16/01/'21 - Last week the news programme Nieuwsuur uncovered a personal data breach at a commercial test centre, which sparked considerable controversy. The organization tests private individuals and companies' employees for a fee. In doing so, it processes sensitive personal data, including but not limited to social security numbers, passport numbers, bank statements and health data such as test results and other medical data. Reporting showed that the test centre's client databases were insufficiently secured and that personal data was shared among staff of the organization in a WhatsApp group chat. The affected group is substantial: tens of thousands of people. In this blog we zoom in on the lessons to be learned from this case.
A few lessons can be drawn from this data breach. Because of its insufficient security, the test centre evidently made itself vulnerable to data breaches and cyberattacks. The organization also shared the personal data of the data subjects with too many employees and did not handle the sensitive personal data in accordance with the GDPR. In addition, it is questionable whether a messaging service like WhatsApp is an 'appropriate' means of communication for sharing such sensitive personal data. Finally, a clear data breach procedure appears to be absent. Below we address several of these issues.
According to the GDPR, organizations must secure the personal data they process in an 'appropriate' manner. Whether measures are appropriate depends, among other things, on the sensitivity of the personal data and the context in which it is processed. Appropriate security measures could include two-factor authentication (2FA) and limiting access to personal data to those who need it. Other examples are pseudonymization, anonymization or encryption of personal data.
In short, the more sensitive the data, the higher the required level of cybersecurity. Processing highly privacy-sensitive personal data, such as social security numbers and test results, requires strong security.
Authorization and data minimization
In response to the personal data breach, the corona test centre explained that every member of the WhatsApp group chat was an actual employee of the organization and was therefore authorized to access and share the data. However, not all 300 employees actually require access to all personal data of every individual tested at the centre. An alternative would be for employees to contact each other one-on-one via secured messaging, or to be authorized to access a specific file only while actively working on that file. One could also ask whether it is necessary to share all personal data among employees at all, or whether the same purpose could be achieved with less intrusive means (data minimization).
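The measures sketched above (pseudonymized references instead of raw identifiers, access to a file only while assigned to it, and returning no more fields than the task needs) can be combined in a small access layer. The following is an added illustration, not code from the test centre or from the original post; the records, the key, the employee names and the four-hour assignment window are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real persons), keyed by an internal case id.
RECORDS = {
    "case-1001": {"name": "A. Jansen", "bsn": "123456782", "result": "negative"},
    "case-1002": {"name": "B. de Vries", "bsn": "987654329", "result": "positive"},
}
PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: kept in a secret store in practice


def pseudonymize(case_id: str) -> str:
    """Keyed hash of the case id, so a reference can be shared without exposing the id."""
    return hmac.new(PSEUDONYM_KEY, case_id.encode(), hashlib.sha256).hexdigest()[:12]


class CaseAccess:
    """Releases a record to an employee only while assigned to it, and logs every attempt."""

    def __init__(self):
        self._assignments = {}  # (employee, case_id) -> expiry time of the assignment
        self.audit_log = []     # (time, employee, pseudonymized case id, allowed)

    def assign(self, employee, case_id, now, hours=4):
        self._assignments[(employee, case_id)] = now + timedelta(hours=hours)

    def read(self, employee, case_id, now, fields=("result",)):
        expiry = self._assignments.get((employee, case_id))
        allowed = expiry is not None and now < expiry
        self.audit_log.append((now.isoformat(), employee, pseudonymize(case_id), allowed))
        if not allowed:
            raise PermissionError(f"{employee} is not assigned to this case")
        # Data minimization: hand back only the requested fields, by default just the result.
        return {f: RECORDS[case_id][f] for f in fields}


def run_scenario():
    """Assign, read, deny and expire on the constructed records; returns the outcomes."""
    t0 = datetime(2021, 1, 16, 9, 0, tzinfo=timezone.utc)
    acl = CaseAccess()
    acl.assign("alice", "case-1001", t0, hours=4)
    out = {"alice_reads": acl.read("alice", "case-1001", t0)}
    for who, when, key in (("bob", t0, "bob_denied"), ("alice", t0 + timedelta(hours=5), "expired_denied")):
        try:
            acl.read(who, "case-1001", when)
            out[key] = False
        except PermissionError:
            out[key] = True
    out["audit_entries"] = len(acl.audit_log)
    return out
```

The audit log records the pseudonym rather than the case id, so the log itself does not become a second copy of the sensitive data.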
Data breach procedure
A breach of the confidentiality of personal data may constitute a personal data breach. Organizations must report a personal data breach to the data protection authority without undue delay, and at the latest within 72 hours of becoming aware of it, unless the breach poses no privacy risk to the affected data subjects. There is also an obligation to notify the affected data subjects themselves when the privacy risk is potentially high. In the present case a high privacy risk clearly exists, given the sensitivity of the personal data. In addition, organizations must record every personal data breach in an internal register and periodically evaluate previous breaches.