Denmark: Datatilsynet expresses serious criticism of the Region of Southern Denmark's failure to conduct a risk assessment of a new IT system, leading to unauthorised access to personal data
The Danish data protection authority ('Datatilsynet') issued, on 31 July 2020, its decision ('the Decision') expressing serious criticism of the Region of Southern Denmark for failing to conduct the necessary risk assessment and testing during the development of an IT system, which led to unauthorised access to pregnant women's names, social security numbers, and information regarding their pregnancy, in violation of Articles 32(1), 33(5), and 34(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Datatilsynet noted that the Region of Southern Denmark had itself reported the personal data breach, and that the Decision was issued on the basis of four findings: a lack of risk assessment of the processing, a lack of measures governing development and testing, a lack of timely documentation of the circumstances of the breach, and deficiencies in the notification to the data subjects.
In particular, the Datatilsynet highlighted that in the notification to the data subjects, the Region of Southern Denmark had only stated that names and social security numbers had been exposed, despite the fact that information on pregnancy could also be deduced from the exposed information and the context in which the information was included. Furthermore, the Datatilsynet noted that because the data controller must document data breaches, avoid similar breaches in the future, and possibly inform the affected data subjects, it is essential for GDPR compliance that the data controller has mechanisms that ensure knowledge of the incidents, and that it can recognise and document an understanding of the circumstances of the breach.