Datatilsynet (Denmark) - 2021-423-0235
|Datatilsynet - 2021-423-0235|
|Relevant Law:||Article 32(1) GDPR|
|National Case Number/Name:||2021-423-0235|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in DA)|
|Initial Contributor:||Vadym Kublik|
The Danish DPA reprimanded a municipality for violating Article 32(1) GDPR by not restricting terminated employee's access to its file system and not following up with control over the former employee's access rights.
English Summary[edit | edit source]
Facts[edit | edit source]
In summer 2021, the Danish DPA conducted inspections in selected municipalities. The DPA focused on the municipalities' way of administering access rights to personal data of children and young people, especially in the school area. In connection with the Gladsaxe Municipality, it inspected whether the controller withdrew terminated employees' access rights to its electronic case and document management system (SBSYS). The inspection showed that the controller had a comprehensive information security handbook regulating access rights management. However, in one instance, the DPA found that the controller did not follow the procedure of reviewing whether terminated employees still had an active user account. As a result, the DPA also assumed that the user [X] had access to SBSYS even after the employee's resignation.
Holding[edit | edit source]
First, the DPA held that the controller must always identify data processing risks and implement appropriate security measures to protect the data subjects against those risks. Such security measures must typically ensure that access rights to systems are properly allocated so that only users with a work-related need are authorised to access the information. Second, the DPA considered that in addition to a procedure for disabling access rights upon termination of employment, there must be a control procedure that effectively follows up on whether the access was truly disabled.
Consequently, the DPA held that the Gladsaxe Municipality did not take appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in the municipality's processing of personal data under Article 32(1) GDPR. That was because a) it did not deprive the user [X] of access rights to SBSYS after the employee's resignation, and b) it did not carry out the necessary follow-up or revision of terminated employees' rights.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Supervision of Gladsaxe Municipality's rights management in one of the municipality's systems Date: 26-04-2022 Decision Public authorities On the basis of an audit focusing on the administration of access rights, the Danish Data Protection Agency has expressed criticism of Gladsaxe Municipality for not having acted in accordance with the rules on processing security. Journal number: 2021-423-0235 Summary Gladsaxe Municipality was among the selected municipalities that the Danish Data Protection Agency supervised in the summer of 2021 in accordance with the data protection rules. The audit focused on Gladsaxe Municipality's way of administering access rights to children and young people, including especially the school area. In this connection, the Danish Data Protection Agency investigated whether Gladsaxe Municipality had withdrawn retired employees' access rights to the municipality's electronic case and document management system SBSYS. The Danish Data Protection Agency found that Gladsaxe Municipality had not acted in accordance with the rules on processing security. The Danish Data Protection Agency emphasized that Gladsaxe Municipality had not deprived a user of access rights to SBSYS after the employee's resignation, and that the municipality had not carried out follow-up or control of the rights of terminated employees. Against this background, the Danish Data Protection Agency expressed criticism of Gladsaxe Municipality. 1. Written supervision of Gladsaxe Municipality's processing of personal data Gladsaxe Municipality was among the authorities that the Danish Data Protection Agency had chosen in the summer of 2021 to supervise in accordance with the Data Protection Ordinance  and the Data Protection Act . The Data Inspectorate's inspection was a written inspection which focused on Gladsaxe Municipality's way of administering access rights in the area of children and young people, including in particular the school area, cf. Article 32 (1) of the Data Protection Ordinance. 1. By letter dated 9 June 2021, the Danish Data Protection Agency notified the Authority of Gladsaxe Municipality. In this connection, the Danish Data Protection Agency requested that a list of systems in the municipality's school area be sent to it, in which information about natural persons is processed. Gladsaxe Municipality appeared on 1 July 2021 with a statement in the case. Based on the statement, the Danish Data Protection Agency chose to carry out further checks on Gladsaxe Municipality's rights management in the municipality's ESDH system SBSYS. On 11 August 2021, the Danish Data Protection Agency requested Gladsaxe Municipality to state which personal data the municipality processes in SBSYS in the school area, how the municipality creates and discontinues users in SBSYS, and how the municipality removes rights in the system in the event of employees' functional changes. Against this background, Gladsaxe Municipality submitted a supplementary statement on the matter on 1 September 2021. Following a review of Gladsaxe Municipality's supplementary answer of 1 September 2021, the Danish Data Protection Agency requested on 13 October 2021 to receive a list of resigned employees at the individual schools in the second quarter of 2021 with a view to the Danish Data Protection Agency's selection of users for random checks. On November 3, 2021, Gladsaxe Municipality submitted a list of resigned employees in the second quarter of 2021 in the school area. Against this background, the Danish Data Protection Agency requested on 17 November 2021 Gladsaxe Municipality for documentation of when 13 selected employees' access rights to SBSYS were revoked. By letter dated 7 December 2021, Gladsaxe Municipality stated that 12 out of the 13 users had not been created in SBSYS, and that the one created employee did not have access long before termination. By letter dated 9 March 2022, the Danish Data Protection Agency then requested to receive a list of resigned employees in the organizational units (at the individual schools) in the 4th quarter of 2021, which had been established in SBSYS, before resigning with a view to the Danish Data Protection Agency's selection of users for random checks. Gladsaxe Municipality replied to the letter on 6 April 2022. 2. The Danish Data Protection Agency's decision After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing criticism that Gladsaxe Municipality's processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Regulation. Below is a more detailed review of the information that has emerged in connection with the written inspection and a justification for the Danish Data Protection Agency's decision. 3. Information of the case 3.1. The section on access control in Gladsaxe Municipality's information security handbook states that it must be ensured that access to the municipality's IT systems, servers, networks, common mailboxes, common drives and PCs is restricted through specific authorizations. The level of authorization is determined on the basis of a specific assessment of business-related requirements and the sensitivity of the information, and specific regulatory obligations in relation to data access must be observed in particular. It must be ensured that the employees only have access to personal information or confidential data that the employee has a functional need for. It is further stated in the information security handbook that all authorization on the municipality's IT systems, networks, servers and other IT equipment must be done by a unique and personal user identity. The user identity must be traceable to the person responsible for a given activity. When establishing joint accounts in special cases, a specifically documented risk assessment is required. The following applies to the allocation of user access in the Information Security Manual: “The responsibility for granting authorizations is between resp. The digitization department and the system owners. The procedure is determined by the individual system owner, and the allocation of rights must always be documented. The Digitization Department prepares a general procedure for creating, assigning, modifying and deleting access. For the individual systems, mailboxes, drives and other data, the owner is responsible for the preparation and compliance with the procedure on the basis of the general procedure, all access control must be documented. The system owner, mailbox owner, driveway and data owner can decide that authorizations can be done via role profiles, and it is the system owner's responsibility to create and maintain the role profiles. The system owner is responsible for ensuring that role profiles do not provide access to data for which the profile was not intended. Procedures for authorizing user access must include a formal authorization form specifying the necessary privileges. The form can be in both digital and analog form, just as forms can be signed electronically, e.g. by submitting the form by email. When creating or resetting passwords, the employee must be assigned a temporary password, which the employee must change on first use. ” Regarding the review of users' access rights, the following appears: “Users and their rights must be reviewed in all systems, mailboxes and drives. The method and frequency must be determined in a specific risk assessment. However, the frequency must not exceed every 18 months. Reviews of user accounts are initiated by the system owner, and follow-ups must be documented in writing. However, a review of whether retired employees have an active user account must always be reviewed in full. ” In addition, the following is stated about the withdrawal or adjustment of access rights: “When an employee changes work tasks or gets another organizational affiliation, an assessment must be made of the employee's authorizations and accesses, so that these continue to reflect the employee's needs. The original manager is responsible for the waiver of rights and the subsequent manager is responsible for the allocation. When the employee resigns, all IT equipment must be included. User profiles and authorizations are deactivated or deleted according to the municipality's procedure for granting, changing and deleting authorizations. It is the responsibility of the immediate supervisor to report to the authorizing functions. When closing down users, automated batches (batch runs) can be used, which, based on registrations about the employee's employment conditions, make automated deletions of users. User accounts can be deactivated after a specified period of user inactivity, so that the user can only log in after a request for reactivation. Disabled accounts can be deleted after a specified period of time. In the cases mentioned, written approval of the user closure is not required. In the event of expulsion, dismissal or dismissal of an employee, the employee's access rights must, after a specific assessment and on the recommendation of the immediate manager, be withdrawn immediately. In the event of leave or other long-term absence, the user's access rights must be deactivated, unless the employee's manager allows specific accesses to remain active. ” It is further stated in the information security handbook that all potential access to personal data must be logged. This means that all failed and successful logins must be able to be associated with a unique user. Access to logo information on the behavior of Gladsaxe Municipality's users must be available to the municipality's administrators. 3.2. It appears from the case that SBSYS is an ESDH system that Gladsaxe Municipality uses in the school area for journaling of e.g. action plans, student plans, minutes, educational readiness assessments and case files, etc. Gladsaxe Municipality has stated that the municipality i.a. processes contact information, social security numbers, health information, test information and information about school affiliation, social conditions, ethnicity and criminal conditions in SBSYS in the school area. Gladsaxe Municipality has stated that in the school area in the municipality, it is the leaders and the administrative staff at the schools, as well as the school department's staff at the town hall who have access to SBSYS. It is the individual leader in the organizational units (at the individual schools) who may via a super user orders / approves that an employee must have access to SBSYS. This is done in practice by the manager having decided which parts of the person's organization should use SBSYS and what role the employees should have in SBSYS. These organizational units (places of employment) are thus authorized to access SBSYS. In some cases, this access only applies to individual employees in an organizational unit, and here only the relevant employees are authorized to access SBSYS - or to a specific role in SBSYS. Gladsaxe Municipality has stated that the authorization for SBSYS takes place via Gladsaxe Municipality's AD (Active Directory). Organizational units and employees are continuously synchronized from the municipality's virtual organization chart GLASNOST to AD and further in / out of SBSYS. This means that users who are discontinued in AD no longer have access to SBSYS. It also means that users who do not have access to a computer on the municipality's domain also do not have access to SBSYS. When a user access is closed in SBSYS, the user is not deleted, but the user is deactivated to ensure transparency in e.g. previous logo information. Gladsaxe Municipality has also stated that the administration / access control itself, ie. allocation and deprivation of membership in security groups and roles in SBSYS, is done via AD and is done by a Hotline function in Gladsaxe Municipality's IT department. This is done on the basis of order forms which are filled in by super users in the administrations on behalf of the local manager. Via the forms, only the super users have the opportunity to order and unsubscribe rights, e.g. when users change organizational role. It is the individual manager who is responsible for ensuring that their employees have the correct roles in SBSYS, and therefore also the individual manager's responsibility to ensure that the rights are only granted according to a work-related need. When a user moves organizational location, it is the super users in the releasing organizational unit's responsibility to deregister the user's affiliation / role to old security groups. It is super users associated with the receiving organizational unit who are responsible for ordering / registering the user's affiliation / role into new relevant security groups. It appears from the case that there were two terminated employees in the school area in Gladsaxe Municipality, who were established in SBSYS before resigning in the 4th quarter of 2021. It further appears from the case that Gladsaxe Municipality on its own initiative has investigated dates for deactivation in the municipality's payroll system and administrative AD, which i.a. has provided access to SBSYS. Gladsaxe Municipality stated in this connection that the user [X] was deactivated in the payroll system with retroactive effect. This meant that the user was not shut down in time for the latest date of employment. Gladsaxe Municipality has also investigated whether the user has been active in SBSYS, which was not the case. 4. The Danish Data Protection Agency's assessment The Danish Data Protection Agency assumes that the user [X] has had access to SBSYS after the employee's resignation. The Danish Data Protection Agency also assumes that the procedure in the information security handbook that the review of whether retired employees have an active user account must always be fully reviewed was not followed in the case in question. It follows from Article 32 (1) of the Data Protection Regulation 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security that is appropriate to the risks involved in the data controller's processing of personal data. Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks. The Danish Data Protection Agency is of the opinion that the requirement for appropriate security will normally mean that measures have been implemented for allocating and depriving access rights to systems, so that only users who have a work-related need to have access to the information are authorized to do so. The Danish Data Protection Agency finds that Gladsaxe Municipality - by not having deprived the user [X] of access rights to SBSYS after the employee's resignation, and by not having carried out the necessary follow-up or revision of terminated employees' rights - has not taken appropriate technical and organizational measures for to ensure a level of security that suits the risks involved in the municipality's processing of personal data, cf. Article 32 (1) of the Data Protection Regulation. 1. It is the opinion of the Danish Data Protection Agency that, in addition to a procedure for revocation of rights upon termination of employment, there must be a control procedure that effectively follows up on whether this has also happened. This control procedure must be organizationally and / or technically based so that it does not, by human error, be carried out The Danish Data Protection Agency then finds grounds for expressing criticism that Gladsaxe Municipality's processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Regulation. 1.  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).  Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).