Datainspektionen - DI-2019-3845
Latest revision as of 11:43, 7 April 2022
| Datainspektionen - DI-2019-3845 | |
|---|---|
| Authority: | Datainspektionen (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(f) GDPR, Article 32(1) GDPR, Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 02.12.2020 |
| Published: | |
| Fine: | None |
| Parties: | Kry |
| National Case Number/Name: | DI-2019-3845 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | Integritetsskyddsmyndigheten (in SV) |
| Initial Contributor: | Kave Noori |
The Swedish DPA, Integritetsskyddsmyndigheten, did not fine a healthcare provider for breaches that in most cases result in fines. The DPA considered a fine disproportionate because the healthcare provider had proactively tried to comply with the rules.
English Summary
Facts
The caregiver Kry provides health services via video calls. The patient downloads an app that is available for iOS and Android. The app allows the patient to have a video call with a doctor and to renew certain prescriptions without a video call. At the time of the inspection, the caregiver's internal medical record system contained approximately 450,000 patient records accessible by 490 of the caregiver's employees.
The DPA initiated the investigation on March 22, 2019 and conducted an on-site inspection on April 4, 2019.
The inspection concerned:
Risk-needs analysis
- whether the caregiver had analyzed the risks to which data subjects were exposed as a result of the caregiver's processing of personal data
- whether the caregiver had properly assessed which of its employees needed access to which data
How access to medical data was defined
- how employees were granted access to the caregiver's internal medical records
- how staff were granted access to other caregivers' medical records through the coherent medical record system (sammanhållen journalföring)
- whether access and permissions were properly defined based on the risk-needs analysis
Logs
- how the caregiver logged whenever a staff member accessed a patient's data
Dispute
Holding
Risk-needs analysis
The DPA concluded that the risk and necessity analysis did not meet all statutory requirements at the time of the inspection. During the supervisory investigation, the caregiver submitted a revised risk analysis twice. The DPA considered the revisions significant improvements, but an even more thorough analysis was needed to meet the statutory requirements. The DPA said the risks needed to be assessed based on categories of personal data, such as addiction, mental health or domestic violence.
Access to medical records
Although a caregiver has a legitimate interest in processing a lot of personal data about a person's health, permission to access personal data must be limited to what a healthcare worker needs to do their job. The risk and needs assessment is the caregiver's tool to determine who gets access to what. At the time of the inspection, the caregiver had not implemented any technical means to limit what its staff could access within internal records or the coherent records (from other caregivers). The caregiver had implemented organizational measures to prevent unauthorized access: it manually reviewed each instance in which a staff member accessed the medical records of a patient they were not currently treating, and once a month it blocked a doctor's access to medical records if they were not due to attend work for the next 4 weeks.
The DPA considered the lack of technical restrictions on access to patient records a breach of Article 5(1)(f), Article 32(1) and Article 32(2).
During the supervisory inspection, the caregiver made changes to restrict its employees' access to internal and coherent medical records. As a result, an employee can only access the records of a patient with whom they have an appointment, and this access is revoked four months later. The DPA considered these changes positive improvements but reminded the caregiver that the technical measures would need to be re-evaluated once the risk and necessity analysis had been completed, as required by the DPA.
Logging of unauthorized access
The caregiver logged access to the internal medical records and the coherent medical records. After the inspection, the caregiver informed the DPA that it had found that its system did not log when someone deleted an unsigned journal entry. The caregiver remedied this on May 16, 2019, and the DPA considered the caregiver's logging practices to comply with the law as of that date.
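The access model the DPA describes in the two sections above (record access tied to a scheduled patient meeting and revoked four months later, accounts disabled when no shift is scheduled within the next four weeks, and every access outside an active care relationship logged and flagged for manual review) can be expressed as a small policy plus a log-review routine. The following Python is an added example written for this page, not code from KRY, ProReNata or the DPA; the data model, the 120-day and 4-week constants and the sample appointments and log events are assumptions constructed for illustration.

```python
"""Appointment-scoped access to patient records with expiring grants, a log
review that flags accesses outside an active grant, and a periodic check that
disables accounts with no upcoming shift. Added example; data model and
constants are assumptions, not KRY's or the DPA's."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed approximations of the decision's "four months" and "four weeks".
GRANT_LIFETIME = timedelta(days=120)
INACTIVITY_HORIZON = timedelta(weeks=4)


@dataclass(frozen=True)
class Appointment:
    staff_id: str
    patient_id: str
    scheduled_for: datetime  # when the patient meeting takes place
    granted_at: datetime     # when the booking was made, i.e. when access was granted


@dataclass(frozen=True)
class AccessEvent:
    staff_id: str
    patient_id: str
    action: str              # "read", "write", "sign", "delete_unsigned_note", ...
    at: datetime


class AccessPolicy:
    """Technical restriction: a staff member may open a record only while holding a
    grant, and a grant exists only for patients they are scheduled with.
    A grant expires GRANT_LIFETIME after it was created."""

    def __init__(self) -> None:
        self._expiry = {}  # (staff_id, patient_id) -> datetime the grant lapses

    def book(self, appt: Appointment) -> None:
        key = (appt.staff_id, appt.patient_id)
        new_expiry = appt.granted_at + GRANT_LIFETIME
        # A later booking for the same pair extends the grant, never shortens it.
        self._expiry[key] = max(self._expiry.get(key, new_expiry), new_expiry)

    def is_permitted(self, staff_id: str, patient_id: str, at: datetime) -> bool:
        expiry = self._expiry.get((staff_id, patient_id))
        return expiry is not None and at <= expiry


def review_log(policy: AccessPolicy, events: list[AccessEvent]) -> list[AccessEvent]:
    """Organizational control: every logged access not covered by an active grant
    is flagged for manual follow-up (the 'is there another reasonable
    explanation?' review described in the decision)."""
    return [e for e in events if not policy.is_permitted(e.staff_id, e.patient_id, e.at)]


def accounts_to_disable(staff_ids: list[str], appointments: list[Appointment],
                        now: datetime) -> list[str]:
    """Periodic check: staff with no meeting scheduled within INACTIVITY_HORIZON of
    `now` have their account disabled until a new shift is entered. Appointments
    stand in for the shift schedule here (assumption)."""
    active = {a.staff_id for a in appointments
              if now <= a.scheduled_for <= now + INACTIVITY_HORIZON}
    return sorted(set(staff_ids) - active)


# Constructed sample data so the block runs stand-alone.
T = datetime(2019, 4, 1, 9, 0)
T_LATE = T + timedelta(days=150)  # well past the 120-day grant lifetime
APPOINTMENTS = [
    Appointment("dr-a", "p-1", scheduled_for=T, granted_at=T - timedelta(days=1)),
    Appointment("dr-a", "p-3", scheduled_for=T + timedelta(days=10), granted_at=T),
]
EVENTS = [
    AccessEvent("dr-a", "p-1", "read", T),                       # during the meeting: allowed
    AccessEvent("dr-a", "p-2", "read", T + timedelta(hours=1)),  # no appointment: flag
    AccessEvent("dr-a", "p-1", "read", T_LATE),                  # grant expired: flag
    AccessEvent("sec-1", "p-1", "delete_unsigned_note", T),      # no grant at all: flag
]
STAFF = ["dr-a", "dr-b"]


def demo() -> tuple[list[AccessEvent], list[str]]:
    policy = AccessPolicy()
    for appt in APPOINTMENTS:
        policy.book(appt)
    return review_log(policy, EVENTS), accounts_to_disable(STAFF, APPOINTMENTS, now=T)


if __name__ == "__main__":
    flagged, disabled = demo()
    for e in flagged:
        print(f"FLAG {e.at:%Y-%m-%d %H:%M} {e.staff_id} {e.action} patient={e.patient_id}")
    print("accounts to disable:", disabled)
```

Running the block flags three of the four sample events and marks `dr-b` for deactivation. The design point is that the technical restriction (`is_permitted`) and the organizational control (`review_log`) consult the same grant table, so an access the system should have blocked shows up in the review rather than being lost, and the deletion event appears in the log at all, which is the gap the DPA noted.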
Sanction
The DPA considers violations of Article 5(1)(f), Article 32(1) and Article 32(2) to be sufficiently serious in most cases that a caregiver should be fined. In this case, the DPA found that the caregiver had made efforts to comply before and during the inspection. The DPA decided not to impose a financial penalty on the caregiver. Instead, the DPA directed the caregiver to take certain compliance measures.
Instruction to implement compliance measures
The caregiver revised its needs and risk assessment twice during the inspection. The DPA considered these revisions before deciding to instruct the caregiver to make changes. The DPA found that the caregiver's risk assessment had improved since the inspection began and now better addressed the risks required by the law.
The DPA directed the caregiver to undertake a more detailed analysis of the risks to the rights and freedoms of data subjects. According to the DPA, this analysis should form the basis of a new assessment of the way in which access rights to patient records are defined for the caregiver’s staff. The DPA required that these changes be implemented by the end of February 2021.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Decision
2020-12-02, Diary no. DI-2019-3845

Digital Medical Supply Sweden AB (KRY)
Torsgatan 21
113 21 Stockholm

Supervision under the Data Protection Regulation and the Patient Data Act: needs and risk analysis and questions about access in medical record systems

Datainspektionen. Postal address: Box 8114, 104 20 Stockholm. E-mail: datainspektionen@datainspektionen.se. Website: www.datainspektionen.se. Phone: 08-657 61 00.

Contents
- The Data Inspectorate's decision
- Report on the supervisory matter
- What has emerged in the case: personal data controller; operation; medical record system; users and patients; internal secrecy (needs and risk analysis; authorization of access to personal data); cohesive record keeping (needs and risk analysis; authorization of access to personal data about patients); documentation of access (logs)
- Grounds for the decision: applicable rules (the Data Protection Regulation as the primary source of law; the Data Protection Regulation and its relationship with complementary national provisions; supplementary national provisions; requirement to carry out a needs and risk analysis; internal secrecy; cohesive record keeping; documentation of access (logs)); the Data Inspectorate's assessment (responsibility of the controller for security; needs and risk analysis; authorization of access to personal data about patients; documentation of access (logs)); choice of intervention (legal regulation; assessment of whether a penalty fee should be imposed; order)
- How to appeal

The Data Inspectorate's decision

Following an on-site inspection on April 4, 2019, the Data Inspectorate has established that Digital Medical Supply Sweden AB (KRY) processes personal data in violation of Article 5(1)(f) and 5(2) and Article 32(1) and (2) of the Data Protection Regulation [1], in that:

1. KRY has not carried out needs and risk analyses that meet the requirements of ch. 4 § 2 and ch. 6 § 7 of the Patient Data Act (2008:355) and ch. 4 § 2 of the National Board of Health and Welfare's regulations and general advice on record keeping and processing of personal data in health care (HSLF-FS 2016:40) before permissions are allocated in the medical record system ProReNata and in the National Patient Overview. This means that KRY has not, to a sufficient extent, taken appropriate organizational measures to be able to ensure, and to be able to show, that the processing of the personal data has a level of security appropriate to the risks.

2. KRY has not shown that it has restricted users' permissions for access to the ProReNata medical record system and the National Patient Overview to what is needed for the user to perform their duties in health care, in accordance with ch. 4 § 2 and ch. 6 § 7 of the Patient Data Act and ch. 4 § 2 HSLF-FS 2016:40.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
This means that KRY has not taken sufficient measures to ensure and demonstrate appropriate security for the personal data.

The Data Inspectorate notes that KRY has improved its needs and risk analyses since the inspection on April 4, 2019, but that the analyses do not in all parts meet the requirements of ch. 4 § 2 and ch. 6 § 7 of the Patient Data Act (2008:355) and ch. 4 § 2 of the National Board of Health and Welfare's regulations and general advice on record keeping and processing of personal data in health care (HSLF-FS 2016:40).

Pursuant to Article 58(2)(d) of the Data Protection Regulation, the Data Inspectorate orders KRY to supplement, by the end of February 2021, the needs and risk analyses for the medical record systems ProReNata and the National Patient Overview by developing the analysis of the risks to the data subjects' rights and freedoms, and thereafter, on the basis of the needs and risk analyses, to reassess the allocation of permissions so that each user has access only to the personal data needed to perform their health care tasks, in accordance with Article 32(1) and 32(2) of the Data Protection Regulation, ch. 4 § 2 and ch. 6 § 7 of the Patient Data Act and ch. 4 § 2 HSLF-FS 2016:40.

Report on the supervisory matter

The Data Inspectorate initiated supervision by letter dated 22 March 2019 and, on site on April 4, 2019, reviewed whether KRY's decisions to grant authorizations had been preceded by a needs and risk analysis. Supervision has also covered how KRY assigns permissions for access to the main medical record system ProReNata and the National Patient Overview, and what access the granted permissions give, both within the framework of internal secrecy under ch. 4 of the Patient Data Act and within cohesive record keeping under ch. 6 of the Patient Data Act. In addition, the Data Inspectorate has examined the documentation of access (logs) in the medical record system. The Data Inspectorate has only examined users' access to the medical record systems, i.e. what care documentation a user can actually open and read. Supervision does not cover the functions included in an authorization, i.e. what the user can actually do in the medical record system (e.g. issue prescriptions, write referrals, etc.).

What has emerged in the case

KRY has mainly stated the following.

Personal data controller

KRY is the care provider and the personal data controller.

Operation

KRY provides care via video meetings, so-called video care, which the patient accesses by downloading the KRY app. KRY is the technical platform and also the brand that KRY uses externally towards patients. The app is available for mobile devices running iOS or Android. KRY's parent company Webbhälsa AB (hereinafter Webbhälsa) has developed the app and operates the technical platform. Webbhälsa owns the KRY brand, develops the technology and supplies the care provider KRY with licenses. They are two separate legal entities, but the staff sit together in the same office. There are historical reasons why there are two companies but one operation: when KRY was created, Webbhälsa approached regions and county councils to offer the service, but it took a long time to get care providers to start using it. Webbhälsa therefore started the company KRY as its own care provider that provides care via the KRY app.

Medical record system

KRY has stated that the record system used by KRY is called ProReNata and has been in use since the business started in March 2016. For cohesive record keeping, the National Patient Overview (NPÖ) system is used.

Users and patients

At the time of the inspection, 490 people had access to ProReNata.
On April 8, 2019, the total number of patients registered in ProReNata was 450,331.

Internal secrecy

Needs and risk analysis

During the inspection and the subsequent investigation, essentially the following has emerged. During the inspection on April 4, 2019, the Data Inspectorate received a needs and risk analysis dated 11 March 2019. On 10 May 2019, KRY submitted a revised needs and risk analysis dated 2 May 2019, which also covers cohesive record keeping but otherwise contains essentially the same needs and risk analysis as the document dated March 11, 2019. On March 20, 2020, KRY submitted a new revised version dated March 1, 2020 that contains a largely reworked analysis.

The needs and risk analysis dated 11 March 2019 includes a description of needs in the business, risks and risk management. Regarding the needs of healthcare staff in the business, the document states, among other things, the following:

Due to the business's medical focus, digital nature and absence of physical presence in different geographical areas, healthcare staff at KRY are organized in a single staff pool, scheduled by administrative staff for meetings with all types of patients. Healthcare staff are thus not organized solely on the basis of the competence required in the individual case (e.g. general practitioner, nurse or psychologist), scheduling and availability. Although some types of treatment, e.g. treatment of children under 6 months of age or treatment of certain symptoms typical of, for example, women, should be handled by certain specialized staff, the work of these staff is not limited to these symptoms, as they also meet other types of patients. In the event that KRY's care operations change over time, e.g. through a larger number of available staff, several different categories of healthcare staff or care processes (such as specialist care), an updated needs and risk analysis will be carried out to ensure patient safety but also to ensure that respect for patient privacy is continuously observed.

To ensure good quality, availability and cost efficiency, it is of utmost importance that staff who take part in the actual care within the framework of KRY's outpatient care, and who are in a patient relationship, have good and sufficient knowledge of the patient's medical history. All clinicians and relevant administrative staff (such as medical secretaries with relevant training for their assignment) employed by KRY may meet all patients who seek care via KRY, may then take part in their care, and thus need access to the patient's medical record in order to fulfil their duties.

In summary, it is KRY's assessment that, given both the nature of the business and its unique characteristics, there is currently a great need not to limit the authorization of medical and relevant administrative staff to certain geographically or demographically delimited patient groups. For other types of authorizations there is a more limited need, in accordance with what is stated above.
Under the heading "risks", it is stated that KRY sees a number of risks with a broad authorization and that, in KRY's view, the risks are primarily:

- unauthorized access by healthcare staff or relevant administrative staff due to ignorance of rules and procedures on confidentiality and patient safety;
- unauthorized access by healthcare staff or relevant administrative staff as a result of mistakes or otherwise due to the human factor;
- unauthorized access by healthcare staff or relevant administrative staff as a result of deliberate abuse;
- unauthorized access by third parties because healthcare staff or relevant administrative staff lose equipment or, knowingly or unknowingly, share login information to systems; and
- unauthorized access by third parties due to data breaches.

Under the heading "risk management", it is stated that KRY's assessment is that the risks arising from a broad allocation of permissions can be significantly limited, to an acceptable level, through the organizational and technical security measures taken by KRY, which mainly include:

- recruitment routines, including background checks, to minimize the risk of unsuitable individuals being given access to personal data about patients;
- onboarding routines, which include guidance and training on the use of systems and equipment, relevant statutes and routines regarding confidentiality and patient safety, to raise awareness of obligations, rights and responsibilities;
- signing of a reminder of confidentiality and/or confidentiality commitments, to preventively reduce the risk of unauthorized access and to increase knowledge of confidentiality and patient safety;
- use of equipment provided and controlled by KRY;
- routines for allocating, changing and removing permissions, to preventively minimize the risk that authorizations are not adequate over time;
- technical tools to preventively minimize the need for lookups in the record system, and thus the risk of unlawful access, e.g. as a result of mistakes or insufficient knowledge. In the healthcare staff's work tool for digital care, only the relevant patient is available; in this system no patient other than the one the meeting concerns can be opened. To search for other patients, the staff member must actively make an unauthorized lookup;
- obtaining the patient's approval before medical secretaries make lookups in patient records; and
- clear information to relevant staff, and a routine for logging and control, in order to preventively deter employees from such access and to reactively detect and follow up on such access. All record openings that are not connected to an active care relationship or a completed patient meeting are logged and reviewed manually.

Under the heading "conclusions", it is stated, among other things:

A broad authorization for medical and administrative staff to patient records is therefore justified under current conditions at KRY in order to provide patient-safe care, provided that KRY continues effective security work to identify, evaluate and manage risks in its business.
However, this conclusion needs to be reconsidered regularly and may change as KRY grows, changes medical orientation, develops its business concept and in other similar circumstances. One condition for being able to limit authorization for different clinicians is that we can nevertheless ensure accessibility for patients. Dividing clinicians by the group of patients they have presupposes a significantly larger staff than KRY currently has, but is a desirable goal to aim for in the long run.

In the second revision dated March 1, 2020, KRY has largely reworked the analysis and identified risks based on certain types of data and patient groups, in the form of data on persons with a protected identity, public figures, employees and staff's own data. Furthermore, in the revised analysis KRY has also assessed probability and consequence for the identified risks. The analysis also contains a more detailed review of the access needs of the various staff categories. Unlike the previous versions of the analysis, KRY has concluded that a narrow authorization is sufficient for doctors, nurses and psychologists, except for so-called plus doctors, plus psychologists and doctors on call. Narrow authorization is stated to mean that users can only access data about patients (both internal medical records and NPÖ) in connection with patient meetings. It is further stated that access is granted when the staff member is scheduled with the patient and is automatically withdrawn 4 months after access was granted, and that no lookup of such a patient can take place before the meeting with the patient has taken place.

Authorization of access to personal data

During the inspection, the following mainly emerged. Clinical staff (at the time of the inspection doctors, nurses and psychologists) and administrative staff in the form of medical secretaries have actual access to all data in all patient records in ProReNata. There are, however, limitations in the form of organizational and technical controls, which according to KRY have been an important part of the assessment of authorization management, where KRY has considered what other security can be offered. KRY systematically reviews all record accesses. All accesses are reviewed and matched against whether the clinician had a meeting with the patient that day. Otherwise, the access is flagged and reviewed to see whether there is another reasonable explanation for it. Every four weeks there is a check of active accounts (by reviewing the staff schedule). If, for example, a doctor has no shift booked for the next four weeks, the doctor's account is disabled. If a doctor with an inactive account has a shift entered, the account is activated for the next four weeks.

The design of the permissions is based on the digital nature of the service that KRY offers, on care having a general rather than specialized focus, on patients being spread across the country, on the queue time for the patient needing to be as short as possible, and on the staff being organized in a single staff pool. A patient who calls in gets help from one doctor one day and a completely different doctor the next, and the doctors can sit in completely different parts of Sweden. According to KRY, this requires that doctors can see each other's record entries in order to provide good care. KRY has made the assessment that all available information about the patients is relevant to healthcare staff, but KRY is aware that this may change as the organization grows.

In the needs and risk analysis dated 1 March 2020, KRY has made a more detailed analysis of the need for access to data in ProReNata based on the tasks of the different categories of staff and concluded that a narrow authorization is sufficient for doctors, nurses and psychologists, as described in the section above on the revised needs and risk analysis.

Cohesive record keeping

During the inspection and the subsequent investigation, essentially the following has emerged.

Needs and risk analysis

At the time of the inspection, there was no separate needs and risk analysis for access to NPÖ. KRY has submitted two revised needs and risk analyses, dated 2 May 2019 and 1 March 2020, covering the use of the National Patient Overview (NPÖ) in the operation. The needs and risk analysis dated 2 May 2019 otherwise contains essentially the same needs and risk analysis as the document dated March 11, 2019. In the needs and risk analysis dated 1 March 2020, KRY has made a more detailed analysis of the need for access to data in NPÖ based on the tasks of the various staff categories.

Authorization of access to personal data about patients

KRY has stated that the care provider takes part in a system for cohesive record keeping through NPÖ as a "consumer". This means that staff at KRY can read the information in NPÖ, but KRY does not "produce" (make available) any information of its own in NPÖ. At the time of the inspection, it emerged that all staff who had access to ProReNata also had access to NPÖ. The revised needs and risk analysis dated 1 March 2020 shows that not all staff who have access to ProReNata have, as a starting point, a need for access to data in NPÖ. Nurses and care administrators are stated, as a starting point, to have a need for access to ProReNata but not to NPÖ.

Documentation of access (logs)

KRY has stated the following.
For each strike in ProReNata, a log message is created with information about which staff at a given time made a strike. Time refers to both date and time. It is clear which patient it is, the identity of the user, what action the user has taken, for example signing, taking notes and reading. Because KRY is not organized in several different care units appear only one unit that is the same for all staff. There are three different types of logs in ProReNata; visitor logs, server logs and event logs. Visitor log shows when a user visited a journal and when it left the journal. Server log shows when the system registered one server calls to a journal and can mean that users have read but also other reasons. Event log shows logged system events that affect one user or patient, for example read, written or signed. Access to NPÖ is logged by Inera and is available to administrators at KRY. After the inspection, KRY has noted that the specific measure note cancellation (not signed) is not logged separately in ProReNata. KRY has raised this with ProReNata AB, which at KRY's request has developed such logging. Shreds of notes will also come therefore to be logged from 16 May 2019 in order to give KRY even better opportunities to follow up and ensure good and safe care.Datainspektionen DI-2019-3845 1 2 (31) Grounds for the decision Applicable rules The Data Protection Regulation is the primary source of law The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and is the primary legal regulation in the processing of personal data. This also applies to health care. The basic principles for the processing of personal data are set out in Article 5 of the Data Protection Regulation. 
A basic principle is the requirement of security under Article 5(1)(f), which states that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Article 5(2) sets out the so-called accountability principle, i.e. that the controller shall be responsible for, and be able to demonstrate, compliance with the basic principles set out in paragraph 1.

Article 24 deals with the responsibility of the controller. Article 24(1) states that the controller is responsible for implementing appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is performed in accordance with the Data Protection Regulation. The measures shall be implemented taking into account the nature, scope, context and purposes of the processing and the risks, of varying likelihood and severity, for the rights and freedoms of natural persons. The measures must be reviewed and updated where necessary.

Article 32 regulates the security of processing. According to paragraph 1, the controller and the processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (…).
According to paragraph 2, in assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or unauthorized access to, personal data transmitted, stored or otherwise processed.

Recital 75 states that various factors must be taken into account when assessing the risk to natural persons' rights and freedoms. Among the factors mentioned are personal data covered by professional secrecy, data concerning health or sex life, processing of personal data concerning vulnerable natural persons, in particular children, and processing that involves a large amount of personal data and affects a large number of data subjects. Furthermore, it follows from recital 76 that the likelihood and severity of the risk to the rights and freedoms of the data subjects should be determined by reference to the nature, scope, context and purposes of the processing. The risk should be evaluated on the basis of an objective assessment, which determines whether the data processing involves a risk or a high risk. Recitals 39 and 83 also contain passages that provide guidance on the meaning of the Data Protection Regulation's requirements for security in the processing of personal data.

'''The Data Protection Regulation and its relationship with supplementary national provisions'''

According to Article 5(1)(a) of the Data Protection Regulation, personal data must be processed lawfully. For processing to be considered lawful, a legal basis is required, by fulfilling at least one of the conditions in Article 6(1). The provision of health care is such a task carried out in the public interest as referred to in Article 6(1)(e). In health care, the legal bases of legal obligation in Article 6(1)(c) and the exercise of official authority under Article 6(1)(e) may also be relevant.
For the legal bases of legal obligation, public interest and exercise of official authority, Member States may, in accordance with Article 6(2), maintain or introduce more specific provisions to adapt the application of the provisions of the Regulation to national circumstances. National law may specify specific requirements for the processing and other measures to ensure lawful and fair processing. However, this is not only a possibility to introduce national rules but also a duty: Article 6(3) states that the basis for the processing referred to in paragraph 1(c) and (e) shall be laid down by Union law or Member State law. The legal basis may also contain specific provisions to adapt the application of the provisions of the Data Protection Regulation. Union law or Member State law must meet an objective of public interest and be proportionate to the legitimate aim pursued.

Article 9 states that the processing of special categories of personal data (so-called sensitive personal data) is prohibited. Sensitive personal data includes data concerning health. Article 9(2) lists the exceptions under which sensitive personal data may nevertheless be processed. Article 9(2)(h) states that sensitive personal data may be processed where the processing is necessary for reasons related to, among other things, the provision of health care on the basis of Union law or Member State law or pursuant to a contract with a health professional, and provided that the conditions and safeguards referred to in paragraph 3 are met. Article 9(3) imposes a regulated duty of confidentiality. This means that the legal bases of public interest, exercise of official authority and legal obligation, as well as the processing of sensitive personal data under the exemption in Article 9(2)(h), all presuppose supplementary rules.
'''Supplementary national regulations'''

In the case of Sweden, both the basis for the processing and the specific conditions for the processing of personal data in the field of health care are regulated in the Patient Data Act (2008:355) and the Patient Data Ordinance (2008:360). Chapter 1, Section 4 of the Patient Data Act states that the Act supplements the Data Protection Regulation. The purpose of the Patient Data Act is that information management in health care shall be organized so that it meets the requirements of patient safety and good quality and promotes cost efficiency. Its purpose is also that personal data shall be designed and otherwise processed so that the privacy of patients and other data subjects is respected. In addition, documented personal data must be handled and stored so that unauthorized persons do not have access to it (Chapter 1, Section 2 of the Patient Data Act).

The supplementary provisions in the Patient Data Act aim to safeguard both privacy protection and patient safety. Through the regulation the legislator has thus struck a balance as to how the information must be processed in order to meet both the requirements of patient safety and the right to privacy in the processing of personal data.

The National Board of Health and Welfare has, with the support of the Patient Data Ordinance, issued regulations and general advice on record keeping and the processing of personal data in health care (HSLF-FS 2016:40). The regulations constitute such supplementary rules and shall be applied in the care provider's processing of personal data in health care. National provisions supplementing the security requirements of the Data Protection Regulation can be found in Chapters 4 and 6 of the Patient Data Act and Chapters 3 and 4 of HSLF-FS 2016:40.

'''Requirement to carry out a needs and risk analysis'''

According to Chapter 4, Section 2 of HSLF-FS 2016:40, the care provider must carry out a needs and risk analysis before authorizations in the system are allocated. That the analysis must cover both the needs and the risks is clear from the preparatory work to the Patient Data Act, Bill 2007/08:126 pp. 148-149, which states the following. Authorization for staff's electronic access to patient information shall be restricted to what the individual staff member needs in order to perform his or her duties in health care. This includes that authorizations must be followed up and changed or restricted as changes in the individual staff member's tasks give rise to it. The provision corresponds in principle to Section 8 of the Health Care Register Act. The purpose of the provision is to emphasize the obligation of the responsible care provider to make active and individual authorization assignments based on analyses of which data different staff categories and different types of activities need. But needs analyses alone are not sufficient. Risk analyses must also be carried out, taking into account the different types of risks that may be associated with excessive availability of certain types of information. Protected personal data that is classified, information about publicly known persons, and data from certain clinics or medical specialties are examples of categories that may require special risk assessments. In general, the more comprehensive an information system is, the greater the number of different authorization levels there must be. Decisive for decisions on authorization for, e.g., various categories of health care professionals' electronic access to data in patient records should be that the authorization is limited to what the staff member needs for the purpose of good and safe patient care. A more extensive or coarse-grained allocation of authorizations should, even if it has advantages from an efficiency point of view, be regarded as an unjustified dissemination of record information within an operation and should as such not be accepted. Furthermore, data should be stored in different layers so that more sensitive data require active choices or are otherwise not as easily accessible to staff as less sensitive data. As for personnel who work with business follow-up, statistics production, central financial administration and similar activities that are not directed at individuals, it should be sufficient for most staff members to have access to information that can only be indirectly linked to individual patients. Electronic access to code keys, personal identity numbers and other data that directly identify individual patients should in this area be strongly limited to a few individuals.

'''Internal confidentiality'''

The provisions in Chapter 4 of the Patient Data Act concern internal confidentiality, i.e. they regulate how privacy protection is to be handled within a care provider's operation, and in particular employees' possibilities to access personal data that is electronically available within a care provider's organization. Chapter 4, Section 2 of the Patient Data Act stipulates that the care provider must decide on the conditions for granting authorization for access to such data on patients that is processed wholly or partly automatically. Such authorization shall be limited to what is needed for the individual to be able to fulfill his or her tasks in health care. According to Chapter 4, Section 2 of HSLF-FS 2016:40, the care provider shall ensure that each user is assigned an individual authorization for access to personal data. The care provider's decision on the allocation of authorization shall be preceded by a needs and risk analysis.

'''Coherent record keeping'''

The provisions in Chapter 6 of the Patient Data Act concern coherent record keeping, which means that a care provider may, under the conditions specified in Section 2 of the same chapter, have direct access to personal data processed by other care providers for purposes related to care documentation. Access to information is provided by a care provider making the information that it records about a patient available to other care providers who participate in the coherent record keeping (see Bill 2007/08:126 p. 247). It follows from Chapter 6, Section 7 of the Patient Data Act that the provisions in Chapter 4, Section 2 also apply to the allocation of authorizations for coherent record keeping. The requirement that the care provider must perform a needs and risk analysis before authorizations in the system are allocated therefore also applies to systems for coherent record keeping.

'''Documentation of access (logs)'''

Chapter 4, Section 3 of the Patient Data Act states that a care provider must ensure that access to such data on patients that is kept wholly or partly automatically is documented and systematically checked. According to Chapter 4, Section 9 of HSLF-FS 2016:40, the care provider shall ensure that
# the documentation of access (logs) shows which actions have been taken with information on a patient,
# the logs show at which care unit or in which care process the actions have been taken,
# the logs show the time at which the actions were taken, and
# the identity of the user and of the patient is shown in the logs.

'''The Data Inspectorate's assessment'''

'''The controller's responsibility for security'''

As described above, Article 24(1) of the Data Protection Regulation lays down a general requirement for the controller to take appropriate technical and organizational measures.
The requirement is partly to ensure that the processing of personal data is carried out in accordance with the Data Protection Regulation, and partly that the controller must be able to demonstrate that the processing is carried out in accordance with the Regulation. The security of the processing is regulated more specifically in Articles 5(1)(f) and 32 of the Data Protection Regulation. Article 32(1) states that the appropriate measures shall be both technical and organizational and that they must ensure a level of security that is appropriate in relation to the risks to the rights and freedoms of natural persons that the processing entails. It is therefore necessary to identify the possible risks to the data subjects' rights and freedoms and to assess the likelihood that the risks will materialize and their severity if they do.

What is appropriate varies not only in relation to the risks but also according to the nature, scope, context and purposes of the processing. It therefore matters what personal data is processed, how much data it concerns, how many people process the data, and so on.

Health care has a great need for information in its operations. It is therefore natural that the possibilities of digitalization are utilized as far as possible in health care. Since the Patient Data Act was written, extensive digitization has taken place in health care. Both the size of the data collections and the number of people sharing information with each other have increased substantially. At the same time, this increase means that the demands on the controller increase, as the assessment of what constitutes appropriate security is affected by the extent of the processing. It is also a question of sensitive personal data, and the data concerns people who are in a position of dependence when they are in need of care.
It is also often a question of a great deal of personal data about each individual, and the data may over time be processed by very many people. All in all, this places great demands on the controller. The data processed must be protected both from actors outside the operation and against unauthorized access from within the operation. It should be noted that Article 32(2) states that the controller, when assessing the appropriate level of security, shall take particular account of the risks of accidental or unlawful destruction, loss, or unauthorized disclosure of or unauthorized access to personal data. In order to know what constitutes unauthorized access, the controller must be clear about what constitutes authorized access.

'''Needs and risk analysis'''

The National Board of Health and Welfare's regulations supplementing the Patient Data Act state, in Chapter 4, Section 2 of HSLF-FS 2016:40, that the care provider shall carry out a needs and risk analysis before authorizations in the system are allocated. National law thus prescribes a requirement for an appropriate organizational measure that shall be taken before authorizations for record systems are allocated. A needs and risk analysis must include an analysis of the needs and an analysis of the risks, from a privacy perspective, that may be associated with an excessive allocation of access to personal data about patients. Both the needs and the risks must be assessed on the basis of the data that need to be processed in the operation, which processes are concerned, and whether and what risks to the privacy of the individual exist.
The assessments of the risks need to be made at the organizational level, where for example a certain part of the operation or a certain task may be more privacy-sensitive than another, but also at the individual level, where it concerns for example protected personal data, publicly known persons or otherwise particularly vulnerable persons. The size of the system also affects the risk assessment. The preparatory work for the Patient Data Act states that the more comprehensive an information system is, the greater the number of authorization levels there must be (Bill 2007/08:126 p. 149). It is thus a question of an analysis at a strategic level, which should yield an authorization structure adapted to the operation, and this structure should be kept up to date.

In summary, the regulations require that the risk analysis identifies different categories of data, categories of data subjects (e.g. vulnerable natural persons and children), the scope (e.g. the amount of personal data and the number of data subjects) and the negative consequences for data subjects (e.g. harm, significant social or economic disadvantage, deprivation of rights and freedoms), and how these affect the risk to the rights and freedoms of natural persons in the processing of personal data. This applies both within internal confidentiality and in coherent record keeping. The risk analysis must also include special risk assessments, for example based on whether there is protected personal data that is classified, information on public figures, or information from certain clinics or medical specialties (Bill 2007/08:126 pp. 148-149). The risk analysis must also include an assessment of how likely and how serious the risk to the data subjects' rights and freedoms is, based on the nature, scope, context and purposes of the processing (recital 76).
It is thus through the needs and risk analysis that the controller finds out who needs access, what data the access shall include, and at what times and in what contexts access is needed, while at the same time analyzing the risks to the freedoms and rights of the individual that the processing may lead to. The result should then lead to the technical and organizational measures needed to ensure that there is no access other than what is needed and what the risk analysis shows to be justified. When a needs and risk analysis is missing prior to the allocation of authorizations in a system, the controller lacks the basis for assigning its users a correct authorization on lawful grounds. The controller is responsible for, and shall have control over, the processing of personal data that takes place within the framework of its operation. To assign users authorizations for access to a record system without this being founded on a completed needs and risk analysis means that the controller does not have sufficient control over the processing of personal data that takes place in the record system, and also cannot demonstrate that it has the control that is required.

When the Data Inspectorate requested a documented needs and risk analysis during the inspection, KRY submitted a document dated 11 March 2019 with the heading "Authorization allocation: Needs and risk analysis". On 10 May 2019, KRY submitted a revised needs and risk analysis dated 2 May 2019, which also covers coherent record keeping but which otherwise contains essentially the same needs and risk analysis as the document dated 11 March 2019. On 20 March 2020, KRY submitted a new revised version dated 1 March 2020 which contains a largely reworked analysis.
In the needs and risk analysis from 11 March 2019, KRY carried out an analysis regarding internal confidentiality in which the need for access to personal data in the record system was weighed against the risks that KRY considers to follow from access rights. It appears that the purpose is to arrive, based on the analysis, at a model for authorization allocation in the operation. In the analysis, KRY identified and described the need for access based on how KRY conducts its operation. Furthermore, KRY identified and described needs based on the different duties of the staff categories. KRY reached a conclusion after having weighed the needs against the risks identified by KRY and the measures taken to reduce the risks.

The Data Inspectorate can state that KRY has carried out a needs and risk analysis that identifies and analyzes needs and risks. The analysis is carried out at a strategic level and is to form a basis for authorizations in the operation. The needs, and partly also the risks, are analyzed based on the actual conditions in the operation. Based on the analysis carried out, KRY has identified technical and organizational measures to reduce the risk of unauthorized access. In its initial analysis, however, KRY has not taken into account how negative consequences for data subjects, different categories of data, categories of data subjects, or the scope in terms of the amount of personal data and the number of data subjects affect the risk to the rights and freedoms of natural persons in KRY's processing of personal data in ProReNata and the National Patient Overview. Nor are there any special risk assessments based on whether there is, for example, protected personal data that is classified, information about publicly known persons, information from certain clinics or medical specialties, or other factors that require special protective measures.
There is also no assessment of how likely and serious the risk to the data subjects' rights and freedoms is deemed to be. KRY has thus taken measures that are likely to reduce the risk to the rights and freedoms of natural persons. However, the needs are analyzed too generally, and the risks to the data subjects' rights and freedoms are not adequately identified and assessed. Among other things, a deeper analysis of the risks to the individual's privacy based on both different categories of data and different categories of data subjects is missing.

In summary, the Data Inspectorate states that KRY had carried out a needs and risk analysis at a strategic level, but that it does not meet the requirements that the data protection regulations place on such an analysis, because KRY has not considered the risks, of varying likelihood and severity, for the rights and freedoms of natural persons and has not taken into account the different types of risks to the privacy of the individual that may be associated with excessive availability of certain types of data. The Data Inspectorate states that KRY thereby, at the time of the inspection, had not carried out a needs and risk analysis that meets the requirements set out in Chapter 4, Section 2 of HSLF-FS 2016:40, neither within the framework of internal confidentiality nor within the framework of coherent record keeping under Chapter 4 and Chapter 6 of the Patient Data Act respectively. This means that KRY has not taken appropriate organizational measures in accordance with Article 5(1)(f) and Article 31(1) and (2) to be able to ensure, and, in accordance with Article 5(2), be able to demonstrate, that the processing of personal data has a level of security that is appropriate in relation to the risks.

KRY has supplemented its analysis with a needs and risk analysis dated 1 March 2020.
In the new needs and risk analysis, KRY has largely reworked the analysis and identified risks based on certain types of data and patient groups, in the form of information on persons with a protected identity, public figures, employees, and staff's own data. Furthermore, in the revised analysis KRY has also assessed likelihood and consequence for the identified risks. The analysis also contains a more detailed review of the access needs of the various staff categories. Unlike in the previous versions of the analysis, KRY has concluded that a narrow authorization is sufficient for doctors, nurses and psychologists, except for so-called plus doctors, plus psychologists and doctors on call. The narrow authorization is stated to mean that users can only access information about patients (both in the internal medical record system and in NPÖ) in connection with patient meetings. It is further stated that access is granted when the staff member is scheduled with a patient, that it is automatically withdrawn 4 months after access was granted, and that no lookup on such a patient can take place before the meeting with the patient has taken place.

The Data Inspectorate can state that the new needs and risk analysis contains an in-depth needs analysis in which the organization, the different occupational categories and the different tasks have all been taken into account. The risk assessment is also in-depth and at least takes into account different categories of data subjects. It also includes an assessment of how likely and how serious the risk to the data subjects' rights and freedoms is. Based on the new roles, KRY has created more limited access possibilities. Given its specialized activities, KRY does not have such a complex organization that further needs assessments are required. As for the risks, however, they are still not analyzed on the basis of categories of data. Data that can be perceived as more privacy-sensitive are, for example, information concerning sex life, substance abuse, mental illness, or threats or violence, especially in close relationships. The analysis based on categories of data subjects could also be deepened by going through the categories that are actually handled in the operation. The fact that the operation has a homogeneous structure makes it even more important to analyze these risks and assess whether and how they can be remedied, because such a large proportion of the staff need to be assigned the same type of access.

'''Authorization for access to personal data about patients'''

As reported above, a care provider may have a legitimate interest in extensive processing of data on the health of individuals. Notwithstanding this, access to personal data about patients must be limited to what is needed for the individual to be able to fulfill his or her duties. With regard to the allocation of authorization for electronic access under Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act, the preparatory work, Bill 2007/08:126 pp. 148-149, states among other things that there should be different authorization categories in the record system and that the authorizations should be limited to what the user needs in order to provide the patient with good and safe care. It also states that "a more extensive or coarse-grained authorization should be regarded as an unauthorized dissemination of record information within an operation and should as such not be accepted." In health care, it is the person who needs the information in their work who may be authorized to access it. This applies both within a care provider and between care providers.
It is, as already mentioned, through the needs and risk analysis that the controller finds out who needs access, what information the access should include, and at which times and in which contexts access is needed, and at the same time analyzes the risks to the individual's freedoms and rights that the processing can lead to. The result should then lead to the technical and organizational measures needed to ensure that no allocation of authorization provides further access possibilities than what the needs and risk analysis shows to be justified. An important organizational measure is to provide instructions to those who have the authority to assign authorizations on how this is to be done and what is to be considered, so that, with the needs and risk analysis as a basis, the authorization allocation is correct in each individual case.

It appears that KRY at the time of the inspection had not limited health care professionals' and medical secretaries' access to data on patients, either within the framework of internal confidentiality in the ProReNata medical record system or within the framework of coherent record keeping in the NPÖ record system. KRY had, on the other hand, introduced measures to avoid unauthorized access, including logging and manual review of all record openings that were not linked to an active care relationship or a completed patient meeting, and deactivation of accounts every four weeks for doctors without shifts booked in the next four weeks.
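The narrow authorization described in KRY's revised analysis above (access granted when a staff member is scheduled with a patient, no lookup before the meeting, automatic withdrawal four months after the grant), the manual review of record openings not linked to an active care relationship, and the log fields required by Chapter 4, Section 9 of HSLF-FS 2016:40 can be modelled together as follows. This is an added example, not code from KRY, ProReNata AB, Inera or the decision; the class and field names are assumptions, and "4 months" is approximated as 120 days.

```python
"""Time-bound 'narrow authorization' for patient record access, with an
access log that carries the fields a care provider must document (action,
care unit, time, user identity, patient identity).

Constructed example: names and the 120-day approximation of '4 months'
are assumptions, not taken from the decision or from any record system."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# "automatically withdrawn 4 months after access was granted";
# 120 days is an assumption standing in for "4 months".
ACCESS_WINDOW = timedelta(days=120)


@dataclass(frozen=True)
class Grant:
    """Access created when a staff member is scheduled with a patient."""
    user_id: str
    patient_id: str
    meeting_at: datetime   # scheduled patient meeting
    granted_at: datetime   # when the schedule entry created the grant


@dataclass(frozen=True)
class LogEntry:
    """One lookup. The five documented fields follow ch. 4 § 9
    HSLF-FS 2016:40; 'allowed' and 'reason' are added so that denied
    attempts can be picked out for manual review."""
    time: datetime         # date and time of day
    user_id: str           # identity of the user
    patient_id: str        # identity of the patient
    action: str            # e.g. "read", "note", "sign", "cancel_note"
    care_unit: str         # KRY has a single unit for all staff
    allowed: bool
    reason: str


class RecordAccess:
    """Authorization check plus access logging for one care unit."""

    def __init__(self, care_unit: str = "KRY") -> None:
        self.care_unit = care_unit
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.log: List[LogEntry] = []

    def schedule_meeting(self, user_id: str, patient_id: str,
                         meeting_at: datetime, now: datetime) -> None:
        """Scheduling a patient meeting is the only way access is granted."""
        self._grants[(user_id, patient_id)] = Grant(
            user_id, patient_id, meeting_at, now)

    def check(self, user_id: str, patient_id: str,
              now: datetime) -> Tuple[bool, str]:
        """Narrow authorization: a grant must exist, the meeting must have
        taken place, and the grant must not have expired."""
        grant = self._grants.get((user_id, patient_id))
        if grant is None:
            return False, "no scheduled meeting between user and patient"
        if now < grant.meeting_at:
            return False, "meeting has not taken place yet"
        if now > grant.granted_at + ACCESS_WINDOW:
            return False, "grant withdrawn: access window since grant elapsed"
        return True, "active care relationship"

    def lookup(self, user_id: str, patient_id: str, action: str,
               now: datetime) -> bool:
        """Every attempt, allowed or denied, produces one log entry."""
        allowed, reason = self.check(user_id, patient_id, now)
        self.log.append(LogEntry(now, user_id, patient_id, action,
                                 self.care_unit, allowed, reason))
        return allowed

    def entries_for_review(self) -> List[LogEntry]:
        """Lookups not backed by an active care relationship, i.e. the set
        a manual log review would examine."""
        return [e for e in self.log if not e.allowed]

    def expire_grants(self, now: datetime) -> int:
        """Drop grants older than the access window; returns how many."""
        expired = [key for key, g in self._grants.items()
                   if now > g.granted_at + ACCESS_WINDOW]
        for key in expired:
            del self._grants[key]
        return len(expired)


if __name__ == "__main__":
    # Constructed sample: one doctor scheduled with one patient.
    system = RecordAccess()
    t0 = datetime(2020, 3, 1, 9, 0)
    system.schedule_meeting("dr1", "p1", meeting_at=t0 + timedelta(days=1), now=t0)
    for when, action in [(t0, "read"),
                         (t0 + timedelta(days=1, hours=1), "note"),
                         (t0 + timedelta(days=121), "sign")]:
        print(when, action, system.lookup("dr1", "p1", action, when))
    for entry in system.entries_for_review():
        print("review:", entry.time, entry.user_id, entry.patient_id, entry.reason)
```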
Because the needs and risk analysis that KRY had carried out at the time of the inspection did not take sufficient account of the risks to the rights and freedoms of natural persons, or of the different types of risks that may be associated with excessive availability of certain types of information, KRY has not shown that read permissions had been restricted in the manner required by the Data Protection Regulation and the Patient Data Act. This in turn has meant that there has been a risk of unauthorized access and unjustified dissemination of personal data, partly within the framework of internal confidentiality and partly within the framework of coherent record keeping. KRY has, through the measures subsequently taken, reduced that risk by improving its analyses and taking further measures.

In the light of the above, the Data Inspectorate can state that KRY at the time of the inspection processed personal data in violation of Article 5(1)(f) and Article 32(1) and (2) of the Data Protection Regulation, in that KRY, in accordance with Article 5(2) and (1), has not been able to show that it had restricted users' authorizations for access to the record systems ProReNata and the National Patient Overview to what is strictly needed for the user to be able to fulfill their duties in health care, as required by Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of HSLF-FS 2016:40.

The needs and risk analysis dated 1 March 2020 shows that KRY has introduced restrictions on access to personal data about patients. Unlike in the previous versions of the analysis, KRY has come to the conclusion that a narrow authorization is sufficient for doctors, nurses and psychologists, except for so-called plus doctors, plus psychologists and doctors on call. The narrow authorization is stated to mean that users can only access information about patients (both in the internal medical record system and in NPÖ) in connection with patient meetings.
It is further stated that access is granted when the staff member is scheduled with the patient, that it is automatically withdrawn 4 months after access was granted, and that no lookup on such a patient can take place before the meeting with the patient has taken place. KRY has thus improved the restriction of access since the inspection. As stated in the section above regarding the new needs and risk analysis, however, some additions to the analysis are still required for it to be comprehensive and able to show that access has been restricted in accordance with the requirements of the Data Protection Regulation and the Patient Data Act. Based on the result of these additions, KRY must then reassess its authorization model.

'''Documentation of access (logs)'''

The Data Inspectorate can state that the logs in ProReNata and NPÖ show which member of staff made a lookup at a given time. Time refers to both date and time of day. It is clear which patient it concerns, the user's identity and what action the user has taken, such as signing, taking notes and reading. Because KRY is not organized into several different care units, only one unit appears, which is the same for all staff. After the inspection, KRY noted that the specific action of cancelling an (unsigned) note was not logged separately in ProReNata, but KRY has stated that such logging has been in place since 16 May 2019. The Data Inspectorate notes that the documentation of access (the logs) in ProReNata and NPÖ is now in accordance with the requirements set out in Chapter 4, Section 9 of HSLF-FS 2016:40.

'''Choice of intervention'''

'''Legal regulation'''

If there has been a violation of the Data Protection Regulation, the Data Inspectorate has a number of corrective powers available under Article 58(2)(a)-(j) of the Data Protection Regulation.
The supervisory authority can, among other things instruct the data controller to ensure that the processing takes place in in accordance with the Regulation and if required in a specific way and within a specific period.Datainspektionen DI-2019-3845 2 6 (31) It follows from Article 58 (2) of the Data Protection Regulation that the Data Inspectorate in in accordance with Article 83 shall impose penalty charges in addition to or in lieu of other corrective measures referred to in Article 58 (2), the circumstances of each individual case. The overall starting point for imposition of a penalty fee is that in the individual case it is judged to be effective, proportionate and dissuasive (cf. Article 83 (1)). Article 83 (2) sets out the factors to be taken into account in determining whether a administrative penalty fee shall be imposed, but also what shall affect the size of the penalty fee. Of central importance for the assessment of the seriousness of the infringement is its nature, severity and duration. If in the case of a minor infringement, the supervisory authority may, according to reasons 148 of the Data Protection Regulation, issue a reprimand instead of imposing one penalty fee. Assessment of whether a penalty fee should be imposed The health service has a great need for information in its operations. The It is therefore natural that the possibilities of digitalisation are utilized as much as possible in healthcare. Since the Patient Data Act was written, one has a lot extensive digitization has taken place in healthcare. Both the data collections size as the number of people sharing information with each other has increased substantially. At the same time, this increase means that the demands on it increase personal data controller, as the assessment of what is an appropriate safety is affected by the extent of the treatment. 
In this context, it means an even greater responsibility for it personal data controller to protect the data from unauthorized access, among other things by having an authorization allocation that is even more comminuted. It is therefore essential that there is a real analysis of the needs based on different activities and different executives. Equally important is that there is an actual analysis of the risks from an integrity perspective may occur in the event of an override of access rights. From this analysis must then restrict the access of the individual executive. This authority must then be followed up and changed or restricted accordingly hand that changes in the tasks of the individual executive provide reason for it. The Data Inspectorate has found that KRY at the Data Inspectorate's inspection conducted a needs and risk analysis at a strategic level, but that the analysisData Inspectorate DI-2019-3845 2 7 (31) not fully taken into account the risks, of varying degrees of probability and severity, for the rights and freedoms of natural persons and that KRY has not taken different considerations into account kind of risks to the privacy of the individual that may be associated with one too in the case of availability regarding certain types of data. KRY then has in March 2020 performed a new needs and risk analysis. The new needs and the risk analysis goes deeper than the previous one and takes into account both organization and different occupational categories and tasks. The risk assessment is also that in-depth and now also includes an assessment of probability and seriousness of risks to data subjects' fundamental freedoms and rights. Although the needs analysis can now be considered acceptable, it is missing still parts relating to the risk assessment. What needs closer remedied, the Data Inspectorate describes below under the heading injunction. 
The Data Inspectorate's inspection has thus shown that KRY has not met the requirement to take appropriate security measures to protect the personal data in the journal systems by not having fully complied with the requirements that follow the Patient Data Act and the National Board of Health and Welfare's regulations on implementing and risk analysis, before the allocation of authorizations in the system takes place. Thereby KRY has also not been able to show that KRY has limited the authorization for access to only what is needed for the individual to be able to fulfill their duties in health care. This means that KRY does not has also complied with the requirements of Article 5 (1) (f) and Article 32 (1) and (2) (i) the Data Protection Regulation. The lack of compliance includes both the internal secrecy according to ch. the Patient Data Act as the cohesive one record keeping according to ch. 6 patient data law. The Data Inspectorate can state that the violations are the starting point serious in terms of provisions that are fundamental to ensuring that the processing of personal data is subject to adequate security measures to protect the data subjects' fundamental freedoms and rights. Also the nature of the data, the number of data subjects concerned, which in this case amounts to about 450,000 patients, as the number of employees and the availability of a large proportion of them employees to these patients' tasks speak in an aggravating direction. In determining the seriousness of the infringements, it can also be stated that the infringements also cover the basic principles set out in Article 5 (i) the Data Protection Ordinance, which belongs to the categories of more serious Data Inspectorate DI-2019-3845 2 8 (31) infringements which may give rise to a higher penalty under Article 83 (5) (i) the Data Protection Regulation. 
It is thus typically not a question of minor infringements but infringements which should normally lead to an administrative penalty charge. When assessing whether a penalty fee should be imposed, it must be considered at the same time if required, taking into account that it is a matter of a measure as in it individual case is effective, proportionate and dissuasive. As has been seen, at the time of the inspection, KRY had made a and risk analysis at strategic level and taken measures as likely reduces the risk to the rights and freedoms of natural persons. KRY has thus tried to comply with the requirements for the processing of personal data and has to a not insignificant extent taken measures in order to comply with the requirements and reduce the risks. The Data Inspectorate assesses that KRY's lack of compliance has not meant that the data subjects have been deprived of protection of their rights and freedoms to the same extent as if none or only deficient measures had been taken. KRY has also taken steps to try to come to terms with it shortcomings in the needs and risk analysis after the Data Inspectorate's inspection by to establish and submit to the Data Inspectorate two revised needs and risk analyzes. It should also be taken into account that KRY itself has drawn attention lack of logging and taken measures to remedy that shortcoming. In a weighted assessment, the Data Inspectorate finds that they are relevant the infringements are admittedly typically of such a nature that a administrative penalty fee should normally be imposed but that in the case the case is not proportionate to such an intervention by The Data Inspectorate. KRY should instead be ordered to take measures to ensure that the processing takes place in accordance with the Data Protection Regulation. Order When deciding on an injunction, the Data Inspectorate considers the revisions of the needs and risk analysis that KRY has done after the inspection. 
During the supervision case, KRY has revised its needs and risk analysis on two occasions. The first revision was made on 2 May 2019 and the Swedish Data Inspectorate DI-2019-3845 29 (31) the second revision was made on March 1, 2020. Through the first revision KRY adjusted the analysis to also include coherent record keeping in NPÖ. In the second revision, KRY has largely reworked the analysis and identified risks based on certain types of data and patient groups in form of data on persons with a protected identity, public figures, employees and the staff's own tasks. Furthermore, in the revised analysis, KRY has also assessed probability and impact on the identified risks. The analysis also contains more detailed review of access needs for the various staff categories. Unlike previous versions of the analysis KRY has come to the conclusion that a narrow qualification is sufficient for doctors, nurses and psychologists, except for so-called plus doctors and emergency services. The tight privileges are said to mean that users can only take part information about patients (both internal medical records and NPÖ) at patient meetings. It is further stated that access is granted in connection with the staff scheduled with patient and automatically withdrawn 4 months after access granted and that before meeting with patient has taken place can not beating on such patient happen. The Data Inspectorate states that KRY since the inspection on April 4, 2019 has improved its needs and risk analysis so that it increasingly meets the requirements for a needs and risk analysis. The Data Inspectorate notes, however, that the analysis does not describe the risks for those registered on other than that it is stated that there is a risk of disclosure of confidentiality and privacy damage or privacy threat. The analysis lacks a more detailed description of what such injury or threat consists of and the extent of the treatment affects the risk. 
The Data Inspectorate therefore submits KRY, pursuant to Article 58 (2) (d) i the Data Protection Regulation, to be completed by the last February 2021 at the latest the needs and risk analyzes for the journal systems ProReNata and National patient overview by developing the analysis of the risks for those registered rights and freedoms and that thereafter, with the support of needs and the risk analyzes, make a reassessment regarding the allocation of permissions so that each user has access to only those personal data needed for the user to be able to fulfill his tasks in health care, in accordance with Article 32 (1) and the Data Inspectorate DI-2019-3845 3 0 (31) 32.2 of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 Section 7 of the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40. _______________________________________Data Inspectorate DI-2019-3845 3 1 (31) This decision was made by Director General Lena Lindgren Schelin after presentation by the IT security specialist Magnus Bergström. At the final The case is also handled by Hans-Olof Lindblom, General Counsel unit managers Malin Blixt and Katarina Tullstedt participated. Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature) Appendix: Appendix 1 - How to pay a penalty fee Copy for knowledge of: Data Protection Officer How to appeal If you want to appeal the decision, you must write to the Data Inspectorate. Enter i the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from the day you received the decision. If the appeal has been received in due time the Data Inspectorate forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.