Datatilsynet - 2020-32-1579

Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Decided:
Published: 16.02.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020-32-1579
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: V

The Danish Data Protection Agency criticized Vejen Municipality for not having ensured a sufficient level of security in connection with the publication of information on the municipality's website, resulting in an unintended disclosure of a data subject's national identification number.

English Summary

Facts

Dispute

Holding

The Danish Data Protection Agency finds that Vejen Municipality has not implemented appropriate technical and organizational measures to ensure an appropriate level of security, cf. Article 32 (1) of the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Complaint about publication of social security number on municipal website
Published 16-02-2021
Decision
Public authorities

On the basis of a complaint - after the case has been submitted to the Data Council - the Danish Data Protection Agency has expressed criticism that Vejen Municipality had not ensured a sufficient level of security in connection with the publication of information on the municipality's website.
Journal number: 2020-32-1579
Summary
In connection with Vejen Municipality having to publish a consultation response that was submitted by a citizen via digital mail, the municipality mistakenly published the citizen's social security number, which appeared on the signature certificate.
In connection with the decision of the case, the Danish Data Protection Agency has stated that it follows from the requirement of appropriate security that a data controller who receives or prepares material for publication, where the material often contains personal data, must implement control measures to avoid unintentional publication.
In the opinion of the Danish Data Protection Agency, such control measures involve at least a prior process to review the material and, depending on the nature and extent of the personal data, it will normally also be an appropriate security measure to carry out an additional prior manual or technical check of whether the information has actually been deleted or anonymised as intended.
Decision
The Danish Data Protection Agency hereby returns to the case, where a citizen on 30 June 2020 has complained to the Authority that Vejen Municipality has inadvertently published information about her social security number on the municipality's website in the period 19 June 2020 at 09.52 to 22 June 2020 at 08.00.
After a review of the case, the Danish Data Protection Agency finds - after the case has been submitted to the Data Council - that there is a basis for expressing criticism that Vejen Municipality's processing of personal data has not taken place in accordance with the rules in the Data Protection Regulation [1].
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
It appears from the case that Vejen Municipality by mistake posted information about the complainant's social security number on the municipality's website in connection with the complainant's submission of a consultation response of 10 January 2020. The information was available on the website in the period 19 June 2020 at 09.52 to 22 June 2020 at 08.00.
It also appears that Vejen Municipality reported the breach to the Danish Data Protection Agency on 22 June 2020, and that the Authority sent a final letter to the municipality on 14 July 2020.
In addition, it appears that the municipality informed the complainant of the breach by letter of 24 June 2020.
On the basis of the complaint, the Danish Data Protection Agency decided to collect more information about the facts about the breach from Vejen Municipality in order to be able to process the complaint.
2.1. Complainant's remarks
The complainant has generally stated that information about her social security number has been available on Vejen Municipality's website, and that she was informed of this via email from the municipality.
2.2. Vejen Municipality's comments
Vejen Municipality has generally stated that the municipality has unjustifiably published the complainant's social security number on the municipality's website.
Vejen Municipality has stated that the error occurred in connection with the processing of a case in the municipality's Finance Committee, where the complainant had submitted a consultation response via digital mail regarding a reduction in the basic value of forest properties. In this connection, the municipality was not aware that the complainant's social security number appeared on the signature certificate.
Vejen Municipality has also stated that a CPR checker is permanently running on the municipality's website, which checks whether social security numbers are published on the municipality's website by mistake. The complainant's social security number was published on a Friday and the CPR checker's results were handled on Monday morning, after which the error and the information were immediately removed. The municipality has stated that the CPR checker only checks documents after they have been posted on the website. The municipality has further stated that the CPR checker scans the municipality's website every five days and that, due to capacity, it cannot be done more frequently. The municipality has informed the Danish Data Protection Agency that the municipality continuously monitors whether there is a better system than the one the municipality is currently using.
After consulting the municipality's Webmaster, Vejen Municipality has stated that the information about the complainant's social security number has not been accessed by anyone either internally or externally during the period in which the information appeared on the municipality's website.
Vejen Municipality has emphasized to the municipality's employees that the case officers must be very aware of whether the digital communication in particular contains sensitive personal information. The municipality has further stated that new employees in the municipality in connection with employment must undergo an e-learning module, where the general rules on confidentiality and data protection are reviewed. The municipality has further stated that the municipality has so far held 10 physical basic courses in personal data for the employees in the municipality from 1 November 2019 to 28 January 2020.
Justification for the Danish Data Protection Agency's decision
The Danish Data Protection Agency assumes that Vejen Municipality in connection with the processing of a case in the municipality's Finance Committee has by mistake published the complainant's social security number on the municipality's website in the period 19 June 2020 at 09.52 to 22 June 2020 at 08.00.
Article 32 (1) of the Data Protection Regulation states that the data controller, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to these risks.
The Danish Data Protection Agency finds - after the case has been submitted to the Data Council - that it follows from the requirement of appropriate security, cf. Article 32, that public authorities that receive or prepare material for publication, and where the material often contains personal data, for example attached or in the form of metadata, must implement control measures in order to avoid accidental disclosure of personal data.
In the opinion of the Danish Data Protection Agency, such control measures involve at least a prior process for reviewing the material with a view to deleting or anonymising personal data that are not to be published. Depending on the nature and extent of the personal data, it would normally also be an appropriate security measure to carry out an additional prior manual or technical check to see if the data has actually been deleted or anonymised as intended. Such an additional control can, for example, be continuous automated monitoring for selected personal data, e.g. social security numbers, or a similar organizational measure.
On this basis, the Danish Data Protection Agency finds that Vejen Municipality has not implemented appropriate technical and organizational measures to ensure an appropriate level of security, cf. Article 32 (1) of the Data Protection Regulation.
In reaching this conclusion, the Danish Data Protection Agency has attached weight to what Vejen Municipality stated, including that the error was due to an employee at the municipality not being aware that information about the complainant's social security number appeared on the signature certificate, and that the municipality has no processes for further control before publishing material on the municipality's website.
The Danish Data Protection Agency notes on this occasion that a data controller who already has a technical solution that can review code on a website for certain types of personal data could considerably reduce the risk to the data subject's rights if the content of new pages was screened with the tool before publication. The Danish Data Protection Agency notes that the Data Protection Regulation does not contain a requirement that the measure must be of a technical nature.
The Danish Data Protection Agency acknowledges that the subsequent check of the website for unintentionally published personal data is still a good security measure. In this connection, the Authority notes that such a control may, among other things, find personal data in material where it was not obvious that information of this type exists and that it may overall reduce the time period for a possible unintentional disclosure of information.
The Danish Data Protection Agency has noted that Vejen Municipality is attentive to whether there are better technical solutions than the system that the municipality currently uses.
The Danish Data Protection Agency has further noted that Vejen Municipality has made a notification to the Danish Data Protection Agency in accordance with Article 33 (1) of the Data Protection Regulation and notified the complainant in accordance with Article 34 (1) of the Data Protection Regulation.
The Danish Data Protection Agency finds that there are grounds for expressing criticism that Vejen Municipality's processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Regulation.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).