Persónuvernd (Iceland) - 2020031451
|Persónuvernd (Iceland) - 2020031451|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 6 GDPR
Article 9 GDPR
Article 24 GDPR
Article 25 GDPR
Article 32 GDPR
|National Case Number/Name:||2020031451|
|European Case Law Identifier:||n/a|
|Original Source:||Persónuvernd (in IS)|
|Initial Contributor:||Cesar Manso-Sayao|
The Icelandic DPA reprimanded a primary school for mistakenly including the medical data of a student in emails sent to the parents of other students when handling a bullying case, in violation of Articles 9, 5(1)(f), 24, 25 and 32 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
A primary school developed an action plan to address a case of alleged bullying being carried out by one student against another two. The action plan included the opinion of a professional council on bullying from the municipal directorate of education, which issued a mental health diagnosis of the student believed to be bullying the other two.
When contacting the parents of all three children on these matters, the director of the primary school mistakenly sent out the action plan un-redacted, and hence the medical diagnosis of the student suspected of bullying was visible to the other parties. The director realised that this mistake had taken place on the same day as the email was sent, and contacted the Icelandic DPA to notify the data breach. It also notified the recipients of the email of this data breach, asking them to disregard the email, and delete it.
The Icelandic DPA informed the school that it would undertake no further action, and that the notification of the data breach by the primary school was enough up until that point. However, the DPA noted that if new facts emerged, or if a complaint was filed regarding this matter, it would reopen the case. However, the parent of the child whose medical data had been shared in the email to the other parents, eventually filed a complaint with the DPA, claiming that in the contents of subsequent correspondence regarding the bullying issue, they believed that the other parents had accessed the breached medical data belonging to their son.
Holding[edit | edit source]
The DPA held that although the school had an obligation to respond and deal with bullying cases, this did not justify sharing the medical data of a student without a legal basis under Articles 6 and 9 GDPR. Furthermore, the DPA held that although it could not verify if the email had indeed been read or not by the other parents, the breach in itself constituted a violation of Articles 5(1)(f), 24, 25 and 32 GDPR, related to the controller’s obligations regarding security of personal data. The DPA considered that in light of the nature of the data, it was reprehensible that the school had not processed this data with the appropriate level of security it required, and issued a reprimand against the school for the violation of the aforementioned GDPR provisions.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions The provision of sensitive personal information about children by primary schools is not in accordance with the law Case no. 2020031451 24.3.2022 The Data Protection Authority has ruled on the dissemination of sensitive personal information about a student by e-mail, from the principal of a primary school to the parents of other students, in connection with the processing of bullying cases. The Data Protection Authority came to the conclusion that the primary school's transfer of personal information about the complainant's child to the recipients of the e-mail was not authorized in the way that was done and the processing was therefore not in accordance with Act no. 90/2018, on personal protection and the processing of personal information, cf. Regulation (EU) 2016/679. In light of the nature of the data in question, the Data Protection Authority considered it reprehensible that the compulsory school did not ensure the appropriate security of the information as required by the Data Protection Act. Ruling On March 14, 2022, the Data Protection Authority issued a ruling in case no. 2020031451: I. Procedure 1. Outline of case On April 17, 2020, the Data Protection Authority received a complaint from [A] and [B] (hereinafter referred to as the complainants) that [primary school] had sent an e-mail containing sensitive information about their child to the parents of two other children who attended the same school. . By letter dated On 5 October 2020, [the primary school] was invited to provide explanations regarding the complaint. The answer was by letter dated. November 6, 2020. By e-mail on. On March 24, 2021, the Data Protection Authority announced a planned on-site inspection. On 14 April 2021, the Data Protection Authority carried out a site inspection at the [municipality's] office and examined the data. By email dated March 27, 2021, the complainants submitted a supplement to their complaint. All the above documents have been taken into account in resolving the case, although not all of them are specifically mentioned in the following ruling. The case has been delayed due to heavy work at the Data Protection Authority. 2. Complainants' views Complainants have stated that they believe that the then principal of [the primary school] sent sensitive personal information about their child attending [primary school] to the parents of two other children in the same school. The e-mail concerned bullying that was being worked on at the school. The complaint states that the complainants believe that it is not possible to claim that the person in question did not read the e-mail or that the e-mail had been deleted. During the proceedings, the complainants added to their complaint a screenshot from the documents they had received from [the municipality] and the complainants, with reference to what is stated there, believe that the e-mail that was sent was read. 3. Perspectives [primary school] On behalf of [the primary school] it has been stated that the complainant's child is a student at the school and that the alleged bullying case has been pending there for a long time. Various measures have been taken in order to seek solutions to the issue. Among other things, the opinion of the professional council on bullying at the Directorate of Education on the state of affairs in the school had been requested, and the professional council had given an advisory opinion with proposals for improvement. Subsequently, the school has worked on an action plan in the case regarding three students of the school, incl. children quarterback. By mistake, the action plan, which had been sent to the Professional Council on Bullying and contained sensitive information about the complainant's child diagnosis, was sent in an e-mail attachment on [date] to the parents of the two children covered by the plan, ie. four persons, without certain details of the complainant's child having been deleted from the document. It had been noted that three different copies had to be prepared, one for each party, as information on other children had been erased. Instead, the same document had been sent to the parents of all three children involved. The school's response states that as soon as the incident was discovered, the e-mail was revoked and the correct document sent. The recipients of the e-mail have been contacted and confirmed that they have not read the e-mail and that they would delete it if the revocation does not take place. The case was then reported to the Data Protection Authority as a security breach. The complainants had then been informed of the case and apologized by the school and [the municipality]. However, it is known that the recipients of the e-mail have been involved in alleged harassment cases since it first arose, had a number of meetings and conversations with school administrators, representatives of the municipality and counselors. By their nature, they therefore had information on the content of the case before the e-mail was sent. 4. On-site inspection of the Data Protection Authority On 14 April 2021, two employees of the Data Protection Authority went on a site inspection at [the municipality's office] where i.a. the [municipality]'s privacy officer and the [elementary school] principal were present and answered questions. The examination examined the accompanying document discussed in this complaint, ie. the school's action plan, which was sent to the parents of two other children and an assessment was made of its contents. The document discussed in the case contained personal information about the complainant's child, including information about the diagnosis the child had received, as well as information about the need to increase education among the school's staff about this particular diagnosis. II. Assumptions and conclusion 1. Scope - Responsible Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file. This case concerns the dissemination of personal information about the complainant's child by [the primary school] and therefore falls within the competence of the Data Protection Authority. As in this case, [compulsory school] will be considered responsible for the processing in question, cf. 6. tölul. Article 3 Act no. 90/2018, Coll. 7. tölul. Article 4 of the Regulation. 2. Conclusion All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. 3. tölul. Article 9 of the Act and point c of the first paragraph. Article 6 of the Regulation, or if the processing is necessary for the exercise of public authority, cf. 5. tölul. of the legal provision and point e of the regulatory provision. In addition, the processing of sensitive personal data, such as personal data concerning a person's physical or mental health, must comply with one of the additional conditions of paragraph 1. Article 11 of the Act, cf. Article 9 of the Regulation. In assessing whether the processing is authorized, the provisions of other applicable laws must also be taken into account. Act no. 91/2008 on compulsory schools and rules set according to them, e.g. Regulation on the responsibilities and obligations of members of the school community in compulsory schools no. 1040/2011. Although it can be accepted that compulsory schools have an obligation to respond to and deal with bullying cases in accordance with the above, it cannot be seen that [compulsory school] has been allowed to send parents of other children sensitive personal information about the complainant's child. As stated above, the representatives of the Data Protection Authority went on a site inspection and examined the document in question and confirmed that the e-mail attachment contained personal information about the complainant's child as well as information about a specific diagnosis, which in the Data Protection Authority's opinion was presented. The attachment was sent to the recipients without the above information being erased or made impersonal. The [primary school] has also admitted that there was a mistake, but a security breach was reported on the same day as the mail was sent, ie. [day.]. The announcement was updated on [date] s.á. By letter dated [...], [the primary school] was informed that no action was considered by the Data Protection Authority due to the security breach based on the information provided in the notification. However, the letter also stated that new information would emerge, and that if a complaint was received from an individual due to the security breach, the case could be reopened, and this was done when the complainants' complaint was received. The above notification will therefore not be considered to be of special significance in resolving this case. According to the above, it will not be considered that the [primary school]'s personal information about the complainant's child was authorized to the recipients of the e-mail in the manner specified in the complaint. For that reason alone, the Data Protection Authority considers that the processing of [the compulsory school]'s personal information about the complainant's child has not been in accordance with Act no. 90/2018, on personal protection and the processing of personal information, cf. Regulation (EU) 2016/679. It does not change the fact that the recipients of the e-mail may have been aware of the contents of the document to some extent, as the responsible party has claimed, but the Data Protection Authority cannot verify this. In light of the nature of the data in question, the Data Protection Authority considers it reprehensible that [the compulsory school] has not ensured the appropriate security of the information as required in point 6. Paragraph 1 Article 8, Articles 23, 24 and 27 Act no. 90/2018, Coll. paragraph 1 (f) Article 5, Articles 24, 25 and 32 Regulation (EU) 2016/679. As this case has grown, the conclusion of the Data Protection Authority is that there are no preconditions for the application of a fine, cf. Article 46 Act no. 90/2018. U r s k u r ð a r o r ð: The dissemination of [primary school] personal information about child [A] and [B] by e-mail to the parents of two other children at the school on [date] was not in accordance with Act no. 90/2018, on the protection of personal data and the processing of personal data, and Regulation (EU) 2016/679. Privacy, March 14, 2022 Helga Sigríður Þórhallsdóttir Steinunn Birna Magnúsdóttir