Datainspektionen - DI-2019-9432
|Datainspektionen - DI-2019-9432|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 32(1) GDPR
Article 32(2) GDPR
Article 33(1) GDPR
Article 33(5) GDPR
Chapter 35(1) of the Public Access to Information and Secrecy Act
Chapter 11(3) of the Public Access to Information and Secrecy Act
|National Case Number/Name:||DI-2019-9432|
|European Case Law Identifier:||n/a|
|Original Source:||Datainspektionen (in SV)|
|Initial Contributor:||Kave Noori|
The Swedish DPA (Integritetsskyddsmyndigheten) fined a university ~€54,483 for disclosing and storing special category personal data from criminal investigations in breach of Article 5(1)(f) and Article 32. The Authority also highlighted that the controller failed to report the matter to the DPA as provided for by Article 33. For instance, one investigation report was sent in an unencrypted email, while another 108 reports were stored with a US cloud provider without proper safeguards.
English Summary[edit | edit source]
Facts[edit | edit source]
Two researchers from Umeå University in Sweden acquired copies of all preliminary investigation reports in Sweden for 2014 on cases of rape of male victims from the police. In July 2016, the Swedish Police Authority sent paper copies of the investigation reports to the researchers by mail carrier.
In November 2017, the researchers contacted Swedish Police Authority and asked for additional information about one of the cases. The researchers attached a scanned copy of one of the investigations to an email sent unencrypted. When the Swedish Police Authority pointed out the inappropriateness of sending sensitive material via unencrypted emails, the researchers claimed it was an unintentional act and blamed the human factor. In February 2019, the research team wanted more information on the same rape case and sent the same investigation report again in an unencrypted email to the Swedish Police Authority. The researchers also claimed the second email to be an accident. After this incident the Swedish Police Authority wrote an official letter dated April 3, 2019, which was sent to the Swedish DPA (Datainspektionen).
The DPA launched an investigation to determine whether Umeå University had breached the GDPR. The preliminary investigatory reports contain special categories of personal data such as data about health and sex life and information about suspected offences. They also contain names, contact details and personal numbers of victims and suspects. The research team changed their routines after the first unencrypted email, but could not explain why they then sent the same report a second time in an unencrypted email
In September 2019, Umeå University analyzed the data breach and found that it did not pose a high risk to the rights and freedoms of data subjects. As the email was addressed to a staff member at Swedish Police Authority who provided the researchers with the reports, the university concluded that there was no evidence of actual harm or unauthorized disclosure.
The university also scanned 108 preliminary investigation reports and uploaded them to the cloud storage provider Box. Box is a US-based cloud provider and was a sub-processor of the processor The Swedish University computer Network. Box Transferred personal data to the US on the basis of the Privacy Shield (in force at the time) and binding corporate rules. The files were confidential under Chapter 35(1) and Chapter 11(3) of The Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen).
The researchers stored the files in a folder in Box that was accessible only to the two researchers. The information was protected by 256-bit SSL encryption in transit and 256-bit encryption at rest. Encryption keys were kept separate from the data, and backups were also encrypted. Access to files was protected by single-factor authentication (username and password). In 2016, the University considered that Box met the legal and technical requirements for storing sensitive personal data. Nevertheless, the University considered that such data should not be stored in Box as a precautionary measure.
Dispute[edit | edit source]
Holding[edit | edit source]
Personal data were not adequately protected[edit | edit source]
The DPA found that the University had breached Article 5(1)(f), Article 32(1) and Article 32(2) by failing to adequately protect the personal data in the reports. Although the emails were sent to the correct person at The Swedish Police Authority, they were sent unencrypted over the internet. The DPA recalled that the Internet is an open network and that unauthorized persons may gain access to information sent over such a network if it is not adequately protected, for example by encryption.
The data breach should have been documented and reported to the DPA[edit | edit source]
The DPA found that the University violated Article 33(1) and Article 33(5) by failing to timely document and report a data breach. According to the DPA, the university became aware of the data breach at the time the Swedish Police Authority told the researchers that it was inappropriate to send criminal investigations in unencrypted emails. According to the DPA, the university knew about the incident on at least April 3, 2019, not August 30, 2019, when it received the letter from the DPA informing it that it was under investigation.
Storage of sensitive personal data with a US cloud provider outside the EU[edit | edit source]
First of all, the University did not take sufficient technical measures with regard to the sensitivity of personal data. Although the data was encrypted in Box, anyone from any IP address could access the data if they had the correct username and password. The DPA recalled that one-factor authentication is vulnerable to phishing attacks and that it would be unlikely for the researchers to know if their username and password were in the wrong hands. The DPA held that sensitive personal data of this nature must be protected by multi-factor authentication.
The DPA reminded that a data controller must carry out a risk assessment and determine whether it is appropriate to store certain personal data with a particular processor. The assessment should be made in relation to the risk of unauthorized disclosure or access.
The DPA concluded that the preliminary investigative reports concerned rapes against men and contained sensitive personal data that was classified. The DPA considered that the data processing posed a high risk to the privacy of the data subjects if the information was disclosed to or accessed by unauthorized persons.
In addition, the DPA considered that the transfer of the personal data to the United States was problematic as the Public Access to Information and Secrecy Act does not apply in the US.
SEK 550 000 sanction fee[edit | edit source]
The DPA imposed a sanction fee of SEK 550 000 on Umeå University. SEK 450 000 related to the unencrypted emails and the storage of the preliminary investigation reports with a US cloud provider, SEK 100 000 related to the failure to document and report the data breach in a timely manner. The DPA deemed the violations in the unencrypted sending of emails and storage of the reports at the US cloud provider, as negligently caused. In this case, 108 criminal investigation reports containing highly sensitive personal data were stored with the US cloud provider without adequate data protection. On top of that, the university had stored the sensitive personal data in Box even though its own risk and vulnerability assessment concluded that such data should not be stored there.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Page 1 Decision Diarienr 1 (23) 2020-12-10 DI-2019-9432 Postal address: Box 8114, 104 20 Stockholm E-mail: email@example.com Website: www.datainspektionen.se Phone: 08-657 61 00 Umeå University 901 87 Umeå Supervision according to the Data Protection Ordinance - Umeå the university's processing of personal data Table of Contents The Data Inspectorate's decision ................................................ ..................................... 2 Report on the supervisory matter ............................................... .............................. 3 Background................................................. .................................................. ......... 3 What has emerged in the case ............................................. .......................... 3 Letter from the police authority ................................................ ......................... 3 Information from Umeå University .............................................. .................... 4 Motivation for decision ............................................... ........................................... 7 Applicable rules................................................ .................................................. 7 Responsibility of the data controller ............................................... ........... 7 Legal basis ................................................ ................................................ 8 The requirement for security in the processing of personal data .............................. 9 Obligation to report and document personal data incidents ....... 10 Transfer of personal data to third countries ........................................... 12 The Data Inspectorate's assessment ................................................ ....................... 12 Personal data responsibility ................................................. .................................. 12 Processing of personal data in unencrypted e-mail and open network .......... 12 The personal data incident should have been documented and reported ........... 14 Storage of sensitive personal data in a cloud service in third countries ........... 15 Choice of intervention ............................................... .............................................. 20 Legal regulation ................................................ ......................................... 20 Size of the penalty fee ................................................ .......................... 20 Page 1 of 23 Page 2 The Data Inspectorate DI-2019-9432 2 (23) How to appeal............................................... .............................................. 23 The Data Inspectorate's decision The Data Inspectorate states that Umeå University • has sent sensitive and privacy-sensitive personal data through unencrypted e-mail and via open network to the Police Authority on 5 February 2019. The university has therefore processed personal data in contrary to Article 5 (1) (f) and Article 32 (1) and (2) (i) Data Protection Regulation 1 by failing to take appropriate technical measures measures to ensure an appropriate level of safety in in relation to the risk. • has not reported the personal data incident to the Data Inspectorate and not documented the circumstances surrounding the incident then the university became aware of it. The university has therefore acted in breach of Article 33 (1) and (5) of the Data Protection Regulation. • in the processing of sensitive and privacy-sensitive personal data in the cloud service Box, during the period May 25, 2018 to spring 2019, no have taken appropriate technical and organizational measures to: prevent unauthorized disclosure of or unauthorized access to personal data. The university has therefore treated personal data in breach of Article 5 (1) (f) and Article 32 (1) and (2) (i) the Data Protection Regulation. Administrative penalty fee The Data Inspectorate decides on the basis of Articles 58 (2) and 83 i the Data Protection Ordinance and Chapter 6 Section 2 of the Data Protection Act (2018: 218) to Umeå universities must pay an administrative sanction fee of SEK 550,000. 1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on that free flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation). Page 2 of 23 Page 3 The Data Inspectorate DI-2019-9432 3 (23) Report on the supervisory matter Background The Data Inspectorate began inspecting Umeå University on 29 August 2019. The inspectorate had received information that the university had sent sensitive personal information to the Police Authority via unencrypted e-mail. To the information was attached to the Police Authority's letter; Information about shortcomings in handling documents. The purpose of supervision is to investigate whether the personal data processing as described in the Police Authority's letter meets the requirements for security as set out in Articles 5 (1) (f) and 32 of the Data Protection Regulation. The Data Inspectorate has also examined whether Umeå University has followed the provision of Article 33 of the Data Protection Regulation, which, inter alia is about the personal data controller's obligation to report to a personal data incident. Furthermore, the Data Inspectorate has investigated the handling of sensitive personal data in the cloud service Box made in accordance with data protection rules. The Data Inspectorate's supervision will take effect on 25 May 2018 the Data Protection Regulation came into force. The inspection therefore has not examined the incident that occurred before that date. The supervision has been carried out through written communication. What has emerged in the case Letter from the police authority The Police Authority's letter states, among other things, the following. A research group at Umeå University requested all of them preliminary investigation report concerning rape against men in Sweden from 2014. On 18 July 2016, the Police Authority released the documents by courier. Page 3 of 23 Page 4 The Data Inspectorate DI-2019-9432 4 (23) In connection with a request for supplementation via email attached research group, on 19 November 2017, unintentionally one of the preliminary investigation report previously issued by the Police Authority. Po- The regulatory authority then contacted the research group and pointed out the inappropriateness of to send sensitive material over unprotected email channels. The research group regretted what had happened and referred to the human factor. In connection with another request for supplementation attached the research group, on 5 February 2019, again the same preliminary investigation report. When the Police Authority contacted once again the research group on this was admitted that this time too it was unintentional attached the sensitive material in an email. Information from Umeå University Umeå University was responsible for personal data when the email was sent to The police authority. The principal researcher left his employment at Umeå University on 31 August 2018 for employment at Uppsala University. In that it The principal researcher changed employers and the workplace has the project also changed residence. However, this happened after the current events. The financier Forte 2 decided to change the principal on 13 March 2019 and The Ethics Review Authority approved the change, which involved a change research principal at Uppsala University on 10 May 2019. The research project at Umeå University has been approved by The ethics review authority and the preliminary investigation protocols have been received and stored on the basis of a public interest that allows personal data processing. The course of events In August 2016, the research group received the preliminary investigation protocols that requested. The documents were sent in paper form to Umeå University. All police reports and preliminary investigation protocols from 2014 scanned in and stored on a password-protected file surface. A physical version locked in an archive room. The preliminary investigation protocols contain information 2 Research Council for Health, Working Life and Welfare. Page 4 of 23 Page 5 The Data Inspectorate DI-2019-9432 5 (23) about, among other things, suspicion of crime, name, social security number and contact information. In addition, these protocols contain information on sexual life and health, ie sensitive personal data. In a request for supplementation made in 2017, the intention was not to attach the minutes to the other documents sent to The police authority. After what happened, the research group has, among other things, introduced a routine of scanning sensitive material separately. The research group has not been able to explain why the group, on 5 February 2019, once again attached the minutes in an email to the Police Authority. Security when sending the preliminary investigation protocols The incorrect handling has been limited to two occasions. Otherwise have project routines to lock in physical documents, to separate administrative documents from research data and to password protect digital documents followed. Only two researchers from the university have had access to the current case the material. The university has, among other things, regulations and instructions to ensure that the processing of personal data at universities complies with the requirements set out in Article 32 of the Data Protection Regulation. The university has had a clear since 2014 rule that sensitive personal data may not be sent by e-mail, in accordance with the document E-mail service at Umeå University. Employees get continuous training and information on the subject. The university is also planning to direct a special information effort on the processing of personal data in e-mail to all employees at the university. The university has made a mistake by sending sensitive personal information via e-mail to the Police Authority. The personal data processing in question can therefore not be said to meet those requirements imposed on appropriate security measures in accordance with Article 32 i the Data Protection Regulation. The personal data incident Umeå University became aware that sensitive personal data had been sent by e-mail in connection with the authority receiving the Data Inspectorate's letter of supervision, 30 August 2019. Page 5 of 23 Page 6 The Data Inspectorate DI-2019-9432 6 (23) On September 2, 2019, the university conducted an analysis of the events and then came to the conclusion that it was unlikely that the personal data incident would may pose a risk to data subjects. The university has documented the events in the Data Inspectorate's form for reporting personal data incident. The university has stated in the form, among other things following. The university has assessed that no report should be submitted to the Data Inspectorate. (…) The 2nd September, a registered letter was received from the Swedish Data Inspectorate containing information about the incidents. Umeå University's assessment is that it is unlikely that the incident resulted high risk to the freedoms and rights of individuals. There is no indication that anyone has occurred actual damage or that any unauthorized person had access to the information during the protocol in question sent to the authority that established it and to the administrator who had the task to handle and provide the university with the same type of information. Storage and access in the cloud service Box The university has scanned in 108 preliminary examination protocols from 2014 as saved locally on a personal computer and then uploaded to cloud service provider Box. The user can access the data stored in Box by logging in via a web interface internally via the university's network with single factor authentication (that is, username and password). It is also possible to log in externally via the internet on the university's website umu.se. The login then takes place via any equipment / network. The user states first their email address and then their college ID (username) and password. User accounts in Box are integrated and linked to university ID as in in turn are integrated with SWAMID. With SWAMID, a safe is obtained identification because passwords are neither saved nor sent to Box. The authentication takes place before, by sending a "ticket" to Box som confirms the authorization. All communication is encrypted with 256 bit SSL encryption (https). All information is stored with 256-bit encryption. This means that the information is not available if someone without authorization would have access Page 6 of 23 Page 7 The Data Inspectorate DI-2019-9432 7 (23) to it. Backups are also encrypted. Box stores the encryption keys separately from data. The research project includes two researchers and only the two have had access to and access to the file area provided by Box. Since access has been restricted, no special procedures have been established. The university has a personal data assistant agreement with SUNET (Swedish University computer Network) which, among other things, applies to storage of preliminary investigation protocols. SUNET has in turn hired the Deputy Assistant Box. Box stores the information in the United States and is connected to the Privacy Shield and has signed binding corporate regulations. The preliminary investigation protocols are covered by secrecy in accordance with ch. § 1 and 11 Cape. Section 3 of the Public Access to Information and Secrecy Act (2009: 400), OSL. Starting point is thus that confidentiality applies to the information. Information that sensitive personal data should not be stored in Box has published on the university's intranet in September 2016. The university has made the assessment that there are legal and safety conditions for storing both sensitive and confidential information in Box. However, the university has in connection with its risk and vulnerability analysis for precautionary reasons judged that this should not happen. The university has assessed that the file surface maintains a satisfactory level of safety. The assessment has been based on security measures such as access, access and authorization and security in communication. Justification of decision Applicable rules The responsibility of the personal data controller The Data Protection Regulation is the primary legal regulation in processing of personal data. Page 7 of 23 Page 8 The Data Inspectorate DI-2019-9432 8 (23) The person responsible for personal data is responsible for being able to show that they the basic principles of Article 5 of the Data Protection Regulation are complied with (Article 5.2). The person responsible for personal data is responsible for implementing appropriate technical information and organizational measures to ensure and be able to demonstrate that the processing is performed in accordance with the Data Protection Regulation. The measures shall carried out taking into account the nature, scope, context of the treatment and purposes and the risks, of varying degrees of probability and severity, for freedoms and rights of natural persons. The measures must be reviewed and updated if necessary. This is stated in Article 24 (1) of the Data Protection Regulation. Legal basis Article 6 of the Data Protection Regulation states the following. A treatment is only legal if one of the conditions specified in the article is fulfilled (paragraph 1). A treatment is legal if it is necessary to perform a task of public interest (paragraph 1 (e)). Research purposes are considered a task of public interest. The task of general interest must be established in accordance with Union law or national law (paragraph 3). For state universities and colleges are the research task established in ch. the Higher Education Act (1992: 1434). As a general rule, it is forbidden to process sensitive personal data, to for example, personal data on health and sexual life. However, there are a number derogation from the prohibition in Article 9 (2) of the Data Protection Regulation. Of Article 9 (2) j in the Data Protection Regulation it follows that the processing must be necessary for research purposes and shall be subject to appropriate safeguard measures for it rights and freedoms of data subjects in accordance with Article 89 (1) (i) the Data Protection Regulation. In addition, the exemption from this prohibition requires that national law contain provisions on appropriate and specific measures to ensure it registered privacy. One is established in the Ethics Review Act 3 3 The Act (2003: 460) on Ethical Review. Page 8 of 23 Page 9 The Data Inspectorate DI-2019-9432 9 (23) appropriate and specific action required in the treatment of sensitive personal data for research purposes. Also provisions on confidentiality in OSL is an example of such an appropriate and special measure. Article 89 (1) of the Data Protection Regulation sets out specific conditions for processing of personal data for research purposes. It states that the treatment shall be subject to appropriate protective measures in accordance with Regulation. The requirement for security in the processing of personal data A basic principle for the processing of personal data is the requirement security under Article 5 (1) (f) of the Data Protection Regulation, which states that: personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unauthorized use treatment and against loss, destruction or damage by accident, using appropriate technical or organizational measures. It follows from Article 32 (1) of the Data Protection Regulation that the personal data controller and the personal data assistant shall take appropriate steps technical and organizational measures to ensure a level of security which is appropriate in relation to the risk of the treatment. That too taking into account recent developments, implementation costs and the nature, scope, context and purpose of the treatment and the risks, of varying degrees of probability and severity, for the rights of natural persons and freedoms. When assessing the appropriate level of safety, special consideration shall be given to them risks posed by the treatment, in particular from unintentional or illegal destruction, loss or alteration or to unauthorized disclosure of or unauthorized access to the personal data transferred, stored or otherwise treated. This is stated in Article 32 (2) of the Data Protection Regulation. Recital 75 of the Data Protection Regulation states that various factors must be taken into account in the assessment of the risk to the rights and freedoms of natural persons. Among otherwise, personal data covered by the duty of confidentiality, data on health or sexual life. Furthermore, consideration must be given to whether the treatment applies personal data about vulnerable natural persons, in particular children, or about the processing involves a large number of personal data and applies to a large number of registered. Page 9 of 23 Page 10 The Data Inspectorate DI-2019-9432 1 0 (23) Recitals 39 and 83 also provide guidance on the more detailed meaning of the requirements of the Data Protection Regulation for security in the processing of personal data. If the personal data controller hires a personal data assistant to carry out a processing, the data controller shall only use personal data assistants who provide sufficient guarantees to implement appropriate technical and organizational measures. It should be done in such a way that the processing meets the requirements of the Data Protection Regulation and that it data subjects' rights are protected. It is clear from Article 28 (1) and recital 81 of the the Data Protection Regulation. These provisions also state how the relationship between the personal data controller and the personal data assistant shall be regulated. Obligation to report and document personal data incidents According to Article 4 (12) of the Data Protection Regulation, a personal data incident is a safety incident leading to accidental or unlawful destruction, loss or change or to unauthorized disclosure of or unauthorized access to the personal data transferred, stored or otherwise processed. According to Article 29 Group Guide WP250 4 may be unauthorized or illegal processing include the disclosure of personal data (or access to these) to recipients who are not authorized to receive (or access) the data, or any other form of processing that is contrary to the Data Protection Regulation. Article 33 (1) of the Data Protection Regulation states that the person responsible for personal data, in the event of a personal data incident, must report the incident to the supervisory authority without undue delay, and if so possible not later than 72 hours after learning of it. If it is it is unlikely that the personal data incident entails a risk to natural persons rights and freedoms need not be notified. About one personal data controller does not act quickly and it becomes obvious that a 4 Article 29 - Data Protection Working Party, WP250rev.01; Guidelines for notification of personal data incidents according to Regulation (EU) 2016/679; adopted on 3 October 2017; last reviewed and adopted on February 6, 2018; adopted by the European Data Protection Board, EDPB, during the first plenary session on 25 May 2018; pp. 11–12. The working group was set up pursuant to Article 29 of Directive 95/46 / EC and was an independent EU advisory body in matters concerning data protection and privacy. Page 10 of 23 Page 11 The Data Inspectorate DI-2019-9432 1 1 (23) incident has taken place, this can be considered a failure to act in in accordance with Article 33 5 . The following is stated in recital 85. A personal data incident that is not quickly remedied appropriately can for natural persons lead to physical, material or intangible damage, such as loss of control over one's own personal data or to limit their rights, discrimination, identity theft or fraud, financial loss, unauthorized revocation of pseudonym, damage to reputation, loss of confidentiality in respect of personal data subject to professional secrecy, or to another economic or social detriment to the natural person concerned. As soon as one personal data controller becomes aware that a personal data incident has occurred, it should personal data controllers therefore report the personal data incident to the supervisory authority without undue delay and, if possible, within 72 hours of becoming aware of this, unless the data controller, in accordance with the principle of liability, can demonstrate that it is unlikely that the personal data incident will entail a risk of physical rights and freedoms of persons. According to the Article 29 Working Party, a data controller shall be deemed to have received knowledge of the incident when the data controller is reasonably certain that a security incident has taken place which has resulted in personal data endangered. The data controller shall, in accordance with the Data Protection Regulation, take all appropriate technical protective measures and all appropriate organizational measures to immediately determine whether a personal data incident has taken place room and promptly inform the supervisory authority and the data subjects. Recital 87 of the Data Protection Regulation states the importance of being able to establish one incident, assess the risk to individuals and then report the incident accordingly required. Article 33 (5) of the Data Protection Regulation regulates the obligation to: document personal data incidents. The person responsible for personal data shall document all personal data incidents, regardless of whether the incident should reported to the Data Inspectorate or not. The documentation must contain information about the circumstances surrounding the personal data incident, its effects and the corrective measures taken. The documentation must enable the supervisory authority to monitor compliance with Article 33 of the Data Protection Regulation. 5 WP250, rev01, p. 13. Page 11 of 23 Page 12 The Data Inspectorate DI-2019-9432 1 2 (23) The documentation obligation in Article 33 (5) is also linked to liability in Article 5 (2) of the Data Protection Regulation, ie the person responsible for personal data must be responsible for and be able to show that they the basic principles of data protection are complied with. There is also one link between Article 33 (5) and the provision on liability for data controller in accordance with Article 24 of the Data Protection Regulation. 6 It may be added that the Article 29 Working Party's guidelines state that it personal data controllers need to have routines to detect and remedy incidents involving personal data, which is the meaning of Article 33 (5). In addition, it shows the ability to quickly detect, remedy and report An incident should be seen as an important element of the appropriate technical and organizational measures referred to in Article 32 of the Data Protection Regulation. Transfer of personal data to third countries Chapter V of the Data Protection Regulation sets out the possibilities for: transfer personal data to a third country (a country outside the EEA). Personal data may be transferred if the European Commission has decided to do so there is an adequate level of protection in the recipient country or if there is one appropriate safeguards, for example through contractual clauses or binding company regulations. 7 For recitals 101 and 116 of the Data Protection Regulation, the risk is emphasized when personal data are transferred to countries outside the Union and the importance of: the level of protection does not decrease with such transfers. This is especially true in question of the protection of unauthorized use or unauthorized disclosure of this information. Furthermore, the person responsible for personal data and the personal data assistant's responsibility to ensure compliance with the Regulation. The Data Inspectorate's assessment Personal data responsibility The Data Inspectorate states that Umeå University is personal data controller for the processing of personal data that 6 WP250, rev01, p. 28. 7 See Articles 44 to 50 of the Data Protection Regulation. Page 12 of 23 Page 13 The Data Inspectorate DI-2019-9432 1 3 (23) updated in the case until the project was transferred to Uppsala university in the spring of 2019. Processing of personal data in unencrypted e-mail and open network The Data Inspectorate states that Umeå University, within the framework of research project, has sent a preliminary investigation report concerning rapes of men in an unencrypted e-mail via an open network to The police authority. Something that the university has also admitted. The preliminary examination report contains information on health and sexual life which are sensitive personal data. Processing of sensitive personal data can involve significant risks to personal integrity and are therefore required strong protection in the processing of such data. The preliminary investigation report also contains information on suspicion about crimes and social security numbers that are so-called privacy-sensitive personal data. The processing of this type of personal data is therefore off such that the data must have strong protection. That means if about these personal data sent by e-mail, they must be protected in such a way that unauthorized persons cannot take part in them. Personal data can, for example protected by encryption. Sending information with unencrypted e-mail means that even others than it the intended recipient can access the information in the e-mail. Thus it is not ensured that only the intended recipient takes part personal data. The university has also sent the personal data via an open network. One open network, such as the internet, is characterized by others being able to take part in it information communicated on the network. This means that unauthorized persons have been able to gain access to the personal data transferred by the university. As the person responsible for personal data, Umeå University must ensure that the technical and organizational measures ensure a level of security appropriate to: in relation to the risks to the rights and freedoms of natural persons which the treatment entails (Article 32 (1)). The personal data that is processed must for example, protected against unauthorized disclosure or unauthorized access. What is the appropriate level of safety varies according to the risks, the nature, scope, context and purpose of the treatment. At Page 13 of 23 Page 14 The Data Inspectorate DI-2019-9432 1 4 (23) the assessment must therefore, for example, take into account what type it is personal data processed. 8 The university must identify the possible risks for those registered rights and freedoms and assess the likelihood of risks occurring and the consequences in such cases. In this case, it is a question of both sensitive and privacy-sensitive ones personal data. Processing this type of data requires a strong protection based on the nature of the treatment. All in all, the Data Inspectorate finds that Umeå University has processed personal data in violation of the Data Protection Ordinance by the University have not taken appropriate technical safety measures to protect the personal data in the e-mail based on the sensitivity of the data and how they were communicated unencrypted over open network. The treatment has therefore in breach of Article 5 (1) (f) and Article 32 (1) and (2) (i) the Data Protection Regulation. The personal data incident should have been documented and reported According to Umeå University, the university became aware of being sensitive personal data sent via unencrypted e-mail by the university received the Data Inspectorate's supervisory letter on 30 August 2019. According to the university also documented the incident, on September 2, 2019, in The Data Inspectorate's form for reporting personal data incidents. As regards the knowledge of the incident, the Data Inspectorate states that it is off The police authority's letter dated 3 April 2019, states that The police authority in contact with the university pointed out the inappropriateness of that send sensitive personal information via unencrypted e-mail. The Data Inspectorate considers therefore that the university must have become aware of the current the incident before 30 August 2019 and at least no later than 3 April 2019. With regard to the documentation, the Data Inspectorate thus finds that the university did not document the circumstances surrounding the personal data incident immediately after becoming aware of it. This complicates the possibility of verifying compliance with Article 33 of the 8 See recitals 75 and 76 of the Data Protection Regulation. Page 14 of 23 Page 15 The Data Inspectorate DI-2019-9432 1 5 (23) the Data Protection Regulation. That the university has subsequently filled in The Data Inspectorate's form for reporting personal data incidents changes not the assessment that the university should have documented the incident already when the Police Authority contacted the university. Furthermore, the Swedish Data Inspectorate states that the university has not been admitted with a report of a personal data incident to the Swedish Data Inspectorate. According to the university was due to the fact that it was unlikely that the incident would entail a high risk for individuals' freedoms and rights. The Data Inspectorate wants emphasize that there is always a risk that unauthorized persons may take part in it personal data if it is sent unencrypted via an open network. As The Data Inspectorate previously stated that the mailing is both sensitive and privacy-sensitive personal data. The risk for the data subjects' freedom and rights are therefore high if this type of personal data is processed in one in such a way that they, for example, benefit from unauthorized persons. All in all, the Data Inspectorate finds that Umeå University has failed to act in accordance with Article 33 (1) and (5) of the Data Protection Regulation. Storage of sensitive personal data in a cloud service in third countries Umeå University has used the cloud service Box to store 108 preliminary investigation report on rape of men. A cloud service is an Internet-based IT service provided by an external party supplier. The service can include storage but also other functions, there these are wholly or to some extent outside the internal operations of the company IT environment 9 . In this case, the storage is outside the university's internal IT environment. Via the personal data assistant SUNET hires Umeå University Deputy Assistant Box. The Data Protection Regulation does not only require that it the data controller shall ensure appropriate security for personal data. The regulation also requires that it the person responsible for personal data ensures that the personal data assistant fulfills one security level when processing personal data for it on behalf of the data controller. 9 For further definitions see Article 29 Data Protection Working Party, 01037/12 / EN WP 196, Opinion 05/2012 on Cloud Computing. Page 15 of 23 Page 16 The Data Inspectorate DI-2019-9432 1 6 (23) The person responsible for personal data is also responsible for ensuring that the person who the personal data assistant in turn hires meets the requirements in the Data Protection Regulation. Box is supplied by a US company that stores the information in the US. According to the university, Box was connected to the Privacy Shield and had signed binding corporate rules. Personal data may be transferred to third countries only if the conditions in Chapter V of the Data Protection Regulation are complied with. This applies provided that it the personal data controller and the personal data assistant can ensure that it The level of protection afforded to natural persons by the Regulation is not undermined. According to a decision by the European Commission 10 , it has been allowed for personal data controllers in the EU to transfer personal data to recipients who has joined the Privacy Shield. In the so-called Schrems II case 11 of 16 July 2020, however The European Court of Justice that the Privacy Shield agreement between the EU and the US does not provide adequate protection of personal data when it is transferred to the United States. The means that EU data controllers are no longer allowed to: with the support of Privacy Shield transfer personal data to the United States. The Schrems II target may also affect transfers of personal data that takes place with the help of binding company regulations. The as the legislation of a third country may affect the protection afforded through these provisions. The European Court of Justice has ruled that it is personal data controller who must assess the level of protection required according to EU law is complied with in the third country concerned. The Data Inspectorate states that Umeå University ceased to process the current personal data in the cloud service Box in the spring of 2019. Then it was allowed by the European Commission decision to transfer personal data to the United States with the support of Privacy Shield. The Data Inspectorate therefore stays current 10 Implementing decision (EU) 2016/1250 of 12 July 2016 under Directive 95/46 / EC of the European Parliament and of the Council on whether adequate protection is ensured through the EU and US Privacy Shield. 11 Case C-311/18 - Data Protection Commissioner v Facebook Ireland and Maximillian Scares. Page 16 of 23 Page 17 The Data Inspectorate DI-2019-9432 1 7 (23) case stating that Box is said to have been connected to the Privacy Shield at that time and that the treatment at the university had ended before The Schrems II goal. In addition to the personal data controller having support to transfer personal data to third countries, the person responsible for personal data is also responsible for the personal data assistant to process the data in a way that ensures adequate security. That personal data, like the personal data assistant, is in a third country may increase the risk that natural persons will not be able to exercise their data protection rights, in particular to protect against unauthorized use use or unauthorized disclosure of this information. 12 In this case, it is a matter of information that is protected by confidentiality. In order to be allowed to process sensitive personal data, the Data Protection Ordinance sets requirement that national law contain provisions on appropriate and special measures. The provisions on secrecy to protect it individuals is such regulation that protects the integrity of individuals in handling of public documents. 13 This means that confidentiality is one privacy protection measure such as the personal data controller and the personal data assistant has to follow. When the personal data is stored with a actor who is not covered by secrecy, this means weaker privacy protection for the information, as a statutory duty of confidentiality that is penal sanction provides stronger protection than an agreed duty of confidentiality. 14 Since Box is an actor that is not covered by OSL, the personal data receives one weaker privacy protection. There are also technical weaknesses in the selected storage. To gain access to the preliminary examination protocols in Box, the university has used a so-called single factor authentication. In this case, college ID (username and password. 12 Cf. recitals 101 and 116 of the Data Protection Regulation. 13 See the bill New Data Protection Act (Bill 2017/18: 105 p. 116). 14 JO's decision of 9 September 2014, no. 3032-2011. Page 17 of 23 Page 18 The Data Inspectorate DI-2019-9432 1 8 (23) The authentication is used so that the person responsible for personal data can see that only authorized users have access to personal data. Single factor authentication is a weak form of authentication. The risk of someone can get username and password is great. Besides, it is not surely the one who has been robbed will discover that this has happened if someone comes across username and password through for example so called phishing. Stronger authentication should make it harder for unauthorized people to get over them necessary login information needed to be able to authenticate. Stronger authentication can be achieved by using more than one factor (something you know, something you have and something you are). For example, can "Something you know" can be a username or password, "something you have" can be a smart card or mobile phone and "something you are" can be one fingerprints or facial features. The user can access the data stored in Box by logging in via a web interface internally via the university's network with single factor authentication (that is, username and password). The can also log in externally via the internet on the university's website umu.se. The login then takes place via optional equipment and optional network and the user first states his e-mail address and then his college ID (username) and password (that is, with single-factor authentication). Because access to the current data can be via the open network is the exposure area to unauthorized persons is very large, which entails the risk of the data will unauthorized to part increases. Umeå University has stated that the communication and storage of the information in the preliminary investigation protocols has been encrypted in Box. However, the Data Inspectorate does not consider that this means that the information is adequately protected against unauthorized access. For example, it may be illegal come across usernames and passwords pretending to be authorized and thus take part of the information in clear text. As previously stated, the person responsible for personal data must ensure a suitable one safety in relation to the risk of treatment. This also applies when Page 18 of 23 Page 19 The Data Inspectorate DI-2019-9432 1 9 (23) the personal data is processed by a personal data assistant. The personal data controllers must therefore make an assessment of the risks that may occur during treatment. When the personal data controller processes personal data in a cloud service, the person in charge needs to implement a suitability assessment that includes a risk analysis. That way, it gets personal data controller a basis for being able to make decisions about which appropriate technical and organizational measures that are needed or should be required by the personal data assistant. It also provides the person responsible for personal data an opportunity to ensure an appropriate level of security. When assessing the security level when storing and transferring personal data, special consideration shall be given to whether the processing entails a risk of unauthorized disclosure or unauthorized access. Umeå University has stated that the university in connection with its risk and Vulnerability analysis assessed that sensitive personal data should not be stored in Box for precautionary reasons. This information was published at the university intranet in September 2016. Despite the university scanned in preliminary investigation protocols and stored them in Box. The preliminary investigation protocols concern rapes against men and personal data in them are both sensitive and privacy-sensitive. The information is covered in addition to confidentiality. The Data Inspectorate's assessment is that the processing of this type of personal data involves a high risk to the privacy of individuals if the personal data is disclosed or if an unauthorized person gains access to it. The treatment is therefore of such a nature that it requires a high level of safety. The Data Inspectorate states that it has been a question of a treatment of personal data in a cloud service in the United States that is not covered by the regulations in OSL, and that security has not been high enough to prevent unauthorized access to the data. In addition, the Data Inspectorate states that the university in 2016 assessed that the processing of sensitive personal data in Box was not appropriate. In summary, the Data Inspectorate finds that Umeå University does not have have taken appropriate technical and organizational measures to prevent unauthorized disclosure of or unauthorized access to the sensitive and privacy-sensitive personal data stored in Box. The university has thereby not ensuring a level of safety that is appropriate in relation to Page 19 of 23 Page 20 The Data Inspectorate DI-2019-9432 2 0 (23) the risk of processing the personal data in question in the case. Umeå University has thus processed the personal data in violation of Article 5 (1) (f) and Article 32 (1) and (2) of the Data Protection Regulation. Choice of intervention Legal regulation In the event of violations of the Data Protection Ordinance, the Data Inspectorate has a number corrective powers, including reprimand, injunction and penalty fees. It follows from Article 58 (2) (a) to (j) of the Data Protection Regulation. The Data Inspectorate shall impose penalty fees in addition to or instead of other corrective measures referred to in Article 58 (2), the circumstances of each individual case. Member States may lay down rules on whether and to what extent administrative penalty fees may be imposed on public authorities. This is stated in Article 83 (7) of the Regulation. Sweden has accordingly decided that the Data Inspectorate should be allowed to charge sanction fees by authorities. For infringements of, inter alia, Articles 32 and 33, the fee shall amount to a maximum of SEK 5,000,000. For infringements of, inter alia, Article 5 i According to the ordinance, the fee shall amount to a maximum of SEK 10,000,000. It appears from Chapter 6 Section 2 of the Data Protection Act and Article 83 (4) and (5) i the Data Protection Regulation. If a personal data controller or a personal data assistant, with respect to on one or the same or interconnected data processing, intentionally or through negligence violates several of the provisions of this Regulation the total amount of the administrative penalty fee may not exceed it amounts determined for the most serious infringement. It appears from Article 83 (3) of the Data Protection Regulation. Each supervisory authority shall ensure that the imposition of administrative penalty fees in each individual case are effective, proportionate and deterrent. This is stated in Article 83 (1) of the Data Protection Regulation. Article 83 (2) sets out the factors to be taken into account in determining whether a administrative penalty fee shall be imposed, but also what shall affect the size of the penalty fee. Page 20 of 23 Page 21 The Data Inspectorate DI-2019-9432 2 1 (23) The size of the penalty fee The university has sent a preliminary investigation protocol with personal data on, among other things, health, sexual life and suspicion of crime via unencrypted e-mail mail and through open network. The personal data processed is both sensitive and privacy sensitive and covered by regulations on secrecy. The police authority sent the information to the university via courier, which should made the university aware of the protection value of the data. Despite this failed the university to take appropriate technical safety measures. The personal data was thus not protected from the risk of being exposed to, among other things other unauthorized disclosure and unauthorized access. The Data Inspectorate finds that no other assessment can be made than that the infringement took place through negligence. In addition, Umeå University has stored a large number, 108 pieces, preliminary investigation protocols with sensitive and privacy sensitive personal data in the cloud service Box. This without the university ensuring an appropriate level of security to be able to store this type of personal data in Box. The university thus also failed in this part to take appropriate technical safety measures. The university also did not ensure that personal data were covered by such appropriate organizational measures required by the data protection regulations. Contrary to its own risk and vulnerability analysis, the university stored them sensitive personal data in Box. The Data Inspectorate considers this to be one factor that must be taken into account when assessing the size of the penalty fee. Furthermore, the university has failed to report the personal data incident as occurred at the time of sending the e-mail to the Data Inspectorate. Nor the circumstances surrounding the incident were documented when the university became paid attention to it. Against this background, the Data Inspectorate finds that Umeå University through the current personal data processing has violated Article 5 (1) (f), Article 32.1 and 32.2 and Article 33.1 and 33.5 of the Data Protection Regulation. The Data Inspectorate therefore considers that Umeå University should be imposed administrative penalty fees for the said infringements. Page 21 of 23 Page 22 The Data Inspectorate DI-2019-9432 2 2 (23) The Data Inspectorate finds that the treatments via e-mail and storage in Box refers to two interconnected data processing operations under Article 83 (3) (i) the Data Protection Regulation. This is because the treatments are the same personal data within a research project and refers to a violation of the same provisions, ie Article 5 (1) (f) and 32 (1) and (2) of the Regulation. When determining the size of the penalty fee, the Data Inspectorate takes into account the above circumstances and that the administrative penalty fee shall be effective, proportionate and dissuasive. That Umeå University does not have met the security requirements is serious when it comes to personal data of such a type that the data require strong protection based on the processing species. The Data Inspectorate decides on the basis of an overall assessment that Umeå universities must pay an administrative sanction fee of a total of 550,000 kronor. For the mailing in the e-mail and the storage in the cloud service Box the university must pay a fee of SEK 450,000. For the university failure to report the personal data incident to the Data Inspectorate and for not having documented the incident, the university must pay a fee of SEK 100,000. This decision was made by Director General Lena Lindgren Schelin after presentation by lawyer Linda Hamidi. In handling the case has lawyer Caroline Cruz Julander participated. At the final processing have the unit managers Katarina Tullstedt and Malin Blixt and IT security specialists Johan Ma and Ulrika Sundling participated. Lena Lindgren Schelin, 2020-12-10 (This is an electronic signature) Appendix Information on payment of penalty fee. Copy for information to The Data Protection Officer. Page 22 of 23 Page 23 The Data Inspectorate DI-2019-9432 2 3 (23) How to appeal If you want to appeal the decision, you must write to the Data Inspectorate. Enter i the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from on the day the decision was announced. If the appeal has been received in due time the Data Inspectorate forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision. Page 23 of 23