Communication of a personal data breach in the Danish Ministry of Immigration and Integration
Communication regarding a personal data breach in one of the Danish Ministry of Immigration and Integration’s case processing systems. The personal data breach concerns the risk of unauthorized internal access to personal data in three folders on the Ministry of Immigration and Integration’s internal network drive. The Danish Data Protection Agency has been notified of the breach.
The personal data breach was discovered after an enquiry from the Danish Immigration Service. Subsequent investigations showed that there were a number of folders without adequate restrictions on access in the Ministry’s internal net-work drive. The folders contained personal data, including confidential data, as well as special categories of personal data. The error that caused the personal data breach was the result of a transition from an old case processing system to a new case processing system at the end of January 2020. The folders in question have now been given the correct restrictions on access so only relevant em-ployees in the Ministry can access the folders. The personal data breach has therefore been stopped.
The probability of employees having gained unauthorized access to the personal data is low, since access to the folders required specific knowledge of the location and the names of the folders. The access to the folders has not been displayed to the Ministry’s employees. However, all of the Ministry’s employees have had access to the folders. The folders have at no point been available to persons outside the Ministry.
The Danish Ministry of Immigration and Integration has no indications that the personal data in question has been exploited, but cannot rule this out. There has only been access to the information in the folders and not a general access to the information in the associated case processing system. It has therefore not been possible to carry out a broad search on for example a full name or CPR-number in order to find personal data on a specific person.
Notification to the Danish Data Protection Agency and communication of a personal data breach to registered persons
The Danish Immigration Service made an enquiry to the Danish Ministry of Immigration and Integration’s IT department on the 19th of October 2020 regarding a possible data breach. The personal data breach was subsequently confirmed. The system provider was informed of the error and began investigations regarding the restrictions on access to the folders.
The Danish Ministry of Immigration and Integration notified the Danish Data Protection Agency of the personal data breach on the 22nd of October 2020. The notification was thus made within the 72-hour limit.
Access to the files on the internal network drive was restricted on the 23rd and 27th of October 2020, and all access was conclusively terminated on the 2nd of November 2020.
Furthermore, a number of investigations were carried out in order to determine the extent of the personal data breach as well as to devise a plan for the restriction of access to the folders. It has, however, not been possible for the Danish Ministry of Immigration and Integration to ascertain the exact number of data subjects or the specific amount of personal data affected by the personal data breach. Such a clarification would result in an unsuitably large data pool, that subsequently must be analyzed, which would require a disproportionate effort.
Nevertheless, the risk of a personal data breach is evaluated as low, since access to the information required prior knowledge and active search for the correct path to the files. The Danish Ministry of Immigration and Integration is therefore carrying out a public communication whereby all persons that are potentially affected by the personal data breach are informed.
This includes all persons that are registered in the Ministry’s case processing systems, as the folders on the internal network drive are tied to the IT system in question. The IT system in question is the central case processing system of the immigration authorities and is used to process cases concerning foreign nationals access to and residence in Denmark. This, among other things, includes cases concerning family reunification, permanent residence, and residence permits concerning work, study, au pair and internship.
The folders in question on the Danish Ministry of Immigration and Integration’s internal network drive contained personal data in the form of CPR numbers, personal ID-numbers as well as personal data concerning ethnicity and work.
Possible consequences for the citizens
If an employee of the Danish Ministry of Immigration and Integration accessed the personal data without reason and subsequently exploited the personal data, the possible consequences for the data subject could include the loss of control of one’s personal data and possible identity theft.
The Danish Ministry of Immigration and Integration therefore urges all data sub-jects to be aware of the possible misuse of their personal data. This pertains to persons that have been registered regarding an immigration case or that have been a reference regarding an immigration case since January 2020. The misuse of personal data may include being contacted by persons who have information about your immigration case or status. If this happens, you must immediately contact the Danish Ministry of Immigration and Integration and the police.
The Ministry notes that all employees in the public sector are governed by duty of confidentiality cf. the Public Administration Act section 27. If an employee has misused the access to the folders and violated their duty of confidentiality, the employee can be punished.
If you have any questions
Contact information on the Danish Ministry of Immigration and Integration’s DPO
You can also contact the Danish Ministry of Immigration and Integration’s DPO through email@example.com