Datainspektionen - DI-2019-3839
Revision as of 22:45, 13 December 2020
| Datainspektionen - DI-2019-3839 | |
|---|---|
| Authority: | Datainspektionen (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 32(1) GDPR; Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 02.12.2020 |
| Published: | 02.12.2020 |
| Fine: | 4000000 SEK |
| Parties: | Styrelsen för Karolinska Universitetssjukhuset |
| National Case Number/Name: | DI-2019-3839 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Swedish |
| Original Source: | Datainspektionen (in SV) |
| Initial Contributor: | Charlotte Godhe |
The Swedish DPA holds that, under Article 32 GDPR, access to medical records has to be restricted according to each individual care worker's need to access them in order to perform his or her job.
English Summary
Facts
The Karolinska University Hospital gave healthcare personnel different levels of access to patient journals based only on whether they were doctors or nurses. This role-based scheme therefore enabled access to almost all medical records regardless of whether the individual staff member needed them.
Dispute
Had the Karolinska University Hospital taken organisational measures to limit access to personal data in the medical record system, under Article 32 GDPR?
Holding
The DPA held that the Karolinska University Hospital had not restricted access to patient journals based on what the individual healthcare personnel needed in order to perform their work. The hospital had thus not taken appropriate organisational measures under Articles 5(1) and 32 GDPR to limit access to personal data. The hospital had therefore also failed to ensure appropriate security for personal data under Article 5(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.