A university fined for failing to notify a data breach
The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 25,000 on the Medical University of Silesia for failing to notify a personal data breach: the controller should have notified not only the supervisory authority but also the persons affected by the incident.
Besides the fine, the supervisory authority also ordered the university to notify the persons affected by the breach, which occurred in connection with examinations conducted by videoconference on a dedicated e-learning platform.
Reports that a personal data breach had occurred at the Medical University of Silesia reached the UODO in early June 2020. The information received and the description in the complaint indicated that students had been identified on camera during examinations held by videoconference at the end of May 2020. After an examination ended, its recording remained available not only to the examined students but also to other users with access to the system. Moreover, anyone in possession of the direct link, including third parties outside the university, could access the examination recordings and the students' personal data shown during identification.
Because the information indicated a potentially high risk to the rights and freedoms of the persons who took the examination, the UODO asked the controller to explain the situation. In its reply, the controller argued that it was not obliged to notify the Office of the breach because, in its assessment, the risk to the rights or freedoms of the persons affected was low. It added that the system had since been modified so that files containing examination recordings could no longer be shared by mistake. The controller also stated that it had identified the persons who had downloaded the examination file and had informed them of their responsibility for any use of these data.
However, the university still did not notify the breach to the Office and did not inform the persons affected, even after a further letter from the UODO explaining when a breach must be notified to the supervisory authority and when the affected persons must also be informed. Administrative proceedings were therefore instituted. In their course it was established that the breach occurred because, after an examination on the e-learning platform had finished, an employee did not close access to the virtual room in which the test had been held. As a result, the examination recordings could be downloaded. Since students had been identified before the examination on the basis of their identity cards or student IDs, a range of their personal data was captured in the recordings. The scope of data differed between individuals depending on the type of document shown, but in some cases it included the person's image, PESEL number (the national identification number, which also encodes date of birth and sex), identity document number or student record-book (album) number, name and surname, and address of residence. The breach also allowed unauthorized persons to view other data, such as year of study, group, field of study, the subject being examined, and the answers given during the examination.
The Office found that a personal data breach had occurred and that the controller had failed to comply with its obligations to notify both the supervisory authority and the persons affected. These obligations arise when the breach is likely to result in a high risk to the rights or freedoms of the persons affected (for example, the risk that a third party uses the data to incur obligations in the affected person's name). The controller had therefore assessed the risk incorrectly.
In its decision, the UODO also pointed out that it is irrelevant that, as the controller claims, the file with the examination recording was downloaded by only 26 persons: there is no certainty that it will not be passed on to further unauthorized persons.
In the Office's opinion, responsibility for these data lies with the controller, not with the persons who downloaded the file after the examination had ended. The breach, and the resulting high risk to students' rights and freedoms, was caused by the controller's negligence.
The supervisory authority welcomed the changes implemented on the e-learning platform, which prevent students from downloading examination files and should help avoid similar situations in the future. Remediation after the fact does not, however, replace the obligation to notify a breach that has already occurred.
When setting the fine for failing to notify the supervisory authority and to inform the persons concerned, the President of the Office took into account, among other things: the duration of the infringement (several months passed between the breach and the issuing of the decision); the intentional nature of the controller's conduct, since it decided not to notify the breach and not to inform the students; and the controller's unsatisfactory cooperation with the authority (it did not notify the breach despite the letters sent and the proceedings initiated).
The fine serves not only a punitive but also a preventive function: it shows that the obligations arising from a personal data breach cannot be neglected, especially since a careless approach to the obligations imposed by the GDPR may have adverse consequences for the persons affected.
The full decision in Polish is available at: https://uodo.gov.pl/decyzje/DKN.5131.6.2020.