Danish municipalities need to do more for processing security, report shows

The Danish Data Protection Authority inspected 48 municipalities.

There are still challenges around processing security among Danish municipalities, a new report from Datatilsynet shows.

Datatilsynet, the Danish Data Protection Authority, inspected 48 of Denmark’s 98 municipalities, and found that most of the areas that require more attention were the same as in the last inspection in 2022. The inspection, where the municipalities made a self-evaluation in relation to basic processing safety, showed that the top five areas where more focus is needed, included:

  • procedures for deletion;
  • measures to make sure that no personal data is accidentally shared in connection with outgoing emails;
  • rights management;
  • consequence analysis; and
  • domain security.

By supervising the municipalities’ maturity of ​​processing security, Datatilsynet says it provided both the authority and the municipalities an overview of “where the municipalities should concretely take action here and now in order to live up to the rules.”

Based on the results, the Authority has also created guidance to tackle the five areas that need more attention. All the municipalities have also received an individual report with specific recommendations to enhance processing security, including an additional collective overview of all the recommendations that were made out to all participants in the inspection.

Some of the provided recommendations and requirements relating to best practice of basic processing security includes current practice from Datatilsynet, and from guidelines, recommendations and standards from other bodies such as the Center for Cyber ​​Security, the Danish Agency for Digitalisation, NIST Cyber ​​Security Framework, and more.

Supervisory focus

In January, the Data Protection Authority announced its supervisory focus for 2024, where one part was a fundamental review of data processing security at municipalities and regions.

Datatilsynet has carried out inspections on basic processing security in many of the country’s municipalities and regions since 2020, which has increased the number of physical inspection visits, criticism and injunction decisions, and criminal proceedings. It has also resulted in new guidance initiatives.

This year, the Authority announced that the focus will be on following up in several areas where supervisory efforts had earlier uncovered problems with data processing security, including some instances where cases have been handed to the police – including the encryption of portable data media, the use of scanning tools and the preparation of impact analyses.

In total, 12 focus areas were outlined for 2024, with both new and recurring themes present.