The Danish Data Protection Agency criticises Randers Municipality for failing to comply with the requirement for appropriate security measures in connection with an unintentional disclosure of personal data. The Authority also criticises the municipality for not reporting the security breach to the Authority and for not notifying the complainant of the breach without undue delay.
On the basis of a complaint, the Danish Data Protection Agency expressed criticism that Randers Municipality, by sending a notice of intended dismissal to the wrong employee, had not complied with the requirement for appropriate security measures. The notice contained information about the complainant's health and trade union affiliation.
Furthermore, on the basis of the complaint, the Danish Data Protection Agency expressed criticism that Randers Municipality had not reported the security breach to the Authority and had not notified the complainant of the breach without undue delay.
As its reason for not reporting the breach, Randers Municipality had stated that, in the municipality's opinion, the breach should be regarded as an internal dispatch sent to the wrong employee, and that all employees of the municipality are bound by a duty of confidentiality.
The Danish Data Protection Agency's guidelines on the handling of personal data security breaches give an example of a breach in which a human resources employee inadvertently sends pay slips and employment contracts to the wrong employee in the company, and it is agreed with the employee in question that the documents received are deleted as soon as the error is realised.
In this respect, the example shows that such a breach does not necessarily have to be reported to the Danish Data Protection Agency, and that the company may assess that the breach does not involve a risk to the data subject, since it is an internal breach and the company has great confidence in the employee in question.
In the present case, however, the Danish Data Protection Agency found that the security breach was subject to notification, as in the Authority's view the breach involved a risk to the complainant.
In this respect, the Danish Data Protection Agency pointed out that, in view of the confidential nature of the document and the fact that it contained information on the complainant's health and trade union affiliation, there was a particular risk of loss of reputation and confidentiality for the complainant when the notice of dismissal was sent to another employee in the same workplace.
In the Authority's assessment, the specific security breach differed from the example in the guidelines because, in the Authority's view, a notice of intended dismissal is more personal in nature than the employment contracts and pay slips on which the example in the guidelines is based.
The decision shows that, in the Data Protection Agency's opinion, when assessing whether an "internal" security breach needs to be reported to the Authority, weight should be given both to what information is involved and to which employee has received it.
In the specific case, where the breach involves information about an intended dismissal as well as information on health and trade union affiliation, it is the Authority's assessment that the breach should as a rule be reported to the Authority, unless special circumstances apply. Special circumstances could include that the recipient of the information is a particularly trusted employee who is accustomed to handling such information about the municipality's employees.
SOURCE: DANISH DATA PROTECTION AUTHORITY