APD/GBA (Belgium) - 103/2023
Revision as of 11:47, 10 August 2023
| APD/GBA - 103/2023 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(2) GDPR; Article 9(1) GDPR; Article 24 GDPR; Article 32 GDPR; Article 458 Code Pénal |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 03.09.2022 |
| Decided: | 26.07.2023 |
| Published: | 03.08.2023 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 103/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Autorité de protection des données (in FR) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA issued a warning to a hospital group for non-compliance with Article 32 GDPR and Article 24 GDPR, as the hospital group had failed to implement appropriate internal data security measures.
English Summary
Facts
Following a sexual assault, the data subject visited and was treated by Centre 'Z'. Centre 'Z' is part of the hospital group against which the complaint was filed. Several months later, the data subject visited a psychologist employed by the hospital group that manages Centre 'Z'. However, the psychologist did not work at Centre 'Z', and the visit was unrelated to the data subject's sexual assault. During the psychological consultation, the data subject was asked questions relating to her sexual assault, which indicated to her that the psychologist had access to her medical data held by Centre 'Z', despite not working there.
The data subject contacted Centre 'Z' regarding their internal data access policy. She was informed that all of the hospital group's employees could access her records, regardless of whether they worked at Centre 'Z' or not. She requested that the Centre restrict access to her data to only staff working at Centre 'Z'. The Centre responded that this was not possible, but did note that the hospital group was in the process of updating its policy on this matter.
Holding
The Belgian DPA found that the hospital group's internal data security measures were in violation of Article 32 GDPR and Article 24 GDPR.
These Articles impose a duty upon controllers and processors to implement the "appropriate technical and organisational measures" to ensure compliance with the GDPR and to ensure a level of security appropriate to the risk of the processing. The Belgian DPA interpreted the meaning of "appropriate technical and organisational measures" in a healthcare context to mean that measures should be implemented to "ensure that healthcare providers and other professionals who use [an] information exchange system only have access to data from a patient file which is necessary for their respective services." In reaching this conclusion, the Belgian DPA explicitly affirmed the position taken by the Committee of Ministers of the Council of Europe in CM/Rec(2019)2.
As the hospital group allowed all of its employees to access patient data, and not only those who were treating a particular patient, the DPA found that the hospital group had not implemented the "appropriate technical and organisational measures" for the purposes of Article 32 GDPR and Article 24 GDPR. Given that the hospital group was in the process of updating its policies and practices, the Belgian DPA issued a warning.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision 103/2023 of July 26, 2023
File number: DOS-2022-03592
Subject: Complaint relating to the accessibility of data concerning the health of a patient to all hospital staff

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter "LCA";
Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Mrs. X, hereinafter "the complainant";
The defendant: Centre Hospitalier Y, hereinafter "the defendant".

I. Facts and procedure

1. The subject of the complaint concerns access to the complainant's data by members of the defendant's staff other than those who took care of the complainant during her initial visit to a specialized centre of the defendant.

2. On September 3, 2022, the complainant lodged a complaint with the Data Protection Authority (APD) against the defendant.

3. On September 5, 2022, the complaint was declared admissible by the Front Line Service (SPL) of the DPA on the basis of Articles 58 and 60 of the LCA [1], and the complaint was transmitted to the Litigation Chamber pursuant to Article 62, § 1 of the LCA [2].

4. The complainant stated that following a sexual assault, she went in September/October 2021 to Centre Z, a specialized centre of the defendant [3].

5. The complainant also specifies that approximately 8 months later, on April 19, 2022, she went to a psychological consultation with the defendant. This consultation took place in the context of her pregnancy and preparation for the upcoming delivery, without any link, she explains, with the sexual violence experienced. The complainant indicates that during this consultation, the psychologist asked her a number of questions about the sexual assault of which she had been the victim. The complainant indicates that she deduced from this that, obviously, the psychologist had had access to the information held by Centre Z following her visit in September/October 2021 (point 4). The complainant reports having been concerned about this situation and about the fact that a large number of people (members of the defendant's staff, doctors, etc.) thus seemed to be able to access very delicate and sensitive data about her.

6. The complainant further states that the same day, she orally contacted Centre Z, which indicated that all of the defendant's medical personnel could access the summary of her consultation at Centre Z (understood, according to the complainant, as including the details of the sexual assault of which she had been the victim). The complainant says that she requested that only the centre have access to said information. She reports that she was told that this was not possible at the time, but that a procedure was in progress to make this type of data less accessible, and that in the long term only the data relating to, for example, the exemption from one or another medication would be accessible, and no longer the entire file. The complainant adds that she was not told whether this new regime would apply to files already open (such as hers) or not.

7. The complainant produced in support of her complaint the email which she then sent, two months later, on June 20, 2022, to the Data Protection Officer (DPO) of the defendant, in which she relates the foregoing (points 5 and 6) and raises the question of the time limit within which the new regime will apply and whether it will cover cases such as hers. Generally speaking, the complainant expresses that she feels that this broad accessibility "(…) goes against my rights to privacy, precisely when it affects matters as sensitive as the description of a sexual assault".

8. At the same time, the complainant on the same day (June 20, 2022) informed Centre Z of the approach she had made to the DPO of the defendant, sending it a copy of the email sent. She also checked with Centre Z that the account she had given to the DPO following the conversation she had had with the centre reflected the reality. This email is also produced in the file.

9. On June 21, 2022, a member of Centre Z confirmed to the complainant that the account of the situation she had set out was indeed faithful to reality. It was moreover clarified to the complainant, on the one hand, that the modification of the Centre Z files should be carried out in the course of 2022, at the latest within 6 months, the process requiring time and investment, and on the other hand that she would be informed, if necessary, of new useful information concerning her. This email is on file.

10. For its part, the DPO of the defendant indicated by return email of June 20 to the complainant that a meeting was scheduled in the coming weeks with Centre Z to analyze her situation and that, following this meeting, a letter would be sent to her concerning access to her data related to the sexual assault of which she was the victim. Specifically, the DPO writes the following to the complainant: "A meeting is scheduled for this … with … [Centre Z] in order to analyze your situation. Following this meeting, a letter will be sent to you concerning access to your data related to the assault (blocking access to the details of the facts)" [4].

11. When filing her complaint with the DPA on September 3, 2022, the complainant indicated that she had not received any follow-up from (the DPO of) the defendant.

II. Motivation

12. The Litigation Chamber concludes that the data relating to the sexual assault of which the complainant reports having been the victim are personal data concerning her within the meaning of Article 4.1 of the GDPR. Some of them are, in all likelihood, data relating to her health within the meaning of Article 9.1 of the GDPR and recital 43 thereof. Other, more factual data, linked for example to the description of the acts of aggression, are potentially not sensitive within the meaning of Article 9.1 of the GDPR. The Litigation Chamber is nonetheless of the opinion that these data are, in the context of the sexual violence of which the complainant was the victim, "highly personal data" in the sense that the European Data Protection Board (EDPB) gives to this notion [5]. The greatest vigilance regarding compliance with the GDPR must be required in their regard.

13. The Litigation Chamber notes that it also appears from the complaint and the exhibits produced by the complainant that there is indeed "processing" of data within the meaning of Article 4.2 of the GDPR, the complainant's personal data being retained and accessible electronically.

14. On the basis of the confidentiality policy of the defendant [6], the Litigation Chamber considers, prima facie, that the defendant is the presumed controller of the processing of the complainant's data, including the processing carried out by Centre Z.

15. Any data controller is required to comply with Article 24 of the GDPR, which implies that, taking into account the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons, the data controller implements appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR. Every controller must also be able to demonstrate this (Article 5.2 of the GDPR).

16. The data controller is also subject to the security obligation provided for in Article 32 of the GDPR.

17. Article 32 of the GDPR specifies the following: "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (...) (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (…)" [7].

18. Confidentiality is the property of information that can only be accessed by authorized persons, entities or processes and may only be disclosed to authorized persons, entities or processes. This ability to grant selective access to information must be ensured throughout the life of this information, in particular during its collection, storage, processing and communication. In practice, the only persons authorized to access personal data are persons whose function or professional activities justify this access [8].

19. It therefore follows from Article 32 of the GDPR read in conjunction with Article 24 of the GDPR that the defendant was and remains required to implement all technical and organizational measures to ensure that healthcare providers and other professionals who use its information exchange system only have access to the data from the patient file necessary for their respective services, and this in compliance with the entire applicable legal framework, including but not exclusively the GDPR.

20. In its recommendation CM/Rec(2019)2 [9] [10], the Committee of Ministers of the Council of Europe recommends in the same way the following: "the exchange and sharing of health-related data between health professionals should be limited to information strictly necessary for the coordination or continuity of care, prevention or medical and social follow-up of the person. Each health professional may, in this case, transmit or receive only data that falls within the scope of his or her missions, depending on his or her authorisations. Appropriate measures should be taken in order to guarantee data security. The use of an electronic medical record and of electronic messaging capable of enabling the sharing and exchange of health-related data should respect these principles."

21. In general, access to data hosted on a server such as that of a hospital must take into account several determining criteria and conditions, such as the identity and the quality of the access requester, the type of data concerned, the degree of confidentiality of these data, the purpose of the request and the duration of the access. The server should integrate these different factors so that access is filtered and reserved for those who are authorized to it, in compliance with the GDPR and the other standards to which the requesters are respectively subject [11].

22. The Litigation Chamber notes in this regard that the complainant titled the subject of the emails that she produces in addition to the complaint form as follows: "professional secrecy shared in the context of sexual violence".

23. The Litigation Chamber is certainly not competent to sanction a possible violation of Article 458 of the Criminal Code (professional secrecy) as such, or to assess compliance with the conditions of shared professional secrecy. It is, however, competent to verify that the information exchange system set up by the defendant guarantees access to patients' personal data in compliance with the principle of security as recalled above, including confidentiality, to which respect for professional secrecy contributes without being confused with it.

24. The Litigation Chamber recalls here that on several occasions the European Court of Human Rights has insisted on the importance of respecting professional secrecy, not only for the privacy of patients but also, more generally, for the right to health [12].

25. As the Commission for the Protection of Privacy (CPVP) stated in its note relating to security (see note 6), "Security is certainly first and foremost a matter of management", in that the development and implementation of an effective security process requires the full awareness of management and the various managers, including the data controller, of the essential role that security plays within the entity concerned, as well as their total adherence to the security objectives sought and their active cooperation.

26. Still as underlined in the said note, "Security is then everyone's business": all the members of the organization, whoever they are, are part, at one time or another, of the security chain and therefore risk becoming its weakest link one day. They must be aware of and empowered in their own role in this chain, and must be prepared, sensitized and trained accordingly. This awareness must be put in place by the data controller with the assistance of its data protection officer (DPO).

27. With regard to the present case, the Litigation Chamber notes that it seems to emerge from the exchanges of e-mails produced by the complainant that all of the defendant's staff potentially have access to the personal data concerning her, at least those which she mentions in relation to the sexual assault of which she was the victim. It is not for the Litigation Chamber to conclude whether the access by the psychologist to the complainant's data (point 4) was or was not necessary for her professional services. On the other hand, if the defendant did not have an access policy for medical record data that is compliant with the GDPR, and more particularly with the principle of security read in combination with the principle of accountability, the defendant would be guilty of a violation of these provisions.

28. Given that it emerges from the exhibits produced by the complainant that the defendant seems to be engaged in a process of adapting its access policy, the Litigation Chamber considers that issuing a warning to it is the corrective measure most appropriate to the case in point. The implementation of this GDPR-compliant access policy should, according to the Litigation Chamber, also apply to files already opened with the defendant, and this as quickly as possible, taking account of the high sensitivity of the complainant's data.

29. In conclusion, the Litigation Chamber considers that, on the basis of the aforementioned facts, there is reason to conclude that the defendant may have committed a violation of the provisions of the GDPR, which justifies that in this case the Litigation Chamber proceeds to take a decision in accordance with Article 95, § 1, 4° of the LCA, i.e. more specifically the adoption of a warning decision.

30. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint submitted by the complainant, within the framework of the "procedure prior to the decision on the merits" [13]. It is not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.

31. Pursuant to Article 95, § 2, 3° of the LCA as well as Article 47 of the internal regulations of the DPA, a copy of the file may be requested by the parties. If one of the parties wishes to make use of the possibility of consulting this file, it is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be.

32. The purpose of this prima facie decision is to inform the defendant, presumed controller, of the fact that it may have committed a breach of the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions.

33. If, however, the defendant should not agree with the content of this prima facie decision and believes that it can put forward arguments of fact and/or law which could lead to another decision, it may address to the Litigation Chamber a request for processing on the merits of the case via the address litigationchamber@apd-gba.be, within 30 days of notification of this decision. If necessary, the execution of this decision will be suspended during the aforementioned period.

34. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto Article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their submissions and to attach to the file all the documents they deem useful. If applicable, this decision will be permanently suspended.

35. In the interests of transparency, the Litigation Chamber finally emphasizes that dealing with the case on the merits may lead to the imposition of the measures mentioned in Article 100 of the LCA [14].

III. Publication of the decision

36. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the APD. However, it is not necessary for this purpose that the identification data of the parties be directly mentioned.

FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with Articles 98 et seq. of the LCA:
- pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 4° of the LCA, to send a warning to the defendant.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (cour d'appel de Bruxelles), with the Data Protection Authority (DPA) as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in Article 1034ter of the Judicial Code [15]. The interlocutory request must be filed with the registry of the Court of Markets in accordance with Article 1034quinquies of the Judicial Code [16], or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(Signed) Hielke Hijmans, President of the Litigation Chamber

Footnotes:
[1] Under Article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared admissible.
[2] Pursuant to Article 95, § 2 LCA, by this decision the Litigation Chamber informs the parties of the fact that, following this complaint, the file was forwarded to it.
[3] [……]: reference to the website of the defendant's specialized Centre Z.
[4] Emphasis by the Litigation Chamber.
[5] Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation (EU) 2016/679, WP 248. At its inaugural meeting the European Data Protection Board endorsed these guidelines: https://ec.europa.eu/newsroom/article29/items/611236
[6] [……………………..]: reference to the defendant's privacy policy available on its website.
[7] Emphasis added by the Litigation Chamber.
[8] See in this regard the information security note of the APD: https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-securite-des-donnees-a-caractere-personnel.pdf. The Litigation Chamber considers that the content of this note (drafted at a time when the GDPR was not yet in force) remains relevant with regard to the security principles it sets out.
[9] https://search.coe.int/cm/pages/result_details.aspx?ObjectId=090000168093b26b
[10] The Council of Europe's data protection reference framework is certainly not the GDPR but rather Convention 108 (Convention for the protection of individuals with regard to automatic processing of personal data, ETS No. 108: https://rm.coe.int/1680078b39) and soon, once in force, Convention 108+ (Protocol amending the Convention for the protection of individuals with regard to automatic processing of personal data, ETS No. 223: https://www.coe.int/fr/web/conventions/full-list?module=treaty-detail&treatynum=223). These texts nevertheless contain data protection and security principles comparable to those of the GDPR and are so many sources of inspiration as to the measures to be put in place by a data controller in a situation such as that of the complaint.
[11] See also, by way of example, the Rules approved by the Management Committee of the eHealth platform on September 10, 2019 and by the Information Security Committee on April 7, 2020, as well as the deliberation of the Information Security Committee (Deliberation 19/166 of October 1, 2019, amended on July 6, 2021) – circles of trust: https://www.ehealth.fgov.be/ehealthplatform/file/view/AW0kmXp0gwvToiwBkkgH?filename=R%C3%A8glement%20COT%20-%2005032021%20-%20v2.pdf
[12] From Niemietz v. Germany of 16 December 1992, it could thus be deduced that the European Court of Human Rights (ECtHR) had, albeit implicitly, highlighted a dual function of professional secrecy (in that case, of the lawyer): (1) the confidentiality of the relationship between a professional subject to professional secrecy (the lawyer) and his client protects the subjective rights derived from Article 8 (privacy), but (2) it also guarantees the proper functioning of justice (social foundation). In Z. v. Finland, the ECtHR addresses for the first time, at least directly, the issue of medical secrecy. It indicates that it will take into account the fundamental role played by the protection of personal data – medical information not being the least – for the exercise of the right to respect for private and family life guaranteed by Article 8 of the European Convention on Human Rights (ECHR). Respect for the confidentiality of health information is an essential principle of the legal system of all Contracting Parties to the ECHR. It is essential not only to protect the privacy of patients but also to preserve their confidence in the medical profession and health services in general. The Court is terminologically innovative in requiring, for any possible justification of a breach of professional secrecy, the defence "of an aspect of the public interest" (§96) and in declaring that it will exercise "the most rigorous control" (§96) in this matter. In other words, professional secrecy is intended to protect the confidentiality of the exchange between the patient and the health care professional subject to secrecy to whom it is addressed – by not disclosing its contents to unauthorized third parties – not only in the interest of the confidant but also in that of society as a whole.
[13] Section 3, Subsection 2 of the LCA (Articles 94 to 97 inclusive).
[14] Art. 100, § 1. The Litigation Chamber has the power to: 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronounce the suspension of the pronouncement; 4° propose a settlement; 5° issue warnings and reprimands; 6° order compliance with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data; 11° order the withdrawal of accreditation from certification bodies; 12° issue periodic penalty payments; 13° issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
[15] The application contains, on pain of nullity: 1° the indication of the day, month and year; 2° the surname, first name and domicile of the applicant, as well as, where applicable, his capacity and his national register number or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and a summary statement of the grounds of the application; 5° the indication of the judge seized of the application; 6° the signature of the applicant or his lawyer.
[16] The application, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.
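The Holding above and paragraphs 18 to 21 of the decision describe, in legal terms, what a compliant access policy for a hospital record system has to do: filter each request on the requester's identity and professional quality, the type and confidentiality of the data, the purpose of the request and the duration of the access, and keep access to what is necessary for the requester's own service. The following is an added illustration, not code from the page, the DPA or the hospital group, of both the policy the complaint describes (any staff member can read any entry) and a need-to-know policy built on those five criteria, replayed against a constructed version of the facts. All names, units, sensitivity levels and authorisations are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Requester:
    user_id: str
    role: str   # professional quality, e.g. "physician", "psychologist" (assumed labels)
    unit: str   # organisational unit the requester works in (assumed labels)


@dataclass(frozen=True)
class RecordEntry:
    patient_id: str
    category: str     # type of data, e.g. "visit_summary", "incident_details"
    owning_unit: str  # unit that created the entry
    sensitivity: int  # degree of confidentiality: 1 = routine, 3 = highly personal


@dataclass(frozen=True)
class Authorisation:
    """A time-bounded care relationship between one professional and one patient."""
    user_id: str
    patient_id: str
    purposes: frozenset    # purposes this relationship covers
    max_sensitivity: int   # highest sensitivity the relationship may reach
    valid_until: datetime  # duration of the access


class OpenAccessPolicy:
    """The situation the complaint describes: any staff member can read any entry."""

    def decide(self, requester, entry, purpose, now):
        return True, "group-wide access"


class NeedToKnowPolicy:
    """Filters on requester, data type, confidentiality, purpose and duration."""

    def __init__(self, authorisations):
        self._auths = list(authorisations)
        self.audit = []  # every decision is recorded so deviations can be detected

    def decide(self, requester, entry, purpose, now):
        decision, reason = self._evaluate(requester, entry, purpose, now)
        self.audit.append((now.isoformat(), requester.user_id, entry.patient_id,
                           entry.category, purpose, decision, reason))
        return decision, reason

    def _evaluate(self, requester, entry, purpose, now):
        # Identity of the requester: there must be a care relationship with this patient.
        mine = [a for a in self._auths
                if a.user_id == requester.user_id and a.patient_id == entry.patient_id]
        if not mine:
            return False, "no care relationship with patient"
        # Duration: an expired relationship grants nothing.
        live = [a for a in mine if a.valid_until >= now]
        if not live:
            return False, "care relationship expired"
        # Purpose of the request: it must be one the relationship covers.
        fit = [a for a in live if purpose in a.purposes]
        if not fit:
            return False, "purpose not covered by relationship"
        # Type and confidentiality of the data: within the relationship's ceiling.
        if entry.sensitivity > max(a.max_sensitivity for a in fit):
            return False, "entry more sensitive than relationship allows"
        return True, "necessary for the requester's service"


def run_scenario():
    """Constructed replay of the complaint; returns each policy's decisions."""
    t0 = datetime(2021, 10, 1)
    incident = RecordEntry("patient_x", "incident_details", "centre_z", sensitivity=3)
    summary = RecordEntry("patient_x", "visit_summary", "centre_z", sensitivity=2)
    centre_doctor = Requester("doc_z", "physician", "centre_z")
    psychologist = Requester("psy_1", "psychologist", "maternity")
    auths = [
        Authorisation("doc_z", "patient_x", frozenset({"assault_care"}), 3, t0 + timedelta(days=365)),
        Authorisation("psy_1", "patient_x", frozenset({"antenatal_support"}), 1, t0 + timedelta(days=365)),
    ]
    open_policy, ntk = OpenAccessPolicy(), NeedToKnowPolicy(auths)
    consult = t0 + timedelta(days=200)  # the psychological consultation, months later
    return {
        "open_psy_incident": open_policy.decide(psychologist, incident, "antenatal_support", consult)[0],
        "ntk_psy_incident": ntk.decide(psychologist, incident, "antenatal_support", consult)[0],
        "ntk_psy_summary": ntk.decide(psychologist, summary, "antenatal_support", consult)[0],
        "ntk_doc_incident": ntk.decide(centre_doctor, incident, "assault_care", consult)[0],
        "ntk_doc_wrong_purpose": ntk.decide(centre_doctor, incident, "research", consult)[0],
        "ntk_doc_expired": ntk.decide(centre_doctor, incident, "assault_care", t0 + timedelta(days=400))[0],
        "denials_logged": sum(1 for row in ntk.audit if row[5] is False),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Under the open policy the psychologist's read of the assault details succeeds, which is the outcome the complainant observed. Under the need-to-know policy the same read is refused because the antenatal relationship neither covers that purpose nor reaches that sensitivity, while the Centre Z physician's read for assault care succeeds until the relationship expires. The audit list is the detective counterpart of the control: each refusal, with its reason, is what a DPO would review to show that access is in fact filtered rather than merely declared to be.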