The President of the Office for Personal Data Protection (UODO) issued another decision imposing a financial penalty for infringement of the GDPR provisions - this time the penalty was imposed on the Warsaw School of Life Sciences (SGGW). The decision imposing the penalty is the result of an inspection carried out at the university after a personal data breach was notified. The notification concerned the stolen laptop of a university employee, on which the data of tens of thousands of candidates for studies, collected over a period of 5 years, were stored.
What kind of violations have been sanctioned?
During the audit, the following breaches of personal data protection were identified:
- the University did not properly assess the effectiveness of technical and organisational measures to ensure the security of the candidates' personal data being processed,
- the University did not take sufficient account of the accountability principle when using the system for the processing of candidates' personal data,
- the University did not include in the register of processing activities all the required information in relation to the processing of personal data in recruitment,
- the Data Protection Officer fulfilled his or her tasks without due consideration of the risks related to the processing operations.
SGGW collected the candidates' personal data by means of an IT system which enabled uncontrolled export of these data without any record of the export being kept. In the opinion of the President of UODO, the university for this reason did not meet the accountability principle, as it was unable to show who had access to the data and who downloaded it. The confidentiality of the data was also breached.
The possibility of retrieving personal data from the system without any event being recorded was also not included in the risk analysis for this processing. As a result, the level of risk was not properly established, and the technical and organisational measures taken by the university proved insufficient to ensure the security of the personal data processed.
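The gap described above is the absence of an audit trail for exports. The following is an added, constructed illustration (not SGGW's system or any code from the decision) of what the missing controls look like: every export is recorded with who did it, why, and which records left the system, and a retention check flags records kept beyond the 3-month period the page mentions. Candidate ids, dates and user names are invented.

```python
from collections import Counter
from datetime import date, timedelta

RETENTION_DAYS = 90  # the page states a retention period of 3 months; 90 days is an assumption
AS_OF = date(2019, 6, 10)  # constructed "today" used by the example run

# Constructed sample store: candidate id -> date the application data was collected
CANDIDATES = {
    1001: date(2019, 6, 1),
    1002: date(2019, 6, 3),
    1003: date(2015, 7, 10),  # kept far beyond the retention period
}

AUDIT_LOG = []  # every export appends one entry here


def overdue_candidates(store, today, retention_days=RETENTION_DAYS):
    """Return ids of records that should already have been erased."""
    cutoff = today - timedelta(days=retention_days)
    return sorted(cid for cid, collected in store.items() if collected < cutoff)


def export_candidates(store, audit_log, user, purpose, today, retention_days=RETENTION_DAYS):
    """Export only in-retention records and record who exported what, and why.

    The audit entry is what lets a controller answer 'who downloaded these data?';
    without it the export is uncontrolled in the sense described on the page.
    """
    cutoff = today - timedelta(days=retention_days)
    exported = sorted(cid for cid, collected in store.items() if collected >= cutoff)
    audit_log.append({
        "when": today.isoformat(),
        "user": user,
        "purpose": purpose,
        "count": len(exported),
        "ids": exported,
    })
    return exported


def exports_by_user(audit_log):
    """Summarise the audit trail: how many records each user has exported."""
    totals = Counter()
    for entry in audit_log:
        totals[entry["user"]] += entry["count"]
    return dict(totals)


if __name__ == "__main__":
    print("overdue:", overdue_candidates(CANDIDATES, AS_OF))
    print("exported:", export_candidates(CANDIDATES, AUDIT_LOG, "jkowalski", "recruitment", AS_OF))
    print("by user:", exports_by_user(AUDIT_LOG))
```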
Moreover, the President of UODO pointed out to SGGW that the Data Protection Officer was not involved in matters related to the functionality of the system. He also pointed out that the description of the process in the register of processing activities omitted information about the processor, namely the subcontractor supplying the IT system.
In the opinion of the President of UODO, the university did not implement appropriate mechanisms to monitor the processing of candidates' personal data and the risks related to this processing, since personal data were collected in this way for a period of 5 years (although the retention period the university had adopted for them was 3 months).
The President of UODO recalled that the human factor is one of the main sources of data processing risk. Although SGGW had implemented a policy on the use of mobile computers and had trained employees in the protection of personal data, an infringement occurred, which resulted in the imposition of a penalty. An employee of the university acted outside the scope of his authorisation and against the applicable data processing rules; however, SGGW, as the controller, did not detect this for many years, did not foresee it when analysing the processing risk, and did not apply appropriate measures to minimise it.
Amount of the administrative penalty
The financial penalty imposed on the university was PLN 50,000, i.e. half of the maximum financial penalty that can be imposed on public entities, pursuant to the Personal Data Protection Act.
The President of UODO pointed out that, when determining the amount of the penalty, he took into account the circumstances weighing against the controller, i.e. the duration and scope of the infringement (the data were collected for 5 years, covered a large group of people and a wide range of data contained in the recruitment documents) and the high degree of responsibility of the university for the infringement.
Mitigating circumstances were also taken into account, including the good cooperation between the inspected entity and the authority and a number of actions taken by the university to rectify the infringement.
The University may appeal the decision to the provincial administrative court.