Integritetsskyddsmyndigheten (IMY), the Swedish Authority for Privacy Protection, has fined the Swedish Equality Ombudsman (Diskrimineringsombudsmannen) SKr 100,000 ($10,396) for failing to keep personal data secure.
The Equality Ombudsman self-reported the incident to IMY in 2021. It concerned data collected through a web form, hosted on the agency's website, for submitting tips and complaints about discrimination.
IMY’s investigation found that the Equality Ombudsman did have measures in place to protect personal data submitted through the form, but that these were not adequate and did not work fully. As a result of the faults, some of the data was inadvertently disclosed to a data processor that conducts analysis for the Equality Ombudsman.
The breach happened between September 1, 2020, and September 17, 2021, and affected approximately 500 tips and complaints.
Form included sensitive information
The web form had mandatory fields in which individuals had to select certain options, which were of a sensitive nature. The mandatory options included:
- ethnicity;
- disability;
- gender identity and expression;
- religion or other belief; and
- sexual orientation.
Those using the form also needed to mark the pre-selected options on whether the issue in question concerned harassment, sexual harassment, or retaliation.
The Equality Ombudsman first became aware of the issue after an individual pointed out that there could be a security problem with the form. The agency shut it down immediately, and an investigation found that the problem was not with the form itself, but with a security setting that did not mask text as intended.
“The incident lasted for a year and shows the importance of having continuous and systematic security work in order to be able to catch inadequate security measures earlier,” said Petter Flink, IT and information security specialist at IMY.
In a statement, the agency said neither the personal data processor nor anyone else actually accessed the personal data that was transferred. The Equality Ombudsman also made sure that the processor ceased processing the personal data.
GDPR violations
Even though IMY called the failures “an accidental transfer of personal data”, it still found that the Equality Ombudsman violated EU GDPR Article 32(1) by not having implemented appropriate technical and organizational measures to ensure a suitable level of security for personal data when using the online form for tips and complaints about discrimination.
“The breach occurred because [the Equality Ombudsman] processed personal data for over a year with an insufficient level of security. The insufficient level of security led to the unauthorized disclosure of personal data that could be sensitive or subject to confidentiality. During this time, [the Equality Ombudsman] lacked the ability to detect the ongoing disclosure of the personal data,” IMY concluded.