(CMR) A “Vaccine Challenge” held by the Ministry of Tourism and Transport to incentivize the public to get vaccinated against COVID-19 breached data protection policy, the Office of the Ombudsman has found.
This breach was highlighted by the Ombudsman as International Data Protection Day (28 January) is being celebrated.
The names of the winners in the “Vaccine Challenge” were published; that data was sensitive personal data under the Data Protection Act, as it revealed the vaccination status of the data subjects.
The Ombudsman conducted an own-motion investigation and found that the Ministry did not meet the requirements of the first data protection principle because it did not provide an adequate privacy notice explaining the purposes for processing the data.
The Ministry also did not have valid consent or another legal basis for the processing as required by law. In addition, the publication of the data was excessive in relation to the stated purposes, in breach of the third data protection principle, the Ombudsman stated.
Since the Ministry fully cooperated with the Ombudsman and ceased the publication of the sensitive personal data of the winners of the challenge, including its removal from all media and social media under its control, the case was closed.
The Ombudsman made recommendations for any similar initiative in the future that individuals should be provided with a compliant privacy notice, that a legal basis for processing should exist, and that more privacy-friendly options be found.