#1275990: #privacy: UN entities “not subject to the GDPR” UNICEF media chief explains after data breach

Description: UNICEF, the United Nations children’s agency, has said it may have caused a data breach revealing the private information of thousands of online learners through the Agora platform.

The Agora website gives UNICEF staff and members of the public access to free training courses on children’s rights, humanitarian action, research and data.

An email containing the private data of 8,253 users enrolled in courses on immunisation went out to around 20,000 Agora users in late August of this year.

When quizzed about the leak, UNICEF’s media chief, Najwa Mekki, told the Devex website:

“This was an inadvertent data leak caused by an error when an internal user ran a report … The personal information accidentally leaked may include the names, email addresses, duty stations, gender, organization, name of supervisor and contract type of individuals who had enrolled in one of these courses, to the extent that these details were included in their Agora user’s profile.”

“Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments. These measures will prevent such an incident from reoccurring,” Mekki continued.

This week, Agora members were sent a message explaining that they may have been sent an email on August 26th which contained “a spreadsheet that included the basic personal information of some of our users.”

The users were requested to “permanently delete the email and all copies of the file from your mailing system and download folder, as well as from [their] recycle bin.”

The message also contained an apology from UNICEF and an explanation about the launch of “an internal assessment and review…as soon as the issue was reported.”

“The problem was quickly addressed to ensure that it does not happen again,” the email continued.

Managing director of CyberSMART, Clare Sullivan, explained to Devex that UN agencies are probably “exempt” from the EU’s General Data Protection Regulation (GDPR), a reality that is yet to be tested in a lawsuit. If a UNICEF data breach were subject to the GDPR, the organisation would have to notify the relevant data protection authorities within 72 hours of the leak having been discovered.

The case was not reported to any further authorities, Mekki explained, stating: “UN entities are not subject to GDPR.”
More info: https://gdpr.report/news/2019/09/10/privacy-un-entities-not-subject-to-the-gdpr-unicef-media-chief-explains-after-data-breach/

Date added Sept. 11, 2019, 6:57 p.m.
Source gdpr