Well it seems that another government authority in Sweden has been fined 120 000 kr (circa €12k) by the Swedish Data Protection authority. The region (county) of Örebro, and it was the heath authority, and it was sensitive data.
What is important in this case, is that although they had procedures, they were not documented, it was word of mouth… oopps, and this is not good enough. Where is the evidence?
Clearly processing of sensitive data means that extra care must be taken, but what is key here outside of this is that Article 5.2 of the GDPR requires accountability, which means there must be evidence that 5.1 is being adhered to.
The ruling is in Swedish, but to summarise the school was using facial recognition on its students. Facial recognition is biometric data, hence sensitive (special categories of data in the GDPR). They used consent as the legal basis but this was considered as unlawful due to the imbalance of relationship between the controller (school) and the data subject (student of 16+ yrs). Basically the student had no choice.
But there is more. The Swedish data protection authority based their decision on the following:
Art 5 – personal data collected was intrusive and more was collected that was needed for the purpose
Art 9 – the school did not have a legal exception to handle sensitive data. It is forbidden to collect sensitive data unless this is the case.
Art 35-36 – seems that a DPIA was not done.
What does this mean to other schools or even any public or private entity looking to use intrusive biometrics? Do a data protection impact assessment (DPIA), from here you will be able to get a clean picture on the potential risk of harm to the rights and freedoms of the data subject.
For me personally and professionally, I’m just happy that China’s big brother approach has been nipped in the bud here in Sweden 🙂
I love this “A UK privacy authority has fined the solicitor behind ACS:Law £1,000 for failing to keep the personal data of at least 6,000 people secure.” Although the fine was pretty pathetic, it is still good to see numbers appearing against cost of lost personal and sensitive data as this helps us justify why we are needed! Read more at ZDNet.
What is more important is the loss to his reputation for his lax security, I can imagine that ACS business cost will be just a little bit more than £1,000 😉