Datainspektionen - DI-2019-3840: Difference between revisions
(Keep DPA’s old logo on old decisions) |
|||
(4 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
|Jurisdiction=Sweden | |Jurisdiction=Sweden | ||
|DPA-BG-Color= | |DPA-BG-Color= | ||
|DPAlogo=LogoSE.png | |DPAlogo=LogoSE-Datainspektionen.png | ||
|DPA_Abbrevation=Datainspektionen | |DPA_Abbrevation=Datainspektionen | ||
|DPA_With_Country=Datainspektionen (Sweden) | |DPA_With_Country=Datainspektionen (Sweden) | ||
Line 68: | Line 68: | ||
}} | }} | ||
Swedish DPA (Datainspektionen) | The Swedish DPA (Datainspektionen) fined a university hospital approximately €34 000 for giving its staff wider access to medical records than they needed to do their jobs. | ||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
In April 2019, the DPA | In April 2019, the DPA conducted an on-site inspection at Sahlgrenska University Hospital (Sahlgrenska universitetssjukhuset). The hospital is part of the Västra Götaland region. Four years earlier, the DPA had issued a supervisory decision concluding that the hospital had failed to carry out a necessity and risk analysis in accordance with the legal requirements. | ||
The hospital | The hospital maintains the medical records of about 900 000 patients. There are about 25 000 user accounts with access to the medical records system, although the hospital has only about 18000 employees. The hospital cooperates with other branches of the Västra Götaland region and assumes that the employees in the departments with which it cooperates have a legitimate need for direct access to the medical records. For the purposes of [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/patientdatalag-2008355_sfs-2008-355#K4P1 Chapter 4(1) of the Swedish Patient Data Act], the hospital considers this information to be lawfully shared within the same inner private zone (inre sekretess zon). | ||
All health care workers, including medical secretaries, have general access to all medical records, including those outside their department. If the patient has restricted access to his or her | All health care workers, including medical secretaries, have general access to all medical records, including those outside their department. If the patient has restricted access to his or her record, only those who work in that department can see the record. Doctors and nurses have general and emergency access. This means that they can access restricted medical records outside their department in a situation where the patient is unable to give consent. | ||
The hospital also | The hospital also maintains a log when a medical record is accessed. The log shall include the name of the health care professional, the portion of the record that was accessed, and the date and time of the last access. | ||
===Dispute=== | ===Dispute=== | ||
1. | 1. has the hospital taken appropriate technical and organizational measures to protect personal data in medical records? | ||
a. | a. Has the hospital conducted a proper necessity and risk analysis? | ||
b. Has the hospital | b. Has the hospital assigned authorizations correctly? | ||
c. Is the hospital a data controller | c. Is the hospital a data controller with respect to medical records maintained by other caregivers? | ||
d. Does the hospital maintain adequate records of access? | |||
2. sanction fee? | |||
===Holding=== | ===Holding=== | ||
Line 108: | Line 110: | ||
The DPA recalled that the risk and necessity analysis should determine how the caregiving institution assigns health care workers permission to access medical records. In this case, about 25 000 people had access to medical records, although the hospital only had about 18 000 employees. The hospital assigned permissions in such a way that health care workers, regardless of which department they worked in, could access the medical records of all departments within the hospital, except one. On this basis, the DPA concluded that the majority of the hospital's employees had access to more medical records than they needed to do their jobs. The DPA did not take a positive view of the fact that the hospital gave direct access to medical records to persons working in other governmental branches of the region of Västra Götaland. | The DPA recalled that the risk and necessity analysis should determine how the caregiving institution assigns health care workers permission to access medical records. In this case, about 25 000 people had access to medical records, although the hospital only had about 18 000 employees. The hospital assigned permissions in such a way that health care workers, regardless of which department they worked in, could access the medical records of all departments within the hospital, except one. On this basis, the DPA concluded that the majority of the hospital's employees had access to more medical records than they needed to do their jobs. The DPA did not take a positive view of the fact that the hospital gave direct access to medical records to persons working in other governmental branches of the region of Västra Götaland. | ||
=====Is the hospital a data controller | =====Is the hospital a data controller regarding medical records it retrieves from other caregivers?===== | ||
The [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/patientdatalag-2008355_sfs-2008-355 Swedish Patient Data Act] states that a caregiver is the data controller for the medical records that it creates. The hospital therefore did not consider itself a data controller of medical records that are retrieved from other caregivers through the coherent medical record system. However, the DPA considered that the hospital is a data controller for the specific data it retrieves in relation to an individual patient from a medical file kept by another caregiver. | The [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/patientdatalag-2008355_sfs-2008-355 Swedish Patient Data Act] states that a caregiver is the data controller for the medical records that it creates. The hospital therefore did not consider itself a data controller of medical records that are retrieved from other caregivers through the coherent medical record system. However, the DPA considered that the hospital is a data controller for the specific data it retrieves in relation to an individual patient from a medical file kept by another caregiver. | ||
Line 117: | Line 119: | ||
====Sanction fee==== | ====Sanction fee==== | ||
The Swedish | The [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2018218-med-kompletterande-bestammelser_sfs-2018-218 Swedish Data Protection Act] (implementing the GDPR) provides that public bodies that violate the GDPR can be fined up to SEK 10 million. The DPA imposed a sanction fee of SEK 3.5 million on the hospital. | ||
Firstly, the hospital processes a large amount of sensitive personal data of many affected patients (approximately 900 000). | Firstly, the hospital processes a large amount of sensitive personal data of many affected patients (approximately 900 000). |
Latest revision as of 11:43, 7 April 2022
Datainspektionen - DI-2019-3840 | |
---|---|
Authority: | Datainspektionen (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 24 GDPR Article 32(1) GDPR Article 32(2) GDPR Article 58(2) GDPR Article 83 GDPR Chapter 4, 2 § of the Patient Data Act Chapter 6, 7 § of the Patient Data Act Chapter 4, 2 § of HSLF-FS 2016:40 Chapter 4, 9 § of HSLF-FS 2016:40 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 02.12.2020 |
Published: | 03.12.2020 |
Fine: | 3500000 SEK |
Parties: | Sahlgrenska University Hospital, Board of directors |
National Case Number/Name: | DI-2019-3840 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Swedish |
Original Source: | Datainspektionen (in SV) |
Initial Contributor: | Kave Noori |
The Swedish DPA (Datainspektionen) fined a university hospital approximately €34 000 for giving its staff wider access to medical records than they needed to do their jobs.
English Summary
Facts
In April 2019, the DPA conducted an on-site inspection at Sahlgrenska University Hospital (Sahlgrenska universitetssjukhuset). The hospital is part of the Västra Götaland region. Four years earlier, the DPA had issued a supervisory decision concluding that the hospital had failed to carry out a necessity and risk analysis in accordance with the legal requirements.
The hospital maintains the medical records of about 900 000 patients. There are about 25 000 user accounts with access to the medical records system, although the hospital has only about 18000 employees. The hospital cooperates with other branches of the Västra Götaland region and assumes that the employees in the departments with which it cooperates have a legitimate need for direct access to the medical records. For the purposes of Chapter 4(1) of the Swedish Patient Data Act, the hospital considers this information to be lawfully shared within the same inner private zone (inre sekretess zon).
All health care workers, including medical secretaries, have general access to all medical records, including those outside their department. If the patient has restricted access to his or her record, only those who work in that department can see the record. Doctors and nurses have general and emergency access. This means that they can access restricted medical records outside their department in a situation where the patient is unable to give consent.
The hospital also maintains a log when a medical record is accessed. The log shall include the name of the health care professional, the portion of the record that was accessed, and the date and time of the last access.
Dispute
1. has the hospital taken appropriate technical and organizational measures to protect personal data in medical records?
a. Has the hospital conducted a proper necessity and risk analysis?
b. Has the hospital assigned authorizations correctly?
c. Is the hospital a data controller with respect to medical records maintained by other caregivers?
d. Does the hospital maintain adequate records of access?
2. sanction fee?
Holding
Has the hospital broken the law by not taking sufficient technical and organizational measures?
The DPA considered that the hospital had failed to implement adequate organizational and technical measures to protect medical records
Lack of risk and necessity analysis
In Sweden, sector-specific legislation consists of the Patient Data Act and the National Board of Health and Welfare's rules and general guidelines on the keeping of medical records and the processing of personal data in the health care system (Socialstyrelsens föreskrifter och allmänna råd om journalföring och behandling av personuppgifter i hälso- och sjukvården, HSLF-FS 2016:40).
Chapter 4(2) HSLF-FS 2016:40 requires that the hospital, as a care institution, carries out a so-called risk and necessity analysis before giving its staff access to different parts of the system for keeping medical records. In addition, Chapter 4(2) of the Patient Data Act stipulates that the hospital (caregiver) must limit employee access to the extent necessary for the performance of their duties. The Patient Data Act also permits the so-called coherent keeping of medical records, which means that a caregiver has direct access to the medical records of another caregiver. Before the caregiver grants his or her employees access to a coherent medical record, it must carry out a risk and necessity analysis.
The DPA considered that the hospital's current risk and necessity analysis was fit for the purpose of IT - security with a focus on the employee - which is a different form of risk analysis from that required by HSLF-FS 2016:40. The DPA was looking for a risk analysis that would assess the risks to patients as data subjects. For example, if patients who are famous, have a protected identity, or have a special diagnosis, are at risk of harm if access authorization is too relaxed. In addition, the DPA held that the hospital had not properly evaluated how permissions should be defined so that employees only have access to the information they need to do their jobs.
Access rights to medical records were too extensive
The DPA recalled that the risk and necessity analysis should determine how the caregiving institution assigns health care workers permission to access medical records. In this case, about 25 000 people had access to medical records, although the hospital only had about 18 000 employees. The hospital assigned permissions in such a way that health care workers, regardless of which department they worked in, could access the medical records of all departments within the hospital, except one. On this basis, the DPA concluded that the majority of the hospital's employees had access to more medical records than they needed to do their jobs. The DPA did not take a positive view of the fact that the hospital gave direct access to medical records to persons working in other governmental branches of the region of Västra Götaland.
Is the hospital a data controller regarding medical records it retrieves from other caregivers?
The Swedish Patient Data Act states that a caregiver is the data controller for the medical records that it creates. The hospital therefore did not consider itself a data controller of medical records that are retrieved from other caregivers through the coherent medical record system. However, the DPA considered that the hospital is a data controller for the specific data it retrieves in relation to an individual patient from a medical file kept by another caregiver.
Based on this finding, the DPA concluded that the hospital had once again failed to conduct a risk and necessity analysis and had not properly limited the permissions regarding access to the system for coherent medical records
Access logs
The DPA considered the current level of logging when an employee accesses a medical record to be insufficient. The DPA clarified that the purpose of the logging is not only to check for unauthorized access to the medical record. The log is also used to trace which actions were performed in connection with access to the medical record, such as printing, copying, or deleting personal data.
Sanction fee
The Swedish Data Protection Act (implementing the GDPR) provides that public bodies that violate the GDPR can be fined up to SEK 10 million. The DPA imposed a sanction fee of SEK 3.5 million on the hospital.
Firstly, the hospital processes a large amount of sensitive personal data of many affected patients (approximately 900 000).
Secondly, the hospital did not have a sufficiently granular access control system: health care staff could easily access documents from other departments. Also, the hospital had granted direct access to medical records to a large number of people working in other governmental branches of the region of Västra Götaland (outside the health care system).
Thirdly, the DPA considered that the hospital had not carried out a proper needs and risk analysis, as required by the DPA decision of 27 March 2015. According to the DPA, the hospital had been aware for several years that it was not complying with the law and deliberately decided not to take corrective measures.
Commands for making changes
Finally, the DPA instructed the hospital to take the following measures:
- Properly analyze the risk to the patients and analyze what access each employee needs.
- Assign each employee an individual access tailored to what he or she needs to do his or her job.
- To extend the logging of access to medical records to include information on what actions an employee has taken in relation to access to them.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Page 1 Decision Diarienr 1 (34) 2020-12-02 DI-2019-3840 Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se Website: www.datainspektionen.se Phone: 08-657 61 00 The board of Sahlgrenska University Hospital Blue stripe 5 413 45 Gothenburg Supervision under the Data Protection Regulation and Patient Data Act - needs and risk analysis and questions about access in journal systems Page 2 The Data Inspectorate DI-2019-3840 2 (34) Content The Data Inspectorate's decision ................................................ ..................................... 3 Report on the supervisory matter ............................................... .......................... 4 Previous review of needs and risk analysis ........................................... ..... 5 What has emerged in the case ............................................. ....................... 5 Sahlgrenska University Hospital has mainly stated the following ........... 5 Personal data controller ................................................. .................................... 5 Journal system ................................................. .................................................. 6 Internal privacy ................................................ .................................................. 6 Needs and risk analysis .............................................. ........................................... 6 Authorization of access to personal data about patients .. 8 Active selections ................................................ .................................................. ......... 9 Needs and risk analysis .............................................. ........................................... 9 Authorization of access to personal data about patients .. 9 Grounds for the decision ............................................... ......................................... 10 Requirements for doing needs and risk analysis .......................................... ............... 14 The Data Inspectorate's assessment ................................................ .................... 16 Sahlgrenska University Hospital's process for needs and risk analysis ...... 19 Documentation of access (logs) ............................................ .............. 27 Choice of intervention ............................................... ............................................ 29 Legal regulation ................................................ ........................................... 29 Order ................................................. .................................................. 30 Penalty fee ................................................. ........................................... 31 Appendices: Appendix 1 - How to pay a penalty fee ......................................... ... 33 How to appeal............................................... ........................................... 34 Page 3 The Data Inspectorate DI-2019-3840 3 (34) The Data Inspectorate's decision During an inspection on 23 April 2019, the Data Inspectorate has established that The board of Sahlgrenska University Hospital (Sahlgrenska University Hospital) processes personal data in violation of Article 5 (1) (f) and 5.2 and Article 32 (1) and (2) of the Data Protection Regulation 1 by Sahlgrenska University Hospital in its capacity as personal data controller does not meet the requirement that it should have carried out a needs and risk analysis before allocating permissions are made in the journal systems Melior and Nationell patient overview in accordance with ch. 4 § 2 and ch. 6 § 7 the Patient Data Act (2008: 355) and ch. Section 2 of the National Board of Health and Welfare regulations and general guidelines (HSLF-FS 2016: 40) on record keeping and processing of personal data in health care. This means that Sahlgrenska University Hospital has not taken appropriate organizational measures to ensure and be able to show that the processing of personal data has a security that is appropriate in relation to the risks. 2. Sahlgrenska University Hospital does not restrict users authorizations for access to the Melior and National journal systems patient overview to what is only needed for the user to be able to fulfill their duties in health care according to ch. 4 § 2 and ch. 6 Section 7 of the Patient Data Act and Chapter 4 § 2 HSLF- FS 2016: 40. This means that Sahlgrenska University Hospital does not has taken steps to ensure and be able to show one appropriate security for personal data. 3. Sahlgrenska University Hospital does not have documentation in Melior of access (logs) where it is stated which measures have been taken with information about a patient according to ch. 4 Section 3 of the Patient Data Act and 4 Cape. § 9 (item 1) HSLF-FS 2016: 40. This means that Sahlgrenska 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection for natural persons with regard to the processing of personal data and on the free flow of such information and repealing Directive 95/46 / EC (General Data Protection Regulation). Page 4 The Data Inspectorate DI-2019-3840 4 (34) The University Hospital has not taken appropriate organizational measures measures to be able to ensure and be able to show that the treatment of the personal data has a security that is appropriate in relation to the risks. The Data Inspectorate decides on the basis of Articles 58 (2) and 83 of the the Protection Ordinance and Chapter 6 § 2 of the law (2018: 218) with additional provisions to the EU Data Protection Regulation that Sahlgrenska University Hospital, for violation of Article 5 (1) (f) and 5.2 and Article 32 (1) and (2) of the Data Protection Regulation, shall pay a administrative penalty fee of 3,500,000 (three million five hundred thousand crowns. The Data Inspectorate submits pursuant to Article 58 (2) (d) data protection ordinance Sahlgrenska University Hospital that 1. ensure that the required needs and risk analysis is carried out and documented for the journal systems Melior and Nationell patient overview and that thereafter, with the support of needs and risk analysis, each user is assigned individual authority for access to personal data limited to what is needed for the individual to be able to fulfill his or her duties in healthcare, in accordance with Article 5 (1) (f) and Article 32.1 and 32.2 of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 § 7 the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40. 2. document in the journal system Melior's logs so that it appears there what measures have been taken with personal data about a patient, i in accordance with Article 32 of the Data Protection Ordinance, Chapter 4 § 3 the Patient Data Act and Chapter 4 § 9 (item 1) HSLF-FS 2016: 40. Report on the supervisory matter The Data Inspectorate initiated supervision by letter on 22 March 2019 and has on site on 23 April 2019 reviewed the Board of Directors of Sahlgrenska University Hospital (hereinafter referred to as Sahlgrenska University Hospital) decisions on the allocation of authorizations have been preceded by a need and risk analysis. The review has also included how Sahlgrenska Page 5 The Data Inspectorate DI-2019-3840 5 (34) The University Hospital has been granted authorizations for access to the main journal system Melior and NPÖ, and what access possibilities they have granted the privileges provide within the framework of internal confidentiality according to ch. 4 the Patient Data Act, as the coherent record keeping according to Chapter 6 patient data law. In addition to this, the Data Inspectorate has examined which one documentation of access (logs) contained in the journal systems. The Data Inspectorate has only examined users' access to the journal system, i.e. what care documentation the user can actually take part of and read. The supervision has not included which functions were included in the competence, ie. what the user can actually do in the journal system (eg issuing prescriptions, writing referrals, etc.). Previous review of needs and risk analysis The Data Inspectorate has previously carried out an inspection regarding Sahlgrenska The University Hospital had carried out a documented needs and risk analysis according to ch. Section 6, second paragraph, second sentence of the National Board of Health and Welfare regulations Information management and record keeping in health care (SOSFS 2008: 14). Of the Data Inspectorate's decision with registration number 1607-2013, announced on March 27, 2015, it appears that Sahlgrenska University Hospital did not meet the requirement to carry out a needs and risk analysis according to said regulations, and was therefore ordered to implement such a the main journal system. What has emerged in the case Sahlgrenska University Hospital has mainly stated the following. Personal data manager Sahlgrenska University Hospital has stated that the Board of Sahlgrenska The University Hospital is responsible for the processing of personal data personal data that Sahlgrenska University Hospital performs in the main journal system Melior. Sahlgrenska University Hospital also has stated that the National Patient Overview (NPÖ) is only a reading view that presents information from connected systems, and that no information stored in NPÖ. Sahlgrenska University Hospital is not personal data controller for information displayed in NPÖ. Page 6 The Data Inspectorate DI-2019-3840 6 (34) Journal system Sahlgrenska University Hospital has stated that they have been using since 1998 of the main journal system Melior within the framework of internal confidentiality. Everything is seen as internal secrecy within the framework of the Västra Götaland region. Since May 6, 2014, Melior in the Västra Götaland region consists of one single database (GEM), instead of the previous 27. It used to be possible access other units' care documentation but it was significantly more cumbersome, which meant that employees were reluctant to read records of other units. The current division of units is the same as before but now it is easier to access others units records. According to data provided by Sahlgrenska University Hospital 896,401 patients recorded in Melior at Sahlgrenska University Hospital. The number of employees at Sahlgrenska The University Hospital is 16,731, and the number of active accounts in Melior is 24 638 st. Sahlgrenska University Hospital has stated that the reason for that the number of active accounts is greater than the number of employees is that Västra The Götaland region is an internal privacy zone, and that Sahlgrenska The University Hospital collaborates with other administrations within Västra The Götaland region, where employees need access to patient information at Sahlgrenska University Hospital. Sahlgrenska University Hospital is not part of a cohesive system record keeping through Melior, but is included in cohesive record keeping through the NPÖ system. Internal secrecy Needs and risk analysis At the time of the inspection, Sahlgrenska University Hospital stated in essentially the following. When a new employee is hired, a needs analysis is first made, consisting of one assessment of which systems the employee needs access to. The assessment is made in two steps: 1) which assignment the person has and 2) which systems the person needs to have access to in order to perform their work / assignment. Due to a limitation in the system no one is done Page 7 The Data Inspectorate DI-2019-3840 7 (34) assessment of which tasks in Melior the employee should be able to take part in of. Then a risk analysis is made which consists of an assessment at the individual level of if the person to be assigned eligibility will follow the guidelines for to take part in information in Melior. If this is not the case, the person should not normally employed. At the time of inspection, Sahlgrenska University Hospital cannot present an analysis for people who are employed and it is unclear whether it is documented. Sahlgrenska University Hospital has comments on the inspection report that was received by the Swedish Data Inspectorate on 27 June 2019 stated that Sahlgrenska University Hospital in September 2011 carried out a comprehensive risk analysis, Availability of the operation of the electronic the patient record Melior, regarding patient safety, information security and technical safety. The starting point for the risk analysis at that time was that simplify access to patient data between the different devices within the hospital when the National Board of Health and Welfare considered the division into different databases which was present at the time entailed a patient safety risk. 27 databases merged into a hospital-wide database and the general role which is assigned to all staff in need of access to the patient record was introduced. Previous review of needs and risk analysis Due to the Data Inspectorate's previous review, Sahlgrenska has The University Hospital has submitted a number of documents, including a risk and vulnerability analysis and a so-called simplified needs and risk analysis with the title Needs and risk analysis when allocating individual eligibility to journal systems , which are said to have been developed in the spring of 2019, to show how Sahlgrenska University Hospital has acted after the inspection earlier decision. On 13 September 2019, Sahlgrenska University Hospital was also included the document Needs and risk analysis when allocating authorization , of which it states that “In healthcare, the patient's life and health are more important than integrity which means that accessibility and accuracy outweigh confidentiality from a patient safety perspective. IN the patient record system (Melior), the employee must make an active choice for Page 8 The Data Inspectorate DI-2019-3840 8 (34) to be able to access patient information from other care units / processes. We makes the assessment that that function is sufficient to satisfy the requirement of confidentiality. We believe it is in accordance with HSLF-FS 2016: 40. Sahlgrenska University Hospital accepts the risk of confidentiality is not as high a priority as accuracy and availability until Sahlgrenska University Hospital has a technical or organizational opportunity to prioritize confidentiality ”. Authorization of access to personal data about patients Sahlgrenska University Hospital has mainly stated the following. There are two different roles when it comes to assigning reading permissions to Melior; a general role assigned to all health and medical staff healthcare, and a so-called operational role. When it comes to the general role, there are two different variants; a "general" and a "general including emergency access". All employees within health care has been assigned a general role - with or without emergency access. The difference between the different variants is that the variant “generally inclusive emergency access ”is assigned to physicians and nurses, and involves the user have the opportunity to open blocked journals outside their own the activity, in the event that the patient is unable to give his consent. The "general" variant is assigned to other care staff and secretaries, if desired say the users who are not doctors or nurses but who should have eligibility for Melior. With the general role, the employee has access to all units care documentation, with the exception of the clinical genetics unit which is not included in the general authorizations. There are no more restrictions on access in Melior, apart from healthcare documentation such as the patient himself has blocked. The business role provides access to blocked information regarding a certain unit. An employee must have an assignment to be assigned the business role and can only be assigned that role regarding that unit Page 9 The Data Inspectorate DI-2019-3840 9 (34) to which the employee belongs. Every business has such a business role and in total the number of such operational roles amounts to about 60-70. Active choices During the inspection, Sahlgrenska University Hospital has shown how the permissions appear in the system, and stated, among other things, the following. When an employee logs in to Melior, he is directed to the unit that the employee belongs to. When the employee is logged in, there are six tabs in it the right edge that gives access to different parts of the journal that the employee has chosen to take part in. As a starting point, only the journal is displayed at the device that has been selected at login, but through active selections can the employee has access to other units' records. If an employee is logged in as a nurse, it is initially only visible nurses' medical records. However, the employee can get access to other professional categories' journal entries by checking boxes for different occupational categories. There is also the opportunity to check a single box covering all occupational categories, thereby gaining a share of journal entries of all occupational categories. Coherent record keeping Sahlgrenska University Hospital participates in systems for cohesion record keeping through NPÖ, and has mainly stated the following. Needs and risk analysis Sahlgrenska University Hospital has not done any needs and risk analysis before granting authorization in NPÖ. Authorization of access to personal data about patients The patient must be enrolled at Sahlgrenska University Hospital in Melior so that the employee can use NPÖ. Access to NPÖ is given to healthcare professionals, especially doctors and nurses, and an employee assignment is required to obtain such authorization. As In principle, only doctors and nurses have access to NPÖ, but other categories can be accessed upon their own application competence. In such cases, the employee may apply for an employee assignment coherent record keeping. The allocation of the authorizations is based on Page 10 The Data Inspectorate DI-2019-3840 1 0 (34) needs and fewer employees have access to NPÖ than to Melior. For example assistant nurses need to be able to note in the journal in Melior but they does not need to have access to NPÖ. Those who are eligible for NPÖ can see all care documentation available there, but active choices are required. Documentation of access (logs) Sahlgrenska University Hospital has stated the following. The documentation that is displayed when removing the access logs in Melior is information about the patient, which user has opened the record, which part of the journal that has been opened and the time and date of the most recent the opening. It is not clear at which care unit the measures were taken or which measures which the user has specifically taken. Sahlgrenska University Hospital has stated that information about which unit the user is employed on can controlled by a search on where the user is employed. Different logs must then be combined with each other. Grounds for the decision Applicable rules The Data Protection Regulation is the primary source of law The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and is the primary legal regulation in the processing of personal data. This also applies to health care. The basic principles for the processing of personal data are set out in Article 5 of the Data Protection Regulation. A basic principle is the requirement security pursuant to Article 5 (1) (f), which states that personal data shall be processed in a way that ensures adequate security for personal data, including protection against unauthorized or unauthorized treatment and against loss, destruction or damage by accident, using appropriate technical or organizational measures. Page 11 The Data Inspectorate DI-2019-3840 1 1 (34) Article 5 (2) states the so-called liability, ie. that it personal data controllers must be responsible for and be able to show that the basic the principles set out in paragraph 1 are complied with. Article 24 deals with the responsibility of the controller. Of Article 24 (1) it appears that the person responsible for personal data is responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that the processing is performed in accordance with the Data Protection Regulation. The measures shall carried out taking into account the nature, scope, context of the treatment and purposes and the risks, of varying degrees of probability and severity, for freedoms and rights of natural persons. The measures must be reviewed and updated if necessary. Article 32 regulates the security associated with the processing. According to paragraph 1 the personal data controller and the personal data assistant shall take into account of the latest developments, implementation costs and treatment nature, scope, context and purpose as well as the risks, of varying probability and seriousness, for the rights and freedoms of natural persons take appropriate technical and organizational measures to ensure a level of safety appropriate to the risk (…). According to paragraph 2, when assessing the appropriate level of safety, special consideration is given to the risks which the treatment entails, in particular from accidental or unlawful destruction, loss or alteration or to unauthorized disclosure of or unauthorized access to the personal data transferred, stored or otherwise processed. Recital 75 states that in assessing the risk to natural persons rights and freedoms, various factors must be taken into account. Among other things mentioned personal data covered by professional secrecy, health data or sexual life, if the processing of personal data concerning vulnerable physical persons takes place persons, especially children, or if the treatment involves a large number personal data and applies to a large number of registered persons. Furthermore, it follows from recital 76 that the probable and serious risk of it data subjects' rights and freedoms should be determined on the basis of processing nature, scope, context and purpose. The risk should be evaluated on on the basis of an objective assessment, which determines whether the data processing involves a risk or a high risk. Page 12 The Data Inspectorate DI-2019-3840 1 2 (34) Recitals 39 and 83 also contain writings that provide guidance on it the meaning of the Data Protection Regulation's requirements for security in Processing of personal data. The Data Protection Regulation and the relationship with complementary national provisions According to Article 5 (1) (a) of the Data Protection Regulation, personal data must: treated in a lawful manner. In order for the treatment to be considered legal, it is required legal basis by fulfilling at least one of the conditions of Article 6 (1). The provision of health care is one such task of general interest referred to in Article 6 (1) (e). In health care, the legal bases can also be legal obligation in Article 6 (1) (c) and the exercise of authority under Article 6 (1) (e) updated. When it comes to the legal bases legal obligation, in general interest or exercise of authority by the Member States, in accordance with Article 6.2, maintain or introduce more specific provisions to adapt the application of the provisions of the Regulation to national circumstances. National law may specify specific requirements for the processing of data and other measures to ensure legal and fair treatment. But there is not only one possibility to introduce national rules but also one duty; Article 6 (3) states that the basis for the treatment referred to in paragraph 1 (c) and (e) shall be determined in accordance with Union law or national law of the Member States. The legal basis may also include specific provision to adapt the application of the provisions of the Data Protection Regulation. Union law or the national law of the Member States law must fulfill an objective of general interest and be proportionate to it legitimate goals pursued. Article 9 states that the treatment of specific categories of personal data ( so-called sensitive personal data) is prohibited. Sensitive personal data includes data on health. Article 9 (2) states except when sensitive personal data may still be processed. Article 9 (2) (h) states that the processing of sensitive personal data may be repeated the treatment is necessary for reasons related to, among other things the provision of health care on the basis of Union law or Page 13 The Data Inspectorate DI-2019-3840 1 3 (34) national law of the Member States or in accordance with agreements with professionals in the field of health and provided that the conditions and protective measures referred to in paragraph 3 are met. Article 9 (3) requires regulated secrecy. This means that both the legal bases of general interest, exercise of authority and legal obligation in the treatment of the vulnerable personal data under the exemption in Article 9 (2) (h) supplementary rules. Supplementary national regulations In the case of Sweden, both the basis for the treatment and those special conditions for the processing of personal data in the field of health and healthcare regulated in the Patient Data Act (2008: 355), and the Patient Data Ordinance (2008: 360). I 1 kap. Section 4 of the Patient Data Act states that the law complements the data protection regulation. The purpose of the Patient Data Act is to provide information in health and healthcare must be organized so as to meet patient safety and good quality and promotes cost efficiency. Its purpose is also to personal data shall be designed and otherwise processed so that patients and the privacy of other data subjects is respected. In addition, must be documented personal data is handled and stored so that unauthorized persons do not have access to it them (Chapter 1, Section 2 of the Patient Data Act). According to ch. Section 6 of the Patient Data Act is a care provider responsible for personal data for the processing of personal data carried out by the care provider. In a region and one municipality is each authority that conducts health and medical care personal data controller for the processing of personal data that the authority performs. The supplementary provisions in the Patient Data Act aim to: take care of both privacy protection and patient safety. The legislator has thus through the regulation made a balance as to how the information must be processed to meet both the requirements for patient safety as the right to privacy in the processing of personal data. The National Board of Health and Welfare has, with the support of the Patient Data Ordinance, issued regulations and general advice on record keeping and processing of personal data in health care (HSLF-FS 2016: 40). The regulations constitute such Page 14 The Data Inspectorate DI-2019-3840 1 4 (34) supplementary rules, to be applied in the care provider's treatment of personal data in health care. National provisions supplementing the requirements of the Data Protection Regulation safety can be found in Chapters 4 and 6. the Patient Data Act and Chapters 3 and 4 HSLF-FS 2016: 40. Requirement to do needs and risk analysis According to ch. 4, the care provider must § 2 HSLF-FS 2016: 40 make a needs and risk analysis, before the allocation of authorizations in the system takes place. That the analysis requires both the needs and the risks is clear from the preparatory work to the Patient Data Act, prop. 2007/08: 126 pp. 148-149, as follows. Authorization for staff's electronic access to patient information shall be limited to what the executive needs to be able to perform his duties in health and healthcare. This includes that authorizations must be followed up and changed or restricted accordingly hand as changes in the tasks of the individual executive give rise to it. The provision corresponds in principle to section 8 of the Health Care Register Act. The purpose of the provision is to imprint the obligation of the responsible caregiver to make active and individual eligibility assignments based on analyzes of which details are different staff categories and different types of activities need. But it's not just needed needs analyzes. Risk analyzes must also be done where different types of risks are taken into account, such as may be associated with an overly availability of certain types of information. Protected personal data that is classified, information about publicly known persons, data from certain clinics or medical specialties are examples of categories such as may require special risk assessments. In general, it can be said that the more comprehensive an information system is, the greater the amount there must be different levels of authorization. Decisive for decisions on eligibility for e.g. various categories of healthcare professionals for electronic access to data in patient records should be that the authority should be limited to what the executive needs for the purpose a good and safe patient care. A more extensive or coarse-meshed competence allocation should - even if it has points from the point of view of efficiency - is considered an unjustified dissemination of journal information within a business and should as such not accepted. Furthermore, data should be stored in different layers so that more sensitive data require active choices or otherwise not as easily accessible to staff as less sensitive tasks. When it applies to personnel who work with business follow-up, statistics production, central financial administration and similar activities that are not individual-oriented, it should be most executives suffice with access to information that can only be indirectly derived to individual patients. Electronic access to code keys, social security numbers and others data that directly point out individual patients should be able to be strong in this area limited to individuals. Page 15 The Data Inspectorate DI-2019-3840 1 5 (34) Internal secrecy The provisions in ch. 4 The Patient Data Act concerns internal confidentiality, ie. regulates how privacy protection is to be handled within a care provider's business and especially employees' opportunities to prepare for personal data that is electronically available in a healthcare provider organisation. It appears from ch. Section 2 of the Patient Data Act stipulates that the care provider must decide conditions for granting access to such data patients who are fully or partially automated. Such authorization shall limited to what is needed for the individual to be able to fulfill theirs tasks in health care. According to ch. 4 § 2 HSLF-FS 2016: 40, the care provider shall be responsible for each users are assigned an individual privilege to access personal data. The caregiver's decision on the allocation of eligibility shall preceded by a needs and risk analysis. Coherent record keeping The provisions in ch. 6 the Patient Data Act concerns cohesive record keeping, which means that a care provider - under the conditions specified in § 2 of the same chapter - may have direct access to personal data processed by others caregivers for purposes related to care documentation. The access to information is provided by a healthcare provider making the information about a patient which the care provider registers if the patient is available to other care providers who participate in the coherent record keeping (see Bill 2007/08: 126 p. 247). Of ch. 6 Section 7 of the Patient Data Act follows that the provisions in Chapter 4 § 2 also applies to authorization allocation for unified record keeping. The requirement of that the care provider must perform a needs and risk analysis before allocating permissions in the system take place, also applies in systems for cohesion record keeping. Documentation of access (logs) Of ch. 4 Section 3 of the Patient Data Act states that a care provider must ensure that access to such data on patients kept in whole or in part automatically documented and systematically checked. According to ch. 4 Section 9 HSLF-FS 2016: 40, the care provider shall be responsible for that Page 16 The Data Inspectorate DI-2019-3840 1 6 (34) 1. it appears from the documentation of the access (logs) which measures taken with information on a patient, 2. it appears from the logs at which care unit or care process measures have been taken, 3. the logs indicate the time at which the measures were taken; 4. the identity of the user and the patient is stated in the logs. The Data Inspectorate's assessment Personal data controller's responsibility for security As described above, the National Board of Health and Welfare's regulations give the caregiver one responsibility for information management in healthcare, such as that carry out a needs and risk analysis before assigning authorizations in the system happens. In public health care does not coincide always the concept of caregiver with the personal data controller. Of both the basic principles of Article 5 and Article 24 (1) the Data Protection Ordinance, it appears that it is the person responsible for personal data which shall implement appropriate technical and organizational measures to: ensure and be able to demonstrate that the treatment is carried out in accordance with the Data Protection Regulation. The Data Inspectorate can state that the Data Protection Ordinance in its capacity as EU regulation is directly applicable in Swedish law and that in the regulation indicates when supplementary regulation is or may be introduced nationally. There is for example, space to nationally regulate who is data controller in accordance with Article 4 of the Data Protection Regulation. It is however, it is not possible to give deviating regulation regarding it the personal data controller's responsibility to take appropriate technical and organizational measures to ensure an appropriate level of security in relation to the risk. This means that the National Board of Health and Welfare's regulations state that it is the caregiver who must take certain measures, does not change that the responsibility to take appropriate security measures rests with it personal data controller according to the Data Protection Regulation. The Data Inspectorate can state that Sahlgrenska University Hospital, in its capacity as responsible for personal data, is responsible for taking these measures. As previously described, Article 24 (1) of the Data Protection Regulation provides a general requirement for the personal data controller to take appropriate technical Page 17 The Data Inspectorate DI-2019-3840 1 7 (34) and organizational measures. The requirement is partly to ensure that the processing of personal data is carried out in accordance with the Data Protection Ordinance, and that the data controller must be able to demonstrate that the processing of personal data is carried out in accordance with the Data Protection Regulation. The safety associated with the treatment is regulated more specifically in the articles 5.1 f and 32 of the Data Protection Regulation. Article 32 (1) states that the appropriate measures shall be both technical and organizational and they must ensure a level of security that is appropriate in in relation to the risks to the rights and freedoms of natural persons which the treatment entails. It is therefore necessary to identify the possible ones the risks to the data subjects' rights and freedoms and assess the probability of the risks occurring and the severity if they occur. What is appropriate varies not only in relation to the risks but also based on the nature, scope, context and purpose of the treatment. It has thus the significance of what personal data is processed, how many data, it is a question of how many people process the data, etc. The health service has a great need for information in its operations. The It is therefore natural that the possibilities of digitalisation are utilized as much as possible in healthcare. Since the Patient Data Act was introduced, a lot extensive digitization has taken place in healthcare. Both the data collections size as the number of people sharing information with each other has increased substantially. At the same time, this increase means that the demands on it increase personal data controller, as the assessment of what is an appropriate safety is affected by the extent of the treatment. It is also a question of sensitive personal data. The information concerns people who are in a situation of dependence when they are in need of care. It is also often a question of a lot of personal information about each of these people and the data may over time be processed by very many people in healthcare. All in all, this places great demands on it personal data controllers. The data processed must be protected from outside actors as well the business as against unauthorized access from within the business. It appears of Article 32 (2) that the data controller, in assessing the appropriate Page 18 The Data Inspectorate DI-2019-3840 1 8 (34) level of safety, in particular shall take into account the risks of unintentional or illegal destruction, loss or unauthorized disclosure or unauthorized access. In order to be able to know what is an unauthorized access it must personal data controllers must be clear about what is an authorized access. Needs and risk analysis I 4 kap. Section 2 of the National Board of Health and Welfare's regulations (HSLF-FS 2016: 40) which supplement In the Patient Data Act, it is stated that the care provider must make a needs and risk analysis before the allocation of authorizations in the system takes place. This means that national law prescribes requirements for an appropriate organizational measure that shall: taken before the allocation of authorizations to journal systems takes place. A needs and risk analysis must include an analysis of the needs and a analysis of the risks from an integrity perspective that may be associated with an overly allotment of access to personal data about patients. Both the needs and the risks must be assessed on the basis of them tasks that need to be processed in the business, what processes it is the question of whether and what risks to the privacy of the individual exist. The assessments of the risks need to be made on the basis of organizational level, there for example, a certain business part or task may be more privacy sensitive than another, but also based on the individual level, if it is the issue of special circumstances that need to be taken into account, such as that it is a question of protected personal data, publicly known persons or otherwise particularly vulnerable persons. The size of the system also affects the risk assessment. The preparatory work for the Patient Data Act shows that the more comprehensive an information system is, the greater the variety eligibility levels must exist. (Prop. 2007/08: 126 p. 149). It is thus the question of a strategic analysis at the strategic level, which should provide one authorization structure that is adapted to the business and this must be maintained updated. In summary, the regulation requires that the risk analysis identifies • different categories of data (eg health data), Categories of data subjects (eg vulnerable natural persons and children), or • the scope (eg number of personal data and registered) Page 19 The Data Inspectorate DI-2019-3840 1 9 (34) • negative consequences for data subjects (eg injuries, significant social or economic disadvantage, deprivation of rights and freedoms), and how they affect the risk to the rights and freedoms of natural persons Processing of personal data. This applies both within internal secrecy as in coherent record keeping. The risk analysis must also include special risk assessments, for example based on whether there is protected personal data that is classified, information on public figures, information from certain clinics or medical specialties (Bill 2007/08: 126 p. 148- 149). The risk analysis must also include an assessment of how probable and serious the risk to the data subjects' rights and freedoms is and in any case determined whether it is a risk or a high risk (recital 76). It is thus through the needs and risk analysis that it personal data controller finds out who needs access, which information the accessibility shall include, at what times and at what context access is needed, while analyzing the risks to it the freedoms and rights of the individual that the treatment may lead to. The result should then lead to the technical and organizational measures needed to ensure that no access other than that of need and the risk analysis shows that it should be justified. When a needs and risk analysis is missing prior to the allocation of qualifications in system, lacks the basis for the personal data controller on a legal be able to assign their users a correct authorization. The the data controller is responsible for, and shall have control over, the personal data processing that takes place within the framework of the business. To assign users one upon access to journal system, without this being founded on a performed needs and risk analysis, means that the person responsible for personal data does not have sufficient control over the personal data processing that takes place in the journal system and also can not show that he has the control that required. Page 20 The Data Inspectorate DI-2019-3840 2 0 (34) Sahlgrenska University Hospital's process for needs and risk analysis Sahlgrenska University Hospital has within the framework of the supervisory matter referred to three different processes or documents that are said to constitute one needs and risk analysis. Regarding the process that Sahlgrenska The university hospital referred to at the time of the inspection passed this partly in an assessment of which assignments the person has and which systems the person needs to have access to, partly in an assessment at the individual level of whether the employee to be hired seemed inclined to take part in tasks in the medical record system in violation of current guidelines. The Data Inspectorate can state that Sahlgrenska University Hospital does not has carried out an analysis concerning the business, various processes and staff categories' need to process data. What is described is instead, only an assessment of what systems an employee needs to have access to. The risk analysis described by Sahlgrenska University Hospital is about one risk assessment other than that referred to in the National Board of Health and Welfare's regulations. IN the needs and risk analysis, risks to the individual's integrity must be identified. As is clear from the preparatory work for the Patient Data Act, certain information may be required special risk assessment and protected personal data are given as examples which are classified, information about publicly known persons, information from certain clinics or medical specialties. So it is not the assessment of the employee referred to in this context. On the contrary have the legislator emphasizes precisely that even if health care should be able to have large trust in their employees, it is not in itself sufficient protection, The ethical principle of confidentiality in health care is deeply rooted information that emerges in the contact between healthcare professionals and patients is of course a strong counterforce to gossiping about patients or otherwise spreading information in an unacceptable way among co-workers. The same is true of the propensity to find out information about patients who are cared for in the workplace but who do not have one themselves professional relationship with. Given the scope of health care and the big picture the number of employed health and medical staff, about 300,000 people in the municipalities alone and the county council's health and medical care, however, it cannot be assumed that this is not the case at all occurs. The trend towards common widely available electronic journal systems within the large ones At the same time, the care providers' operations entail increased risks of invasion of privacy. If it increased potential availability of medical records is not handled well so that patients can feel confident that sensitive information is not read by unauthorized persons, there is a high risk of that patients choose to stay out of electronic access systems. Page 21 The Data Inspectorate DI-2019-3840 2 1 (34) A mixture of preventive and reactive measures is needed to prevent patient data shall be handled in an unacceptable manner (Bill 2007/08: 126 pp. 147-147). The process that Sahlgrenska described at the time of the inspection is thus not a needs and risk analysis according to ch. 2 § HSLF-FS 2016: 40. The document Availability for operation of the electronic patient record Melior Sahlgrenska University Hospital has in supplementary information that received by the Swedish Data Inspectorate on 27 June 2019 stated that the document Accessibility to the operation of the electronic patient record Melior constitutes one needs and risk analysis. The document is stated to have been prepared in 2011 and to have as starting point to simplify access to patient data between the different the units within the hospital. However, it can be stated that by the document states that it aims to carry out a risk analysis regarding operation of the Melior medical record system. In the section “Risk identification and underlying causes "the identified risks are either attributed to" Part 1: Patient safety and operational perspective ”or“ Part 2: Technical safety with regard to availability for operation ”. Regarding the needs analysis, the document does not contain an analysis of which ones tasks employees need to be able to perform their tasks. Regarding the risk analysis, examples of risks such as identified in Part 1: Patient safety and operational perspective that “All IT related anomalies that may affect patient safety are not reported ", or "Wrong patient is dictated on the wrong dictation". Risks identified in Part 2: Technical safety with regard to availability for operation, is for example “unauthorized access to journal information ”, caused by“ transmission via open networks ”. There are risks from an information security perspective, however the document does not contain an analysis of the risks that may be associated with one too wide availability regarding different types of personal data. The document is thus an analysis from a business perspective and fulfills not the requirements for a needs and risk analysis from an integrity perspective according to 4 Cape. 2 § HSLF-FS 2016: 40. The document risk and vulnerability analysis Sahlgrenska University Hospital also has due to The Data Inspectorate's inquiry as to what measures have been taken after Page 22 The Data Inspectorate DI-2019-3840 2 2 (34) the authority's decision 1607-2013, in which Sahlgrenska University Hospital was instructed to produce a documented needs and risk analysis, stated that In the spring of 2019, a needs and risk analysis was carried out. Sahlgrenska The University Hospital has submitted three different documents, a risk and vulnerability analysis, a so-called simplified needs and risk analysis with the title Needs and risk analysis when allocating individual eligibility to journal system, and a document entitled Needs and risk analysis at authorization allocation which can be said to constitute a brief account of how the other two documents are used in the business. Initially, it can It is stated that the documents were not produced until four years after the Data Inspectorate order. In addition, none of the documents submitted constitutes a need and risk analysis from an integrity perspective. Regarding the risk and vulnerability analysis, it is an analysis that must be performed according to the legislation on heightened preparedness and crisis preparedness 2 . Such a thing happens for other purposes and is not the same as a needs and risk analysis according to in ch. 4 2 § HSLF-FS 2016: 40. It appears from the risk and vulnerability analysis that a measure to deal with one too at the level of eligibility should be to implement a simplified needs and risk analysis when allocating eligibility. The document thus states that a needs and risk analysis must be done, but does not in itself constitute one. The document does not contain an analysis of what tasks the employees have need in the journal system to be able to perform their tasks. The there are parts that concern the risk to the individual's integrity, but the so-called identified consequences do not constitute an analysis of risks in the current case the case but rather a statement of facts, such as that of a consequence that the internal area of confidentiality is extensive is that “VGR has many employee which can lead to the permissions becoming too wide, which gives employees more competence than they need ”. In some parts contains the document identified risks which, however, do not aim at the protection of the integrity of the individual; for example, it is found that a consequence of that employees do not know what applies when accessing patient data is that “patients when requesting a log extract can see that an unauthorized person has looked in journal, bad will for SU ”. 2 Act (2006: 544) on municipalities 'and county councils' measures before and during extraordinary events in peacetime and heightened preparedness , ordinance (2015: 1052) on crisis preparedness and measures by the authorities responsible for surveillance in the event of heightened preparedness. Page 23 The Data Inspectorate DI-2019-3840 2 3 (34) In summary, the Data Inspectorate can state that the document does not contains analyzes of the need for access to personal data or the risks for the integrity of the individual arising from an excessively wide authorization, and thus does not meet the requirements of a needs and risk analysis from an integrity perspective according to ch. 2 § HSLF-FS 2016: 40. The simplified needs and risk analysis Regarding the simplified needs and risk analysis that Sahlgrenska in risk and the vulnerability analysis determines to be done when authorization is granted it is initially stated that it is not compatible with in ch. § 2 HSLF- FS 2016: 40 to only perform a simplified needs and risk analysis. Further the document consists of a list of 14 questions to be answered with yes or no, such as “the employee knows that the computer must not be left unlocked, without supervision? ”. The Data Inspectorate can state that this is rather a question of a document to be used to create the conditions for a good information security at the individual level. It is an organizational measure to ensure an appropriate level of security, but it is not an analysis of the need for access to personal data or the risks to the privacy of the individual arises through an overly authoritative control. Thus does not meet nor does this document require a needs and risk analysis from one integrity perspective according to ch. 4 2 § HSLF-FS 2016: 40. The document Needs and risk analysis when allocating eligibility Sahlgrenska University Hospital has also submitted a document in which the work with needs and risk analysis is briefly described. The document briefly describes how the risk and vulnerability analysis and the simplified one the needs and risk analysis is used in the business, and how Sahlgrenska The University Hospital prioritises accuracy and accessibility over confidentiality. The document does not contain any analyzes of the need for access to personal data or the risks to the privacy of the individual that arises through an overly allocation of competencies, and meets thus not the requirements for a needs and risk analysis according to ch. § 2 HSLF-FS 2016: 40. Instead, the document shows that Sahlgrenska University Hospital consciously prioritizes the requirement of confidentiality. The Swedish Data Inspectorate's summary assessment Page 24 The Data Inspectorate DI-2019-3840 2 4 (34) As stated above, in a needs and risk analysis, both the needs and the risks are assessed on the basis of the data that need to be processed in the business, what processes are involved and what are the risks for it individual integrity that exists on both organizational and individual level. It is thus a question of a strategic analysis at a strategic level, which shall provide an authorization structure that is adapted to the business. It should result in authorization assignments but it is not the instructions to the person who assigns the permissions that are the analysis. At the Data Inspectorate's review, Sahlgrenska University Hospital could not present any needs and risk analysis within the framework of internal secrecy or within the framework of the cohesive record keeping. Sahlgrenska University Hospital's document lacks it basic inventory of users' access and analysis needs of risks, nor has any balance been made between needs and those actual privacy risks that the processing of personal data gives rise to. In summary, the Data Inspectorate can state that the documents that have not been reported individually or together meet the requirements on a needs and risk analysis and that Sahlgrenska University Hospital does not have been able to show that they have carried out a needs and risk analysis in that sense referred to in ch. 4 § 2 HSLF-FS 2016: 40, neither within the framework of the internal confidentiality or within the framework of the unified record keeping, according to 4 respectively 6 chap. patient data law. This means that Sahlgrenska The University Hospital has not taken appropriate organizational measures in in accordance with Article 5 (1) (f) and Article 31 (1) and (2) in order to ensure and, in accordance with Article 5 (2), be able to demonstrate that the processing of personal data have a security that is appropriate in relation to the risks. Authorization of access to personal data about patients As reported above, a caregiver may have a legitimate interest in having a comprehensive processing of data on the health of individuals. Notwithstanding this shall access to personal data about patients may be limited to what is needed for the individual to be able to fulfill his or her duties. With regard to the allocation of authorization for electronic access according to ch. § 2 and ch. 6 Section 7 of the Patient Data Act states that in the preparatory work, Bill. 2007/08: 126 pp. 148-149, i.a. that there should be different eligibility categories in the journal system and that the permissions should be limited to what the user Page 25 The Data Inspectorate DI-2019-3840 2 5 (34) need to provide the patient with good and safe care. It also appears that “a more extensive or coarse-grained eligibility should be considered as one unjustified dissemination of medical records within a business and should as such is not accepted. " In health care, it is the person who needs the information in their work who may be authorized to access them. This applies both within a caregivers as between caregivers. It is, as already mentioned, through the needs and risk analysis that the person responsible for personal data finds out who who need access, what information the access should include, at which times and in which contexts access is needed, and at the same time analyzes the risks to the individual's freedoms and rights the treatment can lead to. The result should then lead to the technical and organizational measures needed to ensure no allocation of eligibility provides further access opportunities than the one that needs and the risk analysis shows is justified. An important organizational measure is to provide instruction to those who have the authority to assign authorizations on how this should go to and what should be considered so that it, with the needs and risk analysis as a basis, becomes a correct authorization allocation in each individual case. As emerged in the case, about 900,000 patients are registered in Melior at Sahlgrenska University Hospital and the number of active accounts in Melior are almost 25,000, which exceeds the number of employees at Sahlgrenska The University Hospital, which at the time of the inspection was close to 18,000. Sahlgrenska University Hospital has assigned the employees who work with health care a general eligibility role - with or without emergency access - which provides access to all units' care documentation, with the exception of the clinical genetics unit which is not included in the general competences. Thus, the majority of users have actually had access to most of this information. This means that Sahlgrenska University Hospital does not sufficiently have restricted users' access to personal data about patients in the Melior medical record system. In addition, it can be stated that Sahlgrenska University Hospital has given direct access to personal data about patients at Sahlgrenska The University Hospital for employees at other administrations within Västra Götaland region. Page 26 The Data Inspectorate DI-2019-3840 2 6 (34) Access to personal data in Melior presupposes that the user is active choice. Sahlgrenska University Hospital has stated that they assess that the active selection function is sufficient to meet the requirement of confidentiality and that it is in accordance with HSLF-FS 2016: 40. The Data Inspectorate can however, note that the Patient Data Act requires both limitation of competencies and active choices. The active selection function is therefore not a measure to compensate for a lack of access restriction. That Sahlgrenska The University Hospital uses the above active choices is one privacy enhancing measure, but does not constitute such a restriction of competence referred to in ch. 4 Section 2 of the Patient Data Act. This provision requires that the authority be limited to what is needed for it individuals must be able to fulfill their duties in health care, i.e. only those who need the information should have access to them. Of the preparatory work for the Patient Data Act, Bill. 2007/08: 126, p. 149, it appears that the purpose of the provisions is to imprint the obligation on the person responsible the care provider to make active and individual eligibility allocations from outside analyzes of which details information different staff categories and different kind of activities need. Because different users have different tasks in different work areas, users need access to the data in Melior are limited to reflect this. Of the preparatory work it also appears that data should be stored in different layers so that more sensitive tasks require active choices or are otherwise not as easily accessible staff as less sensitive tasks. That the allocation of authorizations has not been preceded by a need and risk analysis means that Sahlgrenska University Hospital has not analyzed users' need for access to the data, the risks of this access can entail and thus also not identified which access is justified to users on the basis of such an analysis. Sahlgrenska The University Hospital has thus not used appropriate measures, in in accordance with Article 32, to restrict users' access to patients' data in the medical record system. Regarding the processing of personal data by Sahlgrenska The University Hospital performs within the framework of the cohesive record keeping in the NPÖ system, it can initially be stated that Page 27 The Data Inspectorate DI-2019-3840 2 7 (34) Sahlgrenska University Hospital has stated that Sahlgrenska The University Hospital is not responsible for that information shown in NPÖ. The Data Inspectorate does not share this view. According to 2 Cape. Section 6 of the Patient Data Act is in one region each authority that conducts and healthcare personal data controller for the processing of personal data carried out by the authority. According to the second paragraph of the provision covers personal data liability also such processing of personal data as the care provider, or the authority in a region or municipality that is personal data controller, performs when the care provider or authority through direct access in an individual case prepares access to personal data about a patient with another care provider or other authority in the same region or municipality. Sahlgrenska University Hospital is thus personal data controller for the processing of personal data that takes place when the employees take part in tasks in NPÖ. With regard to access to personal data within the framework of it cohesive record keeping in the NPÖ system has about 7,000 users Sahlgrenska University Hospital access. The Data Inspectorate can note that a limit has been placed on the number of users in compared to the approximately 25,000 who have eligibility in Melior, but do not any restriction has been made as to what documentation these are users can take part in the NPÖ system. This in turn has meant that there has been a risk of unauthorized access and unjustified dissemination of personal data partly within the framework of the internal secrecy, partly within the framework of the coherent record keeping. In the light of the above, the Data Inspectorate can state that Sahlgrenska University Hospital has processed personal data in violation of Article 5 (1) (f) and Article 32 (1) and (2) of the Data Protection Regulation by Sahlgrenska University Hospital has not restricted users permissions for accessing the Melior journal system to what only is needed for the user to be able to fulfill his tasks within health care according to ch. 4 § 2 and ch. 6 Section 7 of the Patient Data Act and 4 Cape. 2 § HSLF-FS 2016: 40. This means that Sahlgrenska The University Hospital has not taken any measures to ensure and, in accordance with Article 5 (2) of the Data Protection Regulation, be able to demonstrate an appropriate security of personal data. Page 28 The Data Inspectorate DI-2019-3840 2 8 (34) Documentation of access (logs) The Data Inspectorate can state that the logs showing access in Melior contains information about the user's name and role, patients' identities, which part of the journal has been opened (eg journal, referrals, certificate - someone of the "six tabs") and the date and time the measures were taken. It is not clear at which care unit the measure was taken or which actions specifically taken by the user. Sahlgrenska has stated that information about which care unit the user is employed at can be checked through a search on where the user is employed. Sahlgrenska therefore means that by combining different logs, you can find out at which care unit as the measure has been taken. Each log entry in the logs constitutes the action “open journal". In addition, it is not clear what actions the user has taken with information about a patient. Sahlgrenska University Hospital has in an opinion received The Data Inspectorate on 17 March 2020 stated that the measures set out in the logs are if an employee has opened the journal, about access to information occurred through active selection and if the employee from the journal has made one outlets to other care units. Sahlgrenska University Hospital states further that the documentation in the logs creates conditions for perform access controls in an appropriate manner, and that the logs meets the requirement to log which measures have been taken with information about a patient. It appears from the National Board of Health and Welfare's Handbook when applying The National Board of Health and Welfare's regulations and general guidelines (HSLF-FS 2016: 40) that “The caregiver is responsible, among other things, for the documentation of the access (logs) shows the measures that have been taken with information about a patient. An active choice to access information about a patient is an example of an action to be logged ”. The Data Inspectorate states that the purpose of the requirement that action be taken documented in the logs is not just to check if an employee prepared access to the journal, but also what measures have been taken information about a patient. The action documented in the logs “open journal ”is an example of an action that should be logged, and in addition should also other measures taken with information about a patient are documented in the logs. Other such measures may include the creation of personal data, copied, transferred, blocked, shredded or printed. the purpose with Page 29 The Data Inspectorate DI-2019-3840 2 9 (34) The security measure logs are to answer the question of who did what, it wants say who took what action, with what personal information and when. This constitutes an important part for the personal data controller to fulfill the requirement for appropriate security measures to control personal data; and how they are treated. The purpose of the access control security measure is to ensure that users do not misuse their permissions through to read, change or delete information that they should not process. To Sahlgrenska University Hospital only introduced documentation of the measure "Open journal", is thus not sufficient to meet the requirement in ch. § 9 (point 1) HSLF-FS 2016: 40 that the documentation of the access shall state what measures have been taken with information about a patient. Sahlgrenska University Hospital has thus treated and is treating personal data in violation of ch. 4 Section 3 of the Patient Data Act and Chapter 4 § 9 (point 1) HSLF-FS 2016: 40. This means that Sahlgrenska University Hospital does not has taken appropriate technical and organizational measures in relation to the risk. Sahlgrenska University Hospital thus fulfills not the requirement to ensure adequate security for the treatment of personal data, in accordance with Article 32 of the Data Protection Regulation. Choice of intervention Legal regulation If there has been a violation of the Data Protection Regulation The Data Inspectorate a number of corrective powers available under the article 58.2 a – ji of the Data Protection Regulation. The supervisory authority can, among other things instruct the data controller to ensure that the processing takes place in in accordance with the Regulation and if required in a specific way and within a specific period. It follows from Article 58 (2) of the Data Protection Regulation that the Data Inspectorate in in accordance with Article 83 shall impose penalty charges in addition to or in lieu of other corrective measures referred to in Article 58 (2), the circumstances of each individual case. For the purposes of Article 83 (7) of the Data Protection Regulation, national authorities may: rules state that administrative sanctions may be imposed on authorities. According to ch. 6 Section 2 of the Data Protection Act allows for penalty fees to be decided authorities, but to a maximum of SEK 5,000,000 or SEK 10,000,000 Page 30 The Data Inspectorate DI-2019-3840 3 0 (34) depending on whether the infringement concerns articles covered by Article 83 (4) or 83.5 of the Data Protection Regulation. Article 83 (2) of the Data Protection Regulation sets out the factors to be taken into account for to decide whether to impose an administrative penalty fee, but also what is to affect the size of the penalty fee. Of central importance to the assessment of the gravity of the infringement is its nature, severity and duration. In the case of a minor infringement may the regulatory authority, in accordance with recital 148 of the Data Protection Regulation, issue a reprimand instead of imposing a penalty fee. Order As mentioned, the health service has a great need for information in its business and in recent years has a very extensive digitization occurred in healthcare. Both the data collections size and how many sharing information with each other has increased significantly. This increases the demands on the personal data controller, as the assessment of what is appropriate safety is affected by the extent of the treatment. In health care, this means that a great deal of responsibility rests on it personal data controller to protect the data from unauthorized access, among other things by having an authorization allocation that is even more comminuted. It is therefore essential that there is a real analysis of the needs based on different activities and different executives. Equally important is that there is an actual analysis of the risks from an integrity perspective may occur in the event of an override of access rights. From this analysis must then be restricted to the individual executive. This authority must then be followed up and changed or restricted accordingly hand that changes in the tasks of the individual executive provide reason for it. The Data Inspectorate's inspection has shown that Sahlgrenska University Hospital have not taken appropriate security measures to provide protection to the personal data in the record system by Sahlgrenska University hospital in its capacity as data controller did not comply with the requirements which is set in the Patient Data Act and the National Board of Health and Welfare's regulations. Sahlgrenska The University Hospital has thereby failed to comply with the requirements in Article 5 (1) (f) and Article 32 (1) and (2) of the Data Protection Regulation. The omission includes Page 31 The Data Inspectorate DI-2019-3840 3 1 (34) both the internal secrecy according to ch. the Patient Data Act as it coherent record keeping according to ch. 6 patient data law. The Data Inspectorate therefore submits on the basis of Article 58 (2) (d) data protection ordinance Sahlgrenska University Hospital to ensure that required needs and risk analysis is performed and documented for the medical systems Melior and National Patient Overview and that thereafter, with support of the needs and risk analysis, each user is assigned individually authorization for access to personal data limited to what only necessary for the individual to be able to fulfill his duties within health care, in accordance with Article 5 (1) (f) and Article 32 (1) and (2) (i) the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 Section 7 of the Patient Data Act and 4 Cape. 2 § HSLF-FS 2016: 40. Sahlgrenska University Hospital has also failed to include in the logs in Melior indicate what measures have been taken with information about a patient, a requirement which appears from ch. 4 Section 3 of the Patient Data Act and Chapter 4 § 9 (item 1) HSLF-FS 2016: 40. The Data Inspectorate therefore submits Sahlgrenska University Hospital to introduce documentation in the logs in Melior where it shall state what measures have been taken with personal data about a patient according to ch. 4 Section 3 of the Patient Data Act and Chapter 4 § 9 (item 1) HSLF-FS 2016: 40. Penalty fee The Data Inspectorate can state that the violations are basically related Sahlgrenska University Hospital's obligation to take appropriate security measures to provide protection of personal data according to the Data Protection Regulation. In this case, it is a matter of large data collections with sensitive personal data and extensive powers. The caregiver needs to be involved necessity to have a comprehensive processing of data on the health of individuals. However, it must not be unrestricted but should be based on what individual employees need to be able to perform their tasks. The Data Inspectorate notes that this is information that includes direct identification by the individual by name, contact information and social security number, information about health, but that it may also be about other private information about, for example, family relationships, sexual life and lifestyle. Patients is dependent on receiving care and is thus in a vulnerable situation. The data Page 32 The Data Inspectorate DI-2019-3840 3 2 (34) character, scope and patients' dependence position give caregivers a special responsibility to ensure patients' right to adequate protection for their personal data. Additional aggravating circumstances are the treatment of personal data about patients in the main medical record system belongs to the core of a the activities of caregivers, that the treatment covers many patients and that the possibility of access not only refers to a large proportion of employees but to Sahlgrenska University Hospital has also given access to a large number employees at other administrations within the Västra Götaland region. In this In this case, there are around 900,000 patients within the internal framework confidentiality, close to 18,000 employees and 25,000 active accounts. There is only one unit, the Clinical Genetics Unit, where the data is not accessible for users outside these devices because the device is excluded from the general competencies. The Data Inspectorate can also state that Sahlgrenska The University Hospital has not complied with the Data Inspectorate's decision of 27 March 2015. In the decision, Sahlgrenska University Hospital was instructed to carry out a documented needs and risk analysis according to the then requirement 2 chap. § 6 second paragraph second sentence SOSFS 2008: 14, which corresponds to the current provision in ch. 4 2 § HSLF-FS 2016: 40. This is a aggravating circumstance, according to Article 83 (2) (e) of the Data Protection Regulation. The shortcomings that have now been established have thus been known to Sahlgrenska the university hospital for several years, which means that the action took place intentionally and thus is considered more serious. The Data Inspectorate also states that Sahlgrenska University Hospital in information received in the case has stated that the care provider accepts the risk that confidentiality is not given as high a priority as accuracy and availability. As the Data Inspectorate understands, Sahlgrenska has The university hospital has actively taken a position on giving priority to taking measures to protect the privacy of the individual, which makes the action more serious. Taken together, these factors mean that the infringements are not to be assessed as minor violations without violations that should lead to a administrative penalty fee. Page 33 The Data Inspectorate DI-2019-3840 3 3 (34) The Data Inspectorate considers that the violations are closely related to each other. That assessment is based on the need and risk analysis form the basis for the allocation of the authorizations. The Data Inspectorate therefore considers that these infringements are so closely linked that they constitute interconnected data processing within the meaning of Article 83 (3) (i) the Data Protection Regulation. The Data Inspectorate therefore decides on a joint penalty fee for the infringements. Regarding the shortcomings in the logs, the Data Inspectorate can state that not all the information that should be included in the logs does so, but that logging essentially contains the information required by the National Board of Health and Welfare's regulations. The Data Inspectorate therefore considers it sufficient that Sahlgrenska The university hospital is ordered to rectify the shortcoming and therefore does not decide any special penalty fee for this infringement. The administrative penalty fee shall be effective, proportionate and deterrent. This means that the amount must be determined so that it the administrative penalty fee leads to correction, that it provides a preventive effect and that it is also proportional in relation to both current violations as to the ability of the supervised entity to pay. The maximum amount for the penalty fee in this case is SEK 10 million according to ch. 6 Section 2 of the Act (2018: 218) with supplementary provisions to the EU data protection regulation. In view of the seriousness of the infringements and that the administrative the penalty fee must be effective, proportionate and dissuasive the Data Inspectorate determines the administrative sanction fee for Sahlgrenska University Hospital to 3,500,000 (three million five hundred thousand crowns. _______________________________________ This decision was made by Director General Lena Lindgren Schelin after presentation by the IT security specialist Magnus Bergström. At the final The case is handled by Hans-Olof Lindblom, General Counsel, and the Heads of Unit Malin Blixt and Katarina Tullstedt participated. Page 34 The Data Inspectorate DI-2019-3840 3 4 (34) Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature) Appendices: Appendix 1 - How to pay a penalty fee Copy for information to: Data Protection Officer How to appeal If you want to appeal the decision, you must write to the Data Inspectorate. Enter i the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from on the day the decision was announced. If the appeal has been received in due time the Data Inspectorate forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.