APDCAT (Catalonia) - PS 54/2021

From GDPRhub
Revision as of 17:08, 30 March 2022 by Sergi (talk | contribs) (Added “to”)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APDCAT (Catalonia) - PS 54/2021
Apdcat-logo.png
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Article 83(4)(a) GDPR
Type: Complaint
Outcome: Upheld
Started: 30.06.2021
Decided:
Published: 10.03.2022
Fine: None
Parties: Departament de Salut de la Generalitat de Catalunya
National Case Number/Name: PS 54/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Catalan, Valencian
Original Source: APDCAT (in CA)
Initial Contributor: Sergi Ariño Mayans

The Catalan DPA issued a reprimand to the Catalan Department of Health for lacking adequate security measures on their COVID19 vaccination website, in violation of Article 32 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A citizen filed a complaint with the Catalan DPA (APDCAT) reporting that the Catalan Department of Health's website for citizens to set up COVID19 vaccination appointments, had some security vulnerabilities. The website allowed unauthorised third parties to get access to data subject's personal data just by entering their personal ID number, and neither authentication nor verification processes were requested. The personal data included name and surname, health card number, phone number, email, and vaccine type, as well as the vaccination appointment's place, date and time.

Holding[edit | edit source]

The APDCAT held that the Department of Health is responsible of an infringement of Article 32 GDPR, since no appropriate technical and organisational measures were in place to ensure a level of security appropriate to the risk in the processing. Moreover, the APDCAT pointed out that the Department of Health did not carry out the corresponding Data Protection Impact Assessment (DPIA) prior to the processing in order to assess the impact of the envisaged processing operations.

Therefore, the APDCAT requested the Department of Health to carry out a risk analysis based on Article 32 GDPR within one month, in order to determine which technical and organisational measures are appropriate to ensure the security of the vaccination data on their website.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.

                                                                                                PS 54/2021
Carrer Rosselló, 214, esc. A, 1st 1st
08008 Barcelona




File identification

Resolution of the sanctioning procedure no. PS 54/2021, referring to the Department of Health of

the Generalitat de Catalunya.


Background


1. On 30/06/2021, a letter was sent to the Catalan Data Protection Authority
of a person who filed a complaint against the Department of Health on the occasion of a
alleged breach of personal data protection regulations.


Specifically, the complainant stated that he had detected certain vulnerabilities in
security on the website that the Department of Health has made available to the public for

request a vaccination appointment (https://vacunacovid.catsalut.gencat.cat), as it allows access to
very easily by unauthorized third parties to vaccination data, health card, mobile,
mail, full name, appointment for vaccination, etc. All you have to do is have the number
DNI (or health card) of the victim. No extra steps are required to verify authenticity, either

receive no verification SMS (other than the initial one) ”.

The complainant detailed in his writing how information could be accessed
of third parties, and literally indicated the following steps:


“1. (...)
2. (...)
3. (...)

4. (...).
5. (...)
6. (...)

7. (...)

In short, the complainant stated that once the user was validated on the website
https://vacunacovid.catsalut.gencat.cat, making certain calls to the API (application

programming interface) of the web through the browser console, could be accessed
data from third parties.

Along with his writing, the complainant provided screenshots in which

documented each of the steps it had taken in order to access information from
third parties. The documentation provided was anonymized
third parties.


This complaint was assigned the number IP 264/2021.







                                                                                          Page 1 of 8, PS 54/2021
08008 Barcelona, 214, esc. A, 1st 1st




2. The Authority shall open a prior information phase, in accordance with the provisions of Article 7 of

Decree 278/1993, of 9 November, on the sanctioning procedure for application to the areas
of competence of the Generalitat, and article 55.2 of Law 39/2015, of 1 October, of
common administrative procedure of public administrations (hereinafter, LPAC), for
determine whether the facts were likely to motivate the initiation of disciplinary proceedings.


3. On 05/07/2021, a notification was received from the Health Department of a
breach of security of personal data, in accordance with the provisions of Article 33 of the RGPD,
consisting of a possible cyberattack on the "K2 vaccination platform" as a result

detected an unusual query volume on that platform.

4. In the prior information phase initiated following the complaint, on 09/07/2021 the
Department of Health to comply with the following:


- Report on the vulnerability detected by the complainant (antecedent 1st), the
   circumstances that would have led to it and if it had already been amended.
- Indicate whether, prior to the launch of the platform
   https://vacunacovid.catsalut.gencat.cat, a risk analysis had been prepared for the

   processing of personal data through this channel. If so, please provide one
   copy.

5. On 22/07/2021, a letter from the Department of Health entered the Authority through the

which complemented the notification of the security breach he had made on 07/05/2021.

In a written statement, the Department of Health described the security breach as "the attack consists of
when making sequential DNI requests, taking advantage of a lack in the validation of the

requests, skipping the queue and directly requesting the node ”.

6. On 22/07/2021, the Department of Health responded to the request for information
of 09/07/2021 (antecedent 4th), through a letter in which he stated the following:


- That “the vulnerability described in the file was identified on July 1 as a result of
   the security incident reported in the NVS 67/2021 file against the website
   (https://vacunacovid.catsalut.gencat.cat) ”, which consists of the return of information
   linked to a person validating only the CIP or DNI. The information he returned in a

   first moment is: DNI, CIP, name and surname, mobile phone, e-mail address, day and time of
   the appointment, place of vaccination, type of vaccine ”.
- That “the following containment, mitigation and improvement measures have been taken:
    • Extend the verification code from 6 numeric digits to 6 alpha numeric digits

    • Move the Frontal code validation to the node.
    • Application of IP ban measures per number of requests per minute (maximum 500
        requests from Spain and 50 per minute from abroad)







                                                                                    Page 2 of 8, PS 54/2021
08008 Barcelona, 214, esc. A, 1st 1st




    • Blocking by a compromise indicator identified in the User Agent of the request

        attacker.
    • Blocking known attacker IPs
    • Encryption of the answer
    • Contact the abuse service of the attacking IP providers

    • Restrict the information returned by the application when making a request, leaving only the
        information regarding the appointment (date, time and place of vaccination and type of vaccination) ”.
- That “individual cases were difficult to detect but massive requests activated the

    control and monitoring system ”.
- That with regard to risk analysis, due in part to the urgency of initiating the process of
   vaccination and on the other hand, the need to incorporate the maximum volume of population in the
   vaccination process in the shortest possible time safety tests were performed for
   no in-depth risk analysis was carried out ”.


7. On 14/07/2021, another had access to the Catalan Data Protection Authority
written complaint against the Department of Health, on the grounds of an alleged breach of
regulations on the protection of personal data.


Specifically, the complainant stated that in a digital media
(https: // www. (...)) a news item had been published stating that the
self-appointment to receive the coronavirus vaccine from the Generalitat de Catalunya, he explained

personal data of citizens who have made use of this platform to third parties not
authorized ”.

This complaint was assigned the number IP 283/2021


8. On 22/09/2021 the Department of Health was required to comply with
Next:

- Report if the security issue that was reported was the same as in the

    which referred to the security vulnerability that the Department of Health had committed
    reference in his office dated 22/07/2021, in response to the request of this Authority
    had addressed to him in the framework of the previous information initiated as a result of complaint no. IP
    264/2021. And, if not, answer the following:

- Report in detail on the security issue that the news item is referring to,
    the circumstances that would have led to it and if it has already been amended.

9. On 08/10/2021, the Department of Health responded to this second request for

means of writing through which he stated the following:

- That the security problem that was echoed in the news item is the same as the one
   referred to the security vulnerability detected in the framework of the prior information initiated
   following complaint no. IP 264/2021, to the extent that the publication dates coincide and






                                                                                   Page 3 of 8, PS 54/2021
Carrer Rosselló, 214, esc. A, 1st 1st
08008 Barcelona




   that the same news item includes the literal content of the press release made by the
   Department of Health in the sense that the safety breach had been communicated to the Authority a
   through the corresponding security breach notification that resulted in the case
   NVS 67/2021.


10. On 27/10/2021, the director of the Catalan Data Protection Authority agreed
initiate disciplinary proceedings against the Department of Health for two alleged offenses
infractions: an infraction provided for in article 83.5.a), in relation to article 5.1.f); and, another

infringement provided for in Article 83.4.a), in relation to Article 35; all of them of the Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April on the protection of
natural persons with regard to the processing of personal data and the free movement of such data
(hereinafter, RGPD. This initiation agreement was notified to the imputed entity on

10/27/2021

In the initiation agreement, the imputed entity was granted a period of 10 working days to formulate
allegations and propose the practice of evidence that he deems appropriate to defend his

interests. This deadline was far exceeded without the Department of Health
make allegations.

11. On 12/21/2021, the instructor of this procedure made a proposal to

resolution, in which it proposed the modification of the legal qualification of the imputed facts that
had been made in the initiation agreement and this in accordance with the provisions of Article 89.3 of
the LPAC. The instructor, once the documentation incorporated in the
actions, he considered that the two imputed facts constituted, each of them, a violation of the

data security. In view of the above, the instructor in the motion for a resolution
proposed that the director of the Catalan Data Protection Authority warn the
Department of Health as responsible for the violation provided for in Article 83.4.a) in relation
with Article 32 of the RGPD.


This motion for a resolution was notified on 21/12/2021 and a deadline of 10 was granted
days to make allegations.


12. The deadline has been exceeded and no allegations have been made.


Proven facts


1. From an indefinite date, but in any case until 30/06/2021, the systems
information from the Department of Health allowed that, once the user was validated on the website
https://vacunacovid.catsalut.gencat.cat (website that the Department had made available to the

in order to request a vaccination appointment), by calling the web API
access data from other health system users (such as ID, CIP, first and last name,
mobile phone, email address, date and time of appointment, place of vaccination and type of vaccine).






                                                                                      Page 4 of 8, PS 54/2021
08008 Barcelona, 214, esc. A, 1st 1st






2. In relation to the processing of data linked to the launch of the website
https://vacunacovid.catsalut.gencat.cat, the Department of Health did not perform an analysis of
risks to determine the appropriate technical and organizational measures to ensure the

data security.


Fundamentals of law


1. The provisions of the LPAC and Article 15 of the Decree apply to this procedure.
278/1993, in accordance with the provisions of DT 2a of Law 32/2010, of 1 October, of the Authority
Catalan Data Protection. In accordance with Articles 5 and 8 of Law 32/2010, the
resolution of the sanctioning procedure corresponds to the director of the Catalan Authority of

Data Protection.

2. In relation to the facts described in points 1 and 2 of the section on proven facts, relating to the
data security, reference should be made to Article 32 of the RGPD, which provides that:


        “1. Taking into account the state of the art, the costs of application, and the
        nature, scope, context and purposes of treatment, as well as risks
        of variable probability and severity for the rights and freedoms of the

        natural persons, the controller and the controller shall apply
        appropriate technical and organizational measures to ensure a level of
        risk-appropriate security, which may include, inter alia:
        a) pseudonymization and encryption of personal data;
        (b) the ability to ensure confidentiality, integrity, availability and

        permanent resilience of treatment systems and services;
        c) the ability to restore availability and access to data
        personnel quickly in the event of a physical or technical incident;
        (d) a process of regular verification, evaluation and assessment of the

        effectiveness of technical and organizational measures to ensure the security of the
        treatment.
        2. When assessing the adequacy of the level of security they will have
        particularly taking into account the risks posed by data processing, in

        particular as a result of accidental destruction, loss or alteration
        or unlawful transmission of personal data transmitted, stored or otherwise processed,
        or unauthorized communication or access to such data.
        (...) ”


As mentioned, with respect to the conduct described in points 1 and 2 of the section on proven facts, es
considers that in the course of this procedure it has been proven that the Department of Health has
violated the security measures listed below separately, by appointment
of the precepts that regulate them:






                                                                                    Page 5 of 8, PS 54/2021
Carrer Rosselló, 214, esc. A, 1st 1st
08008 Barcelona





2.1.- In relation to the proven fact 1st:


In accordance with the provisions of the first additional provision of Organic Law 3/2018, of 5 of
December, on the protection of personal data and the guarantee of digital rights (hereinafter
LOPDGDD), it is necessary to mention the provisions of Royal Decree 3/2010, of 8 January, which
regulates the National Security Scheme (ENS) in the field of e-government, and

specifically its section 4.2.2 “Access requirements” of Annex II (Measures of
Security ”):

        “The access requirements will be met as follows:

        a) The resources of the system will be protected by some mechanism that prevents their
        use, except for entities that enjoy access rights
        enough. ”


2.2.- In relation to the 2nd proven fact:

At this point it is necessary to make express reference to the provisions of section 2 of Article 32 of

the RGPD already transcribed, which obliges the data controller to carry out a risk analysis
of those treatments that you plan to do, in order to determine the security measures that
must be implemented.


In accordance with the above, the facts set out in points 1 and 2 of the facts section
proved to be the infringement provided for in Article 83.4.a) of the RGPD, which classifies as such the
violation of “the obligations of the manager and the manager in accordance with Articles 8, 11,
25 to 39, 42 and 43 ”, including the one provided for in Article 32.


These conducts have been listed as a serious infraction in article 73.f) of the LOPDGDD, in the
as follows:


        “F) Failure to adopt any technical and organizational measures
        appropriate to ensure a level of safety appropriate to the risk of treatment, in
        the terms required by Article 32.1 of Regulation (EU) 2016/679. "


3. Article 77.2 LOPDGDD provides that in the case of offenses committed by those responsible or
in charge listed in art. 77.1 LOPDGDD, the competent data protection authority:


        "(...) he must issue a resolution sanctioning them with a reprimand. The
        resolution shall also set out the measures to be taken to end it
        conduct or correct the effects of the offense that has been committed.
        The decision must be notified to the controller or controller, a

        the body on which it depends hierarchically, where applicable, and those affected who have the
        interested party, if any. "






                                                                                       Page 6 of 8, PS 54/2021
Carrer Rosselló, 214, esc. A, 1st 1st
08008 Barcelona





In terms similar to the LOPDGDD, article 21.2 of Law 32/2010, determines the following:


        “2. In the case of infringements committed in relation to publicly owned files, the
        director of the Catalan Data Protection Authority must issue
        a resolution declaring the infringement and setting out the measures to be taken for
        correct its effects (...) ”.


By virtue of this faculty, and with regard to the proven fact 2nd, it is appropriate to require the Department of Health
because as soon as possible and in any case within a maximum period of 1 month from
the day after the notification of this resolution, certify to this Authority that it has carried out

a risk analysis in accordance with Article 32 of the RGPD, in order to determine the
appropriate technical and organizational measures to ensure the security of the data processed a
through the platform https://vacunacovid.catsalut.gencat.cat.


With regard to the 1st proven fact, it is not appropriate to require the adoption of any corrective measures, as the
The Department of Health accredited this Authority, within the framework of NVS 67/2021, to have
take the appropriate steps to resolve the security incident detected on the platform

https://vacunacovid.catsalut.gencat.cat.


For all this, I resolve:


1. To reprimand the Department of Health as responsible for the infraction provided for in the article
83.4.a) in relation to Article 32, both of the RGPD.


2. Require the Department of Health to prove to this Authority that it has been carried out
the action indicated in the 3rd legal basis, within the indicated period.


3. Notify this resolution to the Department of Health.

4. Communicate the resolution to the Catalan Ombudsman, in accordance with the provisions of article 77.5
of the LOPDGDD.


5. Order that this resolution be published on the Authority’s website (apdcat.gencat.cat), of
in accordance with Article 17 of Law 32/2010, of 1 October.


Against this resolution, which terminates the administrative procedure in accordance with articles 26.2 of the
Law 32/2010, of 1 October, of the Catalan Data Protection Authority, and 14.3 of the Decree
48/2003, of 20 February, approving the Statute of the Catalan Agency for the Protection of
In this case, the accused entity may, on an optional basis, lodge an appeal for reversal

the director of the Catalan Data Protection Authority, within one month from
the day after its notification, in accordance with the provisions of Article 123 et seq






                                                                                        Page 7 of 8, PS 54/2021
Carrer Rosselló, 214, esc. A, 1st 1st
08008 Barcelona




the LPAC. You can also lodge an administrative appeal directly with the courts

administrative disputes, within two months from the day after its
notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of 13 July, regulating
administrative contentious jurisdiction.


If the accused entity declares to the Authority its intention to lodge a contentious appeal
administrative against the firm resolution in administrative way, the resolution will be suspended

precautionarily in the terms provided for in Article 90.3 of the LPAC.


Likewise, the imputed entity may file any other appeal that it deems appropriate for
defend their interests.



















































                                                                                              Page 8 of 8