GDPR Violations Lead To $66,000 Fine for Swedish University

TL;DR

A research group at Umeå University stored sensitive personal information in the cloud without sufficient security measures, which resulted in the university being fined SEK 550,000 (or $66,000). The fine was levied for violating the General Data Protection Regulation (GDPR). Data related to a research study on male sexual health was scanned and stored in a US cloud storage service, despite the research group being warned against such negligence.

The scanned files were stored in a US-based cloud storage service without sufficient protection

Key Facts
  1. A research group at Umeå University in Sweden, conducting a study on male sexual health, obtained on request some preliminary reports on police investigations of cases of male rape. These files were scanned and stored in an unsecured US cloud storage service.

  2. The reports contained sensitive personal information such as suspicion of crime, name, personal identity number, and contact details of people, among other things.

  3. The research group also sent requests to the police for more information through unencrypted emails, attaching some of these scanned reports for reference. The researchers did this despite the police asking them not to send sensitive material through such unsecured channels.

  4. The Swedish Data Protection Authority conducted an audit, concluded that the University was in violation of the GDPR, and issued a fine of SEK 550,000, which amounts to $66,000.

Details

With the rising numbers of cyberattacks and data breaches, even a little negligence can prove to be very costly. Educational institutions, healthcare facilities, and financial institutions seem to be primary targets in such events. Umeå University in Sweden has had to pay heavily for the negligence of one of its research groups.

The research group collected sensitive personal information on male rape cases from the police to aid their study on male sexual health. The preliminary police reports contained crucial and highly sensitive information. Despite repeated warnings from the university and the police, the research group continued to ignore data security protocols. The scanned files were stored in a US-based cloud storage service without sufficient protection. They were also shared with the police through unencrypted emails, for reference during further communication.

This is seen as serious neglect, and the University has been fined $66,000. After its investigation, the Swedish Data Protection Authority concluded that the University has “violated the General Data Protection Regulation by processing special categories of personal data without applying appropriate technical and organizational measures to protect the data”, according to the press release published on the Swedish Data Protection Authority’s news site.

The official report adds that “The Swedish Data Protection Authority also criticizes the university for failing to report the incident as a personal data breach.”

