Penalty for sharing passwords at work

The data controller is obliged to train its employees in data protection and digital rights. This is not only a legal obligation, deriving from Articles 24.1 and 39.1 of the RGPD and Article 88.3 of the LOPDGDD, but also a fundamental part of the good health of any company.

Who has never left their computer unlocked when stepping away from their desk? Or who has never lent their access codes to a co-worker so they could look something up?

Economic risks and loss of confidentiality

These practices may seem everyday and unimportant, but they pose a high risk for data controllers: financially, because of the risk of penalties, as we shall see, and operationally, because they endanger the confidentiality of the information the company processes.

As an example, consider Resolution PS 13/2024 issued by l’Autoritat Catalana de Protecció de Dades (APDCAT), in which an employee of a City Council found herself in the following situation:

City Council staff verbally asked the employee to give a newly hired colleague her personal access codes for certain platforms, which the new employee needed in order to carry out her duties.

It should be noted that the City Council did not issue the new employee her own personal access codes from the start of her employment, but only at a later date.

In this situation, the employee handed her personal access codes over to the new employee.

The Catalan supervisory authority notes the following in its resolution:

Consent was not free

As regards the employee’s consent to a third party using her personal access codes, it is considered that the City Council employee did not give her consent to the use of her codes freely and voluntarily, taking into account the employment relationship between her and the local corporation.

On the other hand, had the employee refused to provide her personal access codes to the external person performing support tasks, given that the use of those codes was necessary for the performance of the functions assigned to that person, this could have had negative consequences for the City Council employee on the part of the latter.

The City Council is responsible for this situation

With regard to the sharing of access credentials between the two workers, the City Council must be held responsible for its failure to provide the new worker with the tools necessary for the performance of her assigned functions, in this case the use of certain platforms that she had to access with a personal password. Therefore, the unlawful processing of this personal data is the responsibility of the City Council, and not of the workers.

In the case under analysis, the Catalan supervisory authority found an infringement of art. 5.1 a) RGPD, which constitutes a very serious infringement under art. 83.5 RGPD and art. 72.1 a) LOPDGDD.

Recommendations

If you are a worker and your daily work requires usernames, passwords, PINs or any other access key that is considered personal, you must not share them with anyone: doing so constitutes a processing of personal data for which there is no legal basis under art. 6 RGPD.

Companies must not lose sight of the fact that legal entities are liable for the actions of their employees or workers, as stated by the Supreme Court (Judgment No. 543/2022, ECLI:ES:TS:2022:543):

“Finally, it should be recalled that legal entities are liable for the actions of their employees or workers. In this sense, STC 246/1991, of 19 December, FJ 2: the company cannot be excused on the basis of its own diligent conduct, considered separately from the conduct of its employees; rather, it is the ‘culpable’ conduct of the latter, resulting from the breach of the existing security measures, that is the basis for the company’s liability in the sanctioning sphere for the ‘own’ acts of its employees or officers, not those of third parties.”

Beyond what has been said so far, the most important thing is that all employees know their functions and carry them out in compliance with data protection regulations at all times. Basic cybersecurity training teaches them how to react to events such as this one, as well as to security breaches and attempted cybercrime. Together with training in data protection and digital rights, it is essential for creating or strengthening a culture in this area and for avoiding sanctions and reputational risks. Training is an investment.

Business Adapter® at your service

If you need training or advice, contact us by email at info@businessadapter.es, call 96 131 88 04, or leave your message using our contact form:

Contact us, we will be pleased to help you: https://businessadapter.es/contacto