Authority found reason to issue orders for the preparation of impact analyzes in two of the cases. In addition, the supervisory authority has expressed criticism and serious criticism in the cases. Journal number: 2023-420-0001. 1. Introduction In autumn 2021, the Danish Data Protection Authority initiated a series of inspections of a total of 6 municipalities' processing of information in the AULA IT system. The inspections were focused on compliance with the data protection regulation, with a particular focus on which technical and organizational security measures have been observed to meet the requirement for an appropriate level of security for the treatments. The inspection included Esbjerg Municipality, Frederikshavn Municipality, Hillerød Municipality, Copenhagen Municipality, Lollands Municipality and Randers Municipality, which were selected with the aim of gaining a broad and representative insight into the municipalities' considerations in relation to processing safety when using in AULA. The Norwegian Data Protection Authority has now made a decision in all cases except the case concerning the Municipality of Copenhagen. The supervisory case with Copenhagen Municipality contains some additional elements, which is why the Data Protection Authority has not yet made a decision in this case. 
The Danish Data Protection Authority finds that the supervisory cases raise some general data protection legal issues across the municipalities, which can be advantageously handled collectively rather than separately by the individual municipalities. The Norwegian Data Protection Authority has therefore chosen to inform the National Association of Municipalities (KL), the Norwegian Agency for IT and Learning and Kombit A/S (hereafter KOMBIT) about the Norwegian Authority's decisions in these cases. At the same time, the Danish Data Protection Authority has found occasion to make some recommendations for further work with processing security in AULA. The Norwegian Data Protection Authority also expects to inform all the country's municipalities, including the municipalities that were not selected for this inspection. The purpose is to encourage the municipalities to consider whether the material gives rise to (further) assessments etc. or ensure the implementation of additional security measures in relation to their processing of personal data in AULA. 1.1. Background for the inspections The reason why the Danish Data Protection Authority initially found it relevant to carry out these inspections with the municipalities is that the Danish Data Protection Authority has seen (and continues to see) a number of breaches of personal data security in connection with the processing of personal data in AULA. In AULA, personal data, including confidential and sensitive personal data, is processed about vulnerable data subjects, such as includes children. In addition, the users of the system are often people who do not work with data protection as their primary occupation (including teachers, educational staff as well as students and parents), which in the opinion of the supervisory authority – in light of the many reported breaches – may mean that stricter requirements should be imposed for the data controllers to observe both technical and organizational measures, cf. 
the data protection regulation's article 32, and mitigating measures for compliance with the regulation's article 25. A large part of the notifications of breaches of personal data security in AULA relate to personal data being sent to one or more wrong recipients in AULA. Eg. where a message or secure file about a child is sent to another child's parents, or where a message is mistakenly sent to a group of recipients instead of a specific recipient. The Danish Data Protection Authority has also seen cases where, when documents were sent to one or more parents, an incorrect document containing information about another child was attached. There has thus been a number of accidental disclosures of personal data about children in AULA, including descriptions of children's difficulty concentrating, settings for educational-psychological assessment, information about dyslexia, school statements as well as action plans and assessment of educational readiness. The inspection is a continuation of the Danish Data Protection Authority's previous inspection of KOMBIT in December 2019, where the Danish Data Protection Authority was able to ascertain on an inspection visit that KOMBIT cannot be regarded as a data controller for AULA according to Article 4, No. 7 of the Data Protection Regulation. At the inspection meeting, the Danish Data Protection Authority informed KOMBIT that KOMBIT had to ensure that all municipalities were informed about their data responsibility, and that KOMBIT had to hand over to the municipalities all necessary material and information on that occasion. 1.2. Focus in supervisory cases The Danish Data Protection Authority notified the supervision of the municipalities on 15 October 2021, where the supervision requested the municipalities to submit their risk assessments and impact analyzes regarding the processing of personal data in AULA. 
In addition, the supervisory authority requested the municipalities to review their considerations in relation to the data protection regulation's requirements in Article 25 on data protection through design and standard settings in connection with the acquisition and development of AULA, as well as a review of their authorization and access management models. Based on the opinions of the 6 selected municipalities, the Danish Data Protection Authority has chosen to limit the focus of the inspections to the municipalities' risk assessment and possible impact analysis regarding AULA. 1.3. Decisions in supervisory cases The Norwegian Data Protection Authority has now made a decision in 5 out of 6 of the supervisory cases. Attached is a copy of the 5 decisions. The Danish Data Protection Authority can state that all 5 municipalities have received either criticism or serious criticism in relation to the part of the cases dealing with impact analysis. Two of the municipalities have received serious criticism as they have not prepared an impact analysis. The Danish Data Protection Authority has also notified the two municipalities of an order to prepare an impact analysis within three months. The three other municipalities have prepared impact analyses. The Norwegian Data Protection Authority has reviewed the three impact assessments and assessed that none of them meet all the minimum requirements for an impact assessment. In addition, the Danish Data Protection Authority has looked at the timing of the preparation of the impact analyses. In this connection, the Danish Data Protection Authority has taken into account the fact that there has been uncertainty about where the data responsibility for the processing of personal data in the solution is located. 
The municipalities and KOMBIT have thus taken the view that the data responsibility for the processing of personal data in AULA - and thus also the responsibility for carrying out risk assessments and impact analyzes - was placed with KOMBIT. At the Danish Data Protection Authority's supervisory visit to KOMBIT in December 2019, the Danish Data Protection Authority found, as mentioned above, that KOMBIT cannot be considered as the data controller. However, all three municipalities are seen to have only prepared impact analyzes long after there was clarity about the data responsibility for the processing of personal data in AULA. Two of the municipalities have also only prepared impact analyzes after the supervisory authority has requested the material in connection with the implementation of the supervision, which is why the Danish Data Protection Authority has expressed serious criticism towards these two municipalities. The Danish Data Protection Authority has criticized the third municipality. All 5 municipalities have also received either criticism or serious criticism in relation to the part of the cases that deal with the municipalities' risk assessment. The criticism concerns the documentation requirement in relation to being able to demonstrate that they have identified and reduced the risks that the processing of personal data in AULA poses for the persons to whom the information relates, so that an appropriate level of security is ensured. In addition, the criticism relates to the lack of identification and implementation of relevant measures to ensure an adequate level of security. Two of the municipalities have not submitted actual risk assessments, and the Danish Data Protection Authority has issued serious criticism to both municipalities. 
One of the municipalities stated in January 2023 that they had not yet completed the initial work to identify relevant measures that can be implemented in order to reduce the identified high risks when processing personal data in AULA. Instead of submitting a risk assessment, the other municipality had referred to a number of annexes as documentation of the mitigating measures the municipality had taken to reduce the risk for those registered. The other three municipalities have submitted risk assessments. The Danish Data Protection Authority has criticized these municipalities, as they have not sufficiently demonstrated that they have ensured an adequate level of security. Several municipalities have forwarded material from KOMBIT, in which a number of high risks from the use of AULA have been identified. It is different how the 6 municipalities have dealt with this material. Some municipalities have stated that they have agreed with KOMBIT's risk assessment, and they have then taken it as a starting point when they have described which measures they have implemented to reduce these risks. One municipality states that it has orientated itself in the material from KOMBIT but concluded that it could not immediately be used as a starting point for actual risk assessments. Other municipalities have carried out their own assessment, where some of the risks they have identified have been assessed to constitute a lower risk than what appears from KOMBIT's material - without, however, being able to sufficiently document the basis on which this assessment was made . 2. The Norwegian Data Protection Authority's general observations Based on the work with the supervisory cases, the Data Protection Authority has made some general observations in relation to the municipalities' work with the risks that the processing of personal data in AULA entails, and about certain processing security issues. 2.1. 
Clarification of data responsibility for new solutions As stated in section 1.1. above, the Danish Data Protection Authority was able to ascertain during the physical inspection visit to KOMBIT in December 2019 that KOMBIT was not to be considered the data controller for AULA, but that the individual municipalities were independently data controllers for their processing of personal data in AULA. The municipalities and KOMBIT were thus of the opinion that the data responsibility for the processing of personal data in AULA - and thus also the responsibility for carrying out risk assessments and impact analyzes - was placed with KOMBIT. The Danish Data Protection Authority assumes that this lack of clarity about data responsibility has been a reason why the municipalities have not prepared impact analyzes prior to their commissioning of AULA. The Danish Data Protection Authority is of the opinion that it is crucial that, at an early stage, it is thoroughly considered where the data responsibility for the processing of personal data in a new technical solution is located. This is particularly important when developing or purchasing solutions to be used by several different organizations. In this connection, the supervisory authority notes that all relevant stakeholders should be included in the deliberations - especially the organizations that must use the system. Such clarification is essential for the data controllers to begin work with e.g. impact analyzes and risk assessments, so that the required analyzes and assessments are prepared before a new solution is put into use. The Danish Data Protection Authority notes in this connection that the purpose of an impact analysis is to determine the specific risks that the processing poses to the rights and freedoms of the data subjects and subsequently ensure that – before the processing begins – measures are determined to remedy these risks and reduce the risk to a level that is less than high. 2.2. 
Documentation of assessments in accordance with Article 32 and Article 5, subsection 1, letter f The Danish Data Protection Authority has established in the supervisory cases that the municipalities have handled the task in relation to documenting their assessments of processing security in different ways. Only three municipalities have prepared actual risk assessments, which they have forwarded to the supervisory authority. One of the municipalities has instead referred to a number of annexes which the municipality has forwarded to the supervisory authority as documentation of the mitigating measures the municipality has taken to reduce the risk for those registered. The municipality has thus not submitted an actual risk assessment, which states which risks the municipality has identified and which measures have been implemented to reduce these risks. Another of the municipalities has referred to the risk assessment material from KOMBIT, where a number of risks have been identified, including several high risks. The municipality has subsequently stated that they had begun work on identifying which measures could reduce these risks, but that the work was still ongoing. Some of the risk assessments carried out are incorporated into the municipalities' impact analyses, and others are prepared separately in Excel sheets, which the municipality refers to in their impact analyses. However, the Danish Data Protection Authority has assessed in one of the supervisory cases that the municipality in question had not identified and assessed the most significant risks that the processing of personal data in AULA poses for the data subjects. In addition, in the three cases where the municipalities had submitted actual risk assessments, the Danish Data Protection Authority found that the municipalities had not proven that the measures that had been implemented were sufficient to reduce the risk to low (with two of the municipalities) and medium (with one of the municipalities). 
The Danish Data Protection Authority assessed that the municipalities had not sufficiently demonstrated that they had ensured a level of security that suited the risks that the processing of personal data in AULA entailed. The Danish Data Protection Authority has generally reviewed the material from the municipalities with a focus on which risks they had identified, how they had assessed these risks, which measures they had described, which were (or would be) implemented, and what effect they assessed that the measures had on the risk . In this connection, the Data Protection Authority has, among other things, looked at whether the municipality had dealt with KOMBIT's assessment of the risk. The Danish Data Protection Authority finds that the documentation obligation that follows from the data protection regulation implies that it must be possible to present material that documents how and on what basis the data protection legal considerations have been made and what they have concretely given rise to. It should thus appear which considerations, choices and opt-outs have been made in order to ensure that the processing of the information is in accordance with the data protection regulation. In this connection, it must be possible to determine when and with what content relevant assessments and decisions have been made. This is a prerequisite in relation to being able to ensure and ensure the legality of the processing and the ability to ensure compliance with the rights of the data subjects, compliance with the data protection legal principles and ensuring an appropriate level of security. The Danish Data Protection Authority is of the opinion that a risk assessment should include an assessment of the consequence (e.g. high, medium, low) for the data subject in the event of a loss of confidentiality, availability and integrity. 
The risk assessment must then identify which threats there are to loss of confidentiality, availability and integrity, as well as the probability (e.g. high, medium, low) that the threat will be realised. Finally, the risk assessment must map the existing security measures and their contribution to reducing the risk. On this basis, the data controllers can assess the risk and decide whether it is an acceptable risk or whether additional measures must be taken. By considering these elements in a risk assessment, the data controllers can thus document how they have assessed the risk to the data subjects of the processing activities in question, as well as on what basis they assess that the implemented measures have reduced the risk. As mentioned above under point 1.3. the risk assessment material from KOMBIT states in general that a number of processing activities carried out in AULA entail a high risk for the data subjects. It is the Danish Data Protection Authority's assessment that if a supplier, data processor or available analyzes determine or indicate certain risk scenarios, the data controllers should comply with these assessments. The Danish Data Protection Authority can ascertain that several of the municipalities have not considered these assessments in their risk assessment. Some of the municipalities' risk assessments also state that the processing of personal data in AULA does not involve high risks. The Danish Data Protection Authority notes in this connection that the data controllers should, as a minimum, carry out a documented, substantiated assessment that relates to why the conditions uncovered in e.g. a supplier's assessment, are not relevant for the data controller. 2.3. Risk of mistransmission in AULA It is generally the opinion of the Danish Data Protection Authority that data controllers who, to a certain systematic extent, use a technical functionality to send messages with e.g. 
confidential and/or sensitive information should investigate whether it is possible to implement one or more technical measures to reduce the risk of mistransmission, or whether it is possible to design the messaging function in a way that reduces such risk. Alongside the case processing in the specific supervisory cases, the Data Protection Authority has therefore also focused on which personal data security breaches the municipalities report, which relate to AULA. In this connection, the Danish Data Protection Authority has found that a large part of the reported breaches relate to the incorrect transmission of personal data to one or more wrong recipients in AULA. Several of the municipalities that were covered by the inspection have, for the same reason, implemented organizational measures with a view to making AULA's users aware of this risk when they send e.g. messages via AULA. In addition, one of the municipalities has also implemented a change request that the municipality had sent to KOMBIT, after which it is possible to delete and edit sent content in messages. Despite this, the Norwegian Data Protection Authority continues to receive a number of notifications of breaches of personal data security from municipalities in general, which relate to incorrect transmissions in AULA. In this connection, the Danish Data Protection Authority can mention that the Danish Data Protection Authority has established that AULA's message module is set up in such a way that in messages sent to several recipients, it is most obvious to reply to all persons in the message thread. There is a less visible field where it is possible to reply directly to the sender of the message. However, in the field where the user replies to everyone in the message thread, there is information about how many people the user is replying to. 
In the Danish Data Protection Authority's opinion, such an arrangement of the message function entails a risk of users of AULA inadvertently sending a message to all recipients in a message thread instead of just to the sender of the message. In this connection, there is a risk of unauthorized disclosure of (sensitive or confidential) personal data to the wrong recipients. In addition, the Danish Data Protection Authority has established that proposals for recipients are automatically drawn up when the user starts writing in the recipient field "To". In this connection, both employees, children and parents are proposed as recipients. In the Danish Data Protection Authority's opinion, this entails a risk of users choosing one or more wrong recipients in the list of proposed recipients, or that they choose e.g. all proposed parents whose first or last name contains the letters entered, instead of one specific recipient. 2.4. Rights management and access control The Danish Data Protection Authority is of the opinion that the requirement for adequate security in Article 32 of the Data Protection Regulation will normally mean that user access to systems is limited to the personal data that is necessary for the needs of the users in question. In this connection, the Danish Data Protection Authority must note that rights management in systems with personal data must prevent unauthorized access to personal data as well as unauthorized changes or loss of personal data in the system in cases where users have access to change or delete information. The Danish Data Protection Authority is of the opinion that in systems such as AULA, where a large number of confidential and protection-worthy information about a large number of persons is processed, higher requirements must be placed on the diligence of the data controller in ensuring that there is no unauthorized access to personal data. 
In addition, the Danish Data Protection Authority is of the opinion that the requirement for adequate security will normally entail that the data controller continuously checks whether access to systems and physical material containing personal data is limited to those users who have a legitimate need for access to the information. It follows from Article 32(1)(d) of the Data Protection Regulation that, where relevant, procedures must be established for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures for ensuring the security of processing. Periodic checks (audits) must, depending on the circumstances, also include checks of authorizations and established access. In this connection, it should be noted that, in the opinion of the Danish Data Protection Authority, a lack of periodic control (audit) entails an unnecessarily high risk of insufficient or defective access control not being identified in a timely manner.

In addition, the Danish Data Protection Authority is of the opinion that the control of access rights should, as a minimum, consist of a verification of the work-related need at the time of allocation, an ongoing control verifying that this need is still present, and some form of auditing thereof. If the auditing is carried out as random checks, the number and frequency of the samples taken must be representative in relation to the number of possible incidents and the risk to the rights of data subjects. Against this background, the Danish Data Protection Authority is of the opinion that it is not sufficient for user access to AULA simply to be added and removed locally in the individual institutions and schools, without subsequent periodic checks of whether the users in question still need the access they have been assigned.

3. The Data Protection Authority's recommendations

3.1. Joint impact assessment and code of conduct

In system landscapes where several data controllers use the same systems and carry out approximately the same processing of personal data, there can be significant synergy in making joint assessments of risk factors, possible impact analyses and mitigating measures. The Danish Data Protection Authority notes that it may be relevant to carry out a joint impact analysis if several data controllers together plan to introduce a joint IT system or processing platform, e.g. within the municipal sector. In order for several data controllers to prepare a joint impact analysis, it is a prerequisite that the same type of system is involved, the same processing activity on the same personal data, and that the processing activities involve similarly high risks. Complete identity between the systems and the processing activities is not essential; what matters is that the system, the data and, in particular, the processing activities do not differ significantly from each other. Otherwise, a supplement to the joint impact analysis must necessarily be prepared. Thus, the Danish Data Protection Authority is of the opinion that, for example, it will be sufficient for several municipalities to prepare one data protection impact analysis for the processing of personal data in the same system, provided by the same supplier, if the same processing activities are carried out in the system, the same types of personal data are processed and the processing activities involve the same high risks.[1] It is the data controllers who specifically assess whether a joint impact analysis can be carried out for the processing activities in the systems. The data controllers in a joint impact assessment are each responsible for carrying out the impact assessment.[2]

The Danish Data Protection Authority is of the opinion that, in relation to the municipalities' processing of personal data in AULA, the municipalities use the same type of system for the same processing activities on the same types of personal data, and that the municipalities' processing activities involve similarly high risks. In addition, the system is supplied by the same supplier. The municipalities thus have the opportunity to prepare a joint data protection impact analysis for their processing of personal data in AULA. The Danish Data Protection Authority must therefore encourage the municipalities, possibly in collaboration with KL and KOMBIT, to consider preparing a joint impact analysis regarding the municipalities' processing of personal data in AULA. The Danish Data Protection Authority has received from several municipalities KOMBIT's template for an impact analysis concerning the processing of personal data in AULA, which could possibly form a starting point for further work.

In associations and bodies representing categories of data controllers, a code of conduct may also advantageously be drawn up in accordance with Article 40 of the Data Protection Regulation in order to specify the application of the Regulation. A code of conduct can provide correct and practical instructions on how to arrange one or more processing activities in order to comply with the data protection rules, for example by laying down procedures to be followed for a particular processing activity. A code of conduct will therefore be a useful tool for the authorities that have signed up to it in complying with the data protection rules. This facilitates compliance with the rules, but does not relieve the individual data controller of the duties and tasks incumbent on it as data controller. This is particularly important in situations where the data controller chooses to deviate from the prerequisites of the common concepts and processing, e.g. when using a system for other purposes. Against this background, the Danish Data Protection Authority must encourage the municipalities, possibly in collaboration with KL and KOMBIT, to consider drawing up a code of conduct in accordance with Article 40 of the Data Protection Regulation regarding the municipalities' processing of personal data in AULA. This may also be relevant to consider in relation to other processing activities in the municipalities where the municipalities use the same system for processing the same types of personal data for the same purposes.

3.2. Managing the risk of sending errors in AULA

The Danish Data Protection Authority also recommends that KOMBIT, together with the municipalities responsible for the data, investigate whether it is possible to implement one or more technical measures to reduce the risk of sending errors, or whether it is possible to arrange the message function in a way that reduces such risk.

[1] See also the Danish Data Protection Authority's guidance on supervision of data processors from October 2021, where it appears, among other things, that several data controllers can jointly assess risks and investigate similarities and differences in their use of the same data processor with a view to deciding whether joint supervision of the data processor can be carried out.

[2] Reference is made to the Danish Data Protection Authority's guidance on impact analysis from March 2018.
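Section 2.4 above sets out three controls for access rights: a recorded work-related need at allocation, an ongoing check that the need still exists, and an audit whose random sample is representative of the population and the risk. The script below is an added illustration of how a municipality could run such a periodic review; it is not code from Datatilsynet, KOMBIT or the AULA project. The `Grant` record, the `CURRENT_NEED` set standing in for the authoritative source (HR system or pupil register), the review interval and the sample data are all constructed assumptions.

```python
"""Periodic review of user access (recertification) with a representative random sample.

Added illustration; not code from Datatilsynet, KOMBIT or the AULA project.
The data model, the authoritative-source lookup and the review interval are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import math
import random


@dataclass(frozen=True)
class Grant:
    user: str
    role: str            # e.g. "teacher", "parent", "admin"
    scope: str           # what the access covers: a class, a pupil, an institution
    granted: date
    justification: str   # work-related need recorded when the access was allocated
    last_verified: date  # last date on which that need was re-confirmed


# Constructed sample data (fictitious accounts). CURRENT_NEED stands in for the
# authoritative source (HR system / pupil register) that says who should hold what today.
CURRENT_NEED = {
    ("t.jensen", "teacher", "class-3A"),
    ("a.nielsen", "teacher", "class-5B"),
    ("p.hansen", "parent", "pupil-4711"),
    ("it.admin", "admin", "school-north"),
}

GRANTS = [
    Grant("t.jensen", "teacher", "class-3A", date(2023, 8, 1), "class teacher 3A", date(2023, 8, 1)),
    Grant("a.nielsen", "teacher", "class-5B", date(2022, 8, 1), "class teacher 5B", date(2023, 9, 15)),
    # moved to another class; the old access was never removed locally
    Grant("a.nielsen", "teacher", "class-3A", date(2021, 8, 1), "class teacher 3A", date(2021, 8, 1)),
    Grant("p.hansen", "parent", "pupil-4711", date(2020, 8, 10), "guardian", date(2023, 8, 10)),
    # no work-related need recorded at allocation, and the pupil is not in the register
    Grant("p.hansen", "parent", "pupil-4712", date(2020, 8, 10), "", date(2020, 8, 10)),
    Grant("it.admin", "admin", "school-north", date(2019, 1, 1), "platform operations", date(2023, 7, 1)),
]

REVIEW_DATE = date(2024, 1, 15)   # constructed date of this review run


def review_grants(grants, current_need, today, max_age_days=365):
    """Apply the three controls to every grant: need recorded at allocation,
    need still present in the authoritative source, re-verification not overdue.
    Returns (grant, finding) pairs for the reviewer to act on."""
    findings = []
    for g in grants:
        if not g.justification.strip():
            findings.append((g, "no work-related need recorded at allocation"))
        if (g.user, g.role, g.scope) not in current_need:
            findings.append((g, "need no longer present in the authoritative source"))
        elif today - g.last_verified > timedelta(days=max_age_days):
            findings.append((g, "re-verification of the need is overdue"))
    return findings


def sample_size(population, margin=0.05, z=1.96, p=0.5):
    """Number of grants to inspect so the sample is representative of the population:
    Cochran's formula for a proportion with finite-population correction.
    Tighten `margin` (or raise `z`) where the risk to data subjects is higher."""
    if population <= 0:
        return 0
    n0 = (z * z) * p * (1 - p) / (margin * margin)
    n = n0 / (1 + (n0 - 1) / population)
    return min(population, math.ceil(n))


def draw_sample(grants, margin=0.05, seed=None):
    """Pick the grants for a spot-check audit; a fixed `seed` makes the draw reproducible for the audit record."""
    rng = random.Random(seed)
    return rng.sample(grants, sample_size(len(grants), margin))


if __name__ == "__main__":
    for grant, finding in review_grants(GRANTS, CURRENT_NEED, REVIEW_DATE):
        print(f"{grant.user:10} {grant.scope:13} {finding}")
    print("spot-check size for a population of 1000 grants:", sample_size(1000))
```

The full pass over every grant is the ongoing control; `draw_sample` is the audit on top of it, sized by the population rather than by a fixed number, so a school with many accounts does not end up with the same handful of spot checks as a small one.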
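Sections 2.3 and 3.2 describe two interface properties that cause misdirected messages (reply-all being the most obvious choice, and a recipient list that suggests every employee, child and parent matching a few typed letters) and recommend investigating technical measures against them. The following is an added sketch of what such measures could look like in a messaging module; it is not code from KOMBIT or AULA and does not describe how AULA is built. The directory fields, the `concerns_pupil` tag on a draft, the minimum query length and the block/warn severities are assumptions, and the names are constructed.

```python
"""Send-time guard for a school messaging module: reply-to-sender as the default,
scoped recipient suggestions, and a consistency check between the pupil a message
concerns and its recipients. Added illustration, not code from KOMBIT or AULA; the
directory fields, the concerns_pupil tag and the severity levels are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    uid: str
    name: str
    role: str                              # "staff", "parent" or "pupil"
    classes: frozenset = frozenset()       # classes the user teaches or belongs to
    guardian_of: frozenset = frozenset()   # pupil uids (parents only)


# Constructed directory (fictitious names). Several similar surnames on purpose:
# this is the situation in which a substring suggestion list selects the wrong parent.
DIRECTORY = {u.uid: u for u in [
    User("t1", "Mette Sørensen", "staff", classes=frozenset({"3A"})),
    User("t2", "Lars Holm", "staff", classes=frozenset({"5B"})),
    User("p1", "Anne Hansen", "parent", classes=frozenset({"3A"}), guardian_of=frozenset({"c1"})),
    User("p2", "Anne Hansson", "parent", classes=frozenset({"3A"}), guardian_of=frozenset({"c2"})),
    User("p3", "Peter Hansen", "parent", classes=frozenset({"5B"}), guardian_of=frozenset({"c3"})),
    User("c1", "Emil Hansen", "pupil", classes=frozenset({"3A"})),
    User("c2", "Ida Hansson", "pupil", classes=frozenset({"3A"})),
]}


@dataclass
class Draft:
    sender: str
    recipients: list
    concerns_pupil: Optional[str] = None   # pupil the message or attached file is about


def default_reply_recipients(thread_sender, thread_participants, reply_all=False):
    """Replying addresses only the original sender unless reply-all was chosen explicitly."""
    return sorted(thread_participants) if reply_all else [thread_sender]


def suggest_recipients(query, sender_uid, directory, min_len=3):
    """Suggestions are limited to people who share a class with the sender and only
    appear once the query is long enough to be specific."""
    if len(query) < min_len:
        return []
    sender = directory[sender_uid]
    q = query.casefold()
    hits = [u for u in directory.values()
            if u.uid != sender_uid and (u.classes & sender.classes) and q in u.name.casefold()]
    return sorted(hits, key=lambda u: u.name)


def check_draft(draft, directory):
    """Return (severity, message) issues: 'block' stops sending, 'warn' asks for confirmation."""
    issues = []
    if len(draft.recipients) > 1:
        issues.append(("warn", f"message goes to {len(draft.recipients)} recipients; confirm"))
    for uid in draft.recipients:
        u = directory.get(uid)
        if u is None:
            issues.append(("block", f"unknown recipient {uid}"))
            continue
        if draft.concerns_pupil:
            # a message about one child must not reach another child's guardians or another pupil
            if u.role == "parent" and draft.concerns_pupil not in u.guardian_of:
                issues.append(("block", f"{u.name} is not a guardian of pupil {draft.concerns_pupil}"))
            elif u.role == "pupil" and u.uid != draft.concerns_pupil:
                issues.append(("block", f"{u.name} is a different pupil from the one the message concerns"))
    return issues


def may_send(draft, directory):
    return not any(sev == "block" for sev, _ in check_draft(draft, directory))


if __name__ == "__main__":
    d = Draft("t1", ["p1", "p2"], concerns_pupil="c1")
    for sev, msg in check_draft(d, DIRECTORY):
        print(sev, msg)
    print("may send:", may_send(d, DIRECTORY))
```

The guardian check is the part that addresses the breach pattern the decision describes (a file about one child sent to another child's parents): it needs the message or attachment to carry which pupil it concerns, which is a metadata requirement on the content side, not only on the recipient picker.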
33 19 32 00 dt@datatilsynet.dk About us About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement Shortcuts Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme follow us The Norwegian Data Protection Authority on LinkedIn Information on the Danish Data Protection Authority's decisions regarding AULA Date: 15-01-2024 Decision Public authorities Criticism Serious criticism Order Supervision / self-operation case Processing security Basic principles Risk assessment and impact analysis The Danish Data Protection Authority has made a decision in five supervisory cases regarding processing security in AULA. The Danish Data Protection Authority found reason to issue orders for the preparation of impact analyzes in two of the cases. In addition, the supervisory authority has expressed criticism and serious criticism in the cases. Journal number: 2023-420-0001. 1. Introduction In autumn 2021, the Danish Data Protection Authority initiated a series of inspections of a total of 6 municipalities' processing of information in the AULA IT system. The inspections were focused on compliance with the data protection regulation, with a particular focus on which technical and organizational security measures have been observed to meet the requirement for an appropriate level of security for the treatments. The inspection included Esbjerg Municipality, Frederikshavn Municipality, Hillerød Municipality, Copenhagen Municipality, Lollands Municipality and Randers Municipality, which were selected with the aim of gaining a broad and representative insight into the municipalities' considerations in relation to processing safety when using in AULA. The Norwegian Data Protection Authority has now made a decision in all cases except the case concerning the Municipality of Copenhagen. 
The supervisory case with Copenhagen Municipality contains some additional elements, which is why the Data Protection Authority has not yet made a decision in this case. The Danish Data Protection Authority finds that the supervisory cases raise some general data protection legal issues across the municipalities, which can be advantageously handled collectively rather than separately by the individual municipalities. The Norwegian Data Protection Authority has therefore chosen to inform the National Association of Municipalities (KL), the Norwegian Agency for IT and Learning and Kombit A/S (hereafter KOMBIT) about the Norwegian Authority's decisions in these cases. At the same time, the Danish Data Protection Authority has found occasion to make some recommendations for further work with processing security in AULA. The Danish Data Protection Authority also expects to inform all the country's municipalities, including the municipalities that were not selected for this inspection. The purpose is to encourage the municipalities to consider whether the material gives rise to (further) assessments etc. or ensure the implementation of additional security measures in relation to their processing of personal data in AULA. 1.1. Background for the inspections The reason why the Danish Data Protection Authority initially found it relevant to carry out these inspections with the municipalities is that the Danish Data Protection Authority has seen (and continues to see) a number of breaches of personal data security in connection with the processing of personal data in AULA. In AULA, personal data, including confidential and sensitive personal data, is processed about vulnerable data subjects, such as includes children. 
In addition, the users of the system are often people who do not work with data protection as their primary job (including teachers, educational staff as well as students and parents), which in the opinion of the supervisory authority – in light of the many reported breaches – may mean that stricter requirements should be imposed for the data controllers to observe both technical and organizational measures, cf. the data protection regulation's article 32, and mitigating measures for compliance with the regulation's article 25. A large part of the notifications of breaches of personal data security in AULA relate to personal data being sent to one or more wrong recipients in AULA. Eg. where a message or secure file about a child is sent to another child's parents, or where a message is mistakenly sent to a group of recipients instead of a specific recipient. The Danish Data Protection Authority has also seen cases where, when documents were sent to one or more parents, an incorrect document containing information about another child was attached. There has thus been a number of accidental disclosures of personal data about children in AULA, including descriptions of children's difficulty concentrating, settings for educational-psychological assessment, information about dyslexia, school statements as well as action plans and assessment of educational readiness. The inspection is a continuation of the Danish Data Protection Authority's previous inspection of KOMBIT in December 2019, where the Danish Data Protection Authority was able to ascertain on an inspection visit that KOMBIT cannot be regarded as a data controller for AULA according to Article 4, No. 7 of the Data Protection Regulation. 
At the inspection meeting, the Danish Data Protection Authority informed KOMBIT that KOMBIT had to ensure that all municipalities were informed about their data responsibility, and that KOMBIT had to hand over to the municipalities all necessary material and information on that occasion. 1.2. Focus in supervisory cases The Danish Data Protection Authority notified the supervision of the municipalities on 15 October 2021, where the supervision requested the municipalities to submit their risk assessments and impact analyzes regarding the processing of personal data in AULA. In addition, the supervisory authority requested the municipalities to review their considerations in relation to the data protection regulation's requirements in Article 25 on data protection through design and standard settings in connection with the acquisition and development of AULA, as well as a review of their authorization and access management models. Based on the opinions of the 6 selected municipalities, the Danish Data Protection Authority has chosen to limit the focus of the inspections to the municipalities' risk assessment and possible impact analysis regarding AULA. 1.3. Decisions in supervisory cases The Norwegian Data Protection Authority has now made a decision in 5 out of 6 of the supervisory cases. Attached is a copy of the 5 decisions. The Danish Data Protection Authority can state that all 5 municipalities have received either criticism or serious criticism in relation to the part of the cases dealing with impact analysis. Two of the municipalities have received serious criticism as they have not prepared an impact analysis. The Danish Data Protection Authority has also notified the two municipalities of an order to prepare an impact analysis within three months. The three other municipalities have prepared impact analyses. 
The Norwegian Data Protection Authority has reviewed the three impact assessments and assessed that none of them meet all the minimum requirements for an impact assessment. In addition, the Danish Data Protection Authority has looked at the timing of the preparation of the impact analyses. In this connection, the Danish Data Protection Authority has taken into account the fact that there has been uncertainty about where the data responsibility for the processing of personal data in the solution is located. The municipalities and KOMBIT have thus taken the view that the data responsibility for the processing of personal data in AULA - and thus also the responsibility for carrying out risk assessments and impact analyzes - was placed with KOMBIT. At the Danish Data Protection Authority's supervisory visit to KOMBIT in December 2019, the Danish Data Protection Authority found, as mentioned above, that KOMBIT cannot be considered as the data controller. However, all three municipalities are seen to have only prepared impact analyzes long after there was clarity about the data responsibility for the processing of personal data in AULA. Two of the municipalities have also only prepared impact analyzes after the supervisory authority has requested the material in connection with the implementation of the supervision, which is why the Danish Data Protection Authority has expressed serious criticism towards these two municipalities. The Danish Data Protection Authority has criticized the third municipality. All 5 municipalities have also received either criticism or serious criticism in relation to the part of the cases that deal with the municipalities' risk assessment. The criticism concerns the documentation requirement in relation to being able to demonstrate that they have identified and reduced the risks that the processing of personal data in AULA poses for the persons to whom the information relates, so that an appropriate level of security is ensured. 
In addition, the criticism relates to the lack of identification and implementation of relevant measures to ensure an adequate level of security. Two of the municipalities have not submitted actual risk assessments, and the Danish Data Protection Authority has issued serious criticism to both municipalities. One of the municipalities stated in January 2023 that they had not yet completed the initial work to identify relevant measures that can be implemented in order to reduce the identified high risks when processing personal data in AULA. Instead of submitting a risk assessment, the other municipality had referred to a number of annexes as documentation of the mitigating measures the municipality had taken to reduce the risk for those registered. The other three municipalities have submitted risk assessments. The Danish Data Protection Authority has criticized these municipalities, as they have not sufficiently demonstrated that they have ensured an adequate level of security. Several municipalities have forwarded material from KOMBIT, in which a number of high risks from the use of AULA have been identified. It is different how the 6 municipalities have dealt with this material. Some municipalities have stated that they have agreed with KOMBIT's risk assessment, and they have then taken it as a starting point when they have described which measures they have implemented to reduce these risks. One municipality states that it has orientated itself in the material from KOMBIT but concluded that it could not immediately be used as a starting point for actual risk assessments. Other municipalities have carried out their own assessment, where some of the risks they have identified are assessed to be a lower risk than what appears from KOMBIT's material - without, however, being able to sufficiently document the basis on which this assessment was made . 2. 
The Data Protection Authority's general observations Based on the work with the supervisory cases, the Data Protection Authority has made some general observations in relation to the municipalities' work with the risks that the processing of personal data in AULA entails, and about certain processing security issues. 2.1. Clarification of data responsibility for new solutions As stated in section 1.1. above, the Danish Data Protection Authority was able to ascertain during the physical inspection visit to KOMBIT in December 2019 that KOMBIT was not to be considered the data controller for AULA, but that the individual municipalities were independently data controllers for their processing of personal data in AULA. The municipalities and KOMBIT had thus been of the opinion that the data responsibility for the processing of personal data in AULA - and thus also the responsibility for carrying out risk assessments and impact analyzes - was placed with KOMBIT. The Danish Data Protection Authority assumes that this lack of clarity about data responsibility has been a reason why the municipalities have not prepared impact analyzes prior to their commissioning of AULA. The Danish Data Protection Authority is of the opinion that it is crucial that, at an early stage, it is thoroughly considered where the data responsibility for the processing of personal data in a new technical solution is located. This is particularly important when developing or purchasing solutions to be used by several different organizations. In this connection, the supervisory authority notes that all relevant stakeholders should be included in the deliberations - especially the organizations that must use the system. Such clarification is essential for the data controllers to begin work with e.g. impact analyzes and risk assessments, so that the required analyzes and assessments are prepared before a new solution is put into use. 
The Danish Data Protection Authority notes in this connection that the purpose of an impact analysis is to determine the specific risks that the processing poses to the rights and freedoms of the data subjects and subsequently ensure that – before the processing begins – measures are determined to remedy these risks and reduce the risk to a level that is less than high. 2.2. Documentation of assessments in accordance with Article 32 and Article 5, subsection 1, letter f The Danish Data Protection Authority has established in the supervisory cases that the municipalities have handled the task in relation to documenting their assessments of processing security in different ways. Only three municipalities have prepared actual risk assessments, which they have forwarded to the supervisory authority. One of the municipalities has instead referred to a number of annexes which the municipality has forwarded to the supervisory authority as documentation of the mitigating measures the municipality has taken to reduce the risk for those registered. The municipality has thus not submitted an actual risk assessment, which states which risks the municipality has identified and which measures have been implemented to reduce these risks. Another of the municipalities has referred to the risk assessment material from KOMBIT, where a number of risks have been identified, including several high risks. The municipality has subsequently stated that they had begun work on identifying which measures could reduce these risks, but that the work was still ongoing. Some of the risk assessments carried out are incorporated into the municipalities' impact analyses, and others are prepared separately in Excel sheets, which the municipality refers to in their impact analyses. 
However, the Danish Data Protection Authority has assessed in one of the supervisory cases that the municipality in question had not identified and assessed the most significant risks that the processing of personal data in AULA poses for the data subjects. In addition, in the three cases where the municipalities had submitted actual risk assessments, the Danish Data Protection Authority found that the municipalities had not proven that the measures that had been implemented were sufficient to reduce the risk to low (with two of the municipalities) and medium (with one of the municipalities). The Danish Data Protection Authority assessed that the municipalities had not sufficiently demonstrated that they had ensured a level of security that suited the risks that the processing of personal data in AULA entailed. The Danish Data Protection Authority has generally reviewed the material from the municipalities with a focus on which risks they had identified, how they had assessed these risks, which measures they had described, which were (or would be) implemented, and what effect they assessed that the measures had on the risk . In this connection, the Data Protection Authority has, among other things, looked at whether the municipality had dealt with KOMBIT's assessment of the risk. The Danish Data Protection Authority finds that the documentation obligation that follows from the data protection regulation implies that it must be possible to present material that documents how and on what basis the data protection legal considerations have been made and what they have concretely given rise to. It should thus appear which considerations, choices and opt-outs have been made in order to ensure that the processing of the information is in accordance with the data protection regulation. In this connection, it must be possible to determine when and with what content relevant assessments and decisions have been made. 
This is a prerequisite in relation to being able to ensure and ensure the legality of the processing and the ability to ensure compliance with the rights of the data subjects, compliance with the data protection legal principles and ensuring an appropriate level of security. The Danish Data Protection Authority is of the opinion that a risk assessment should include an assessment of the consequence (e.g. high, medium, low) for the data subject in the event of a loss of confidentiality, availability and integrity. The risk assessment must then identify which threats there are to loss of confidentiality, availability and integrity, as well as the probability (e.g. high, medium, low) that the threat will be realised. Finally, the risk assessment must map the existing security measures and their contribution to reducing the risk. On this basis, the data controllers can assess the risk and decide whether it is an acceptable risk or whether additional measures must be taken. By referring to these elements in a risk assessment, the data controllers can thus document how they have assessed the risk to the data subjects of the processing activities in question, as well as on what basis they assess that the implemented measures have reduced the risk. As mentioned above under point 1.3. the risk assessment material from KOMBIT states in general that a number of processing activities carried out in AULA entail a high risk for the data subjects. It is the Danish Data Protection Authority's assessment that if a supplier, data processor or available analyzes determine or indicate certain risk scenarios, the data controllers should comply with these assessments. The Danish Data Protection Authority can ascertain that several of the municipalities have not considered these assessments in their risk assessment. Some of the municipalities' risk assessments also state that the processing of personal data in AULA does not entail high risks. 
The Danish Data Protection Authority notes in this connection that the data controllers should, as a minimum, carry out a documented, substantiated assessment relating to why the conditions uncovered in e.g. a supplier's assessment, are not relevant for the data controller. 2.3. Risk of mistransmission in AULA It is generally the opinion of the Danish Data Protection Authority that data controllers who, to a certain systematic extent, use a technical functionality to send messages with e.g. confidential and/or sensitive information should investigate whether it is possible to implement one or more technical measures to reduce the risk of mistransmission, or whether it is possible to design the messaging function in a way that reduces such risk. Alongside the case processing in the specific supervisory cases, the Data Protection Authority has therefore also focused on which personal data security breaches the municipalities report, which relate to AULA. In this connection, the Danish Data Protection Authority has found that a large part of the reported breaches relate to the incorrect transmission of personal data to one or more wrong recipients in AULA. Several of the municipalities that were covered by the inspection have, for the same reason, implemented organizational measures with a view to making AULA's users aware of this risk when they send e.g. messages via AULA. In addition, one of the municipalities has also implemented a change request that the municipality had sent to KOMBIT, after which it is possible to delete and edit sent content in messages. Despite this, the Norwegian Data Protection Authority continues to receive a number of notifications of breaches of personal data security from municipalities in general, which relate to incorrect transmissions in AULA. 
In this connection, the Danish Data Protection Authority can mention that the Danish Data Protection Authority has established that AULA's message module is set up in such a way that in messages sent to several recipients, it is most obvious to reply to all persons in the message thread. There is a less visible field where it is possible to reply directly to the sender of the message. In the field where the user replies to everyone in the message thread, however, there is information about how many people the user is replying to. In the Danish Data Protection Authority's view, such an arrangement of the message function entails a risk of users of AULA inadvertently sending a message to all recipients in a message thread instead of just to the sender of the message. In this connection, there is a risk of unauthorized disclosure of (sensitive or confidential) personal data to the wrong recipients. In addition, the Danish Data Protection Authority has established that proposals for recipients are automatically drawn up when the user starts writing in the recipient field "To". In this connection, both employees, children and parents are proposed as recipients. In the Data Protection Authority's view, this entails a risk of users choosing one or more wrong recipients in the list of proposed recipients, or of them choosing e.g. all proposed parents whose first or last name contains the letters entered, instead of one particular recipient. 2.4. Rights management and access control The Danish Data Protection Authority is of the opinion that the requirement for adequate security in Article 32 of the Data Protection Regulation will normally mean that user access to systems is limited to the personal data that is necessary for the needs of the users in question. 
In this connection, the Danish Data Protection Authority must note that rights management in systems with personal data must prevent unauthorized access to personal data as well as unauthorized changes or loss of personal data in the system in cases where users have access to change or delete information. It is the opinion of the Danish Data Protection Authority that in systems such as AULA, where a large number of confidential and protection-worthy information about a large number of persons is processed, higher requirements must be placed on the care of the data controller in ensuring that there is no unauthorized access to personal data. In addition, the Danish Data Protection Authority is of the opinion that the requirement for adequate security will normally mean that the data controller continuously checks whether access to systems and physical material with personal data is limited to those users who have a legitimate need for access to the data. It follows from the data protection regulation article 32, subsection 1, letter d, that, if relevant, procedures must be established for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure processing safety. Periodic checks (audits) must, depending on the circumstances, also include checks on authorizations and established access. In connection with this, it should be noted that, in the Data Protection Authority's view, a lack of periodic control (audit) entails an unnecessarily high risk of inadequate or defective access control not being identified in a timely manner. In addition, the Danish Data Protection Authority is of the opinion that the control of access rights should, as a minimum, consist of a verification of the work-related need at the time of allocation, an ongoing control based on verification that this need is still present and some form of auditing thereof. 
If the auditing is carried out as random checks, the number and frequency of random samples taken must be representative in relation to the number of possible incidents and the risk to the rights of data subjects. Against this background, the Danish Data Protection Authority is of the opinion that it is not sufficient for user access to AULA to simply be added and removed locally in the individual institutions and locally in the schools, without subsequent periodic checks to see whether the users in question still need the access they are assigned. 3. The Data Protection Authority's recommendations 3.1. Joint impact assessment and code of conduct In system landscapes where several data controllers use the same systems and carry out approximately the same processing of personal data, there can be significant synergy in making joint assessments of risk factors, possible impact analyzes and mitigating measures. The Danish Data Protection Authority notes that it may be relevant to carry out a joint impact analysis if several data controllers together plan to introduce a joint IT system or processing platform, e.g. within the municipal sector. In order for several data controllers to come together to prepare a joint impact analysis, it is a prerequisite that it is the same type of system, the same processing activity of the same personal data, and that the processing activities involve similarly high risks. It is not essential that there is complete identity between the systems and the processing activities, but that the system, data and especially that the processing activities do not differ significantly from each other. Otherwise, a supplement to the joint impact analysis must necessarily be prepared. 
Thus, the Danish Data Protection Authority is of the opinion that, for example, it will be sufficient for several municipalities to prepare one impact analysis regarding data protection for the processing of personal data in the same system, which is provided by the same supplier, if the same processing activities are carried out in the system, and the same types of data are processed personal data and the processing activities involve the same high risks.[1] It is the data controllers who concretely assess whether a joint impact analysis can be carried out for the processing activities in the systems. The data controllers in a joint impact assessment are each responsible for carrying out the impact assessment.[2] The Danish Data Protection Authority is of the opinion that, in relation to the municipalities' processing of personal data in AULA, the municipalities use the same type of system for the same processing activities of the same types of personal data, and that the municipalities' processing activities involve similarly high risks. In addition, the system is supplied by the same supplier. The municipalities thus have the opportunity to prepare a joint impact analysis regarding data protection for their processing of personal data in AULA. The Danish Data Protection Authority must therefore encourage consideration across the municipalities and possibly in collaboration with KL and KOMBIT to prepare a joint impact analysis regarding the municipalities' processing of personal data in AULA. The Danish Data Protection Authority has received from several municipalities KOMBIT's template for impact analysis, which concerns the processing of personal data in AULA, which could possibly form a starting point for further work. 
In associations and bodies representing categories of data controllers, a code of conduct may also be advantageously drawn up in accordance with Article 40 of the Data Protection Regulation in order to specify the application of the Regulation. A code of conduct can provide correct and practical instructions on how to arrange one or more processing activities in order to comply with the data protection rules, for example by determining the procedures to be followed for a particular processing activity. A code of conduct will therefore be a useful tool to help the authorities that have signed up to it comply with the data protection rules. This facilitates compliance with the rules, but does not relieve the individual data controller of the duties and tasks incumbent on them as data controller. This is particularly important in situations where the data controller chooses to deviate from the prerequisites of the common concepts and processing operations, e.g. when using a system for other purposes. Against this background, the Danish Data Protection Authority must encourage the municipalities to consider, possibly in collaboration with KL and KOMBIT, drawing up a code of conduct in accordance with Article 40 of the Data Protection Regulation regarding the municipalities' processing of personal data in AULA. This may also be relevant to consider in relation to other processing activities in the municipalities, where the municipalities use the same system for processing the same types of personal data for the same purposes.

3.2. Managing the risk of sending errors in AULA

The Danish Data Protection Authority also recommends that KOMBIT, together with the municipalities responsible for the data, investigate whether it is possible to implement one or more technical measures to reduce the risk of sending errors, or whether it is possible to arrange the message function in a way that reduces such risk.
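One technical measure of the kind the DPA asks KOMBIT and the municipalities to investigate is a pre-send check that every recipient of a message about a pupil actually has a relationship to that pupil (a registered guardian, or staff at the pupil's school), with a separate warning when a message is addressed to a group so the sender can confirm the audience. The following is an added example of such a check; it is not AULA's or KOMBIT's code, and the guardian, staff and enrolment tables, the account names and the decision format are all constructed for the illustration.

```python
"""Pre-send recipient check for messages about a pupil.

Added example, not AULA's or KOMBIT's code: before a message tagged with a
pupil is sent, every recipient must be a guardian of that pupil or staff at
the pupil's school; otherwise the send is blocked and the unrelated
recipients are reported back to the sender. Group sends are allowed but
flagged for confirmation. All relationship data below is constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed directory: which guardians and which staff may receive
# messages about which pupil.
GUARDIANS = {            # pupil -> guardian accounts
    "pupil-1": {"guardian-anna", "guardian-bo"},
    "pupil-2": {"guardian-carl"},
}
STAFF_AT = {             # institution -> staff accounts
    "school-a": {"teacher-dorte", "teacher-erik"},
    "school-b": {"teacher-finn"},
}
ENROLLED_AT = {          # pupil -> institution
    "pupil-1": "school-a",
    "pupil-2": "school-a",
}


@dataclass
class SendDecision:
    allowed: bool
    unrelated_recipients: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def permitted_recipients(about_pupil):
    """Accounts with a legitimate relationship to the pupil the message concerns."""
    allowed = set(GUARDIANS.get(about_pupil, set()))
    allowed |= STAFF_AT.get(ENROLLED_AT.get(about_pupil), set())
    return allowed


def check_recipients(about_pupil, recipients, is_group=False):
    """Decide whether a message about about_pupil may go to recipients.

    Blocks if any recipient is neither a guardian of the pupil nor staff at
    the pupil's school. A group send is not blocked on its own, but carries
    a warning so the client can require an explicit confirmation step.
    """
    allowed = permitted_recipients(about_pupil)
    unrelated = sorted(r for r in recipients if r not in allowed)
    decision = SendDecision(allowed=not unrelated, unrelated_recipients=unrelated)
    if is_group:
        decision.warnings.append("addressed to a group; confirm the intended audience")
    return decision


if __name__ == "__main__":
    # A note about pupil-1 wrongly addressed to pupil-2's guardian is blocked.
    print(check_recipients("pupil-1", ["guardian-anna", "guardian-carl"]))
    # A class-wide message from a teacher is allowed but flagged.
    print(check_recipients("pupil-1", ["guardian-anna", "guardian-bo"], is_group=True))
```

The check is deliberately placed on the server side of the send path rather than in the composer UI alone, so that it also covers messages created through any other client or integration; the warning on group sends is the hook for the confirmation dialog mentioned in the decision's description of mistaken group sends.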
[1] See also the Danish Data Protection Authority's guidance on supervision of data processors from October 2021, where it appears, among other things, that several data controllers can jointly assess risks and investigate similarities/differences in the use of the same data processor with a view to deciding whether a joint supervision of the data processor can be carried out.

[2] Reference is made to the Norwegian Data Protection Authority's guidance on impact analysis from March 2018.
