DPC (Ireland) - DPC ref: IN-20-4-1

From GDPRhub
DPC (Ireland) - DPC ref: IN-20-4-1
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1) GDPR
Article 32(1) GDPR
Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2021
Published:
Fine: 60,000 EUR
Parties: n/a
National Case Number/Name: DPC ref: IN-20-4-1
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Irish DPC (in EN)
Initial Contributor: czapla

The Irish DPC fined a teaching council €60,000 for violations of Articles 5(1)(f), 32(1) and 33(1) GDPR by failing to notify a data breach in due time, and lacking appropriate technical and organisational measures to secure processing.

English Summary

Facts

The Council’s IT team was first alerted on 17 February 2020 via Office 365 of the suspected creation of a forwarding/redirect rule in relation to an account of a staff member. Between 17 February 2020 and 6 March 2020, 4 similar alerts were triggered with severity levels varying from low to high. The Council’s IT team reacted to these alerts by changing the staff member’s password and by checking the server for virus threats. The Outlook client or user’s OWA personal access (and the forwarding rule) were not initially checked. The issue was tackled as low severity until 6 March 2020, which was also the date when the Council’s DPO was first alerted.

The DPC received notification of a personal data breach from the Council on 9 March 2020. The breach notification indicated a potential contravention of the data protection legislation by the Council. The breach notification stated that a phishing email had been received and accessed by two members of staff in the Council.

Further investigation of the incident unveiled that two staff members responded to phishing emails by entering their passwords online. This caused a script to be activated that established an auto forwarding rule to an external Gmail account. The staff members were not aware that they entered their passwords online and perceived it to be a normal activity. In total, 323 email messages were forwarded to the external Gmail account. Some of these emails contained the vetting status details of 9,735 teachers, including names, addresses, PPS numbers and vetting clearance status. The teachers’ personal details were shared internally via emails with unprotected excel spreadsheets.

Holding

The DPC imposed an administrative fine of €60,000 on the Council. The decision issued the Council with a reprimand in respect of the infringements.

The DPC identified, amongst others, several shortcomings of the Council's technical and organisational security measures:

Firstly, the personal data was shared via excel spreadsheet generated by one staff member and sent to another via email while a shared drive should be used instead.

Secondly, the Acceptable Usage Policy in place at the time of the breach contained a section on password usage, but only in respect of the circulation of external documents. The spreadsheet which was generated was therefore sent unencrypted and without password protection over an inadequately secured email system, which had allowed the creation of forwarding rules.

Thirdly, the Council did not have Advanced Threat Protection enabled in Office 365 due to licensing issues.

Further, the Council did not implement adequate technical and organisational measures to account for human error.

With regard to the delayed data breach notification, the DPC decided that the Council failed to appropriately investigate and follow all appropriate steps, and ignored the specifics of an alert when received. As a result, the Council failed in its obligation to notify the DPC of the breach within the prescribed time period of obtaining knowledge of a data breach.

With due regard to the measures already implemented by the Council since the personal data breach and during the inquiry, a deadline of 2 June 2022 was given to the Council to bring its processing operations into compliance with Articles 5(1) and 32(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.