Serious criticism for insufficient testing of a software update

Summary

In 2021, the University of Southern Denmark experienced a data breach after an update of an HR system, whereby the settings for rights management were changed. Employees were assigned different roles in the system which, depending on the employee's work-related needs, would give them access to view content, including job applications, containing personal data.

Due to an error with the update, the existing management of rights was canceled, after which all employees at the University of Southern Denmark, i.e., 7011 employees, were given potential access to applications from a total of 417 applicants. Of these, approximately 400 employees had an access-related need to access the applications.

The University of Southern Denmark had not tested the update on the test system before it came into force. The university had a practice of 14 days of testing updates that lead to changes in roles and their associated functions, but this was not carried out in this specific case. This was due to the University's lack of knowledge that the update would lead to changes of the nature in question.

The Danish Data Protection Agency's decision

The Danish DPA seriously criticized the University of Southern Denmark for not processing personal data in accordance with the rules in GDPR Article 32(1) (security of processing).

Our remarks

• A controller's responsibility to test updates that, for example, reset or change previously selected settings does not cease, even if the controller is unaware of these features of the update. This applies regardless of whether the lack of knowledge is because the software vendor has not adequately communicated this.

• Controllers should therefore seek knowledge about the consequences of updates themselves, even if the software supplier may have provided adequate information.

Published: 12-05-2022
Journal number: 2021-442-13989
Tags: 05 Data security
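The kind of regression check that the 14-day test practice described above is meant to provide, written as an added example (not code from the report or from the university): snapshot who can view job applications before the update, compare with the test system after the update, and fail if access widened beyond the approved need-to-know list. The role mapping, user names and the "default" role assigned by the faulty update are all constructed assumptions.

```python
"""Post-update access regression check (added example, constructed data).

Models the failure in the case: an HR system update cancels the existing
rights management, so every employee lands in a broad role that can view
job applications. The check diffs access to one sensitive permission
before and after the update and rejects the update if anyone outside the
approved set gained it.
"""
from dataclasses import dataclass

# Hypothetical role -> permission mapping of the HR system (assumption).
ROLE_PERMISSIONS = {
    "recruiter": {"view_applications", "view_profile"},
    "employee": {"view_profile"},
    # Broad fallback role the faulty update assigns to everyone (assumption).
    "default": {"view_applications", "view_profile"},
}


@dataclass(frozen=True)
class AccessDiff:
    gained: frozenset      # users who can newly exercise the permission
    lost: frozenset        # users who lost it (also worth a look)
    unapproved: frozenset  # users with the permission but no approved need


def users_with(assignments, permission):
    """Return the set of users whose roles grant `permission`."""
    return {user for user, roles in assignments.items()
            if any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)}


def check_update(before, after, permission, approved):
    """Diff access to `permission` between the pre- and post-update states."""
    pre, post = users_with(before, permission), users_with(after, permission)
    return AccessDiff(frozenset(post - pre), frozenset(pre - post),
                      frozenset(post - approved))


def update_is_safe(diff):
    """An update may go live only if nobody without an approved need has access."""
    return not diff.unapproved


# Constructed sample: three employees; only 'anna' has an approved need.
BEFORE = {"anna": {"recruiter"}, "bo": {"employee"}, "carla": {"employee"}}
AFTER = {user: {"default"} for user in BEFORE}  # rights reset by the update
APPROVED_VIEWERS = {"anna"}

if __name__ == "__main__":
    d = check_update(BEFORE, AFTER, "view_applications", APPROVED_VIEWERS)
    print("gained:", sorted(d.gained), "unapproved:", sorted(d.unapproved))
    print("safe to deploy:", update_is_safe(d))
```

Run against a production-sized export, the same diff would have shown the jump from roughly 400 approved viewers to all 7011 employees before the update left the test system.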
Complycloud EU GDPR Report