Unfortunate software update gave thousands of employees access to job applications
A software update to a university's HR system reset its rights management. As a result, the university's thousands of employees could see more than 400 job applications held in the system. The update had not been tested before it was put into production, which the Danish Data Protection Authority found inadequate. The failure was a breach of the duty under the data protection rules to ensure an appropriate level of security.
At the university, the internal HR system granted access to job applications by assigning employees a "role". Which role was assigned, and to whom, varied from one hiring process to the next.
The update of the HR system reset the rights management by mistake, deleting the roles that had previously been assigned. The consequence was that 7,011 employees at the university could, in principle, see every job application, where access had previously required a specific role. The system kept no access log, so it was impossible to establish whether any of the files had actually been accessed.
The university had not tested the update beforehand, because nothing suggested that it would affect the rights management. The software supplier, who was also responsible for implementing the update, had not provided sufficient information. The usual 14-day test period had therefore been skipped.
No excuse to blame the software supplier
The Danish Data Protection Authority found that the episode was a breach of the data protection rules on security of processing, and that the university had not lived up to its duty to ensure an appropriate level of security.
The university should have identified the risks that developing and adapting the IT solution could entail. For example, the solution should have been tested first, to check whether it contained any defect that could cause loss of, changes to, unauthorised disclosure of, or unauthorised access to personal data in the system. It was the university's own responsibility to investigate the potential consequences of the update, regardless of what information the software supplier had provided beforehand.
The university should also have assessed the risks to data subjects that the changes could entail. For example, it should have considered the risk of a reset of, or other changes to, the rights management, even though that risk had not been announced beforehand.
The missing pre-deployment tests drew serious criticism from the Danish Data Protection Authority. The Authority stressed that it weighed heavily that there was no log of who had viewed the files, that a large number of employees were affected, and that the application material was comprehensive and contained national identification (CPR) numbers and health information. The breach was especially serious for internal applicants.
IUNO’s opinion
This is not the first time the Danish Data Protection Authority has underlined that the role of data controller means that the company carries full responsibility for the level of security. Among other things, that responsibility covers ensuring that system updates are secure and that all potential risks are analysed before an update is deployed.
IUNO recommends that companies have fixed guidelines in place which, among other things, establish thorough procedures for testing updates before they are introduced. The guidelines should set out a process in which all likely failure scenarios are tested whenever software that processes personal data is developed, updated or changed, before the change is deployed to the production environment.
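The kind of pre-deployment check the recommendation calls for, shown as an added example that is not code from the IUNO article, the ruling, the university or its supplier. It models the failure mode in the case: access to an application is supposed to be granted only by a per-hiring-process role, and an update silently empties the role table. Two decision functions are compared, one that reads an empty role list as "no restriction configured" (which is how a reset turns into thousands of readers) and one that denies by default. A snapshot of the access matrix for representative users taken before the update and compared with one taken afterwards catches both newly granted and lost access, and every decision is written to an access log. All users, applications, the policy functions and the simulated update are constructed for illustration.

```python
"""Authorization regression check for a role-based HR system (illustrative model)."""
from typing import Callable, Dict, List, Set, Tuple

Roles = Dict[str, Set[str]]  # hiring process -> users holding the reviewer role
Policy = Callable[[Roles, str, str], bool]
Pair = Tuple[str, str]        # (user, application id)


def fail_open_policy(roles: Roles, process: str, user: str) -> bool:
    """Flawed: a missing or empty role entry is read as 'no restriction configured'."""
    holders = roles.get(process)
    if not holders:
        return True
    return user in holders


def deny_by_default_policy(roles: Roles, process: str, user: str) -> bool:
    """Hardened: access exists only if the user explicitly holds the role."""
    return user in roles.get(process, set())


class HRSystem:
    def __init__(self, applications: Dict[str, str], roles: Roles, policy: Policy):
        self.applications = applications  # application id -> owning hiring process
        self.roles = roles
        self.policy = policy
        self.access_log: List[Tuple[str, str, bool]] = []

    def can_view(self, user: str, application_id: str) -> bool:
        return self.policy(self.roles, self.applications[application_id], user)

    def view(self, user: str, application_id: str) -> bool:
        allowed = self.can_view(user, application_id)
        # Log denials as well: a burst of unexpected allows or denies is the first
        # sign that the role table changed underneath the system.
        self.access_log.append((user, application_id, allowed))
        return allowed


def access_matrix(system: HRSystem, users: List[str]) -> Dict[Pair, bool]:
    """Evaluate every (user, application) pair through the real decision function."""
    return {(u, a): system.can_view(u, a) for u in users for a in system.applications}


def drift(before: Dict[Pair, bool], after: Dict[Pair, bool]) -> Tuple[List[Pair], List[Pair]]:
    """Return (newly granted, newly revoked) pairs between two snapshots."""
    granted = sorted(p for p, ok in after.items() if ok and not before[p])
    revoked = sorted(p for p, ok in after.items() if not ok and before[p])
    return granted, revoked


def simulated_vendor_update(system: HRSystem) -> None:
    """Stand-in for the update in the ruling: wipes the rights table (constructed)."""
    system.roles = {}


def release_check(policy: Policy) -> dict:
    """Snapshot access before the update, apply it, and block on any drift."""
    # Constructed test fixture: two hiring processes, one reviewer each, one bystander.
    applications = {"app-1": "hire-a", "app-2": "hire-a", "app-3": "hire-b"}
    roles = {"hire-a": {"reviewer-a"}, "hire-b": {"reviewer-b"}}
    users = ["reviewer-a", "reviewer-b", "lecturer"]  # lecturer holds no role
    system = HRSystem(applications, roles, policy)
    before = access_matrix(system, users)
    simulated_vendor_update(system)
    after = access_matrix(system, users)
    granted, revoked = drift(before, after)
    # Extra access is a breach, lost access is a defect; either blocks the release.
    return {"ok": not granted and not revoked, "granted": granted, "revoked": revoked}


if __name__ == "__main__":
    for name, policy in (("fail-open", fail_open_policy),
                         ("deny-by-default", deny_by_default_policy)):
        print(name, release_check(policy))
```

With the fail-open policy the check reports six newly granted pairs (every user now sees every application); with the deny-by-default policy it reports no new access but three revoked reviewer rights. Both outcomes stop the release, which is the point: the comparison must be run against the real decision path, not against the vendor's description of what the update touches.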
[The Danish Data Protection Authority’s ruling of 12 May 2022 in case nr. 2021-442-13989]