Datatilsynet (Denmark) - 2021-431-0151

From GDPRhub
Datatilsynet - 2021-431-0151
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided: 27.04.2022
Published: 06.05.2022
Fine: n/a
Parties: Joannahuset
National Case Number/Name: 2021-431-0151
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The Danish DPA confirmed that a children shelter's use of unsecure communication, such as SMS, to process a child's personal data was justified because the child's custodian was not available through any other means, and the child's interest in being admitted into the shelter outweighed data protection concerns.

English Summary

Facts

Joannahuset (the controller) is a crisis center offering shelter and support to children and young people in vulnerable situations. On one occasion, in connection with obtaining consent for a child's registration for shelter, the controller requested to receive the child's name and social security number via SMS. The Danish DPA (Datatilsynet) became aware of this situation and started an ex officio investigation.

According to the controller, the event occurred in the evening, when the child's custodian was no longer in the office and therefore could only be reached via SMS, and not by secure mail or any other equivalent secure communication method. The controller argued that it was legally obliged to check the identity of the child and receive the custodian's consent before accepting the child to the shelter. If it would not have reached out to the custodian via SMS, the child would have been left to spend the night on the street.

Holding

The DPA held that the requirement of appropriate security pursuant to Article 32 GDPR normally implies that the controller must offer the data subject a sufficiently secure communication method when transmitting confidential information. Moreover, the DPA found that the obligations placed on the controller under Article 32 GDPR cannot be waived by the data subject consenting to the unsecure transmission.

However, the DPA found that under exceptional circumstances, data protection requirements can be outweighed by other considerations, including, for example, the need to urgently ensure life and health concerning particularly vulnerable groups of people. Therefore, the controller must conduct a specific assessment and document its considerations when balancing such conflicting interests.

Consequently, the DPA found that in this case it was acceptable to use SMS communication for receiving the child's name and social security number.

Comment

Although the DPA did not name it directly, we can see the application of principles of necessity and proportionality in this decision.

Further Resources

Datatilsynet (Denmark) previously published its guidelines on transmitting personal data via SMS and Emails (in Danish), warning controllers against insecure transmission of personal information.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

In a very special and concrete situation, the crisis center's request for a social security number via SMS did not give rise to criticism

Date: 27-04-2022

Decision

The Danish Data Protection Agency has made a decision in a case in which the Joannahuset crisis center had assessed that in a specific and very special situation there were other considerations than the consideration for the protection of personal data that weighed heaviest.

Journal number: 2021-431-0151

Summary

In August 2021, the Danish Data Protection Agency became aware that a child and youth crisis center, Joannahuset, had requested to receive a young person's social security number via SMS. It is the Danish Data Protection Agency's general assessment that the transmission via SMS of confidential information, such as a personal identity number, entails a significant risk to the data subjects' rights and freedoms. The Authority therefore decided to take up a case of its own motion vis-à-vis the crisis center in order to investigate the case further.

It appears from the information in the case that the crisis center found it necessary to verify the person's identity in order to be able to offer him shelter. According to the information in the case, this was an urgent and very special situation where there were no other and more secure transmission solutions available that could ensure a quick enough verification of the person's identity.

The Authority has therefore assessed that there is no basis for overriding the shelter's assessment that in the specific situation there was consideration for the young person's interests that might outweigh the consideration for the protection of personal data, and that the young person in the case could would suffer a greater loss of rights if the SMS in question was not sent.

Decision

In August 2021, the Danish Data Protection Agency became aware that Joannahuset, in connection with obtaining consent for a child's registration for shelter in Joannahuset, has requested to receive the child's name and social security number via SMS. In addition, a picture of identification has been requested, but without specifying how this identification is to be sent.

The Danish Data Protection Agency decided to investigate the matter further on its own initiative [1]. In this connection, the Danish Data Protection Agency requested Joannahuset on 3 September 2021 for an opinion on the matter, including answering a number of questions. The Joanna House represented by DLA Piper submitted a statement on the matter on September 24, 2021. On 24 February 2022, the Danish Data Protection Agency decided to request further information from Joannahuset. On March 17, 2022, DLA Piper issued another statement against this background.

Decision

In August 2021, the Danish Data Protection Agency became aware that Joannahuset, in connection with obtaining consent for a child's registration for shelter in Joannahuset, has requested to receive the child's name and social security number via SMS. In addition, a picture of identification has been requested, but without specifying how this identification is to be sent.

The Danish Data Protection Agency decided to investigate the matter further on its own initiative [1]. In this connection, the Danish Data Protection Agency requested Joannahuset on 3 September 2021 for an opinion on the matter, including answering a number of questions. The Joanna House represented by DLA Piper submitted a statement on the matter on September 24, 2021. On 24 February 2022, the Danish Data Protection Agency decided to request further information from Joannahuset. On March 17, 2022, DLA Piper issued another statement against this background.

After a review of the case, the Danish Data Protection Agency finds no basis for overriding Joannahuset's assessment that in the specific situation there is consideration for the young person's interests, arising in an emergency situation and with limited possible solutions available, which must outweigh protection considerations. of personal data and that the young person in the case would suffer a greater loss of rights if the SMS in question was not sent.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation

It appears from Joannahuset's statements to the case that Joannahuset is a child / youth crisis center that offers shelter to young people who have run away or been thrown out of their homes or from a placement.

It appears from the case that a young person on 2 September 2021 approached Joannahuset and requested shelter, which is why Joannahuset contacted the young person's placement to obtain consent for the young person to spend the night in Joannahuset, as the staff otherwise assessed , that the criteria for offering shelter were met. It also appears that Joannahuset has previously been in dialogue with the person in question and has previously provided shelter for the person. In view of the experiences from the previous dialogue with the young person's home municipality, which according to Joannahuset has been difficult, Joannahuset has stated that the staff present assessed that in the specific situation there was a special need to ensure that both the identity of the person gave the consent regarding the young person, which the young person himself, was unequivocally and documentably established, so that no subsequent doubt about the consent could be seen. The Joanna House therefore requested in the specific situation to receive the young person's social security number via SMS.

Joannahuset has further stated that it was the assessment that it could have significant negative consequences for the young person if Joannahuset could not offer shelter, which is why Joannahuset's staff chose to deviate from the normal procedure, which stipulates that only absolutely necessary information is processed and which basically not “very personal information” via SMS, and then requested that the contact person from the municipality send a consent where the young person was identified by social security number.

Joannahuset has further stated that due to the nature of the case and previous course of events, and because Joannahuset has previously experienced that children and young people in crisis sometimes get others to pretend to be authorized to give consent, Joannahuset also found it necessary to obtain documentation of the identity of the consent provider.

Regarding Joannahuset's considerations regarding requesting a social security number via SMS, Joannahuset has stated that especially in cases where the consent must be obtained from the custodian, who according to Joannahuset often has limited resources, including no access to e-mail, employees often have to find concrete solutions with the available means. Joannahuset has stated that since most people have access to a mobile phone, the consent can often be obtained in a telephone conversation, after which Joannahuset sends an SMS, which the consent giver must then confirm so that there is documentation of the consent.

It further appears from the case that Joannahuset's procedure for using SMS prescribes that the employee must consider what information it is specifically necessary to state and limit the text to this information. SMS messages that serve to confirm consent given, as a general rule, therefore do not contain the child's or young person's social security number, according to Joannahuset. In practice, however, according to Joannahuset, there may be situations where consideration for the best interests of the child or young person dictates that these procedures be deviated from, e.g. in situations where there is a risk of further and serious negative consequences for the child or young person if the Joanna House is unable to offer the necessary help due to lack of or insufficient consent. Joannahuset has stated that in the specific situation there is a deviation from the normal procedures based on a concrete assessment of the specific situation, including consideration for the young person's interests and Joannahuset's other obligations.

Joannahuset has stated in the case that Joannahuset, on the basis of the inquiry from the Danish Data Protection Agency, has emphasized to employees that consideration for the best interests of the child or young person and Joannahuset's obligations under other regulations must clearly exceed the risk of violation of children's or young people's rights and freedoms. , that their personal data is processed using forms of communication that are not in principle suitable for processing the type of information in question.

It also appears from the case that the reason why in the specific situation a request was made to send a social security number via SMS was that the communication took place in the evening when the consent provider was not at his workplace, and therefore there was no possibility according to Joannahuset to establish communication via secure mail or equivalent. However, according to Joannahuset, it was important that the consent was received the same evening, as the consent was a condition for being able to offer the young person accommodation in Joannahuset, and as SMS had to be considered the only way in which a written consent could be sent quickly enough , Joannahuset considered that the consideration for the young person's security in the specific situation had to take precedence over the consideration for the protection of personal data during transmission, which is why it was considered justified to use SMS for this communication.

Joannahuset has also stated that Joannahuset does not consider the transmission of confidential information via SMS to be sufficiently secure, and that this solution is only used in special situations where other and more secure forms of communication are not available within the time horizon where there is a need. receipt of information for the benefit of the young person. In this connection, Joannahuset has stated that young people who seek shelter in Joannahuset in these situations will be left to spend the night on the street if Joannahuset does not receive the necessary consent. Failure to use SMS as a form of communication can, according to Joannahuset, in such situations thus entail a significant and immediate danger to the young people's lives and health.

Justification for the Danish Data Protection Agency's decision

3.1.

On the basis of the information provided by Joannahuset, the Danish Data Protection Agency assumes that Joannahuset has requested to receive a young person's social security number via SMS, and that Joannahuset has not made other transmission solutions available to the person in question in this connection.

After a review of the case, the Danish Data Protection Agency finds no basis for overriding Joannahuset's assessment that in the specific situation there is consideration for the young person's interests, arising in an emergency situation and with limited possible solutions available, which must outweigh protection considerations. of personal data and that the young person in the case would suffer a greater loss of rights if the SMS in question was not sent.

The Danish Data Protection Agency is of the opinion that requirements for data protection in special cases must give way to other more weighty considerations, including, for example, the consideration of urgently ensuring life and health in relation to particularly vulnerable groups of people. It is the opinion of the Danish Data Protection Agency that such a relaxation of data protection must take place after a specific assessment, and that the considerations in this regard must be documented.

3.2.

The Danish Data Protection Agency also notes that, in the opinion of the Danish Data Protection Agency, the requirement for appropriate security pursuant to Article 32 of the Data Protection Regulation normally implies that the data controller must offer the data subjects a sufficiently secure transmission solution when transmitting e.g. confidential information when the data controller collects information from the data subjects for the purpose of processing a case or service.

The Danish Data Protection Agency is of the opinion that all transmissions of information about natural persons, in clear text, over networks over which the data controller has no control, entail a significant potential risk of loss, change, unauthorized disclosure and access to the processed information. It is the Data Inspectorate's assessment that it is possible for persons with the necessary knowledge and willingness to do so as well as for persons with access to the telecommunications infrastructure to see the content of a given SMS. Furthermore, it is technically possible for unauthorized persons to be part of the chain of mobile telephone antenna stations, whereby these unauthorized persons can have access to see the information that is transmitted. Such risk scenarios must be included as part of the risk assessments made by the individual data controller in connection with their processing, which takes place via SMS.

It is the Data Inspectorate's assessment that the transmission of sensitive information and information that must be kept confidential via SMS entails a significant risk to the data subjects' rights and freedoms, and that the risk, as is also the case with e-mails transmitted via the Internet , is at the high end of the scale. Furthermore, the Authority's assessment is that the risk of confidentiality during transport can only be mitigated to a very limited extent by measures initiated by the data controller himself.

In addition, the Danish Data Protection Agency is of the opinion that a data subject may not waive the measures deemed appropriate under Article 32.

The Danish Data Protection Agency has published guidelines on its website on the transmission of personal data via SMS and e-mail, where Joannahuset can read more about how to deal with this as a data controller: Transmission of personal data via SMS (datatilsynet.dk) and Transmission of personal data via e-mail (datatilsynet.dk).



[1] The Danish Data Protection Agency supervises all processing covered by the Data Protection Act, the Data Protection Regulation and other legislation that falls within the framework of the Data Protection Regulation for special rules on the processing of personal data. The detailed rules can be found in section 27 of the Data Protection Act.