Datainspektionen - DI-2019-9432

From GDPRhub
Revision as of 08:43, 22 December 2020 by Kave (talk | contribs)
Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 33(1) GDPR
Article 33(5) GDPR
Chapter 35(1) of the Public Access to Information and Secrecy Act
Chapter 11(3) of the Public Access to Information and Secrecy Act
Type: Investigation
Outcome: Violation Found
Started:
Decided: 10.12.2020
Published:
Fine: 550000 SEK
Parties: Umeå University
National Case Number/Name: DI-2019-9432
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: Datainspektionen (in SV)
Initial Contributor: Kave Noori

The Swedish DPA (Datainspektionen) fined a university SEK 550,000 for mishandling sensitive data from criminal investigations. One investigation report was sent in an unencrypted email, and 108 investigation reports were stored with a US cloud provider without adequate protection.

English Summary

Facts

Two researchers from Umeå University in Sweden obtained from the police copies of all Swedish preliminary investigation reports from 2014 concerning cases of rape with male victims. In July 2016, the Swedish Police Authority sent paper copies of the investigation reports to the researchers by mail carrier.

In November 2017, the researchers contacted the Swedish Police Authority and asked for additional information about one of the cases. The researchers attached a scanned copy of one of the investigation reports to an email that was sent unencrypted. When the Swedish Police Authority pointed out that it was inappropriate to send sensitive material via unencrypted email, the researchers claimed the act was unintentional and blamed the human factor. In February 2019, the research team wanted more information on the same rape case and again sent the same investigation report to the Swedish Police Authority in an unencrypted email. The researchers also claimed that the second email was an accident. After this incident, the Swedish Police Authority wrote an official letter dated April 3, 2019, which was sent to the Swedish DPA (Datainspektionen).

The DPA launched an investigation to determine whether Umeå University had breached the GDPR. The preliminary investigation reports contain special categories of personal data, such as data about health and sex life, as well as information about suspected offences. They also contain the names, contact details and personal identity numbers of victims and suspects. The research team changed its routines after the first unencrypted email, but could not explain why it then sent the same report a second time in an unencrypted email.

In September 2019, Umeå University analyzed the data breach and found that it did not pose a high risk to the rights and freedoms of data subjects. As the email was addressed to a staff member at Swedish Police Authority who provided the researchers with the reports, the university concluded that there was no evidence of actual harm or unauthorized disclosure.

The university also scanned 108 preliminary investigation reports and uploaded them to the cloud storage provider Box. Box is a US-based cloud provider and was a sub-processor of the processor, the Swedish University Computer Network. Box transferred personal data to the US on the basis of the Privacy Shield (in force at the time) and binding corporate rules. The files were confidential under Chapter 35(1) and Chapter 11(3) of the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen).

The researchers stored the files in a folder in Box that was accessible only to the two researchers. The information was protected by 256-bit SSL encryption in transit and 256-bit encryption at rest. Encryption keys were kept separate from the data, and backups were also encrypted. Access to the files was protected by single-factor authentication (username and password). In 2016, the University had assessed that Box met the legal and technical requirements for storing sensitive personal data. Nevertheless, the University had concluded that, as a precautionary measure, such data should not be stored in Box.

Dispute

Holding

Personal data were not adequately protected

The DPA found that the University had breached Article 5(1)(f), Article 32(1) and Article 32(2) by failing to adequately protect the personal data in the reports. Although the emails were sent to the correct person at the Swedish Police Authority, they were sent unencrypted over the internet. The DPA recalled that the internet is an open network and that unauthorized persons may gain access to information sent over such a network if it is not adequately protected, for example by encryption.

The data breach should have been documented and reported to the DPA

The DPA found that the University violated Article 33(1) and Article 33(5) by failing to document and report a data breach in a timely manner. According to the DPA, the university became aware of the data breach when the Swedish Police Authority told the researchers that it was inappropriate to send criminal investigation reports in unencrypted emails. According to the DPA, the university therefore knew about the incident by April 3, 2019 at the latest, and not only on August 30, 2019, when it received the letter from the DPA informing it that it was under investigation.

Storage of sensitive personal data with a US cloud provider outside the EU

The DPA found that the University breached Article 5(1)(f), Article 32(1) and Article 32(2) by storing the 108 preliminary investigation reports with the cloud provider Box.

First, the University did not take sufficient technical measures given the sensitivity of the personal data. Although the data was encrypted in Box, anyone from any IP address could access the data if they had the correct username and password. The DPA recalled that single-factor authentication is vulnerable to phishing attacks and that the researchers would be unlikely to know if their username and password had fallen into the wrong hands. The DPA held that sensitive personal data of this nature must be protected by multi-factor authentication.

The DPA pointed out that a data controller must carry out a risk assessment and determine whether it is appropriate to store particular personal data with a particular processor. The assessment must be made in relation to the risk of unauthorized disclosure or access.

The DPA noted that the preliminary investigation reports concerned rapes of men and contained sensitive personal data that was classified as confidential. The DPA considered that the processing posed a high risk to the privacy of the data subjects if the information were disclosed to or accessed by unauthorized persons.

In addition, the DPA considered that the transfer of the personal data to the United States was problematic as the Public Access to Information and Secrecy Act does not apply in the US.

SEK 550 000 sanction fee

The DPA imposed a sanction fee of SEK 550 000 on Umeå University. SEK 450 000 related to the unencrypted emails and the storage of the preliminary investigation reports with a US cloud provider, and SEK 100 000 related to the failure to document and report the data breach in a timely manner. The DPA deemed the violations concerning the unencrypted emails and the storage of the reports with the US cloud provider to have been caused negligently. In this case, 108 criminal investigation reports containing highly sensitive personal data were stored with the US cloud provider without adequate data protection. On top of that, the university had stored the sensitive personal data in Box even though its own risk and vulnerability assessment had concluded that such data should not be stored there.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

University failed to sufficiently protect sensitive personal data

Published 2020-12-11 (news item on www.datainspektionen.se)

Umeå University has processed special categories of personal data concerning sexual life and health, among other things through storage in a cloud service, without sufficiently protecting the data. The Swedish Data Protection Authority is therefore issuing a fine of SEK 550,000 against the university.

The Swedish Data Protection Authority has now completed an audit of Umeå University, concluding that the University violated the General Data Protection Regulation by processing special categories of personal data without applying appropriate technical and organisational measures to protect the data.

A research group at the University had requested from the police preliminary investigation reports concerning cases of male rape and, on receiving them, scanned and stored them digitally. The reports contained, among other things, information on suspicion of crime, names, personal identity numbers and contact details, as well as sensitive data about sexual life and health.

The Swedish Data Protection Authority's investigation shows that the research group stored over a hundred scanned preliminary investigation reports in an American cloud service, despite the University having informed staff via its intranet that special categories of data should not be stored in that cloud service.

"The cloud service and the way the university uses it does not provide sufficient protection for this type of personal data," says Linda Hamidi, who led the Swedish Data Protection Authority's audit.

When the research group sent an e-mail to the police requesting further information, one of the scanned reports was attached as a reference, a practice that the research group later repeated despite the police having pointed out the inappropriateness of sending sensitive material in unencrypted e-mails.

"These events show that the University has not taken necessary measures to ensure a level of security appropriate in relation to the risk."

The Swedish Data Protection Authority also criticises the University for failing to report the incident as a personal data breach. Since 25 May 2018, organisations have been obliged to report personal data breaches to the Swedish Data Protection Authority.

"The controller is obliged to notify the DPA of data breaches and furthermore to present to us what has been done to mitigate the effects of the incident and to prevent similar incidents from happening in the future."

The overall assessment of the infringements found led the Swedish Data Protection Authority to issue an administrative fine of SEK 550,000 against the University.

Read the Swedish Data Protection Authority's decision in pdf format (Swedish only): /globalassets/dokument/beslut/2020-12-10-beslut-tillsyn-umea-universitet.pdf on www.datainspektionen.se

For further information, please contact:
Legal advisor Linda Hamidi, phone +46-8-657 61 81
IT security specialist Johan Ma, phone +46-8-657 61 67
Press office, phone +46-8-515 15 415