Communication of a personal data breach in the Danish Immigration Service
The Danish Immigration Service has become aware of a Personal data breach in the Adgangs- og Meldepligt system AMS (formerly the SALTO-system) and hereby notify the public and potential data subjects about the breach.
The Danish Data Protection Agency have in a decision dated 10 August 2021, found the Danish Immigration Service’s processing to be in contravention of article 32, 33 and 34 of the GDPR and have filed a report to the police in this regard.
The Danish Immigration Service has, based on the Danish Data Protection Agency’s decision, decided to re-evaluate the question in regards to notifying the data subjects regarding the data breaches in the AMS for the periods from 9-10 June, 2-3 July and 17 July 2020.
Therefor the Danish Immigration Service hereby notify the data subjects in regards to the above-mentioned data breaches.
Course of events
During the summer of 2020, the Danish Immigration Service became aware that due to different factors there had been some unscheduled interruptions in the system.
The AMS collects data for cases regarding a foreign national’s compliance with his or her obligation to notify and stay at a specified accommodation facility, cf. the Danish Aliens (Consolidated) Act, paragraph 42 a.
The Danish Immigration Service decided together with other authorities to initiate a thorough examination of the AMS and was able to determine multiple breaches in the AMS do to unscheduled interruptions of the system.
The interruptions of the system caused a loss of personal data. This was determined at a later stage and not when the interruptions was identified.
The periods where a partial loss of data occurred is 9-10 June, 2-3 July and 17 July 2020.
The interruptions and the failure to identify the loss of personal data is due to multiple factors - among them human error and insufficient backup frequency.
Personal data that was subject to the breach
Information regarding entering and exiting Return Centre Kærshovedgård has to some extend been lost for the periods 9-10 June, 2-3 July and 17 July 2020. The same applies for Return Centre Sjælsmark for the periods 2-3 July and 17 July 2020.
The information registered in the AMS was information identifying the residents at the centre, and information whether the residents’ access card had been scanned at the entry point at Return Centre Kærshovedgård or Return Centre Sjælsmark
The consequence of this is that a resident could be registered as absent from the return centre in the periods 9-10 June, 2-3 July and 17 July 2020.
Data subjects who can be subjects to the breach
Rejected foreign nationals residing at Return Centre Kærshovedgård in one or more of the periods 9-10 June, 2-3 July and 17 July 2020, or Return Centre Sjæls-mark for the periods 2-3 July and 17 July 2020, and who by the Danish Immigration Service was subject to an obligation to notify and stay at a centre, could be af-fected by the breach.
Possible consequences for the Data subjects
The consequence of the breach of personal data is that a data subject could be listed as absent from the Return Centre Kærshovedgård or Return Centre Sjælsmark.
The effects of this could amongst other things be that cases regarding lowering of benefits for rejected foreign nationals could have been initiated, and that a police report could have been filed for a rejected foreign national’s violation of his or her obligation to notify and stay at a centre in the specified periods even though the rejected foreign national in question had been present at the centre.
Consequences from this is a loss of reputation from being reported to the police. Likewise, the incorrect data could have had influence on future violations, repetitions and similar legal assessments.
Handling of the data breaches
The Danish Immigration authorities have abstained from filing police reports for violations in the abovementioned periods and have recalled police reports that has already been filed. Likewise, The Danish Immigration Service have notified the public prosecutor’s office that they cannot use data from those dates. The Danish Immigration Service has also disregarded the periods in questions when calculating benefits.
The Danish Immigration Service therefor finds that the data breaches has been handled and effectively been contained in relation to all the rejected foreign nationals who resided at the centres in question in the above mentioned periods.
With the knowledge the Danish Immigration Service have at this point in time it is assessed that no one had benefits lowered or revoked on faulty premises in the period 2-3 July and 17 July 2020. Furthermore, it is the assessment that no one was unjustly sanctioned for violating his or her obligations
The immigrations authorities have also:
- Repeated our data guidelines to our suppliers.
- Enacted further technical measures among others tightening system monitoring, increased back-up frequency and extension of logging period
On 1 August 2020, the Danish Return Agency took over the responsibility of ensur-ing compliance with the obligation to notify and reside at a specified accommodation facility for rejected foreign nationals, and the duty to report from the Danish police, as well as reporting such violations to the Danish police. In December 2020, the Director of Public Prosecutions suspended the use of data from the AMS for processing criminal cases after which the processing of the cases has been based on manually registered data.
In January 2021, the Danish Ministry for Immigration and Integration initiated an external investigation of the AMS. The Danish Return Agency have continuously tightened the control procedures in case processing.
What do you have to do?
The Danish Immigration Service assess that you do not need to take any actions if you are a data subject, since the data breaches have been stopped and the consequences mitigated.
If you have questions?
If you have questions, or you think you are one of the data subjects included in the breach, you can contact the Danish Immigration Service's Data Protection Officer via our contact form or via email email@example.com