Persónuvernd - 2020010591

From GDPRhub
Revision as of 16:32, 18 May 2020 by 196.52.2.16 (talk) (→‎Dispute: Edited typo "Islandic" to read "Icelandic")
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.03.2020
Published: 16.03.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010591
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA decided that the electronic complaint form on the webpage of the Citizens' Ombudsman violated Articles 5(1)(f) and 32 GDPR. HTTPS must be used to minimise the risk of unauthorized access to information shared through websites.

English Summary

Facts

In Iceland, any person who feels unfairly treated by the authorities may lodge a complaint with the Ombudsman. The complainant in this case stated that the electronic submission of complaints to the Ombudsman did not comply with the GDPR. The electronic form requests sensitive personal information about complainants, but it was only accessible on the official website, which supported the HTTP protocol and not the HTTPS protocol. The complainant said she had contacted the Ombudsman about this issue but did not receive a response until several months later.

The Ombudsman responded that the website has been updated and now supports HTTPS.

Dispute

The Icelandic DPA had to decide whether appropriate security was ensured for information on individuals that could be submitted through the electronic complaint form on the Citizens' Ombudsman's website.

Holding

The Icelandic DPA assessed the requirements of Articles 32 and 5(1)(f) GDPR. Under Article 32, appropriate security measures may include, inter alia, the pseudonymisation and encryption of personal information and the ability to ensure the ongoing confidentiality of processing systems.

HTTP is the set of rules for unencrypted data transfer over the Internet between a user's browser and the web server hosting, for example, a website. HTTPS is the set of rules for encrypted data transfer in such cases. The Icelandic DPA is of the opinion that when personal information is shared through websites that use HTTP, there is a significant risk that a third party will be able to gain unauthorized access to it. This risk is lower when the information is shared through websites that use HTTPS.

On that basis, the Icelandic DPA considered that the processing of personal data by means of the electronic complaint form was not compliant with the GDPR. However, the Citizens' Ombudsman's website now supports HTTPS. The Icelandic DPA therefore did not find grounds for further action on the matter.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Opinion on inadequate security of personal information that could be disseminated through the Citizens' Ombudsman's website

03/16/2020

Privacy has given an opinion as to whether the Citizens' Ombudsman has provided appropriate security of information on individuals that could be disseminated through an electronic complaint form on the official website that supported the HTTP protocol. Among other things, the opinion states that when personal information is disseminated through websites that use HTTP protocols, there is a significant risk that a third party will be able to access the personal information unauthorized. This risk is less when sharing through websites that use encrypted communications. The Data Protection Authority considered that the processing of the citizen ombudsman did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.
Opinion

On March 5, 2020, Persónuvernd (the Data Protection Authority) issued, with reference to paragraph 2 of Article 43 of Act no. 90/2018, on privacy and processing of personal information, the following opinion in case no. 2020010591 (formerly 2019020444):

I. Procedure

1. Complaint and procedure

On February 25, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) about inadequate security measures on the website of the Citizens' Ombudsman. Specifically, the complaint is that the Ombudsman's electronic complaint form was not available on a website that supported HTTPS (which stands for HyperText Transfer Protocol Secure), but only HTTP (which stands for HyperText Transfer Protocol). The complaint was accompanied by a screenshot of the Citizens' Ombudsman's website as well as a copy of the complainant's email communication with the staff of the office, which concerned information security on the office's website.

By letter dated May 6, 2019, reiterated by letter dated June 14, the Citizens' Ombudsman was notified of the above complaint and given the opportunity to comment on it. The Ombudsman replied by letter dated July 11. By letter dated August 28, the complainant was invited to comment on the Citizens' Ombudsman's reply. The complainant replied by email on September 2.

All of the above data have been taken into account in resolving the case, although not all of them are specifically explained in the following opinion.
2. Complainant's point of view

The complaint is based on the fact that the arrangement for electronic submission of complaints to the Ombudsman has violated the provisions of Act no. 90/2018, on Privacy and Processing of Personal Information, on Security in the Processing of Personal Information. The Office's electronic form requests sensitive personal information about complainants, but the form was only accessible on the official website that supported the HTTP protocol and not the HTTPS protocol. The complainant said she had sent an ombudsman on this issue but had not responded to it until several months later.

In addition, the alternate way in which the City Ombudsman instructs the complainant to send complaints to the office via e-mail is not secure as e-mail passes through various servers.
3. The views of the city's ombudsman

The aforementioned Resident Ombudsman Response Letter states that the Office's website has been updated and is now supported by HTTPS protocols and that the Ombudsman now considers the Web site to meet all of the most stringent security requirements.
II. Assumptions and conclusion

1. Demarcation of case - membership

This case concerns whether the appropriate security of information on individuals, which could be disseminated through an electronic complaint form on the Citizens' Ombudsman website, was ensured.

According to the first sentence of Art. Paragraph 2 Article 39 Act no. 90/2018, any registered individual has the right to file a complaint with the Data Protection Authority if he / she considers that the processing of personal data about him / her violates Regulation (EU) 2016/679 or the provisions of the Act. The Privacy Statement then determines whether a violation has occurred.

The complaint does not state that the complainant filed a complaint with the Citizens' Citizen through the Office's Web site before the Office introduced additional security measures on its Web site. Accordingly, it cannot be seen that the complainant's personal information was processed in the manner that his complaint relates to. In addition, in order for a complainant to be involved in the Protection of Privacy, he must also fulfill the conditions of having direct, substantial, specific and legitimate interests, in accordance with the principles of administrative law. When very many people have similar interests in resolving a case, the interests are classified as general, rather than specific, and therefore not conducive to creating a party position in the case. In all of the above, the Data Protection Authority does not consider material to render a ruling on whether a violation has occurred in the processing of the complainant's personal information, cf. Paragraph 2 Article 39 Act no. 90/2018.

Nonetheless, it is clear that there is a question of whether it is sufficient that the government offers that personal information be sent to the government through electronic complaint forms on websites that use HTTP protocols. According to paragraph 2. Article 43 Act no. 90/2018, the Data Protection Authority may, on its own initiative or upon request, submit opinions to the government or other parties on any matter relating to the protection of personal data. The Data Protection Authority has decided to examine the above issues on the basis of a cited provision.
3. Scope - Guarantor

Scope of Act no. 90/2018, on privacy and processing of personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of methods other than automatic processing of personal data that is or should be part of a file.

Personal information includes information about a person or person who is personally identifiable and can be considered as personally identifiable if he or she can be directly or indirectly identified by reference to his or her identity or one or more of the characteristics characteristic of him, cf. Item 2 Article 3 of the Act and Paragraph 1. Article 4 Regulation.

Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Item 4 Article 3 of the Act and Paragraph 2. Article 4 Regulation.

As previously stated, this issue is concerned with whether appropriate security of information on individuals could be ensured through an electronic complaint form on the Citizens' Ombudsman's website. Respectfully, and with due regard to the foregoing provisions, this matter concerns the processing of personal information that falls under the sphere of privacy.

The person responsible for processing personal data complies with Act no. 90/2018 is named as the guarantor. According to paragraph 6. Article 3 the Act refers to an individual, legal entity, governmental authority or other party who decides alone or in collaboration with other purposes and methods for the processing of personal information, cf. Item 7 Article 4 Regulation. As is the case here, the Citizens' Ombudsman is considered responsible for the processing of the transfer of personal information, which is entered into an electronic complaint form to the office, through its website.
2. Legal environment and opinion

The processing of personal data must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, cf. Article 5 Regulation (EU) 2016/679. Among other things, it is stipulated that they should be processed in such a way as to ensure the appropriate security of personal information, cf. Item 6 provision. According to the first paragraph. Article 27 The Act requires the responsible party to take appropriate technical and organizational measures to ensure the adequate security of personal information, taking into account the latest technology, costs, nature, scope, context and purpose of the processing and the risks, misconduct and misrepresentation, for the rights and freedoms of individuals, Article 32 Regulation. In the first paragraph. the regulatory provision lays down that appropriate measures may include, inter alia, the use of artificial identifiers and encrypted personal information and the ability to ensure the continued confidentiality of processing systems. Then the second paragraph of Art. the provision that, when assessing acceptable security, should in particular take into account the risks involved in processing, in particular as regards, inter alia, the publication or access to personal information of unauthorized persons. Furthermore, paragraph 39 of the preamble to the Regulation states that the processing of personal data should be such as to ensure appropriate security and confidentiality of information, including: to prevent unauthorized access or use of personal information and the equipment used in the processing.

HTTP protocols are the rules for unencrypted data transfer, through the Internet, between each user's browser and a web server hosting e.g. a website. HTTPS protocols are the rules for encrypted data transfer in such cases.

Privacy is of the opinion that when sharing personal information through websites that use HTTP protocols, there is a significant risk that a third party will be able to gain unauthorized access to the personal information. This risk is less when sharing through websites that use HTTPS protocols, as the communication is then encrypted. Furthermore, the sponsors are rather slow to make websites so that they support HTTPS protocols without much cost.

According to the above, the Privacy Policy considers that the processing of the Citizens' Ombudsman, which involved the provision of personal information, in connection with complaints to the Office, through an electronic complaint form on a website supported by HTTP protocols, was not compliant with the law no. 90/2018 and Regulation (EU) 2016/679. However, the Citizens' Ombudsman website now supports HTTPS protocols. In all respects, Privacy does not consider grounds for further action on the matter.

Conclusion of the opinion:

Processing of the Citizens' Ombudsman for personal data, which consisted of transferring them, through a website that was supported by HTTP protocols, did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.

Persónuvernd, March 5, 2020

Björg Thorarensen
chairman

Adalsteinn Jónasson
Ólafur Garðarsson
Vilhelmína Haraldsdóttir
Þorvarður Kári Ólafsson