Risk assessment and compliance with procedures ensure the security of personal data
The President of the Personal Data Protection Office has imposed an administrative fine of more than PLN 23,000 on the Disciplinary Officer of the Bar Association for breaching the provisions of the GDPR by failing to implement appropriate technical and organisational measures to ensure the security of the processed personal data.
In addition, the President of the Polish supervisory authority ordered that the processing operations should be made compliant with the provisions of the GDPR within six months from the date of delivery of the decision.
The reason for conducting administrative proceedings and issuing the decision was the controller's notification of a personal data breach. The breach consisted in the addressee receiving damaged mail from which the data carrier, a pendrive attached to the cover letter, was missing. The device contained a recording of a divorce hearing with the personal data of several persons. Neither the file on the device nor the pendrive itself was encrypted.
It should be emphasised that the controller had internal regulations on security policy and the protection of personal data which provided for the protection of such data carriers, but which, as the proceedings showed, were not followed in practice.
Independent and correct assessment by the controller
The controller, being responsible, among other things, for ensuring the security of the personal data processed, is also obliged to use technical and organisational measures that correspond to the risk to the rights and freedoms of natural persons.
Appropriate implementation of these measures means that the controller first determines the level of risk involved in the processing of personal data and then determines what measures will be appropriate to ensure the security of the processed data. The controller itself carries out a detailed analysis of the processing it performs and a risk assessment, and then has to apply measures and procedures that are adequate to the assessed risk. The consequence of this approach is that the controller must select safeguards on its own, on the basis of the risk analysis.
According to the Polish supervisory authority, the protection of data stored on external data carriers must focus on protecting the data on the carrier against unauthorised access by third parties in the event that the carrier is lost or stolen. The controller, however, carried out a risk analysis and defined measures to mitigate the consequences of a breach only for the scenario of a carrier failing, not for its loss or theft. The risk assessment should therefore be considered to have been carried out with incorrect inputs.
Procedures versus practice
In this case, it should also be noted that the staff of the Office of the Disciplinary Officer took steps to secure the data carrier, but these were not in accordance with the internal regulations adopted. The controller's own procedure requires that external data carriers containing personal data be encrypted before they are sent.
In addition, the procedure provides for the use of special envelopes intended to increase the security of the mail. In this case, the envelope was replaced by a plastic sleeve closed tightly with staples, which was then attached to the cover letter and placed in an ordinary envelope. The effectiveness of the procedures put in place is therefore questionable, since the office staff failed to apply them when sending the external carrier, which led to the personal data breach.
The adoption of internal regulations on personal data protection principles, or the application of technical and organisational measures, does not release the controller from verifying whether the adopted security measures are effective and whether they reduce or eliminate the risk related to the processing of personal data. The Polish supervisory authority has repeatedly pointed out that implementing appropriate technical and organisational measures is not a one-off activity but an ongoing process. As part of this verification, the controller reviews the adopted safeguards. In the present case, the verification of the procedures in practice was not effective, contrary to the controller's claims, since the staff of the Office did not comply with the internal regulations when sending the external data carrier that went missing, which ultimately led to the breach.
Full text of the decision (in Polish)