Datainspektionen - DI-2019-3844: Difference between revisions
No edit summary |
(Keep DPA’s old logo on old decisions) |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
|Jurisdiction=Sweden | |Jurisdiction=Sweden | ||
|DPA-BG-Color= | |DPA-BG-Color= | ||
|DPAlogo= | |DPAlogo=LogoSE-Datainspektionen.png | ||
|DPA_Abbrevation=Datainspektionen | |DPA_Abbrevation=Datainspektionen | ||
|DPA_With_Country=Datainspektionen (Sweden) | |DPA_With_Country=Datainspektionen (Sweden) | ||
Line 56: | Line 56: | ||
}} | }} | ||
The Swedish DPA (Datainspektionen) imposed a €1.466 million (approximately) fine on the healthcare provider "Aleris Sjukvård AB" for not carrying out the risk assessments required by the Patient Data Act and for granting access to all personal data in the patients' journal system in breach of Article 32 GDPR. | The Swedish DPA (Datainspektionen) imposed a €1.466 million (approximately) fine on the healthcare provider "Aleris Sjukvård AB" for not carrying out the risk assessments required by the Patient Data Act and for granting their employees access to all personal data in the patients' journal system in breach of Article 32 GDPR. | ||
==English Summary== | ==English Summary== | ||
Line 67: | Line 67: | ||
===Holding=== | ===Holding=== | ||
The DPA found that Aleris Sjukvård AB did not carry out these assessments and it has granted access to patients' journal to all employees apart from the technicians. By doing so, Aleris Sjukvård AB breached the obligation to apply appropriate technical and organisational measures to ensure the security of the personal data, imposed to controllers by Article 32 | The DPA found that Aleris Sjukvård AB did not carry out these assessments and it has granted access to patients' journal to all employees apart from the technicians. By doing so, Aleris Sjukvård AB breached the obligation to apply appropriate technical and organisational measures to ensure the security of the personal data, imposed to controllers by Article 32 GDPR. | ||
The DPA imposed a fine of 15 millions SEK (approximately €1466000). | |||
==Comment== | ==Comment== |
Latest revision as of 11:43, 7 April 2022
Datainspektionen - DI-2019-3844 | |
---|---|
Authority: | Datainspektionen (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 32(1) GDPR Article 32(2) GDPR Patientdatalagen (2008:355) |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 02.12.2020 |
Published: | 02.12.2020 |
Fine: | 15000000 SEK |
Parties: | Aleris Sjukvård AB |
National Case Number/Name: | DI-2019-3844 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | Datainspektionen (in SV) |
Initial Contributor: | Elisavet Dravalou |
The Swedish DPA (Datainspektionen) imposed a €1.466 million (approximately) fine on the healthcare provider "Aleris Sjukvård AB" for not carrying out the risk assessments required by the Patient Data Act and for granting their employees access to all personal data in the patients' journal system in breach of Article 32 GDPR.
English Summary
Facts
The audit to Aleris Sjukvård AB from the Swedish DPA was initiated in May 2019. Aleris is a healthcare provider and uses a system named "TakeCare" as the main journal keeping system where they store and maintain the patients' journals. According to the Patient Data Act, a caregiver must conduct a needs and risk analysis before allocating access rights in the patients' journals.
Dispute
Holding
The DPA found that Aleris Sjukvård AB did not carry out these assessments and it has granted access to patients' journal to all employees apart from the technicians. By doing so, Aleris Sjukvård AB breached the obligation to apply appropriate technical and organisational measures to ensure the security of the personal data, imposed to controllers by Article 32 GDPR.
The DPA imposed a fine of 15 millions SEK (approximately €1466000).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Decision Diary No. 1 (30) 2020-12-02 DI-2019-3844 Aleris Sjukvård AB c / o Aleris Specialist Care Sabbatsberg Box 6401 113 82 Stockholm Stockholm County Supervision under the Data Protection Regulation and Patient Data Act- needs and risk analysis and questions about access in journal systems Table of Contents The Data Inspectorate's decision ................................................ ..................................... 2 Report on the supervisory matter ............................................... .............................. 3 What has emerged in the case ............................................. .......................... 3 Internal privacy ................................................ .................................................. ... 5 Consolidated record keeping ................................................ ............................ 8 Documentation of access (logs) ............................................ ............... 9 Aleris opinion on the Data Inspectorate's letter .......................................... 9 Motivation for decision ............................................... ............................................. 10 Applicable rules................................................ ........................................... 10 The Data Inspectorate's assessment ................................................ ....................... 15 Choice of intervention ............................................... .............................................. 23 Appendix ................................................. .................................................. ............. 29 Copy for knowledge of .............................................. ................................... 29 How to appeal............................................... ........................................... 29 Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se Website: www.datainspektionen.se Phone: 08-657 61 00 Page 1 of 30Datainspektionen DI-2019-3844 2 (30) The Data Inspectorate's decision During a review on April 8, 2019, the Data Inspectorate has established that Aleris Sjukvård AB processes personal data in violation of Article 5 (1) (f) and (2) and Article 32 (1) and (2) of the Data Protection Regulation by 1. Aleris Sjukvård AB has not carried out a needs and risk analysis before the allocation of permissions takes place in the journal system TakeCare, i in accordance with ch. 4 § 2 and ch. 6 Section 7 of the Patient Data Act (2008: 355) and ch. 4 Section 2 The National Board of Health and Welfare's regulations and general advice on record keeping and processing of personal data in health and healthcare (HSLF-FS 2016: 40). This means that Aleris Sjukvård AB have not taken appropriate organizational measures to be able to ensure and be able to show that the processing of personal data has a security that is appropriate in relation to the risks. 2. Aleris Sjukvård AB does not limit users' permissions for access to the TakeCare journal system for what is only needed for that the user should be able to fulfill his tasks in the health and healthcare according to ch. 4 § 2 and ch. 6 Section 7 of the Patient Data Act and 4 Cape. 2 § HSLF-FS 2016: 40. This means that Aleris Sjukvård AB does not have taken measures to be able to ensure and be able to show a suitable security of personal data. The Data Inspectorate decides on the basis of Articles 58 (2) and 83 i the Data Protection Ordinance to Aleris Sjukvård AB, for violation of Article 5 (1) (f) and (2) and Article 32 (1) and (2) of the Data Protection Regulation; shall pay an administrative penalty fee of 15,000,000 (fifteen million). The Data Inspectorate submits pursuant to Article 58 (2) (d) i data protection ordinance Aleris Sjukvård AB to implement and document required needs and risk analysis for the TakeCare medical record system and that then, based on the needs and risk analysis, assign each user 1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on that free flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation). Page 2 of 30Datainspektionen DI-2019-3844 3 (30) individual access to personal data restricted to only what is needed for the individual to be able to fulfill his duties in health care, in accordance with Article 5 (1) (f) and Article 32 (1) and (2) of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 § 7 the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40. Report on the supervisory matter The Data Inspectorate's inspection began with an inspection letter on 22 March 2019 and has taken place both in writing and through on-site inspection on April 8 2019. The audit has been intended to control whether Aleris Sjukvård AB's (hereinafter referred to as Aleris) decision on the allocation of authorizations has been preceded by a need and risk analysis. The supervision has also included how Aleris has granted authorizations for access to the TakeCare master journal system, and which access opportunities the granted privileges provide within both the framework of the internal secrecy according to ch. the Patient Data Act, as the cohesive one record keeping according to ch. 6 patient data law. In addition to this has The Data Inspectorate examined which documentation of access (logs) as is in the journal system. The Data Inspectorate has only examined the user's access to the journal system, i.e. what care documentation the user can actually take part of and read. The supervision has not included which functions were included in the competence, ie. what the user can actually do in the journal system (eg issuing prescriptions, writing referrals, etc.). The inspection is one of several inspections within the framework of a self-initiated supervisory project at the Swedish Data Inspectorate, where i.a. Karolinska The university hospital has been included. Due to what has emerged about Aleri's view on the technical possibilities to limit readability for its users in TakeCare, Aleris was asked in particular comment on an opinion from Karolinska University Hospital, which also uses TakeCare, where the technical possibilities regarding TakeCare was described. What has emerged in the case Aleris has essentially stated the following. Page 3 of 30Datainspektionen DI-2019-3844 4 (30) Personal data responsibility Aleris is the care provider and personal data manager. The business Aleri's ownership structure has changed after the Data Inspectorate's review initiated. Aleris 'new ownership structure is shown in Aleris' supplement from 16 November 2020. The supplement states, among other things, the following. Aleris has been part of the newly formed Group Parent Company since October 1, 2019, Aleris Group AB (corporate identity number 559210-7550), and is a subsidiary of Aleris Healthcare AB (org.nr. 556598–6782). Aleris Group AB is owned by Triton. Group sales for Aleris Group AB amounted to SEK 1,215,385,000 between October 1, 2019 and December 31, 2019. Since Aleris Group AB was formed in connection with the change of ownership when Aleris Healthcare AB joined subsidiaries were acquired, only turnover figures are available for this period. The annual turnover for Aleris Healthcare AB amounted to SEK 30,223,866 during 2019. Journal system Aleris has been using TakeCare as its main record system since 28 May 2012 for internal secrecy and within the framework of the cohesive record keeping. Federation Collaboration TakeCare (FSTC) is the customer of the medical record system TakeCare and CompuGroup Medical (CGM) are suppliers of the medical record system and is responsible for the functions that the system has to control permissions. All functions in the journal system are created by CGM, but it is Aleris who chooses which functions a certain staff category should have access to among the functions that are entered. Aleris has no technical possibilities to do changes in TakeCare because Aleris has no control over the journal system. Aleris is only a user of the system. Aleris has not been able to make any demands on CGM in the procurement of the journal system. The company has, for example, pointed out that there have been problems with the record system consisting of, as far as the allocation of competences is concerned, that Page 4 of 30Datainspektionen DI-2019-3844 5 (30) the system cannot separate read and print permissions for a read function. CGM has not been interested in changing this despite comments from Aleris. It is FSTC that can order changes to the functions and that is then up to CGM if they want to make the changes or not. Aleris has one representative in FSTC who can express Aleri's wishes. However, Aleris has not received some hearing for the company's views. Number of patients and employees Aleris had 796,350 unique patients in TakeCare as of May 20, 2019. How however, many of those who died could not be retrieved. In May 2019, there were 1,058 active users, 807 active accounts and 63 units in the journal system TakeCare. The number of active users (ie employees and consultants who may have access to TakeCare) have been calculated by calculate the number of active AD accounts at relevant cost centers. Internal secrecy Aleris has essentially stated the following. Needs and risk analysis Aleris has stated that needs and risk analyzes aimed at TakeCare are performed by a designated risk analysis team for the purpose of reviewing the applicable authorization allocation and possibly determine new conditions for granting eligibility. Permissions is always limited to what is needed for the employee to be able to perform their work and contribute to safe care. The need versus the risk of improperness access is always weighed against each other before permissions are granted. General authorization profiles are available, specific authorizations are assigned if necessary. The later examined in particular in the subsequent analysis of the designated risk analysis team. What What is especially considered are the risks that can arise if an employee has too broad eligibility versus too low eligibility and thus not access to relevant patient information. The result from the needs and risk analysis is then the basis for selecting the authorization profile used in the assignment of competencies within Aleris. Eligibility for TakeCare is ordered by the responsible manager, as stated in the document, “TakeCare Authorization Management”. The document also states that the competence is personal and that its scope is based on Page 5 of 30Datainspektionen DI-2019-3844 6 (30) the user's professional role and organizational domicile. Furthermore, it appears that the care provider must ensure that the authority for access to patient data limited to what a user needs to be able to perform their tasks in health care. Aleris has a document called "Needs and Risk Analysis-TakeCare". The document has looked like it does today since May 28, 2012 when TakeCare was introduced and applies both to internal secrecy and within its framework coherent record keeping. The document shows the different profiles, so-called authority groups. The document shows, among other things the reading rights and the writing rights for each authority group. All profiles except technicians have been granted read access to the data in TakeCare. The eligibility for each group has been justified. The doctors are going to examples be able to perform their duties and are responsible for patient information, while the system administrator must be able to troubleshoot, manage and set up users, systems and local administrators. Under the heading "Risk of restricted access" it is stated that the user "cannot perform their duties in full ”. This justification is stated for all profiles (except for the local administrators where the motivation is “Can not manage permissions and implement corrective actions ”). During The heading “Risk of extensive access” states, among other things, that “There is one risk of disclosure of patient information '. Similar justification is given for everyone profiles. Authorization of access to personal data about patients Aleris has stated that it is the system administrator who has the highest the level of competence, ie full authorization, in TakeCare. The local the administrator has access to his own device and is the one who assigns permissions within the device. What privileges an administrator imposes a user depends on the business to which the user belongs and on the user's tasks. All users get the “minimum they should have to cope ”in terms of accessibility. Access can, however expanded if necessary. There are basic profiles for, for example, assistant nurses, who are given the qualifications needed to carry out their duties tasks. If the manager considers that the assistant nurses need one extended privileges, local administrators ensure that privileges "Hangs up" the basic profile. If the extended authorization is not needed, it can be taken away from the basic profile. Page 6 of 30Datainspektionen DI-2019-3844 7 (30) Aleris has stated that all accounts within Aleris are individual and that authorizations are granted on the basis of the document, ‘Needs and risk analysis TakeCare ”. As previously mentioned, it appears from the document that everyone professional profiles in addition to technicians have been granted reading access to the data in TakeCare. However, Aleris has stated that all users have different read permissions in the journal system based on which system functions they have access to Aleris. According to Aleris, it is possible to steer away access opportunities to TakeCare by giving different staff access to different functions. Each staff category only gets access to the functions they need for to be able to perform their work. Technicians, for example, have limited qualifications depending on what they are going to do in the system. They only get reading permission if they need it in their work. Another example concerns users who only will be at the checkout and thus do not need a reading license. There is no staff that only has the task of managing the cash register the current situation. By choosing different functions for different users, a difference is made in what different users can do in the system, e.g. as regards verify, sign, etc. In total, there are 640 different system functions that you can choose to provide authority to. Among these features, Aleris has selected the features that different staff categories need to have access to in order to operate safely patient work. The document "Profiles and permissions" shows the different ones permissions that each category of staff has been assigned in TakeCare, e.g. dictate audio files, read activities, sign, read emergency information, read journal text, vidimering, read referral, administer drug prescription, read scanned documents and approve care sessions. The document states, among other things that all profiles ie. doctors, nurses, assistant nurses, paramedics, secretaries, "administrative", students and "Receptionist Rehab "has the authority to" read journal text "and that everyone except "Receptionist Rehab" is authorized to "read scanned documents" in TakeCare. It also appears that only doctors are authorized to “read emergency tasks ”and that all profiles except assistant nurse and "Administrative" can "read diagnoses" in TakeCare. Aleris has stated that the starting point is that one user on one device only has read access to the patient records available on the device. One users who need to read journal entries from another device must Page 7 of 30Datainspektionen DI-2019-3844 8 (30) make an active choice in the system. By active choices is meant that the user is allowed to do a number of "clicks" and select the current device (this function is called journal filter). Authorization to be able to use the journal filter is given to them users who need this to be able to perform their work. The user can never accidentally read one patient record from another unit. Aleris has stated that there are features in TakeCare to a caregiver should be able to "isolate" one care unit and thereby "shut out" others caregivers 'and care units' access possibilities to the unit's care documentation, so-called protected units. However, Aleris does not operate any activity that requires protected devices and has therefore not used of this function. Coherent record keeping Aleris has essentially stated the following. Needs and risk analysis The document “Needs and risk analysis - TakeCare” also applies to the system for coherent record keeping. Authorization of access to personal data about patients The allocation of authority takes place in the same way as within the framework of the internal secrecy. Within the framework of coherent record keeping in TakeCare, users can take part of all care documentation with other care providers included in the system. The user can initially see if a patient is current with other care providers, but not which. To be able to see who these caregivers are, the user must click on in the system, ie. make active choices. The user must then click in the box "consent" or "emergency access" to access it specific caregiver records. Aleris has stated the following due to Karolinska The University Hospital in a statement has stated that there are opportunities to restrict access in TakeCare. There is a function to "isolate" a care unit and thereby close access to other care providers and care units (so-called Page 8 of 30Datainspektionen DI-2019-3844 9 (30) protected devices). A care provider can thus from a technical perspective restrict other care providers' access to their own care documentation. However, Aleris has assessed that the company does not conduct any business as need to be blocked and that it is more patient safe to let the patient information at Aleri's units be available to other care providers. According to Aleris, it is moreover, not allowed to implement such restrictions if one caregivers use the TakeCare medical record system and at the same time are part of coherent record keeping. This following a decision from the Stockholm Region. The means that all users of Aleris have access to all patient data at the other care providers in TakeCare, except when patients have requested to get their information blocked (a so-called caregiver block). According to Aleris, from a patient safety perspective, this is not practically possible to opt out of individual care providers' access to their own care documentation in TakeCare (except for protected devices). Either is the caregiver included in the system for coherent record keeping or not. It is not possible to restrict access for competent persons to the information of other care providers and at the same time in a meaningful way participate in coherent record keeping. According to Aleris, it is not possible to determine in advance which data are in one certain cases may be important for patient-safe care. Aleris has therefore decided not to actively block other caregivers' records. However, such as mentioned, a caregiver himself blocks other caregivers' access to TakeCare there these have made the assessment that their patients' medical records should not be available to other caregivers. These devices are marked in TakeCare with an asterisk. In this way, a selection of care units has already been made Aleri's staff do not have access to. Documentation of access (logs) Aleri's log documentation states, among other things: the user's and patient's identity, care unit, date, time, information to the user has documented in the journal during the last 18 months as well as information that the patient has had contact with the care unit during the last 18 months. Aleris has the ability to perform targeted log checks. That means Aleris can see exactly what a user has done in the system. About the patient or Aleris suspects data breaches, Aleris can also perform an in-depth log check. Page 9 of 30Data Inspectorate DI-2019-3844 1 0 (30) Also all activities that take place within the framework of coherent record keeping logged in the system. It also means that all active selections are logged in the system. If the user, for example, has selected "consent" or "emergency access" to be able to take part of a patient's information to another care provider, this will be appear from the log documentation. Aleri's opinion on the Data Inspectorate's letter Aleris has in comments on the letter Final communication before decision as received by the Swedish Data Inspectorate on 20 March 2020 stated the following, among other things. The Data Inspectorate should take into account the figures for the economic unit where they The alleged shortcomings have taken place, ie Aleris Sjukvård AB. Aleris has actively worked to continuously strengthen the interior and exterior confidentiality, including the functionality of TakeCare. When Aleris took over adequate measures to strengthen, through FSTC, the integrity of TakeCare actual deficiencies in TakeCare should not be considered to be Aleris' fault. Justification of decision Applicable rules The Data Protection Regulation is the primary source of law The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and is the primary legal regulation in the processing of personal data. This also applies to health care. The basic principles for the processing of personal data are set out in Article 5 of the Data Protection Regulation. A basic principle is the requirement security pursuant to Article 5 (1) (f), which states that personal data shall be processed in a way that ensures adequate security for personal data, including protection against unauthorized or unauthorized treatment and against loss, destruction or damage by accident, using appropriate technical or organizational measures. Article 5 (2) states the so-called liability, ie. that it “Personal data controllers must be responsible for and be able to show that they the basic principles of paragraph 1 are complied with ". Page 10 of 30Datainspektionen DI-2019-3844 1 1 (30) Article 24 deals with the responsibility of the controller. Of Article 24 (1) it appears that the person responsible for personal data is responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that the processing is performed in accordance with the Data Protection Regulation. The measures shall carried out taking into account the nature, scope, context of the treatment and purposes and the risks, of varying degrees of probability and severity, for freedoms and rights of natural persons. The measures must be reviewed and updated if necessary. Article 32 regulates the security associated with the processing. According to paragraph 1 the personal data controller and the personal data assistant shall take into account of the latest developments, implementation costs and treatment nature, scope, context and purpose as well as the risks, of varying probability and seriousness, for the rights and freedoms of natural persons shall the personal data controller and the personal data assistant take appropriate technical and organizational measures to ensure a level of security which is appropriate in relation to the risk (…). According to paragraph 2, at the assessment of the appropriate level of safety, special consideration shall be given to the risks involved the treatment entails, in particular from accidental or unlawful destruction, loss or alteration or to unauthorized disclosure of or unauthorized access to the personal data transferred, stored or otherwise processed. Recital 75 states that in assessing the risk to natural persons rights and freedoms, various factors must be taken into account. Among other things mentioned personal data covered by professional secrecy, health data or sexual life, if the processing of personal data concerning vulnerable physical persons takes place persons, especially children, or if the treatment involves a large number personal data and applies to a large number of registered persons. Furthermore, it follows from recital 76 that the probable and serious risk of it data subjects' rights and freedoms should be determined on the basis of processing nature, scope, context and purpose. The risk should be evaluated on on the basis of an objective assessment, which determines whether the data processing involves a risk or a high risk. Recitals 39 and 83 also contain writings that provide guidance on it the meaning of the data protection regulation's requirements for security in Processing of personal data. Page 11 of 30Datainspektionen DI-2019-3844 1 2 (30) The Data Protection Regulation and the relationship with complementary national provisions According to Article 5 (1). a in the Data Protection Regulation, the personal data shall treated in a lawful manner. In order for the treatment to be considered legal, it is required legal basis by fulfilling at least one of the conditions of Article 6 (1). The provision of health care is one such task of general interest referred to in Article 6 (1) (e). In health care, the legal bases can also be legal obligation pursuant to Article 6 (1) (c) and exercise of authority under Article 6 (1) (e) updated. When it comes to the legal bases legal obligation, in general interest or exercise of authority by the Member States, in accordance with Article 6.2, maintain or introduce more specific provisions for adaptation the application of the provisions of the Regulation to national circumstances. National law may specify specific requirements for the processing of data and other measures to ensure legal and equitable treatment. But there is not only one possibility to introduce national rules but also one duty; Article 6 (3) states that the basis for the treatment referred to in paragraph 1 (c) and (e) shall be determined in accordance with Union law or national law of the Member States. The legal basis may also include specific provisions to adapt the application of the provisions of the Data Protection Regulation. Union law or the national law of the Member States law must fulfill an objective of general interest and be proportionate to it legitimate goals pursued. Article 9 states that the treatment of specific categories of personal data (so-called sensitive personal data) is prohibited. Sensitive personal data includes data on health. Article 9 (2) states except when sensitive personal data may still be processed. Article 9 (2) (h) states that the processing of sensitive personal data may be repeated the treatment is necessary for reasons related to, among other things the provision of health care on the basis of Union law or national law of the Member States or in accordance with agreements with professionals in the field of health and provided that the conditions and protective measures provided for in referred to in paragraph 3 are met. Article 9 (3) imposes a regulated duty of confidentiality. Page 12 of 30Datainspektionen DI-2019-3844 1 3 (30) This means that both the legal bases of general interest, exercise of authority and legal obligation in the treatment of the vulnerable personal data under the exemption in Article 9 (2) (h) supplementary rules. Supplementary national regulations In the case of Sweden, both the basis for the treatment and those special conditions for the processing of personal data in the field of health and healthcare regulated in the Patient Data Act (2008: 355) and the Patient Data Ordinance (2008: 360). I 1 kap. Section 4 of the Patient Data Act states that the law complements the data protection regulation. The purpose of the Patient Data Act is to provide information in health and healthcare must be organized so as to meet patient safety and good quality and promotes cost efficiency. Its purpose is also to personal data shall be designed and otherwise processed so that patients and the privacy of other data subjects is respected. In addition, must be documented personal data is handled and stored so that unauthorized persons do not have access to it them (Chapter 1, Section 2 of the Patient Data Act). The supplementary provisions in the Patient Data Act aim to: take care of both privacy protection and patient safety. The legislator has thus through the regulation made a balance as to how the information must be processed to meet both the requirements for patient safety as the right to privacy in the processing of personal data. The National Board of Health and Welfare has, with the support of the Patient Data Ordinance, issued regulations and general advice on record keeping and processing of personal data in health care (HSLF-FS 2016: 40). The regulations constitute such supplementary rules, which shall be applied in the care provider's treatment of personal data in health care, see chap. Section 1 of the Patient Data Act. National provisions supplementing the requirements of the Data Protection Regulation safety can be found in Chapters 4 and 6. the Patient Data Act and Chapters 3 and 4 HSLF-FS 2016: 40. Requirement to make a needs and risk analysis Page 13 of 30Datainspektionen DI-2019-3844 1 4 (30) According to ch. 4, the care provider must § 2 HSLF-FS 2016: 40 make a needs and risk analysis, before the allocation of authorizations in the system takes place. That the analysis requires both the needs and the risks is clear from the preparatory work to the Patient Data Act, prop. 2007/08: 126 pp. 148-149, as follows. Authorization for staff's electronic access to patient information shall be restricted to what the executive needs to be able to perform his duties in health and healthcare. This includes that authorizations must be followed up and changed or restricted accordingly hand as changes in the tasks of the individual executive give rise to it. The provision corresponds in principle to section 8 of the Health Care Register Act. The purpose of the provision is to imprint the obligation of the responsible caregiver to make active and individual eligibility assignments based on analyzes of which details are different staff categories and different types of activities need. But it's not just needed needs analyzes. Risk analyzes must also be done where different types of risks are taken into account, such as may be associated with an overly availability of certain types of information. Protected personal data that is classified, information about publicly known persons, data from certain clinics or medical specialties are examples of categories such as may require special risk assessments. In general, it can be said that the more comprehensive an information system is, the greater the amount there must be different levels of authorization. Decisive for decisions on eligibility for e.g. various categories of healthcare professionals for electronic access to data in patient records should be that the authority should be limited to what the executive needs for the purpose a good and safe patient care. A more extensive or coarse-meshed competence allocation should - even if it has points from the point of view of efficiency - is considered an unjustified dissemination of journal information within a business and should as such not accepted. Furthermore, data should be stored in different layers so that more sensitive data require active choices or otherwise not as easily accessible to staff as less sensitive tasks. When it applies to personnel who work with business follow-up, statistics production, central financial administration and similar activities that are not individual-oriented, it should be most executives have enough access to information that can only be indirectly derived to individual patients. Electronic access to code keys, social security numbers and others data that directly point out individual patients should be able to be strong in this area limited to individuals. Internal secrecy The provisions in ch. 4 The Patient Data Act concerns internal confidentiality, ie. regulates how privacy protection is to be handled within a care provider's business and in particular employees' opportunities to prepare for access to personal data that is electronically available in a healthcare provider organisation. Page 14 of 30Datainspektionen DI-2019-3844 1 5 (30) It appears from ch. Section 2 of the Patient Data Act, that the care provider shall decide conditions for granting access to such data patients who are fully or partially automated. Such authorization shall limited to what is needed for the individual to be able to fulfill theirs tasks in health care. Of ch. 4 § 2 HSLF-FS 2016: 40 follows that the care provider shall be responsible for each users are assigned an individual privilege to access personal data. The caregiver's decision on the allocation of eligibility shall preceded by a needs and risk analysis. Coherent record keeping The provisions in ch. 6 the Patient Data Act concerns cohesive record keeping, which means that a care provider - under the conditions specified in § 2 the same chapter of that law - may have direct access to personal data that is processed by other care providers for purposes related to care documentation. The access to information is provided by a healthcare provider making the information about a patient which the care provider registers if the patient is available to other care providers which participates in the cohesive record keeping system (see Bill 2007/08: 126 p. 247). Of ch. 6 Section 7 of the Patient Data Act follows that the provisions in Chapter 4 §§ 2 and 3 - also applies to authorization allocation and access control at cohesion record keeping. The requirement that the care provider must perform a needs and risk analysis before the allocation of permissions in the system takes place, thus also applies in systems for coherent record keeping. Documentation of access (logs) Of ch. 4 Section 3 of the Patient Data Act states that a care provider must ensure that access to such data on patients who are kept in whole or in part automatically documented and systematically checked. According to ch. 4 Section 9 HSLF-FS 2016: 40, the care provider shall be responsible for that 1. it appears from the documentation of the access (logs) which measures taken with information on a patient, 2. it appears from the logs at which care unit or care process measures have been taken, 3. the logs indicate the time at which the measures were taken; 4. the identity of the user and the patient is stated in the logs. Page 15 of 30Datainspektionen DI-2019-3844 1 6 (30) The Data Inspectorate's assessment Personal data controller's responsibility for security As previously described, Article 24 (1) of the Data Protection Regulation provides a general requirement for the personal data controller to take appropriate technical and organizational measures. The requirement is partly to ensure that the processing of personal data is carried out in accordance with the Data Protection Ordinance, and that the data controller must be able to demonstrate that the processing of personal data is carried out in accordance with the Data Protection Regulation. The safety associated with the treatment is regulated more specifically in the articles 5.1 f and 32 of the Data Protection Regulation. Article 32 (1) states that the appropriate measures shall be both technical and organizational and they must ensure a level of security that is appropriate in in relation to the risks to the rights and freedoms of natural persons which the treatment entails. It is therefore necessary to identify the possible ones the risks to the data subjects' rights and freedoms and assess the probability of the risks occurring and the severity if they occur. What is appropriate varies not only in relation to the risks but also based on the nature, scope, context and purpose of the treatment. It has thus the significance of what personal data is processed, how many data, it is a question of how many people process the data, etc. The health service has a great need for information in its operations. It is therefore natural that the possibilities of digitalisation are utilized so much as possible in healthcare. Since the Patient Data Act was written, one has a lot extensive digitization has taken place in healthcare. Both the data collections size as the number of people sharing information with each other has increased substantially. At the same time, this increase means that the demands on it increase personal data controller, as the assessment of what is an appropriate safety is affected by the extent of the treatment. It is also a question of sensitive personal data and the data concerns people who are in a situation of dependence when they are in need of care. It is also often a question of a lot of personal information about each of these people and that the data over time may be processed by very Page 16 of 30Datainspektionen DI-2019-3844 1 7 (30) many people in healthcare. All in all, this places great demands on it personal data controllers. The data processed must be protected from outside actors as well the business as against unauthorized access from within the business. It can It should be noted that Article 32 (2) states that the controller, at assessment of the appropriate level of safety, in particular taking into account the risks of unintentional or unlawful destruction, loss or unauthorized disclosure or unauthorized access. To be able to know what is an unauthorized access must the data controller must be clear about what an authorized access is. Needs and risk analysis I 4 kap. Section 2 of the National Board of Health and Welfare's regulations (HSLF-FS 2016: 40), which supplement the Patient Data Act, it is stated that the care provider must make a needs and risk analysis before the allocation of authorizations in the system takes place. This means that national law prescribes requirements for an appropriate organizational measure that shall: taken before the allocation of authorizations to journal systems takes place. A needs and risk analysis must include an analysis of the needs and a analysis of the risks from an integrity perspective that may be associated with an overly allotment of access to personal data about patients. Both the needs and the risks must be assessed on the basis of them tasks that need to be processed in the business, what processes it is the question of whether and what risks to the privacy of the individual exist. The assessments of the risks need to be made on the basis of organizational level, there for example, a certain business part or task may be more privacy sensitive than another, but also based on the individual level, if it is the issue of special circumstances that need to be taken into account, such as that it is a question of protected personal data, publicly known persons or otherwise particularly vulnerable persons. The size of the system also affects the risk assessment. The preparatory work for the Patient Data Act shows that the more comprehensive an information system is, the greater the variety eligibility levels must exist (Bill 2007/08: 126 p. 149). It is thus the question of a strategic analysis at the strategic level, which should provide one authorization structure that is adapted to the business and this must be maintained updated. In summary, the regulation requires that the risk analysis identifies different categories of tasks, Page 17 of 30Datainspektionen DI-2019-3844 1 8 (30) Categories of data subjects (eg vulnerable natural persons and children), or the scope (eg number of personal data and registered) negative consequences for data subjects (eg injuries, significant social or economic disadvantage, deprivation of rights and freedoms), and how they affect the risk to the rights and freedoms of natural persons Processing of personal data. This applies both within internal secrecy as in coherent record keeping. The risk analysis must also include special risk assessments, for example based on whether there is protected personal data that is classified, information on public figures, information from certain clinics or medical specialties (Bill 2007/08: 126 p. 148- 149). The risk analysis must also include an assessment of how probable and serious the risk to the data subjects' rights and freedoms is based on the nature, scope, context and purpose of the treatment (recital 76). It is thus through the needs and risk analysis that it personal data controller finds out who needs access, which information the accessibility shall include, at what times and at what context access is needed, while analyzing the risks to it the freedoms and rights of the individual that the treatment may lead to. The result should then lead to the technical and organizational measures needed to ensure that no one other than the one who needs and the risk analysis shows that it should be justified. When a needs and risk analysis is missing prior to the allocation of qualifications in system, lacks the basis for the personal data controller on a legal be able to assign their users a correct authorization. The the data controller is responsible for, and shall have control over, the personal data processing that takes place within the framework of the business. To assign users a when accessing journal system, without this being founded on a performed needs and risk analysis, means that the person responsible for personal data does not have sufficient control over the personal data processing that takes place in Page 18 of 30Datainspektionen DI-2019-3844 1 9 (30) the journal system and also can not show that he has the control that required. Aleris has stated that the authorizations are granted on the basis of the document, “ and risk analysis-TakeCare ”. The document states that all authorization profiles in addition to technicians have been assigned permission to read in the system, and that the risk with restricted access is that the user cannot perform his tasks in full. This justification is stated for all users. It is further stated that the only risk in the event of extensive access is to the user sees information that he / she does not have the right to see which may involve disclosure of patient information. Similar justification is given for all profiles. The means that Aleris makes the same assessment for all profiles regardless the user's task and needs. The Data Inspectorate can state that the document, “Needs and risk analysis TakeCare ”does not contain any analysis of the different profiles' needs access to patients' data. Aleris has only stated what respectively profile "must be able to perform" in the journal system and thus not analyzed which information as it is a question of or what the needs look like in the various the business components and for different professional roles. The document also lacks one analysis of the risks to the individual's freedoms and rights as an excessive eligibility may entail. The needs and risk analysis must be done in a strategic manner level that should provide an authorization structure that is adapted to the business. The information in the document "Needs and risk analysis - TakeCare" is too deficient in relation to the information required for a correct needs and risk analysis must be able to be performed. As stated above, in a needs and risk analysis both the needs and the risks are assessed on the basis of them tasks that need to be processed in the business, what processes it is the question of whether and what risks to the individual's integrity exist as well organizational as well as individual level. In its analysis, Aleris has not taken into account the negative consequences for registered, different categories of data, categories of registered or the extent of the number of personal data and registered affects the risk of the rights and freedoms of natural persons in the treatment of Aleris by personal information in TakeCare. There are also no special risk assessments based on whether there is, for example, protected personal data that is classified, information on public figures, information from Page 19 of 30Datainspektionen DI-2019-3844 2 0 (30) certain clinics or medical specialties or other factors such as requires special protective measures. There is also no assessment of how probable and serious risk to the data subjects' rights and freedoms is considered to be. In the light of the above, the Data Inspectorate can state that the document “Needs and risk analysis- TakeCare” does not meet the requirements put on a needs and risk analysis and that Aleris has not been able to show that the company has carried out a needs and risk analysis within the meaning of 4 Cape. § 2 HSLF-FS 2016: 40, neither within the framework of internal secrecy according to ch. 4 the Patient Data Act or within the framework of the cohesive record keeping according to ch. 6 Section 7 of the Patient Data Act. That means Aleris does not have taken appropriate organizational measures in accordance with Article 5 (1) (f) and Article 32 (1) and (2) in order to ensure and, in accordance with Article 5 (2), be able to show that the processing of personal data has a security that is appropriate in relation to the risks. Authorization of access to personal data about patients As reported above, a caregiver may have a legitimate interest in having a comprehensive processing of data on the health of individuals. Notwithstanding this shall access to personal data about patients may be limited to what is needed for the individual to be able to fulfill his or her duties. With regard to the allocation of authorization for electronic access according to ch. § 2 and ch. 6 Section 7 of the Patient Data Act states that in the preparatory work, Bill. 2007/08: 126 pp. 148-149, i.a. that there should be different eligibility categories in the journal system and that the permissions should be limited to what the user need to provide the patient with good and safe care. It also appears that “a more extensive or coarse-grained eligibility should be considered as one unauthorized dissemination of journal information within a business and should as such is not accepted. " In health care, it is the person who needs the information in their work who may be authorized to access them. This applies both within a caregivers as between caregivers. It is, as already mentioned, through the needs and risk analysis that the person responsible for personal data finds out who who need access, what information the access should include, at which times and in which contexts access is needed, and at the same time analyzes the risks to the individual's freedoms and rights Page 20 of 30Datainspektionen DI-2019-3844 2 1 (30) the treatment can lead to. The result should then lead to the technical and organizational measures needed to ensure no allocation of eligibility provides further access opportunities than the one that needs and the risk analysis shows is justified. An important organizational measure is to provide instruction to those who have the authority to assign authorizations on how this should go to and what should be considered so that it, with the needs and risk analysis as a basis, becomes a correct authorization allocation in each individual case. Aleris has stated that there are restrictions regarding users access options in TakeCare then the company by choosing different functions for different users can steer away users' access capabilities in the journal system. According to Aleris, all users have different read permissions in the journal system depending on the system features they have access to. Of the document However, “Needs and risk analysis - TakeCare” states that all professional profiles in addition to technicians, read access has been assigned to the tasks in TakeCare. Furthermore, the document "Profiles and Permissions" states that all occupational profiles, ie. doctors, nurses, assistant nurses, paramedics, secretary, administrative, student and receptionist Rehab has authority to "read journal text". This means that virtually all professional profiles has access to Aleri's personal data about patients in TakeCare. The limitation that has been introduced is that different professional profiles have different reading privileges, for example, doctors, nurses, paramedics can read diagnoses ”or“ read prescriptions ”while other professional profiles, for example "Administratively" do not have those powers. It also appears that doctors are the only ones who have the authority to "read emergency information". The Data Inspectorate considers it positive that Aleris has allocated different read permissions in the system, but that it is not enough because all professional profiles still have access to the journal texts in TakeCare. In addition, the division is rough as it is only a division from the outside occupational categories and not based on, for example, which organizational affiliation, which tasks the user has or which patients personal data that the user needs to access at different times to. Because different users have different tasks within different work areas, users need access to personal data about patients in TakeCare are limited to reflect this. Page 21 of 30Datainspektionen DI-2019-3844 2 2 (30) Against this background, the Data Inspectorate can state that Aleris does not have restricted users 'permissions to access patients' personal data in the journal system TakeCare. This in turn means that one majority of the users have had actual access to the care documentation about a large number of patients in TakeCare. The review also shows that Aleris uses so-called active choices for access to personal data about patients and the record filter function. The fact that Aleris uses active choices does not mean that the access option to personal data in the system has been restricted to the user, without the data are still electronically accessible. This means that the active choices are not such an access restriction as referred to in ch. 4 Section 2 of the Patient Data Act, as this provision requires that jurisdiction be limited to what necessary for the individual to be able to fulfill his duties within health care and that only those who need the information should have access. The Data Inspectorate thus considers that Aleri's use of active choices is an integrity enhancing measure but that it does not affect the actual access possibilities. Aleris has further stated that there are features in TakeCare for that one care providers must be able to "isolate" a care unit and thereby "shut out" other care providers 'and care units' access to the unit care documentation, so-called protected units. However, Aleris believes that the company does not conduct any business that requires protected entities and have therefore not used this function. As for the unified record keeping, all users at Aleris have access to all personal data about patients at the other care providers in TakeCare, except when patients have requested that their data be blocked. It appears from the review that the care provider has an opportunity to actively block the records of other caregivers, but that Aleris has chosen not to do so because the company does not conduct any business that needs to be blocked. Aleris considers it safer to leave the data at Aleri's units available to other caregivers. That the allocation of authorizations has not been preceded by a need and risk analysis means that Aleris has not analyzed users' needs for access to the data, the risks that such access may entail and Page 22 of 30Datainspektionen DI-2019-3844 2 3 (30) thus also not identifying which access is justified for the users based on such an analysis. Aleris has thus not used suitable measures, in accordance with Article 32, to restrict users' access to patients' data in the medical record system. This in turn has meant that there has been a risk of unauthorized access and unauthorized distribution of personal data partly within the framework of internal secrecy, partly within the framework for the unified record keeping. Aleris has further stated that the company has no technical possibilities to make changes to TakeCare because Aleris has no control over it the journal system. It also appears that Aleris, within the framework of it coherent record keeping, may not implement certain restrictions with reference to a decision from the Stockholm Region. The basis of the Data Protection Ordinance is that the person responsible for personal data has a responsibility to comply with the obligations set out in the Regulation in order to: be allowed to process personal data in their activities at all. To take appropriate technical and organizational measures to ensure an appropriate security is such an obligation (see Articles 5, 24 and 32 of the Data Protection Regulation). The Data Inspectorate thus considers that Aleris in capacity as personal data controller can not waive the responsibility to take the technical and organizational measures required by the above articles. In light of the above, the Swedish Data Inspectorate can state that Aleris has processed personal data in breach of Article 5 (1) (f) and Article 32 (1) and 32.2 of the Data Protection Regulation in that Aleris has not restricted users' permissions for accessing the TakeCare journal system to what which is only needed for the user to be able to fulfill his tasks in health care according to ch. 4 § 2 and ch. 6 § 7 the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40. That means Aleris does not have taken steps to ensure and, in accordance with Article 5 (2) (i) the Data Protection Regulation, be able to demonstrate appropriate security for personal data. Documentation of access (logs) Of the documentation of access (logs) that arose due to The Data Inspectorate's inspection is as follows: date, time, the identity of the user and the patient, the measures taken and Page 23 of 30Datainspektionen DI-2019-3844 2 4 (30) care unit. The same documentation appears when the user takes part tasks within the framework of coherent record keeping. The Data Inspectorate has nothing to recall in this part, because the documentation of the access (logs) in TakeCare is in accordance with the requirements set out in Chapter 4. 9 § HSLF-FS 2016: 40. Aleris has thus have taken appropriate technical measures in accordance with Article 32 i the Data Protection Regulation. Choice of intervention Legal regulation If there has been a violation of the Data Protection Regulation The Data Inspectorate a number of corrective powers available under the article 58.2 a-j of the Data Protection Regulation. The supervisory authority can, among other things instruct the data controller to ensure that the processing takes place in in accordance with the Regulation and if required in a specific way and within a specific period. It follows from Article 58 (2) of the Data Protection Regulation that the Data Inspectorate in in accordance with Article 83 shall impose penalty charges in addition to or in lieu of other corrective measures referred to in Article 58 (2), the circumstances of each individual case. Article 83 (2) sets out the factors to be taken into account in determining whether a administrative penalty fee shall be imposed, but also what shall affect the size of the penalty fee. Of central importance for the assessment of the seriousness of the infringement is its nature, severity and duration. If in the case of a minor infringement, the supervisory authority may, according to recitals 148 of the Data Protection Regulation, issue a reprimand instead of imposing one penalty fee. Order The health service has a great need for information in its operations. The It is therefore natural that the possibilities of digitalisation are utilized as much as possible in healthcare. Since the Patient Data Act was written, one has a lot extensive digitization has taken place in healthcare. Both the data collections size as the number of people sharing information with each other has increased substantially. At the same time, this increase means that the demands on it increase Page 24 of 30Datainspektionen DI-2019-3844 2 5 (30) personal data controller, as the assessment of what is an appropriate safety is affected by the extent of the treatment. In this context, it means that a great deal of responsibility rests on it personal data controller to protect the data from unauthorized access, among other things by having an authorization allocation that is even more comminuted. It is therefore essential that there is a real analysis of the needs based on different activities and different executives. Equally important is that there is an actual analysis of the risks from an integrity perspective may occur in the event of an override of access rights. From this analysis must then restrict the access of the individual executive. This authority must then be followed up and changed or restricted accordingly hand that changes in the tasks of the individual executive provide reason for it. The Data Inspectorate's inspection has shown that Aleris has failed to take appropriate action security measures to provide protection for the personal data in the record system TakeCare by not complying with the requirements set out in the Patient Data Act and The National Board of Health and Welfare's regulations regarding the implementation of needs and risk analysis, before the allocation of authorizations in the system takes place and that not restrict the right of access to what is needed to the individual must be able to fulfill their duties in health care. The means that Aleris has also failed to comply with the requirements of Article 5 (1) (f) and Article 32.1 and 32.2 of the Data Protection Regulation. Failure includes it as well internal secrecy according to ch. 4 the Patient Data Act as the cohesive one record keeping according to ch. 6 patient data law. The Data Inspectorate therefore submits pursuant to Article 58 (2) (d) i data protection ordinance Aleris Sjukvård AB to implement and document required needs and risk analysis for the TakeCare medical record system and that then, based on the needs and risk analysis, assign each user individual access to personal data restricted to only what is needed for the individual to be able to fulfill his duties in health care, in accordance with Article 5 (1) (f) and Article 32 (1) and (2) of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 § 7 the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40. Penalty fee Page 25 of 30Datainspektionen DI-2019-3844 2 6 (30) The Data Inspectorate can state that the infringements basically concern Aleris obligation to take appropriate security measures to provide protection to personal data in accordance with the Data Protection Regulation. In this case, it is a matter of large data collections with sensitive personal data and extensive powers. The caregiver needs to be involved necessity to have a comprehensive processing of data on the health of individuals. However, it must not be unrestricted but should be based on what individual employees need to be able to perform their tasks. The Data Inspectorate notes that this is information that includes direct identification by the individual through both name, contact information and social security number, health information, but it may also be other private information about for example, family relationships, sexual life and lifestyle. The patient is addicted of receiving care and is thus in a vulnerable situation. The nature of the data, scope and the patients' position of dependence give caregivers a special responsibility to ensure patients' right to adequate protection for their personal data. Additional aggravating circumstances are the treatment of personal data about patients in the main medical record system belongs to the core of a the activities of caregivers, that the treatment covers many patients and the possibility of access refers to a large proportion of the employees. In this case, stir there are almost 800,000 patients and just over 1,000 active users in the journal system. It is a central task for the person responsible for personal data to take measures to ensure an appropriate level of safety in relation to the risk. At the assessment of the appropriate level of safety, special consideration shall be given to those risks which the treatment entails, in particular from accidental or unlawful destruction, loss or alteration or to unauthorized disclosure of or unauthorized access to the personal data transferred, stored or otherwise processed, pursuant to Article 32 (2) of the Data Protection Regulation. The requirements for health and the healthcare area, regarding current security measures, has been specified in the Patient Data Act and in the National Board of Health and Welfare regulations. Of the preparatory work for The Patient Data Act clearly states that requirements are placed on both strategic analysis and that eligibility is assigned individually and adapted to the current one the situation. That large amounts of sensitive personal data are processed without basic regulations in the field are followed means that the procedure is assessed as more serious. Page 26 of 30Datainspektionen DI-2019-3844 2 7 (30) The Data Inspectorate also takes into account that Aleris has not chosen to restrict access in the context of coherent record keeping. According to Aleris is it more patient safe to leave the data at Aleri's units available to other caregivers. This means that Aleris has given priority away the protection of privacy within the coherent record keeping in favor of patient safety, which is particularly serious. The Data Inspectorate has also taken into account that Aleris has used some integrity enhancement measures, performed certain restrictions regarding occupational categories' reading qualifications and documented access to one correct way. In determining the seriousness of the infringements, it can also be stated that the infringements also cover the basic principles set out in Article 5 (i) the Data Protection Regulation, which belongs to the categories of more serious infringements which may give rise to a higher penalty under Article 83 (5) (i) the Data Protection Regulation. Taken together, these factors mean that the infringements, not to implement a needs and risk analysis and not to limit users' permissions to only what is needed for the user to be able to fulfill theirs tasks in health care, is not to be judged as minor infringements without infringements that should lead to an administrative penalty fee. The Data Inspectorate considers that these violations are closely related to each other. That assessment is based on the need and risk analysis form the basis for the allocation of the authorizations. The Data Inspectorate therefore considers that these infringements are so closely linked that they constitute interconnected data processing within the meaning of Article 83 (3) (i) the Data Protection Regulation. The Data Inspectorate therefore decides on a joint penalty fee for these infringements. According to Article 83 (3), the administrative penalty fee may not exceed the amount of the most serious infringement in the case of one or the same data processing or interconnected data processing. The administrative penalty fee shall be effective, proportionate and deterrent. This means that the amount must be determined so that it Page 27 of 30Datainspektionen DI-2019-3844 2 8 (30) the administrative penalty fee leads to correction, that it provides a preventive effect and that it is also proportional in relation to both current violations as to the ability of the supervised entity to pay. As regards the calculation of the amount, Article 83 (5) (i) the Data Protection Regulation that companies that commit infringements are the ones in question may be subject to penalty fees of up to EUR 20 million or four percent of total global annual sales in the previous financial year, depending on which value is highest. The term company includes all companies that conduct a financial activity, regardless of the legal status of the entity or the manner in which it operates financed. A company can therefore consist of an individual company in the sentence one legal person, but also by several natural persons or companies. Thus there are situations where an entire group is treated as a company and its total annual turnover shall be used to calculate the amount of a infringement of the Data Protection Regulation by one of its companies. Recital 150 in the Data Protection Ordinance states, among other things following. […] If the administrative penalty fees are imposed on a company, a company for that purpose should be considered a company within the meaning of Articles 101 and 102 of the TFEU […]. This means that the assessment of what constitutes a company must be based on the definitions of competition law. The rules for group liability in EU competition law revolve around the concept of economic unit. A parent company and a subsidiary are considered as part of the same economic entity when the parent company exercises one decisive influence over the subsidiary. The Data Inspectorate therefore adds as a starting point, the turnover for Aleris Group AB as a basis for the calculation of the size of the penalty fee. Aleris Group AB was formed at the end of 2019. Some turnover figures for the whole 2019 is thus not available. There is therefore no information on the annual turnover for determining the amount of the penalty fee. Aleris has stated that the group turnover for Aleris Group AB amounted to just over 1.2 billion between 1 October 2019 and 31 December 2019. Recalculated for an entire year, this would correspond to a turnover of approximately 4.9 billion. Page 28 of 30Datainspektionen DI-2019-3844 2 9 (30) The Data Inspectorate states that the actual annual sales for Aleris Group AB this year will be significantly higher. In the current case, the Data Inspectorate applies a precautionary principle and therefore appreciates that the company's annual turnover at least corresponds to that of the period October - December 2019 recalculated for full year, ie approximately 4.9 billion. The maximum sanction amount that can be determined in the current case is EUR 20,000,000, which is just over four percent of the company's estimated revenue. Given the seriousness of the infringements and that the administrative the penalty fee must be effective, proportionate and dissuasive the Data Inspectorate determines the administrative sanction fee for Aleris Sjukvård AB to SEK 15,000,000 (fifteen million). This decision was made by Director General Lena Lindgren Schelin after presentation by the IT security specialist Magnus Bergström. At the final The case is also handled by the General Counsel Hans-Olof Lindblom, the unit managers Katarina Tullstedt and Malin Blixt and the lawyer Linda Hamidi participated. Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature) Appendix How to pay penalty fee Copy for information to The Data Protection Officer Page 29 of 30Datainspektionen DI-2019-3844 3 0 (30) How to appeal If you want to appeal the decision, you must write to the Data Inspectorate. Enter i the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from the day you received the decision. If the appeal has been received in due time the Data Inspectorate forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision. Page 30 of 30