The Danish Data Protection Agency has fined the Region of Southern Denmark for failing to secure itself against unintentional publication of personal data on the region’s website. 

On 9 March 2020, Datatilsynet received a report of a breach of personal data security from the Region of Southern Denmark.

The report stated that a PowerPoint presentation prepared for educational purposes at Odense University Hospital, containing personal information belonging to 3,915 patients, had been available on the Region of Southern Denmark’s website since May 2011.

The Region of Southern Denmark used a screening tool to check regularly whether social security numbers had been accidentally published on the region’s website. However, the tool could not scan the underlying data in PowerPoint presentations, and this was the reason why the region had not complied with the requirements for an appropriate level of security in the Data Protection Regulation.

“Unfortunately, we regularly see that authorities inadvertently publish information about citizens on websites. When publishing documents that could potentially contain personal data, it is our opinion that the authority must always consider the relevance of prior and subsequent control measures. In a case such as the present, where the region processes large amounts of sensitive information about many citizens, the requirements for the risk considerations that the region must carry out are increased, just as the requirements for the measures actually implemented are tightened,” says office manager Frederik Viksøe Siegumfeldt.

Subsequently, Datatilsynet found that the Region of Southern Denmark did not have sufficient knowledge of the functionality of the screening tool and did not continuously conduct appropriate screening of files for personal data that had been published inadvertently.