Persónuvernd - 2020010382

From GDPRhub
Persónuvernd - 2020010382
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 83(2)(c) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 05.03.2020
Published: 10.03.2020
Fine: 1300000 ISK
Parties: Breiðholt Multicultural School
National Case Number/Name: 2020010382
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

Persónuvernd imposed a fine of 1 300 000 ISK (approx. 9000 euro) on Breiðholt Multicultural School for lacking technical and organisational measures and being in breach of Article 5(1)(f) and Article 32 GDPR. The security breach took place when a teacher mistakenly attached a document, which included special categories of data from earlier interviews, in an email to new students at the school.

English Summary

Facts

Persónuvernd received a notification of a personal data breach from Breiðholt Multicultural School. According to the notification, an attachment containing sensitive information about earlier students was mistakenly sent by a teacher to new students. The teacher mistakenly sent an email with an attachment that included information about interviews that had been conducted the previous semester. The document contained special categories of data concerning the former students. The comments included information about the students’ well-being, learning outcomes and social conditions. The information was to a large extent about qualities that the students’ lacked. In one case it related to the fact that the child protection authorities were connected. In another case there was information about mental health, and in another case, physical health.

Holding

Persónuvernd highlighted that personal data must be processed in accordance to the principles found in Article 5 GDPR, in this case Article 5(1)(f) GDPR. In addition, Persónuvernd highlighted Article 32 GDPR as operationalising the requirement to implement adequate technical and organisational measures to ensure the secure processing of personal data.

In light of the requirements for controllers to provide adequate security of personal data, Persónuvernd found that the dissemination of special categories of data was not in line with the requirements as found in GDPR.

In reference to Article 83(2)(c), the Supervisory Authority referenced mitigating factors carried out by the school when assessing the fine.


Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

decision


On March 5, 2020, the Privacy Policy Board made a clear decision in case no. 2020010382 (previously 2019081527):
I.

procedures
1.
Start of case

On August 16, 2019, the Data Protection Authority received a notification of a security breach from the Breiðholt Multicultural School (hereinafter FB). According to the announcement, an attachment containing sensitive information about interviews with students by mistake was emailed to unauthorized parties on 15th

The notice states that a teacher at the school sent e-mails to new students, ie. their new supervisors and their guardians. He included an attachment that he considered to be a document containing a record of interview time. The teacher mistakenly sent an e-mail attachment in error, which included information about interviews that had been taken by supervisors from the previous semester. The document contained, among other things, sensitive personal information about the senior supervisors of the relevant teacher.

The teacher received an email from two guardians within a short time, informing him of the attachment. Subsequently, the teacher responded to the suggestions and sent an e-mail to recipients stating that the wrong attachment had made a mistake and asked the guardians and newcomers to delete the previous e-mail. It is also stated in FB's announcement that a request for apology has been followed by a request to guardians and newcomers about the deletion of data, as well as that a general notification be sent to the school staff with a recommendation to safeguard the security of the processing of personal information.

Furthermore, the notice states that the teacher in question intends to meet with some of the guardians along with some of the newcomers on the day the notification was received and will then have the opportunity to verbally delete the said email. Regarding guardians and newcomers who did not meet with teachers on August 16, 2019, it is stated that the school intends to contact them by telephone with the same request on the same day.
2.
The impact of the security breach

Upon receiving the notice, or on August 20, 2019, the Data Protection Authority contacted the school teacher by telephone. Then the school sent a letter, day. sd, confirming what had been stated in the call that a meeting would be held the following day and the information that had been transmitted had been sent to newcomers and their guardians.

On August 21, 2019, employees of the Data Protection Authority went on a field visit to FB. The situation was investigated and the proposals for the security breach were reviewed. Privacy Protection staff reviewed the data sent out in the security breach. The actions taken by FB in the wake of the security breach were also reviewed.

The document sent contains the following reviews about students, but the students who protected the information turned out to be a total of 18:

[In the comments, which do not seem appropriate to be published in the light of student privacy, the students' well-being, learning outcomes and social conditions were taken into account. To a large extent, the information related to something that was lacking in them and in one case to the fact that the child protection authorities had interfered with the person in question. Then, in one case, there was information about mental health and in another case physical health.]
3.
Correspondence and other communications

Privacy considered it necessary for FB to disclose whether the guardians of the students concerned had been contacted, as well as whether FB had formulated a security breach and presented a procedure for handling sensitive personal information that reduced the likelihood of similar mistakes in the future. Therefore, FB sent a letter, dated. October 25, 2019, where replies to these items were requested.

FB's reply was received by letter, dated. October 31, 2019. Says there that FB contacted the guardians of the students in question on August 16, 2019, both by e-mail and by telephone. The guardians of all students, with two exceptions, have been reached by telephone. It also states that FB has formulated an internal privacy policy which provides procedures for the processing of personal data for employees. It will be published for that in the next few days. If the school's privacy officer has given educational lectures for most staff on safety deficiencies, the main content of the rules of procedure, and how the procedures should be conducted. For example, it has been considered how the handling of sensitive personal data should be handled and how e-mail procedures should be handled. It remains to be seen that a small group of employees did not attend the meetings that had been set up and it was envisaged that they would receive the same education from a privacy officer. In addition, training on safety failures will be provided on a regular basis for staff where the procedures will also be reiterated, the aim of which is to establish clear procedures for staff to reduce the likelihood of similar mistakes and took place on August 15, 2019.

Privacy considered further explanations of the need and reason for the opportunity to object to a possible fine decision. It was done with a letter to FB, dated. January 9, 2020. Complied with the Agency's request for clarification on how the security of personal data was generally maintained at the school, including on m. about how security documentation was organized in that regard. In the letter of Privacy, the views that were used in the determination of such fines were also considered and the comments made on them were made available.

FB's reply was received by letter, dated. January 23, 2020. It says that the school considers the security breach in question very serious. Once he has become, the school has recently started implementing Act no. 90/2018 and it was clear that if the school had started work earlier, the failure would have been less likely. It is clear that the security breach was due to negligence and not intention. In order to prevent further security breaches and to enforce privacy legislation, the school has taken measures to ensure the security of personal information. If he has adopted procedures in the form of an internal privacy policy on the processing of personal information. All staff of the school involved in the processing of personal information have been instructed on security breaches and presentation of the procedures. In addition, a written information security policy has been prepared which sets out the purpose, scope, objectives, ways of achieving goals and responsibilities. It is stated that the information security policy will be reviewed annually, or more often if required, so that it is in line with the objectives of the school. In addition, the school has undertaken a written risk assessment and will, after that, select appropriate security measures, a description of which will be presented in writing. Risk assessments and safeguards will be reviewed regularly.

The school's assessment is that its response was in accordance with the Privacy Act and the Privacy Act. Does this apply to the manner in which Privacy was made known about the security breach, the measures taken to reduce the damage of the registered person, as well as the extent of cooperation with the Privacy Protection to mitigate the consequences of the breach and to reduce its harmful effects. In light of this, as well as the fact that the first security breach at the school is concerned, he does not consider grounds for sanctions to be imposed by the Data Protection Authority.

Privacy sent FB such a letter, dated. January 30, 2020, requesting confirmation of the number of individuals / e-mail addresses that had received the attachment, as well as requesting a copy of the written documentation of the personal data processing at FB, to which the school had referred in previous communications .

Reply received by letter, date. February 5, 2020. It was confirmed that an attachment containing the sensitive personal information had been sent to 20 students and 37 guardians, in addition to which the sender had also sent a copy to himself. In total, the attachment had been sent to 58 email addresses. A letter from FB also included a copy of the school's privacy policy and information security policy, which entered into force on January 23, 2020.
II.
Assumptions and conclusion
1.
Scope - Guarantee

Scope of Act no. 90/2018, on privacy and processing of personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and processing by methods other than automatic processing of personal data that is or should be part of a file.

Personal information includes information about a person or person who is personally identifiable and can be considered as personally identifiable if he or she can be directly or indirectly identified by reference to his or her identity or one or more of the characteristics characteristic of him, cf. Item 2 Article 3 of the Act and Paragraph 1. Article 4 Regulation.

Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Item 4 Article 3 of the Act and Paragraph 2. Article 4 Regulation.

This case concerns the processing of personal information by the educational institution. Respectfully, and with due regard to the foregoing provisions, this matter concerns the processing of personal information that falls under the sphere of privacy.

The person responsible for processing personal data complies with Act no. 90/2018 is named as the guarantor. According to paragraph 6. Article 3 the Act refers to an individual, legal entity, governmental authority or other party who decides alone or in collaboration with other purposes and methods for the processing of personal information, cf. also point 7. Article 4 Regulation. As is the case here, the Broad School in Breiðholt is considered to be the guarantor of the processing in question.
2.
Legality of processing

All processing of personal data must be subject to any of the provisions of Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 Regulation (EU) 2016/679. These include mentioning that personal information may be processed to fulfill the legal obligation that rests with the party responsible, cf. Point 3 the provision of the Act, cf. point c of the provision. In addition, the processing of sensitive personal data must be compatible with any of the additional requirements of the first paragraph. Article 11 of the Act, cf. Paragraph 2 Article 9 Regulation. According to point 3 (b). Article 3 the law is health information, ie. personal information relating to the physical or mental health of a person, sensitive, cf. also paragraph 1 Article 9 of the regulation, but information from the case will be that information on the physical and mental health of students has been worked out. As is the case here, especially in point 7. Paragraph 1 Article 11 of the Act, allowing the processing of sensitive personal data if necessary, for reasons of significant public interest and taking place on the basis of laws that provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject, cf. also paragraph 1 (h) Article 9 Regulation. In this connection, refer to the provisions of Article 33. a to 34. a in Act no. 92/2008 on upper secondary schools, which discusses, among other things, how such schools are obliged to monitor the situation of their students and, as stated in the first paragraph. Article 34 of the Act, provide students with emotional or social difficulties with special educational support. It is also referred to the unregistered principle that public bodies record important issues to be tried in their activities.

In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 Regulation (EU) 2016/679. It provides, inter alia, for personal data to be processed in a legitimate, fair and transparent manner towards the data subject; that they are derived for clearly stated, legitimate and objective purposes and not further processed for other and incompatible purposes; that they are preserved in the form that it is not possible to identify registered persons for longer than necessary for the purpose of processing; and that they should be processed in such a way as to ensure the proper security of personal information.

According to Art. Act no. 90/2018, cf. Article 24 Regulation (EU) 2016/679, the guarantor shall take appropriate technical and organizational measures that take into account the nature, scope, context and purpose of the processing and the risks to the rights and freedoms of registered persons to ensure and demonstrate that the processing of personal data complies with the regulatory requirements. Appears in Article 24. of the Act, cf. Article 25 of the Regulation, that these measures should ensure that privacy is integrated and standard. The second paragraph of Art. Article 24 of the regulation, where it is in proportion to the average proportionality of the processing activities, the measures must include, inter alia, the responsible party implementing appropriate privacy policies. Such policies were not in place for the said security breach. Regarding the measures that need to be taken for the processing of personal data, it is to be considered that they must, inter alia, ensure that personal data is not made available to unauthorized parties and thus an unlimited number of people, cf. Paragraph 2 Article 25 Regulation.

The above rules of Act no. 90/2018 and Regulation (EU) 2016/679 are highlighted in the first paragraph. Article 27 the Act, which states that the controller and processor must take appropriate technical and organizational measures to ensure the adequate security of personal information, taking into account the latest technology, cost, implementation, nature, scope, context and purpose of the processing and the risks, misconduct and misconduct, the freedom of individuals in accordance with further instructions of Art. of the Regulation, but that article will be considered its main provisions on information security. Says in the second paragraph. the article states that in assessing whether the appropriate security is present, in particular, the risks involved in the processing must be taken into account, inter alia, in the manner in which personal data is transmitted, stored or otherwise processed, the risk of being lost, change, be published or granted access to them without permission.

From the evidence of the case, it is clear that information on students' physical and mental health, as well as other information on their personal personal interests, was sent to unauthorized parties.

In light of the cases and the requirements laid down in Act no. 90/2018 and Regulation (EU) 2016/679 safeguard the processing of sensitive personal information, it is the Privacy Act's assessment that FB did not adequately ensure that information about the illness and other circumstances of the students of the school were not available to unauthorized parties. Therefore, the appropriate security of the information was not ensured as required by item 6. Paragraph 1 Articles 8, 23, 24 and 27 Act no. 90/2018, cf. paragraph 1 (f) Articles 5, 24, 25 and 32 Regulation (EU) 2016/679. Therefore, the Data Protection Authority concludes that FB's processing of personal information about students has violated the above provisions of the Act and the Regulation.
3.
The point of view of the application of penalties

In view of the above, it is therefore considered whether FB should be subject to administrative fines for this purpose, cf. Article 46 Act no. 90/2018, cf. Article 83 Regulation (EU) 2016/679. In deciding this and the amount of the fine, paragraph 1 shall be considered. Article 47 Act no. 90/2018, cf. Paragraph 2 Article 83 Regulation. These include items which may either be of interest to the beneficiary or to his detriment. The following issues are considered in this case:
Nature, scope and purpose of processing

According to point 1. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (a) Article 83 of Regulation (EU) 2016/679, should consider the nature, severity and duration of violations, with regard to the nature, scope and purpose of processing, as well as the number of registered individuals who suffered and the serious damage they suffered. It is clear that the security breach in question involved a significant reduction in the privacy rights of the students concerned in the light of the nature of the personal information in question. They were sent from their supervisor teachers from last winter to new students under his supervision, as well as their guardians, a total of 57 people. However, it is clear that this is not a long-term violation but a unique case. Then it is clear that this was not processing for unlawful purposes but human error.
A subjective attitude

According to paragraph 2. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (b) Article 83 of Regulation (EU) 2016/679, should consider whether a violation was committed intentionally or negligently. There is no evidence that this was intentional and it was clear that the security flaw was a human error.
Measures to reduce the loss of registered persons

According to paragraph 3. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (c) Article 83 Regulation (EU) 2016/679, should take into account the measures taken to reduce the loss of registered persons. In this connection, it is important that almost immediately after the security breach was sent the teacher in question send a message to all recipients, that they should delete the data they had received incorrectly. It is also important to the guardians of the students whose information was reported to be missing. It appears that this was done both by e-mail and by telephone and that the guardians of all students, except two, were reached by telephone.
Scope of responsibility with regard to technical and organizational measures

According to paragraph 4. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (d) Article 83 Regulation (EU) 2016/679, should take into account the level of responsibility of the guarantor or processor with regard to technical and organizational measures. This is explained in more detail in Article 32. of the Regulation, in the light of the latest technology, the cost and the nature, the scope, the context and the purpose of the processing and the risks, the different and the less serious, for the rights and freedoms of individuals, the responsible party and the processor shall take appropriate technical and organizational measures acceptable safety against the risk. Therefore, there should have been measures in place that would have prevented the security breach in question. However, from the evidence of the case it will be assumed that they were not present.
Important previous violations

According to point 5. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (e) Article 83 Regulation (EU) 2016/679, if relevant, should be considered by previous offenders or relevant processors. There are no findings that FB violated privacy laws before the security breach occurred.

However, after it became, the Data Protection Authority received two other notifications of security breach from FB, dated. August 22, 2019 (Case No. [...]) and January 27, 2020 (Case No. [...]). These security flaws did not consider the nature of special measures to be taken by the Data Protection Authority and the school's response was considered satisfactory.
Extent of cooperation with the Data Protection Authority

According to paragraph 6. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (f) Article 83 Regulation (EU) 2016/679, should consider the extent of cooperation with the Data Protection Authority to rectify violations and reduce its harmful effects. It is clear that FB reported the security breach immediately after it emerged. The school has also responded well to the Privacy Policy's requests for clarification and information within the time limits that have been granted.
Categories of personal information

According to point 7. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (g) Article 83 of Regulation (EU) 2016/679, the types of personal data breaches should be considered. As described above, this was information about the well-being, learning outcomes and social conditions of 18 undergraduate students. To a large extent, the information related to something that was lacking in them and in one case that the child welfare authorities had interfered with the person concerned. This included health information, but according to point 3 (b). Article 3 Act no. 90/2018, such information, both in terms of physical and mental health, is considered to be sensitive.
The manner in which the supervisory authority was made aware of the violation

According to paragraph 8. Paragraph 1 Article 47 Act no. 90/2018, cf. Paragraph 2 (h) Article 83 Regulation (EU) 2016/679, should consider the manner in which the supervisory authority was notified of a violation. As mentioned earlier, the Breiðholt Multilingual School announced the Security Failure on the same day it was discovered. The school has also responded well to the Privacy Policy's requests for clarification and information within the time limits that have been granted.
Other burdensome or mitigating factors

According to paragraph 11. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (k) Article 83 Regulation (EU) 2016/679, should consider other burdensome or mitigating factors than those mentioned earlier in the provision, such as profits or losses that were directly or indirectly avoided due to a violation. In this connection, it can be mentioned, as a mitigating factor, that FB employees have been educated about information security and that a written information security policy has been prepared with procedures for the handling of personal information.
4.
Conclusion on penalties

As discussed in Section II.2. on the legitimacy of processing it is clear that FB's processing violated point 6. Paragraph 1 Articles 8, 23, 24 and 27 Act no. 90/2018, cf. paragraph 1 (f) Articles 5, 24, 25 and 32 Regulation (EU) 2016/679. Article 46 Act no. 90/2018, cf. Article 83 of the Regulation, that a violation of paragraph 1 (f) Article 5 and Article 32. the regulation may involve administrative fines.

In view of the foregoing considerations regarding the imposition of penalties and in the case of a legal service provider who does not work for a financial purpose, an administrative fine seems to be a reasonable amount of ISK 1,300,000.

In response:

The processing of the Multicultural School in Breiðholt, Austurbergi 5, Reykjavik, on personal information about students broke against item 6. Paragraph 1 Articles 8, 23, 24 and 27 Act no. 90/2018, cf. paragraph 1 (f) Articles 5, 24, 25 and 32 Regulation (EU) 2016/679.

An administrative fine of ISK 1,300,000 is imposed on the Breiðholt Multicultural School. The penalty shall be paid to the State Treasury within two months from the date of the decision