Garante per la protezione dei dati personali (Italy) - 10027595

From GDPRhub

Revision as of 15:03, 21 June 2024

Garante per la protezione dei dati personali - 10027595
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 9 GDPR
Article 25 GDPR
Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.05.2024
Published:
Fine: 75,000 EUR
Parties: Azienda Ospedale - Università Padova
National Case Number/Name: 10027595
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a university hospital €75,000 for failing to protect patients' health dossiers from unlawful consultation and for using the data they contained for purposes unrelated to the patient's own care.

English Summary

Facts

The DPA opened its investigation after a complaint from a data subject and four data breach notifications made by the controller, a university hospital that operates a health dossier system containing its patients' health data.

The breach notifications revealed, first, that the dossiers of several data subjects had been accessed by employees who were not caring for those patients at the time. On this point the controller argued that the accesses were made for "follow-up purposes" or to improve the care of other patients who presented the same conditions as the data subjects.

Moreover, one of the notifications concerned a data subject who was both a patient and an employee of the hospital: after the unauthorised accesses to their dossier, rumours about their health condition spread among colleagues. In that case the access was made not by a health professional but by an administrative clerk. The controller argued that administrative staff need access to the dossier to carry out tasks such as transferring medical records to the judicial authority when required or managing medical bills.

Finally, the complainant's own dossier had been accessed four times, with 13 documents consulted, because the holders of the login credentials had left their workstations unattended with a session open, allowing unidentified persons to use them.

Holding

First, the DPA considered the accesses made with the aim of treating a new patient who presented the same condition as the data subject. The DPA recalled that the processing of health data held in the dossier serves to provide better healthcare to the data subject it concerns. Processing that data for further purposes, such as informing the treatment of other patients or managing medical bills, would require its own legal basis. Moreover, these further purposes were not mentioned in the privacy notice given to the data subject. The DPA therefore found a violation of Articles 5(1)(a), 5(1)(c), 9 and 25 GDPR.

Second, the DPA examined the fact that administrative staff were also allowed to access the dossier. According to the controller, they needed it to comply with requests from the judicial authority and for other accounting and administrative tasks. The DPA drew a distinction between the "health dossier" and the "medical record". The medical record is the document that officially certifies a person's health condition during their hospitalisation and does not require consent. The health dossier, by contrast, exists only to improve the patient's care; it requires consent, and a patient may have individual documents obscured from it or withhold consent to its creation altogether. As a consequence, the dossier may hold only partial and incomplete information about the data subject's health. In the DPA's view, using it to answer the judicial authority would lead to a paradox: information relevant to an investigation would be withheld because the data subject had obscured it, or could not be provided at all because no dossier existed. More generally, the DPA pointed out that this conflicts with the principle of accuracy. The DPA held that granting access to administrative staff was not necessary and found a violation of Articles 5(1)(a), 5(1)(c), 9 and 25 GDPR.

Third, the DPA found that the controller had not implemented sufficient measures to prevent unauthorised access. In particular, it had no system in place to raise an alert when an account made an unusual number of accesses, and the inactivity period after which a session was locked (30 minutes) was too long: an unattended workstation stayed usable by anyone nearby for up to half an hour. The DPA therefore found a violation of Articles 5(1)(f), 25 and 32(1) GDPR.

On these grounds, the DPA imposed a fine of €75,000 and ordered the controller to restrict dossier access by staff who are not directly involved in the data subject's care.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10027595]

Provision of 9 May 2024

Register of measures
n. 295 of 9 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, secretary general;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the "Code");

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and at www.gpdp.it, doc. web n. 9107633 (hereinafter "Guarantor Regulation n. 1/2019");

HAVING SEEN the documents on file;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n.1098801;

Speaker: Prof. Ginevra Cerrina Feroni;

GIVEN

1. Complaints, violations of personal data and preliminary investigations

The Authority received, between the month of XX and the month of XX, a complaint and four data breach notifications concerning the processing of personal data carried out through the health dossier of the Padua University Hospital (hereinafter the Company).

In relation to the breach notification of XX, it emerges from the documents on file that there were four accesses to the health dossier of a data subject, between the month of February and the month of XX, by three persons who "carried out the access without respecting the indications of the Company Management for access to the DSE". Such accesses "do not appear to have been made for diagnosis and treatment purposes even if they were carried out by healthcare professionals who had previously treated the interested party or were carried out for a clinical comparison". In this regard, with note dated XX, the Company, in highlighting that it had sent a "report of violation of personal data, for the relevant measures" concerning the persons who had carried out "improper access to the DSE", represented that "the purposes of accessing the DSE were (...) clinical review of the treatment path relating to the subject concerned and related verification of the outcome of the same; analysis carried out by professionals belonging to the same operational unit/departmental area in which the interested party had previously been taken care of, for the sole purpose of verifying the effectiveness of this diagnosis and treatment process, and the possible application of the same path to cases concerning the same pathology". It was also specified that "From the checks carried out, it cannot be said that it was a clinical research activity but rather a verification of the outcomes of previous clinical cases useful for the management of similar cases".

With the notification of violation dated XX, the Company then stated that there had been a further four accesses to the dossier of the same interested party referred to in the accesses notified dated XX by some healthcare workers, including one of those who had already carried out the accesses subject to previous notification "which had previously had the interested party under treatment or were made for the purposes of retrospective study". According to what is stated in the documents, this is the same case as in the previous violation notification, but refers to accesses that occurred immediately following the first report made by the interested party. Also in this case, the Company, with the aforementioned note of the XX, in highlighting that it has sent a "report of violation of Personal data, for the relevant measures" towards the subjects who have carried out "improper access to the DSE”, represented that “the purposes of accessing the DSE were (…) clinical review of the treatment path relating to the interested subject and related verification of the outcome of the same; analysis carried out by professionals belonging to the same operational unit/departmental area in which the interested party had previously been taken care of, for the sole purpose of verifying the effectiveness of this diagnosis and treatment process, and the possible application of the same path to cases concerning the same pathology". Also in relation to this case, it was also specified that from "the checks carried out it cannot be said that it was a clinical research activity but rather a verification of the outcomes of previous clinical cases useful for the management of similar cases";

With the breach notification of XX, the Company represented that there had been eight accesses to the health dossier of a data subject who was both a patient and an employee of the Company, "without any connection with the diagnosis and treatment activity provided to the interested party. As a result, word spread about the data subject's health condition." In this regard, it was stated that "the violation was reported to the University as the employer of the operator whose credentials were used for the unauthorized access", that "from the checks carried out, the accesses to the DSE do not appear to have had a documented and justified purpose", that the author of the accesses is "an administrator" ("administrative profile with the sole possibility of consulting the documents") "employee of the University", and that the facts in question have been reported to the Public Prosecutor's Office of the Republic.

In the month of XX, Mrs. XX submitted a complaint to the Guarantor concerning four accesses to her health dossier, in which 13 health documents were consulted. In relation to this case, the Company submitted a breach notification on XX in which it highlighted that the accesses were caused by "the behavior of three operators consisting in not having manned the computer station while the session was open, effectively allowing others (unidentifiable) to access the data subject's dossier. The three operators acted without respecting the precautions repeatedly prescribed by the Company Management for access to the DSE". In this regard, the Company also represented that the following reasons were recorded for the aforementioned accesses: "Check for follow up", "Urgent check", "Consultation of medical records", and that "in order to minimize the risks, it is proceeding with the review of the authorizations, limiting them to what is strictly necessary".

With regard to the aforementioned breach notifications and the aforementioned complaint, the Office made multiple requests for information (notes of XX, protocol no. XX, of XX, protocol no. XX and of XX, protocol no. XX), to which the Company responded (notes of XX, prot. n. XX, and of XX, prot. n. XX) representing, in particular, that:

“Through the company health dossier, this company pursues diagnosis and treatment purposes”;

“The rules for accessing the health file have been reviewed and communicated to all staff”;

“The Company became aware of the aforementioned anomalous accesses following a request for access to the logs to the DSE of the interested parties”;

“An “alert” system has been developed, the functions of which are being verified and refined for future activation”;

"as regards both the qualification procedure and the levels of access to the health dossier, in force at the time of the facts covered by the notifications", a document entitled "Method for issuing and managing the username and password of the company IT programs S.S.II. and GALILEO" was attached, from which it can be seen that both the health and administrative areas of the Company can access the health dossier (e.g. mobility office, information point, check-in office, cash register operators, management control, insurance/agreements office). According to what was declared in the documents, this document is "in an advanced stage of revision". The document sent during the investigation still provided for access to the dossier by the administrative area of the Company (e.g. information point, reception office, cashier operators, management control, insurance/agreements office);

“In any case, you must be authorized to access the health file and each access is logged. If access occurs outside the time of care of the interested party, it is necessary to justify the reasons for the consultation, choosing, in the procedure, one of the codified reasons among those predefined by the Company (drop-down menu)";

"the administrative staff of this Company (employee or university in agreement) accesses the health file to consult only the information essential to carry out administrative functions", for example "verifies the completeness of the DEA Emergency Room folder, printing any consultations provided; checks/requests any payments due; supports the Director of the UOC in verifying any exemptions due to pathology; manages inmate service charges; prints the test results for filing in the medical record; delivers reports to patients; downloads and prints the medical record of the discharged patient from the management system; downloads and prints the documentation to prepare the pre-admission file; finds and prints the documentation upon request of the Judicial Authority; acquires paper documentation, external reports, etc. into the system; organizes post-hospital outpatient services";

“A timely review of users is underway, in order to limit access to the Electronic Health Record only to personnel involved in the treatment process, including therein, as required by the 2015 Data Protection Authority Guidelines , the administrative staff, authorized to access the DSE, to consult the information essential to carry out the administrative functions for which they are responsible";

“university staff under agreement carry out the same functions and use the same means as hospital staff and are appointed as authorized, similarly to what happens for employed staff”;

"On 30/05 last, the alert function on the use of the "enable patient access" function was activated. Every time an operator presses the button called "Enable Patient Access" from the Galileo front-end (a function that allows the display of health documentation to be expanded to the DSE of a patient not in care), a record is written in the Galileo DB, inside the RELEASE_TRACE table, with a series of information including: date and time of the operation, user ID who performed the operation, patient ID on which the operation was performed, etc. Once per day (currently at 3:29 pm) a specific job is started which counts the users who have used the "Enable Patient Access" function more than 10 times in the previous 24 hours. (...). Random checks have already been carried out and will be performed with a frequency of 2/3 times a week in order to better define the types of access and evaluate their real need. If, following the outcome of the checks, the Medical Management identifies improper access to the DSE, it will report the event as a possible Data Breach to the Disciplinary Procedures Office or to another competent Authority, for the consequent obligations";

“The number of health files currently present in the Company is 154,728”.
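The alert the Company describes above (a once-a-day count of users who pressed "Enable Patient Access" more than 10 times in the previous 24 hours) is the kind of measure the DPA found missing at the time of the facts. As an added example, not code from the decision or from the hospital's Galileo system, the Python below runs three detectors over a constructed audit trail: the daily batch count as the Company describes it, a rolling 24-hour window, and a per-patient check for several operators opening one dossier. The row layout, identifiers, reason strings and sample rows are assumptions; only the threshold and the daily batch run come from the decision. The sample is built so that one user stays under the batch threshold in every run while exceeding it within a single 24-hour span, which only the rolling window reports.

```python
"""Anomaly detection over a constructed "Enable Patient Access" audit trail.

Added example: not code from the Garante decision or from the hospital's
Galileo system. Row layout, identifiers and sample rows are constructed; only
the threshold (more than 10 uses in 24 h) and the daily batch run mirror the
decision.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed rows: (ISO timestamp, user id, patient id, reason chosen from the
# drop-down at access time). Each row is one expansion of the dossier of a
# patient not currently in the operator's care.
SAMPLE_TRACE = [
    # u_alpha: 8 accesses before the 15:29 daily cut-off and 8 shortly after it,
    # i.e. 16 within a few hours but never more than 8 per batch window.
    *[(f"2024-03-01T{12 + i // 4:02d}:{(i % 4) * 15:02d}:00", "u_alpha", f"p_{i:03d}", "Check for follow up")
      for i in range(8)],
    *[(f"2024-03-01T{16 + i // 4:02d}:{(i % 4) * 15:02d}:00", "u_alpha", f"p_{100 + i:03d}", "Check for follow up")
      for i in range(8)],
    # u_beta: 11 accesses inside one batch window, caught by both detectors.
    *[(f"2024-03-02T{8 + i // 4:02d}:{(i % 4) * 15:02d}:00", "u_beta", f"p_{200 + i:03d}", "Urgent check")
      for i in range(11)],
    # one patient opened by three different operators within minutes.
    ("2024-03-03T09:00:00", "u_gamma", "p_777", "Consultation of medical records"),
    ("2024-03-03T09:10:00", "u_delta", "p_777", "Consultation of medical records"),
    ("2024-03-03T09:20:00", "u_eps", "p_777", "Check for follow up"),
]


def parse(rows):
    """Parse and sort rows by time; the detectors rely on chronological order."""
    return sorted(((datetime.fromisoformat(ts), u, p, r) for ts, u, p, r in rows),
                  key=lambda rec: rec[0])


def daily_batch_alerts(rows, threshold=10, run_hour=15, run_minute=29):
    """The scheme the hospital described: once a day, count each user's accesses
    in the previous 24 h and report those above the threshold.
    Returns a set of (run date, user) pairs."""
    events = parse(rows)
    run = events[0][0].replace(hour=run_hour, minute=run_minute, second=0, microsecond=0)
    if run < events[0][0]:
        run += timedelta(days=1)
    alerts = set()
    while run <= events[-1][0] + timedelta(days=1):
        counts = defaultdict(int)
        for ts, user, _, _ in events:
            if run - timedelta(hours=24) < ts <= run:
                counts[user] += 1
        alerts.update((run.date().isoformat(), u) for u, n in counts.items() if n > threshold)
        run += timedelta(days=1)
    return alerts


def sliding_window_alerts(rows, threshold=10, window=timedelta(hours=24)):
    """Rolling-window variant: flag a user the moment the (threshold + 1)-th access
    lands inside any 24 h span, independent of a batch cut-off time.
    Returns [(user, ISO time of the triggering access)], one entry per user."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, user, _, _ in parse(rows):
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:      # evict accesses that fell out of the window
            q.popleft()
        if len(q) > threshold and user not in flagged:
            flagged[user] = ts.isoformat()
    return sorted(flagged.items(), key=lambda kv: kv[1])


def shared_patient_alerts(rows, min_users=3, window=timedelta(hours=24)):
    """Per-patient view: several distinct operators opening one dossier inside a
    window is the pattern behind the complaint; a per-user count never sees it.
    Returns {patient: sorted list of user ids}."""
    by_patient = defaultdict(list)
    for ts, user, patient, _ in parse(rows):
        by_patient[patient].append((ts, user))
    alerts = {}
    for patient, hits in by_patient.items():
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start < window}
            if len(users) >= min_users:
                alerts[patient] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    print("daily batch   :", daily_batch_alerts(SAMPLE_TRACE))
    print("sliding window:", sliding_window_alerts(SAMPLE_TRACE))
    print("shared patient:", shared_patient_alerts(SAMPLE_TRACE))
```

A daily job with a fixed cut-off lets an operator spread accesses across two runs; a rolling window keyed on each access closes that gap and can fire while the operator is still at the workstation. The per-patient view matters because the complainant's case involved few accesses per operator but several operators on one patient. In a deployment the trace would be read from the logging table rather than a literal, and alerts would feed the Medical Directorate's review queue rather than standard output.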

In relation to the investigations described above, the Office, with reference to the authorization profiles for access to the company dossier, the alert systems and the safeguards adopted by the Company to ensure the integrity and confidentiality of the data, with a note of XX (prot. n. XX) ordered the joinder of the proceedings and notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in article 58, par. 2 of the Regulation, inviting the controller to submit defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

Following the aforementioned notification, the Company sent its defense briefs with note dated XX (prot. n. XX), requesting to be heard and representing, in particular, that:

in two of the cases under investigation (notifications of the XX and your password, in violation of the aforementioned Regulations and operating instructions given by the owner, effectively allowing unknown persons to acquire patient health data contained in the DSE, during the short period of time that elapses until the automatic closure of the session";

"in the other cases (notifications of violation of the XX and the same data, or from other doctors who were trying to verify the outcome of previous clinical cases, a useful assessment for the management of the same rare pathology in patients they were caring for (sometimes improperly classified as a "retrospective study")";

the events under investigation concerned "a small number of people" and that the "number of documents viewed is decidedly limited";

the Company took prompt action, also by initiating "disciplinary proceedings against the operators for having contravened precise company instructions given by the Controller and the rules established to govern access to the computerized archive of patient health data" and by reporting the conduct of the authors to professional associations and, in one case, to the Public Prosecutor's Office;

training for the persons authorized to process data has been intensified and "the verification, which has always been carried out, of the correct attribution of the authorization profiles for access to the DSE has been accentuated, in consideration of the tasks carried out by the staff, taking into account the high number of staff and staff turnover", in order to achieve the "complete elimination of qualified administrative profiles";

“The Qualification Procedure is still being revised, the reformulation of which on the basis of the requirements provided by the Authority involves an in-depth analysis of the complex company organization and the evaluation, taking into account the context in which the Company finds itself operating, of the adoption of alternative technological measures and systems for carrying out administrative accounting activities to satisfy information obligations required by law. In particular, it is highlighted that the revision of the Procedure in question is also related to the new Operating System (SIO) which will be adopted by all companies of the Regional Health Service".

During the hearing, held remotely on XX, the Company further illustrated the actions implemented in relation to the cases under investigation (e.g. a disclaimer, activated on XX, which warns the operator of the limits and responsibilities associated with access; alerts for anomalous accesses introduced on XX; implementation of training activities) and described the configuration of the company health dossier application in force starting from the month of XX.

During the hearing, the Company reiterated what was stated in the defense briefs regarding its intention to eliminate all administrative profiles authorized to access the health dossier and undertook to send documentation on this point, as well as on the configuration of the dossier at the time of the facts under investigation: the logic currently used, and used at the time of the facts, to determine the persons authorized to access, the different depths of access to the dossier, the reasons for access by personnel not involved in the treatment path (with particular reference to the item "consultation of medical records"), the time after which a workstation is locked for inactivity, and the reasons behind these choices.

On the basis of what was declared during the hearing, the Company integrated the documentation in the documents with the note of the XX in which it was represented, in particular, that:

"both at the time of the facts examined and today, the qualifications are made by choice of the Director/Head of the Operational Unit or his delegate";

regarding the different depths of access to the dossier, "consistent with the operational needs of each profile (for example, the medical profile has no limitations in the functions that can be used, while the nurse profile cannot modify the medical history, physical examination, discharge letter or therapy prescription). To differentiate the depth of access to the electronic health record, the "Galileo" management system currently allows, following the evolutionary interventions carried out, the following configurations, attributable to the different professional figures who contribute to the patient's care path: exclusive access to the current episode of care (hospitalization) without the possibility of accessing the patient's medical history; access to the patient's DSE exclusively in the case of ongoing events (hospitalization and outpatient) without the possibility of accessing the DSE for non-current events; access to the patient's DSE both in the case of ongoing events (hospitalization and outpatient) and in the case of events which, although involving contact with the patient (e.g. telephone consultation, reporting by the interested party of adverse events, etc.), cannot be automatically codified from an IT point of view as ongoing episodes, with the clarification that such access can only take place after specific justification through codified reasons further detailed in free text";

"on the reasons provided currently and at the time of the facts in question for access to the dossier by personnel not involved in the treatment process, with particular reference to the item "consultation of medical records": at the time of the facts the motivation "consultation medical records" was inserted as a particular declination of the "Check for follow up" reason to specify the type of documentation to which access was made; currently this category has been eliminated as it is referred to the aforementioned item";

“both at the time of the facts and currently the expected downtime after which the workstation will be blocked is equal to 30 minutes. This timing was determined in agreement with the operational unit directors as the best balance between the needs of protecting the safety of access to the workstation, on the one hand, and guaranteeing the effectiveness of care activities on the other. The topic is the subject of a re-evaluation in relation to the specific needs connected to the different operational areas, with the aim of reducing the latency time to a minimum, also differentiating it without however compromising the requirement of effectiveness of the assistance path";

"finally, it is considered necessary to note that, with a view to minimizing risk, a reorganization of pre- and post-care administrative support activities is underway which, so far, has led to a significant decrease in the number of DSE access authorizations for administrative personnel. This activity, already underway, is proceeding rapidly and will be completed by the twentieth, the deadline for the deactivation of all workstations available to such personnel, even if used for activities complementary to patient care";

regarding control activities/improvement actions, "access to the DSE of a patient not currently under the care of the operational unit generates a disclaimer which notifies the healthcare worker that such access will be tracked and monitored and if necessary sanctioned. The disclaimer lists the cases for which this access is legitimate and can be carried out, asking the operator to justify the reasons for his action; An alert and control system is active, via e-mail forwarded to the Medical Directorate in the case of multiple accesses to the DSE by a single professional on the same day. On the basis of these reports, the Medical Directorate proceeds with the control, contacting the operators and verifying with them the reasons for the accesses; The workstations are equipped with a password-protected screen saver which comes into operation and blocks access to the PC after a short period of inactivity".
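The three access depths the Company describes above, together with the DPA's findings that administrative profiles should not reach the dossier and that "follow-up", retrospective study, billing and judicial requests are not purposes the dossier may serve, amount to an authorization policy that can be written down and tested. The Python below is an added example, not the Galileo configuration or any code from the decision; the profile names, reason codes and record layouts are assumptions chosen to mirror the page. It decides whether a request reaches nothing, the current episode only, or the whole dossier, and marks out-of-episode access as break-glass so that it is logged and reviewed.

```python
"""Access-depth policy for a hospital health dossier (DSE).

Added example: not the hospital's Galileo configuration and not code from the
Garante decision. Profile names, reason codes and the episode/document/request
layouts are assumptions mirroring the three access depths the Company described
and the DPA's holdings.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Profile(Enum):
    EPISODE_ONLY = "episode_only"            # e.g. nurse: current admission, no history
    CURRENT_EVENTS = "current_events"        # clinician: open inpatient/outpatient episodes
    JUSTIFIED_CONTACT = "justified_contact"  # clinician: also contacts not coded as episodes
    ADMINISTRATIVE = "administrative"        # present only to show that it is always refused


# Assumed reason codes. The first set mirrors the contacts the decision names as
# legitimate; the second mirrors purposes the DPA said the dossier cannot serve.
CODIFIED_REASONS = {"telephone_consultation", "adverse_event_reported"}
REJECTED_REASONS = {"follow_up", "retrospective_study", "medical_record_consultation",
                    "billing", "judicial_request"}


@dataclass(frozen=True)
class Episode:
    episode_id: str
    patient_id: str
    unit: str
    is_open: bool


@dataclass(frozen=True)
class Document:
    doc_id: str
    patient_id: str
    episode_id: str


@dataclass(frozen=True)
class Request:
    user_id: str
    profile: Profile
    unit: str
    patient_id: str
    reason: Optional[str] = None
    note: str = ""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    scope: str          # "none", "episode" or "dossier"
    break_glass: bool   # True: outside an open episode, so log it, alert on it, review it
    detail: str


def open_episodes_in_unit(req: Request, episodes: List[Episode]) -> List[Episode]:
    return [e for e in episodes if e.patient_id == req.patient_id and e.unit == req.unit and e.is_open]


def decide(req: Request, episodes: List[Episode]) -> Decision:
    """Policy decision point; checks run from the strictest outward."""
    if req.profile is Profile.ADMINISTRATIVE:
        return Decision(False, "none", False, "administrative profiles do not reach the dossier")
    current = open_episodes_in_unit(req, episodes)
    if current:
        if req.profile is Profile.EPISODE_ONLY:
            return Decision(True, "episode", False, f"limited to episode {current[0].episode_id}")
        return Decision(True, "dossier", False, "patient in the care of the requesting unit")
    if req.profile is not Profile.JUSTIFIED_CONTACT:
        return Decision(False, "none", False, "no open episode in the requesting unit")
    if req.reason in REJECTED_REASONS:
        return Decision(False, "none", False, f"{req.reason!r} is not a care purpose the dossier serves")
    if req.reason not in CODIFIED_REASONS or not req.note.strip():
        return Decision(False, "none", False, "codified reason and free-text justification required")
    return Decision(True, "dossier", True, f"break-glass access ({req.reason}): logged for review")


def visible_documents(req: Request, episodes: List[Episode], docs: List[Document]) -> List[str]:
    """Policy enforcement point: apply the decided scope to the patient's documents."""
    d = decide(req, episodes)
    if not d.allowed:
        return []
    mine = [doc for doc in docs if doc.patient_id == req.patient_id]
    if d.scope == "episode":
        ids = {e.episode_id for e in open_episodes_in_unit(req, episodes)}
        mine = [doc for doc in mine if doc.episode_id in ids]
    return [doc.doc_id for doc in mine]


# Constructed sample data (no real patients): one closed and one open episode.
EPISODES = [Episode("ep_0", "p_1", "cardiology", is_open=False),
            Episode("ep_1", "p_1", "cardiology", is_open=True)]
DOCS = [Document("doc_old", "p_1", "ep_0"), Document("doc_now", "p_1", "ep_1")]
```

The point of separating `decide` from `visible_documents` is that the decision (and its `break_glass` flag) can be written to the audit trail before any document is served, which is what makes the daily or rolling alert counts meaningful. Rejecting "follow_up" and "retrospective_study" outright, rather than accepting them as drop-down reasons, reflects the DPA's finding that those purposes need a different legal basis and a complete information base, not the dossier.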

2. Outcome of the preliminary investigation.

At the outset, it is stated that the processing of personal data must take place in compliance with the applicable legislation on the protection of personal data and, in particular, with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”) and Legislative Decree no. 196 of 30 June 2003 (Code regarding the protection of personal data - hereinafter, the "Code").

With particular reference to the issue in question, it is highlighted that personal data must be "processed in a lawful, correct and transparent manner" (principle of "lawfulness, correctness and transparency") and "in a manner that guarantees adequate security (...), including the protection, through adequate technical and organizational measures, from unauthorized or illicit processing" (principle of "integrity and confidentiality") (art. 5, par. 1, letters a) and f) of the Regulation).

Furthermore, the data must be adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed (data minimization principle) (art. 5, par. 1, letter c) of the Regulation).

The Regulation then requires the data controller to implement "adequate technical and organizational measures to guarantee a level of security appropriate to the risk", taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (art. 32 of the Regulation).

With reference to the treatments covered by this provision, the Guarantor has adopted the "Guidelines on health records - 4 June 2015" (Provision dated 4.6.2015, published in Official Journal 164 of 17 July 2015, available on www.gpdp.it web doc no. 4084632), which, like the other provisions of the Authority, continue to apply even after the full application of the Regulation, as they are compatible with it (art. 22, paragraph 4, Legislative Decree no. 101/ 2018). In the Guidelines on health records, a first framework of precautions has been identified, in order to outline specific guarantees and responsibilities, as well as necessary and appropriate measures and precautions to be put in place to guarantee citizens, in relation to the processing of health data concerning them.

In the aforementioned Guidelines, the Guarantor, in order to avoid the risk of access to the information processed through the health dossier by unauthorized parties, or of communication of health data to third parties by persons authorized to access it, specifically asked the controller to pay particular attention to the identification of authorization profiles and to the training of authorized persons: access to the dossier must be limited to the healthcare personnel who take part in the patient's care process, and technical authentication methods must be adopted that reflect the cases of access to this tool specific to each healthcare facility. To this end, in the same Guidelines, the Guarantor indicated to controllers that they should survey the cases in which healthcare personnel may need to consult the health dossier for the purpose of treating the data subject and, on the basis of that survey, identify the different access authorization profiles.

Access to the dossier must therefore be limited only to healthcare personnel who intervene over time in the patient care process, and only for the period in which that process is under way, without prejudice to the possibility of accessing the dossier again if this becomes necessary in relation to the type of medical treatment to be provided to the interested party.

As already stated by the Authority in the aforementioned Guidelines and in other provisions, taking into account the right of the interested party to obscure data accessible through the health dossier, and therefore the possible incompleteness of this information tool, the controller must identify, in relation to the different functions to which staff are assigned, technical and organisational solutions that allow the administrative bodies, including when responding to the judicial authority, to access, within the limits of the powers established by law, a more complete information base than that present in the company health dossier.

Similarly, follow-up activities or consultation of medical records cannot be carried out through the health dossier, given that such processing requires, in compliance with sector regulations, a complete information base and has not, moreover, been indicated in the information provided to the interested party, who has therefore not been put in a position to express his or her consent where required.

Also with regard to the accessibility of the dossier by administrative profiles to respond, for example, to requests from the judicial authorities or for the recovery of debts relating to unpaid healthcare expenses, it is highlighted that the potential non-completeness of the dossier and the optional nature of the same make this information base unsuitable for the pursuit of the aforementioned purposes as relevant data or documents may have been obscured or even no health dossier of the interested party may be present as the interested party has not given his/her consent to its establishment. Thus, we would arrive at the paradox, for example, of providing partial information to the judicial authority because it has been obscured by the interested party or even of not being able to provide it in the absence of the interested party's consent to the creation of the dossier. This observation is the basis of the approach followed in the aforementioned Guidelines, according to which only clinicians involved in the treatment process of the interested party can access the health dossier and must in any case be informed about the potential incompleteness of this information tool.

In the aforementioned Guidelines, the Guarantor has in fact highlighted that access to the dossier must be excluded for experts, insurance companies, employers, scientific associations or organisations, administrative bodies also operating in the healthcare sector, as well as medical personnel in the exercise of medico-legal activity (e.g. visits to verify suitability for work or to issue certifications necessary for the granting of permits or qualifications) (see point 6 of the aforementioned Guidelines).

Finally, it is noted that in the aforementioned Guidelines the Authority considered that "the data controller must implement systems to control access also to the database and for the detection of any anomalies that may constitute illicit processing, through the use of anomaly indicators (so-called alerts) useful for guiding subsequent audit interventions. The owner must therefore foresee the activation of specific alerts that identify anomalous or risky behavior relating to the operations carried out by those in charge of processing (e.g. relating to the number of accesses performed, the type or time frame of the same)" (see point 7 of the aforementioned Guidelines).

Having said this, having taken note of what is represented by the Company in the defense briefs relating to the proceedings indicated in the previous points and in the documentation subsequently transmitted, it is noted that:

1. Authorization profiles for access to the dossier.

The configuration of the health dossier in place at the time the facts covered by the complaint and the violation notifications occurred allowed access to this information tool also by the company administrative bodies, for purposes distinct from those of caring for the health of the interested party. Although the Company has declared that it pursues through the health dossier exclusively the treatment of the interested party, from the documentation on file and the results of the aforementioned violation notifications it emerges that it has also pursued, through the health dossier, administrative, accounting and related purposes, as well as the fulfilment of specific regulatory obligations (e.g.: verification of the completeness of the emergency room record; verification/reminder of any payments due or of any exemptions due to pathology; delivery of reports to patients; printing of the medical record of the discharged patient; download and printing of documentation to prepare the pre-hospitalisation file; recovery and printing of documentation upon request of the Judicial Authority; system acquisition of paper documentation, external reports, etc.; organisation of post-hospital outpatient services).

The Company has also recently declared that access to the dossier by healthcare personnel not involved in the treatment process of the interested party can currently also take place in the case of "Follow-up verification", that is, to "verify the outcome of previous clinical cases, an assessment useful for the management of the same rare pathology in patients they were dealing with". With reference to these purposes, as highlighted above, the completeness and accuracy of the personal data processed is essential to ensure correct management of the administrative and clinical process, as well as compliance with the principles of quality and accuracy of the data referred to in art. 5 of the Regulation. The use of an incomplete health dossier, due to the exercise of the right of obscuring by the interested party (exercised in the cases in question), or the absence of the dossier itself where the interested party does not give consent to its creation, results in incorrect processing of the data with possible administrative consequences. It is also highlighted that in the case of access to the dossier for "Follow-up verification", as indicated in the documents, the aim is not always to better treat the interested party, but to consult his or her (potentially incomplete) dossier as the outcome of a previous clinical case, useful for managing similar cases relating to other patients.

With reference to what is declared in the documents regarding the possibility of managing the "charges for services to prisoners" through the dossier, in addition to the aspects highlighted above, it is noted that the health dossier cannot be used for the purposes of treating subjects detained in prison facilities belonging to the Company, but only of patients who turn to its clinics and departments (see provision of 26 May 2022, web doc. no. 9791909).

Regarding the possibility of accessing the dossier to consult the medical records, please note that there is a substantial difference between the dossier and the medical record: while the latter documents what happened in the context of a hospitalisation and has evidential value until challenged as false, the dossier does not take on the nature of a public document, as it does not certify the state of health of an individual, but rather provides, in a potentially incomplete manner, the health information held by the controller that can facilitate the treatment process. In fact, under current legislation, while consent to the compilation of the medical record is not required, the interested party is granted the right not to consent to the use of the dossier for treatment purposes. Similarly, it is not possible to request the obscuring of the data included in the medical record, while it is foreseen that the interested party can still decide not to make certain data and documents available for consultation through the dossier (right of obscuring). This highlights the already reiterated potential incompleteness of the dossier and the optional nature of its use for treatment purposes.

Having said all this, it is noted that the aforementioned configuration of the dossier in fact allowed, without the knowledge of the interested parties:

i. eight accesses to the health dossier of an interested party, by healthcare personnel who were not treating him, in order to verify the outcome of previous clinical cases (notifications of violation of XX and XX);

ii. eight accesses to the health dossier of an interested party, who was both assisted and employed by the Company, by unknown persons, through the use of the authentication credentials of administrative personnel who had left their workstation open or had not kept their password secure (notification of violation of XX);

iii. four accesses to the complainant's health dossier by unknown persons, through the use of the authentication credentials of healthcare and administrative personnel who had left their workstation open or had not kept their password secure, citing reasons also linked to the verification of the outcome of previous clinical cases (notification of violation of XX and complaint).

In addition to violating the principle of lawfulness, such processing also occurred in violation of the principles of transparency, correctness and data minimization since the company file was set up in such a way that it could be used for purposes not known to the interested parties and, specifically, by non-healthcare personnel for administrative purposes and by healthcare personnel who are not treating the interested party for the purposes of treating third parties (art. 5, par. 1, letters a) and c) of the Regulation).

Therefore, the configuration of the dossier in place at the time of the facts under investigation made it possible for personnel working at the Company to access, even for purposes other than treatment, the health dossier of patients who were not, at the time of access, being treated by them, in violation of the basic principles of processing referred to in articles 5, par. 1, letters a), c) and f), and 9 of the Regulation, as well as the principles of data protection by design (privacy by design) and by default (privacy by default) referred to in art. 25 of the Regulation.

The changes that the Company declared to have made to the health dossier only partially overcome the critical issues noted above, since, if on the one hand it was stated that "all the available workstations" of the administrative staff "even if employed for activities complementary to patient care", on the other hand there is still the possibility for company staff to access the health dossier of patients not being treated by them with the reasons "follow-up verification" and "consultation of medical records".

It is also noted that no assurance was ultimately provided that the provision according to which the health dossier could also be accessed to manage "charges for services to prisoners" had been withdrawn.

2. Alert for anomalous access to the health file and guarantees for the integrity and confidentiality of the data

At the time the facts under investigation occurred, the Company had not adopted, as required by the aforementioned Guidelines, a system for the detection of any anomalies that could constitute illicit processing, i.e. the use of anomaly indicators (so-called alerts) aimed at identifying anomalous or risky behaviour relating to the operations carried out by the subjects authorised to process (e.g. number of accesses performed, type or time frame of the same), useful for orienting subsequent audit interventions, in violation of the principles of integrity and confidentiality of personal data (art. 5, par. 1, letter f), and 32 of the Regulation).
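The anomaly indicators that point 7 of the 2015 Guidelines describes, and whose absence is found here, are easy to state but worth seeing as running detection logic. The block below is an added example, not code from the decision, the Guarantor or the hospital: it parses a constructed audit trail of dossier accesses and raises the indicators the text names (number of accesses in a time window, type of access, time frame), together with the care-team check from the Guidelines (only clinicians currently treating the patient) and the two access reasons the decision orders removed. All user names, patient ids, thresholds and log lines are constructed for illustration; the care-team map stands in for whatever system of record a facility would actually consult.

```python
"""Alerting on anomalous health-dossier accesses (constructed example)."""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed audit trail: <ISO timestamp> <user> <role> <patient> <reason>.
SAMPLE_LOG = """
2024-03-04T09:12:00 dr_rossi clinician P001 treatment
2024-03-04T09:40:00 dr_rossi clinician P001 treatment
2024-03-04T23:15:00 dr_bianchi clinician P001 follow_up_verification
2024-03-05T10:02:00 adm_verdi admin P002 consultation_of_medical_records
2024-03-05T10:03:00 adm_verdi admin P003 billing
2024-03-05T10:04:00 adm_verdi admin P004 billing
2024-03-05T10:05:00 adm_verdi admin P005 billing
2024-03-05T10:06:00 adm_verdi admin P006 billing
2024-03-05T10:07:00 adm_verdi admin P007 billing
2024-03-05T11:00:00 dr_neri clinician P002 treatment
"""

# Constructed care-team map (hypothetical): clinicians currently treating each patient.
CARE_TEAM: Dict[str, Set[str]] = {"P001": {"dr_rossi"}, "P002": {"dr_neri"}, "P003": {"dr_neri"}}

# Reasons the decision orders removed for staff not treating the patient.
DISALLOWED_REASONS = {"follow_up_verification", "consultation_of_medical_records"}

Alert = Tuple[str, str, str, str]  # (kind, user, patient, timestamp)


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    reason: str


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text: str) -> List[Access]:
    """Parse the audit trail; malformed lines are rejected rather than skipped."""
    out: List[Access] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed audit line: {line!r}")
        ts, user, role, patient, reason = m.groups()
        out.append(Access(datetime.fromisoformat(ts), user, role, patient, reason))
    return sorted(out, key=lambda a: a.ts)


def find_alerts(accesses: List[Access], care_team: Dict[str, Set[str]], *,
                max_per_window: int = 5, window: timedelta = timedelta(hours=1),
                work_hours: Tuple[time, time] = (time(7), time(20))) -> List[Alert]:
    """Return one alert per indicator tripped by each access (thresholds are constructed)."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # sliding window per user
    for a in accesses:
        def flag(kind: str, a: Access = a) -> None:
            alerts.append((kind, a.user, a.patient, a.ts.isoformat()))
        if a.role != "clinician":                       # type of accessor: administrative profile
            flag("non_clinical_role")
        if a.user not in care_team.get(a.patient, set()):  # not involved in this patient's care
            flag("not_in_care_team")
        if a.reason in DISALLOWED_REASONS:               # type of access the decision excludes
            flag("disallowed_reason")
        if not (work_hours[0] <= a.ts.time() < work_hours[1]):  # time frame
            flag("off_hours")
        q = recent[a.user]                               # number of accesses in the window
        q.append(a.ts)
        while q and a.ts - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:
            flag("burst")
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by indicator, the view an auditor would start from."""
    return dict(Counter(kind for kind, _, _, _ in alerts))


def flagged_users(alerts: List[Alert]) -> Set[str]:
    return {user for _, user, _, _ in alerts}


if __name__ == "__main__":
    found = find_alerts(parse_log(SAMPLE_LOG), CARE_TEAM)
    for kind, user, patient, ts in found:
        print(f"{ts} {user:<11} {patient} {kind}")
    print(summarize(found))
```

Two clinicians on the care team (dr_rossi, dr_neri) produce no alerts; the off-hours access by a clinician not treating the patient, and the administrative profile reading several dossiers in a few minutes, are exactly the cases the decision records. A real deployment would feed the alerts to the audit function rather than block access outright, since the Guidelines frame them as indicators that guide subsequent audit interventions.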

Starting from the XX, only following the start of the investigation by the Guarantor, the Company activated automatic alerts regarding the number of accesses carried out by authorized personnel.

It is also noted that the absence of technical measures aimed at automatically and promptly locking the devices in the event of user inactivity allowed unidentified subjects to access the dossier of the aforementioned complainant and of another interested party (violation notifications of XX and XX).

Added to this is that the Company has declared that "both at the time of the facts and currently the expected downtime after which the workstation is blocked is equal to 30 minutes", that "this timing was determined in agreement with the operational unit directors as the best balance between the needs of protecting the safety of access to the workstation, on the one hand, and guaranteeing the effectiveness of care activities on the other" and that this choice was the subject "of a re-evaluation in relation to the specific needs connected to the different operational areas, with the aim of reducing the latency time to a minimum, also differentiating it without however compromising the effectiveness requirement of the assistance path". Although the Company has considered the need to review the expected downtime beyond which the workstation will be blocked, in the communications recently sent it limited itself to stating that "the workstations are equipped with a protected screen saver with a password that comes into operation and blocks access to the PC after a short period of inactivity".

In relation to these aspects, it is therefore believed that the Company, with reference to the health dossier, has adopted technical and organisational measures which have proven not to comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation. The preventive adoption of such measures, also in light of the principles of data protection by design (privacy by design) and by default (privacy by default) contemplated in art. 25 of the Regulation, could have prevented or at least limited the aforementioned unauthorised access to company health dossiers.

3. Conclusions.

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation, and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor", it is stated that the elements provided by the data controller in the defence briefs relating to the aforementioned proceedings do not allow the findings notified by the Office with the act initiating the procedure for the adoption of corrective and sanctioning measures to be completely overcome, nor, moreover, does any of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 apply.

For these reasons, the unlawful nature of the processing of personal data carried out by the Company is noted with reference to the aforementioned proceedings initiated following the notifications of violation and the complaint, in the terms set out in the motivation, in particular for having processed personal data in violation of articles 5, par. 1, letters a), c) and f), 9, 25 and 32 of the Regulation.

In this context, considering the above, it is deemed necessary to order the aforementioned Company, pursuant to art. 58, par. 2, letter d), of the Regulation, as a corrective measure to be adopted within 90 days of the adoption of this provision, to remove, from among the reasons that allow authorised subjects to access the health dossiers of patients who are not under their care, "follow-up verification" and "consultation of medical records".

It is also considered necessary, pursuant to art. 157 of the Code, to ask the Company to provide, within 30 days of the adoption of this provision, information regarding:

a. the removal, from among the reasons that allow authorised subjects to access the health dossiers of patients who are not under their care, of the reason relating to "charges for services to prisoners";

b. the quantification of the "period of inactivity" foreseen in the "different operational areas" after which "a password-protected screen saver" comes into operation which "blocks access to the PC", taking care to provide specific and documented assessments in relation "to the specific needs connected" to the identification of such periods.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; article 166, paragraph 7, of the Code).

The violation of articles 5, par. 2, letters a), c) and f), 9, 25 and 32 of the Regulation, caused by the conduct of the Company, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5, of the Regulation.

In consideration of the fact that the aforementioned proceedings concern the same controller and similar processing of personal data, which occurred in the same time frame, and that the Company in the defence briefs relating to the aforementioned proceedings has provided the same defensive elements, it is considered appropriate to adopt the respective administrative sanctions in a single provision (articles 10, paragraph 4, and 19 of the Guarantor's Regulation no. 1/2019). In this regard, it is noted that the cases referred to in the notifications of violation of XX and XX concern, as stated in the documents, the same case, with the difference that the second notification refers to accesses which occurred at a time immediately following the first report made by the interested party.

It should be considered that the Guarantor, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined in its amount taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 85, par. 2, of the Regulation, in relation to which, for both procedures, it is observed that:

- the Authority became aware of the event following four infringement notifications and a complaint (art. 83, par. 2, letter h) of the Regulation);

- in particular, there were: eight accesses to the health dossier of an interested party, by healthcare personnel who were not treating him, in order to verify the outcome of previous clinical cases (violation notifications of XX and XX); eight accesses to the health dossier of an interested party, who was both assisted and employed by the Company, by unknown persons, through the use of the authentication credentials of administrative personnel who had left their workstation open or had not kept their password secure (notification of violation of XX); four accesses to the complainant's health dossier by unknown persons, through the use of the authentication credentials of healthcare and administrative personnel who had left their workstation open or had not kept their password secure, citing reasons also linked to the verification of the outcome of previous clinical cases (notification of violation of XX and complaint) (art. 83, par. 2, letters a), b) and g) of the Regulation);

- with reference to all the events subject to notification and complaint, the unlawful access concerned the health dossiers of three patients, by unknown persons and by administrative and healthcare professionals who were not involved in their treatment process, against whom disciplinary proceedings have been initiated, a report has been made to the competent professional orders and, in one case, a complaint has been made to the Public Prosecutor's Office (art. 83, par. 2, letters a), b) and g) of the Regulation);

- the aforementioned accesses were possible because the measures in place with reference to data processing suitable for collecting health information carried out through the company health dossier were not fully proportionate in order to guarantee adequate security and integrity of personal data and to avoid unauthorized access, although the Authority had already intervened in this regard with the 2015 Guidelines (art. 83, par. 2, letters d) and e) of the Regulation);

- the Company has modified the methods and circumstances of access to the company health file following the start of the investigation by the Authority, as well as introduced alert systems, cooperating with the Authority to this end (art. 83, par. 2, letters c) and f) of the Regulation);

- the critical elements relating to the processing of personal data carried out through the company health dossier, detected by the Office and described in the motivation, were only partially overcome during the investigation and concern all the Company's health dossiers, which the Company itself estimated at over 154,000 (art. 83, par. 2, letters a) and g) of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, letter a) of the Regulation, for the violation of articles 5, par. 1, letters a), c) and f), 9, 25 and 32 of the Regulation, to the extent:

- of 25,000 (twenty-five thousand) for the proceedings initiated following the notifications of violation of XX and XX, which, according to what was declared in the documents, concern the same case, differing only in the time period of the accesses; and

- of 25,000 (twenty-five thousand) for the proceedings initiated following the notification of violation of XX; and

- of 25,000 (twenty-five thousand) for the proceedings initiated following the complaint presented by Mrs. XX and the notification of violation of XX;
which pecuniary administrative sanctions are deemed to be, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied with reference to all the procedures examined, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out, in both procedures described, by the University Hospital of Padua, for the violation of articles 5, par. 1, letters a), c) and f), 9, 25 and 32 of the Regulation, within the terms set out in the motivation.

ORDERS

pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, the University Hospital of Padua, tax code/VAT number no. 00349040287, to pay:

the sum of 25,000 (twenty-five thousand) euros as a pecuniary administrative sanction for the violations detected with the violation notifications of XX and XX, which, according to what is declared in the documents, concern the same case, differing only in the time period of the accesses;

the sum of 25,000 (twenty-five thousand) euros as a pecuniary administrative sanction for the violations detected in the proceedings initiated following the notification of violation of the XX;

the sum of 25,000 (twenty-five thousand) euros as a pecuniary administrative sanction for the violations detected with the violation notification of XX and with the complaint presented by Mrs. XX, indicated in this provision;

according to the methods indicated in the attachment, within 30 days of notification of this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanctions imposed.

ORDERS

to the aforementioned Company:

1. in case of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sums of 25,000 (twenty-five thousand), 25,000 (twenty-five thousand) and 25,000 (twenty-five thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of consequent executive acts pursuant to art. 27 of law no. 689/1981;

2. pursuant to art. 58, par. 2, letter d), of the Regulation, within 90 days of notification of this provision, to remove the "follow-up verification" and the "consultation of medical records";

3. with regard to the previous point 2, to communicate what initiatives have been undertaken in order to implement what is enjoined by this provision and to provide adequately documented feedback, pursuant to art. 157 of the Code, within 20 days of the expiry of the deadline indicated above; any failure to respond may lead to the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation;

4. to provide information, pursuant to art. 157 of the Code, within 30 days of the adoption of this provision, regarding:

a. the removal of "charges for services to prisoners" from among the reasons that allow authorised subjects to access the health dossiers of patients not under their care;

b. the quantification of the "period of inactivity" established in the "different operational areas" after which "a password-protected screen saver" comes into operation which "blocks access to the PC", taking care to provide specific and documented assessments in relation "to the specific needs connected" to the identification of such periods.

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and believes that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met;

pursuant to art. 78 of the Regulation, articles 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself, or within sixty days if the appellant resides abroad.

Rome, 9 May 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE GENERAL SECRETARY
Mattei

[doc. web no. 10027595]

Provision of 9 May 2024

Register of measures
n. 295 of 9 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, no. 196, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation no. 1/2000 on the organisation and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Rapporteur: Prof. Ginevra Cerrina Feroni;

WHEREAS

1. Complaints, violations of personal data and preliminary investigations

The Authority received between the month of XX and the month of XX a complaint and four notifications of violation regarding the processing of personal data carried out through the health dossier of the Padua University Hospital Company (hereinafter the Company).

In relation to the notification of violation of XX, from the documentation in the documents, it emerges that there were four accesses to the health dossier of an interested party, between the month of February and the month of XX, by three subjects who "carried out the access without respecting the indications of the Company Management for access to the DSE". Such accesses "do not appear to have been made for diagnosis and treatment purposes even if they were carried out by healthcare professionals who had previously treated the interested party or were carried out for a clinical comparison". In this regard, with note dated XX, the Company, in highlighting that it has sent a "report of violation of personal data, for the relevant measures" towards the subjects who have carried out "improper access to the DSE", has represented that "the purposes of accessing the DSE were (...) clinical review of the treatment path relating to the subject concerned and related verification of the outcome of the same; analysis carried out by professionals belonging to the same operational unit/departmental area in which the interested party had previously been taken care of, for the sole purpose of verifying the effectiveness of this diagnosis and treatment process, and the possible application of the same path to cases concerning the same pathology". It was also specified that "From the checks carried out, it cannot be said that it was a clinical research activity but rather a verification of the outcomes of previous clinical cases useful for the management of similar cases".

With the notification of violation dated XX, the Company then stated that there had been a further four accesses to the dossier of the same interested party referred to in the accesses notified dated XX by some healthcare workers, including one of those who had already carried out the accesses subject to previous notification "which had previously had the interested party under treatment or were made for the purposes of retrospective study". According to what is stated in the documents, this is the same case as in the previous violation notification, but refers to accesses that occurred immediately following the first report made by the interested party. Also in this case, the Company, with the aforementioned note of the XX, in highlighting that it has sent a "report of violation of Personal data, for the relevant measures" towards the subjects who have carried out "improper access to the DSE”, represented that “the purposes of accessing the DSE were (…) clinical review of the treatment path relating to the interested subject and related verification of the outcome of the same; analysis carried out by professionals belonging to the same operational unit/departmental area in which the interested party had previously been taken care of, for the sole purpose of verifying the effectiveness of this diagnosis and treatment process, and the possible application of the same path to cases concerning the same pathology". Also in relation to this case, it was also specified that from "the checks carried out it cannot be said that it was a clinical research activity but rather a verification of the outcomes of previous clinical cases useful for the management of similar cases";

With the notification of violation of XX, the Company represented that there had been eight accesses to the health dossier of an interested party who was both assisted and employed by the same Company, "without any connection with the diagnosis and treatment activity provided to the interested party. Thus, word spread about his health conditions." In this regard, it was stated that "the violation was reported to the University as the employer of the operator whose credentials were used for the unauthorized access", that "from the checks carried out, the accesses to the DSE do not appear to have had a documented and justified purpose", that the author of the same is "an administrator" ("administrative profile with the sole possibility of consulting the documents") and an "employee of the University", and that the facts in question have been reported to the Public Prosecutor's Office of the Republic.

In the month of XX, Mrs. XX submitted a complaint to the Guarantor complaining of four accesses to her health dossier, in which 13 health documents were consulted. In relation to this case, the Company presented a violation notification on XX in which it was highlighted that the accesses were caused by "the behavior of three operators consisting in not having manned the computer station during the opening of the session, effectively allowing others (unidentifiable) to access the data subject's dossier. The three operators acted without respecting the precautions repeatedly prescribed by the Company Management for access to the DSE". In this regard, the Company also represented that the following reasons were used for the aforementioned accesses: "Check for follow up", "Urgent check", "Consultation of medical records", and that, "in order to minimize the risks", it "is proceeding with the review of the authorizations, limiting them to what is strictly necessary".

With regard to the aforementioned notifications of violation and the aforementioned complaint, the Office made multiple requests for information (notes of XX, protocol no. XX, of XX, protocol no. XX, and of XX, protocol no. XX), to which the Company responded (notes of XX, prot. n. XX, and of XX, prot. n. XX) representing, in particular, that:

“Through the company health dossier, this company pursues diagnosis and treatment purposes”;

“The rules for accessing the health file have been reviewed and communicated to all staff”;

“The Company became aware of the aforementioned anomalous accesses following a request for access to the logs to the DSE of the interested parties”;

“An “alert” system has been developed, the functions of which are being verified and refined for future activation”;

"as regards both the qualification procedure and the levels of access to the health dossier, in force at the time of the facts covered by the notifications", a document entitled "Method for issuing and managing the username and password of the company IT programs S.S.II. and GALILEO" has been attached, from which it can be seen that both the health and administrative areas of the Company can access the health dossier (e.g. mobility office, information point, check-in office, cash register operators, management control, insurance/agreements office). According to what was declared in the documents, this document is "in an advanced stage of revision". The document sent during the investigation still provided for access to the dossier by the administrative area of the Company (e.g. information point, reception office, cash register operators, management control, insurance/agreements office);

“In any case, you must be authorized to access the health file and each access is logged. If access occurs outside the time of care of the interested party, it is necessary to justify the reasons for the consultation, choosing, in the procedure, one of the codified reasons among those predefined by the Company (drop-down menu)";

"the administrative staff of this Company (employee or university in agreement) accesses the health file to consult only the information essential to carry out administrative functions", for example "verifies the completeness of the DEA Emergency Room folder, printing any consultations provided; checks/requests any payments due; supports the Director of the UOC in verifying any exemptions due to pathology; manages inmate service charges; prints the test results for filing in the medical record; delivers reports to patients; downloads and prints the medical record of the discharged patient from the management system; downloads and prints the documentation to prepare the pre-admission file; finds and prints the documentation upon request of the Judicial Authority; acquires paper documentation, external reports, etc. into the system; organizes post-hospital outpatient services";

"A timely review of users is underway, in order to limit access to the Electronic Health Record only to personnel involved in the treatment process, including therein, as required by the 2015 Data Protection Authority Guidelines, the administrative staff authorized to access the DSE to consult the information essential to carry out the administrative functions for which they are responsible";

“university staff under agreement carry out the same functions and use the same means as hospital staff and are appointed as authorized, similarly to what happens for employed staff”;

"On 30/05 last, the alert function on the use of the "enable patient access" function was activated. Every time an operator presses the button called "Enable Patient Access" from the Galileo front-end (a function that allows the display of health documentation to be expanded to the DSE of a patient who is not under care), a record is written in the Galileo DB, inside the RELEASE_TRACE table, with a series of information including: date and time when the operation occurred, user ID who performed the operation, patient ID on which the operation was performed, etc. Once per day (currently at 3.29 pm) a specific job is started which performs a count of users who have used the "Enable Patient Access" function more than 10 times in the previous 24 hours. (...). The random checks have already been carried out and will be implemented with a frequency of 2/3 times a week in order to better define the types of access and evaluate their real need. If, following the outcome of the checks, the Medical Management should identify improper access to the DSE, it will report the event as a possible Data Breach to the Disciplinary Procedures Office or to another competent Authority, for the consequent obligations";

“The number of health files currently present in the Company is 154,728”.

In relation to the investigations described above, the Office, with reference to the authorization profiles for access to the company dossier, the alert systems and the guarantees adopted by the Company to ensure the integrity and confidentiality of the data, with a note of XX (prot. n. XX) ordered the joinder of the proceedings and notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in article 58, par. 2 of the Regulation, inviting the aforementioned data controller to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981).

Following the aforementioned notification, the Company sent its defense briefs with note dated XX (prot. n. XX), requesting to be heard and representing, in particular, that:

in two of the cases under investigation (notifications of the XX and your password, in violation of the aforementioned Regulations and operating instructions given by the owner, effectively allowing unknown persons to acquire patient health data contained in the DSE, during the short period of time that elapses until the automatic closure of the session";

"in the other cases (notifications of violation of the XX and the same data, or from other doctors who were trying to verify the outcome of previous clinical cases, a useful assessment for the management of the same rare pathology in patients they were caring for (sometimes improperly classified as a "retrospective study")";

the events under investigation concerned "a small number of people" and that the "number of documents viewed is decidedly limited";

the Company took prompt action also by initiating "disciplinary proceedings against the operators for having contravened precise company instructions given by the Owner and the rules established to govern access to the computerized archive of patient health data" and reporting the conduct of the authors to professional associations and in one case to the Public Prosecutor's Office;

the training opportunities for the subjects authorized for processing have been intensified and "the verification, which has always been carried out, of the correct attribution of the authorization profiles for access to the DSE has been accentuated, in consideration of the tasks carried out by the staff, taking into account the high number of staff and staff turnover", to achieve "complete elimination of qualified administrative profiles";

“The Qualification Procedure is still being revised, the reformulation of which on the basis of the requirements provided by the Authority involves an in-depth analysis of the complex company organization and the evaluation, taking into account the context in which the Company finds itself operating, of the adoption of alternative technological measures and systems for carrying out administrative accounting activities to satisfy information obligations required by law. In particular, it is highlighted that the revision of the Procedure in question is also related to the new Operating System (SIO) which will be adopted by all companies of the Regional Health Service".

During the hearing, held remotely on XX, the Company further illustrated the actions implemented in relation to the cases under investigation (e.g. a disclaimer, activated on XX, which warns the operator of the limits and responsibilities associated with access; alerts for anomalous accesses introduced on XX; implementation of training activities) and described the configuration of the company health file application in force starting from the month of XX.

During the hearing, the Company reiterated what was stated in the defense briefs regarding the intention to eliminate all administrative profiles authorized to access the health dossier and communicated that it would send documentation in this regard, as well as regarding the configuration of the dossier at the time of the facts under investigation, the logic currently envisaged and that in force at the time of the facts for determining the subjects authorized to access, the different depths of access to the dossier, the reasons for access to the dossier by personnel not involved in the treatment path (with particular reference to the item "consultation of medical records"), the times foreseen for blocking the workstation in case of inactivity and the reasons behind these choices.

On the basis of what was declared during the hearing, the Company supplemented the documentation on file with the note of XX, in which it was represented, in particular, that:

"both at the time of the facts examined and today, the qualifications are made by choice of the Director/Head of the Operational Unit or his delegate";

regarding the different depths of access to the dossier, these are "consistent with the operational needs of each profile (for example, the medical profile has no limitations in the functions that can be used, while the nurse profile cannot modify the medical history, physical examination, discharge letter or therapy prescription). To differentiate the depth of access to the electronic health record, the "Galileo" management system currently allows, following the evolutionary interventions carried out, the following configurations, attributable to the different professional figures who contribute to the patient's care path: exclusive access to the episode of current care (hospitalization) without the possibility of accessing the patient's medical history; access to the patient's DSE exclusively in the case of ongoing events (hospitalization and outpatient) without the possibility of accessing the DSE in the case of non-current events; access to the patient's DSE both in the case of ongoing events (hospitalization and outpatient) and in the case of events which, although involving contact with the patient (e.g. telephone consultation, reporting by the interested party of adverse events, etc.), cannot be automatically codified from an IT point of view as ongoing episodes, with the clarification that such access can only take place following specific justification of the same through codified reasons further detailed in a free text";

"on the reasons provided currently and at the time of the facts in question for access to the dossier by personnel not involved in the treatment process, with particular reference to the item "consultation of medical records": at the time of the facts the reason "consultation of medical records" was inserted as a particular declination of the "Check for follow up" reason, to specify the type of documentation to which access was made; currently this category has been eliminated as it has been merged into the aforementioned item";

“both at the time of the facts and currently the expected inactivity time after which the workstation will be blocked is equal to 30 minutes. This timing was determined in agreement with the operational unit directors as the best balance between the needs of protecting the safety of access to the workstation, on the one hand, and guaranteeing the effectiveness of care activities on the other. The topic is the subject of a re-evaluation in relation to the specific needs connected to the different operational areas, with the aim of reducing the latency time to a minimum, also differentiating it without however compromising the requirement of effectiveness of the assistance path";

"Finally, it is considered necessary to consider that, with a view to minimizing risk, a reorganization of pre- and post-health care administrative support activities is underway which, so far, has led to a significant decrease in the number of access authorizations to the DSE for administrative personnel. This activity, already underway, is proceeding rapidly and will be completed by XX, the deadline for the deactivation of all workstations available to such personnel, even if used for activities complementary to patient care";

regarding control activities/improvement actions, "access to the DSE of a patient not currently under the care of the operational unit generates a disclaimer which notifies the healthcare worker that such access will be tracked and monitored and if necessary sanctioned. The disclaimer lists the cases for which such access is legitimate and can be carried out, asking the operator to justify the reasons for his action; An alert and control system is active, via e-mail forwarded to the Medical Directorate in the case of multiple accesses to the DSE by a single professional on the same day. On the basis of these reports, the Medical Management proceeds with the control, contacting the operators and verifying with them the reasons for the accesses; The workstations are equipped with a password-protected screen saver which comes into operation and blocks access to the PC after a short period of inactivity".
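The detection logic the Company describes above (a daily job counting "Enable Patient Access" uses per user over the previous 24 hours with a threshold of more than 10, and an e-mail alert when a single professional reaches several dossiers on the same day), as an added Python example; it is not the Company's, Galileo's or the Garante's code. The RELEASE_TRACE table name and the reason labels come from the decision; the column layout, user and patient identifiers, the 30-minute spacing of the constructed rows and the reading of "multiple accesses" as distinct dossiers are assumptions, and every audit row is constructed for the example. A third helper lists the accesses justified with a given coded reason, so that the Medical Management's review of reasons such as "Check for follow up" can start from the log rather than from the operator's recollection.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _rows(user, patient, start, n, step_minutes=30, reason="Urgent check"):
    """Build n constructed trace rows for one user, step_minutes apart.

    Row shape (assumed, not the real RELEASE_TRACE schema):
    (timestamp, user_id, patient_id, coded_reason).
    """
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(minutes=step_minutes * i), user, patient, reason)
            for i in range(n)]


# Constructed sample of the audit table described in the decision.
SAMPLE_TRACE = (
    # 12 uses in one morning -> over the "more than 10 in 24 h" threshold
    _rows("u_adm07", "p_1001", "2023-05-30 08:00:00", 12, reason="Check for follow up")
    # exactly 10 uses -> not over the threshold
    + _rows("u_med02", "p_2002", "2023-05-30 09:00:00", 10)
    # one professional opening two different dossiers on the same day
    + _rows("u_med03", "p_3003", "2023-05-30 10:00:00", 1)
    + _rows("u_med03", "p_3004", "2023-05-30 14:00:00", 1,
            reason="Consultation of medical records")
    # heavy use two days earlier: entirely outside the 24 h window of this run
    + _rows("u_med04", "p_4004", "2023-05-28 11:00:00", 15)
)

# The decision says the job currently runs once per day at 3.29 pm.
JOB_RUN = datetime.fromisoformat("2023-05-30 15:29:00")


def count_enable_access(rows, run_at, window=timedelta(hours=24)):
    """Per-user count of 'Enable Patient Access' uses in the window ending at run_at."""
    counts = defaultdict(int)
    for ts, user, _patient, _reason in rows:
        if run_at - window < ts <= run_at:
            counts[user] += 1
    return dict(counts)


def users_over_threshold(rows, run_at, threshold=10):
    """The daily job: users who used the function more than `threshold` times in the previous 24 hours."""
    return {u: n for u, n in count_enable_access(rows, run_at).items() if n > threshold}


def users_with_multiple_dossiers_per_day(rows):
    """E-mail alert condition: one professional reaching more than one patient's dossier on the same day.

    Keyed by (user_id, ISO date); the value lists the distinct patient ids touched.
    """
    seen = defaultdict(set)
    for ts, user, patient, _reason in rows:
        seen[(user, ts.date().isoformat())].add(patient)
    return {key: sorted(p) for key, p in seen.items() if len(p) > 1}


def accesses_with_reason(rows, reasons):
    """Rows whose coded reason is in `reasons`, for a follow-up review of those justifications."""
    return [r for r in rows if r[3] in reasons]


def daily_report(rows, run_at):
    """Bundle the three checks the way a job feeding the Medical Directorate's mailbox might."""
    return {
        "over_threshold": users_over_threshold(rows, run_at),
        "multiple_dossiers": users_with_multiple_dossiers_per_day(rows),
        "review_reasons": len(accesses_with_reason(
            rows, {"Check for follow up", "Consultation of medical records"})),
    }


if __name__ == "__main__":
    for name, value in daily_report(SAMPLE_TRACE, JOB_RUN).items():
        print(f"{name}: {value}")
```

The threshold rule alone misses u_med03, who touched two dossiers with two single clicks, which is why the decision's second alert (several dossiers by one professional in a day) is worth running alongside the count; conversely the count catches u_adm07, whom the per-dossier rule ignores because every access targeted the same patient.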

2. Outcome of the preliminary investigation.

At the outset, it is stated that the processing of personal data must take place in compliance with the applicable legislation on the protection of personal data and, in particular, with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”) and Legislative Decree no. 196 of 30 June 2003 (Code regarding the protection of personal data - hereinafter, the "Code").

With particular reference to the issue in question, it is highlighted that personal data must be "processed in a lawful, correct and transparent manner" (principle of "lawfulness, correctness and transparency") and "in a manner that guarantees adequate security (...), including the protection, through adequate technical and organizational measures, from unauthorized or illicit processing" (principle of "integrity and confidentiality") (art. 5, par. 1, letters a) and f) of the Regulation).

Furthermore, the data must be adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed (data minimization principle) (art. 5, par. 1, letter c) of the Regulation).

The Regulation then requires the data controller to implement "adequate technical and organizational measures to guarantee a level of security appropriate to the risk", taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (art. 32 of the Regulation).

With reference to the processing covered by this provision, the Guarantor has adopted the "Guidelines on health records - 4 June 2015" (Provision dated 4.6.2015, published in Official Journal 164 of 17 July 2015, available on www.gpdp.it, web doc no. 4084632), which, like the other provisions of the Authority, continue to apply even after the full application of the Regulation, as they are compatible with it (art. 22, paragraph 4, Legislative Decree no. 101/2018). In the Guidelines on health records, a first framework of precautions has been identified, in order to outline specific guarantees and responsibilities, as well as necessary and appropriate measures and precautions to be put in place to protect citizens in relation to the processing of health data concerning them.

In the aforementioned Guidelines, the Guarantor, in order to avoid the risk of access to the information processed through the health file by unauthorized parties, or of communication of health data to third parties by persons authorized to access it, specifically asked the data controller to pay particular attention to the identification of the authorization profiles and to the training of authorized subjects: access to the dossier must be limited only to healthcare personnel who intervene in the patient care process, and technical methods of authentication to the dossier must be adopted which reflect the cases of access to this tool specific to each healthcare facility. To this end, in the aforementioned Guidelines, the Guarantor has indicated to data controllers that they should carry out a survey of the cases in which the relevant healthcare personnel may need to consult the healthcare dossier for purposes of treatment of the interested party and, based on this survey, identify the different access authorization profiles.

Access to the dossier must, therefore, be limited only to healthcare personnel who intervene over time in the patient care process and only at the time in which the same takes place, without prejudice to the possibility of accessing the dossier again if this becomes necessary in relation to the type of medical treatment to be provided to the interested party.

As already represented by the Authority in the aforementioned Guidelines and in other provisions, taking into account the right of obscuring exercised by the interested party over the data accessible through the health dossier, and therefore the possible incompleteness of this information tool, the controller must identify, in relation to the different functions to which the staff is assigned, technical and organizational solutions that allow the administrative bodies, even in the event of feedback to the judicial authority, to access, within the limits of the powers established by law, a more complete information base than that present in the company health file.

Similarly, follow-up activities or consultation of medical records cannot be carried out through the health dossier, given that such processing requires, in compliance with sector regulations, a complete information base and has not, moreover, been indicated in the information provided to the interested party, who has therefore not been put in a position to express his or her consent where required.

Also with regard to the accessibility of the dossier by administrative profiles to respond, for example, to requests from the judicial authorities or for the recovery of debts relating to unpaid healthcare expenses, it is highlighted that the potential non-completeness of the dossier and the optional nature of the same make this information base unsuitable for the pursuit of the aforementioned purposes as relevant data or documents may have been obscured or even no health dossier of the interested party may be present as the interested party has not given his/her consent to its establishment. Thus, we would arrive at the paradox, for example, of providing partial information to the judicial authority because it has been obscured by the interested party or even of not being able to provide it in the absence of the interested party's consent to the creation of the dossier. This observation is the basis of the approach followed in the aforementioned Guidelines, according to which only clinicians involved in the treatment process of the interested party can access the health dossier and must in any case be informed about the potential incompleteness of this information tool.

In the aforementioned Guidelines, the Guarantor has in fact highlighted that access to the dossier must be excluded for experts, insurance companies, employers, scientific associations or organisations, administrative bodies also operating in the healthcare sector, as well as medical personnel in the exercise of medico-legal activity (e.g. visits to verify suitability for work or to issue certifications necessary for the granting of permits or qualifications) (see point 6 of the aforementioned Guidelines).

Finally, it is noted that in the aforementioned Guidelines the Authority considered that "the data controller must implement systems to control access also to the database and for the detection of any anomalies that may constitute illicit processing, through the use of anomaly indicators (so-called alerts) useful for guiding subsequent audit interventions. The owner must therefore foresee the activation of specific alerts that identify anomalous or risky behavior relating to the operations carried out by those in charge of processing (e.g. relating to the number of accesses performed, the type or time frame of the same)" (see point 7 of the aforementioned Guidelines).

Having said this, having taken note of what is represented by the Company in the defense briefs relating to the proceedings indicated in the previous points and in the documentation subsequently transmitted, it is noted that:

1. Authorization profiles for access to the dossier.

The configuration of the health dossier in place at the time in which the facts covered by the complaint and the violation notifications occurred allowed access to this information tool also by the company administrative bodies, for purposes distinct from those of caring for the health of the interested party. Although the Company has declared that it pursues through the health dossier exclusively the treatment of the interested party, from the documentation on file and the results of the aforementioned violation notifications it emerges that it has also pursued, through the health dossier, administrative and accounting purposes and the fulfillment of specific regulatory obligations (e.g.: verification of the completeness of the emergency room record; verification/reminder of any payments due or of any exemptions due to pathology; delivery of reports to patients; printing of the medical record of the discharged patient; download and printing of documentation to prepare the pre-hospitalization file; recovery and printing of documentation upon request of the Judicial Authority; system acquisition of paper documentation, external reports, etc.; organization of post-hospital outpatient services).

The Company has also recently declared that access to the dossier by healthcare personnel not involved in the treatment process of the interested party can currently also take place in the case of "Follow-up verification", or to "verify the outcome of previous clinical cases, a useful assessment for the management of the same rare pathology in patients they were dealing with". With reference to these purposes, as highlighted above, the completeness and accuracy of the personal data processed is essential to ensure correct management of the administrative and clinical process, as well as compliance with the principles of quality and accuracy of the data referred to in art. 5 of the Regulation. The use of an incomplete health dossier, due to the exercise of the right of obscuring by the interested party (exercised in the cases in question), or the absence of the dossier itself in the event that the interested party does not give consent to its creation, results in incorrect processing of the data with possible administrative consequences. It is also highlighted that in the case of access to the dossier for "Follow-up verification", as indicated in the documents, the aim is not always to better treat the interested party, but to consult his dossier (potentially incomplete) as the outcome of a previous clinical case useful for managing similar cases relating to other patients.

With reference to what is declared in the documents regarding the possibility of managing the "charges for services to prisoners" through the dossier, in addition to the aspects highlighted above, it is noted that the health dossier cannot be used for the purposes of treating subjects detained in prison facilities belonging to the Company, but only of patients who turn to its clinics and departments (see provision of 26 May 2022, web doc. no. 9791909).

Regarding the possibility of accessing the dossier to consult the medical records, it should be noted that there is a substantial difference between the dossier and the medical record: while the latter is a public document recording what happened during a hospitalization, with full evidentiary value unless challenged for forgery, the dossier does not take on the nature of a public document, as it does not certify the state of health of an individual but rather provides, in a potentially incomplete manner, the health information held by the controller which may facilitate the treatment process. In fact, under current legislation, while consent to the compilation of the medical record is not required, the interested party is granted the right not to consent to the use of the dossier for treatment purposes. Similarly, it is not possible to request the obscuring of the data included in the medical record, while it is foreseen that the interested party can still decide not to make certain data and documents available for consultation through the dossier (right of obscuring). This highlights the already reiterated potential non-completeness of the dossier and the optional nature of its use for treatment purposes.

Having said all this, it is noted that the aforementioned configuration of the dossier has in fact allowed, without the knowledge of the interested parties:

i. eight accesses to the health file of an interested party, by healthcare personnel who were not treating him, to verify the outcome of previous clinical cases (notifications of violation of XX and XX);

ii. eight accesses to the health file of an interested party, both assisted and employed by the Company, by unknown persons, through the use of the authentication credentials of administrative personnel who had left their workstation open or had not protected their password (notification of violation of XX);

iii. four accesses to the complainant's health file by unknown persons, through the use of the authentication credentials of healthcare and administrative personnel who had left their workstation open or had not protected their password, citing reasons also linked to the verification of the outcome of previous clinical cases (notification of violation of XX and complaint).

In addition to violating the principle of lawfulness, such processing also occurred in violation of the principles of transparency, correctness and data minimization since the company file was set up in such a way that it could be used for purposes not known to the interested parties and, specifically, by non-healthcare personnel for administrative purposes and by healthcare personnel who are not treating the interested party for the purposes of treating third parties (art. 5, par. 1, letters a) and c) of the Regulation).

Therefore, the configuration of the dossier in place at the time of the facts under investigation made it possible for personnel working at the Company to access, even for purposes other than those of treatment, the health dossier of patients who were not, at the time of access, being treated by them, in violation of the basic principles of processing referred to in arts. 5, par. 1, letters a), c) and f), and 9 of the Regulation, as well as the principles of data protection by design (privacy by design) and by default (privacy by default) referred to in art. 25 of the Regulation.

The changes that the Company declared to have made to the health dossier only partially overcome the critical issues noted above, since, if on the one hand it was stated that "by XX" "all the available workstations" of the administrative staff, "even if employed for activities complementary to patient care", would be deactivated, on the other hand there is still the possibility for company staff to access the health dossier of patients not under their care with the reasons "follow up verification" and "consultation of medical records".

It is also noted that no assurance was ultimately provided regarding the removal of the provision according to which the health dossier could also be accessed to manage "charges for services to prisoners".

2. Alert for anomalous access to the health file and guarantees for the integrity and confidentiality of the data

At the time the facts under investigation occurred, the Company had not adopted, as required by the aforementioned Guidelines, a system for the detection of any anomalies that could constitute illicit processing, that is, the use of anomaly indicators (so-called alerts) aimed at identifying anomalous or risky behavior relating to the operations carried out by the subjects authorized to process (e.g. number of accesses performed, type or time frame of the same), useful for guiding subsequent audit interventions, in violation of the principles of integrity and confidentiality of personal data (arts. 5, par. 1, letter f), and 32 of the Regulation).

Only starting from XX, following the start of the investigation by the Guarantor, did the Company activate automatic alerts regarding the number of accesses carried out by authorized personnel.

It is also noted that the absence of technical measures aimed at automatically and promptly blocking the devices in the event of user inactivity allowed unidentified subjects to access the dossier of the aforementioned complainant and of another interested party (violation notifications of XX and XX).

Added to this is that the Company has declared that "both at the time of the facts and currently the expected downtime after which the workstation is blocked is equal to 30 minutes", that "this timing was determined in agreement with the operational unit directors as the best balance between the needs of protecting the safety of access to the workstation, on the one hand, and guaranteeing the effectiveness of care activities on the other" and that this choice was the subject "of a re-evaluation in relation to the specific needs connected to the different operational areas, with the aim of reducing the latency time to a minimum, also differentiating it without however compromising the effectiveness requirement of the assistance path". Although the Company has considered the need to review the expected downtime beyond which the workstation will be blocked, in the communications recently sent it limited itself to stating that "the workstations are equipped with a protected screen saver with a password that comes into operation and blocks access to the PC after a short period of inactivity".

In relation to these aspects, it is therefore believed that the Company, with reference to the health dossier, adopted technical and organizational measures which have proven not to comply with art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation. The preventive adoption of such measures, also in light of the principles of data protection by design (privacy by design) and by default (privacy by default) contemplated in art. 25 of the Regulation, could have prevented or at least limited the aforementioned unauthorized accesses to company health dossiers.
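As an added illustration, not part of the decision or of the Company's systems, the kind of anomaly indicators the Guidelines require (number, type and time frame of accesses by authorized users), run over a constructed dossier access log; the user and patient identifiers, the daily threshold and the working hours are assumptions:

```python
from collections import Counter
from datetime import datetime

# Access reasons that let staff open dossiers of patients they do not treat
# (the two reasons whose removal the decision orders).
OVERBROAD_REASONS = {"follow-up verification", "consultation of medical records"}

# Constructed sample access log: (timestamp, user, patient, declared reason).
ACCESS_LOG = [
    ("2024-03-04T09:10:00", "u01", "p100", "treatment"),
    ("2024-03-04T09:30:00", "u01", "p101", "treatment"),
    ("2024-03-04T10:00:00", "u03", "p100", "follow-up verification"),
    ("2024-03-04T22:15:00", "u02", "p100", "billing"),
] + [
    (f"2024-03-04T11:{m:02d}:00", "u03", f"p{300 + m}", "consultation of medical records")
    for m in range(6)
]

# Patients each user is currently treating (constructed assignment).
CARE_TEAM = {"u01": {"p100", "p101"}, "u02": set(), "u03": {"p200"}}


def detect_anomalies(log, care_team, daily_threshold=5, work_hours=(7, 20)):
    """Return alert tuples for the indicators the decision says were missing:
    access to a patient outside the user's care (and whether an overbroad
    reason was used), access outside working hours, and per-user daily volume."""
    alerts = []
    per_user_day = Counter()
    for ts, user, patient, reason in log:
        when = datetime.fromisoformat(ts)
        per_user_day[(user, when.date())] += 1
        if patient not in care_team.get(user, set()):
            alerts.append(("not_in_care", user, patient, reason))
            if reason in OVERBROAD_REASONS:
                alerts.append(("overbroad_reason", user, patient, reason))
        if not (work_hours[0] <= when.hour < work_hours[1]):
            alerts.append(("off_hours", user, patient, ts))
    # Volume indicator: more accesses per day than the assumed threshold.
    for (user, day), n in per_user_day.items():
        if n > daily_threshold:
            alerts.append(("volume", user, str(day), n))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(ACCESS_LOG, CARE_TEAM):
        print(alert)
```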

3. Conclusions.

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" ˗ it is stated that the elements provided by the data controller in the defense briefs relating to the aforementioned proceedings do not allow the findings notified by the Office with the act initiating the procedure for the adoption of corrective and sanctioning measures to be completely overcome, as, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

For these reasons, the unlawful nature of the processing of personal data carried out by the Company is noted with reference to the aforementioned proceedings initiated following the notifications of violation and the complaint, in the terms set out in the motivation, in particular for having processed personal data in violation of articles 5, par. 1, letters a), c) and f), 9, 25 and 32 of the Regulation.

In this context, considering the above, it is deemed necessary to order the aforementioned Company, pursuant to art. 58, par. 2, letter d), of the Regulation, as a corrective measure to be adopted within 90 days of the adoption of this provision, to remove the "follow-up verification" and "consultation of medical records" reasons from among those that allow authorized subjects to access the health dossiers of patients who are not under their care.

It is also considered necessary, pursuant to art. 157 of the Code, to ask the Company to provide, within 30 days of the adoption of this provision, information regarding:

the removal, from among the reasons that allow authorized subjects to access the health dossiers of patients who are not under their care, of the reason relating to "charges for services to prisoners";

the quantification of the "period of inactivity" foreseen in the "different operational areas" after which "a password-protected screen saver" comes into operation and "blocks access to the PC", taking care to provide specific and documented assessments regarding "the specific needs connected" to the identification of such periods.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; article 166, paragraph 7, of the Code).

The violation of articles 5, par. 2, letters a), c) and f), 9, 25 and 32 of the Regulation, caused by the conduct of the Company, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5, of the Regulation.

In consideration of the fact that the aforementioned proceedings concern the same controller and similar processing of personal data which occurred in the same time frame, and that the Company has provided the same defensive elements in the defense briefs relating to the aforementioned proceedings, it is considered appropriate to adopt the respective administrative sanctions in a single provision (articles 10, paragraph 4, and 19 of the Guarantor's Regulation no. 1/2019). In this regard, it is noted that the cases referred to in the notifications of violation of XX and XX, as stated in the documents, concern the same case, with the difference that the second notification refers to accesses which occurred at a time immediately following the first report made by the data subject.

Considering that the Guarantor, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The amount of the aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1 of the Regulation, in light of the elements provided for in art. 85, par. 2, of the Regulation, in relation to which, for both procedures, it is observed that:

- the Authority became aware of the event following four infringement notifications and a complaint (art. 83, par. 2, letter h) of the Regulation);

- in particular, there were: eight accesses to the health dossier of a data subject by healthcare personnel who were not treating him, in order to verify the outcome of previous clinical cases (violation notifications of XX and XX); eight accesses to the health dossier of a data subject, who was both a patient of and employed by the Company, by unknown persons, through the use of the authentication credentials of administrative personnel who had left their workstation open or had not taken care to keep their password secret (notification of violation of XX); four accesses to the complainant's health dossier by unknown persons, through the use of the authentication credentials of healthcare and administrative personnel who had left their workstation open or had not taken care to keep their password secret, citing reasons also linked to the verification of the outcome of previous clinical cases (notification of violation of XX and complaint) (art. 83, par. 2, letters a), b) and g) of the Regulation);

- with reference to all the events subject to notification and complaint, the unlawful accesses concerned the health dossiers of three patients, made by unknown persons and by administrative and healthcare professionals who were not involved in their treatment process, against whom disciplinary proceedings have been initiated, a report has been made to the competent professional orders and, in one case, a complaint has been filed with the Public Prosecutor's Office (art. 83, par. 2, letters a), b) and g) of the Regulation);

- the aforementioned accesses were possible because the measures in place for the processing of health data carried out through the company health dossier were not fully proportionate to guaranteeing adequate security and integrity of personal data and avoiding unauthorized access, although the Authority had already intervened in this regard with the 2015 Guidelines (art. 83, par. 2, letters d) and e) of the Regulation);

- the Company has modified the methods and circumstances of access to the company health dossier following the start of the investigation by the Authority, and has introduced alert systems, cooperating with the Authority to this end (art. 83, par. 2, letters c) and f) of the Regulation);

- the critical elements relating to the processing of personal data carried out through the company health dossier, detected by the Office and described in the justification, were only partially overcome during the investigation and concern all the Company's health dossiers, which the Company itself estimated at over 154,000 (art. 83, par. 2, letters a) and g) of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, letter a) of the Regulation, for the violation of articles 5, par. 1, letters a), c) and f), 9, 25 and 32 of the Regulation, as follows:

- 25,000 (twenty-five thousand) euros for the proceedings initiated following the notifications of violation of XX and XX, which, according to what was declared in the documents, concern the same case, differing only in the time period of the accesses; and

- 25,000 (twenty-five thousand) euros for the proceedings initiated following the notification of violation of XX; and

- 25,000 (twenty-five thousand) euros for the proceedings initiated following the complaint presented by Mrs. XX and the notification of violation of XX;
which administrative pecuniary sanctions are deemed to be, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should apply with reference to all the procedures examined, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THIS CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out, in both procedures described, by the University Hospital of Padua, for the violation of articles 5, par. 1, letters a), c) and f), 9, 25 and 32 of the Regulation, within the terms set out in the justification.

ORDERS

pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, the University Hospital of Padua, tax code/VAT number 00349040287, to pay:

the sum of 25,000 (twenty-five thousand) euros as a pecuniary administrative sanction for the violations detected with the violation notifications of XX and XX, which, according to what is declared in the documents, concern the same case, differing only in the time period of the accesses;

the sum of 25,000 (twenty-five thousand) euros as a pecuniary administrative sanction for the violations detected in the proceedings initiated following the notification of violation of XX;

the sum of 25,000 (twenty-five thousand) euros as a pecuniary administrative sanction for the violations detected with the violation notification of XX and with the complaint presented by Mrs. XX, indicated in this provision;

according to the methods indicated in the attachment, within 30 days of the notification referred to in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanctions imposed.

ENJOINS

the aforementioned Company:

1. in case of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sums of 25,000 (twenty-five thousand), 25,000 (twenty-five thousand) and 25,000 (twenty-five thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of consequent executive acts pursuant to art. 27 of law no. 689/1981;

2. pursuant to art. 58, par. 2, letter d), of the Regulation, within 90 days of notification of this provision, to remove the "follow-up verification" and "consultation of medical records" reasons;

3. regarding the previous point 2, to communicate what initiatives have been undertaken in order to implement what is enjoined by this provision and to provide adequately documented feedback, pursuant to art. 157 of the Code, within 20 days of the expiry of the deadline indicated above; any failure to respond may lead to the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation;

4. to provide information, pursuant to art. 157 of the Code, within 30 days of the adoption of this provision, regarding:

a. the removal of "charges for services to prisoners" from among the reasons that allow authorized subjects to access the health dossiers of patients not under their care;

b. the quantification of the "period of inactivity" established in the "different operational areas" after which "a password-protected screen saver" comes into operation and "blocks access to the PC", taking care to provide specific and documented assessments regarding "the specific needs connected" to the identification of such periods.

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and believes that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met;

pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself, or within sixty days if the appellant resides abroad.

Rome, 9 May 2024

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE GENERAL SECRETARY
Mattei