Publicly Displaying Personal Data Under GDPR
When reading through enforcement cases across Europe concerning non-compliance with the GDPR (General Data Protection Regulation), a few recurring themes emerge. Whether it is insufficient access controls, inadequate policies and procedures or staff unawareness of data protection obligations, enforcement cases shine a light on areas of the law where improvements can easily be made and on which businesses often neglect to focus. Such oversights are somewhat understandable when considering the multitude of competing demands facing a business and the limited capacity for data protection to ‘have its voice heard’.
One such area where no concessions should be given relates to the permissibility of publicly posting personal data on notice boards and websites. Displaying information in this manner, particularly if it is confidential or sensitive in nature, raises a number of compliance alarm bells, especially in relation to the key principles which lie at the heart of the GDPR.
Several businesses have recently been on the receiving end of enforcement action (and in many cases fined as a result) for committing such a simple mistake. In Romania, for example, an apartment building ‘Owners Association’ was fined €500 for extracting an image of a data subject from its video surveillance system and then posting the image publicly on the apartment building’s notice board. The Romanian Data Protection Authority found that the data controller not only breached the lawfulness principle of the GDPR, but also failed to adopt adequate technical and organisational security measures to protect the personal data captured and viewed through the surveillance system. Similarly, in October 2020, the Spanish Data Protection Authority found that a data controller was in breach of the integrity and confidentiality principle (also commonly known as the security principle) of the GDPR when it posted a data subject’s name and financial information on a public notice board. The data controller in this case justified its decision by stating that a more direct form of communication would have taken longer to be effective. A warning sanction was duly issued as a result.
The Spanish Data Protection Authority has been the most active in administering fines and sanctions for incidents of a startlingly similar nature. Below is an overview of these cases:
Credit Cooperative publishes personal data on bulletin board
A complaint was received against a credit cooperative for the publication of the complainant’s personal data on the cooperative’s bulletin board. The complainant stated that the bulletin board on which the information was published was located in the cooperative’s cafeteria in its social centre, a public meeting point for local residents. The information published on the bulletin board made it possible for anyone reading it to identify the complainant as being part of a group of individuals expelled for having breached financial obligations to the cooperative. The Spanish Data Protection Authority found that this was a breach of the integrity and confidentiality principle and that consent should have been obtained from the complainant.
Outstanding debt owed to data controller
The complainant in this case had an outstanding debt with the data controller. After a number of attempts to notify the individual of the debt, the data controller published the complainant’s name, address and amount owed on its public notice board. The Spanish Data Protection Authority found that this was an infringement of the principle of integrity and confidentiality and issued a fine against the data controller as a result.
City Council published census information online
A City Council published on its website and on its notice board copies of a census which contained the name and ID number of the complainant. The City Council argued that the personal data were removed from the website and the notice board by the current mayor’s office immediately after it became aware of the issue. It also argued that the previous mayor’s office was the party which had actually published the personal data. The Spanish Data Protection Authority found that the City Council had breached the principle of integrity and confidentiality and that compliance with this principle was incumbent on all those involved at any stage of the processing.
Data controller published personal data on community notice board
The complainant stated that the data controller had openly published their personal data on a community notice board. Whilst the data controller argued that access to the information was limited to a select few and that mitigating measures were taken after it was informed of the complaint, the Spanish Data Protection Authority nevertheless issued a warning after confirming that publishing the personal data in this way was a breach of the integrity and confidentiality principle and that the information would likely have been available to friends, family members and third parties.
These cases illustrate that even where mitigating factors are considered, or a compelling reason is stated by the data controller for publicly displaying the information, the final decision almost always rules in the data subject’s favour. The interpretation of the integrity and confidentiality principle is also interesting. In none of the aforementioned cases was the absence of security measures the deciding factor. Instead, the mere breach of the data subject’s confidentiality (in the literal sense) and the unauthorised access to their personal data was enough to warrant corrective action on the part of the Spanish Data Protection Authority.
In Italy, two similar cases expanded the areas of non-compliance beyond the principle of integrity and confidentiality to include lawfulness, fairness and transparency as well as data minimisation. In July 2020, for example, the Italian Data Protection Authority found that the processing of an employee’s personal data by posting their letter of dismissal on a company notice board was a violation of the principle of data minimisation, as less privacy-intrusive means of communicating this information were available. A €1,000 fine was issued as a result. Likewise, in another case involving a school that posted personal data on a front door, revealing the birthdays and addresses of its students, the Italian Data Protection Authority found that such processing lacked a proper lawful basis (i.e. consent). A €2,000 fine was issued for the infringement.
The simple mistake of publicly disclosing personal information can be easily avoided through proper training and awareness of the principles of data protection. The UK National Health Service Caldicott Principles for sharing and disclosing personal confidential data offer a useful benchmark: such information should be accessible on a strict ‘need-to-know’ basis, so that only those who genuinely require access to personal data are able to view it.
If you require advice and support on how to comply with the principles for processing personal data under the GDPR, please contact our Data Protection Team at Xcina Consulting. We provide our clients with pragmatic advice and thought leadership to ensure they achieve a robust and defensible position.