- 18 Aug 2015
- Jens Harkov
A trade union's IT system was designed in a way that allowed employees of the trade union and an unemployment fund to access members' data. This practice was criticised by the Danish Data Protection Agency.
Data processors must protect personal data, among other things to prevent unauthorised disclosure. This principle is laid down in the Danish Data Protection Act and means, among other things, that unauthorised persons must not be given access.
A local trade union shared its premises with an unemployment fund. The way in which the trade union's IT system was designed meant that the employees of the unemployment fund had access to the trade union's files and records in the same way as the employees of the trade union. After being contacted by citizens and local media, the Danish Data Protection Agency decided to look into the matter.
Extensive access to data
The general access for the employees of the unemployment fund to the trade union's records and files was unacceptable, the Danish Data Protection Agency said in its opinion. The Agency gave weight to the fact that the employees of the unemployment fund had full access to all data, including files and records on accidents at work, which may contain sensitive personal data.
The trade union had given no particular reason and no statutory justification for allowing the data to be shared with the unemployment fund. Accordingly, the Agency concluded that the technical measures did not meet the requirements of the Danish Data Protection Act, while also noting that the trade union had changed the system so as to only provide access for the trade union's employees.
Norrbom Vinding notes
- that the opinion issued by the Danish Data Protection Agency illustrates that the data processor is required to implement technical measures to protect personal data, including measures to prevent unauthorised disclosure of data; and
- that, as a general rule, an IT system containing personal data which is designed in a way that generally allows third parties access will be a clear violation of the Danish Data Protection Act.