The Swedish Authority for Privacy Protection (IMY) recently issued a reprimand to the insurance company "If" and a fine to Region Dalarna for failing to adequately protect sensitive personal data when sending it through mail and email. "If" sent sensitive personal data via email and encrypted the message; however, the encryption only covered the path up to the recipient's email server, not the final hop from that server to the recipient. Region Dalarna mailed notices to patients in windowed envelopes that clearly showed the healthcare facility the notice pertained to. As a result, both "If" and Region Dalarna were found to have processed personal data in violation of the General Data Protection Regulation (GDPR).
It is crucial for all businesses to safeguard personal data, particularly data classified as sensitive, in a sufficient and secure manner. The purpose is to prevent anyone other than the intended recipient from accessing the information. Have you identified and organized the sensitive personal data you process? Does your organization have established procedures for how to send messages containing personal data through mail, email or any other channel? Are your encryption solutions sufficiently secure?
For more information regarding the protection of personal data, please contact our senior associate Kerstin Eifrém.