DPC (Ireland) - IN-20-4-7

| | |
|---|---|
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 32 GDPR |
| Type: | Investigation |
| Outcome: | No Violation Found |
| Started: | |
| Decided: | 24.01.2022 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | IN-20-4-7 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | Data Protection Commission (in EN) |
| Initial Contributor: | Paola León |
The Irish DPC found no personal data breach pursuant to Article 32 GDPR when the Personal Injuries Assessment Board (PIAB) unexpectedly received an unencrypted USB storage device in a ripped envelope by ordinary post.
English Summary
Facts
The controller is the Personal Injuries Assessment Board (PIAB), an independent statutory body that deals with personal injury claims.
The personal data breach occurred when a third party organisation contracted by the PIAB returned materials containing personal data to the PIAB on an unencrypted USB key in a paper envelope. That USB key was ultimately lost in the post with only a ripped envelope delivered to the PIAB. The inquiry considered whether the PIAB had complied with its obligation to implement an appropriate level of security under Article 32 GDPR.
Holding
The inquiry established that the PIAB had requested in advance that the third party not send personal data to the PIAB. In those circumstances, the DPC found that the PIAB could not possibly have foreseen that without consultation, the third party would post an unencrypted USB storage device in an unpadded envelope by ordinary (not registered) post.
Text of the Decision (English original)
In the matter of the General Data Protection Regulation
DPC Case Reference: IN-20-4-7
In the matter of the Personal Injuries Assessment Board
Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act 2018
Further to an own-volition inquiry commenced pursuant to Section 110 of the Data Protection Act 2018

DECISION
Decision-Maker for the Commission: Helen Dixon, Commissioner for Data Protection
24 January 2022
Data Protection Commission, 2 Fitzwilliam Square South, Dublin 2, Ireland

Contents
1. Introduction
2. Legal Framework for the Inquiry and the Decision
i. Legal Basis for the Inquiry
ii. Legal Basis for the Decision
3. Findings
4. Right of Appeal

1. Introduction

2.1 This document (“the Decision”) is a Decision of the Data Protection Commission (“the DPC”) in accordance with Section 111 of the Data Protection Act (“the 2018 Act”). I make this Decision having considered the information obtained in the own-volition inquiry (“the Inquiry”) conducted by a Case Officer of the DPC (“the Case Officer”) pursuant to Section 110 of the 2018 Act. The Case Officer who conducted the Inquiry provided the Personal Injuries Assessment Board (“PIAB”) with the Draft Inquiry Report and the Final Inquiry Report. The Decision is being provided to PIAB pursuant to Section 116(1)(a) of the 2018 Act in order to give PIAB notice of the Decision and the reasons for it.

2.2 PIAB was provided with the Draft Decision on this inquiry on 30 November 2021 to give PIAB a final opportunity to make submissions. PIAB acknowledged receipt of the Draft Decision on 14 December 2021 and made no submissions in this regard.

2. Legal Framework for the Inquiry and the Decision

i. Legal Basis for the Inquiry

2.1 The GDPR is the legal regime covering the processing of personal data in the European Union. As a regulation, the GDPR is directly applicable in EU member states. The 2018 Act gives the GDPR further effect in Irish law. As stated above, the DPC commenced the Inquiry pursuant to Section 110 of the 2018 Act. By way of background in this regard, pursuant to Part 6 of the 2018 Act the DPC has the power to commence an inquiry on several bases, including on foot of a complaint, or of its own volition.

2.2 Section 110(1) of the 2018 Act provides that the DPC may, for the purpose of Section 109(5)(e) or Section 113(2) of the 2018 Act, or of its own volition, cause such inquiry as it thinks fit to be conducted, in order to ascertain whether an infringement has occurred or is occurring of the GDPR or a provision of the 2018 Act, or regulation under the Act that gives further effect to the GDPR. Section 110(2) of the 2018 Act provides that the DPC may, for the purposes of Section 110(1), where it considers it appropriate to do so, cause the exercise of any of its powers under Chapter 4 of Part 6 of the 2018 Act (excluding Section 135 of the 2018 Act) and/or cause an investigation under Chapter 5 of Part 6 of the 2018 Act to be carried out.

ii. Legal Basis for the Decision

2.3 The decision-making process for this Inquiry is provided for under Section 111 of the 2018 Act, and requires that the DPC must consider the information obtained during the Inquiry; decide whether an infringement is occurring or has occurred; and, if so, decide on the proposed corrective powers, if any, to be exercised. As the sole member of the Commission, I perform this function in my role as the Decision-Maker in the DPC. In so doing, I am required to carry out an independent assessment of all the materials provided to me by the Case Officer, as well as any other materials that PIAB has furnished to me and any other materials that I consider relevant, in the course of the decision-making process.

2.4 The Final Inquiry Report was transmitted to me on 21 January 2021, together with the Case Officer’s file, containing copies of all correspondence exchanged between the Case Officer and PIAB, and copies of all submissions made by PIAB, including the submissions made by PIAB in respect of the Draft Inquiry Report. I issued a letter to PIAB on 04 October 2021 to notify it of the commencement of the decision-making process.

2.5 Having reviewed the Final Inquiry Report, and the other materials provided to me by the Case Officer, including the submissions made by PIAB, I was satisfied that the Inquiry was correctly conducted and that fair procedures were followed throughout. This includes, but is not limited to, notifications to the controller and opportunities for the controller to comment on the Draft Inquiry Report before the Case Officer transmitted it to me as decision-maker.

3. Findings

3.1 Following intensive examination of the facts in this case, including a review of the Draft and Final Inquiry Report and the submissions made by PIAB, I find that the material issues in this inquiry net down to a central issue of the security of processing under Article 32(1) of the GDPR. This issue arises in circumstances where a third party organisation (“the Third Party”) contracted by PIAB returned materials containing personal data to PIAB on an unencrypted USB key in a paper envelope, which USB key was ultimately lost in the post with only a ripped envelope delivered to PIAB.

3.2 Article 32 of the GDPR sets down obligations for both controllers and processors. In subsection (1) it requires that: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

3.3 Given that PIAB had expressly requested, in advance of the Third Party posting the USB storage device, that further personal data not be sent to it (as PIAB was already in receipt of hard copies of the main reports in the matter), it could not possibly have foreseen that, without consultation with it, the Third Party would post an unencrypted USB storage device in an unpadded envelope by ordinary (not registered) post.

3.4 It is clear from the facts in the case that PIAB could not have foreseen that the materials in question containing personal data would have been transmitted in this manner.

4. Right of Appeal

4.1 This Decision is issued in accordance with Section 111 of the 2018 Act. Pursuant to Section 150(5) of the 2018 Act, PIAB has the right to appeal against this Decision within 28 days from the date on which notice of the Decision is received by it.

_________________
Helen Dixon
Commissioner for Data Protection