Datatilsynet (Denmark) - 2021-32-2067

From GDPRhub
Datatilsynet (Denmark) - 2021-32-2067
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32 GDPR
Article 33 GDPR
Article 32(1) of the Danish Data Protection Ordinance
Article 33 of the Danish Data Protection Ordinance
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.10.2021
Published:
Fine: None
Parties: Falkonergården (High School)
National Case Number/Name: 2021-32-2067
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Florence D'Ath

The Danish DPA reprimanded a high school for not reporting a data breach, in violation of Article 33 GDPR. The breach was caused by a human error and consisted in the sending of a warning message to the wrong student with respect to the absence rate of another student.

English Summary[edit | edit source]

Facts[edit | edit source]

Falkonergården, a Danish high school, sent a written message with respect to the high absence rate of a student (the Complainant) to the wrong recipient. The message included the Complainant's full name, absence rate, as well as a warning that he or she may have been suspended from school in case his or her attendance would not improve. This breach was the result of a human error; the person in charge of sending the warning messages forgot to type in the correct social security number of the Complainant. As a result, the message was sent to another student.

On the same day, Falkonergården informed the Complainant about the incident and apologized for their error. They also requested the other student to whom the message had been sent to delete it and keep this information confidential.

Falkonergården decided not report the incident as a breach with the Danish DPA, because they considered that the information did not contain any sensitive data in the sense of Article 9 GDPR and that the breach was thus unlikely to have a negative impact on the Complainant's rights or freedoms.

The Complainant however started suffering from rumors circulating among students in relation to his or her absence rate. As a result, the Complainant decided to file a complaint with the Danish DPA, arguing that Falkonergården should have implemented better security measures (Article 32 GDPR) and should have reported the personal data breach to the Danish DPA (Article 33 GDPR).

Holding[edit | edit source]

Regarding the need to implement organisational and technical measures to ensure an appropriate level of security of the personal data, the Danish DPA found that Falkonergården was not in breach of its obligations under Article 32 GDPR. The Danish DPA noted in particular that the procedure for sending warning messages is conducted by trained employees, who have been instructed to be careful when entering student's information in the school management system, and to always double check such information before sending any messages.

Regarding the obligation to report personal data breach to the DPA, the Danish DPA found that Falkonergården was in breach of Article 33 GDPR. In particular, the Danish DPA stressed that all personal data breaches must in principle be reported to the competent DPA, unless it is unlikely that the breach would result in a risk to the rights or freedoms of the individuals concerned. According to the Danish DPA, a risk to the rights and freedoms of natural persons includes i.a. discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality or any other significant economic or social inconvenience to the data subject. In this case, the Danish DPA considered that Falkonergården had failed to establish the unlikeliness of such a risk, especially given the confidential nature of the information at stake.

The Danish DPA therefore decided that Falkonergården should have notified the breach to the Danish DPA in accordance with Article 33(1) of the Danish Data Protection Ordinance (i.e. Article 33 GDPR).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Complaint about security breach at Falkonergårdens Gymnasium and HF
Date: 18-10-2021
Decision

The Danish Data Protection Agency has expressed criticism that Falkonergården had not reported a security breach to the audit. Furthermore, the Danish Data Protection Agency did not find grounds to override the school's assessment of what were appropriate security measures.

Journal number: 2021-32-2067.
Summary
The Danish Data Protection Agency has made a decision in a case where a student at Falkonergården complained that the school by mistake sent a written warning in connection with too much absence to another student. The error occurred when an employee entered an incorrect social security number when sending via e-Boks. Subsequently, it was found that information on the complainant's absence rate was known by others at the school.
The Danish Data Protection Agency expressed criticism that Falkonergården had not lived up to the requirement that breaches of personal data security must in principle be reported to the Danish Data Protection Authority.
In the assessment, the Danish Data Protection Agency emphasized that Falkonergården had not proved that it was unlikely that the incident entailed a risk to the complainant's rights. This could e.g. be damage to the complainant's reputation.
Furthermore, the Danish Data Protection Agency did not find grounds to override Falkonergården's assessment of what were appropriate security measures.
In this connection, the Danish Data Protection Agency emphasized that this was a one-off incident, that only a few trusted employees sent the letters in question, that the management often emphasized to these employees the importance of entering the correct social security number and that the individual employee always double-checks the social security number.
However, the Danish Data Protection Agency called on Falkonergården to reconsider their measures in the event of a recurrence.
Decision: The Danish Data Protection Agency hereby returns to the case where [complainants] (hereinafter complainants) on [date] 2021 has complained that Falkonergårdens Gymnasium and HF (hereinafter Falkonergården) have passed on complainants' personal information to unauthorized persons.
Decision
Following a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing criticism that Falkonergården's processing of personal data has not taken place in accordance with the rules in Article 33 (1) of the Data Protection Regulation [1]. 1.
The Danish Data Protection Agency also finds that there is no basis for stating that Falkonergården's processing of personal data has taken place in violation of Article 32 (1) of the Data Protection Ordinance. 1.
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
It appears from the case that the complainant is a student at Falkonergården, and that the school on [date] 2021 by mistake sent a written warning with the complainant's absence information and the complainant's full name to another student at the school.
On the same day, Falkonergården drew complaints about the situation and apologized for the error.
2.1. Falkonergården's remarks
Falkonergården has stated that the unjustified disclosure took place when a secretary had to prepare letters with negligence notice to several students. The letters contained information about the student's failure rate and a notice that the student will be discharged from the school if attendance does not improve. In the process of submission, the secretary accidentally forgot to change the social security number when the letter was sent to e-Boks through the school's electronic student archive.
Falkonergården has also stated that only a few trusted employees send information to e-Boks, and the management has regularly emphasized to these employees the importance of entering the correct social security number. The employees who work with student information, including sending to e-Boks, are very aware of the type of information they work with. Employees are fully aware of the importance of sending the correct information to the correct recipient. In this connection, Falkonergården has stated that the individual employee always double-checks that shipments via e-Box are made to the correct social security number.
Falkonergården has claimed that sending to e-Boks always takes place by manually entering the social security number. Falkoner farms therefore did not have the opportunity to implement technical measures that secured against this type of incident.
Falkonergården has stated that the school has asked the recipient to delete the letter and remain silent about the contents. Falkonergården has also asked for a confirmation that the recipient has deleted the information.
Furthermore, Falkonergården has stated that the management has emphasized to employees who send to e-Boks that when preparing and sending several letters in the same work process, in the future must be restarted with each letter, and not based on a previous letter . Employees who send to e-Boks will in future make sure to be extra careful every time information is sent via e-Boks, and make sure that it is the correct recipient who is sent to.
Falkonergården has considered whether the school can take technical measures that can ensure that similar incidents do not happen in the future. The school is not aware of such measures that can remedy human errors such as entering the wrong social security number.
Falkonergården has stated that the school did not report the incident as a breach of personal data security to the Danish Data Protection Agency, as the school based on a risk assessment found that it was unlikely that the incident would or could involve a risk to complainants' rights or freedoms, even if complainants are young. Falkonergården has, however, for the sake of good order informed complaints about the incident.
Falkonergården has further assumed that the information in question in the erroneously submitted document is not covered by Article 9 of the Data Protection Regulation, nor that there is any information of a confidential nature in the document.
In the decision not to report the incident to the Danish Data Protection Agency, Falkonergården has further emphasized that the content of these warnings for students with too much absence is standard letters, where there is nothing but a recommendation to the student to reduce the absence and the consequences of not comply with the warning. Compared with the risk assessment, it was assessed that the complainant's rights would not be harmed or endangered in any way.
Falkonergården has argued that it appears from previous decisions from the Danish Data Protection Agency that it is the sensitivity of the information that is important for the handling of the type of information and in which cases notification should be made to the Authority.
Finally, Falkonergården has stated that the assessment of not making a notification to the Danish Data Protection Agency was made on the basis of which category of information was in the letter sent, and that the wrong recipient was another student at Falkonergården.
2.2. Complainant's remarks
Complainants have stated that there has been a security breach which Falkonergården should report to the Danish Data Protection Agency. Complainants have further stated that [complainants] are very much affected by the situation, as rumors of [complainants'] absence rate abound at the school.
Justification for the Danish Data Protection Agency's decision
The Danish Data Protection Agency assumes that there has been a breach of personal data security (unauthorized disclosure of personal data), as Falkonergården has by mistake sent information about a written warning to complainants due to too much absence and complainant's absence percentage to another student.
3.1.
It follows from Article 32 (1) of the Data Protection Regulation 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data. This involves i.a. that you, as the data controller, must ensure that information about the data subject does not come to the knowledge of unauthorized persons.
It is the Data Inspectorate's opinion that it will normally be an appropriate security measure that only a few trusted employees can - following a duly given instruction - use the manual transmission of documents in e-Boks. This requires that there is an appropriate check of the entered social security number before the shipment takes place.
The Danish Data Protection Agency assumes that only a few trusted employees send information via e-Boks, that the management regularly emphasizes to these employees the importance of entering the correct social security number, and that the individual employee always double-checks that sending via e-Boks Box is made to the correct social security number.
Against this background, and as there is no further documentation of precedents, the Danish Data Protection Agency finds no basis for overriding Falkonergården's assessment that the measures are appropriate in relation to the described risks.
The Danish Data Protection Agency therefore has no basis for stating that Falkonergården's processing of personal data has taken place in violation of Article 32 (1) of the Data Protection Regulation. 1.
However, the Authority must emphasize that in the event of a recurrence, the data controller must cause the data controller to reconsider his actions; source e.g. the student's pedigree or similar.
3.2.
In the event of a breach of personal data security, the data controller must report the breach to the Danish Data Protection Agency in accordance with Article 33 (1) of the Data Protection Regulation. However, notification shall not be made if the breach of personal data security is unlikely to involve a risk to the data subject's rights or freedoms.
The Danish Data Protection Agency finds that Falkonergården - by not reporting the breach to the Danish Data Protection Agency - has not complied with the requirements of Article 33 (1) of the Data Protection Ordinance. 1, which gives the Authority an opportunity to express criticism.
In this connection, the Danish Data Protection Agency has emphasized that all breaches of personal data security must in principle be reported to the Danish Data Protection Agency, and that it is only if it is unlikely that the breach of personal data security entails a risk to natural persons' rights or freedoms. review.
In this connection, the Danish Data Protection Agency is of the opinion that Falkonergården has not proved that it is unlikely that the breach of personal data security entails a risk to the complainant's rights or freedoms. A risk to the rights and freedoms of natural persons includes i.a. discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data subject to professional secrecy or any other significant economic or social inconvenience to the data subject.
The Danish Data Protection Agency is also of the opinion that information on the absence rate and information that a person has received a warning due to too much absence is confidential information.
The Danish Data Protection Agency also finds that the fact that the incorrect recipient of the information was another student at Falkonergården cannot lead to a different assessment of whether a notification should be made to the Danish Data Protection Agency. In this connection, the Danish Data Protection Agency has emphasized that precisely because it was another student, there was subsequent information about the complainant's absence rate at the school.
The Danish Data Protection Agency must emphasize that Falkonergården will in future report similar security breaches to the Danish Data Protection Agency in accordance with Article 33 (1) of the Data Protection Ordinance. 1.
Concluding remarks
In conclusion, the Danish Data Protection Agency must state that Falkonergården in this case must not make a separate notification of the breach of personal data security, cf. Article 33 (1) of the Data Protection Ordinance. In this connection, the Danish Data Protection Agency has emphasized that the breach has been adequately covered in connection with the processing of the case by the Authority.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).