The Irish Data Protection Commission (DPC) has imposed a €70,000 fine on University College Dublin (UCD) for failure to implement appropriate security measures; storing data longer than necessary, and delaying in notifying the DPC of a data breach. This is the sixth GDPR fine imposed by the DPC. Previous GDPR fines included 3 fines on Tusla (the Child and Family Agency) amounting to a total of €200,000; a €450,000 fine on Twitter, and a €65,000 fine on the HSE. These fines similarly concerned failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data; delaying in notifying the DPC of the data breach; and failing to adequately document the breach.
The DPC launched an own volition inquiry into 7 breach notifications it received from UCD between August 2018-January 2019, and carried out a site inspection. The personal data breaches concerned unauthorised third parties accessing UCD email accounts, and login credentials for UCD email accounts being posted online.
The decision found that UCD had:
- failed to process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures (breaching Articles 5(1)(f) and 32(1) GDPR).
- stored certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed (breaching Article 5(1)(e) GDPR).
- failed to notify one of the personal data breaches to the DPC without undue delay. This breach was notified 13 days after UCD became aware of it (breaching Article 33(1) GDPR ).
The DPC imposed an administrative fine on UCD of €70,000 in respect of the infringements. It also ordered UCD to bring its processing operations concerning its email service into compliance with Articles 5(1)(f) and 32(1) of the GDPR, and issued UCD with a reprimand in respect of the infringements.