University failed to sufficiently protect sensitive personal data

Dec 10, 2020

Source: European Data Protection Board

Umeå University has processed special categories of personal data concerning sexual life and health through, amongst other, storage in a cloud service, without sufficiently protecting the data. The Swedish Data Protection Authority is therefore issuing a fine of SEK 550,000 against the university.

The Swedish Data Protection Authority has now completed an audit of Umeå University, concluding that the University has violated the General Data Protection Regulation by processing special categories of personal data without applying appropriate technical and organisational measures to protect the data.

A research group at the University had requested from the police preliminary investigation reports concerning cases of male rape and, upon receiving such reports, proceeded to scanning and storing them digitally. The reports contained information on, among other things, suspicion of crime, name, personal identity number and contact details, as well as sensitive data about sexual life and health.

The Swedish Data Protection Authority’s investigation shows that the research group stored over a hundred scanned preliminary investigation reports in an American cloud service, despite the University having informed via its intranet that special categories of data should not be stored in the cloud service in question.

— The cloud service and the way the university uses it does not provide sufficient protection for this type of personal data, says Linda Hamidi, who led the Swedish Data Protection Authority’s audit.

When the research group sent an e-mail to the police requesting further information, one of the scanned reports was attached as a reference, a practice that the research group later repeated despite the fact that the police pointed out the inappropriateness in sending sensitive material in unencrypted e-mails.

— These events show that the University has not taken necessary measures to ensure a level of security appropriate in relation to the risk.

The Swedish Data Protection Authority also criticises the University for failing to report the incident as a personal data breach. Since 25 May 2018, organisations are obliged to report personal data breaches to the Swedish Data Protection Authority.

— The controller is obliged to notify the DPA of data breaches and furthermore to present to us what has been done to mitigate the effects of the incident and to prevent similar incidents from happening in the future.

The overall assessment of concluded infringements led to the Swedish Data Protection Authority issuing an administrative fine of SEK 550,000 against the University.

To read the original press release in Swedish, click here

For further information, please contact the Swedish SA:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news