IMY has now completed an investigation of a personal data breach at the Swedish Customs. A couple of employees at the Swedish Customs' law enforcement activities have used the cloud service Google Photo in their staff mobile phones. The officials had linked their private Google Photo accounts to their mobile phones, which automatically synced the photos and videos taken in their official duty to the cloud service. The Swedish Customs has stated that the use of Google Photos was not permitted within the authority.
“The fact that the use of the cloud service was unauthorized does not deprive the Swedish Customs of the responsibility that the authority has as data controller. The Swedish Customs has not taken appropriate technical and organizational measures to prevent what happened. Existing routines and technical barriers to prevent data from staff mobiles being copied and stored in a US cloud service were insufficient”, says Jonas Agnvall who led the investigation.
IMY's decision states, among other things, that there needs to be clear routines and guidelines for employees' use of company mobiles and that employees also need to receive training and information on how personal data may be processed on the mobile phones.
“There should also be technical restrictions for which apps that can be downloaded to the staff mobiles.”
However, IMY notes that there are also mitigating circumstances. There have only been a few employees who have used the cloud service without the authority's approval. Images and movies uploaded to the cloud service have been deleted. In addition, after the incident was discovered, the Swedish Customs has taken both technical and organizational measures to prevent similar incidents, among other things by clarifying guidelines and limiting the possibilities of downloading applications.
“We issue an administrative fine of SEK 300,000 against the Swedish Customs, which is a considerably lower amount than what would have been justified without the mitigating circumstances”, says Jonas Agnvall.