Resolutions, opinions and reports search tool

The person in charge of the treatment must implement the appropriate measures to ensure that the conversations held between their staff and the patients cannot be heard by unauthorized third parties. It is necessary to carry out a risk analysis to determine the applicable security measures.

The CTTI, in its capacity as processor, did not implement adequate security measures to guarantee the personal data it processed on behalf of the controller (Dept EDU). This allowed a student, when making a telematic pre-enrolment at a given training, to display the data of a third party on screen.

The complainant's complaint about the alleged loss of an excellent document containing the computation of the extra hours performed by PHPT workers is shelved, since the Department of Justice reports that it still retains the file in which workers' overtime is collected, and that these, moreover, since 2017, have been included in the computer system used for personnel management (SIPC).

The complainant complained about several issues relating to the processing of his request for dependency:

Infraction of security measures within the framework of an internal audit conducted by the Foundation: 1) in the process of assigning new passwords, it was not guaranteed that credentials were under the exclusive control of users, as in the first entry the system did not force change by the user. 2) This also meant that it could not be guaranteed to know in an undoubted way what, who and when he performed a certain amount of work in the computer system. This lack of security was particularly apparent when auditors created new "ex novo" credentials for the system technician, and with these new credentials they accessed their work team in order to avoid risks in the system.

Resolution is issued, directly as they have not filed any allegations against the IIA. Security measures are imputed, an authentication mechanism due to access to patient data through several hospital URLs only by introducing the DNI without any other access control measures. They claimed that they had erroneously published a 'test environment' and that they have already unpublished these URLs.

Security measures must be determined by taking into account the risks arising from the loss or unauthorised access to data (among others). In the present case, it has been proven that the person responsible for the processing of the data concerned did not take appropriate technical and organisational measures to ensure their safety (thinking to prevent unauthorised persons from accessing these data).

On the one hand, by means of the digital certificate linked to a worker in the entity - which allowed him to access the HC3 file of the Department of Health - an unidentified person or persons who had access to the HC3 of the complainants, all of them workers in the entity; which is considered constitutive of a violation of the principle of application linked to the improper treatment of special categories of data. On the other hand, the digital certificate linked to one of the working people of the FSFA, which as mentioned allowed access to the HC3 file, was installed on several computers to which different people also workers in the entity had access. Thus, to the extent that all these people could use the same certificate to access the HC3 database, the identification of the person who actually accessed it could not be guaranteed unequivocally and customarily, nor, consequently, the justification of these accesses could be analysed. This is considered to be a breach of security measures.

The City Council did not have an information system to ensure the traceability of the actions it carried out in relation to the information contained in a digital folder. This meant that it was not possible to verify which users had accessed it, at what time, and what actions they had carried out.

Vulnerabilities detected in the platform set up for the public to request a vaccination appointment, and which allowed access to data from third parties. Lack of risk analysis.