The Danish Data Protection Authority has assessed a rapid-test provider that did not implement adequate security measures when processing confidential information and health information in connection with COVID-19 tests.
The Danish Data Protection Authority has reported Charlottenlund Lægehus Medicals Nordic I/S (“Medicals Nordic”) to the police for having processed confidential information and health information about citizens in connection with COVID-19 tests without the company having established the necessary security for the processing. The Danish Data Protection Authority has recommended a fine of 600.000 DKK.
The Authority takes the matter seriously because it concerns sensitive information. Whoever is entrusted with processing information about citizens' health has a responsibility to protect it, and that responsibility was not met in this case.
In January 2021, the Danish Data Protection Authority became aware that Medicals Nordic had used the app WhatsApp to share confidential information and health information about citizens who were tested at the company's test centers.
On this basis, the Danish Data Protection Authority opened a case on its own initiative to clarify, among other things, whether Medicals Nordic had implemented adequate security measures for its processing of confidential information and health information about citizens.
In this regard, the Danish Data Protection Authority found that Medicals Nordic had not ensured adequate security measures in a number of respects.
Employees of Medicals Nordic used their private phones to share confidential information about citizens with the company's central administration via the WhatsApp app. For this purpose, Medicals Nordic had created a WhatsApp group for each test center operated by the company.
All employees who worked at a test center were invited to that test center's WhatsApp group. Every member of a WhatsApp group received all messages that the other employees shared in the group.
This means that employees who, in the Danish Data Protection Authority's assessment, had no work-related need to process the information that other employees were sharing with the central administration nevertheless received all of it, including, for example, citizens' social security numbers and health information.
Inadequate control of access to the groups also meant that employees who had left the company were not removed from the WhatsApp groups, so they retained access to the information shared in them.
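The two control failures described above, a broadcast group in which every invited employee receives every message and no removal of departed staff, can be contrasted with a need-to-know design in which a test report reaches only the people whose job requires it and group membership is reconciled against the staff directory. The Python below is an added illustration written for this page; it is not code from the Danish Data Protection Authority or from Medicals Nordic, and the staff directory, roles, group and names are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str               # "center_staff" or "central_admin" (constructed roles)
    center: Optional[str]   # test center the person works at; None for central admin
    active: bool            # False once the person has left the company


# Constructed sample staff directory; no real people or organisations.
STAFF: Dict[str, Employee] = {
    "anna":  Employee("anna",  "center_staff",  "center-north", True),
    "bo":    Employee("bo",    "center_staff",  "center-north", True),
    "carl":  Employee("carl",  "center_staff",  "center-north", False),  # has left the company
    "dorte": Employee("dorte", "central_admin", None,           True),
    "erik":  Employee("erik",  "center_staff",  "center-south", True),
}


@dataclass
class Group:
    center: str
    members: Set[str]


# The broadcast model the page describes: everyone ever invited stays a member,
# including staff who have since left.
NORTH_GROUP = Group("center-north", {"anna", "bo", "carl", "dorte"})


def broadcast_recipients(group: Group, sender: str) -> Set[str]:
    """Who sees a message in a broadcast group: every member except the sender."""
    return group.members - {sender}


def need_to_know_recipients(sender: str, staff: Dict[str, Employee]) -> Set[str]:
    """Route a citizen's test report only to active central administration staff.

    Departed or unknown senders are refused outright instead of silently dropped,
    so the failure is visible to whoever operates the channel.
    """
    employee = staff.get(sender)
    if employee is None or not employee.active:
        raise PermissionError(f"{sender} is not an active employee")
    return {
        uid for uid, e in staff.items()
        if e.role == "central_admin" and e.active and uid != sender
    }


def stale_members(group: Group, staff: Dict[str, Employee]) -> Set[str]:
    """Members who should be removed from a center's group.

    Covers both failure modes: people who have left the company (or are not in the
    directory at all) and center staff assigned to a different test center.
    """
    stale: Set[str] = set()
    for uid in group.members:
        e = staff.get(uid)
        if e is None or not e.active:
            stale.add(uid)
        elif e.role == "center_staff" and e.center != group.center:
            stale.add(uid)
    return stale


def excess_exposure(group: Group, sender: str, staff: Dict[str, Employee]) -> Set[str]:
    """Recipients in the broadcast model who have no work-related need for the report."""
    return broadcast_recipients(group, sender) - need_to_know_recipients(sender, staff)


if __name__ == "__main__":
    print("broadcast:", sorted(broadcast_recipients(NORTH_GROUP, "anna")))
    print("need to know:", sorted(need_to_know_recipients("anna", STAFF)))
    print("stale members:", sorted(stale_members(NORTH_GROUP, STAFF)))
    print("excess exposure:", sorted(excess_exposure(NORTH_GROUP, "anna", STAFF)))
```

Running `stale_members` periodically against the staff directory is the offboarding check the page says was missing; `excess_exposure` makes visible how many people a single broadcast reaches beyond the one role that actually needs the report.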
Why the case has been reported to the police
As always, the Danish Data Protection Authority has assessed the seriousness of the case in accordance with Article 83, paragraph 1, of the GDPR when deciding which sanction it considers appropriate.
In recommending a fine, the Danish Data Protection Authority has emphasised that confidential information and health information about a large number of citizens was processed insecurely and shared with unauthorised persons, including employees who had no need to receive the information. Among them were also persons who were no longer employed by the company.
The Danish Data Protection Authority has further emphasised that, in its opinion, the breaches were in several cases committed intentionally, since Medicals Nordic had, among other things, failed to carry out the necessary risk assessment of the processing.