Persónuvernd (Iceland) - 2022081293

From GDPRhub
Persónuvernd - 2022081293
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 4 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 09.08.2022
Decided: 10.03.2023
Published:
Fine: n/a
Parties: City of Reykjavik
National Case Number/Name: 2022081293
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: ls

According to the Icelandic DPA, a controller violated Article 32 GDPR by sending a health report per e-mail to an unauthorised party, along with another e-mail containing the password to unlock the document.

English Summary[edit | edit source]

Facts[edit | edit source]

The city of Reykjavik (controller) sent a health report about a child to the wrong person by email. The document was locked but the password to open it was sent to the same wrong email address.

The recipient reported the error on the same day he received the e-mail. The controller reported the data breach to the DPA as a security breach within 72 hours, explaining that the breach was due to a human error when entering the email address. The controller also informed the parents of the child that their child’s data had been disclosed to an unauthorised recipient and contacted the latter asking him to delete the emails.

The parents considered that the controller did not implement technical and organizational measures in order to ensure the security of personal data. Therefore, they filed a complaint with the DPA. In its defence, the controller argued that it had appropriate measures in place since the document was locked with a password, that it reported the data breach to the DPA and notified the parents.

Holding[edit | edit source]

The DPA first stressed that the sending per email of a locked report containing health information to an unauthorised party, along with the password to unlock the document constitutes processing of personal data pursuant to Article 4 GDPR.

The DPA explained that locking the document was useless since the password was communicated in the same way as the document, i.e. in contiguous e-mails to the same e-mail address. The controller therefore did not ensure the security of the data as required by Article 32.

Taking into account that the controller reported the breach as required by Article 34, notified the parents and contacted the recipient of the report for its deletion, the DPA stated that there was no reason for further action. It did not consider necessary to fine the controller or to order special measures.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Processing of personal information by the City of Reykjavík

Case no. 2022081293

10.3.2023

One of the main obligations of those who work with personal data is to ensure its security. In this case, the mistake was that a document containing health information was sent to the wrong person by email. Although the document was locked, appropriate security was not considered guaranteed, as a password to open the document was sent to the same email address as the document.

----

Personal protection ruled in a case where there was a complaint about Reykjavík City's Eastern Center sharing sensitive personal information with unauthorized parties via e-mail. More specifically, it involved sending a locked report, which contained a child's health information, along with a password to open the report.

The conclusion of the Personal Protection Agency was that the communication was neither based on a processing authorization nor was it compatible with the principles of the Personal Data Protection Act regarding the legal, fair and transparent processing and security of personal information.

Ruling



on a complaint about the sharing of personal information to unauthorized parties by the City of Reykjavík in case no. 2022081293:

i
Procedure
1.
Complaint and views of the parties

On 9 August 2022, Personal Protection received a complaint from [A] (hereinafter the complainant). The complaint was based on the fact that Reykjavík City's Eastern Center had sent a locked report, which contained health information about his child, and a password to open the report, to an unauthorized party via e-mail.

Personal Protection invited the City of Reykjavík to comment on the complaint by letter, dated 8 November s.á., and the city's answers, together with supporting documents, were received on 22. s.m. The complainant was then given the opportunity to submit comments to the City of Reykjavík's responses by letter, dated 30 p.m., and they were received by e-mail on 7 December s.á. In addition, Personal Protection received a letter from the City of Reykjavík on the 6th, in which the city reported on the measures that had been implemented at Austurmíðstóð in connection with the transmission of data.

When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

___________________

There is a dispute as to whether the City of Reykjavík has implemented technical and organizational measures in order to ensure the security of personal information in the case in question, according to Article 27. Act no. 90/2018 on personal protection and processing of personal information.

The complainant relies on the fact that condition IV. chapter of law no. 90/2018 on the security of personal information was not fulfilled, since the report in question was sent to the same email address as the password to open it, even though it was done with two emails. The complainant believes that the City of Reykjavík should have prevented the incident in question by implementing appropriate technical and organizational measures designed to enforce the principles of personal protection. The complainant also wants to know whether the City of Reykjavík's response to the incident was in accordance with the provisions of the Personal Protection Act.

The City of Reykjavík believes that it has taken appropriate technical and organizational measures in order to ensure the security of personal information in the case in question, cf. Article 27 Act no. 90/2018. In this regard, the City of Reykjavík refers to the fact that the personal information was sent in a locked document in an e-mail and a password in another e-mail to open the document. The City of Reykjavík has also reported the incident as a security breach to Personal Protection within 72 hours. since it took place, and the parties concerned have been notified of it, both by phone and by letter. In addition, the deviation involved in the said mistake has been documented by the City of Reykjavík.

2.
Security breach notification

Personal protection received a notification from the City of Reykjavík about a security breach on July 1, 2022 (cf. case no. 2022071178). The notification stated that a mistake had led to the fact that an employee of the Reykjavík City Eastern Center had sent a locked report, which contained the health information of the complainant's child, and a password to open the report, to an unauthorized party by e-mail. When sending the report, there was a human error when entering the email address, which caused the report and password to be sent to the wrong person.

The notice states that the recipient of the e-mails reported the error on the same day it occurred. Subsequently, the recipient would have been contacted and asked to delete the emails. In addition, the child's parents would have been informed of the mistake, but they would have been contacted by phone. It also says that the staff of Austurmiðstóður had not been aware that there had been a reportable security breach, but the personal protection representative of the city of Reykjavík had received information about the incident the day after it took place, when the complainant forwarded the e-mails in question.

By email on August 4, 2022, the Data Protection Authority informed the City of Reykjavík that the agency did not consider there to be grounds for action based on the information contained in the notification. The letter also stated that the case may be reopened, in whole or in part, if new information comes to light, a complaint is received from an individual or new notifications of security breaches are received.

II.
Conclusion
1.
Scope - Responsible parties

Scope of law no. 90/2018, on personal protection and processing of personal data, and regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of Personal Protection, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic.

This case concerns the sending of a locked report, which contained health information about the complainant's child, via email to an unauthorized party, along with a password to unlock the report. It concerns the processing of personal data that falls under the authority of the Personal Protection Agency.

As is the case here, the City of Reykjavík is considered to be the party responsible for the processing in question according to Act no. 90/2018 on personal protection and processing of personal data, and regulation (EU) 2016/679.

2.
Lawfulness of processing and outcome

All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. The processing of sensitive personal information must also be compatible with one of the additional conditions of paragraph 1. Article 11 of the law, cf. Paragraphs 1 and 2 Article 9 of the regulation. From the case documents, the council must have worked with health information about the complainant's child, but it is considered sensitive personal information, cf. b-point 3. no. Article 3 of the Act, and paragraph 1 Article 9 of the regulation

In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Article 5 of regulation (EU) 2016/679. Among other things, it is stipulated that personal data shall be processed in a lawful, fair and transparent manner towards the data subject (paragraph 1 of the legal provision) and that it shall be processed in such a way that its appropriate security is guaranteed (paragraph 6).

The security of personal information is discussed in more detail in Article 27. Act no. 90/2018. In paragraph 1 of the provision states that the responsible party shall take appropriate technical and organizational measures to ensure adequate security of personal data taking into account the latest technology, the cost of implementation, the nature, scope, context and purpose of the processing and risks, unlikely and of varying severity, for the rights and freedoms of individuals according to further instructions Article 32 of regulation (EBS) 2016/679. According to paragraph 2 of the regulatory clause, when assessing adequate security, take into account the risk that the processing of personal information entails in terms of it being lost, changed, published or accessed without permission.

From the information available in this case, as well as the above-mentioned notification by the City of Reykjavík about a security breach to the Data Protection Authority, it can be concluded that the City of Reykjavík considers the processing under discussion to be a security breach within the meaning of section 11. Article 3 Act no. 90/2018 and No. 12 Article 4 of regulation (EU) 2016/679. It has not been claimed by the City of Reykjavík that the processing was authorized according to Article 9. Act no. 90/2018, cf. Article 6 Regulation (EU) 2016/679, nor that the conditions of Article 11 have been met. the same law for the processing of sensitive personal information, cf. Article 9 of the regulation. It also follows that the processing was not legal, cf. Number 1. Paragraph 1 Article 8 of the law, cf. point a, paragraph 1 Article 5 of the regulation.

It will then be examined whether information security has been taken care of in accordance with section 6. Paragraph 1 Article 8 and Article 27 Act no. 90/2018, cf. point f, paragraph 1 Article 5 and paragraph 2 Article 32 of regulation (EU) 2016/679. As mentioned above, the City of Reykjavík believes that it has taken appropriate technical and organizational measures, as the personal information was sent in a locked document in an e-mail and a password in another e-mail to open the document. As is the case here, Personal Protection does not believe that it is possible to agree to that position, since locking the report was of little use since the password was communicated to parties in the same way as the report, i.e. in contiguous e-mails, to the same e-mail address. In the opinion of the Data Protection Authority, the City of Reykjavík therefore did not ensure the security of the complainant's child's personal information in the manner required by the provisions of Article 27. Act no. 90/2018 and Article 32 of regulation (EU) 2016/679.

It is also known that the City of Reykjavík reported the aforementioned security breach to the Personal Protection Agency within 72 hours. since it took place, cf. Paragraph 2 Article 27 Act no. 90/2018 and paragraph 1 Article 33 of regulation (EU) 2016/679. The parents of the child to whom the personal information relates were also informed about the case, both by phone and by letter, cf. Paragraph 3 Article 27 of the Act and paragraph 2 Article 34 of the regulation. In addition, the City of Reykjavík contacted the recipient of the report so that it would be deleted. As is the case here, the Data Protection Authority does not believe that there was a reason for further action on the part of the City of Reykjavík, and that the municipality's response was therefore consistent with the aforementioned provisions.

In view of the above, it is the conclusion of the Personal Protection Authority that the processing of the personal data of the complainant's child by the Reykjavík City Eastern Center, which is discussed here, did not comply with Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

Taking into account the measures that Reykjavík City's Eastern Center has implemented in connection with the sending of data, which are specified in the letter from the City of Reykjavík to the Personal Protection Agency from December 6, 2022, the Personal Protection Agency does not consider it necessary to give the City of Reykjavík special instructions.

Ruling:

The City of Reykjavík's sharing of personal information about child [A], which consisted of sending a report containing health information about the child to an unauthorized party, was neither based on a processing authorization nor did it comply with the provisions of Act no. 90/2018, on personal protection and processing of personal data and Regulation (EU) 2016/679 on the lawful, fair and transparent processing and security of personal data.

Privacy March 10, 2023

Bjarni Freyr Rúnarsson Harpa Halldórsdóttir