Datatilsynet, Denmark’s DPA, has ordered the Southern Denmark regional authority to pay DKK500,000 ($79,200, €67,200) for failing to have appropriate safeguards to protect sensitive health information. The DPA is also referring the council to the police.
The case arose last year when a parent complained about the way the region processed their child’s personal data.
The DPA found that for more than 1½ years, the council had failed to properly secure a database used for research and clinical purposes.
The lapse meant anyone with a login could access personal data of other people registered in the system by changing the URL. The database included a questionnaire containing health information about more than 30,000 children with psychiatric problems.
In announcing the result of its investigation, Datatilsynet said the regional council's log showed no information had been accessed by any unauthorised person.
However, the DPA added that, in its view, handling health information about a particularly exposed group of minors places greater demands on an authority when processing personal data.