Sweden: DPA fines Umeå University (~53,000 EUR)

Very interesting case involving sensitive personal data that

  • was shared via unencrypted email (which was pointed out to the university, but was not reported as an incident)
  • was stored on box.com, protected only by username/password, despite the fact that the university’s risk assessment didn’t support this – and in violation of internal published policies

(I hope I read the documents correctly..)

Press release:
https://www.datainspektionen.se/nyheter/universitet-brast-i-skyddet-av-kansliga-personuppgifter/

Details:
https://www.datainspektionen.se/globalassets/dokument/beslut/2020-12-10-beslut-tillsyn-umea-universitet.pdf