EN
Technology

Unfortunate software update gave thousands of employees access to job applications

logo
Legal news
calendar 16 June 2022
globus Denmark

A software update in a university’s HR-system reset the rights management system. This meant that the university’s thousands of employees could see over 400 job applications in the system. The software update had not been tested before it was taken into use, which the Danish Data Protection Authority found inadequate. The mistake was a breach of the duty to secure an appropriate level of security under the data protection rules.

At a university, one of the functions of the internal HR-system was that the employees were assigned a “role” to get access to job applications. The role assigned and to whom varied from each hiring process.

The rights management system was reset by mistake with the update of the HR-system. That meant that the previous assigned roles in the system were deleted with the update. The consequence was that 7011 employees at the university theoretically could see all job application, which earlier required a certain role to be accessed. There was not any log in the system, so it was impossible to see if any files had been accessed.

The university had not tested the update before, because nothing suggested that the update would change the rights management system. The software supplier, who was also responsible for the implementation of it, had not given the sufficient information. Therefore, there had not been a 14-day test, which had been the usual practice.

No excuse to blame the software supplier

The episode was a breach on the data protection security, in violation of the rules on data protection. The university had lived up to their duty on securing a sufficient security level.

The university should have identified the risk the development and adaptation of the IT-solution could have. For example, the solution should had been tested first, to check if it included any problems that could cause for example loss, changes, unauthorized forwarding, or access to personal data in the system. It was the university’s own responsibility to investigate the potential consequences of the update, no matter what information the software supplier had given beforehand.

The university should have assessed the processing the changes could cause. For example, the university should have considered the risk of reset or changes in the rights management system, even though the risk had not been announced beforehand.

The missing tests in advance of the update triggered serious criticism from the Danish Data Protection Authority. They underlined, that it weighed a lot that there was not any log on who had seen the files, that there was many employees and comprehensive application material that contained person numbers and health information. The data breach was especially bad for the internal applicants.

IUNO’s opinion

This is not the first time that the Danish Data Protection Authority underlines that the role as data controller incorporates that the company has the full responsibility of the security level and that it among other things incorporates that all system updates etc. are a 100 percent secure and that all potential risks are analyzed before the update is implemented.

IUNO recommends that companies have fixed guidelines in place, that among other things secures secure and extensive procedures for tests of updates, before they are introduced. The guidelines should establish a process where all likely mistake scenarios are tested in relation with the development, update and change of software, where personal data is treated before a sufficient security level is in place.

[The Danish Data Protection Authority’s ruling of 12 May 2022 in case nr. 2021-442-13989]

At a university, one of the functions of the internal HR-system was that the employees were assigned a “role” to get access to job applications. The role assigned and to whom varied from each hiring process.

The rights management system was reset by mistake with the update of the HR-system. That meant that the previous assigned roles in the system were deleted with the update. The consequence was that 7011 employees at the university theoretically could see all job application, which earlier required a certain role to be accessed. There was not any log in the system, so it was impossible to see if any files had been accessed.

The university had not tested the update before, because nothing suggested that the update would change the rights management system. The software supplier, who was also responsible for the implementation of it, had not given the sufficient information. Therefore, there had not been a 14-day test, which had been the usual practice.

No excuse to blame the software supplier

The episode was a breach on the data protection security, in violation of the rules on data protection. The university had lived up to their duty on securing a sufficient security level.

The university should have identified the risk the development and adaptation of the IT-solution could have. For example, the solution should had been tested first, to check if it included any problems that could cause for example loss, changes, unauthorized forwarding, or access to personal data in the system. It was the university’s own responsibility to investigate the potential consequences of the update, no matter what information the software supplier had given beforehand.

The university should have assessed the processing the changes could cause. For example, the university should have considered the risk of reset or changes in the rights management system, even though the risk had not been announced beforehand.

The missing tests in advance of the update triggered serious criticism from the Danish Data Protection Authority. They underlined, that it weighed a lot that there was not any log on who had seen the files, that there was many employees and comprehensive application material that contained person numbers and health information. The data breach was especially bad for the internal applicants.

IUNO’s opinion

This is not the first time that the Danish Data Protection Authority underlines that the role as data controller incorporates that the company has the full responsibility of the security level and that it among other things incorporates that all system updates etc. are a 100 percent secure and that all potential risks are analyzed before the update is implemented.

IUNO recommends that companies have fixed guidelines in place, that among other things secures secure and extensive procedures for tests of updates, before they are introduced. The guidelines should establish a process where all likely mistake scenarios are tested in relation with the development, update and change of software, where personal data is treated before a sufficient security level is in place.

[The Danish Data Protection Authority’s ruling of 12 May 2022 in case nr. 2021-442-13989]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

2 June 2022

Failure to inform shareholder breached the data protection rules

logo
Technology

28 April 2022

First fine to a public authority for breach of the data protection rules

logo
Technology

31 March 2022

New guidelines clarify when processing is an international data transfer

logo
Technology

31 March 2022

24/7 CCTV monitoring at the workplace was a breach of the data protection rules

logo
Technology

24 February 2022

No unconditional right of access under whistleblower schemes

logo
Technology HR-legal Corporate

2 November 2021

Joint whistleblower schemes for multinationals

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate