Umeå University has been fined €55 000, the Swedish DPA Datainspektionen has announced.
A group of researchers at the university have scanned public criminal investigation protocols as PDFs and saved them in a US cloud service.
The protocols contained personal data, some of which was especially sensitive and concerned sexual life and health.
“The cloud service and the way the university uses it do not provide sufficient protection for this type of personal data,” says Linda Hamidi, who led Datainspektionen's investigation.
Datainspektionen finds that the university violated the GDPR by handling sensitive personal data without taking sufficient technical and organizational measures to protect the data.
Umeå University is a public authority, for which the maximum fine is limited to SEK 10 million. The fine therefore constitutes 5.5% of the maximum fine.
– It is not because personal data is public that an organization can handle it in any way it wants. Each organization must have its own legal basis for the processing, create relevant documentation for the processing and ensure that the data is properly protected.
– Even individual mistakes by an employee are grounds for fines, as the organization has a responsibility to ensure that both routines and technical solutions protect the personal integrity of data subjects.
– Umeå University lacks both documentation of its unstructured data and a technical solution with the ability to monitor the processing of personal data and call for action in the event of incorrect handling.
The amount of personal data in unstructured data, such as files and e-mails, is enormous, and routines relying on manual handling are not enough to ensure adequate data protection. In addition, personal data in text, such as an investigation protocol, is completely contextual and based on semantics. The technical solution therefore requires cognitive abilities, AI, which can understand both context and semantics.
With Aigine Inventory, contextual personal data is identified and the mandatory documentation is prepared for all personal data processing with AI, which enables monitoring and event-triggered deviation management. In addition, Aigine Inventory provides continuous data protection training of employees.
Something that would have helped Umeå University.