A registered charity in Ireland, that focuses on domestic violence, including the management and delivery of the Choices Programme (a group work intervention programme for participants to discuss with a facilitator their behaviour and attitudes in relation to domestic violence), has been fined €1,500 by the DPC . The fine has been issued as a result of the loss of SD Cards potentially containing recordings of group sessions related to the programme. The recordings potentially contain the personal data of between 80 to 120-male participants, including the disclosure of their behaviour, feelings, and attitudes towards current or former partners, family members and friends, some of whom who may have been named during the course of the sessions. This article aims to provide some relevant and practical aspects to consider when dealing with DPC inquiries and investigations.
The Irish charity became aware that a number of SD Cards were unaccounted for on 16 December 2019, and proceeded to conduct an internal audit to locate all SD Cards across the organisation. The result of the audit determined that 18 out of a total of 44 SD cards were missing. On 03 February 2020, the Irish charity notified the DPC of the personal data breach.
The inquiry and the views of the DPC
In August of 2020, the DPC notified the organisation that it had commenced an Inquiry regarding the breach. The scope of the inquiry was focused on the steps taken by the Charity to comply with the principle of integrity and confidentiality (Art. 5(1)(f) of the GDPR) and the technical and organisational measures taken to ensure security of processing (Art. 32(1) of the GDPR). During the course of the investigation, the charity provided the policies and procedures in place at the time of the breach, including but not limited to, those in relation to data protection governance (i.e., Retention and Destruction Policy, Record Keeping, and GDPR-training and awareness). The DPC also sought the standard operating procedure guidelines followed by the facilitators around the use and management of the SD Cards. These revealed that each facilitator had responsibility for handling their own recordings of group sessions, uploading these recordings to One Drive, and erasing the recordings from each SD Card following each upload.
The DPC determined that the personal data concerned in this breach was at the higher end of the scale of sensitivity. The data involved in the breach potentially included special categories of personal data (Art.9 of the GDPR), including, data concerning sex life and data relating to criminal convictions and offences relating to some of the participants (Art. 10 of the GDPR). The DPC further determined that, the charity failed in assessing the risks related to the use the SD Cards for temporary storage. Another outcome was the lack of oversight of the technical and organisational measures, such as processes and procedures and training and awareness within the organisation. The duration of the infringements was assessed as commencing on 25 May 2018 (since the GDPR came into effect) and lasting until the date the personal data breach occurred (16 December 2019).
In light of the above, it is recommended that organisations ensure they:
- adopt an appropriate level of security by developing a consistent process to assess and mitigate the risks presented to the rights and freedoms of natural persons in their processing activities;
- implement effective technical and organisational measures, which should be coordinated with the outcomes of the risk assessment to include Policies, Procedures, Training and Awareness and Oversight
- continuously test, assess, and evaluate the activities (which applies to both technical and organisational measures) as this is a key point of the program.
Trilateral’s Data Governance and Cyber Risk Team has extensive experience supporting organisations undertaking complex projects to comply with their data protection obligations. We offer a range of data governance services, including compliance support and updates regarding opinions published by the Data Protection Supervisory Authorities. Please feel free to contact our advisors, who would be more than happy to help.