Security incident and AEPD decisions

Reports | 22 April 2026
The Spanish Agency for Data Protection (AEPD) has fined a school €5,000 following a data breach caused by the theft of a staff member's laptop.

1. Key points about the incident

The sanction, imposed on Nuestra Señora de la Caridad del Cobre School as the data controller, stems from a personal data breach that took place on March 21, 2023, when the laptop of the head of teaching was stolen from the school's facilities. She had stepped out of her office, leaving the door closed but unlocked.


The incident affected a total of 450 people, 150 of them minors, compromising personal data and information from students' academic records, including health data. The school reported the breach to the AEPD on March 24 of the same year, classifying it as low risk and stating that it did not consider it necessary to notify the affected individuals.


The school justified this classification by arguing that, before the incident, it had already implemented preventive security measures intended both to prevent unauthorized access to devices (such as automatic locking after 10 minutes of inactivity) and to control physical and logical access to information.


After the incident, the school adopted a series of corrective measures: it changed the passwords of the employee's email and other access accounts and took steps to strengthen its access control system, with the stated aim of continuously improving its procedures, including sending a circular to employees, providing specific training on the matter, and reviewing the security measures applied to computer devices.


However, the AEPD deemed that the breach posed a high risk to the rights and freedoms of individuals, especially considering the nature of the data involved (including health data) and the presence of minors; consequently, on April 4, 2023, it expressly ordered the school to notify the affected individuals of the breach in accordance with Article 34 of the GDPR. This notification was not made until May 3, 2023.


Once the investigation was concluded, the AEPD decided on March 22, 2024 to initiate sanctioning proceedings against the school.


2. GDPR non-compliance

Based on the facts described, the AEPD sanctioned the educational institution for the following infringements of the General Data Protection Regulation (GDPR):

  1. Article 32 – Lack of due diligence: the authority considers that the measures implemented, both before and in response to the incident, were insufficient. It stresses that security measures must be adequate and effective, not merely formal. In particular, it identified two deficiencies: the data stored on the laptop was not encrypted, which poses a significant risk to the confidentiality of the information in the event of unauthorized access (an inactivity screen lock only protects the running session; without disk encryption the data can be read by removing the drive or booting the device from other media), and the school lacked physical access control measures that could have prevented the theft of the device.
  2. Article 34 – Notification of a personal data breach to the affected individuals: the school failed to fulfill its obligation to notify the affected individuals of the breach without undue delay, as it delayed this notification until one month after the supervisory authority expressly required it. In this regard, the AEPD points out that the school acted contrary to the regulation, which requires that notification be made 'without undue delay', given that the incident posed a high risk to the rights of the affected individuals, as data relating to minors and health data could have been affected.


3. Conclusions

Once again, the AEPD emphasizes the importance of complying with data protection regulations where personal data of minors is concerned, and the need to establish and diligently implement technical and organizational measures that mitigate the risks the processing poses to the affected individuals.

It highlights that this obligation is not fulfilled by adopting just any set of measures: the measures implemented must be adequate and sufficient to achieve the intended outcome, namely ensuring the security of the processing. Moreover, beyond establishing and implementing them, the controller must supervise their correct use and appropriate application, in line with the criteria set out in case law (for example, Ruling 90/2014 of the National High Court and Ruling 7359/2020 of the Supreme Court).


Moreover, although the proceedings for the failure to notify the affected individuals were closed because the applicable time limit had expired, the decision stresses the obligation to inform affected individuals without undue delay of information security incidents that pose a high risk to their rights and freedoms, since acting swiftly and transparently is essential to mitigate those risks.


Informative note from the Data Protection Department of ECIJA Madrid.
