30.06.2025

Protection of individuals’ personal data should be the basis for risk analysis

The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed a fine of PLN 66 500 on the L. Zamenhof University Children’s Clinical Hospital in Białystok (the Hospital) for failing to implement appropriate technical and organisational measures.

Case circumstances

The decision was issued in connection with a security incident in which the security features of the Hospital’s IT infrastructure were broken and its systems were infected with ransomware. As a result of the attack, access to the IT systems was blocked, resulting in a breach of the confidentiality and availability of the personal data of about 2000 employees, including the possibility of unauthorised access. The systems responsible for processing patients’ personal data, on the other hand, were not taken over.

Lack of reliable risk analysis

Under Regulation 2016/679 (GDPR), the controller’s obligations are defined on the basis of a risk criterion. The design of the processing mechanisms should take place in a two-step process. First, the controller must analyse the risks to the rights and freedoms of natural persons arising from the processing of their personal data. The next step is to determine which technical and organisational measures will be appropriate to ensure compliance with the provisions of Regulation 2016/679, including a level of security corresponding to those risks.

However, in the circumstances of the present case, the risk analysis was not carried out correctly.

Firstly, the analysis was carried out on the basis of a flawed procedure, whereby the assessment of possible risks was made from the perspective of the Hospital as an organisation, and not from the perspective of the protection of data subjects.

Secondly, the Hospital did not indicate which processing operations it analysed, nor did it link those operations to the identified risks, vulnerabilities and the final risk assessment. In order to ensure an adequate level of protection, it is not sufficient to give a very general indication of the potential risks and the likelihood of their occurrence; it is necessary to link them to the nature, scope, context and purpose of the processing of personal data within the organisation concerned.

Thirdly, the description of the proposed risk management measures also shows that the risk analysis carried out by the Hospital was unreliable. The supervisory authority considered that the documents adopted by the Hospital to demonstrate that the risk analysis had been carried out were inconsistent and ambiguous, and did not contain specific organisational and technical solutions correlated, as already indicated above, with adequately specific risks.

Cybersecurity is not the same as protection of personal data

When explaining what technical measures it used to secure its IT systems, the controller referred to an audit carried out for compliance with the Act on the National Cybersecurity System. However, that act focuses primarily on ensuring a safe and unhindered system for the provision of services and not, as is the case with Regulation 2016/679, on the protection of the rights and freedoms of natural persons.

It is also important that the Hospital had not put in place an appropriate procedure for performing and documenting recovery tests, nor adequate safeguards for backup copies, which may have contributed to the fact that, following the incident, the Hospital could not fully recover the data lost as a result of it.

Regular testing and documentation

The lack of regular testing, measurement and evaluation of the effectiveness of the technical and organisational personal data security measures is another non-compliance with data protection rules found by the supervisory authority. In any event, the controller was not able to produce any documentation of such security reviews having been conducted, which is not only contrary to the accountability principle referred to in Article 5(2) of Regulation 2016/679, but also precludes transparency regarding the remedial actions taken.

Decision in Polish: DKN.5131.48.2022