The Danish Data Protection Authority has investigated a security breach involving personal data in a department of the Ministry of Justice. The Authority found that the Ministry had not demonstrated that the personal data was processed with the required level of security. The Authority issued serious criticism and ordered the Ministry to inform the data subjects.
The Danish Data Protection Authority often sees data controllers take a long time to clarify the circumstances of a personal data breach. Data controllers also frequently have difficulty assessing the risks a breach entails; they are typically unable to assess the potential consequences for the data subjects. Finally, the Authority also sees data controllers focus on those circumstances of a breach that appear to argue for a lower risk, and thereby distort the real picture of the risk the breach poses.
This case illustrates a situation in which all of these factors led to incorrect assessments by the data controller.
The case
The Ministry of Justice sent an email to the Bar Association containing, among other things, the names, ID numbers and reminder letters of 35 people relating to the transfer of fines to SKAT (the Danish tax authority) for collection.
The email was sent outside the encrypted channel that is normally used, and it was not possible to document whether the email had been encrypted.
The Authority seriously criticized the Ministry of Justice for having acted in breach of the provisions of the General Data Protection Regulation, both in sending the email and in handling the breach.
It was particularly concerning that three months passed from the time the Ministry was informed of the potential breach until it was investigated. This led to a delay in notifying the Data Protection Authority, and it probably contributed to the fact that it was not possible to establish how the email had been shared on the internet.
One of the criticisms was that, after three months of investigation, the Ministry of Justice still had not decided whether the data subjects should be informed of the breach. The Ministry subsequently stated that it had decided not to notify them, but since that decision was not based on any new information in the case, the Authority held that it should have been taken earlier.
The Authority also rejected the Ministry of Justice's assessment that notification should not take place. The Authority noted that the risk assessment had not addressed the potential loss of rights for the specific data subjects concerned, but had focused only on the general point that the Ministry was not aware of any actual consequences. The focus was mainly on the fact that the Ministry was not aware that unauthorized persons had accessed the email; the possibility of, for example, loss of reputation or future business was not part of the assessment.
In the Authority's view, a data controller is often not the first to become aware of a possible misuse, and in cases where the consequences of unauthorized access may lie in the future, the controller's concrete lack of knowledge of any consequences that have already materialized is not necessarily something that can be given great weight when assessing the risks a breach poses to the persons concerned.
The Ministry of Justice was ordered to notify the data subjects of the breach, as the Data Protection Authority assessed the risk as high.