Reprimand to healthcare provider on the encryption of personal data on devices
Recent sanctions for data protection violations in Finland, an update offered by Lexia – the exclusive law firm member of PrivacyRules for the Finnish jurisdiction. Summary from Markus Myhrberg and Erika Leinonen.
The Finnish Deputy Data Protection Ombudsman has issued a decision in a case where a healthcare provider’s laptop, external hard drives and some paper documents had ended up in the hands of a third party in connection with the theft of a computer bag. The number of persons affected by the data security breach was estimated by the controller to be 3000 data subjects.
In the decision, the Deputy Data Protection Ombudsman assessed whether the controller had ensured an adequate level of protection of the personal data and whether the controller had acted in accordance with Article 32 of the GDPR (security of processing).
With regard to the paper documents, the decision states that paper documents should be handled in such a way that they are not accessible to outsiders and should not, for example, be taken outdoors without proper protection and surveillance. Health data should have been particularly well protected.
The computer was password-protected. The Deputy Data Protection Ombudsman found that password-protection alone was an inadequate means of protecting personal data stored on the computer, as physical access to the device may enable several ways to gain access to unencrypted data, even if the login password is strong.
Data on external hard drives is more easily accessible to a third party than on a computer, so it is important, especially when it comes to high-risk personal data, to ensure that the data is encrypted, for example by encrypting the entire hard drive. In this case, the external hard drives were not encrypted at all.
The Deputy Data Protection Ombudsman found that the controller had acted in violation of Article 32 of the GDPR and issued a reprimand to the data controller.
Further information: The decision of the Finnish Deputy Data Protection Ombudsman and The Office of the Finnish Data Protection Ombudsman
Additional decisions by the Finnish authority: