2,400 local authority workers in a Danish municipality had access to documents containing personal data in 400,000 cases

The Danish Data Protection Agency (DPA) has expressed serious criticism in a case where the Danish Municipality of Kolding, since 2012, has been processing documents containing personal data in about 400,000 cases without taking appropriate technical and organisational measures. The municipality has been using an electronic system for document handling (ESDH) for a number of years. In connection with an upgrade of the system, the municipality’s supplier changed the rights management to the underlying file structure without the municipality being informed of such change. The documents, which under normal conditions could only be accessed through the ESDH system, were made available to 2,400 of the municipality’s employees if the document file was accessed directly. This direct access to the documents was not logged.

The Municipality of Kolding had had annual audits performed of a number of the IT systems they were using. From the audit reports it appeared that the municipality’s overall management of IT security in the accounting area was satisfactory. The audits did not include a general review of the technical and organisational security measures nor of the procedures for such. The audits carried out in the period 2016-2018 had generally not considered personal data protection nor errors in the configuration of access rights, and no other control measures for such were made. In view of this and considering the specific lack of security on the document drive and access to documents bypassing any logging, no appropriate technical and organisational measures had been taken. It may have been a mitigating circumstance that the Municipality of Kolding in future, among other things, will perform scans for open drives on the network as part of their GDPR annual wheel.

Read the decision here (in Danish).