In a recent decision, the Data Protection Agency criticised a municipality's control of data security after unauthorised persons had gained access to sensitive personal data stored on an employee's private IT equipment.

The background of the case was that minutes of conversations from April 2013 to March 2015 between a number of employees of a municipality and the municipality's psychologist had been stored on an employee's private server. The employee had transferred a number of documents from the municipality's network to a USB device and from there to the employee's private server. The municipality claimed that the employee had taken the data home by mistake. According to the municipality, the data was subsequently made available to unauthorised persons when the private server was hacked by an anonymous person. The anonymous person contacted the employee directly and recommended that the employee delete the data, which the employee did right away.

The Data Protection Agency criticised the fact that the sensitive data for which the municipality was responsible had been stored on an employee's private IT equipment, where the municipality had no control over the data security. In the Data Protection Agency's opinion, the municipality had not met the requirements of the Personal Data Act for necessary security measures.

Instructing the employees on the guidelines

In the decision, the Data Protection Agency recommends that the municipality lay down guidelines on whether, and subject to which security measures, data from the municipality's systems may be copied to USB devices. The Data Protection Agency further recommends that the municipality intensify its efforts to ensure that all employees are familiar with and comply with the municipality's guidelines stipulating that personal data for which the municipality is responsible may not be processed on the employees' private IT equipment.

Review the guidelines concerning security at least once a year

The Data Protection Agency further found reason to emphasise that the municipality's handbook on data security must be reviewed at least once a year to ensure that the rules are sufficient and reflect the actual circumstances. In this connection, the Data Protection Agency also emphasised that, under the Executive Order on Security, the municipality must lay down guidelines for its own supervision of compliance with the security measures, and must provide any necessary instruction to the employees processing personal data.