Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
DANISH SUPERVISORY AUTHORITY: The Southern Denmark region has been sanctioned

DANISH SUPERVISORY AUTHORITY: The Southern Denmark region has been sanctioned

The Danish Data Protection Authority has established that the Syddanmark Region has not protected personal data from the involuntary publication on the region’s website.

The Personal Data Protection Authority has denounced the Syddanmark region to the police for having not established sufficient security measures. The region has not protected the involuntary publication of personal data on its website. For this reason, the Personal Data Protection Authority has imposed a sanction of 500.000 danish crown (67.233 euros).

On the 9th of March 2020, the Personal Data Protection Authority received a personal data breach notification by the Syddanmark region. The notification was affirming that a PowerPoint presentation, which has been prepared for educational purposes at the Odense University Hospital with graphs including personal data – including health and personal social security number information of 3.915 patients – was available on the website of the Southern Denmark region since May 2011.

The Denmark region has used a screening instrument in order to regularly scan the involuntary publication of social security numbers on its website. Anyway, the screening instrument used shall not scan personal data included into the PowerPoint publication and this was the reason why the region has not complied with the requirements of an adequate security level pursuant to the General Data Protection Regulation (GDPR).

In this context, the Authority has revealed that the Southern Denmark region has not established adequate security measures in order to permit the region carrying out quality checks on the content of these published documents.

Inadequate security measures

In the context faced by the Authority, the Southern Denmark region has declared that, since March 2013, it was using the above-mentioned screening instrument in order to analyze document on the website for social security numbers which have been involuntary published. The screening instrument has not scanned other types of information, including, for example, heath information.

The Southern Denmark region has discovered, only when the Odense University Hospital has been contacted by a citizen with regard to the PowerPoint presentation in February 2020, that the screening instrument was not able to find out social security numbers included into the PowerPoint presentation.

Some authorities regularly unintentionally publish information about citizens on websites. When publishing documents that could potentially contain personal data, authorities should always consider the relevance of prior and subsequent checks. In a case like this, where the region handles large amounts of sensitive information on many citizens, the requirements for risk considerations to be made by the region are increased, as are the requirements for the measures actually implemented.

Overall, the DPA found that the South Denmark Region did not have sufficient knowledge of the functionality of the screening tool. Moreover, the region had not carried out adequate continuous screening of files for personal data that had been unintentionally disclosed. The region had also not tested the effectiveness of the security measures related to the screening of files published on the region’s website on a continuous basis.

The Authority also considered that the South Denmark region should have put in place measures – technical or organizational – that would allow the region to screen the region’s website for other types of data, including, for instance, health data.

Why complain it to the police?

The Authority always makes a specific assessment of the seriousness of the case under Article 83(2) of the General Data Protection Regulation (GDPR) when considering what sanction, it considers appropriate.

In assessing whether a fine should be imposed, the Authority took into account the fact that the Syddanmark Region processes large amounts of personal data, including health data – which is of a sensitive nature – and personal identity number data.

The Authority also emphasized that the region has a greater obligation to protect this information from accidental disclosure or dissemination and that, in this context, it is particularly incumbent on regions that publish many documents and large amounts of information to carry out adequate checks on the documents and information published.

SOURCE: DANISH DATA PROTECTION AUTHORITY 

Recommended to you

Advanced Research