Ireland: DPC fines Teaching Council €60,000 following a data breach
The Data Protection Commission ('DPC') announced on LinkedIn, on 12 January 2022, its decision in Decision No. IN-20-4-1, issued on 2 December 2021, in which it imposed a fine of €60,000 on the Teaching Council for violations of Articles 5(1), 32(1), and 33(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach.
Background to the case
In particular, the DPC noted that the inquiry had commenced on 9 March 2020, when the Council notified the DPC of a personal data breach. Moreover, the DPC highlighted that the personal data breach occurred when a phishing email was accessed by two staff members of the Council, allowing for the creation of an auto-forward rule from their email accounts to a malicious email account. As a result, the DPC confirmed that, between 17 February 2020 and 6 March 2020 when the auto-forward rule was discovered, 323 emails were forwarded to the unauthorised external email address. In addition, the DPC detailed that the emails contained the personal data of 9,735 data subjects and the sensitive personal data (i.e. details of the criminal conviction) of one data subject.
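The breach pattern described above (a phishing-enabled auto-forward rule that silently copies mail to an outside address) is one that a routine mailbox rule audit catches. The following is an added example, not material from the DPC decision or the Council's systems: it flags forwarding rules whose target lies outside the organisation's assumed domain and computes how long each was active before discovery. The rule records and domains are constructed; only the dates mirror the article's timeline.

```python
from dataclasses import dataclass
from datetime import date

# Assumed organisation domain(s); anything else counts as external.
INTERNAL_DOMAINS = {"example.ie"}

# Rule actions that send a copy of incoming mail somewhere else.
FORWARDING_ACTIONS = {"forward", "forward_as_attachment", "redirect"}


@dataclass(frozen=True)
class InboxRule:
    mailbox: str   # owner of the rule
    name: str      # rule name as shown to the user
    action: str    # e.g. "forward", "redirect", "move"
    target: str    # recipient address for forwards, folder name otherwise
    created: date  # when the rule was created


def is_external_forward(rule: InboxRule, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the rule forwards or redirects mail to an address outside the organisation."""
    if rule.action not in FORWARDING_ACTIONS or "@" not in rule.target:
        return False
    domain = rule.target.rsplit("@", 1)[1].lower()
    return domain not in internal_domains


def audit(rules, discovered: date, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, target, days_active) for every external forwarding rule."""
    return [
        (r.mailbox, r.target, (discovered - r.created).days)
        for r in rules
        if is_external_forward(r, internal_domains)
    ]


# Constructed sample rule export; the 17 Feb / 6 Mar 2020 dates follow the article's timeline.
SAMPLE_RULES = [
    InboxRule("alice@example.ie", "Archive", "move", "Archive", date(2020, 1, 10)),
    InboxRule("alice@example.ie", "Backup", "forward", "collector@external.example", date(2020, 2, 17)),
    InboxRule("bob@example.ie", "Cover", "redirect", "assistant@example.ie", date(2020, 2, 20)),
    InboxRule("bob@example.ie", "Sync", "forward_as_attachment", "mail@external.example", date(2020, 2, 17)),
]
DISCOVERED = date(2020, 3, 6)

if __name__ == "__main__":
    for mailbox, target, days in audit(SAMPLE_RULES, DISCOVERED):
        print(f"{mailbox} forwards externally to {target}: active {days} days before discovery")
```

The "move" rule and the redirect to an internal colleague are left alone; only the two rules that copy mail out of the organisation are reported, each with an 18-day exposure window.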
Findings of the DPC
In addition, the DPC noted that the scope of the inquiry was to examine whether or not the Council had discharged its obligations in connection with the subject matter of the personal data breach, and to determine whether or not any provisions of the Data Protection Act 2018 and/or the GDPR had been contravened by the Council in that context.
Furthermore, the DPC found that the Council infringed Articles 5(1) and 32(1) of the GDPR for failing to process personal data held in manual or electronic form in a manner that ensured the appropriate security of the personal data using adequate technical and organisational measures. Moreover, the DPC also confirmed that the Council was in violation of Article 33 of the GDPR by failing to notify the DPC of the personal data breaches when it ought to have been aware of them.
In addition, the DPC imposed corrective measures on the Council to bring its processing operations into compliance with Articles 5(1)(f) and 32(1) of the GDPR, requiring the Council to implement adequate technical and organisational measures to ensure a level of security appropriate to the risk. In coming to this decision, the DPC noted that a significant number of data subjects were affected by the aforementioned personal data breach, and that unauthorised access was achieved by way of two successful phishing attempts. Further to this, the DPC issued a reprimand to the Council in respect of its infringements of Articles 5(1), 32(1), and 33(1) of the GDPR, and noted that this is appropriate, necessary, and proportionate in view of ensuring compliance in respect of the infringements, as the reprimand will formally recognise the serious nature of all of the infringements.
Further to its findings, the DPC found that an administrative fine is necessary to provide an effective, proportionate, and dissuasive response to the serious nature and gravity of the infringement, its negligent character, the sensitivity of the personal data, and the subject of the personal data breach. More specifically, the DPC confirmed that the Council's infringement of Articles 5(1), 32(1), and 33(1) of the GDPR posed a significant threat to the rights and freedoms of the data subjects affected.
Finally, the DPC imposed a fine of €40,000 for the infringements of Articles 5(1) and 32(1) of the GDPR, as well as a fine of €20,000 for the infringement of Article 33(1) of the GDPR. Therefore, the DPC imposed on the Council a cumulative fine of €60,000, together with imposing corrective measures on, and issuing a reprimand to, the Council.