Inquiry into Maynooth University

(IN-19-9-3)

Date of Decision: 22 November 2024

This decision arises from an own-volition inquiry that the DPC commenced in July 2019. The inquiry related to a personal data breach notified by Maynooth University in November 2018.

The breach affected the email accounts of university employees and allowed unauthorised persons to gain control of up to six accounts. The unauthorised persons used their control of one account to create email rules that concealed messages received from certain addresses. By means of this, the unauthorised persons perpetrated a fraud, leading to a financial loss by one person whose email account had been affected. That person was subsequently compensated by Maynooth University for that loss. The DPC assessed Maynooth University’s technical and organisational measures for ensuring the security of personal data that it processed, and also examined compliance with the controller’s obligation to notify breaches promptly.

Technical and organisational measures for security

The DPC determined that the email system was used for a broad range of purposes affecting the general scope of activities carried out in Maynooth University including HR and related matters. The types of personal data processed included detailed identification, financial and contact information, as well as health and other sensitive categories of personal data. The processing affected the personal data of a large number of individuals, so the DPC determined that the risks to be addressed in Maynooth University’s technical and organisational measures for security were high. The DPC’s inquiry found that, while Maynooth University had implemented a number of appropriate security measures, some significant failings and omissions were evident:

  • Technical measures found by the DPC to be inadequate included failure to employ multi-factor authentication (‘MFA’) in appropriate situations, a lack of control of email configuration rules and inadequate measures to keep systems updated and prevent malware.
  • Organisational measures found to be inadequate included policies and staff training on email security and data protection, supervision of email use, password policy, and policies regarding the control and management of personal data breaches.
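A defender-side check for the concealment pattern described in the breach summary above (mailbox rules that hide messages from particular senders), which is one of the "email configuration rules" controls the DPC found lacking. This is an added example, not part of the DPC's decision or of Maynooth University's systems; the rule fields, folder names and sample addresses are constructed assumptions rather than any product's real export format.

```python
from dataclasses import dataclass, field
# Folders that keep mail out of the ordinary Inbox view; a rule routing a
# named sender's mail here is the classic concealment pattern (assumed list).
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "notes"}

@dataclass
class InboxRule:                      # shape of a generic rule export (assumed)
    mailbox: str
    name: str
    from_addresses: list = field(default_factory=list)  # sender conditions
    move_to: str = ""                 # destination folder, "" if none
    delete: bool = False
    mark_read: bool = False
    forward_to: list = field(default_factory=list)
    enabled: bool = True

def audit_rule(rule, org_domain):
    """Return the reasons a rule looks like concealment (empty if clean)."""
    reasons = []
    if not rule.enabled:
        return reasons
    hides = rule.delete or rule.move_to.lower() in HIDING_FOLDERS
    if rule.from_addresses and hides:
        reasons.append("hides mail from " + ", ".join(rule.from_addresses))
    elif rule.from_addresses and rule.mark_read:
        reasons.append("marks a sender's mail as read without moving it")
    external = [a for a in rule.forward_to
                if a.lower().rsplit("@", 1)[-1] != org_domain.lower()]
    if external:
        reasons.append("forwards to external " + ", ".join(external))
    if len(rule.name.strip()) <= 1:
        reasons.append("blank or one-character rule name")
    return reasons

def audit_rules(rules, org_domain):
    """Map (mailbox, rule name) -> reasons, for flagged rules only."""
    return {(r.mailbox, r.name): why for r in rules
            if (why := audit_rule(r, org_domain))}

# Constructed sample export for a fictional organisation (example.ie).
SAMPLE_RULES = [
    InboxRule("staff1@example.ie", "Newsletters",
              from_addresses=["news@list-example.org"], move_to="Newsletters"),
    InboxRule("finance@example.ie", ".", mark_read=True, move_to="RSS Feeds",
              from_addresses=["accounts@supplier-example.com"]),
    InboxRule("finance@example.ie", "backup",
              forward_to=["mailbox@external-example.net"]),
    InboxRule("staff2@example.ie", "old", delete=True, enabled=False,
              from_addresses=["x@supplier-example.com"]),
]
```

Running `audit_rules(SAMPLE_RULES, "example.ie")` flags only the two finance-mailbox rules; a real deployment would feed this from a periodic export of every mailbox's rules and alert on new findings.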

The DPC’s decision finds that Maynooth University’s technical and organisational measures did not properly address the risks posed by its processing, taking account of the nature of the personal data, the purposes for which it was used, and the numbers of persons affected. While Maynooth University subsequently adopted measures to remediate deficiencies identified during the inquiry, and compensated the victim of the financial fraud, the DPC determined that Maynooth University had infringed Articles 5(1)(f) and 32 GDPR by failing to ensure appropriate security for the personal data that it processed, and to implement appropriate technical and organisational measures to ensure such security.

Prompt notification of personal data breach

Article 33 GDPR requires data controllers to notify their supervisory authority of every personal data breach that is likely to pose a risk to rights and freedoms of persons. The notification must be made ‘without undue delay, and where feasible, not later than 72 hours after having become aware of it’.

The DPC’s inquiry established that, while Maynooth University was aware at an early stage of all facts showing that a personal data breach had occurred which posed risks to persons’ rights and freedoms, it did not report the breach to the DPC until more than 3 weeks later. Instead, after discovering the breach, Maynooth University commissioned an external IT security advisor to report on it and the surrounding circumstances. The report confirmed that the breach should be notified to the DPC, but that step was not taken until 4 days after delivery of the report. The DPC noted that the purpose of requiring prompt notification of breaches includes enabling the supervisory authority to advise and direct action to protect persons from the considerable risks that can be posed by breaches. It followed that, by unnecessarily delaying notification of this breach, Maynooth University had infringed Article 33(1) GDPR.

Corrective measures

The DPC’s decisions on corrective measures took account of all required factors including the risks posed by the processing, the types of personal data and numbers of persons affected, as well as the remedial steps taken by Maynooth University. The DPC also had regard to section 141(4) of the Data Protection Act 2018, which sets a maximum of €1,000,000 for administrative fines that may be imposed on ‘public authorities’, a category that includes bodies such as Maynooth University.

Corrective measures taken by the DPC were:

  • a reprimand to Maynooth University in respect of the infringements identified,
  • an administrative fine of €25,000 in respect of the infringement of Articles 5(1)(f) and 32(1) GDPR,
  • an administrative fine of €15,000 in respect of the infringement of Article 33(1) GDPR,
  • an order to Maynooth University to bring its processing into compliance with the GDPR’s security requirements and to report to the DPC on the steps taken.

The full decision can be downloaded at this link: Inquiry into Maynooth University November 2024 - (PDF, 1.3MB)