Risk analysis is necessary – reprimands for the President and Director of the Court
At the District Court Lublin-West, no risk analysis of data processing had been carried out for a long time, and when it was finally conducted, it was done improperly. For a long period, no data protection policy compliant with the provisions of the General Data Protection Regulation was implemented, due to the lack of regular testing, assessing, and evaluating of measures intended to ensure the security of processing. The irregularities were revealed in connection with a personal data breach that occurred during the exercise of the right of access to public information, when the court disclosed excessive personal data by sending the applicant a spreadsheet file.
The President of the Personal Data Protection Office Mirosław Wróblewski issued reprimands to the President and the Director of the Court and ordered them to implement appropriate technical and organisational measures to minimise the risks associated with the processing of personal data.
The President of the Court and the Director of the Court notified the President of the Personal Data Protection Office of a personal data breach that occurred in connection with the processing of a request for access to public information. The request concerned the disclosure of data of judges together with data of the doctors and psychologists who authorised the judges to perform their profession. The court provided the public information by sending the applicant a spreadsheet file containing personal data exceeding the scope of the request, as the file included additional sheets with data of a broader scope. The excessive disclosure of data, and thus the breach of their protection, consisted of sending information on: the designation of the division in which each judge works, PESEL numbers (personal identification numbers), residential or stay addresses of judges, as well as their dates of birth and dates of appointment.
The notification of the personal data breach prompted the President of the Personal Data Protection Office to examine how the court complies with data protection regulations. For this purpose, an inspection was carried out at the court on the instruction of the President of the Personal Data Protection Office, M. Wróblewski, as a result of which administrative proceedings were initiated due to the irregularities identified during the inspection regarding compliance with the provisions of the General Data Protection Regulation. During the inspection and the proceedings, the President of the Personal Data Protection Office established that the court had not conducted regular testing, assessing, and evaluating of security measures for processing. As a result, the court had long lacked a data protection policy compliant with current legal requirements, i.e. the provisions of the General Data Protection Regulation, including procedures for responding to requests for access to public information and for anonymising such information. Although the court had implemented a policy concerning accounting and human resources, it did not cover the principles of personal data protection in relation to the overall activities of the court, including the provision of public information. A data protection policy compliant with current legal requirements was implemented only shortly before the President of the Personal Data Protection Office issued the final decision.
During the inspection by the President of the Personal Data Protection Office, and subsequently during the administrative proceedings, it also emerged that the court had long failed to conduct a risk analysis related to data processing, and when such an analysis was eventually carried out, it did not meet the requirements of the General Data Protection Regulation (GDPR).
In this situation, the President of the Personal Data Protection Office ordered, in the decision, that the President and the Director of the Court bring the processing operations into compliance with the General Data Protection Regulation by regularly testing, assessing, and evaluating the measures ensuring the security of processing, as well as by properly conducting a risk analysis for data processing in the court.
The President of the Personal Data Protection Office also found in the decision that, in view of the efforts made by the President and the Director of the Court in implementing the data protection policy, as well as the actions taken to conduct the risk analysis, issuing reprimands to the President and the Director of the Court constitutes a sufficient sanction.