Data protection: We haven’t learned enough from mistakes and glitches

Marit Hansen, the state commissioner for data protection in Schleswig-Holstein, has presented her activity report for 2021. The report addresses numerous data protection and freedom of information issues that the Independent State Center for Data Protection (ULD) dealt with over the past year. The recurring problems: misuse of existing data, breaches of the law through carelessness, and many data breaches.

Hansen looks back on an eventful year: “As in the previous year, our work in 2021 was shaped by the pandemic: Corona and data protection, Corona and freedom of information – but we also received inquiries and complaints on a wide range of topics, in all possible forms of data processing.” The ULD received 1,464 complaints about alleged data protection violations, and a further 712 requests for advice were processed. This is roughly in line with the figures for 2020. A 50% increase was recorded in the area of freedom of information, where the ULD was involved in 78 cases – and was often able to obtain the release of additional information. Hansen sees this as an incentive to improve the situation in the state, because: “Even after 22 years of freedom of information in Schleswig-Holstein, not everything is running smoothly. However, the traceability of the actions of the authorities has gained in importance, especially in times of a pandemic.”

There is also noticeable growth in another area, as Hansen reports: “Compared to the previous year, the number of data breach reports rose by around 60%. Nevertheless, our audits show that there are still cases in which those responsible have not complied with their reporting obligation.” The obligation to report personal data breaches – in short: data breaches – is a legal requirement and must be implemented by those responsible (the controllers). However, Hansen’s office also encourages treating this obligation as an opportunity for everyone involved to learn from the mistakes. “You’re always smarter afterwards” only applies if those responsible determine what went wrong and derive measures from this so that the data protection violations do not repeat themselves. The activity report of the State Commissioner for Data Protection contains many examples of data breaches. Hansen: “Our report also serves to ensure that everyone can learn from mistakes that have happened. These examples can help to assess the risk associated with the processing of personal data in one’s own company or authority and to take appropriate countermeasures.”

QR codes

The cover of this year’s activity report shows a labyrinth whose walls are plastered with black and white QR codes – a symbol of the complexity of our lives, with rules that are often difficult to understand and in which many struggle to find their way around. The world of technology is just as complex, with the dynamically changing interaction of various hardware and software components. Technology can help, but technology also brings new risks. Even the simple example of the QR code illustrates the problem of understanding: people cannot directly see what data is contained in it, but first have to scan the pattern with their smartphone. And anyone who shows such a QR code as proof of vaccination at an admission control cannot tell whether it is only being read and its validity checked during scanning, or whether the code is being copied and the information read out is being saved.

The ever-changing Corona regulations have also led to uncertainty in data processing in the pandemic year 2021: How should contact data be handled? What should be considered from a data protection perspective when checking vaccination, recovery and test certificates? The ULD received many complaints when those responsible requested personal data, for example from guests or employees, which was not necessary, or when there was a risk that unauthorized access to sensitive data could take place.

“I didn’t do my homework”

Some of the data breaches that occurred related to processing in connection with vaccination or testing. Others were related to working from home, e.g. the cases in which files or data carriers were lost during transport between the place of work and home. Open e-mail distribution lists, incorrect addresses or lost unencrypted USB sticks are among the constant themes in data breach reports. However, the large increase in the number of reports resulted from several waves of attacks via the Internet on servers of companies and authorities, in which personal data were affected.

Hansen comments: “I am concerned about information security. On the one hand, many organizations still haven’t done their homework to eliminate known vulnerabilities in IT systems – the data breach reports show us how such security gaps are repeatedly exploited and how data can often leak. On the other hand, attacks on IT systems that cannot be controlled with updates are also increasing. Some actors have an interest in cultivating security gaps instead of closing them – this then makes it possible to secretly infiltrate smartphones and spy on people with surveillance software such as ‘Pegasus’, which is used in many countries: a violation of the fundamental right to the guarantee of the confidentiality and integrity of information technology systems.” Hansen demands: “Data protection and security must be a matter of course when processing personal data.”

For those responsible, this means that their own processes must be designed in accordance with data protection requirements. When selecting products and service providers, they must proceed carefully and demand data protection compliance. Important points of contact are the data protection officers in the company or authority.

The deliberate misuse of personal data and the intentional violation of the law by those responsible and their service providers are found comparatively rarely in the daily work of the ULD, whose area of responsibility is limited to Schleswig-Holstein. Cases in which those responsible carelessly or grossly negligently ignored the data protection requirements are much more common. One of the most frequently raised areas is video surveillance (179 complaints, 36 requests for advice). Data protection errors in website design – for example through the inadmissible integration of problematic tracking technology – have meanwhile become more of a focus, for example in the context of the transnational industry audit in the media sector. The legal requirements and information on correct implementation can be found in the orientation aids, guidelines and information brochures available on the websites of the supervisory authorities, which are regularly updated when laws change (in 2021 with the introduction of the Telecommunications Telemedia Data Protection Act) or when court decisions on the matter become final.