If you were attending a centre to take a test for COVID-19, how would you expect the responsible organisation to handle your personal data? How about via WhatsApp group conversations on personal mobiles accessible to its former employees? In this article, we consider how a lack of robust identity access management controls may result in breaches of the General Data Protection Regulation (GDPR).
The Medicals Nordic case
On 24 January 2021, the Danish newspaper B.T. reported that Charlottenlund Medical Hospital Medicals Nordic (Medicals Nordic) was instructing employees to use WhatsApp on personal mobiles for the transmission of personal data about individuals testing positive for COVID-19, including health data and social security numbers. B.T. estimated that between December 2020 and the time of publication, one WhatsApp group of 182 members shared 541 pictures of personal data relating to multiple individuals tested in just one centre.
On 25 January 2021, the Danish data protection authority, Datatilsynet, issued a statement that it would investigate the concerns raised by B.T. Medicals Nordic also announced that upon becoming aware that its use of WhatsApp may not comply with the GDPR, it had stopped using WhatsApp with immediate effect and instructed its employees to delete all data about individuals with positive results. Medicals Nordic further asserted that its employees were already subject to confidentiality clauses and instruction as to ongoing deletion of data in WhatsApp, that the transmission of data in WhatsApp was from its test centres to its administrative function and that WhatsApp is an end-to-end encrypted solution.
Datatilsynet ultimately found that Medicals Nordic had created a WhatsApp group for each of the four test centres that it operated. It also concluded that Medicals Nordic had not complied with the requirement to implement appropriate organisational and technical security measures under Articles 5(1)(f) and 32 of the GDPR, on the basis that Medicals Nordic:
- did not carry out appropriate risk assessments;
- permitted current employees who did not in fact need access to the relevant personal data to fulfil their job roles to have such access through their membership of the WhatsApp groups;
- did not remove former employees from the WhatsApp groups, so that those former employees could, if they so wished, continue to access the personal data transmitted within those groups; and
- intentionally contravened the GDPR in several instances.
On 9 July 2021, Datatilsynet set a fine of DKK 600,000 (approximately €80,640) and announced that it had also reported Medicals Nordic to the Danish Police Authority.
Recommendations
In light of the above, organisations should ensure that they:
- consider conducting a data protection impact assessment (DPIA) in respect of systems for processing personal data;
- implement role-based access so that each of their employees has the minimum access to personal data that they strictly require in order to carry out their respective job roles; and
- enforce a clear starters, movers and leavers process to promptly grant, modify and/or revoke access privileges as appropriate, for example via a monthly list of confirmed leavers from HR to IT.
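The second and third recommendations amount to a periodic access review: compare who is actually a member of a channel carrying personal data against the HR roster and a role-to-entitlement mapping, and flag leavers and staff whose role does not require the data. The following is an added illustration, not code from the article or from Trilateral; the roster, roles and group membership are constructed sample values.

```python
# Constructed HR roster (not from the article): username -> job role and employment status.
HR_ROSTER = {
    "anna": {"role": "test_centre_clinician", "status": "active"},
    "bo": {"role": "results_administrator", "status": "active"},
    "carl": {"role": "receptionist", "status": "active"},
    "dorte": {"role": "test_centre_clinician", "status": "left"},
}

# Least privilege: only these roles need to see positive-result data.
ROLES_NEEDING_RESULT_DATA = {"test_centre_clinician", "results_administrator"}

# Constructed membership of one messaging group used to pass results to administration.
GROUP_MEMBERS = {"anna", "bo", "carl", "dorte", "unknown_number"}


def review_group_access(members, roster, entitled_roles):
    """Return (member, finding) pairs for every member whose access is not justified.

    A member is flagged if they are absent from the HR roster, are no longer an
    active employee (leaver not removed), or hold a role that does not need the data.
    """
    findings = []
    for member in sorted(members):
        record = roster.get(member)
        if record is None:
            findings.append((member, "not_in_hr_roster"))
        elif record["status"] != "active":
            findings.append((member, "former_employee_still_member"))
        elif record["role"] not in entitled_roles:
            findings.append((member, "role_does_not_require_access"))
    return findings


def revocation_list(members, roster, entitled_roles):
    """The set of members that the leavers/least-privilege process should remove."""
    return {member for member, _ in review_group_access(members, roster, entitled_roles)}


if __name__ == "__main__":
    for member, finding in review_group_access(GROUP_MEMBERS, HR_ROSTER, ROLES_NEEDING_RESULT_DATA):
        print(f"{member}: {finding}")
```

Running the same review against every group or system holding the data, on each HR leaver list, turns the monthly process in the third recommendation into an auditable check rather than a manual reminder.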
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in conducting DPIAs, and implementing appropriate security measures in respect of personal data such as robust identity access management. For more information please feel free to contact our advisers, who would be more than happy to help.