In 2021, 5800 incidents regarding personal data were reported to IMY, the Swedish Department responsible for this area. It is an increase of 25% versus earlier year. Compared to other countries in EU this number is average, but compared to most mature countries in EU like Netherlands, Denmark, Ireland were the awareness and easiness to report incidents is higher, this number is low. We can therefore expect the number of reported incidents involving personal data to increase the years ahead in Sweden.
Most common reasons
The most common reason for incidents to happen is the human error. Many mistakes are done by persons when handling personal data and that means personal data, and often sensitive personal data, is shared to persons or organisation that should not have access to it. The most common issue is that personal data is sent in letters, sms and mails and lands in the wrong hands. The second largest issue is the access rights. People that should not have access to personal data has it.
Most common organisations
The majority (or 66%) of the incidents happens in the public sector and more specifically in the Healthcare area. It can for instance be information about diagnosis or illness that is send to the wrong persons or organisation. In the private sector, antagonistic attacks are second largest reason for incidents.
Recommendations from IMY, to companies and organisations
1. Protect your organisation towards unauthorized access and antagonist attacks though:
- Build in data protections work from the beginning and integrate it into way of working and technology.
- Work pro-actively and learn from mistakes.
- Work systematically with information security and data protection. No ad-hoc work!
- Strengthen your ability to be pro-active, discover and handle incidents so personal data is protected. Be prepared!
- Secure a good handling of passwords. You have heard it before, but it is still not handled well in may organisations!
- Prevent incidents with good handling and management of accesses to personal data.
- Have good routines for handling personal data when persons end their employment
- Have regular training’s and information’s about handling of personal data. Persons need to be reminded!