The Polish DPA has fined a university for neglecting to notify the authority as well as affected persons after a data breach.
In June 2020, the Polish DPA (UODO) was notified of a data breach at a medical university. According to the complaint received, during the university’s examinations held towards the end of May 2020, students were identified via videoconference. Following the examinations, the recordings were available not only to the students being examined, but also to others who had access to the system. In addition, any third party in possession of a direct link could access the examination recordings and, by extension, the personal data the examined students presented during the identification process.
While information in the complaint indicated a high risk to the rights and freedoms of those persons affected, the data controller disagreed.
The information contained in the complaint indicated that the incident may have presented a high risk to the rights and freedoms of the persons who took the examination. UODO wrote to the university for further clarification; however, the data controller replied in writing, arguing that the incident presented a very low risk to the rights and freedoms of the affected persons and that it was therefore not necessary to notify the authority of this data breach. The university also indicated that the system had been modified after the incident to ensure that recorded examinations were not mistakenly shared. In addition, the controller indicated that it had identified the persons who downloaded the examination file and informed them of their responsibility in having access to this data.
While the Polish DPA acknowledged the efforts made by the controller to secure the data moving forward, the authority maintains that notifications were necessary.
The UODO has taken the stance that the university, as the data controller in this situation, is responsible for the data, not the individuals who downloaded the files, and that the breach occurred due to the controller’s negligence, posing a high threat to the rights and freedoms of the affected students. While the authority acknowledged that the modifications to the e-learning platform used for the examinations will serve to protect students’ data by preventing these files from being downloaded, the UODO believes that notification still should have been made to the authority as well as to the students affected.
The UODO believes that the controller has inaccurately assessed the risk associated with this data breach, and as a result failed to meet its obligations.
The Polish DPA found that, after the data breach had occurred, the controller failed to meet its obligations to notify both the supervisory authority and the persons affected by the breach. These notifications become necessary when, due to the breach, there is a high risk to the rights or freedoms of the persons affected. The authority believes that the controller had incorrectly assessed the risk involved. In its decision, UODO also indicated that it does not matter, as the controller claims, that the file recording the course of the examination was downloaded only by a limited number of persons, as there is no assurance that it will not eventually be made available to further unauthorized persons.
The Polish DPA fined the University over EUR 5,850 for neglecting its notification obligation over several months.
The University has incurred a fine of almost 6,000 Euros. The President of the Office took into account not only the failure to notify the DPA and the affected students, but also the duration of the breach (several months passed between the breach and the issuing of the decision), the deliberate inaction of the controller after being informed that notifications were necessary, and the lack of cooperation on the part of the controller with the authority, despite the letters sent and the proceedings initiated. The imposition of this fine should also serve a preventive function, as it shows that controllers cannot neglect their obligations in connection with a personal data protection breach.
Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.