Penalty of a reprimand for disclosure of the list of quarantined persons
The President of the Personal Data Protection Office, after having conducted ex officio proceedings relating to breach of personal data protection of persons subject to medical quarantine by making available to unauthorised recipients a list containing the addresses of persons in medical quarantine, imposed a penalty of a reprimand on the waste management company and ordered the company to communicate the breach to the data subjects.
Let us recall that the Personal Data Protection Office (UODO) received a letter from the State Poviat Sanitary Inspector in Gniezno (hereinafter referred to as ‘PPIS in Gniezno’) with information on the public disclosure of a list containing the addresses of persons who are in quarantine under the administrative decision of PPIS in Gniezno and the mandatory quarantine in connection with the crossing of the country’s border, as well as the address details of persons in home isolation in connection with diagnosed SARS-CoV-2 infection.
For more information (in Polish) please visit: https: //uodo.gov.pl/pl/138/1499.
UODO has undertaken activities to clarify the situation. The Office called on the controller to clarify whether, in determining the procedures related to the processing of personal data concerning the addresses of quarantined persons due to the threat of coronavirus, it carried out an analysis of the method of distribution of the above-mentioned data in electronic and paper versions, in terms of the risks associated with the loss of their confidentiality, and to inform about the outcome of this analysis.
The Company stated in the submitted explanations, inter alia, that it carried out the analysis taking into account the circumstances connected with the failure of the processors of the abovementioned lists to comply with procedures in force in the Company and the circumstances related to the stealing or taking away of data. In addition, the controller expressed the view that the lists received included only administrative (police) addresses and did not include names, surnames and other identifiable data.
Having examined all the material collected in this case, the Office stated that information concerning: the name of the locality, street name, building/apartment number, subjecting a person to medical quarantine, constitutes personal data within the meaning of the GDPR, and the fact that persons are in quarantine constitutes a special category of personal data concerning health. On the basis of the above personal data, it is possible to identify the data subjects and therefore the controller is subject to the obligations resulting from the GDPR. UODO also took into account that the confidentiality of the data processed had been breached during the performance of the employee duties of the person responsible for supervising the printed list, left on the desk without proper supervision. At that time another employee recorded the list in the form of a photograph and shared it with another person.
In the UODO’s view, the safeguards indicated in the risk analysis are formulated in general terms and do not relate to specific events related to the activities undertaken by authorised employees. The provisions in the risk analysis, which largely relate only to the signing of the relevant statements and documents by employees, are insufficient and inadequate to the risks associated with the processing of the special categories of data, namely the addresses of the quarantined persons.
Furthermore, in the risk analysis, the controller should take into account both the special character of the data processed and the human factor, i.e. recklessness, negligence or lack of due diligence, which is one of the sources of risk in the processing of personal data.
The supervisory authority also noted that a one-off and cursory analysis also meant that the controller did not take action aimed, inter alia, at regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.
Article 33(1) of the GDPR sets forth that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The company was obliged to report the breach to the President of the UODO, however it failed to do so.
Furthermore, in a situation of high risk to the rights or freedoms of natural persons resulting from a personal data breach, the controller is obliged to communicate the breach to the data subject without undue delay. The controller shall inform persons individually of breaches of their data, unless it would involve disproportionate effort. In such a case, the controller shall issue a public communication or implement a similar measure to inform the data subjects equally effectively.
Disclosure to unauthorised recipients of personal data concerning residence addresses and health data has undoubtedly resulted in a high risk to the rights or freedoms of persons in medical quarantine. Nevertheless, the Company did not communicate personal data breaches to the data subjects.
In connection with such findings, the President of the UODO, stating a breach of the provisions of the General Data Protection Regulation, issued a reprimand to the company and ordered it to communicate the personal data breach to the data subjects.
The fact of taking by the Company disciplinary action against employees who contributed to the breach and the fact that, despite the difficult epidemiological situation, the controller has committed to provide trainings on personal data protection for its employees, are considered to be attenuating circumstances for the final decision, but not affecting its content.
For details on the case please see the contents of the decision available (in Polish) at: https://uodo.gov.pl/decyzje/DKN.5101.25.2020.