- 14 Oct 2016
- Jens Harkov
When employees take work involving personal data home, the employer must pay attention to data protection law, since the employer may be the one who is blamed in case of any unauthorised access to the data.
Under the Danish Data Protection Act, employers must ensure in their capacity as data controllers that necessary technical and organisational security measures are implemented to prevent unauthorised access to personal data. If the employer is a public-sector employer, the specific requirements in this regard are detailed in the Executive Order on Data Security.
In the event of a security breach, according to the provision of the Data Protection Act on good processing practice, it is for the data controller to determine whether and, if so, how the data subjects in question are to be informed.
Security breach at employee's home
The Danish Data Protection Agency became aware through the media that unauthorised persons had obtained access to various sensitive employee data held by a municipality. The Agency therefore asked the municipality for an explanation.
According to the municipality, the security breach had arisen when an employee transferred various work-related data to a USB stick and then saved the documents on his own private server. The data in question were sensitive personal data, including minutes of meetings between various employees and the municipality's work psychologist. An unauthorised person then hacked the private server, thus obtaining access to the sensitive data. However, the data were deleted immediately after the hacker attack – among other things, on the recommendation of the hacker himself.
The municipality further stated that it had considered whether to inform the data subjects involved. However, it did not believe that this was necessary, among other things because the data subjects were only identifiable by the municipality's work psychologist as the data had been partially anonymised.
Criticism from the Data Protection Agency
The municipality argued that it had been a mistake for the employee to take the data home with him, as this was contrary to municipal policy. However, the municipality also indicated that the matter had resulted in a decision to follow up on internal data security policies and procedures.
The Data Protection Agency held that the incident merited criticism. In the Agency's opinion, the municipality had breached the security provisions of the Data Protection Act because the employee had used his own private IT equipment to save data for which the municipality was the controller. In addition, the Agency requested the municipality to intensify its efforts with regard to ensuring employee awareness of and compliance with the municipality's data protection policies. The Agency further requested the municipality to adopt specific policy guidelines for the use of USB sticks.
The Agency agreed with the municipality's decision not to inform the data subjects, having regard among other things to the fact that the data subjects were identifiable only by the work psychologist.
Norrbom Vinding notes
- that the decision shows that public-sector employers must have clear policies in place with regard to data protection and use of IT equipment;
- that employers must ensure that employees actually know the policies and comply with them in practice;
- that, according to the provision of the Data Protection Act on good processing practice, it will come down to an assessment of the facts in each individual case whether the data subjects should be notified of any security breach; and
- that the Agency has also issued guidelines for teleworking employees which are generally relevant for employers to know and comply with.