Report on the government’s processing of confidential data on persons and companies
Rigsrevisionen has examined how eight government institutions process confidential data on persons and companies in 11 selected IT systems. The report is based on IT audits carried out in connection with the annual audit in the spring of 2014. The purpose of the audit was to assess whether confidential data on persons and companies are adequately protected by the government institutions.
- The government institutions in the study have to a large extent not updated their internal guidance, checked user access, logged staff’s searches and subsequently erased them, followed up on agreements made with external data processors or supervised compliance with internal security measures.
- For example, Statistics Denmark handles data on all Danish citizens, but searches performed by its staff are not logged as prescribed by the Executive Order on Security.
- The examined systems of government institutions that are used to handling large amounts of confidential data, such as the Police, Statistics Denmark and SKAT (the Danish Customs and Tax Administration), do not meet all the requirements of the Executive Order on Security either.
- In practice, this means that Statistics Denmark is unable to trace whether a member of its staff has made unauthorised searches if, for instance, information on a person’s prior sentences has leaked.
- In July 2014, the Danish Data Protection Agency concluded that the logging requirement also applies to Statistics Denmark. The Data Protection Agency and Statistics Denmark are still in dialogue on the issue.
- Confidential data on companies is not sufficiently protected and officially regulated.
- Unlike the protection of confidential data on persons, the protection of confidential data on companies is not regulated by special legislation.