Deputy Data Protection Ombudsman: collection of location data should not be automatically switched on in employees’ computers without a reason
The Office of the Data Protection Ombudsman asked service providers in the public sector for a report on use of the location data function in computers used by employees in the municipal sector and in central government. The background for the report was a notification of a data security breach filed by the Hospital District of Northern Savo, according to which settings that allowed the collection of location data were switched on in employees’ Windows 10 workstations although there was no intention to collect the data. Laptop computers were used in remote work, for instance.
The Office of the Data Protection Ombudsman requested information about the matter from Istekki Oy, which provides ICT services for the Hospital District of Northern Savo. During the investigation, information about use of the location function was also requested from the Government ICT Centre Valtori. Both Istekki Oy and Valtori reported that collection of location data is by default switched on in the Windows 10 operating system, and that their customers had not given them other instructions.
Information was also requested from Kuntien Tiera Oy. The company says that the location data setting has been switched off in ICT environments it has provided to its customers.
An employer may only process personal data necessary for an employee’s employment relationship
The Deputy Data Protection Ombudsman finds that the hospital district did not have a need, as required by law, for processing employees’ location data, and that the hospital district did not appropriately review what data it intended to collect. Since the employees’ location data were unnecessary for the employer and collected unintentionally, these data should not have been processed.
In order to ensure data protection by default, the hospital district should have reviewed the basic settings of the system and noticed that the location function was switched on before deploying the workstations. The Deputy Data Protection Ombudsman observed that since the location function was switched on, employees’ personal data were delivered to Microsoft as well.
The Deputy Data Protection Ombudsman cautioned the hospital district for keeping the location data function switched on without a reason, and ordered it to erase any historical data, location logs and other personal data created during use of the location data function. The hospital district has reported that it deactivated the setting in employees’ workstations.
Collection of location data has broadly affected employees in the public sector
The Deputy Data Protection Ombudsman reminds processors of personal data that they should, in their own best interest, ensure that they do not act on the basis of inadequate guidelines issued by a controller.
In order to stop automatic collection of location data, the service providers were ordered to ensure that the function is not automatically switched on in current customers’ workstations without a reason. The service providers must erase data that were created when the location data function was switched on by default. A time limit was imposed for implementing these orders, and it was extended until 31 October.
The decisions of the Deputy Data Protection Ombudsman are estimated to apply to processing of location data of tens of thousands of employees in the public sector.
The Deputy Data Protection Ombudsman’s decision concerning the Hospital District of Northern Savo in Finlex (in Finnish)
The Deputy Data Protection Ombudsman’s decision concerning Istekki Oy in Finlex (in Finnish)
The Deputy Data Protection Ombudsman’s decision concerning Valtori in Finlex (in Finnish)
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. 029 566 6787