04.11.2024

Lack of appropriate technical and organisational measures may cause problems

The President of the Personal Data Protection Office has imposed fines of PLN 15,000 and PLN 20,000 on two municipal institutions in Kutno for, among other things, failure to implement appropriate technical and organisational measures, which resulted in a personal data breach: an unencrypted pendrive containing the personal data of approximately 1,500 people was lost. The company servicing these institutions in connection with the change of their HR and payroll programme also received a fine of more than PLN 24,000.

All three institutions had procedures for safeguarding data, but in the course of the work to transfer the data to the new HR and payroll system of the Municipal Social Welfare Centre (MOPS) and the Municipal Sports and Recreation Centre (MOSiR), the data was not effectively safeguarded. No risk analysis for personal data was carried out for the procedure of changing the HR and payroll system at MOSiR and MOPS either.

An MOPS employee who also worked for MOSiR shared the data with an employee of the company carrying out the data transfer. The data was copied onto a pendrive, which, however, was not encrypted. The company employee then copied some of the data onto the company laptop. After this operation, the pendrive was not wiped, as the company's own procedure required.

An employee of the company travelled to another city and lost the pendrive there. The person who found it first placed a notice in the local media and, when this yielded no results, opened the carrier. Based on the names of the folders, the finder guessed that it contained information concerning MOPS and MOSiR in Kutno and contacted them.

It was only then that these institutions realised that the pendrive containing personal data had been lost. They notified the breach to the President of the Personal Data Protection Office. The pendrive contained the data of approximately 1,000 former and current employees and collaborators of MOSiR, and the data of 549 employees, pensioners, former employees, contractors and participants in MOPS intervention works.

The scope of the data held by the two institutions differed, but in total the carrier held data such as first names, surnames, parents' first names, dates of birth, bank account numbers, residence or domicile addresses, PESEL identification numbers, e-mail addresses, data on earnings and/or possessions, mothers' maiden names, ID card series and numbers, telephone numbers, data on holidays and sick leave, data on completed schools, employment history, and children's names and dates of birth.

The President of the Personal Data Protection Office investigated the case and found that if a risk analysis had been carried out for the process of replacing the HR and payroll system, the personal data breach would not have occurred. In its absence, no one controlled the process and no one checked whether the procedures of the company carrying out the change of the HR and payroll system were adequate.

The obligations of those involved in the processing of personal data should not end with a two-step process, i.e.

  1. carrying out a risk analysis, and
  2. implementing appropriate technical and organisational measures to ensure the security of the personal data processed.

MOPS, MOSiR and the company changing the HR and payroll system should all have verified that the personal data was shared in a way that took into account the risk of losing its carrier, and that it was adequately protected against unauthorised access (e.g. by requiring a password to open every file or folder containing personal data). Had this been done, the personal data breach could have been prevented.

DKN.5131.35.2021