The Danish DPA issues severe criticism over incomplete risk assessment

The Danish DPA has severely criticised the Danish National Agency for IT and Learning for failing to implement measures appropriate to identify the level of risk of an IT program (“Den Digitale Prøvevagt”) designed to prevent cheating during exams.

In March 2019, a final test run of the IT program was carried out, in which 8,000 pupils chose to install and test the program. In that connection, personal data relating to these pupils were processed.

The DPA assessed that, during the test run, the Agency had not implemented measures appropriate to the subsequently identified level of risk.

Among other things, the DPA stated that if production data are used during development, the risk to data subjects’ rights must be assessed, and appropriate security must be established on the basis of that assessment before any processing begins. If the risk is considered to be high, an analysis of consequences must be made before the processing of personal data begins.

Meanwhile, the Agency put the development of the IT program on hold and decided, on the basis of the risk assessment, that a new, separate risk assessment and analysis of consequences should be carried out before the IT program is put into operation. Therefore, the DPA had no basis for deciding on the processing of personal data in the event of future use of the program.