IMY (Sweden) - DI-2019-9457

From GDPRhub
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 26.01.2022
Fine: 300,000 SEK
Parties: Regional Board of Region Uppsala
National Case Number/Name: DI-2019-9457
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: Elisavet Dravalou

The decision concerns two personal data breaches notified by Region Uppsala. In both, Excel files with patient data, including sensitive health data and Swedish personal identity numbers (personnummer), were sent by e-mail within the region even though the region's own governing document states that sensitive personal data shall not be communicated via e-mail. The e-mail transport was encrypted (TLS 1.2), but the information in the attached files was not. The first breach concerns e-mails with patient data sent automatically every month to the relevant healthcare administrations within the region; the second concerns e-mails with patient data sent manually to researchers and doctors within the region.

English Summary

Facts

The Regional Board of Region Uppsala notified IMY of two personal data breaches on 7 May 2019. IMY then initiated supervision of the regional board, which it found to be the controller for both categories of e-mail processing, covering the period from 25 May 2018 (when the GDPR became applicable) to 7 May 2019.


Holding

IMY examined whether the processing of personal data in the e-mails met the security requirements of Article 32 GDPR. It found that transport encryption alone did not provide a level of security appropriate to the risk: the unencrypted Excel files could be read in clear text by anyone who received them, including unintended recipients of a misaddressed manual e-mail, and the regional board had not taken measures to enforce its own guideline against sending sensitive personal data by e-mail. IMY held that the regional board had processed personal data in breach of Article 32(1) GDPR and imposed an administrative fine of SEK 300,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

The Regional Board of the Uppsala Region
751 85 Uppsala








Record number: DI-2019-9457
Date: 2022-01-26

Decision after supervision under the Data Protection Regulation against the Regional Board of the Uppsala Region





Table of Contents

The decision of the Swedish Authority for Privacy Protection (IMY)
Report on the supervisory matter
    The starting point for the supervision
    Information from the regional board
        The first category of personal data processing: e-mail sent automatically
        The second category of personal data processing: e-mail sent manually
        Information concerning both processing operations
Grounds for the decision
    Applicable rules
        The responsibility of the controller
        The requirement for security in the processing of personal data, etc.
    IMY's assessment
        Controller responsibility
        Sensitive personal data has been sent unencrypted within the region
    Choice of intervention
        Legal regulation
        Imposition of an administrative fine
How to appeal
Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Phone: 08-657 61 00

The decision of the Swedish Authority for Privacy Protection

The Swedish Authority for Privacy Protection (IMY) finds that the Regional Board of the Uppsala Region (the regional board), as controller, processed personal data in breach of Article 32(1) of the Data Protection Regulation[1] during the period from 25 May 2018 to 7 May 2019. The regional board did so by sending sensitive personal data and personal identity numbers by e-mail within the region. The transport of the e-mail was encrypted, but the information in the e-mails was not. The processing also took place in breach of Region Uppsala's own guidelines. The regional board has therefore not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing.

IMY decides, pursuant to Articles 58(2) and 83 of the Data Protection Regulation and Chapter 6, Section 2 of the Data Protection Act,[2] that the regional board shall pay an administrative fine of SEK 300,000 (three hundred thousand kronor) for the infringement of Article 32(1) of the Data Protection Regulation.



                               Report on the supervisory matter


                               The starting point for supervision

IMY decided to initiate supervision of the regional board after receiving a notification of a personal data breach from the regional board on 7 May 2019.

IMY's review covers two categories of personal data processing.

The first category concerns e-mails with patient data sent automatically to the relevant healthcare administrations within Region Uppsala for, among other things, administration and quality assurance.

The second category concerns e-mails with patient data sent manually to researchers and doctors within Region Uppsala for, among other things, research and quality monitoring.

IMY has examined whether the processing of personal data in the e-mails meets the security requirements laid down in Article 32 of the Data Protection Regulation.

The Data Protection Regulation became applicable on 25 May 2018. IMY's supervision therefore covers the period from 25 May 2018 to 7 May 2019 (when the notification was received). IMY has not reviewed the measures that the regional board states it has taken after 7 May 2019.


                               Information from the regional board


                               The Regional Board has stated, among other things, the following.






[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] The Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (the Data Protection Act).



The first category of personal data processing: e-mail sent automatically

The statistical database Cosmic Intelligence retrieved personal data from the main medical records system Cosmic. The personal data were then retrieved by Business Objects, which placed them in an Excel file. The transfers took place automatically every month. Business Objects then e-mailed the Excel files to the relevant healthcare administrations within Region Uppsala, such as the University Hospital and the hospital in Enköping. The e-mails were sent automatically every month to Region Uppsala's own e-mail domains, and only to authorised persons within the administration concerned.

The Excel files could contain all the information from the patient record, apart from the running text in the record's free-text field. Depending on the type of report, other information could also be included, such as waiting times and patient category. The Excel files also contained personal identity number, name, care unit and contact date.

About 25 e-mails were sent each month to about a hundred recipients within the University Hospital's area of operations. Hundreds of senders and recipients within Region Uppsala had access to the personal data.

The overall purpose of the processing was administration, for example to detect and correct errors in operations, and to develop and assure the quality of operations.

The processing went on from 2015 until the regional board notified IMY of the incident on 7 May 2019. It was stopped entirely when the incident was discovered.


The second category of personal data processing: e-mail sent manually

The statistical database Cosmic Intelligence retrieved personal data from the main medical records system Cosmic. The reporting system Diver then retrieved personal data from Cosmic Intelligence and from the patient administration systems IMX and PAS. Extracts of personal data were then made manually from Diver into Excel files. The manual extracts were made by, among others, the system developer and the administrator at the regional office. The Excel files were sent to doctors who had requested data for quality monitoring and to researchers who had requested research data. The e-mails were sent only to recipients employed within Region Uppsala, that is, only to Region Uppsala's e-mail domains; they were not sent to e-mail addresses belonging to Uppsala University.

The Excel files could contain, among other things, personal identity number, diagnosis code, contact date, area of operations, age, county, procedure code and department. They did not contain names. The files only concerned patients treated at the University Hospital.

Approximately 200 to 250 e-mails were sent per year. Hundreds of senders and recipients within Region Uppsala had access to the personal data.

The personal data were processed for administrative purposes, to develop and assure the quality of operations, and for research purposes.




The processing went on from September 2014 until the regional board notified IMY of the incident on 7 May 2019. It was stopped entirely when the incident was discovered, and work began on developing a solution for e-mail encryption.


Information concerning both processing operations
Controller responsibility

The regional board is the controller for the compilation of data in Business Objects and for the processing that takes place in the automatic transmission by e-mail. The processing takes place at the regional office administration, which is placed under the regional board. This assessment rests on the regional board being an independent administrative authority that determines the purposes and means of the processing.

The regional board is also the controller for the processing in Diver and for the processing that takes place in the manual transmission by e-mail.

The regional board has attached the documents Rules of procedure for boards and committees in Region Uppsala and the regional board's delegation rules.

Governing document

According to Region Uppsala's governing document on the handling of mail and e-mail, sensitive personal data may not be communicated via e-mail.


Categories of data subjects

The categories of data subjects are employees, patients, children and persons with protected identity. For employees, information about them appears only in the sending and receiving e-mail addresses.

The processing affects a total of between 100,000 and 500,000 individuals for the period 2015 to 2019.

Categories of users

The categories of users with access to the personal data are administrative staff with access to the source systems and storage areas.

Encryption

The transport (transmission) of e-mail within the region was encrypted, but the information in the Excel files was not protected by encryption.

E-mail was transported encrypted, using the cryptographic communication protocol TLS 1.2, to recipients within Region Uppsala. For the first processing, the regional board used a local e-mail server to transport e-mail between Business Objects and the recipients within the region. For the second processing, the regional board used Microsoft Outlook.







There were no technical protection measures to prevent the information in the Excel files from being read or modified. Nor were there any protection measures to prevent unauthorised persons from accessing the information.


Grounds for the decision

Applicable rules

The responsibility of the controller

Whoever alone or jointly with others determines the purposes and means of the processing of personal data is the controller. This follows from Article 4(7) of the Data Protection Regulation.

The controller is responsible for, and must be able to demonstrate, compliance with the basic principles in Article 5 of the Data Protection Regulation (Article 5(2) of the Regulation).

The controller shall implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the Data Protection Regulation. The measures shall be implemented taking into account the nature, scope, context and purposes of the processing and the risks, of varying likelihood and severity, for the rights and freedoms of natural persons. The measures shall be reviewed and updated where necessary. This follows from Article 24(1) of the Data Protection Regulation.


The requirement for security in the processing of personal data, etc.

Health data constitute so-called sensitive personal data. Processing of such personal data is prohibited under Article 9(1) of the Data Protection Regulation, unless one of the exceptions in Article 9(2) of the Regulation applies.

It follows from Article 32 of the Data Protection Regulation that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. This shall be done taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons.

In assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This follows from Article 32(2) of the Data Protection Regulation.

Recital 75 of the Data Protection Regulation sets out factors to be taken into account when assessing the risk to the rights and freedoms of natural persons. These include loss of confidentiality of personal data subject to professional secrecy, whether the processing concerns data about health or sex life, whether the processing concerns personal data of vulnerable natural persons, in particular children, and whether the processing involves a large amount of personal data and affects a large number of data subjects.

Recitals 39 and 83 also give guidance on the more detailed meaning of the Data Protection Regulation's requirements on security when processing personal data.




IMY's assessment

Controller responsibility

The regional board has stated that it is the controller for the e-mail transfers described in the case, which is supported by the investigation. IMY therefore finds that the regional board is the controller for the processing concerned.


Sensitive personal data has been sent unencrypted within the region

The regional board has sent Excel files with patient data within the region by e-mail. For the first category of processing, about 25 e-mails were sent automatically every month, and for the second category about 200 to 250 e-mails were sent manually per year. The transport of the e-mail within the region was encrypted, but the information in the Excel files was not.

The regional board has stated that, according to Region Uppsala's governing document on the handling of mail and e-mail, sensitive personal data may not be communicated via e-mail.

As controller, the regional board shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks (Article 32 of the Data Protection Regulation). The personal data processed must, for example, be protected against unauthorised disclosure or unauthorised access. What constitutes an appropriate level of security varies with, among other things, the risks to the rights and freedoms of natural persons arising from the processing and the nature, scope, context and purposes of the processing. The assessment must take into account, for example, what type of personal data is processed, such as health data.[3]

The Excel files in question contained health data, which are sensitive personal data. Processing of sensitive personal data can entail significant risks to privacy. In addition, the Excel files contained personal identity numbers, which are regarded as personal data deserving particular protection.[4] The information in the e-mails was therefore of such a nature that it required strong protection.

The transport of the e-mail from the regional board was encrypted, but the information in the e-mails was not. This meant that the information in the Excel files could not be intercepted (read) during the actual transfer. After the transfer, however, the information could be read in clear text by both authorised and unauthorised recipients. With automated transmission there is a certain risk that data end up in the wrong hands if the system is updated incorrectly. With manual transmission of personal data the risk of data ending up in the wrong hands is higher than with automated transmission, because the person sending the information may type an incorrect recipient address. In IMY's assessment, the regional board should have taken technical measures, for example encryption, to protect the information in both the automated and the manual e-mails against unauthorised disclosure or unauthorised access, and thereby ensured an appropriate level of protection.
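The distinction IMY draws here, between encrypting the transport and encrypting the information itself, in working form. This is an added example, not code from the decision or from Region Uppsala's systems: it seals an export file with AES-256-GCM under a key shared only with the intended recipient and binds the recipient address into the authentication tag, so that a copy delivered to a mistyped address, or read by anyone who is not the intended recipient, carries only ciphertext. The per-recipient key provisioning, the recipient addresses and the sample export row are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is the AES-256 key length in bytes.
const keySize = 32

// NewRecipientKey generates a fresh per-recipient key. How the key reaches the
// recipient (out of band, via a key server, etc.) is assumed and is not
// described in the decision.
func NewRecipientKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAttachment encrypts the file body with AES-256-GCM. Output layout:
// nonce || ciphertext || tag. The intended recipient address is bound in as
// associated data, so the blob only opens under the label it was sealed for.
func SealAttachment(key, body []byte, recipient string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, []byte(recipient)), nil
}

// OpenAttachment reverses SealAttachment. A wrong key, a wrong recipient
// label or any modification of the blob fails authentication and yields an
// error rather than plaintext.
func OpenAttachment(key, sealed []byte, recipient string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed attachment too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recipient))
}

func main() {
	// Constructed sample resembling one row of the monthly export; not real data.
	report := []byte("personnummer;namn;vardenhet;kontaktdatum\n" +
		"191212121212;Test Testsson;Akademiska;2019-04-30\n")
	intended := "quality@region.example" // hypothetical address

	keyIntended, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Whoever owns a mistyped address holds a different key (or none at all).
	keyMistyped, _ := NewRecipientKey()

	sealed, err := SealAttachment(keyIntended, report, intended)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed attachment: %d bytes, no column names or identity numbers readable\n", len(sealed))

	if body, err := OpenAttachment(keyIntended, sealed, intended); err == nil {
		fmt.Printf("intended recipient recovers %d bytes\n", len(body))
	}
	if _, err := OpenAttachment(keyMistyped, sealed, "qualty@region.example"); err != nil {
		fmt.Println("misaddressed copy:", err)
	}
}
```

Transport encryption (TLS 1.2, as the region used) still matters, since it protects the message and its headers on the wire; the sealed body adds what the decision says was missing, protection of the content after delivery. A real deployment would pair this with key management for the recipient population rather than generating keys ad hoc as the example does.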


According to the regional board, Region Uppsala's governing document on the handling of mail and e-mail states that sensitive personal data may not be communicated via e-mail.

[3] See recitals 75 and 76 of the Data Protection Regulation.
[4] See Article 87 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act.
[5] See the Swedish Data Inspectorate's report Reported personal data incidents 2019 (report 2020:2).


The regional board has thus identified the risks that processing sensitive personal data in e-mail entails, but has not taken sufficient measures to ensure compliance with its guidelines. IMY therefore finds that the regional board has not taken the organisational measures required to ensure the security of the processing.
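One technical way to back the governing document that the decision says was not enforced, as an added example rather than anything Region Uppsala ran: a check on outgoing attachments that refuses to send a file containing Swedish personal identity numbers. Candidates are matched by shape, the Luhn check digit and a date plausibility test weed out other ten-digit numbers, and the gateway reports only a count so the numbers are not copied into logs. The file layout, column names and the numbers in the sample rows are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// pnrPattern matches personnummer candidates: optional century, six date
// digits, optional - or + separator, four trailing digits.
var pnrPattern = regexp.MustCompile(`\b(\d{2})?(\d{6})[-+]?(\d{4})\b`)

// luhnValid applies the Luhn check used for Swedish personal identity numbers
// to the ten-digit form YYMMDDNNNC (century digits excluded): every other digit
// starting with the first is doubled, digit sums are added, and the total must
// be divisible by 10.
func luhnValid(ten string) bool {
	if len(ten) != 10 {
		return false
	}
	sum := 0
	for i := 0; i < 10; i++ {
		d := int(ten[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if i%2 == 0 {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// datePlausible rejects ten-digit strings whose date part cannot be a birth
// date; days 61-91 are accepted because coordination numbers add 60 to the day.
func datePlausible(ten string) bool {
	month, _ := strconv.Atoi(ten[2:4])
	day, _ := strconv.Atoi(ten[4:6])
	return month >= 1 && month <= 12 && ((day >= 1 && day <= 31) || (day >= 61 && day <= 91))
}

// FindPersonnummer returns every plausible, Luhn-valid personnummer in body,
// normalised to ten digits. Numeric fields that fail either check are skipped.
func FindPersonnummer(body string) []string {
	var found []string
	for _, m := range pnrPattern.FindAllStringSubmatch(body, -1) {
		ten := m[2] + m[3]
		if datePlausible(ten) && luhnValid(ten) {
			found = append(found, ten)
		}
	}
	return found
}

// AllowSend is the gateway decision for one outgoing attachment: refuse it if
// it carries personal identity numbers, reporting only the count so that the
// numbers themselves are not copied into logs or bounce messages.
func AllowSend(attachment string) (bool, string) {
	hits := FindPersonnummer(attachment)
	if len(hits) > 0 {
		return false, fmt.Sprintf("blocked: attachment contains %d personal identity number(s); use the approved encrypted channel", len(hits))
	}
	return true, "ok"
}

func main() {
	// Constructed rows in the shape the decision describes (personal identity
	// number, diagnosis code, contact date). The numbers are test values that
	// pass the Luhn check, not real persons.
	export := strings.Join([]string{
		"personnummer;diagnoskod;kontaktdatum",
		"811218-9876;J45;2019-04-02",
		"191212121212;E11;2019-04-05",
	}, "\n")
	ok, why := AllowSend(export)
	fmt.Println(ok, why)

	// An aggregate report without identifiers passes.
	aggregate := "vardenhet;antal;medelvantetid_dagar\nAkademiska;1234;17"
	ok, why = AllowSend(aggregate)
	fmt.Println(ok, why)
}
```

The check is a guardrail, not proof of compliance: numbers in images, renamed columns or data split across fields evade it, and a Luhn-valid number in a legitimate reference field will trip it. It belongs alongside the encrypted channel, not instead of it.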

Overall, IMY finds that the regional board has not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. The regional board has therefore processed personal data in breach of Article 32(1) of the Data Protection Regulation.


                                Choice of intervention


                                Legal regulation

                                In the event of violations of the Data Protection Regulation, the IMY has a number of corrections
                                powers available under Article 58 (2) (a) to (j) of the Data Protection Regulation, inter alia
                                reprimand, injunction and penalty fees.


                                IMY shall impose penalty fees in addition to or in lieu of other corrective actions
                                referred to in Article 58 (2) of the Data Protection Regulation, depending on the circumstances of

                                each individual case.


                                Member States may lay down rules on whether and to what extent administrative
                                penalty fees can be imposed on public authorities. It is clear from Article 83 (7) (i)
                                Regulation. Sweden has accordingly decided that the supervisory authority shall receive

                                charge sanction fees by authorities. For infringements of, inter alia, Article 32,
                                the fee amounts to a maximum of SEK 5,000,000. It appears from ch. 6 Section 2 of the Data Protection Act

                                and Article 83 (4) of the Data Protection Regulation.

                                If a personal data controller or a personal data assistant, with respect to a

                                and the same or interconnected data processing, intentionally or by
                                negligence violates several of the provisions of this Regulation may it
                                the total amount of the administrative penalty fee does not exceed the amount determined

                                for the most serious infringement. It is clear from Article 83 (3) (i)
                                the Data Protection Regulation.


                                Each supervisory authority shall ensure that the imposition of administrative
                                fines in each individual case is effective, proportionate and dissuasive. This is
                                provided for in Article 83(1) of the Data Protection Regulation.

                                Article 83(2) of the Data Protection Regulation sets out the factors to be taken into account both when
                                deciding whether to impose an administrative fine and when
                                determining the amount of the fine. In the case of a minor
                                infringement, IMY may, as set out in recital 148, issue a reprimand under Article 58(2)(b) of the
                                Regulation instead of imposing a fine. Account shall be taken of the
                                aggravating and mitigating circumstances of the case, such as the nature,
                                gravity and duration of the infringement and any relevant previous infringements.


                                Imposition of an administrative fine
                                IMY has found above that the regional board has infringed Article 32(1) of
                                the Data Protection Regulation. Infringements of that provision may, as stated above,
                                give rise to an administrative fine.






                                                              Page 7 of 10, Integrity Protection Authority Record number: DI-2019-9457 8 (10)
                               Date: 2022-01-26







                               The infringements occurred because the regional board sent a large amount of
                               patient data within the region by e-mail: the transmission of the e-mail was encrypted, but the
                               patient data in the messages themselves was not. The personal data in the e-mails included sensitive personal data and
                               social security numbers, which entailed a high risk to the data subjects' rights and freedoms.
                               The processing took place systematically and over a long period. The processing also
                               took place in breach of Region Uppsala's own guidelines. Taken together, these factors mean
                               that an administrative fine should be imposed.


                               IMY finds that the manual and the automatic e-mail transmissions
                               constitute linked processing operations within the meaning of Article 83(3) of
                               the Data Protection Regulation. This is because both concern patient data that
                               was retrieved from the main medical records system Cosmic for similar purposes, such as
                               administration and quality assurance. In addition, both infringe
                               the same provision, namely Article 32(1) of the Regulation.


                               In determining the amount of the fine, IMY shall take into account both aggravating and
                               mitigating circumstances, and the requirement that the administrative fine be
                               effective, proportionate and dissuasive.


                               It is aggravating that the processing went on for a long time,
                               namely throughout the period under review, from 25 May 2018 to 7 May 2019,
                               and that it took place systematically. It is also aggravating that the processing involved
                               a large amount of health data that unauthorised persons could access after the transfer.

                               The first category of processing involved
                               around 25 e-mails per month that unauthorised persons could access, and
                               the second category around 200-250 e-mails per year. The regional board estimates that
                               the processing in total affected between 100,000 and 500,000
                               individuals over the period 2015-2019. It is thus a question of a large number of data subjects
                               per year. The data subjects can be identified directly from the data processed,
                               for example by name, social security number and health information. Given
                               the nature and scope of the data and the data subjects' dependence on the regional board,
                               IMY therefore considers that the regional board had a special responsibility to ensure appropriate protection of
                               the personal data, which it did not do.

                               It is also aggravating that the processing took place in breach of Region Uppsala's own
                               guidelines, which state that sensitive personal data should not be sent by e-mail.


                               As mitigating circumstances, IMY takes into account that the transmission of the e-mail was
                               encrypted and that the e-mail was sent internally within the region. The
                               regional board thus took certain measures to comply with the requirements and reduce
                               the risks of the processing. IMY also takes into account that the regional board stopped
                               the processing in connection with notifying the personal data breach to IMY on 7 May
                               2019.

                               On an overall assessment, IMY decides that the regional board shall pay an
                               administrative fine of SEK 300,000 (three hundred thousand).



















                               This decision was made by Director General Lena Lindgren Schelin after a presentation
                               by legal adviser Linda Hamidi. Chief legal counsel David
                               Törngren, unit manager Malin Blixt and IT security specialist Ulrika Sundling
                               also participated in the final processing of the case.





                               Lena Lindgren Schelin, 2022-01-26 (This is an electronic signature)




                               Appendix

                               Information on payment of the administrative fine.

                               Copy to

                               The Data Protection Officer.






























































                              How to appeal


                              If you want to appeal the decision, you must write to the Swedish Authority for Privacy Protection (IMY). State in
                              the letter which decision you are appealing and the change you are requesting. The appeal must
                              have been received by IMY no later than three weeks from the date on which the decision
                              was announced. If the appeal has been received in time,
                              IMY forwards it to the Administrative Court in Stockholm for
                              examination.

                              You may e-mail the appeal to IMY if it does not contain
                              any privacy-sensitive personal data or data that may be covered by
                              secrecy. The authority's contact details can be found on the first page of the decision.

























































