Tietosuojavaltuutetun toimisto (Finland) - 4022/171/22

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started: 10.05.2022
Decided: 15.11.2022
Published: 21.12.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 4022/171/22
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The Finnish DPA found a healthcare provider to have breached Article 32(1) GDPR and Article 32(2) GDPR for not implementing appropriate technical and organisational measures, such as encryption, to prevent unauthorised access to personal data.

English Summary

Facts

A healthcare provider (the controller) had submitted a data breach notification to the Finnish DPA, according to which the CEO had left their bag outside unsupervised and the bag had been stolen. Inside the bag were a laptop, external hard drives and paper documents containing, among other things, patients' health data.

The controller stated that the laptop was turned off and the login was protected with a password, but the laptop's mass storage or the personal data it contained had not been encrypted. The external hard drives contained backups of the controller's system, which were likely encrypted.

Holding

On the basis of the information provided by the controller, the DPA considered that the password protection used by the controller had been a clearly inadequate method of protecting the personal data stored on the laptop. If a third party gains physical access to the device, the login password does not prevent the mass storage from being transferred to another device and the unencrypted content being read there.

The DPA emphasised that accessing data on external hard drives may be even easier, for example by connecting the drive to a third-party device and viewing its contents. For this reason, especially high-risk personal data must be adequately protected and the devices containing that data must be stored carefully.

The DPA stated that when paper documents end up in the possession of a third party, that party has direct access to the information contained in the documents. Paper documents must be handled in such a way that they are not accessible to third parties, and they must not be taken outside without proper protection and supervision.

On the basis of the information gathered, the DPA held that the controller had violated Article 32(1) GDPR and Article 32(2) GDPR by failing to comply with its obligation to implement appropriate technical and organisational measures, such as encryption, to prevent unauthorised access to personal data. The personal data could have been encrypted with various encryption software, the use of which would not have required disproportionate effort or resources from the controller. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Deputy Data Protection Commissioner in the matter concerning the security of personal data processing
Matter

Access to a healthcare provider's laptop and external hard drives
Information security breach notification by the data controller and investigation of the matter
Information security breach notification

On May 10, 2022, the controller filed a data breach notification with the Office of the Data Protection Commissioner regarding a stolen computer bag. According to the notification, the bag contained the controller's laptop and two external hard drives. The computer was shut down and, according to the controller, login required a password. The bag also contained a paper patient visit report, the company's occupational health report, the company's financial statements for February and the CEO's personal health information on paper.

The controller has estimated the number of persons affected by the data breach at 3,000. According to the controller, the data subjects have been informed of the incident, and information about the breach has also been placed on the controller's website and published in the newspaper. The relevant other healthcare providers have also been notified.
Additional explanation

The Office of the Data Protection Commissioner requested additional clarification from the controller in a request dated May 30, 2022. On June 14, 2022, the controller issued a written statement on the matter.

According to the clarification, one of the external hard drives in the computer bag contained backups, in NHA format, of the Aurigal Noah program installed on the computer at the business premises. According to the controller, the program is accessed with usernames and passwords, and the data in NHA format is probably encrypted. According to the controller, the external hard drives contained the following customer information: name, date of birth (or date of birth and social security number), address, phone number, email address, noise injury, the customer's insurance company, claim number and date of claim.

According to the controller, the computer bag was stolen when the CEO had come to visit a family member. The car was parked at the side of the street, and while the bags were being carried inside, the computer bag was taken from beside the car.
Notification of another healthcare provider to the data protection commissioner's office

On May 13, 2022, the Office of the Data Protection Commissioner received a notification about the same data breach from another healthcare operator (identification number 4125/171/22). The healthcare operator stated that it had inquired about data encryption from the controller and received the answer that the computer and hard drives were not encrypted.
On applicable legislation

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) has been applied since May 25, 2018. The general data protection regulation is specified by the national data protection act (1050/2018), which has been applied since January 1, 2019.

Article 32 of the General Data Protection Regulation provides for the security of processing. According to paragraph 1 of the article, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, such as the encryption of personal data. According to paragraph 2 of the article, when assessing the appropriate level of security, particular account must be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Legal question

The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The Deputy Data Protection Commissioner must decide whether the data controller has taken care of the protection of the personal data contained in the stolen computer bag, on the laptop and external hard drives and in the form of paper documents in an appropriate manner, and whether the data controller's procedure was in accordance with Article 32 of the General Data Protection Regulation (security of processing).
Decision of the Deputy Data Protection Commissioner
Decision

The controller has not complied with Article 32, paragraphs 1 and 2 of the General Data Protection Regulation in its operations, and the controller's procedure regarding the protection of the personal data contained in the stolen computer bag, on the laptop, on the external hard drives and in the form of paper documents, has not been in accordance with the General Data Protection Regulation.

The controller is given a reprimand in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation for processing operations that infringed the Regulation, namely the insufficient protection of the personal data contained in the stolen computer bag, on the laptop, on the external hard drives and in the form of paper documents.
Reasoning

In the case currently being assessed, the data controller has left a computer bag outside unattended, and the bag has been stolen. Inside the laptop bag was a laptop and two external hard drives. The bag has also contained paper documents containing personal information, such as the patient's visit report.

Regarding the protection of personal data, it can first be stated that when an outsider gains possession of paper documents, that outsider has direct access to the information contained in the documents. Paper documents should be handled in such a way that they are not accessible to outsiders, and they should not, for example, be taken outside without proper protection and supervision. The present case concerns health data belonging to special categories of personal data, which the controller should have protected particularly well.

Regarding the protection of personal data on the computer, the controller has told the Office of the Data Protection Commissioner that the computer was shut down at the time of the theft and that login required a password. Based on the clarification obtained in the case, neither the computer's mass storage nor the personal data contained in it had been encrypted. According to the controller, one of the external hard drives in the computer bag contained backups, in NHA format, of the Noah program on the desktop computer at the business premises.

The Deputy Data Protection Commissioner draws the controller's attention to the fact that even a strong login password alone does not prevent access to data if an outsider gains physical access to a computer whose data is not encrypted. Physical access to the device opens several different ways to reach unencrypted data: an outsider can, for example, start the computer from separate boot media and read the contents of the unencrypted mass storage. With separate boot media and commonly available software, it is also possible to reset the Windows user's password and then log into Windows normally. Alternatively, the mass storage can be transferred to another device and the data read on that second device. Thus, the simple password protection used by the controller has been a clearly inadequate means of protecting the data subjects' personal data stored on the computer.

In the case of external hard drives, it is even easier for an outsider to access the data, namely by connecting the disk to the outsider's own computer and viewing its contents. For this reason, especially with high-risk personal data, it is important to take care of data encryption, for example by encrypting the entire disk. In the present case, the controller had not encrypted the external hard drives, and the protection of personal data has thus been clearly deficient in this respect as well.
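The two preceding paragraphs turn on one verifiable property: whether the laptop's mass storage and any attached external drives are encrypted at rest, as opposed to merely sitting behind a login password. The following audit script is an added example, not part of the decision or of any product named in it; it assumes a Windows 10/11 machine with the BitLocker PowerShell module, run from an elevated session, and reports every volume whose contents could be read by moving the disk or booting from separate media.

```powershell
# Added example (not from the decision): audit a Windows laptop for volumes
# that rely on a login password only, instead of full-disk encryption.
# Assumes Windows 10/11 with the BitLocker module, run from an elevated session.

function Get-DiskEncryptionAudit {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume enumerates internal volumes and any attached
    # external drives, so removable disks are audited alongside the OS disk.
    foreach ($vol in Get-BitLockerVolume -ErrorAction Stop) {
        $driveType = 'Unknown'
        if ($vol.MountPoint -match '^([A-Za-z]):$') {
            $v = Get-Volume -DriveLetter $Matches[1] -ErrorAction SilentlyContinue
            if ($v) { $driveType = $v.DriveType }   # Fixed or Removable
        }

        # A Windows login password is not a key protector: only TPM, PIN,
        # startup key, recovery password etc. appear here. Data is at rest in
        # plain text unless the volume is fully encrypted AND protection is on.
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        $encrypted  = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType      # OperatingSystem or Data
            DriveType        = $driveType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = $protectors
            EncryptedAtRest  = $encrypted
        }
    }
}

# Report every volume an outsider with physical possession could read.
$audit = Get-DiskEncryptionAudit
$audit | Format-Table -AutoSize
$exposed = $audit | Where-Object { -not $_.EncryptedAtRest }
if ($exposed) {
    Write-Warning ("Volumes not encrypted at rest: " + ($exposed.MountPoint -join ', '))
}
```

Run it with the external backup drives attached, since removable volumes are only listed while connected; a volume showing ProtectionStatus Off but VolumeStatus FullyEncrypted is still readable without its key protectors.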

It should be noted that the information in the backup of the Noah program is "probably encrypted", according to the report obtained in the case, but according to the opinion of the Data Protection Commissioner, the Noah program does not encrypt the database or its backups by default, but the encryption must be enabled separately. The manufacturer of the program has also explicitly instructed to encrypt the laptop disks in case of theft.

In the present case, the controller's procedure has been in violation of Article 32, paragraphs 1 and 2 (security of processing) of the General Data Protection Regulation. According to Article 32 of the General Data Protection Regulation, in order to ensure a level of security appropriate to the risk, the controller must implement appropriate technical and organisational measures, such as encryption of personal data, among other things to prevent unauthorised access to personal data. On the assessment made, the controller has not fulfilled this obligation, and personal data belonging to special categories of personal data has ended up available to an outsider. The controller would have had several alternative software products available for encryption, and implementing encryption would not have required unreasonable effort or resources from the controller.