Datainspektionen - DI-2019-3839: Difference between revisions
No edit summary |
|||
Line 77: | Line 77: | ||
<pre> | <pre> | ||
Data Inspectorate | |||
DI-2019-3839 | |||
The Data Inspectorate's decision | |||
The Swedish Data Protection Authority has found in its review on 27 March 2019 that | |||
The Board of Karolinska University Hospital (Karolinska | |||
University Hospital) processes personal data in breach of Article 5(1)(f) and | |||
5(2) and Article 32(1) and (2) of the General Data Protection Regulation1 by | |||
1. | |||
Karolinska University Hospital in its capacity as | |||
the controller does not comply with the requirement that it has | |||
carried out a needs and risk analysis before the allocation of | |||
authorisations are made in the TakeCare medical record system, in accordance with Chapter 4, Section 2 | |||
§ and Chapter 6. 7 § Patient Data Act (2008:355) and Chapter 4 § 2 | |||
The National Board of Health and Welfare's regulations and general advice (HSLF-FS 2016:40) on | |||
record keeping and processing of personal data in health and | |||
health care. This means that Karolinska University Hospital does not | |||
has taken appropriate organisational measures to be able to | |||
ensure and be able to demonstrate that the processing of personal data has | |||
a level of security appropriate to the risks involved. | |||
2. Karolinska University Hospital does not have limited | |||
user permissions for accessing the medical record system | |||
TakeCare to what is needed only for the user to | |||
be able to carry out their duties in the health sector | |||
under Chapter 4, Section 2 and Chapter 6. 7 of the Patient Data Act and Chapter 4, Section 2 | |||
HSLF-FS 2016:40. This means that Karolinska | |||
The University Hospital has not taken measures to | |||
ensure and be able to demonstrate adequate security for | |||
personal data. | |||
The Data Protection Inspectorate decides on the basis of Articles 58(2) and 83 of the | |||
the General Data Protection Regulation and Chapter 6, Section 2 of the Act (2018:218) with | |||
supplementary provisions to the EU Data Protection Regulation that | |||
Karolinska Universitetssjukhuset, for infringement of Article 5(1)(f) and (2) | |||
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection | |||
of natural persons with regard to the processing of personal data and on the free flow | |||
of such data and repealing Directive 95/46/EC (General Data Protection | |||
Data Protection Regulation). | |||
1 | |||
and Article 32(1) and (2) of the General Data Protection Regulation shall pay a | |||
an administrative fine of SEK 4 000 000 (four million). | |||
The Data Protection Inspectorate, on the basis of Article 58(2)(d) of the | |||
the General Data Protection Regulation Karolinska University Hospital to ensure that | |||
the necessary needs and risk analysis is carried out and documented for | |||
the TakeCare medical record system and then, with the support of needs and | |||
risk analysis, each user is assigned individual access rights to | |||
personal data to only what is necessary for the individual to | |||
carry out their duties in the health sector, in accordance with | |||
Article 5(1)(f) and Article 32(1) and (2) of the General Data Protection Regulation, Chapter 4, Section 2, and | |||
Chapter 6. 7 § Patient Data Act and 4 ch. 2 § HSLF-FS 2016:40. | |||
Description of the supervision case | |||
The Swedish Data Protection Authority initiated supervision by letter on 22 March 2019 and has | |||
on site on 27 March 2019 examined whether Karolinska University Hospital's | |||
decisions on the allocation of authorisations have been preceded by a needs and | |||
risk analysis. The audit has also covered how Karolinska | |||
The University Hospital assigned permissions for access to | |||
the main medical record system TakeCare, and what access possibilities they assigned | |||
the competences provide within the framework of the internal secrecy according to chapter 4. | |||
the Patient Data Act, as the coherent record keeping according to Chapter 6. | |||
patient data law. In addition, the Swedish Data Protection Authority has also examined which | |||
documentation of access (logs) available in the record system. | |||
The Swedish Data Protection Authority has only examined users' access to | |||
system, i.e. what health care documentation the user actually | |||
can take part in and read. The review does not cover the functions that | |||
included in the permission, i.e. what the user can actually do in | |||
the medical record system (e.g. issuing prescriptions, writing referrals, etc.). | |||
Previous review of Karolinska University Hospital's authorisation management | |||
The Swedish Data Protection Authority has previously conducted an inspection of Karolinska | |||
University Hospital's access control etc. By the Data Inspectorate | |||
Decision 920-2012, notified on 26 August 2013, states | |||
that Karolinska University Hospital was instructed, among other things, to carry out a needs and risk analysis as a basis for assigning authorisations in TakeCare. With | |||
Following the decision, Karolinska University Hospital submitted a | |||
written reply of 18 December 2013, stating, inter alia, that Karolinska | |||
The university hospital had started work on an action plan | |||
and a needs and risk analysis. | |||
What has emerged in the case | |||
Karolinska University Hospital has essentially stated the following. | |||
Controller | |||
Karolinska University Hospital is a separate authority within Region | |||
Stockholm. The Board of Karolinska University Hospital is | |||
controller for the processing of personal data by | |||
Karolinska University Hospital performs in the main medical record system TakeCare. | |||
Organisation | |||
Care at Karolinska University Hospital is organised on the basis of | |||
medical themes and a number of functions that bring together competences. | |||
Wards, clinics and day care are organised according to themes. | |||
Each theme is divided into a number of patient areas, which bring together similar | |||
patient flows. Function is an area of expertise that cuts across | |||
theme. A function assists with skills and resources, which are used in | |||
many different patient groups and thus in several themes. There is a | |||
a patient area manager and a functional area manager for each area. | |||
Journal system | |||
Karolinska University Hospital uses TakeCare as | |||
main medical record system, and participates in TakeCare's coherent | |||
journal entries. | |||
Karolinska University Hospital manages TakeCare, and has | |||
signed the contract with the supplier. Karolinska University Hospital has | |||
thus a large number of data-processing and sub-processing agreements with | |||
other health care providers. | |||
There is both a regional and a local organisation for TakeCare. The | |||
regional organisation consists of a management group (steering group), which | |||
in addition to Karolinska University Hospital consists of representatives of six | |||
other health care providers. | |||
Users and patients | |||
Karolinska University Hospital has almost 16,000 employees in total. The number | |||
users of the medical record system TakeCare who are employed at Karolinska | |||
University Hospital is 12 285, of which 1 328 users are | |||
inactive. At the time of the inspection, there were therefore 10 957 active users. | |||
A user account is automatically deactivated if no login has been made for 60 | |||
days. | |||
The TakeCare medical record system contains records for about 3 million patients. | |||
Of these, 1 970 000 patient records are registered on, and de facto patients | |||
at, Karolinska University Hospital. | |||
The unified record keeping in TakeCare covers about 200-400 | |||
health care providers. It is now possible to search for all personal identity numbers available | |||
i TakeCare. However, there are discussions at regional level to limit in some cases | |||
the possibility of seeking information for a limited number of patients, to | |||
for example, patients in a particular residence. | |||
Internal confidentiality | |||
Needs and risk analysis | |||
Karolinska University Hospital cannot submit any completed | |||
needs and risk analysis for TakeCare. It is the respective patient area and | |||
functional area manager who will carry out and document the needs and | |||
risk analyses before assigning permissions. However, it is regularly investigated | |||
what the needs are and what permissions should be assigned to employees, | |||
e.g. for new hires. The template for needs and risk analyses | |||
available in Karolinska University Hospital's guidelines are not filled in | |||
regularly. | |||
Karolinska University Hospital is unable to answer whether the work initiated | |||
following the Data Inspectorate's previous supervisory decision of 26 August 2013 | |||
resulted in a needs and risk analysis for TakeCare. | |||
Following the inspection, Karolinska University Hospital has begun work | |||
to ensure that needs and risk assessments are carried out throughout the | |||
organization. Among other things, a needs and risk analysis has been carried out for | |||
the Perioperative Medicine and Intensive Care function in accordance with Karolinska | |||
University Hospital Guidelines. | |||
Granting access to personal data of patients | |||
There are approximately 40 authorization profiles in TakeCare that contain functions | |||
such as "reading recipes". Of these, 26 are so-called read functions. There are, for example, two authorisation profiles for nurses, | |||
where the difference between the profiles is that one has automated login. | |||
This means that logging in takes place automatically at the care unit you belong to for | |||
one eligibility profile, but not for the other. Also for doctors there are | |||
there are two eligibility profiles. The difference between the profiles is that one has | |||
access to a so-called emergency ligature. As a user you can have several different | |||
eligibility profiles, up to a maximum of five. For example, a medical candidate may have | |||
been assigned permissions from multiple entities. Staff tick | |||
cases themselves in the journal filter in TakeCare, which means that they make a | |||
active choice to access patient information on different devices. If a | |||
user ticks the "all devices" option, no further active | |||
choice to access patient information from all units. Although it | |||
are different access profiles, Karolinska states that users "have | |||
access to all patients in TakeCare". | |||
All accounts are individual, i.e. there is no account that multiple | |||
users can use (group account). | |||
In the policy document "Decision on the allocation of competences" from 2015 (latest | |||
updated on 23 October 2018)2 provides a general description of the regulatory framework | |||
and the conditions for assigning permissions. It also contains a | |||
description of an approach to conducting a needs and risk analysis, | |||
based on the user's need to have access to personal data concerning | |||
patients in their work and refers to the assignment of eligibility profile. In the guideline | |||
further recalls certain relevant issues. It is also stated that some | |||
of the examples do not match with the eligibility profiles available. | |||
After the inspection, Karolinska University Hospital carried out a needs and | |||
risk analysis for the Perioperative Medicine and Intensive Care function. In this | |||
the risks to be taken into account are those that arise if employees | |||
within the business do not have access to relevant information, and risks | |||
related to too broad or generous access to patient information. | |||
The guideline "Assignment of permissions" has been developed by lawyers and established by | |||
the Chief Medical Officer in the area of quality and patient safety. | |||
2 | |||
Access to personal data of patients in the Stockholm County Health Care Area | |||
During the inspection it was found that users at Karolinska | |||
The University Hospital has access to data on patients in | |||
The Stockholm County Health Authority (SLSO). According to Karolinska | |||
University Hospital, this is due to the fact that Karolinska University Hospital | |||
and SLSO are listed as "one and the same" care unit in TakeCare. This means that | |||
users at Karolinska University Hospital technically have access | |||
also to information on patients at SLSO within the internal confidentiality, and vice | |||
versa. | |||
Regarding the background and motives for Karolinska University Hospital | |||
and SLSO is listed as a care unit in TakeCare, Karolinska | |||
University Hospital referred to an enforcement decision dated 2010-01 | |||
and minutes of the Board meeting. The minutes show that | |||
the director of the county council has established in the enforcement decision that | |||
County Council (SLL) administrations that provide health care belong to | |||
care provider SLL and that this means that Karolinska University Hospital | |||
and SLSO, until further notice, shall remain unchanged as one and the same | |||
healthcare providers in TakeCare. | |||
Coherent record keeping | |||
Needs and risk analysis | |||
No needs and risks analysis has been carried out before the staff has | |||
allowed access to other health care providers' health care documentation in the context of | |||
coherent record keeping. | |||
Granting access to personal data of patients | |||
Users at Karolinska University Hospital have access to other | |||
healthcare providers' data on patients in TakeCare within the framework of | |||
coherent record keeping. Access is prepared on a patient basis, and requires | |||
the patient's consent. When searching for a patient, the healthcare providers who | |||
the patient has previously sought care from. This gives an indication that it may | |||
there is information about the patient at another healthcare provider. Information | |||
can be important when prescribing medicines, for example. By making a | |||
active selection and clicking on a specific device, you can access | |||
information. | |||
There is a decision from the Stockholm Region that every care provider who chooses | |||
to use the TakeCare medical record system must also be included in the | |||
coherent record keeping. | |||
Karolinska University Hospital has a policy document "Access to | |||
patient record, guideline", effective from 17 August 20183. Guideline | |||
contains a general description of the regulatory framework and sets out | |||
the conditions for accessing the care documentation in TakeCare in certain | |||
situations. | |||
Technical limitations in TakeCare regarding access to | |||
personal data of patients | |||
The technical limitations on user access that | |||
used by Karolinska University Hospital relates to so-called protected units | |||
i TakeCare. There are currently six such units, including | |||
ANNOVA, SESAM reception and the child protection team. | |||
In the case of sheltered care units, it is not possible to limit | |||
competences at individual level, but access to | |||
medical record documentation for these patients is limited to a defined | |||
user group. The protected devices are not visible when | |||
record keeping and they are not included in the default profile role in the record filter. | |||
Decisions on protected units have been preceded by an assessment based on both | |||
a patient safety as well as a privacy perspective. Protected care units | |||
is currently used only to a limited extent. This is because a more | |||
widespread use would pose significant patient safety risks. | |||
Karolinska University Hospital has stated in a supplementary statement | |||
the following. | |||
Technical restrictions on access by individual managers: | |||
The TakeCare electronic health record system allows access to be restricted by | |||
the healthcare facility can control what information each user group (usually professional group) | |||
at the device can see and what each user group can do. The healthcare unit can also | |||
control what information other user groups at other healthcare facilities can see or | |||
do. However, as TakeCare is configured today, it only allows control on | |||
The guideline "Access to patient records, guideline" is developed by lawyers and established by | |||
the Chief Medical Officer in the area of quality and patient safety. | |||
3 | |||
user group level. Any possibility of technical restriction for individual managers | |||
access facilities are not available. This applies both to so-called internal confidentiality and to | |||
the framework for access through single entry. As regards the hospital's so-called protected | |||
it is also not possible to restrict permissions at the individual level, but | |||
access to the medical records of these patients is limited to a defined | |||
user group. | |||
The possibility for a healthcare provider to opt out of access to the other healthcare providers' | |||
patient documentation in TakeCare | |||
Following a decision by the Stockholm Region, every healthcare provider who chooses to use | |||
the TakeCare medical record system is also included in the coherent medical record system. This means that a | |||
healthcare providers cannot restrict other healthcare providers' access to their own healthcare records. | |||
However, the individual healthcare provider can control its users' access to data in the | |||
coherent record keeping. The TakeCare journal system offers features that provide | |||
the healthcare provider may restrict the access of its users in such a way that they can only | |||
has access to medical records from, for example, a designated group with other | |||
health care providers. To illustrate this, Karolinska University has referred to a screenshot, | |||
showing eligibility by provider. | |||
From the screenshot it can be seen that at the device level it is possible to control | |||
the eligibility of a unit's users in relation to other healthcare providers | |||
devices by setting them to "view documents" or "do not view | |||
documents" lists. The latter list shows that it is possible to block | |||
units of other health care providers. However, it does not appear that the function exists per | |||
provider, but you have to block all devices of the current provider | |||
if you want to block a healthcare provider. | |||
Documentation of access (logs) | |||
Karolinska University Hospital has presented various logs and stated in | |||
essentially the following. | |||
There are two types of logs, in-depth logs and targeted logs. | |||
In-depth log information can be requested on either the user | |||
(the employee) or on the patient. Targeted log information can be requested by | |||
for example a patient. | |||
From a screenshot, showing the documentation in logs, it appears that | |||
data recorded in the log; patient, status, time, user, system, | |||
the server call (action) performed and from which care unit the action was performed. | |||
Grounds for the decision | |||
Current rules | |||
GDPR the primary source of law | |||
The General Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and | |||
is the primary legal framework for processing personal data. This | |||
also applies to health care. | |||
The basic principles for the processing of personal data are set out in | |||
Article 5 of the General Data Protection Regulation. A fundamental principle is the requirement of | |||
security under Article 5(1)(f), which states that personal data shall be processed | |||
in a way that ensures appropriate security of the personal data, | |||
including protection against unauthorised or unlawful processing and against loss, | |||
destruction or accidental damage, using appropriate | |||
technical or organisational measures. | |||
Article 5(2) sets out the so-called "accountability", i.e. that | |||
the controller is responsible for and can demonstrate that the | |||
the basic principles set out in paragraph 1 are complied with. | |||
Article 24 deals with the responsibility of the controller. Article 24(1) | |||
it is stated that the controller is responsible for implementing appropriate | |||
technical and organisational measures to ensure and demonstrate that | |||
the processing is carried out in accordance with the General Data Protection Regulation. The measures shall | |||
be carried out taking into account the nature, scope, context of the processing | |||
and purposes and the risks, of varying degrees of probability and severity, to | |||
rights and freedoms of natural persons. The measures will be reviewed and updated | |||
if necessary. | |||
Article 32 regulates the security of the processing. According to paragraph 1 | |||
the controller and the processor shall take into account | |||
of recent developments, implementation costs and treatment | |||
nature, scope, context and purpose, and the risks, of varying | |||
likelihood and severity, to the rights and freedoms of natural persons | |||
take appropriate technical and organisational measures to ensure a | |||
level of security appropriate to the risk (...). Paragraph 2 provides that | |||
when assessing the appropriate level of safety, particular account is taken of the risks | |||
processing, in particular from accidental or unlawful destruction, | |||
loss or alteration or to unauthorised disclosure of or access to | |||
the personal data transmitted, stored or otherwise processed. | |||
Recital 75 states that in assessing the risk to natural persons | |||
rights and freedoms, various factors must be taken into account. These include | |||
personal data covered by the obligation of professional secrecy, data concerning health or | |||
sexual life, if there is processing of personal data relating to vulnerable natural | |||
persons, especially children, or if the treatment involves a large number of | |||
personal data and concerns a large number of data subjects. | |||
Furthermore, it follows from recital 76 that the likelihood and severity of the risk to the | |||
rights and freedoms of data subjects should be determined on the basis of the | |||
nature, scope, context and purpose. The risk should be evaluated on | |||
on the basis of an objective assessment, which determines whether | |||
the data processing involves a risk or a high risk. | |||
Recitals 39 and 83 also contain wording providing guidance on the | |||
more detailed meaning of the security requirements of the GDPR in | |||
processing of personal data. | |||
The General Data Protection Regulation and the relationship with complementary national | |||
provisions | |||
According to Article 5(1)(a) of the GDPR, personal data shall | |||
treated in a lawful manner. For the processing to be considered lawful, it is necessary that | |||
legal basis, in that at least one of the conditions laid down in Article 6(1) is fulfilled. | |||
The provision of health care is a task of general interest | |||
interest referred to in Article 6(1)(e). | |||
In the health sector, the legal bases may also be legal | |||
obligation under Article 6(1)(c) and the exercise of official authority under Article 6(1)(e) | |||
updated. | |||
When it comes to the legal grounds of legal obligation, general | |||
interest or the exercise of official authority, Member States may, under Article | |||
6.2, maintain or introduce more specific provisions to adapt | |||
the application of the provisions of the Regulation to national circumstances. | |||
National law may further define specific requirements for data processing | |||
and other measures to ensure lawful and fair treatment. But | |||
there is not only a possibility to introduce national rules but also a obligation; Article 6(3) states that the ground for processing referred to in | |||
paragraph 1(c) and (e) shall be determined in accordance with Union law; or | |||
the national law of the Member States. The legal basis may also include | |||
specific provisions to adapt the application of the provisions of | |||
the General Data Protection Regulation. Union law or Member States' national | |||
right must meet an objective of general interest and be proportionate to the | |||
legitimate objectives pursued. | |||
Article 9 states that the processing of special categories of | |||
personal data (so-called sensitive personal data) is prohibited. Sensitive | |||
personal data includes health data. Article 9(2) states | |||
the exceptions where sensitive personal data may still be processed. | |||
Article 9(2)(h) states that processing of sensitive personal data may take place if | |||
the processing is necessary for reasons related to, inter alia | |||
the provision of healthcare on the basis of Union law or | |||
national law of the Member States or by agreement with professionals in the | |||
health and provided that the conditions and safeguards | |||
referred to in paragraph 3 are fulfilled. Article 9(3) requires regulated professional secrecy. | |||
This means that both the legal grounds of general interest, | |||
exercise of official authority and legal obligation as processing of sensitive | |||
personal data by virtue of the derogation in Article 9(2)(h) need | |||
supplementary rules. | |||
Additional national provisions | |||
In the case of Sweden, both the basis for the treatment and the | |||
specific conditions for processing personal data in the health and | |||
healthcare regulated in the Patient Data Act (2008:355), and | |||
the Patient Data Regulation (2008:360). In Chapter 1. 4 of the Patient Data Act states that | |||
the Act complements the General Data Protection Regulation. | |||
The purpose of the Patient Data Act is to ensure that information management in health and | |||
health care should be organised in such a way as to ensure patient safety and | |||
good quality and promotes cost efficiency. Its purpose is also to | |||
personal data shall be designed and otherwise processed in such a way that the | |||
the privacy of other data subjects is respected. In addition, documented | |||
personal data is processed and stored in such a way that unauthorised persons cannot access it | |||
them (Chapter 1, Section 2 of the Patient Data Act). | |||
According to Chapter 2. 6 of the Patient Data Act, a healthcare provider is a data controller | |||
for the processing of personal data carried out by the healthcare provider. In a region | |||
and a municipality is any authority which provides health services | |||
controller for the processing of personal data by | |||
the authority performs. | |||
The additional provisions of the Patient Data Act aim to | |||
addressing both privacy and patient safety. The legislator has | |||
Thus, the regulation strikes a balance in terms of how | |||
information should be processed to meet both patient safety requirements | |||
as the right to privacy in the processing of personal data. | |||
The National Board of Health and Welfare has issued regulations under the Patient Data Regulation | |||
and general guidance on record keeping and processing of personal data in | |||
health care (HSLF-FS 2016:40). The regulations constitute such | |||
supplementary rules, which shall apply to the processing by healthcare providers of | |||
personal data in health care. | |||
National rules complementing the requirements of the GDPR for | |||
security is contained in Chapters 4 and 6 of the Patient Data Act and Chapters 3 and 4 of the Data Protection Act. HSLF-FS | |||
2016:40. | |||
Requirement to carry out needs and risk analysis | |||
According to chapter 4, section 2 of HSLF-FS 2016:40, the care provider must make a needs and | |||
risk analysis, before assigning permissions in the system. | |||
The need for an analysis of both needs and risks is clear from the preparatory work | |||
to the Patient Data Act, prop. 2007/08:126 p. 148-149, as follows. | |||
Authorisation for electronic access by staff to patient data shall be limited to | |||
what the official needs to perform his/her duties in the health and social services | |||
health care. This includes monitoring and changing or restricting authorisations according to | |||
as soon as changes in the duties of the individual officer so require. | |||
The provision corresponds in principle to Section 8 of the Health Care Register Act. The purpose of the provision is to | |||
inculcate the obligation for the responsible care provider to make active and individual | |||
based on analyses of the details of the information that different | |||
categories of staff and different types of activities need. But not only | |||
needs assessments. Risk analyses must also be carried out, taking into account the different types of risks such as | |||
may be associated with an excessive availability of certain types of data. | |||
Protected personal data marked as confidential, data on publicly known persons, data from certain clinics or medical specialties are examples of categories that | |||
may require specific risk assessments. | |||
Generally speaking, the more comprehensive an information system is, the greater the amount of | |||
different levels of authority must exist. Decisive for the decision on eligibility for e.g. different | |||
categories of health professionals to electronic access to data in | |||
medical records should be that the authorisation should be limited to what the manager needs | |||
for the purpose of good and safe patient care. A broader or coarser mesh | |||
assignment of access rights, even if it had merit from an efficiency point of view, should be considered as an unjustified dispersion of medical records within an organisation and as such should | |||
not accepted. | |||
Furthermore, data should be stored in different layers so that more sensitive data requires active choices or | |||
otherwise not as easily accessible to staff as less sensitive data. When it | |||
applies to staff involved in monitoring activities, producing statistics, central | |||
financial administration and similar activities that are not individually oriented, it should | |||
the majority of executives, it is sufficient to have access to information that can only be indirectly | |||
to individual patients. Electronic access to code keys, social security numbers and other | |||
data directly pointing to individual patients should in this area be able to be strongly | |||
limited to single persons. | |||
Internal confidentiality | |||
The provisions of Chapter 4 of the Patient Data Act concern internal confidentiality, i.e. | |||
say regulates how privacy is to be handled within a healthcare provider's | |||
activities and, in particular, the ability of employees to access | |||
personal data available electronically in a healthcare provider's | |||
organisation. | |||
Chapter 4, section 2 of the Patient Data Act states that the healthcare provider shall determine | |||
conditions for granting access rights to such data on | |||
patients who are fully or partially automated. Such authorisation shall | |||
limited to what is necessary for the individual to fulfil his or her | |||
tasks in health care. | |||
According to chapter 4, section 2 of HSLF-FS 2016:40, the healthcare provider shall be responsible for ensuring that each | |||
users are assigned an individual permission to access | |||
personal data. The decision of the healthcare provider to grant authorisation shall | |||
be preceded by a needs and risk analysis. | |||
Coherent record keeping | |||
Provisions in Chapter 6 of the Patient Data Act relate to coherent record keeping, | |||
which means that a healthcare provider - under the conditions set out in § 2 of the same | |||
chapter - may have direct access to personal data processed by other | |||
health care providers for purposes related to health care documentation. Access to | |||
information is provided by a healthcare provider making the information about a patient | |||
that the healthcare provider records about the patient available to other healthcare providers | |||
participating in the coherent record keeping (see prop. 2007/08:126 p. 247). | |||
From Chapter 6. 7 § Patient Data Act follows that the provisions of Chapter 4 also apply to | |||
for assigning access rights in the case of shared medical records. The requirement to | |||
the healthcare provider must carry out a needs and risk analysis before assigning | |||
permissions in the system, also applies in systems for coherent | |||
journal entries. | |||
Documentation of access (logs) | |||
Chapter 4, section 3 of the Patient Data Act states that a healthcare provider must ensure that | |||
access to such data on patients held in whole or in part | |||
automatically documented and systematically controlled. | |||
According to Chapter 4. 9 § HSLF-FS 2016:40, the care provider shall be responsible for | |||
1. the documentation of the access (logs) shows which | |||
actions that have been taken with the data of a patient, | |||
2. the logs indicate the care unit or care process | |||
the measures taken, | |||
3. the logs show the time at which the measures were taken, | |||
4. the identity of the user and the patient is shown in the logs. | |||
The Data Inspectorate's assessment | |||
Responsibility of the controller for security | |||
As described above, the National Board of Health and Welfare's regulations give the | |||
responsibility for information management in healthcare, such as | |||
conduct a needs and risk analysis before assigning permissions in | |||
system happens. In the public health sector, there is no coincidence | |||
always the concept of the healthcare provider with the controller. | |||
Both the fundamental principles of Article 5 and Article 24(1) | |||
the General Data Protection Regulation, it is clear that it is the controller | |||
who shall implement appropriate technical and organisational measures to | |||
ensure and be able to demonstrate that the treatment is carried out in accordance with | |||
the General Data Protection Regulation. | |||
The Data Protection Inspectorate notes that the General Data Protection Regulation, as | |||
EU regulation is directly applicable in Swedish law and that the regulation | |||
specify when additional regulation should or may be introduced nationally. There are | |||
for example, scope to regulate nationally who is | |||
controller within the meaning of Article 4 of the General Data Protection Regulation. It is | |||
however, it is not possible to give a different regulation concerning the | |||
responsibility of the controller to take appropriate technical and | |||
organisational measures to ensure a level of security appropriate to the | |||
relation to the risk. This means that the National Board of Health and Welfare's | |||
that it is the care provider who should take certain measures, does not change that | |||
the responsibility to take appropriate security measures rests with the | |||
controller under the General Data Protection Regulation. Data Protection Authority | |||
can state that Karolinska University Hospital, in its capacity as | |||
controller, is responsible for ensuring that these measures are taken. | |||
As described above, Article 24(1) of the GDPR sets a | |||
general requirement for the controller to implement appropriate technical | |||
and organisational measures. The requirement aims to ensure that | |||
the processing of personal data is carried out in accordance with | |||
the General Data Protection Regulation, and that the controller should be able to | |||
demonstrate that the processing of personal data is carried out in accordance with | |||
the General Data Protection Regulation. | |||
The security of processing is more specifically regulated in Article 5(1)(f) | |||
and Article 32 of the General Data Protection Regulation. | |||
Article 32(1) states that the appropriate measures shall be both technical and | |||
organisational and they shall ensure a level of security appropriate in | |||
in relation to the risks to the rights and freedoms of natural persons | |||
treatment. It is therefore necessary to identify the possible | |||
risks to the rights and freedoms of data subjects and assesses | |||
the likelihood of the risks occurring and the severity if they do occur. | |||
What is appropriate varies not only in relation to the risks but also | |||
based on the nature, scope, context and purposes of the processing. It has | |||
It is therefore important what personal data are processed, how many | |||
data involved, how many people process the data, etc. | |||
The health sector has a great need for information in its activities. The | |||
is therefore natural that the possibilities of digitalisation are exploited as much as possible | |||
possible in health care. Since the introduction of the Patient Data Act, a very | |||
extensive digitalisation has taken place in healthcare. Both the data collections | |||
size as the number of people sharing information with each other has increased | |||
significantly. At the same time, this increase places greater demands on the | |||
controller, as the assessment of what is an appropriate | |||
safety is affected by the extent of treatment. | |||
Moreover, sensitive personal data are involved. The data also concern | |||
people who are in a situation of dependency when they are in need of care. | |||
There is also often a lot of personal data about each of these | |||
persons and the data may be processed over time by very | |||
many people in healthcare. All this places great demands on the | |||
controller. | |||
The data processed must be protected both from outside actors | |||
business as against unauthorised access from within the business. It is clear | |||
of Article 32(2) that the controller, when assessing the appropriateness | |||
level of security, shall in particular take into account the risks of accidental or unlawful | |||
destruction, loss or unauthorised disclosure or access. In order to | |||
to know what is an unauthorised access, it must | |||
the controller is clear about what constitutes authorised access. | |||
Needs and risk analysis | |||
In chapter 4, section 2 of the National Board of Health and Welfare's regulations (HSLF-FS 2016:40), which supplement | |||
the Patient Data Act, it is stated that the healthcare provider must make a needs and | |||
risk analysis before assigning permissions in the system. This means that | |||
national law requires an appropriate organisational measure to be | |||
be taken before assigning access rights to the medical record system. | |||
A needs and risk analysis should include an analysis of the needs and a | |||
analysis of the risks from a privacy perspective that may be associated with | |||
with an excessive allocation of access rights to patient data. | |||
Both the needs and the risks must be assessed on the basis of the data | |||
need to be addressed in the business, what processes are involved and | |||
the risks to the privacy of the individual. | |||
Risk assessments need to be made at the organisational level, where | |||
for example, a certain part of the activity or task may be more | |||
privacy-sensitive than another, but also on an individual level, if it is | |||
the question of special circumstances that need to be taken into account, such as | |||
that it concerns protected personal data, publicly known persons or | |||
otherwise particularly vulnerable persons. The size of the system also affects | |||
the risk assessment. The preparatory work for the Patient Data Act shows that the more | |||
comprehensive an information system is, the greater the variety of | |||
levels of authority there must be. (prop. 2007/08:126 p. 149). It is thus | |||
the question of a strategic analysis at the strategic level, which will provide a | |||
an authorisation structure adapted to the business and this must be maintained | |||
updated. | |||
In summary, the regulation requires that the risk analysis identifies different categories of data (e.g. health data), | |||
categories of data subjects (e.g. vulnerable natural persons and | |||
child), or the scope (e.g. number of personal data and data subjects) | |||
negative consequences for data subjects (e.g. injuries, | |||
significant social or economic disadvantage, deprivation of rights | |||
and freedoms) | |||
and how they affect the risk to the rights and freedoms of natural persons in | |||
processing of personal data. This applies both to internal confidentiality | |||
as in the case of coherent record keeping. | |||
The risk analysis shall also include specific risk assessments such as | |||
on the basis of the existence of protected personal data that is | |||
marked as confidential, information on publicly known persons, information from | |||
certain clinics or medical specialties (prop. 2007/08:126 p. 148149). | |||
The risk analysis shall also include an assessment of the likelihood and severity of | |||
the risk to the rights and freedoms of data subjects is and in any event determine | |||
whether it is a risk or a high risk (recital 76). | |||
It is thus through the needs and risk analysis that the | |||
the controller finds out who needs access, which data | |||
data to be accessed, at what times and in what formats | |||
context access is needed, while analysing the risks to the | |||
rights and freedoms of individuals that the processing may lead to. The result should | |||
then lead to the technical and organisational measures needed to | |||
ensure that no access other than that required by the | |||
the risk analysis shows to be justified shall be possible. | |||
In the absence of a needs and risk analysis for the allocation of competences in | |||
system, there is no basis for the controller to lawfully | |||
be able to assign the correct permissions to its users. The | |||
The controller is responsible for, and shall have control over, the | |||
personal data processing carried out within the framework of the activity. To | |||
assign users broad access to record systems, without this being based on | |||
on the basis of a needs and risk analysis, means that the controller | |||
does not have sufficient control over the processing of personal data carried out in | |||
system, nor can he demonstrate that he has the control | |||
required. | |||
When the Swedish Data Protection Authority has requested a needs and risk analysis | |||
Karolinska University Hospital referred to the policy document "Decision on | |||
allocation of competences, guideline "4 (guidelines on the allocation of competences) and | |||
stated that it is the respective patient area and functional area manager | |||
to carry out and document needs and risk analyses before | |||
assignment of permissions. According to Karolinska University Hospital | |||
when assigning authorisations, for example in the case of new recruitment, regularly | |||
an assessment of the employee's need for certification, even if | |||
the template for needs and risk analysis provided in the guideline is not completed | |||
regularly. Karolinska University Hospital could at the time of | |||
the inspection does not show a needs and risk analysis, but has | |||
subsequently stated that they had begun work to ensure that needs and | |||
risk analyses are carried out in the business. They have also submitted a documented | |||
"needs and risks analysis" for the functional area of Perioperative Medicine. | |||
As stated above, a needs and risk analysis should address both the needs and | |||
the risks are assessed on the basis of the data that need to be processed in | |||
operations, the processes involved and the risks to the | |||
integrity of the individual, both at organisational and individual level | |||
4 | |||
"Decision on the assignment of competences, guideline" valid from 23 October 2018. | |||
level. It is therefore a question of a strategic analysis at a strategic level, which | |||
shall provide an authorisation structure adapted to the activities. It should | |||
should lead to instructions on the assignment of authorisations, but it is | |||
not the instructions to the permission assignor that is the analysis. | |||
At the time of the inspection, Karolinska University Hospital was unable to | |||
present any needs and risk analysis. The needs and risk analysis | |||
the risk analysis for the Perioperative Medicine function does not meet | |||
the data protection provisions' requirements for such an analysis under Chapter 4, Section 2 of HSLFFS 2016:40, as it constitutes a general description of tasks in | |||
TakeCare for some specific professional categories. The document contains no | |||
analysis of the data needed by employees to perform their tasks | |||
tasks. The document does not contain an analysis of the risks that may | |||
be associated with an excessive availability of different types of | |||
personal data. | |||
The Data Inspectorate further notes that the approach described in | |||
guidelines on the assignment of authorisations to analyse which authorisation | |||
to be assigned to an individual user is based on the existing | |||
eligibility profiles. These are created based on what users need | |||
be able to do with the tasks, for example reading or writing, and not from | |||
what information about the patient the individual user needs to have | |||
to carry out their work. | |||
The needs and risk analyses described in Karolinska University Hospital's | |||
guidelines on credentialing is not an analysis under the requirements of a | |||
needs and risk analysis according to data protection regulations. Karolinska | |||
The University Hospital has also failed to demonstrate that the work initiated | |||
following the previous audit in 2013 resulted in the implementation of a | |||
needs and risk analysis for TakeCare in accordance with the injunction. | |||
The Data Inspectorate can therefore conclude that Karolinska | |||
The allocation of authorisations by the University Hospital has not been preceded by a | |||
necessary needs and risk analysis. | |||
Granting of access rights to personal data concerning | |||
wait | |||
As explained above, a healthcare provider may have a legitimate interest in having | |||
extensive processing of personal health data. Notwithstanding this | |||
access to personal data of patients be limited to | |||
what is necessary for the individual to perform his/her duties. | |||
With regard to the granting of authorisation for electronic access under Chapter 4. | |||
2 § and 6 chap. 7 § Patient Data Act, it is clear from the preparatory work, prop. | |||
2007/08:126 pp. 148-149, including that there should be different | |||
categories of access in the health record system and that the access | |||
limited to what the user needs to provide the patient with a good and safe | |||
care. It is also stated that "a broader or more coarse-meshed | |||
allocation of competences should be considered as an unjustified proliferation of | |||
medical records within a business and as such should not be accepted." | |||
In health care, the person who needs the data in his or her work | |||
who may be authorised to access them. This applies both within a | |||
care providers as between care providers. It is, as already mentioned, through | |||
the needs and risks analysis that the controller finds out who | |||
who needs access, what data the access should cover, at what | |||
when and in what contexts access is needed, and at the same time | |||
analyses the risks to the rights and freedoms of individuals that | |||
treatment may lead to. The result should then lead to the technical and | |||
organisational measures necessary to ensure that no allocation | |||
of access provides wider access possibilities than that provided by the | |||
the risk analysis shows is justified. An important organisational measure is to provide | |||
instructions to those authorised to grant authorisations on how to do so | |||
and what should be taken into account so that, with the needs and risk analysis | |||
as a basis, will be a correct assignment of authority in each case. | |||
In addition to Karolinska University Hospital's guideline for allocation of | |||
permissions, there is also a guidance document "Access to patient records, | |||
guideline" (access guidelines), which will apply from 17 August 2018.5 | |||
However, the guidelines provide only a general description of the regulatory framework and | |||
describes the conditions for the assignment of permissions respectively for | |||
to access the care documentation in TakeCare in different situations. | |||
The Data Inspectorate notes that although each user has de facto | |||
assigned an individual permission, the permissions assigned have not | |||
The guideline "access to patient records, guideline" is established by the head physician in the area | |||
quality and patient safety, and lawyers have participated in the development area. | |||
5 | |||
restricted in a way that ensures that the user does not have | |||
access to more personal data of patients or personal data | |||
about more patients than he needs to do his job. The allocated | |||
permissions means that the user has access to virtually all | |||
personal data of patients in TakeCare. This is because there are only two | |||
eligibility profiles for nurses and doctors respectively, and where the only | |||
that distinguishes the authorization profiles is that one | |||
the nursing authorisation has automated login to the care unit | |||
the staff belongs to and one medical authority has access to a so-called | |||
acute care. The restriction that has otherwise emerged regarding | |||
access to personal data in the medical record system refers to so-called | |||
protected devices. | |||
Against this background, the Data Inspectorate considers that, since the allocation | |||
of permissions was not preceded by the necessary needs and risk analysis, not | |||
there were conditions to restrict assigned permissions or there was support | |||
to determine what is justified access for executives | |||
at Karolinska University Hospital. | |||
The fact that the allocation of permissions has not been preceded by a needs and | |||
risk analysis means that Karolinska University Hospital has not analysed | |||
the users' need for access to the data, the risks associated with this access | |||
and thus not identified what access possibilities | |||
justified to users on the basis of such an analysis. Karolinska | |||
The university hospital has thus not taken appropriate organisational | |||
measures, in accordance with Article 32 of the General Data Protection Regulation, to limit | |||
users' access to personal data of patients in the medical record system. | |||
This in turn has meant that there has been a risk of unauthorised access and | |||
unwarranted dissemination of personal data in the context of the internal | |||
confidentiality, on the one hand, and in the context of the single file management, on the other. The number of | |||
users at Karolinska University Hospital is close to 11 000 and | |||
TakeCare contains personal data of about 3 million patients, of which | |||
about 2 million have been patients at Karolinska University Hospital. | |||
In light of the above, the Swedish Data Protection Authority can conclude that | |||
Karolinska University Hospital has processed personal data in breach of | |||
Article 5(1)(f) and Article 32(1) and (2) of the General Data Protection Regulation by | |||
Karolinska University Hospital has not restricted users | |||
permissions for access to the TakeCare medical record system to what is | |||
needed for the user to perform his/her tasks within the | |||
health care pursuant to Chapter 4, Section 2 and Chapter 6. 7 § of the Patient Data Act and 4 | |||
Chapter 2 § HSLF-FS 2016:40. This means that Karolinska University Hospital | |||
has not taken the measures necessary to ensure and, in accordance with Article | |||
5.2 of the General Data Protection Regulation, be able to demonstrate adequate security for | |||
personal data. | |||
Documentation of access in logs | |||
The Data Inspectorate notes that the logs in TakeCare show that | |||
information about the specific patient, which user has opened the | |||
the medical record, actions taken, which medical record has been | |||
opened, the period of time the user has been in, all openings of | |||
the medical record made on that patient during the selected time period and | |||
the time and date of the last opening. According to the Data Inspectorate | |||
assessment, this is consistent with the requirements for documentation of | |||
accesses in the logs set out in the regulations of the National Board of Health and Welfare. | |||
Choice of intervention | |||
Legal regulation | |||
If there has been a breach of the General Data Protection Regulation | |||
The Data Protection Inspectorate has a number of remedial powers at its disposal under Article | |||
58.2 a - j of the GDPR. The supervisory authority may, inter alia | |||
order the controller to ensure that the processing is carried out in | |||
in accordance with the Regulation and, if necessary, in a specific manner and within a | |||
specific period. | |||
It follows from Article 58(2) of the GDPR that the Data Protection Inspectorate in | |||
in accordance with Article 83 shall impose penalties in addition to, or instead of, | |||
other corrective measures referred to in Article 58(2), depending on | |||
the circumstances of each case. | |||
For public authorities, Article 83(7) of the GDPR allows national | |||
rules specify that administrative penalties may be imposed on public authorities. | |||
According to Chapter 6, Section 2 of the Data Protection Act, penalties may be imposed for | |||
authorities, but not exceeding SEK 5 000 000 or SEK 10 000 000 | |||
depending on whether the infringement concerns articles covered by Article 83(4) | |||
or 83.5 of the GDPR. | |||
Article 83(2) sets out the factors to be taken into account in determining whether a | |||
administrative penalty should be imposed, but also what should affect | |||
the amount of the penalty. Central to the assessment of | |||
the seriousness of the infringement is its nature, severity and duration. About | |||
in the case of a minor infringement, the supervisory authority may, pursuant to recital | |||
148 of the General Data Protection Regulation, issue a reprimand instead of imposing a | |||
penalty fee. | |||
Injunction | |||
As mentioned, the health sector has a great need for information in its | |||
activities and in recent years a very extensive digitalisation | |||
occurred in the health care sector. Both the size of the data collections and the number of | |||
sharing information with each other has increased significantly. This increases the demands on | |||
the controller, since the assessment of what is an appropriate | |||
safety is affected by the extent of treatment. | |||
In health care, this means even greater responsibility for the | |||
controller to protect the data from unauthorised access, | |||
including by having a fine-grained allocation of competences. The | |||
is therefore essential that there is a real analysis of the needs from different | |||
businesses and different executives. It is equally important that there is a | |||
actual analysis of the risks that may arise from a privacy perspective | |||
in the case of an excessive allocation of access rights. Based on this analysis | |||
then the individual officer's access shall be restricted. This | |||
eligibility must then be monitored and modified or restricted as appropriate | |||
that changes in the duties of the individual post holder result in | |||
reason for it. | |||
The Data Inspectorate's supervision has shown that Karolinska University Hospital does not | |||
has taken appropriate security measures to provide protection to | |||
personal data in the medical record system by Karolinska | |||
The University Hospital, as data controller, failed to comply with the requirements | |||
set out in the Patient Data Act and the National Board of Health and Welfare's regulations. Karolinska | |||
The University Hospital has thereby failed to comply with the requirements of Article 5(1)(f) | |||
and Article 32(1) and (2) of the General Data Protection Regulation. The failure includes | |||
both the internal secrecy according to chapter 4 of the Patient Data Act and the | |||
coherent record keeping according to Chapter 6 of the Patient Data Act. | |||
The Data Inspectorate therefore orders, on the basis of 58.2(d) of the | |||
the General Data Protection Regulation, Karolinska University Hospital to ensure that | |||
the necessary needs and risk analysis for the TakeCare medical record system is carried out | |||
within the framework of both internal secrecy and | |||
coherent record keeping. The needs and risk analysis must be documented. | |||
Karolinska University Hospital shall, with the support of the needs and | |||
the risk analysis, assign each user individual access rights to | |||
personal data limited to what is necessary for the | |||
the individual is able to carry out his or her duties in the health care sector. | |||
Penalty fee | |||
The Data Protection Inspectorate notes that the infringements basically concern | |||
Karolinska University Hospital's obligation to take appropriate | |||
security measures to provide protection to personal data under | |||
the General Data Protection Regulation. | |||
In this case, it is a question of very large data collections with sensitive | |||
personal data and wide-ranging permissions. The healthcare provider needs with | |||
need to have extensive processing of data on individual health. | |||
However, it must not be unrestricted but must be based on what individuals | |||
employees need to perform their tasks. Data Protection Inspectorate | |||
notes that the data in question involves direct identification | |||
of the individual by name, contact details and personal identity number, | |||
health data, but that it may also concern other private | |||
information on, for example, family circumstances, sexual life and lifestyle. Patient | |||
are dependent on receiving care and are therefore in a vulnerable situation. Data | |||
the nature, extent and dependency of patients gives healthcare providers a | |||
particular responsibility to ensure patients' rights to adequate protection of their | |||
personal data. | |||
Further aggravating circumstances are that the treatment of | |||
patient data in the main record system is at the core of a healthcare provider's | |||
activities, that the treatment covers many patients and the possibility of | |||
access concerns a large proportion of the employees. | |||
around 2 000 000 patients under the internal confidentiality regime and | |||
around 1 000 000 additional patients under the coherent | |||
record keeping. There are only six so-called protected units where | |||
the data is not accessible to users outside these devices. | |||
The Data Inspectorate can also state that Karolinska | |||
The University Hospital did not comply with the Data Inspectorate's previous injunction from | |||
of 26 August 2013 to carry out a needs and risk analysis that | |||
the basis for the allocation of authorisations according to the then requirement in Chapter 2. 6 | |||
§ second paragraph second sentence SOSFS 2008:14, which corresponds to the current | |||
provision in Chapter 4, Section 2 of HSLF-FS 2016:40. This is an aggravating | |||
circumstance, pursuant to Article 83(2)(e) of the GDPR. | |||
The deficiencies now identified have thus been known to Karolinska | |||
the University Hospital for several years, which means that the action | |||
intentional and therefore considered more serious. | |||
In determining the gravity of the infringements, it can also be noted that | |||
the infringements also include the fundamental principles of Article 5 of | |||
the General Data Protection Regulation, which belongs to the categories of more serious | |||
infringements which may give rise to a higher penalty under Article 83(5) of | |||
the General Data Protection Regulation. | |||
These factors taken together mean that the infringements are not to be assessed | |||
as minor infringements without infringements that should lead to a | |||
administrative penalty. | |||
The Data Protection Inspectorate considers that these infringements are closely related to | |||
each other. This assessment is based on the fact that the needs and risks analysis should | |||
be the basis for the allocation of the permissions. The Swedish Data Protection Authority | |||
therefore considers that these infringements are so closely linked | |||
that they constitute linked processing operations within the meaning of Article 83(3) of the | |||
the General Data Protection Regulation. The Data Protection Inspectorate therefore determines a common | |||
penalties for these infringements. | |||
The administrative penalty shall be effective, proportionate and | |||
deterrent. This means that the amount should be determined in such a way that the | |||
administrative penalty leads to correction, that it provides a preventive | |||
effect, and that it is proportionate to both the current | |||
infringements as to the ability of the supervised entity to pay. | |||
The maximum amount of the fine in this case is SEK 10 million | |||
pursuant to Chapter 6, Section 2 of the Act (2018:218) with supplementary provisions to the EU | |||
Data Protection Regulation. | |||
In view of the seriousness of the infringements and the fact that the administrative | |||
the penalty shall be effective, proportionate and dissuasive | |||
the Data Protection Inspectorate determines the administrative penalty fee for | |||
Karolinska University Hospital to SEK 4 000 000 (four million). | |||
This decision has been taken by the Director General Lena Lindgren Schelin after | |||
presentation by cyber security specialist Magnus Bergström. At the final | |||
Hans-Olof Lindblom, the Chief Legal Officer, the Heads of Unit | |||
Katarina Tullstedt and Malin Blixt, and lawyer Maja Savic. | |||
Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature) | |||
Appendix: | |||
How to pay the penalty fee | |||
Copy for information to: | |||
Data Protection Officer | |||
How to appeal | |||
If you wish to appeal against the decision, you should write to the Swedish Data Protection Authority. Please state in | |||
the decision you are appealing and the change you are requesting. | |||
The appeal must have been received by the Swedish Data Protection Authority no later than three weeks from | |||
on the date of notification of the decision. If the appeal has been lodged in due time | |||
the Data Inspectorate forwards it to the Administrative Court in Stockholm for | |||
examination. | |||
You can email the appeal to the Data Protection Authority if it does not contain | |||
any privacy-sensitive personal data or data that may be covered by | |||
confidentiality. The contact details of the authority are given on the first page of the decision. | |||
</pre> | </pre> |
Revision as of 14:24, 3 April 2021
Datainspektionen - DI-2019-3839 | |
---|---|
Authority: | Datainspektionen (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 32(1) GDPR Article 32(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 02.12.2020 |
Published: | 02.12.2020 |
Fine: | 4000000 SEK |
Parties: | Styrelsen för Karolinska Universitetssjukhuset |
National Case Number/Name: | DI-2019-3839 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Swedish |
Original Source: | Datainspektionen (in SV) |
Initial Contributor: | Charlotte Godhe |
The Swedish DPA (Datainspektionen) held that access to medical records has to be restricted based on the individual care workers’ necessity to perform his/her job. The DPA therefore fined the Karolinska University Hospital approximately €391000 for a breach of Articles 5 and 32 GDPR.
English Summary
Facts
The Karolinska University Hospital gave the healthcare personnel different access to patient journals based on whether they were doctors or nurses. Thus, this system enabled access to almost all the medical care records regardless of necessity.
Dispute
Had the Karolinska University Hospital taken organisational measures to limit access to personal data in the medical record system, under Article 32 GDPR?
Holding
The DPA held that the Karolinska University Hospital had not restricted access to patient journals based on a necessity for performing the individual healthcare personnel’s work. The hospital had thus not taken appropriate organisational measures under Article 5(1) and 32 GDPR to limit access to personal data. The hospital had therefore also failed to ensure appropriate security for personal data under Article 5(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Data Inspectorate DI-2019-3839 The Data Inspectorate's decision The Swedish Data Protection Authority has found in its review on 27 March 2019 that The Board of Karolinska University Hospital (Karolinska University Hospital) processes personal data in breach of Article 5(1)(f) and 5(2) and Article 32(1) and (2) of the General Data Protection Regulation1 by 1. Karolinska University Hospital in its capacity as the controller does not comply with the requirement that it has carried out a needs and risk analysis before the allocation of authorisations are made in the TakeCare medical record system, in accordance with Chapter 4, Section 2 § and Chapter 6. 7 § Patient Data Act (2008:355) and Chapter 4 § 2 The National Board of Health and Welfare's regulations and general advice (HSLF-FS 2016:40) on record keeping and processing of personal data in health and health care. This means that Karolinska University Hospital does not has taken appropriate organisational measures to be able to ensure and be able to demonstrate that the processing of personal data has a level of security appropriate to the risks involved. 2. Karolinska University Hospital does not have limited user permissions for accessing the medical record system TakeCare to what is needed only for the user to be able to carry out their duties in the health sector under Chapter 4, Section 2 and Chapter 6. 7 of the Patient Data Act and Chapter 4, Section 2 HSLF-FS 2016:40. This means that Karolinska The University Hospital has not taken measures to ensure and be able to demonstrate adequate security for personal data. The Data Protection Inspectorate decides on the basis of Articles 58(2) and 83 of the the General Data Protection Regulation and Chapter 6, Section 2 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation that Karolinska Universitetssjukhuset, for infringement of Article 5(1)(f) and (2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Data Protection Regulation). 1 and Article 32(1) and (2) of the General Data Protection Regulation shall pay a an administrative fine of SEK 4 000 000 (four million). The Data Protection Inspectorate, on the basis of Article 58(2)(d) of the the General Data Protection Regulation Karolinska University Hospital to ensure that the necessary needs and risk analysis is carried out and documented for the TakeCare medical record system and then, with the support of needs and risk analysis, each user is assigned individual access rights to personal data to only what is necessary for the individual to carry out their duties in the health sector, in accordance with Article 5(1)(f) and Article 32(1) and (2) of the General Data Protection Regulation, Chapter 4, Section 2, and Chapter 6. 7 § Patient Data Act and 4 ch. 2 § HSLF-FS 2016:40. Description of the supervision case The Swedish Data Protection Authority initiated supervision by letter on 22 March 2019 and has on site on 27 March 2019 examined whether Karolinska University Hospital's decisions on the allocation of authorisations have been preceded by a needs and risk analysis. The audit has also covered how Karolinska The University Hospital assigned permissions for access to the main medical record system TakeCare, and what access possibilities they assigned the competences provide within the framework of the internal secrecy according to chapter 4. the Patient Data Act, as the coherent record keeping according to Chapter 6. patient data law. In addition, the Swedish Data Protection Authority has also examined which documentation of access (logs) available in the record system. The Swedish Data Protection Authority has only examined users' access to system, i.e. what health care documentation the user actually can take part in and read. The review does not cover the functions that included in the permission, i.e. what the user can actually do in the medical record system (e.g. issuing prescriptions, writing referrals, etc.). Previous review of Karolinska University Hospital's authorisation management The Swedish Data Protection Authority has previously conducted an inspection of Karolinska University Hospital's access control etc. By the Data Inspectorate Decision 920-2012, notified on 26 August 2013, states that Karolinska University Hospital was instructed, among other things, to carry out a needs and risk analysis as a basis for assigning authorisations in TakeCare. With Following the decision, Karolinska University Hospital submitted a written reply of 18 December 2013, stating, inter alia, that Karolinska The university hospital had started work on an action plan and a needs and risk analysis. What has emerged in the case Karolinska University Hospital has essentially stated the following. Controller Karolinska University Hospital is a separate authority within Region Stockholm. The Board of Karolinska University Hospital is controller for the processing of personal data by Karolinska University Hospital performs in the main medical record system TakeCare. Organisation Care at Karolinska University Hospital is organised on the basis of medical themes and a number of functions that bring together competences. Wards, clinics and day care are organised according to themes. Each theme is divided into a number of patient areas, which bring together similar patient flows. Function is an area of expertise that cuts across theme. A function assists with skills and resources, which are used in many different patient groups and thus in several themes. There is a a patient area manager and a functional area manager for each area. Journal system Karolinska University Hospital uses TakeCare as main medical record system, and participates in TakeCare's coherent journal entries. Karolinska University Hospital manages TakeCare, and has signed the contract with the supplier. Karolinska University Hospital has thus a large number of data-processing and sub-processing agreements with other health care providers. There is both a regional and a local organisation for TakeCare. The regional organisation consists of a management group (steering group), which in addition to Karolinska University Hospital consists of representatives of six other health care providers. Users and patients Karolinska University Hospital has almost 16,000 employees in total. The number users of the medical record system TakeCare who are employed at Karolinska University Hospital is 12 285, of which 1 328 users are inactive. At the time of the inspection, there were therefore 10 957 active users. A user account is automatically deactivated if no login has been made for 60 days. The TakeCare medical record system contains records for about 3 million patients. Of these, 1 970 000 patient records are registered on, and de facto patients at, Karolinska University Hospital. The unified record keeping in TakeCare covers about 200-400 health care providers. It is now possible to search for all personal identity numbers available i TakeCare. However, there are discussions at regional level to limit in some cases the possibility of seeking information for a limited number of patients, to for example, patients in a particular residence. Internal confidentiality Needs and risk analysis Karolinska University Hospital cannot submit any completed needs and risk analysis for TakeCare. It is the respective patient area and functional area manager who will carry out and document the needs and risk analyses before assigning permissions. However, it is regularly investigated what the needs are and what permissions should be assigned to employees, e.g. for new hires. The template for needs and risk analyses available in Karolinska University Hospital's guidelines are not filled in regularly. Karolinska University Hospital is unable to answer whether the work initiated following the Data Inspectorate's previous supervisory decision of 26 August 2013 resulted in a needs and risk analysis for TakeCare. Following the inspection, Karolinska University Hospital has begun work to ensure that needs and risk assessments are carried out throughout the organization. Among other things, a needs and risk analysis has been carried out for the Perioperative Medicine and Intensive Care function in accordance with Karolinska University Hospital Guidelines. Granting access to personal data of patients There are approximately 40 authorization profiles in TakeCare that contain functions such as "reading recipes". Of these, 26 are so-called read functions. There are, for example, two authorisation profiles for nurses, where the difference between the profiles is that one has automated login. This means that logging in takes place automatically at the care unit you belong to for one eligibility profile, but not for the other. Also for doctors there are there are two eligibility profiles. The difference between the profiles is that one has access to a so-called emergency ligature. As a user you can have several different eligibility profiles, up to a maximum of five. For example, a medical candidate may have been assigned permissions from multiple entities. Staff tick cases themselves in the journal filter in TakeCare, which means that they make a active choice to access patient information on different devices. If a user ticks the "all devices" option, no further active choice to access patient information from all units. Although it are different access profiles, Karolinska states that users "have access to all patients in TakeCare". All accounts are individual, i.e. there is no account that multiple users can use (group account). In the policy document "Decision on the allocation of competences" from 2015 (latest updated on 23 October 2018)2 provides a general description of the regulatory framework and the conditions for assigning permissions. It also contains a description of an approach to conducting a needs and risk analysis, based on the user's need to have access to personal data concerning patients in their work and refers to the assignment of eligibility profile. In the guideline further recalls certain relevant issues. It is also stated that some of the examples do not match with the eligibility profiles available. After the inspection, Karolinska University Hospital carried out a needs and risk analysis for the Perioperative Medicine and Intensive Care function. In this the risks to be taken into account are those that arise if employees within the business do not have access to relevant information, and risks related to too broad or generous access to patient information. The guideline "Assignment of permissions" has been developed by lawyers and established by the Chief Medical Officer in the area of quality and patient safety. 2 Access to personal data of patients in the Stockholm County Health Care Area During the inspection it was found that users at Karolinska The University Hospital has access to data on patients in The Stockholm County Health Authority (SLSO). According to Karolinska University Hospital, this is due to the fact that Karolinska University Hospital and SLSO are listed as "one and the same" care unit in TakeCare. This means that users at Karolinska University Hospital technically have access also to information on patients at SLSO within the internal confidentiality, and vice versa. Regarding the background and motives for Karolinska University Hospital and SLSO is listed as a care unit in TakeCare, Karolinska University Hospital referred to an enforcement decision dated 2010-01 and minutes of the Board meeting. The minutes show that the director of the county council has established in the enforcement decision that County Council (SLL) administrations that provide health care belong to care provider SLL and that this means that Karolinska University Hospital and SLSO, until further notice, shall remain unchanged as one and the same healthcare providers in TakeCare. Coherent record keeping Needs and risk analysis No needs and risks analysis has been carried out before the staff has allowed access to other health care providers' health care documentation in the context of coherent record keeping. Granting access to personal data of patients Users at Karolinska University Hospital have access to other healthcare providers' data on patients in TakeCare within the framework of coherent record keeping. Access is prepared on a patient basis, and requires the patient's consent. When searching for a patient, the healthcare providers who the patient has previously sought care from. This gives an indication that it may there is information about the patient at another healthcare provider. Information can be important when prescribing medicines, for example. By making a active selection and clicking on a specific device, you can access information. There is a decision from the Stockholm Region that every care provider who chooses to use the TakeCare medical record system must also be included in the coherent record keeping. Karolinska University Hospital has a policy document "Access to patient record, guideline", effective from 17 August 20183. Guideline contains a general description of the regulatory framework and sets out the conditions for accessing the care documentation in TakeCare in certain situations. Technical limitations in TakeCare regarding access to personal data of patients The technical limitations on user access that used by Karolinska University Hospital relates to so-called protected units i TakeCare. There are currently six such units, including ANNOVA, SESAM reception and the child protection team. In the case of sheltered care units, it is not possible to limit competences at individual level, but access to medical record documentation for these patients is limited to a defined user group. The protected devices are not visible when record keeping and they are not included in the default profile role in the record filter. Decisions on protected units have been preceded by an assessment based on both a patient safety as well as a privacy perspective. Protected care units is currently used only to a limited extent. This is because a more widespread use would pose significant patient safety risks. Karolinska University Hospital has stated in a supplementary statement the following. Technical restrictions on access by individual managers: The TakeCare electronic health record system allows access to be restricted by the healthcare facility can control what information each user group (usually professional group) at the device can see and what each user group can do. The healthcare unit can also control what information other user groups at other healthcare facilities can see or do. However, as TakeCare is configured today, it only allows control on The guideline "Access to patient records, guideline" is developed by lawyers and established by the Chief Medical Officer in the area of quality and patient safety. 3 user group level. Any possibility of technical restriction for individual managers access facilities are not available. This applies both to so-called internal confidentiality and to the framework for access through single entry. As regards the hospital's so-called protected it is also not possible to restrict permissions at the individual level, but access to the medical records of these patients is limited to a defined user group. The possibility for a healthcare provider to opt out of access to the other healthcare providers' patient documentation in TakeCare Following a decision by the Stockholm Region, every healthcare provider who chooses to use the TakeCare medical record system is also included in the coherent medical record system. This means that a healthcare providers cannot restrict other healthcare providers' access to their own healthcare records. However, the individual healthcare provider can control its users' access to data in the coherent record keeping. The TakeCare journal system offers features that provide the healthcare provider may restrict the access of its users in such a way that they can only has access to medical records from, for example, a designated group with other health care providers. To illustrate this, Karolinska University has referred to a screenshot, showing eligibility by provider. From the screenshot it can be seen that at the device level it is possible to control the eligibility of a unit's users in relation to other healthcare providers devices by setting them to "view documents" or "do not view documents" lists. The latter list shows that it is possible to block units of other health care providers. However, it does not appear that the function exists per provider, but you have to block all devices of the current provider if you want to block a healthcare provider. Documentation of access (logs) Karolinska University Hospital has presented various logs and stated in essentially the following. There are two types of logs, in-depth logs and targeted logs. In-depth log information can be requested on either the user (the employee) or on the patient. Targeted log information can be requested by for example a patient. From a screenshot, showing the documentation in logs, it appears that data recorded in the log; patient, status, time, user, system, the server call (action) performed and from which care unit the action was performed. Grounds for the decision Current rules GDPR the primary source of law The General Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and is the primary legal framework for processing personal data. This also applies to health care. The basic principles for the processing of personal data are set out in Article 5 of the General Data Protection Regulation. A fundamental principle is the requirement of security under Article 5(1)(f), which states that personal data shall be processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against loss, destruction or accidental damage, using appropriate technical or organisational measures. Article 5(2) sets out the so-called "accountability", i.e. that the controller is responsible for and can demonstrate that the the basic principles set out in paragraph 1 are complied with. Article 24 deals with the responsibility of the controller. Article 24(1) it is stated that the controller is responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that the processing is carried out in accordance with the General Data Protection Regulation. The measures shall be carried out taking into account the nature, scope, context of the processing and purposes and the risks, of varying degrees of probability and severity, to rights and freedoms of natural persons. The measures will be reviewed and updated if necessary. Article 32 regulates the security of the processing. According to paragraph 1 the controller and the processor shall take into account of recent developments, implementation costs and treatment nature, scope, context and purpose, and the risks, of varying likelihood and severity, to the rights and freedoms of natural persons take appropriate technical and organisational measures to ensure a level of security appropriate to the risk (...). Paragraph 2 provides that when assessing the appropriate level of safety, particular account is taken of the risks processing, in particular from accidental or unlawful destruction, loss or alteration or to unauthorised disclosure of or access to the personal data transmitted, stored or otherwise processed. Recital 75 states that in assessing the risk to natural persons rights and freedoms, various factors must be taken into account. These include personal data covered by the obligation of professional secrecy, data concerning health or sexual life, if there is processing of personal data relating to vulnerable natural persons, especially children, or if the treatment involves a large number of personal data and concerns a large number of data subjects. Furthermore, it follows from recital 76 that the likelihood and severity of the risk to the rights and freedoms of data subjects should be determined on the basis of the nature, scope, context and purpose. The risk should be evaluated on on the basis of an objective assessment, which determines whether the data processing involves a risk or a high risk. Recitals 39 and 83 also contain wording providing guidance on the more detailed meaning of the security requirements of the GDPR in processing of personal data. The General Data Protection Regulation and the relationship with complementary national provisions According to Article 5(1)(a) of the GDPR, personal data shall treated in a lawful manner. For the processing to be considered lawful, it is necessary that legal basis, in that at least one of the conditions laid down in Article 6(1) is fulfilled. The provision of health care is a task of general interest interest referred to in Article 6(1)(e). In the health sector, the legal bases may also be legal obligation under Article 6(1)(c) and the exercise of official authority under Article 6(1)(e) updated. When it comes to the legal grounds of legal obligation, general interest or the exercise of official authority, Member States may, under Article 6.2, maintain or introduce more specific provisions to adapt the application of the provisions of the Regulation to national circumstances. National law may further define specific requirements for data processing and other measures to ensure lawful and fair treatment. But there is not only a possibility to introduce national rules but also a obligation; Article 6(3) states that the ground for processing referred to in paragraph 1(c) and (e) shall be determined in accordance with Union law; or the national law of the Member States. The legal basis may also include specific provisions to adapt the application of the provisions of the General Data Protection Regulation. Union law or Member States' national right must meet an objective of general interest and be proportionate to the legitimate objectives pursued. Article 9 states that the processing of special categories of personal data (so-called sensitive personal data) is prohibited. Sensitive personal data includes health data. Article 9(2) states the exceptions where sensitive personal data may still be processed. Article 9(2)(h) states that processing of sensitive personal data may take place if the processing is necessary for reasons related to, inter alia the provision of healthcare on the basis of Union law or national law of the Member States or by agreement with professionals in the health and provided that the conditions and safeguards referred to in paragraph 3 are fulfilled. Article 9(3) requires regulated professional secrecy. This means that both the legal grounds of general interest, exercise of official authority and legal obligation as processing of sensitive personal data by virtue of the derogation in Article 9(2)(h) need supplementary rules. Additional national provisions In the case of Sweden, both the basis for the treatment and the specific conditions for processing personal data in the health and healthcare regulated in the Patient Data Act (2008:355), and the Patient Data Regulation (2008:360). In Chapter 1. 4 of the Patient Data Act states that the Act complements the General Data Protection Regulation. The purpose of the Patient Data Act is to ensure that information management in health and health care should be organised in such a way as to ensure patient safety and good quality and promotes cost efficiency. Its purpose is also to personal data shall be designed and otherwise processed in such a way that the the privacy of other data subjects is respected. In addition, documented personal data is processed and stored in such a way that unauthorised persons cannot access it them (Chapter 1, Section 2 of the Patient Data Act). According to Chapter 2. 6 of the Patient Data Act, a healthcare provider is a data controller for the processing of personal data carried out by the healthcare provider. In a region and a municipality is any authority which provides health services controller for the processing of personal data by the authority performs. The additional provisions of the Patient Data Act aim to addressing both privacy and patient safety. The legislator has Thus, the regulation strikes a balance in terms of how information should be processed to meet both patient safety requirements as the right to privacy in the processing of personal data. The National Board of Health and Welfare has issued regulations under the Patient Data Regulation and general guidance on record keeping and processing of personal data in health care (HSLF-FS 2016:40). The regulations constitute such supplementary rules, which shall apply to the processing by healthcare providers of personal data in health care. National rules complementing the requirements of the GDPR for security is contained in Chapters 4 and 6 of the Patient Data Act and Chapters 3 and 4 of the Data Protection Act. HSLF-FS 2016:40. Requirement to carry out needs and risk analysis According to chapter 4, section 2 of HSLF-FS 2016:40, the care provider must make a needs and risk analysis, before assigning permissions in the system. The need for an analysis of both needs and risks is clear from the preparatory work to the Patient Data Act, prop. 2007/08:126 p. 148-149, as follows. Authorisation for electronic access by staff to patient data shall be limited to what the official needs to perform his/her duties in the health and social services health care. This includes monitoring and changing or restricting authorisations according to as soon as changes in the duties of the individual officer so require. The provision corresponds in principle to Section 8 of the Health Care Register Act. The purpose of the provision is to inculcate the obligation for the responsible care provider to make active and individual based on analyses of the details of the information that different categories of staff and different types of activities need. But not only needs assessments. Risk analyses must also be carried out, taking into account the different types of risks such as may be associated with an excessive availability of certain types of data. Protected personal data marked as confidential, data on publicly known persons, data from certain clinics or medical specialties are examples of categories that may require specific risk assessments. Generally speaking, the more comprehensive an information system is, the greater the amount of different levels of authority must exist. Decisive for the decision on eligibility for e.g. different categories of health professionals to electronic access to data in medical records should be that the authorisation should be limited to what the manager needs for the purpose of good and safe patient care. A broader or coarser mesh assignment of access rights, even if it had merit from an efficiency point of view, should be considered as an unjustified dispersion of medical records within an organisation and as such should not accepted. Furthermore, data should be stored in different layers so that more sensitive data requires active choices or otherwise not as easily accessible to staff as less sensitive data. When it applies to staff involved in monitoring activities, producing statistics, central financial administration and similar activities that are not individually oriented, it should the majority of executives, it is sufficient to have access to information that can only be indirectly to individual patients. Electronic access to code keys, social security numbers and other data directly pointing to individual patients should in this area be able to be strongly limited to single persons. Internal confidentiality The provisions of Chapter 4 of the Patient Data Act concern internal confidentiality, i.e. say regulates how privacy is to be handled within a healthcare provider's activities and, in particular, the ability of employees to access personal data available electronically in a healthcare provider's organisation. Chapter 4, section 2 of the Patient Data Act states that the healthcare provider shall determine conditions for granting access rights to such data on patients who are fully or partially automated. Such authorisation shall limited to what is necessary for the individual to fulfil his or her tasks in health care. According to chapter 4, section 2 of HSLF-FS 2016:40, the healthcare provider shall be responsible for ensuring that each users are assigned an individual permission to access personal data. The decision of the healthcare provider to grant authorisation shall be preceded by a needs and risk analysis. Coherent record keeping Provisions in Chapter 6 of the Patient Data Act relate to coherent record keeping, which means that a healthcare provider - under the conditions set out in § 2 of the same chapter - may have direct access to personal data processed by other health care providers for purposes related to health care documentation. Access to information is provided by a healthcare provider making the information about a patient that the healthcare provider records about the patient available to other healthcare providers participating in the coherent record keeping (see prop. 2007/08:126 p. 247). From Chapter 6. 7 § Patient Data Act follows that the provisions of Chapter 4 also apply to for assigning access rights in the case of shared medical records. The requirement to the healthcare provider must carry out a needs and risk analysis before assigning permissions in the system, also applies in systems for coherent journal entries. Documentation of access (logs) Chapter 4, section 3 of the Patient Data Act states that a healthcare provider must ensure that access to such data on patients held in whole or in part automatically documented and systematically controlled. According to Chapter 4. 9 § HSLF-FS 2016:40, the care provider shall be responsible for 1. the documentation of the access (logs) shows which actions that have been taken with the data of a patient, 2. the logs indicate the care unit or care process the measures taken, 3. the logs show the time at which the measures were taken, 4. the identity of the user and the patient is shown in the logs. The Data Inspectorate's assessment Responsibility of the controller for security As described above, the National Board of Health and Welfare's regulations give the responsibility for information management in healthcare, such as conduct a needs and risk analysis before assigning permissions in system happens. In the public health sector, there is no coincidence always the concept of the healthcare provider with the controller. Both the fundamental principles of Article 5 and Article 24(1) the General Data Protection Regulation, it is clear that it is the controller who shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that the treatment is carried out in accordance with the General Data Protection Regulation. The Data Protection Inspectorate notes that the General Data Protection Regulation, as EU regulation is directly applicable in Swedish law and that the regulation specify when additional regulation should or may be introduced nationally. There are for example, scope to regulate nationally who is controller within the meaning of Article 4 of the General Data Protection Regulation. It is however, it is not possible to give a different regulation concerning the responsibility of the controller to take appropriate technical and organisational measures to ensure a level of security appropriate to the relation to the risk. This means that the National Board of Health and Welfare's that it is the care provider who should take certain measures, does not change that the responsibility to take appropriate security measures rests with the controller under the General Data Protection Regulation. Data Protection Authority can state that Karolinska University Hospital, in its capacity as controller, is responsible for ensuring that these measures are taken. As described above, Article 24(1) of the GDPR sets a general requirement for the controller to implement appropriate technical and organisational measures. The requirement aims to ensure that the processing of personal data is carried out in accordance with the General Data Protection Regulation, and that the controller should be able to demonstrate that the processing of personal data is carried out in accordance with the General Data Protection Regulation. The security of processing is more specifically regulated in Article 5(1)(f) and Article 32 of the General Data Protection Regulation. Article 32(1) states that the appropriate measures shall be both technical and organisational and they shall ensure a level of security appropriate in in relation to the risks to the rights and freedoms of natural persons treatment. It is therefore necessary to identify the possible risks to the rights and freedoms of data subjects and assesses the likelihood of the risks occurring and the severity if they do occur. What is appropriate varies not only in relation to the risks but also based on the nature, scope, context and purposes of the processing. It has It is therefore important what personal data are processed, how many data involved, how many people process the data, etc. The health sector has a great need for information in its activities. The is therefore natural that the possibilities of digitalisation are exploited as much as possible possible in health care. Since the introduction of the Patient Data Act, a very extensive digitalisation has taken place in healthcare. Both the data collections size as the number of people sharing information with each other has increased significantly. At the same time, this increase places greater demands on the controller, as the assessment of what is an appropriate safety is affected by the extent of treatment. Moreover, sensitive personal data are involved. The data also concern people who are in a situation of dependency when they are in need of care. There is also often a lot of personal data about each of these persons and the data may be processed over time by very many people in healthcare. All this places great demands on the controller. The data processed must be protected both from outside actors business as against unauthorised access from within the business. It is clear of Article 32(2) that the controller, when assessing the appropriateness level of security, shall in particular take into account the risks of accidental or unlawful destruction, loss or unauthorised disclosure or access. In order to to know what is an unauthorised access, it must the controller is clear about what constitutes authorised access. Needs and risk analysis In chapter 4, section 2 of the National Board of Health and Welfare's regulations (HSLF-FS 2016:40), which supplement the Patient Data Act, it is stated that the healthcare provider must make a needs and risk analysis before assigning permissions in the system. This means that national law requires an appropriate organisational measure to be be taken before assigning access rights to the medical record system. A needs and risk analysis should include an analysis of the needs and a analysis of the risks from a privacy perspective that may be associated with with an excessive allocation of access rights to patient data. Both the needs and the risks must be assessed on the basis of the data need to be addressed in the business, what processes are involved and the risks to the privacy of the individual. Risk assessments need to be made at the organisational level, where for example, a certain part of the activity or task may be more privacy-sensitive than another, but also on an individual level, if it is the question of special circumstances that need to be taken into account, such as that it concerns protected personal data, publicly known persons or otherwise particularly vulnerable persons. The size of the system also affects the risk assessment. The preparatory work for the Patient Data Act shows that the more comprehensive an information system is, the greater the variety of levels of authority there must be. (prop. 2007/08:126 p. 149). It is thus the question of a strategic analysis at the strategic level, which will provide a an authorisation structure adapted to the business and this must be maintained updated. In summary, the regulation requires that the risk analysis identifies different categories of data (e.g. health data), categories of data subjects (e.g. vulnerable natural persons and child), or the scope (e.g. number of personal data and data subjects) negative consequences for data subjects (e.g. injuries, significant social or economic disadvantage, deprivation of rights and freedoms) and how they affect the risk to the rights and freedoms of natural persons in processing of personal data. This applies both to internal confidentiality as in the case of coherent record keeping. The risk analysis shall also include specific risk assessments such as on the basis of the existence of protected personal data that is marked as confidential, information on publicly known persons, information from certain clinics or medical specialties (prop. 2007/08:126 p. 148149). The risk analysis shall also include an assessment of the likelihood and severity of the risk to the rights and freedoms of data subjects is and in any event determine whether it is a risk or a high risk (recital 76). It is thus through the needs and risk analysis that the the controller finds out who needs access, which data data to be accessed, at what times and in what formats context access is needed, while analysing the risks to the rights and freedoms of individuals that the processing may lead to. The result should then lead to the technical and organisational measures needed to ensure that no access other than that required by the the risk analysis shows to be justified shall be possible. In the absence of a needs and risk analysis for the allocation of competences in system, there is no basis for the controller to lawfully be able to assign the correct permissions to its users. The The controller is responsible for, and shall have control over, the personal data processing carried out within the framework of the activity. To assign users broad access to record systems, without this being based on on the basis of a needs and risk analysis, means that the controller does not have sufficient control over the processing of personal data carried out in system, nor can he demonstrate that he has the control required. When the Swedish Data Protection Authority has requested a needs and risk analysis Karolinska University Hospital referred to the policy document "Decision on allocation of competences, guideline "4 (guidelines on the allocation of competences) and stated that it is the respective patient area and functional area manager to carry out and document needs and risk analyses before assignment of permissions. According to Karolinska University Hospital when assigning authorisations, for example in the case of new recruitment, regularly an assessment of the employee's need for certification, even if the template for needs and risk analysis provided in the guideline is not completed regularly. Karolinska University Hospital could at the time of the inspection does not show a needs and risk analysis, but has subsequently stated that they had begun work to ensure that needs and risk analyses are carried out in the business. They have also submitted a documented "needs and risks analysis" for the functional area of Perioperative Medicine. As stated above, a needs and risk analysis should address both the needs and the risks are assessed on the basis of the data that need to be processed in operations, the processes involved and the risks to the integrity of the individual, both at organisational and individual level 4 "Decision on the assignment of competences, guideline" valid from 23 October 2018. level. It is therefore a question of a strategic analysis at a strategic level, which shall provide an authorisation structure adapted to the activities. It should should lead to instructions on the assignment of authorisations, but it is not the instructions to the permission assignor that is the analysis. At the time of the inspection, Karolinska University Hospital was unable to present any needs and risk analysis. The needs and risk analysis the risk analysis for the Perioperative Medicine function does not meet the data protection provisions' requirements for such an analysis under Chapter 4, Section 2 of HSLFFS 2016:40, as it constitutes a general description of tasks in TakeCare for some specific professional categories. The document contains no analysis of the data needed by employees to perform their tasks tasks. The document does not contain an analysis of the risks that may be associated with an excessive availability of different types of personal data. The Data Inspectorate further notes that the approach described in guidelines on the assignment of authorisations to analyse which authorisation to be assigned to an individual user is based on the existing eligibility profiles. These are created based on what users need be able to do with the tasks, for example reading or writing, and not from what information about the patient the individual user needs to have to carry out their work. The needs and risk analyses described in Karolinska University Hospital's guidelines on credentialing is not an analysis under the requirements of a needs and risk analysis according to data protection regulations. Karolinska The University Hospital has also failed to demonstrate that the work initiated following the previous audit in 2013 resulted in the implementation of a needs and risk analysis for TakeCare in accordance with the injunction. The Data Inspectorate can therefore conclude that Karolinska The allocation of authorisations by the University Hospital has not been preceded by a necessary needs and risk analysis. Granting of access rights to personal data concerning wait As explained above, a healthcare provider may have a legitimate interest in having extensive processing of personal health data. Notwithstanding this access to personal data of patients be limited to what is necessary for the individual to perform his/her duties. With regard to the granting of authorisation for electronic access under Chapter 4. 2 § and 6 chap. 7 § Patient Data Act, it is clear from the preparatory work, prop. 2007/08:126 pp. 148-149, including that there should be different categories of access in the health record system and that the access limited to what the user needs to provide the patient with a good and safe care. It is also stated that "a broader or more coarse-meshed allocation of competences should be considered as an unjustified proliferation of medical records within a business and as such should not be accepted." In health care, the person who needs the data in his or her work who may be authorised to access them. This applies both within a care providers as between care providers. It is, as already mentioned, through the needs and risks analysis that the controller finds out who who needs access, what data the access should cover, at what when and in what contexts access is needed, and at the same time analyses the risks to the rights and freedoms of individuals that treatment may lead to. The result should then lead to the technical and organisational measures necessary to ensure that no allocation of access provides wider access possibilities than that provided by the the risk analysis shows is justified. An important organisational measure is to provide instructions to those authorised to grant authorisations on how to do so and what should be taken into account so that, with the needs and risk analysis as a basis, will be a correct assignment of authority in each case. In addition to Karolinska University Hospital's guideline for allocation of permissions, there is also a guidance document "Access to patient records, guideline" (access guidelines), which will apply from 17 August 2018.5 However, the guidelines provide only a general description of the regulatory framework and describes the conditions for the assignment of permissions respectively for to access the care documentation in TakeCare in different situations. The Data Inspectorate notes that although each user has de facto assigned an individual permission, the permissions assigned have not The guideline "access to patient records, guideline" is established by the head physician in the area quality and patient safety, and lawyers have participated in the development area. 5 restricted in a way that ensures that the user does not have access to more personal data of patients or personal data about more patients than he needs to do his job. The allocated permissions means that the user has access to virtually all personal data of patients in TakeCare. This is because there are only two eligibility profiles for nurses and doctors respectively, and where the only that distinguishes the authorization profiles is that one the nursing authorisation has automated login to the care unit the staff belongs to and one medical authority has access to a so-called acute care. The restriction that has otherwise emerged regarding access to personal data in the medical record system refers to so-called protected devices. Against this background, the Data Inspectorate considers that, since the allocation of permissions was not preceded by the necessary needs and risk analysis, not there were conditions to restrict assigned permissions or there was support to determine what is justified access for executives at Karolinska University Hospital. The fact that the allocation of permissions has not been preceded by a needs and risk analysis means that Karolinska University Hospital has not analysed the users' need for access to the data, the risks associated with this access and thus not identified what access possibilities justified to users on the basis of such an analysis. Karolinska The university hospital has thus not taken appropriate organisational measures, in accordance with Article 32 of the General Data Protection Regulation, to limit users' access to personal data of patients in the medical record system. This in turn has meant that there has been a risk of unauthorised access and unwarranted dissemination of personal data in the context of the internal confidentiality, on the one hand, and in the context of the single file management, on the other. The number of users at Karolinska University Hospital is close to 11 000 and TakeCare contains personal data of about 3 million patients, of which about 2 million have been patients at Karolinska University Hospital. In light of the above, the Swedish Data Protection Authority can conclude that Karolinska University Hospital has processed personal data in breach of Article 5(1)(f) and Article 32(1) and (2) of the General Data Protection Regulation by Karolinska University Hospital has not restricted users permissions for access to the TakeCare medical record system to what is needed for the user to perform his/her tasks within the health care pursuant to Chapter 4, Section 2 and Chapter 6. 7 § of the Patient Data Act and 4 Chapter 2 § HSLF-FS 2016:40. This means that Karolinska University Hospital has not taken the measures necessary to ensure and, in accordance with Article 5.2 of the General Data Protection Regulation, be able to demonstrate adequate security for personal data. Documentation of access in logs The Data Inspectorate notes that the logs in TakeCare show that information about the specific patient, which user has opened the the medical record, actions taken, which medical record has been opened, the period of time the user has been in, all openings of the medical record made on that patient during the selected time period and the time and date of the last opening. According to the Data Inspectorate assessment, this is consistent with the requirements for documentation of accesses in the logs set out in the regulations of the National Board of Health and Welfare. Choice of intervention Legal regulation If there has been a breach of the General Data Protection Regulation The Data Protection Inspectorate has a number of remedial powers at its disposal under Article 58.2 a - j of the GDPR. The supervisory authority may, inter alia order the controller to ensure that the processing is carried out in in accordance with the Regulation and, if necessary, in a specific manner and within a specific period. It follows from Article 58(2) of the GDPR that the Data Protection Inspectorate in in accordance with Article 83 shall impose penalties in addition to, or instead of, other corrective measures referred to in Article 58(2), depending on the circumstances of each case. For public authorities, Article 83(7) of the GDPR allows national rules specify that administrative penalties may be imposed on public authorities. According to Chapter 6, Section 2 of the Data Protection Act, penalties may be imposed for authorities, but not exceeding SEK 5 000 000 or SEK 10 000 000 depending on whether the infringement concerns articles covered by Article 83(4) or 83.5 of the GDPR. Article 83(2) sets out the factors to be taken into account in determining whether a administrative penalty should be imposed, but also what should affect the amount of the penalty. Central to the assessment of the seriousness of the infringement is its nature, severity and duration. About in the case of a minor infringement, the supervisory authority may, pursuant to recital 148 of the General Data Protection Regulation, issue a reprimand instead of imposing a penalty fee. Injunction As mentioned, the health sector has a great need for information in its activities and in recent years a very extensive digitalisation occurred in the health care sector. Both the size of the data collections and the number of sharing information with each other has increased significantly. This increases the demands on the controller, since the assessment of what is an appropriate safety is affected by the extent of treatment. In health care, this means even greater responsibility for the controller to protect the data from unauthorised access, including by having a fine-grained allocation of competences. The is therefore essential that there is a real analysis of the needs from different businesses and different executives. It is equally important that there is a actual analysis of the risks that may arise from a privacy perspective in the case of an excessive allocation of access rights. Based on this analysis then the individual officer's access shall be restricted. This eligibility must then be monitored and modified or restricted as appropriate that changes in the duties of the individual post holder result in reason for it. The Data Inspectorate's supervision has shown that Karolinska University Hospital does not has taken appropriate security measures to provide protection to personal data in the medical record system by Karolinska The University Hospital, as data controller, failed to comply with the requirements set out in the Patient Data Act and the National Board of Health and Welfare's regulations. Karolinska The University Hospital has thereby failed to comply with the requirements of Article 5(1)(f) and Article 32(1) and (2) of the General Data Protection Regulation. The failure includes both the internal secrecy according to chapter 4 of the Patient Data Act and the coherent record keeping according to Chapter 6 of the Patient Data Act. The Data Inspectorate therefore orders, on the basis of 58.2(d) of the the General Data Protection Regulation, Karolinska University Hospital to ensure that the necessary needs and risk analysis for the TakeCare medical record system is carried out within the framework of both internal secrecy and coherent record keeping. The needs and risk analysis must be documented. Karolinska University Hospital shall, with the support of the needs and the risk analysis, assign each user individual access rights to personal data limited to what is necessary for the the individual is able to carry out his or her duties in the health care sector. Penalty fee The Data Protection Inspectorate notes that the infringements basically concern Karolinska University Hospital's obligation to take appropriate security measures to provide protection to personal data under the General Data Protection Regulation. In this case, it is a question of very large data collections with sensitive personal data and wide-ranging permissions. The healthcare provider needs with need to have extensive processing of data on individual health. However, it must not be unrestricted but must be based on what individuals employees need to perform their tasks. Data Protection Inspectorate notes that the data in question involves direct identification of the individual by name, contact details and personal identity number, health data, but that it may also concern other private information on, for example, family circumstances, sexual life and lifestyle. Patient are dependent on receiving care and are therefore in a vulnerable situation. Data the nature, extent and dependency of patients gives healthcare providers a particular responsibility to ensure patients' rights to adequate protection of their personal data. Further aggravating circumstances are that the treatment of patient data in the main record system is at the core of a healthcare provider's activities, that the treatment covers many patients and the possibility of access concerns a large proportion of the employees. around 2 000 000 patients under the internal confidentiality regime and around 1 000 000 additional patients under the coherent record keeping. There are only six so-called protected units where the data is not accessible to users outside these devices. The Data Inspectorate can also state that Karolinska The University Hospital did not comply with the Data Inspectorate's previous injunction from of 26 August 2013 to carry out a needs and risk analysis that the basis for the allocation of authorisations according to the then requirement in Chapter 2. 6 § second paragraph second sentence SOSFS 2008:14, which corresponds to the current provision in Chapter 4, Section 2 of HSLF-FS 2016:40. This is an aggravating circumstance, pursuant to Article 83(2)(e) of the GDPR. The deficiencies now identified have thus been known to Karolinska the University Hospital for several years, which means that the action intentional and therefore considered more serious. In determining the gravity of the infringements, it can also be noted that the infringements also include the fundamental principles of Article 5 of the General Data Protection Regulation, which belongs to the categories of more serious infringements which may give rise to a higher penalty under Article 83(5) of the General Data Protection Regulation. These factors taken together mean that the infringements are not to be assessed as minor infringements without infringements that should lead to a administrative penalty. The Data Protection Inspectorate considers that these infringements are closely related to each other. This assessment is based on the fact that the needs and risks analysis should be the basis for the allocation of the permissions. The Swedish Data Protection Authority therefore considers that these infringements are so closely linked that they constitute linked processing operations within the meaning of Article 83(3) of the the General Data Protection Regulation. The Data Protection Inspectorate therefore determines a common penalties for these infringements. The administrative penalty shall be effective, proportionate and deterrent. This means that the amount should be determined in such a way that the administrative penalty leads to correction, that it provides a preventive effect, and that it is proportionate to both the current infringements as to the ability of the supervised entity to pay. The maximum amount of the fine in this case is SEK 10 million pursuant to Chapter 6, Section 2 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation. In view of the seriousness of the infringements and the fact that the administrative the penalty shall be effective, proportionate and dissuasive the Data Protection Inspectorate determines the administrative penalty fee for Karolinska University Hospital to SEK 4 000 000 (four million). This decision has been taken by the Director General Lena Lindgren Schelin after presentation by cyber security specialist Magnus Bergström. At the final Hans-Olof Lindblom, the Chief Legal Officer, the Heads of Unit Katarina Tullstedt and Malin Blixt, and lawyer Maja Savic. Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature) Appendix: How to pay the penalty fee Copy for information to: Data Protection Officer How to appeal If you wish to appeal against the decision, you should write to the Swedish Data Protection Authority. Please state in the decision you are appealing and the change you are requesting. The appeal must have been received by the Swedish Data Protection Authority no later than three weeks from on the date of notification of the decision. If the appeal has been lodged in due time the Data Inspectorate forwards it to the Administrative Court in Stockholm for examination. You can email the appeal to the Data Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by confidentiality. The contact details of the authority are given on the first page of the decision.