Datatilsynet (Denmark) - 2021-442-13989

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Regulation (EU) 2016/679
Type: Other
Outcome: n/a
Started:
Decided: 12.05.2022
Published: 12.05.2022
Fine: n/a
Parties: Syddansk Universitet
National Case Number/Name: 2021-442-13989
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Alvorlig kritik af Syddansk Universitets utilstrækkelige testning af softwareopdatering (in DA)
Initial Contributor: lou_schda

The Danish DPA issued a serious reprimand to the University of Southern Denmark (Syddansk Universitet) for violating the security requirements of Article 32 GDPR. A software update to the university's HR system reset its rights management to default settings, so that for about two weeks all 7,011 employees could view 417 job applications containing names, contact details, social security numbers and health data. The university had not tested the update before deploying it to production, and it kept no access log, so it could not establish who had viewed the applications during that period.

English Summary

Facts

In August 2021, the University of Southern Denmark (Syddansk Universitet) reported a personal data breach to the Danish DPA. The university uses an HR system in which employees are assigned roles that determine which job applications they can access. A quarterly update of the system reset the role management to default settings, so that all 7,011 employees of the university could access 417 applications for a period of 14 days. The applications contained personal data such as names, social security numbers and health data of the applicants. Normally only about 400 employees have a work-related need to access this kind of information. The university had not tested the software update before it was deployed to the production system; it stated that it had not known the update would change the role management.

The university also did not keep access logs, so it could not determine whether unauthorised employees had accessed the data during that period.

Holding

The Danish DPA held that the controller had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. In the DPA's view, a controller must test a solution adequately before deployment in order to identify and assess conditions that may, for example, change or reset previously configured settings, and this applies in particular to a basic function such as rights management. The controller's responsibility does not lapse merely because the software vendor had not adequately disclosed the scope of the update.

The Danish DPA therefore issued a serious reprimand.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Serious criticism of the University of Southern Denmark's insufficient testing of software updates

Date: 12-05-2022

Decision

In connection with a software update in the University of Southern Denmark's HR system, the rights management was reset, which meant that all 7011 employees at the university had access to see 417 applications. The university had not tested the software update sufficiently prior to the implementation and therefore only discovered the changed rights management subsequently.

Journal number: 2021-442-13989

Summary

The Danish Data Protection Agency has made a decision in a case in which the University of Southern Denmark has reported a breach of personal data security.

The University of Southern Denmark (SDU) uses an HR system in which employees can be assigned a role that gives them access to job applications. In connection with a software update, however, the system's rights management was reset, so that all employees at the University of Southern Denmark had access to the applications. According to SDU, this meant that a total of 7011 employees had potentially been able to access applications from a total of 417 applicants. Of these employees, only approx. 400 have a work-related need to access personal data in the HR system. Furthermore, the university did not keep a log of access to the application material and therefore could not identify what had been accessed.

Insufficient testing

The university had not performed sufficient testing of the software update before it was implemented in the production system, and therefore only discovered the changed rights management afterwards.

SDU noted in the case that it had not been aware that the update would change the role management and therefore had not had the opportunity to perform the 14-day test on the test system that was otherwise its practice.

The Danish Data Protection Agency found that the data controller, as part of the development and adaptation of IT solutions for the processing of personal data, must test a solution in order to be able to identify and assess conditions that e.g. may change or reset previously selected settings. This is especially important when it comes to a basic function such as rights management.

The data controller's liability cannot lapse simply because the software vendor has not adequately disclosed the extent of the update.

Against this background, the Danish Data Protection Agency expressed serious criticism.

1. Decision

Following a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that the University of Southern Denmark's processing of personal data has not taken place in accordance with the rules in Article 32(1) of the Data Protection Regulation [1].

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation

On 5 August 2021, the University of Southern Denmark reported a breach of personal data security to the Danish Data Protection Agency.

It appears from the case that the University of Southern Denmark uses an HR system where employees can be assigned a role so that they can access applications. In connection with an update of the production system, the rights management was set to default settings, which gave all employees at the University of Southern Denmark access to the applications.

The University of Southern Denmark has stated about its rights management that employees are assigned a standard role and can additionally be given a role on a recruitment or assessment committee. Further roles can be added in connection with recruitment procedures and access management, and access is granted per recruitment process. It follows from the case that persons with the specific roles of hiring manager, member of the hiring committee and member of the assessment committee all had full access to view applications for all postings.

In connection with one of the four annual quarterly updates of the HR system, the rights management was incorrectly reset to default settings. This wiped out the previous rights configuration. As a result, all employees at the University of Southern Denmark were given access to see applications that had previously been reserved for employees assigned a recruitment role. According to the University of Southern Denmark, this meant that a total of 7011 employees had potentially been able to access applications from a total of 417 applicants. Of these employees, only approx. 400 have a work-related need to access personal data in the HR system.

The University of Southern Denmark has stated in the case that it did not run tests on the test system before the update was deployed. Its justification is that SDU was not aware that the update would change the role management; because SDU was not aware of this, it did not have the opportunity to perform the 14-day test on the test system that was otherwise its practice. SDU further notes that Oracle, which supplies the software and performs the update, had not stated in its communications that the update would change the roles and their associated functions.

It appears from the case that the University of Southern Denmark does not keep a log of read access. SDU is therefore unable to check whether any employees wrongfully accessed the applications in question. In addition, the University of Southern Denmark has not investigated whether the access to the affected personal data was exploited during the period. It is SDU's assessment that the information has low potential for misuse and that the probability that it was accessed is small. SDU further states that on that basis it is difficult to investigate whether anyone has made use of knowledge gained by looking at the applications.

The University of Southern Denmark has stated in the case that the incident began in week 29 (2021). The incident was discovered on 2 August 2021 by SDU's own IT technician and ended on 5 August 2021. The affected personal data consists, in addition to the application material itself, of names, contact information, social security numbers and health information. The university has stated that the health information was limited to what was relevant to an application process. The University of Southern Denmark notified the data subjects on 1 March 2022.

It appears from the case that the University of Southern Denmark, at each subsequent quarterly update, will run tests on the test system before the quarterly update is run on the production system. This is to ensure that access - as in this case - is not mistakenly granted again.
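The remedy SDU describes here, and the DPA's point in the Holding above that a controller must test an update to catch conditions that reset previously chosen settings, both come down to one concrete check: snapshot effective access on the test system before and after the update and refuse to promote the update if anyone gained access. The following is an added example of such a gate, written for this page; it is not SDU's code and nothing is known about the Oracle HR system's actual role model. The role names, the permission table, the vendor default that grants the standard role view rights, and the population of 7011 employees with 400 recruiters are all constructed to mirror the numbers in the decision.

```python
"""Pre-deployment authorization drift check (added example, not SDU's or Oracle's code).

Models the failure in the decision: a vendor update silently resets rights
management so that every employee can view application material. The gate
computes *effective* viewers from (role -> permissions) and (user -> roles)
on the test system before and after the update, and fails if anyone can view
applications who could not in the approved baseline. All names and numbers
below are constructed for illustration.
"""
from dataclasses import dataclass

VIEW_APPLICATIONS = "view_applications"

# Assumed role -> permission table as it looks when correctly configured.
CONFIGURED_ROLE_PERMISSIONS = {
    "standard": frozenset(),
    "hiring_manager": frozenset({VIEW_APPLICATIONS}),
    "hiring_committee": frozenset({VIEW_APPLICATIONS}),
    "assessment_committee": frozenset({VIEW_APPLICATIONS}),
}

# Assumed vendor default after the update: the standard role can view
# applications, i.e. rights management "reset to default settings".
VENDOR_DEFAULT_ROLE_PERMISSIONS = {
    **CONFIGURED_ROLE_PERMISSIONS,
    "standard": frozenset({VIEW_APPLICATIONS}),
}


def effective_viewers(role_permissions, assignments):
    """Users who can view application material, given roles and assignments.

    assignments: user_id -> set of role names. A role missing from the
    permission table is treated as granting nothing (fails closed).
    """
    return {
        user
        for user, roles in assignments.items()
        if any(VIEW_APPLICATIONS in role_permissions.get(role, frozenset())
               for role in roles)
    }


@dataclass(frozen=True)
class DriftReport:
    gained: frozenset   # can view after the update but not before
    lost: frozenset     # could view before but not after (reported, not blocking)
    total_after: int

    @property
    def ok(self):
        # Any newly granted access fails the gate; lost access only gets reported.
        return not self.gained


def check_update(before_perms, before_assignments, after_perms, after_assignments):
    """Compare effective access before and after applying an update on the test system."""
    before = effective_viewers(before_perms, before_assignments)
    after = effective_viewers(after_perms, after_assignments)
    return DriftReport(gained=frozenset(after - before),
                       lost=frozenset(before - after),
                       total_after=len(after))


def build_assignments(n_employees=7011, n_recruiting=400):
    """Constructed population: everyone holds 'standard'; the first
    n_recruiting employees additionally sit on a hiring committee."""
    assignments = {}
    for i in range(1, n_employees + 1):
        roles = {"standard"}
        if i <= n_recruiting:
            roles.add("hiring_committee")
        assignments[f"emp{i:05d}"] = roles
    return assignments


def demo():
    baseline = build_assignments()
    # 1. Update leaves rights management intact: gate passes, 400 viewers.
    unchanged = check_update(CONFIGURED_ROLE_PERMISSIONS, baseline,
                             CONFIGURED_ROLE_PERMISSIONS, baseline)
    # 2. Update resets the role table to vendor defaults: every employee
    #    can view applications, gate fails with 6611 newly granted users.
    reset = check_update(CONFIGURED_ROLE_PERMISSIONS, baseline,
                         VENDOR_DEFAULT_ROLE_PERMISSIONS, baseline)
    # 3. Update wipes role assignments instead: nobody gains, 400 lose access.
    wiped = {user: {"standard"} for user in baseline}
    lost_only = check_update(CONFIGURED_ROLE_PERMISSIONS, baseline,
                             CONFIGURED_ROLE_PERMISSIONS, wiped)
    return unchanged, reset, lost_only


if __name__ == "__main__":
    for label, report in zip(("unchanged", "reset to defaults", "assignments wiped"), demo()):
        print(f"{label}: ok={report.ok} viewers={report.total_after} "
              f"gained={len(report.gained)} lost={len(report.lost)}")
```

The check deliberately compares effective permissions rather than the configuration diff the vendor ships: the decision turns on the university not knowing what the update would change, and a gate on observed access does not depend on that knowledge. Note what it cannot do: once an update has reached production, only an access log of the kind the DPA faults SDU for lacking can say who actually viewed which applications.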

The University of Southern Denmark adds that, on the basis of this case, it is revising its processes for purchasing IT systems and for handling security breaches. It further intends to give applicants clearer instructions to leave social security numbers out of their applications.

3. Justification for the Danish Data Protection Agency's decision

On the basis of the information provided by the University of Southern Denmark, the Danish Data Protection Agency assumes that 7011 employees have had unauthorized access to 417 applicants' personal information for 14 days, including the application material itself, social security numbers and health information. The Danish Data Protection Agency finds that there has been a breach of personal data security, cf. Article 4, no. 12 of the Data Protection Regulation.

3.1. Article 32 of the Data Protection Regulation

It follows from Article 32(1) of the Data Protection Regulation that the data controller must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data.

Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks.

The Danish Data Protection Agency is of the opinion that the data controller must ensure that information about data subjects, including information requiring special protection, does not come to the knowledge of unauthorized persons.

The Danish Data Protection Agency is of the opinion that the requirement for appropriate security under Article 32 will normally mean that data controllers, as part of the development and adaptation of IT solutions for the processing of personal data, must ensure that the solution is tested in order to identify conditions that may lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Furthermore, the Danish Data Protection Agency is of the opinion that it is the data controller's responsibility to have made an assessment of the processing that takes place in connection with the potential changes, including e.g. resetting or changing permissions, based on an upcoming software update. The Danish Data Protection Agency is of the opinion that what the University of Southern Denmark stated about the University's lack of knowledge of the content and scope of the update cannot lead to a different result.

On the basis of the above, the Danish Data Protection Agency finds that the University of Southern Denmark, by not testing the quarterly update before its final implementation in the production system, has not taken appropriate organizational and technical measures to ensure a level of security appropriate to the university's processing of personal data, cf. Article 32(2) of the Data Protection Regulation.

Following a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that the University of Southern Denmark's processing of personal data has not taken place in accordance with the rules in Article 32(1) of the Data Protection Regulation.

When choosing a response, the Danish Data Protection Agency has emphasized that a function such as rights management, which fundamentally determines who has access to personal data, must be followed up in a way that keeps the data controller informed of the consequences an upcoming update can and will have. This is a basic prerequisite for adequate testing of the update and for the opportunity to mitigate any identified issues before final implementation. The Danish Data Protection Agency has also emphasized that the University of Southern Denmark does not keep logs of access to application documents and therefore cannot identify whether personal data has been used.

In addition, the Danish Data Protection Agency has emphasized that a large number of employees have had access to 417 registered applicants' application material, e.g. social security numbers and health information. Particularly for internal applicants, such access poses an increased risk.

As mitigating circumstances, the Danish Data Protection Agency has emphasized that the University of Southern Denmark contributed to the clarification of the case and, on discovering the breach of personal data security, quickly implemented measures that limited the exposure of the information. In addition, the Agency has emphasized that the University of Southern Denmark has general guidelines for testing before final implementation of updates, and the limited duration of the incident.

The Danish Data Protection Agency has noted that the University of Southern Denmark intends to test each subsequent quarterly update on the test system before it is run on the production system. In addition, the Danish Data Protection Agency must emphasize that the University of Southern Denmark will in future have to seek knowledge about the consequences of upcoming updates on its own initiative, regardless of how complete the information provided by the software supplier is.

3.2. Summary

The Danish Data Protection Agency finds that there are grounds for expressing serious criticism that the University of Southern Denmark's processing of personal data has not taken place in accordance with the rules in Article 32(1) of the Data Protection Regulation.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).