Persónuvernd - 2020010628

From GDPRhub
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5 GDPR, Article 6 GDPR, Article 6(1)(c) GDPR, Article 9(1) GDPR, Article 9(2) GDPR, Article 9(2)(b) GDPR, Article 32 GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 29.09.2020
Published: 22.10.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010628
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) held that while a public institution had lawfully collected a data subject's health information and disseminated it to a municipality, the municipality did not act lawfully in publishing the information on its website.

English Summary

Facts

A data subject complained to the DPA about the processing of his sensitive data by an institution and a municipality. More specifically, the complainant's health and sick leave information was disclosed in the minutes of the institution's board meeting on at least two occasions. The institution then communicated the minutes to multiple municipalities, one of which published the minutes on its website without removing the health data.

The complainant argued that the board of the institution should have recorded his health information as confidential, and refrained from making it available to anyone other than the board and its director. Furthermore, the municipality notified the DPA about publishing the information on its website and considered it to be a data breach which resulted from a mistake.

Dispute

Were the recording of the personal data by the institution, the communication to the municipality, and the publishing on the municipality's website in line with the GDPR?

Holding

First, Persónuvernd held that the public institution in question acted lawfully (in line with Articles 6(1)(c) and 9(2)(b) GDPR) when it communicated the complainant's personal data to the municipality.

Second, the DPA held that the municipality breached the GDPR (especially Articles 5 and 32) by publishing the health data on its website, as it did not properly review the minutes before their publication.

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Ruling on the processing of sensitive personal information by a public institution and a municipality
Case no. 2020010628
22.10.2020
The Data Protection Authority has ruled on the processing of personal information about an individual's health and sick leave by a public institution and a municipality. The Data Protection Authority considered that the institution had been authorized to record the information in question in its minutes and to disseminate it to the municipality, and that the processing also met the conditions for the processing of sensitive personal information. Finally, the Data Protection Authority considered that the processing had complied with the principles of the Act. The conclusion of the Data Protection Authority was therefore that the institution's processing in question had been in accordance with Act no. 90/2018, on Data Protection and the Processing of Personal Data.

On the other hand, the Data Protection Authority considered that the municipality had lacked the authority to publish the personal information in question on its website. The ruling also states that the responsible party must be considered to have a duty to review data containing personal information prior to its publication. The conclusion of the Data Protection Authority was therefore that the municipality's processing in question had not complied with Act no. 90/2018.

Ruling

On September 29, 2020, the Data Protection Authority issued a ruling in case no. 2020010628 (formerly 2019050922):


I.
Procedure

1.
Complaint and procedure
On May 3, 2019, the Data Protection Authority received a complaint from [A] (hereinafter […] the complainant) about the processing of [the complainant's] personal data by [public institution X] and the town council of [municipality Y]. More specifically, the complaint was that information on [the complainant's health and sick leave] had been disclosed in at least two sets of minutes of the board of [Agency X] which had been communicated to the Agency's member municipalities, including [municipality Y], which had published the minutes on its website in connection with the publication of the minutes of town council meetings. The complaint was accompanied by nine supporting documents which shed light on the circumstances of the case.

By letters dated 30 September 2019, [institution X] and the town council of [municipality Y] were notified of the above complaint and given an opportunity to comment on it. [Municipality Y] responded by letter dated 17 October, together with supporting documents, and [Agency X] by letter dated 22 October, together with supporting documents. By letter dated 19 November 2019, reiterated by letter dated 8 April 2020, the complainant was invited to comment on the counterparties' answers. On 19 May 2020, the complainant confirmed by telephone to an employee of the Data Protection Authority that [the complainant] did not intend to submit any further comments but requested the Data Protection Authority's ruling on the subject of the complaint.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.

The handling of this case has been delayed due to the heavy workload of the Data Protection Authority.


2.
The complainant's views
The complaint states that information on [the complainant's health and sick leave] had been recorded in at least two sets of minutes of the board of [institution X], while the complainant [held a confidential position with the institution]. The minutes had also been distributed to the municipalities that are members of the institution, including [municipality Y].

The complainant considers that the board of [Agency X] should have recorded the health information […] as confidential and that the information should not have been made available to anyone other than the board of the agency and its director. The information in question was, however, published on the website of [municipality Y] as an attachment to the minutes of the town council.

The complaint further states that one set of minutes has been removed from the municipality's website but that the other is still published.

3.
Views of [Agency X]
The aforementioned letter from [institution X] to the Data Protection Authority, dated 22 October 2019, states that after certain minutes of the institution's board had been written, they were sent to the member municipalities for information; it can be deduced from the letter that the minutes contained personal information about the complainant's sick leave. Following this, the minutes were taken up at the town council meeting of [municipality Y] and published on [its] website together with the minutes of that meeting. [Subsequently, municipality Y and agency X] reported a security breach to the Data Protection Authority, and the Data Protection Authority informed [agency X] that it did not consider it necessary to take further action.

It can also be inferred from the letter that [institution X] considers that the processing of personal data covered by the complaint constituted a security breach with regard to the distribution of minutes containing information on the complainant's sick leave, which also [included the complainant's name]. Now, however, such information is kept in a confidential book, and further measures have been taken to ensure information security.

Finally, the letter states that it must be borne in mind that the nature of the complainant's illness was not specified in the minutes and that they were only communicated to the municipalities that are members of [institution X], which have a legitimate interest in receiving information about the institution's work. In addition, the institution is obliged by law to provide its member municipalities with such information, cf. [provisions of special legislation that apply to the activities, stating that member municipalities are responsible for the operation of the institution]; wage costs are the largest cost item of the institution, and costs for paid absences and replacements have a significant effect on its finances.

4.
Views of [municipality Y]
The aforementioned letter from [municipality Y] to the Data Protection Authority, dated 17 October 2019, states that [the municipality] is one of the member municipalities of [institution X]. The board of the institution has sent minutes regarding its activities to the member municipalities, and the local government has taken them up and published them on the municipality's website. Due to a mistake by the board of [agency X], the complainant's sensitive personal information was recorded in the agency's minutes, and the information was then published on the municipality's website because the employees did not realize that the minutes in question contained sensitive personal information.

The letter also states that it was only through the letter from the Data Protection Authority dated 30 September 2019 that [municipality Y] received information that further minutes containing the complainant's sensitive personal information had been published on the municipality's website, and that these had already been removed from publication.

Finally, the letter sets out the measures taken by [municipality Y] to limit the damage caused by the processing in question and to prevent similar incidents, which include instructing [institution X] to record sensitive personal information in a confidential book instead of in minutes.

5.
Security breach notifications
The Data Protection Authority received a notification from [Agency X] about a security breach, dated 13 March 2019, cf. case no. 2019030673 at the Data Protection Authority. The notification stated that a lack of organizational measures had led to sensitive personal information about the complainant being recorded in the minutes. The minutes had then been sent to the member municipalities of the institution, including [municipality Y], which had published them on its website. It was also stated that measures would be taken to mitigate the harmful effects of the security breach, consisting of reviewing the previous year's minutes, removing information that could not have been recorded there under Act no. 90/2018 and entering it in a confidential book, recalling previous minutes containing sensitive personal information from the member municipalities, and sending the municipalities updated minutes.

The Data Protection Authority also received a notification from [municipality Y] about a security breach, dated 12 March 2019, cf. case no. 2019030662 at the Data Protection Authority. The notification stated that human error had led to the publication on the municipality's website of the minutes of the board of [institution X], which contained sensitive personal information about the complainant. It was also stated that action had been taken to mitigate the harmful effects of the security breach, i.e. that the minutes had been removed from publication. The notification further stated that [agency X] would be instructed not to include sensitive personal information in minutes or to share it with others.

By letters dated 14 March 2019, the Data Protection Authority informed [agency X] and [municipality Y] that it did not consider it necessary to take action based on the information provided in the notifications. The letters also stated that the cases could be reopened, in whole or in part, if new information came to light or new reports of security breaches were received.

II.
Assumptions and conclusion

1.
Scope - Responsible parties
The scope of Act no. 90/2018, on Data Protection and the Processing of Personal Data, and Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. paragraph 1 of Article 39 of the Act, covers the processing of personal data that is wholly or partly automatic and the processing by means other than automatic of personal data that form or are intended to form part of a file.

Personal information means information about an identified or identifiable individual; an individual is considered identifiable if it is possible to identify him or her, directly or indirectly, by reference to an identifier or to one or more factors that are characteristic of him or her, cf. point 2 of Article 3 of the Act and point 1 of Article 4 of the Regulation.

Processing means an operation or series of operations performed on personal information, whether or not by automatic means, cf. point 4 of Article 3 of the Act and point 2 of Article 4 of the Regulation.

This case concerns the registration and dissemination of information about an individual's absence due to illness in the minutes, as well as the publication of that information on the Internet. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

The party that is responsible for the processing of personal information complying with Act no. 90/2018 is called the responsible party. According to point 6 of Article 3 of the Act, this means an individual, legal entity, government authority or other party that, alone or together with others, determines the purposes and means of the processing of personal information, cf. point 7 of Article 4 of the Regulation. As such, [institution X] is considered the responsible party for the recording and dissemination of the information in question, while [municipality Y] is considered the responsible party for the publication of the information on its website.

2.
Legal environment and conclusion
All processing of personal data must be covered by one of the authorization provisions of Article 9 of Act no. 90/2018, cf. Article 6 of Regulation (EU) 2016/679. In particular, personal information may be processed if it is necessary to fulfil a legal obligation that rests with the responsible party, cf. point 3 of Article 9 of the Act and point (c) of paragraph 1 of Article 6 of the Regulation.

In addition, the processing of sensitive personal data must comply with one of the additional conditions of paragraph 1 of Article 11 of the Act, cf. paragraphs 1 and 2 of Article 9 of the Regulation. According to point (b) of point 3 of Article 3 of the Act, health information is sensitive, and it can be deduced from the complaint that information has been processed about the complainant's illness and absences related to it.

In the present case, point 2 of paragraph 1 of Article 11 of the Act, cf. point (b) of paragraph 2 of Article 9 of the Regulation, comes into consideration in particular, to the effect that the processing of sensitive personal data is permitted if it is necessary for the responsible party or the data subject to fulfil obligations and exercise specific rights under labour, social security and social protection legislation, and is carried out on the basis of applicable and specific measures to protect the fundamental rights and interests of the data subject.

In addition to authorization as described above, the processing of personal information must satisfy all the basic requirements of paragraph 1 of Article 8 of Act no. 90/2018, cf. Article 5 of Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1 of paragraph 1 of Article 8 of the Act); that it shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); that it shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3); and that it shall be processed in such a way as to ensure its appropriate security (point 6).

The security of personal information is further addressed in Article 27 of Act no. 90/2018. Paragraph 1 of the provision states that the responsible party shall take appropriate technical and organizational measures to ensure adequate security of personal information, taking into account the latest technology, the costs of implementation, the nature, scope, context and purpose of the processing, and the risks, of varying likelihood and severity, to the rights and freedoms of individuals, cf. Article 32 of Regulation (EU) 2016/679. According to paragraph 2 of that provision of the Regulation, the assessment of adequate security shall take into account the risks that the processing of personal data entails with respect to its loss, alteration, or unauthorized disclosure of or access to it.

2.1.
Processing [Agency X]
From the information available in this case, as well as the aforementioned security breach notification by [Agency X] to the Data Protection Authority, it can be deduced that [Agency X] regards the processing under discussion here as a security breach within the meaning of Act no. 90/2018. [Agency X] has not claimed that the processing was authorized in accordance with Article 9 of Act no. 90/2018, cf. Article 6 of Regulation (EU) 2016/679, nor that the conditions of Article 11 of the same Act for the processing of sensitive personal information, cf. Article 9 of the Regulation, have been met. The Agency has, however, stated that its member municipalities had a legitimate interest in obtaining information about the Agency's activities and that, according to [special legislation applicable to the activities], the Agency was required to provide them with such information.

[Agency X] operates in accordance with [further specified special laws, which state, among other things, that member municipalities are responsible for its activities and operations, in addition to which they are responsible for the appointment of the agency's board. The Board of Directors discusses, among other things, the financial affairs of the institution and the appointment to the position held by the complainant.]

It should also be noted that according to Article 28 of the Local Government Act no. 138/2011, every member of a local government has the right to familiarize himself or herself with data and information that is available in the municipal administration and concerns matters that may be discussed in the local government. Paragraph 2 of the same article states that a local councillor shall have normal access to the municipality's offices and institutions for the purpose of familiarizing himself or herself with the municipality's activities and operations.

In view of the above legal provisions, it must be assumed that [institution X] has a legal obligation to provide local councillors of its member municipalities with access to data regarding its operation and activities, including the illness of employees who hold positions of trust at the institution and whose absence can have a significant impact on its operation. In this connection, the statutory responsibility of the municipalities for the operation of [agency X] should be emphasized; in light of this, the municipalities may be obliged to provide the agency with funds to meet unforeseen expenses and thus enable it to meet its financial obligations, including towards staff.

In view of all the above, the Data Protection Authority considers that it must be assumed that [institution X] was authorized, in accordance with point 3 of Article 9 of Act no. 90/2018, cf. point (c) of paragraph 1 of Article 6 of Regulation (EU) 2016/679, to disseminate information on the complainant's sick leave to the town council of [municipality Y]. The Data Protection Authority also considers that the conditions of point 2 of paragraph 1 of Article 11 of the same Act, cf. point (b) of paragraph 2 of Article 9 of the Regulation, have been met for the processing.

It will then be examined whether point 6 of paragraph 1 of Article 8 and Article 27 of Act no. 90/2018, cf. point (f) of paragraph 1 of Article 5 and paragraph 2 of Article 32 of Regulation (EU) 2016/679, were observed during the processing discussed here. As previously stated, the Data Protection Authority is of the opinion that the processing in question was authorized and that the legal requirements for it were met. In view of this, the Data Protection Authority does not consider it possible to find that the cited legal provisions were violated by the dissemination of information about the complainant to [municipality Y] by [institution X]. Nor will it be considered that the processing violated the other principles of the Act, cf. points 1-5 of paragraph 1 of Article 8 of the Act and points (a)-(e) of paragraph 1 of Article 5 of Regulation (EU) 2016/679.

In view of the above, it is the conclusion of the Data Protection Authority that the processing by [institution X] of the complainant's personal information under discussion here was in accordance with Act no. 90/2018.

2.2.
Processing [municipality Y]
According to the information available in this case, the publication by [municipality Y] of the personal information about the complainant in question was the result of a mistake. It has also been stated in this case, as well as in the aforementioned security breach notification [from municipality Y] to the Data Protection Authority, that the municipality regards the processing as a security breach within the meaning of Act no. 90/2018. Finally, the municipality has not claimed that the processing was authorized according to Article 9 of Act no. 90/2018, cf. Article 6 of Regulation (EU) 2016/679, nor that the conditions of Article 11 of the same Act, cf. Article 9 of the Regulation, for the processing of sensitive personal data have been met.

It must be considered that the responsible party has a duty to review data containing personal information before it is published and to ensure that the publication complies with the law, cf. paragraph 2 of Article 8 of Act no. 90/2018 and paragraph 2 of Article 5 of Regulation (EU) 2016/679, cf. also the ruling of the Data Protection Authority of 27 August 2020 in case no. 2020010584.

In view of the above, it is the conclusion of the Data Protection Authority that there was no authorization for the publication by [municipality Y] of the complainant's personal information. The publication was therefore not in accordance with Act no. 90/2018.

With reference to what has been stated about the response of [municipality Y] in the case, it is the opinion of the Data Protection Authority that there is no need to issue specific instructions to the municipality on account of the processing discussed here.

Operative part of the ruling:

The processing by [institution X] of personal data about [A] complied with Act no. 90/2018, on Data Protection and the Processing of Personal Data.

The processing by [municipality Y] of personal data about [A] was not in accordance with Act no. 90/2018, on Data Protection and the Processing of Personal Data.

At Persónuvernd, September 29, 2020

Helga Þórisdóttir Helga Sigríður Þórhallsdóttir