Persónuvernd - 2020031243

From GDPRhub
Revision as of 10:03, 6 May 2021 by Msm (talk | contribs) (→‎English Machine Translation of the Decision)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - 2020031243
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 8 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 07.04.2021
Published: 15.04.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020031243
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA held that a primary school was not permitted to disclose information about a child to a consulting company after termination of collaboration.

English Summary

Facts

On March 21, 2020, the DPA received a complaint that a primary school had sent an e-mail containing sensitive information about a child to a counseling company after the school's partnership with the company ended.

According to the complainant, the company KVAN was hired by a school to work on the bullying case of the complainants’ child. The municipality’s education department and the complainant decided that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case.

Three weeks after that decision, a KVAN employee sent an e-mail to a school employee asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it. The complainants only became aware of this after requesting access to all data about themselves and their child at the school.

According to the school, the employee that had replied to KVAN’s e-mail had not been aware that the collaboration with the company had been terminated and he had therefore been in good faith in his communication. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.


Dispute

Holding

The DPA found school’s behavior reprehensible in light of the nature of the documents in question that the school did not ensure that all employees who were involved in the complainant's child's case were informed that the termination of collaboration with KVAN. The fact that the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extend did not matter.

The DPA considered that there was no authorization for the school to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the DPA held that the processing of personal information about the complainant's child was not in accordance with Act no. 90/2018 on personal protection and processing of personal information and GDPR.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

  The Data Protection Authority has ruled in a case where it was complained that the primary school had passed sensitive personal information about the complainant's child to a counseling company after the decision was made that the company would no longer be involved in the case of the child being treated at the school. The ruling concludes that the school was not allowed to continue disseminating personal information about the student to a self-employed consulting company after the decision was made that the company would no longer be involved in the student's case. Did not change that, even though the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extent. 

Ruling
On April 7, 2021, the Data Protection Authority issued a ruling in case no. 2020031243:

I.
Procedure

1.
Outline of case
On March 21, 2020, the Data Protection Authority received a complaint from [A] and [B] (hereinafter referred to as the complainants) that [primary school X] had sent an e-mail containing sensitive information about their child to a counseling company after the school's partnership with the company ended.

By e-mail from the Data Protection Authority to the complainants on 29 September 2020, the subject of the complaint was further defined and a reply was received from the complainants by e-mail on 5 October. By letter dated On 5 October 2020, [compulsory school X] was invited to submit explanations regarding the complaint. The answer was by letter dated. November 6, 2020.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.

2.
Complainants' views
On behalf of the complainants, it has been stated that the company KVAN has been hired to work on the bullying case of the complainant's child who attends [primary school X]. In [...] a joint decision was made by the education department of [municipality Y, [primary school X] and the complainants that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case. Three weeks after that decision [...], a KVAN employee sent an e-mail to an employee [primary school X] asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it.

The complainants only became aware of this after requesting access to all data about themselves and their child at [primary school X].

3.
Perspectives [primary school X]
[Primary school X] has stated that the consulting company KVAN has been contacted in connection with the bullying case of the complainant's child at the school. KVAN's consultant has been working on the case [for several months] or until it has been decided that KVAN will not be further involved in the case and that the bullying team [primary school X] will take over. Three weeks later, a KVAN employee sent an e-mail to an employee [elementary school X] asking about the situation. An employee of the school had replied to the e-mail, but the employee had not been aware that the collaboration with KVAN had been terminated and he had therefore been in good faith in his communication with KVAN. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.

II.
Assumptions and conclusion

1.
Scope - Responsible
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file.

This case concerns the dissemination of personal information about the complainant's child by [compulsory school X] and therefore falls within the competence of the Data Protection Authority.

The dissemination of personal information took place on behalf of [compulsory school X] and [compulsory school X] will therefore be considered responsible for the processing in question, cf. 6. tölul. Article 3 Act no. 90/2018, Coll. 7. tölul. Article 4 of the Regulation.

2.
Conclusion
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. 3. tölul. Article 9 of the Act (cf. item c of the first paragraph of Article 6 of the Regulation), or in the exercise of public authority, cf. 5. tölul. of the legal provision (cf. item e of the regulatory provision). In addition, the processing of sensitive personal data, such as personal data concerning the physical or mental health of an individual, must comply with any of the additional conditions of paragraph 1. Article 11 of the Act, cf. Article 9 of the Regulation.

In assessing whether the processing is authorized, the provisions of other applicable laws must also be considered. Act no. 91/2008 on compulsory schools and rules set according to them, for example Regulation on the responsibilities and obligations of members of the school community in compulsory schools no. 1040/2011.

Although it can be accepted that compulsory schools have an obligation to respond to and process bullying cases in accordance with the above, it cannot be seen that the school is allowed to continue disseminating personal information about students to a self-employed counseling company after a decision has been made that the company no longer exists. to the case. The Data Protection Authority considers it reprehensible in light of the nature of the documents in question that [compulsory school X] did not ensure that all employees who were involved in the complainant's child's case were informed that the collaboration with KVAN had ended. Does not change the fact that the recipient of the e-mail has already been informed of the case and therefore it is not new information except to a limited extent.

According to the above, it will not be considered that there was an authorization for [primary school X] to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the Data Protection Authority considers that the processing [of primary school X] of personal information about the complainant's child has not been in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. Regulation (EU) 2016/679.


Ú r s k u r ð a r o r ð:
The dissemination of [primary school X] of personal information about child [A and B] by e-mail to KVAN [...] was not in accordance with Act no. 90/2018, on personal data protection and processing, and Regulation (EU) 2016/679.


Privacy, April 7, 2021


Helga Þórisdóttir Helga Sigríður Þórhallsdóttir