Datatilsynet (Denmark) - 2021-423-0234

From GDPRhub
Datatilsynet (Denmark) - 2021-423-0234
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 30.11.2021
Fine: None
Parties: Allerød Municipality
National Case Number/Name: 2021-423-0234
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Danish
Original Source: datatilsynet.dk (in DA)
Initial Contributor: n/a

The Danish DPA issued a reprimand against the Allerød Municipality for failing to implement appropriate technical and organisational measures, as required by Article 32(1) GDPR, to ensure the proper administration of welfare.

English Summary

Facts

In summer 2021, the Danish DPA investigated the data practices of a number of national municipalities. The controller in this case, the Allerød Municipality, was one of these. The investigation focused on Allerød Municipality's way of administering access rights in the administration of social welfare, in accordance with Article 32 GDPR.

First, the DPA asked the controller for a list of systems in which data on natural persons were processed, as well as the municipality's policies on auditing and sampling for unauthorised access attempts. The municipality shared its guidelines on logging and sampling, which stated that samples were taken at different intervals (e.g. 1 month, 2½ months, 5 months, 3 months, etc.) but never more than 6 months apart. After receiving this information, the DPA requested documentation on the random checks the municipality carried out in one of its systems.

The Allerød Municipality provided this documentation, which showed that it had carried out log checks on 24 June 2020, 25 September 2020 and 13 August 2021.

Holding

Following the inspection of Allerød Municipality, the DPA held that whilst the municipality's procedures for random checks of the log in the social administration's systems were generally satisfactory, it had failed to follow its own guidelines in at least one case.

The DPA added that in its opinion, carrying out such sampling every six months constitutes the absolute minimum of auditing systems that process a lot of confidential and/or sensitive information, or where the access rights are of a broader nature.

Thus, the Danish DPA issued a reprimand against the Allerød Municipality for failing to implement appropriate technical and organisational measures, as required by Article 32(1) GDPR, to ensure the proper administration of welfare.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Appropriate access control procedures, but non-compliance
Date: 30-11-2021
Decision

The Danish Data Protection Agency has expressed criticism that Allerød Municipality has not followed its own guidelines for control. However, the municipality's procedures for sample control were generally satisfactory.

Journal number: 2021-423-0234.
Summary
Allerød Municipality was among the selected municipalities that the Danish Data Protection Agency supervised in the summer of 2021 in accordance with the data protection rules.
The audit focused on Allerød Municipality's way of administering access rights in the social administration. In connection with the audit, the Danish Data Protection Agency asked Allerød Municipality for documentation of samples taken in one of the municipality's systems.
The Danish Data Protection Agency found that Allerød Municipality's procedures for random checks of the log in the social administration's systems were generally satisfactory in relation to the risk picture.
In this connection, it was the Danish Data Protection Agency's assessment that random checks every six months constitute the absolute minimum of checks in systems that process a lot of confidential and sensitive personal data, or where access rights are of a broader nature.
However, the Danish Data Protection Agency found that in at least one case the municipality had not followed its own guidelines for control.
On that basis, the Danish Data Protection Agency criticized the fact that Allerød Municipality's processing of personal data had not taken place in accordance with the rules on processing security.
1. Written supervision of Allerød Municipality's processing is personal data
Allerød Municipality was among the public authorities that the Danish Data Protection Agency had chosen in the summer of 2021 to supervise in accordance with the Data Protection Ordinance [1] and the Data Protection Act [2].
The Data Inspectorate's inspection was a written inspection, which focused on Allerød Municipality's way of administering access rights in the social administration, cf. Article 32 of the Data Protection Regulation.
By letter dated 9 June 2021, the Danish Data Protection Agency notified the Authority of Allerød Municipality. In this connection, the Danish Data Protection Agency requested to be sent a list of systems in the municipality's social administration, in which information about natural persons is processed, and about the municipality's policies for audits and samples for unauthorized access attempts.
Allerød Municipality appeared on 30 June 2021 with a statement on the matter.
On 11 August 2021, the Danish Data Protection Agency requested Allerød Municipality to provide documentation for samples taken in one of the municipality's systems. Against this background, the municipality submitted a supplementary statement on the matter on 31 August 2021.
2. The Danish Data Protection Agency's decision
Following the audit of Allerød Municipality, the Danish Data Protection Agency finds reason to conclude:

That Allerød Municipality's procedures for random control of the log in the social administration's systems are generally satisfactory in relation to the risk picture.
That Allerød Municipality in at least one case has not followed the municipality's own guidelines for control.

The Danish Data Protection Agency then finds grounds for expressing criticism that Allerød Municipality's processing of personal data has not taken place in accordance with the rules in Article 32 of the Data Protection Regulation.
Below is a more detailed review of the information that has emerged in connection with the written inspection and a justification for the Danish Data Protection Agency's decision.
3. Information of the case
Allerød Municipality has stated that the social administration in the municipality is organizationally located in the departments Citizen Service and Families.
It appears from the lists sent that the social administration uses a number of different systems, where ordinary personal data, sensitive information and other information worthy of protection are processed, e.g. social security numbers.
Allerød Municipality has stated that employees in the municipality may only be authorized to have access to IT systems that they need in connection with their normal work. When an employee must have access to an IT system, access must be restricted so that he or she only has access to see and work with the cases that are necessary to be able to perform the specific core task.
The managers of the areas are responsible for approving user registration and deregistration at the municipality's IT service desk.
It appears from Allerød Municipality's guidelines for logging and random sampling that control of logging systems in the Citizen Service is carried out by means of random sampling, which is drawn on average every 6 weeks. The samples fall at different intervals, e.g. 1 month, 2 months, 5 months, 3 months, etc., but not more than 6 months. The dates are set out in an annex to which only security personnel have access.
A sample includes 5-6 notices made 1-3 days before the employee is asked to explain the reason for the notices.
The samples are printed out and presented to the employees who made the notices. Employees note the reason for the postings. The samples and quotations are then added to the manager who has the greatest insight into his or her work. If it gives rise to questions, the boss talks to the employee, otherwise the inspection is considered completed with a satisfactory result.
On the basis of Allerød Municipality's statement of 30 June 2021, the Danish Data Protection Agency chose to carry out further inspections of the municipality's sampling in the ESDH system Acadre. Therefore, by letter dated 11 August 2021, the Danish Data Protection Agency asked Allerød Municipality to submit documentation for samples taken in Acadre for the past year.
Allerød Municipality has stated that all withdrawals are made centrally by the administrator of Acadre, which is organizationally located in the Secretariat. The responsibility for carrying out the control lies with the manager and should be carried out twice a year.
In this connection, the municipality has stated that all extracts must be reviewed in order to check whether the municipality's employees still have access that is necessary for them to carry out their work - and no more than that.
Allerød Municipality has also stated that due to the Covid-19 situation, no samples have been taken in the period from 25 September 2020 until 13 August 2021, and normal operation will be re-established from September 2021.
It appears from the submitted random check in Acadre for Citizen Service and Families that Allerød Municipality on 24 June 2020, 25 September 2020 and 13 August 2021 has checked the log of 3-9 employees' display of e.g. cases and documents in Acadre.
4. The Danish Data Protection Agency's assessment
The Danish Data Protection Agency assumes that Allerød Municipality generally logs the use of personal data in the municipality's IT systems, including the Acadre system.
It follows from Article 32 (1) of the Data Protection Regulation 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data.
Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks.
It is the opinion of the Danish Data Protection Agency that the requirement for appropriate security will normally mean that the data controller continuously samples the log to check that users only access information they have a work-related need for and that measures have been implemented to allocate and deprive access rights so that only users who have a work-related need to access the information are authorized to do so.
The Danish Data Protection Agency does not find grounds to override Allerød Municipality's assessment that random checks take place twice a year.
However, the Danish Data Protection Agency is of the opinion that sampling every six months constitutes the absolute minimum of control, in systems that process a lot of confidential and / or sensitive information, or where the access rights are of a broader nature.
According to the information, the Danish Data Protection Agency assumes that Acadre is a system with these types of information.
In addition, in accordance with Allerød Municipality's own explanation in this regard, the Authority assumes that no random checks have been carried out in the Acadre system in the period 25 September 2020 to 13 August 2021.
The Danish Data Protection Agency finds that Allerød Municipality - by not having kept control of the log in Acadre for more than six months - has not taken appropriate organizational measures to ensure a level of security that matches the risks involved in the municipality's processing of personal data, cf. Article 32 (1) of the Data Protection Regulation 1.
The Danish Data Protection Agency has hereby emphasized that Allerød Municipality has carried out inspections on 24 June 2020, 25 September 2020 and 13 August 2021.
The fact that the employees have been repatriated and worked from home during the Covid-19 situation cannot lead to a different assessment that inspections should take place at least every six months.
The Danish Data Protection Agency also finds it striking that Allerød Municipality has carried out the most recent inspection two days after the Authority's letter of 11 August 2021, in which the Authority requested documentation of samples taken in Acadre for the past year.
The Danish Data Protection Agency has noted that normal operation has been re-established from September 2021.
5. Conclusion
Following the audit of Allerød Municipality, the Danish Data Protection Agency finds reason to conclude:

That Allerød Municipality's procedures for random control of the log in the Social Administration's systems are generally satisfactory in relation to the risk picture.
That Allerød Municipality in at least one case has not followed the municipality's own guidelines for control.

The Danish Data Protection Agency then finds grounds for expressing criticism that Allerød Municipality's processing of personal data has not taken place in accordance with the rules in Article 32 of the Data Protection Regulation.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).
[2] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).