Over the past few weeks, the issue of ‘data breaches’ was a hot topic in Dutch newspapers and other media, with the problems at communal health services, the so-called GGD scandal, taking centre stage in The Netherlands. Meanwhile, the European Data Protection Board has issued a new set of (draft) guidelines for consultation. So, let’s talk about this concept of data breaches for a bit. What exactly is a data breach and what does the GDPR have to say on the subject?
According to the GDPR, a data breach involves the destruction, loss, alteration of or unauthorised access to personal data as a result of a breach of security which, in turn, may be caused by systems being hacked or by the loss or theft of data carriers such as memory sticks. In the case of the Dutch GGD scandal mentioned above, personal data from corona test result databases were offered for sale on the internet, a clear instance of what is known as illegal data trading.
The vast majority of data breaches, however, are the result of everyday mistakes. Someone sends an email to the wrong address, or a sales rep leaves his laptop in the office of a customer. In the high-profile case of the Haga Hospital in the Dutch city of The Hague, to name another recent example, a (former) employee used a printed page of patient names and medical records as the paper for his grocery list, which he later left in a shopping cart at the supermarket.
Data breaches can happen in any organisation. The mere occurrence of a data breach, in other words, does not necessarily imply a verdict of unreliability for the organisation in question. Under the GDPR, however, organisations are very explicitly required to take appropriate measures for the prevention of data breaches, which the Haga Hospital had failed to do, as the DPA established after an investigation into the background and circumstances of the case. For instance, dozens of employees who should never have been able to do so had encountered no problem whatsoever in accessing the medical record of local reality TV star ‘Barbie’. The hospital, in the DPA’s assessment, had shown serious negligence in protecting its medical information by failing to regularly check who was accessing which files and by not having implemented appropriate technical security mechanisms, such as two-factor authentication. All that was needed for employees to log into the hospital’s databases was a username and password; no scanning of unique personnel passes was involved in the process. In the end, the hospital was fined the significant amount of 460,000 euros.
In the case of the communal health services as well, security – or rather, the lack thereof – was at the root of the problem. It was far too easy for employees, many temporary workers among them, to access personal data in the corona systems, as such access was not governed by any restriction of professional necessity. It is not necessary, for example, for persons working in one regional branch of the service to be able to access systems used in another part of the country, as it appeared they could freely do. To make matters worse, access to data was hardly being monitored. Meanwhile, the Dutch DPA is demanding clarification.
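Both cases above come down to the same two controls: an access check that enforces professional necessity (right role, right region, an actual treatment relationship with the patient), and a regular review of who accessed which records. The following is an added example, not code from the post or from either organisation, showing how such a check and review can be implemented over an access log. The staff directory, patient registry, log lines and the bulk-access threshold are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed (hypothetical) staff directory: region, role and assigned caseload.
STAFF = {
    "anna":  {"region": "north", "role": "nurse",       "caseload": {"P1", "P2"}},
    "bram":  {"region": "south", "role": "doctor",      "caseload": {"P3"}},
    "temp1": {"region": "north", "role": "call-centre", "caseload": set()},
}
# Constructed patient registry: patient id -> region that holds the record.
PATIENTS = {"P1": "north", "P2": "north", "P3": "south", "P4": "south"}
# Roles with a legitimate clinical need to open a medical record (assumption).
CLINICAL_ROLES = {"nurse", "doctor"}

# Constructed access log: "timestamp user patient_id action", one entry per line.
LOG = """\
2021-01-20T09:01:00 anna P1 read
2021-01-20T09:02:00 anna P3 read
2021-01-20T09:03:00 temp1 P1 read
2021-01-20T09:03:10 temp1 P2 read
2021-01-20T09:03:20 temp1 P4 read
2021-01-20T09:05:00 bram P3 read
"""


@dataclass(frozen=True)
class Finding:
    user: str
    patient: str   # "*" for findings that concern a user's overall behaviour
    reason: str


def parse_log(text):
    """Parse the whitespace-separated log format used above into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        entries.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return entries


def authorised(user, patient):
    """Professional-necessity check, usable at request time to deny access.

    Returns (True, "") when the user may open the record, otherwise
    (False, reason). Checks are ordered from the broadest to the most specific.
    """
    staff = STAFF.get(user)
    if staff is None:
        return False, "unknown user"
    if staff["role"] not in CLINICAL_ROLES:
        return False, "non-clinical role"
    if PATIENTS.get(patient) != staff["region"]:
        return False, "cross-region access"
    if patient not in staff["caseload"]:
        return False, "no treatment relationship"
    return True, ""


def review(entries, bulk_threshold=3):
    """Periodic access review: re-check every logged access and flag bulk reads.

    bulk_threshold (constructed value) is the number of distinct records one
    user may open before the pattern is reported for follow-up.
    """
    findings = []
    distinct_per_user = defaultdict(set)
    for e in entries:
        ok, reason = authorised(e["user"], e["patient"])
        if not ok:
            findings.append(Finding(e["user"], e["patient"], reason))
        distinct_per_user[e["user"]].add(e["patient"])
    for user, patients in distinct_per_user.items():
        if len(patients) >= bulk_threshold:
            findings.append(Finding(user, "*", f"bulk access to {len(patients)} records"))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(LOG)):
        print(f"{f.user:6} {f.patient:3} {f.reason}")
```

Run stand-alone, the review reports the nurse's cross-region read, every record opened by the non-clinical temporary worker, and that worker's bulk access pattern; the two legitimate reads produce no finding. The same `authorised()` function serves both purposes: called before a record is returned, it enforces least privilege; called again over the log, it is the regular check the DPA found missing.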
Obligation to report
On January 19, 2021, the EDPB published, for consultation, a new set of (draft) guidelines on the obligation to report data breaches. Under the current rules, controllers are required to report a data breach within 72 hours of having become aware of its occurrence. In The Netherlands, organisations can report data breaches to the Meldloket datalekken Autoriteit Persoonsgegevens, the Reporting Counter of the Data Protection Authority. An exemption to this obligation to report applies if a particular data breach is not likely to result in risks to the rights and freedoms of the data subjects. The final guidelines, once agreement on their content has been reached, are intended to assist controllers in deciding how to handle data breaches and what factors to take into account in assessing the level of risk. In the case of the Dutch GGD data breach, with very large volumes of personal data being compromised, including contact details, citizen service numbers and the results of medical examinations, the risk of identity fraud was obviously high, which means that the obligation to report to the DPA clearly applies. In its preliminary guidelines, the EDPB gives no fewer than 18 practical examples. In view of the subject matter’s significance, we strongly advise interested parties to exercise their right to react to the draft guidelines, which will remain open to comment until March 2, 2021.