Latest revision as of 09:33, 28 July 2021
| NAIH (Hungary) - NAIH-2894-3/2021 | |
|---|---|
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 32(1)(a) GDPR; Article 32(1)(b) GDPR; Article 32(2) GDPR; Article 33(1) GDPR; Article 34(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 14.03.2021 |
| Published: | |
| Fine: | 10000000 HUF |
| Parties: | Budapest Főváros Kormányhivatala XI. kerületi Hivatala |
| National Case Number/Name: | NAIH-2894-3/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH webpage (in HU) |
| Initial Contributor: | n/a |
The Hungarian DPA (NAIH) held that transferring health data without password protection to general practitioners not authorised to access such data constitutes a personal data breach resulting in a high risk to the rights and freedoms of natural persons. The emergency situation caused by the Covid-19 pandemic does not exempt public authorities from taking appropriate data security measures and from lawfully processing personal data.
English Summary
Facts
A public interest disclosure was made to the Hungarian DPA (NAIH) detailing a personal data breach. In the given case, the XI. District Office of the Budapest Government Office (in Hungarian: "Budapest Főváros Kormányhivatala XI. kerületi Hivatala"; hereinafter "District Office") transferred by email, in an Excel sheet attached to the email, the data of 1153 patients relating to their COVID testing to general practitioners (physicians) in the XI, XII and XXII Districts of Budapest. The Excel sheet was not protected by a password or by any other means. A person (who was not even one of the general practitioners originally addressed by the District Office) forwarded the Excel sheet and the District Office's related email to the NAIH in the form of a public interest disclosure.
The NAIH examined whether the transfer of patient data by the District Office constituted a personal data breach, the related risks to the rights and freedoms of natural persons, and the District Office's handling of the breach.
It is worth noting that, after receiving the NAIH's inquiry concerning the personal data breach, the District Office requested the opinion of the data protection officer of the Budapest Government Office. The data protection officer was of the opinion that the transfer of patient data by email constituted a personal data breach, but that the breach did not result in a risk to the rights and freedoms of natural persons, since the data was received only by general practitioners, who are bound by professional secrecy.
Holding
The NAIH decided that the transfer of patient data by email by the District Office constituted a data breach, since the personal data (including sensitive data) was forwarded to general practitioners who had no right to access it. This also means that the District Office should have sent each patient's data only to the competent general practitioners in the given district, with password protection (providing the password through a different channel), or should have chosen another way to transfer the data securely (e.g. through the Hungarian Electronic Health Service Space).
With regard to the personal data breach, the NAIH also highlighted that it resulted in a high risk to the rights and freedoms of natural persons: a wide range of sensitive data became accessible to unauthorised third parties, raising the chance of further unauthorised persons accessing the data and processing it unlawfully (e.g. the person who made the public interest disclosure to the NAIH, or anyone who might send direct marketing materials relating to health services).
The NAIH further highlighted that the emergency situation caused by the Covid-19 outbreak did not exempt the District Office from complying with appropriate data security standards. Bearing in mind that the District Office performs public tasks and processes health data as its core activity, it should be expected to process such data carefully, in a way that is appropriate from a data protection point of view, and to assess the risks associated with the processing.
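As an added illustration of the two controls the NAIH points to in the holding (only the competent district's practitioners receive their own patients' rows, and the attachment is protected by a secret handed over through a different channel), the Go code below is not part of the decision or of this page; the `Patient` fields, the district labels and the sample rows are constructed, and AES-256-GCM with a fresh random key per district stands in for whatever password-based protection a real export tool applies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Patient is one row of the constructed sample sheet (hypothetical fields).
type Patient struct{ Name, District, Result string }

// Package is what one district's practitioner gets: Sealed (nonce || AES-256-GCM
// ciphertext) goes by email, Key is handed over through a different channel.
type Package struct{ Sealed, Key []byte }
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildPackages keeps each district's rows in their own package (data minimisation)
// and seals them under a fresh key, with the district name bound as AAD.
func BuildPackages(rows []Patient) map[string]Package {
	byDistrict := map[string][]byte{}
	for _, r := range rows { // a CSV line stands in for the spreadsheet row
		byDistrict[r.District] = append(byDistrict[r.District], r.Name+";"+r.Result+"\n"...)
	}
	out := map[string]Package{}
	for district, plain := range byDistrict {
		raw := make([]byte, 32+12) // key || nonce from the OS CSPRNG
		if _, err := rand.Read(raw); err != nil {
			panic(err) // nothing safe can be done without randomness
		}
		aead, _ := gcm(raw[:32]) // cannot fail for a 32-byte key
		sealed := aead.Seal(append([]byte{}, raw[32:]...), raw[32:], plain, []byte(district))
		out[district] = Package{Sealed: sealed, Key: raw[:32]}
	}
	return out
}

// Open is the recipient side: a wrong key, a tampered attachment or a package
// addressed to another district fails authentication instead of leaking rows.
func Open(p Package, key []byte, district string) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(p.Sealed) >= n {
		return aead.Open(nil, p.Sealed[:n], p.Sealed[n:], []byte(district))
	}
	return nil, errors.New("truncated package")
}
```

Because the district name is authenticated data, a package forwarded to a practitioner in another district cannot be opened even with the right key, which is the failure the NAIH describes.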
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Data protection incident and data security deficiencies affecting health data at the BFKH XI. District Office. File size: 318.57 kB. Date: 24 March 2021. NAIH-2894-3/2021