The Swedish Authority for Privacy Protection has now completed an audit of Umeå University, concluding that the University has violated the General Data Protection Regulation by processing special categories of personal data without applying appropriate technical and organisational measures to protect the data.
A research group at the University had requested from the police preliminary investigation reports concerning cases of male rape and, upon receiving such reports, proceeded to scan and store them digitally. The reports contained information on, among other things, suspicion of crime, name, personal identity number and contact details, as well as sensitive data about sexual life and health.
The Swedish Authority for Privacy Protection's investigation shows that the research group stored over a hundred scanned preliminary investigation reports in an American cloud service, even though the University had stated on its intranet that special categories of data should not be stored in the cloud service in question.
— The cloud service and the way the University uses it do not provide sufficient protection for this type of personal data, says Linda Hamidi, who led the Swedish Authority for Privacy Protection's audit.
When the research group sent an e-mail to the police requesting further information, one of the scanned reports was attached as a reference, a practice that the research group later repeated even though the police had pointed out that it was inappropriate to send sensitive material in unencrypted e-mails.
— These events show that the University has not taken the necessary measures to ensure a level of security appropriate to the risk.
The Swedish Authority for Privacy Protection also criticises the University for failing to report the incident as a personal data breach. Since 25 May 2018, organisations have been obliged to report personal data breaches to the Swedish Authority for Privacy Protection.
— The controller is obliged to notify the DPA of data breaches and furthermore to present to us what has been done to mitigate the effects of the incident and to prevent similar incidents from happening in the future.
The overall assessment of the infringements found led to the Swedish Authority for Privacy Protection issuing an administrative fine of SEK 550,000 against the University.
The Swedish Authority for Privacy Protection's decision is available in PDF format (Swedish only, 333 kB).
For further information, please contact:
Legal advisor Linda Hamidi, phone +46-8-657 61 81
IT security specialist Johan Ma, phone +46-8-657 61 67
Press office, phone +46-8-515 15 415