IMY (Sweden) - DI-2021-5595: Difference between revisions
Latest revision as of 18:51, 21 March 2022
| IMY (Sweden) - DI-2021-5595 | |
|---|---|
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(f) GDPR; Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 07.05.2019 |
| Decided: | 26.01.2022 |
| Published: | |
| Fine: | 1,600,000 SEK |
| Parties: | n/a |
| National Case Number/Name: | DI-2021-5595 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | IMY (in SV) |
| Initial Contributor: | Cesar Manso-Sayao |
The Swedish DPA imposed a fine of approximately €150,000 on a hospital for a violation of Articles 5(1)(f) and 32(1) GDPR by emailing unencrypted medical records to patients and hospitals abroad.
English Summary
Facts
Uppsala regional authorities notified the Swedish DPA (Integritetsskyddsmyndigheten - IMY) that a personal data breach had occurred in their jurisdiction in 2019. Based on this notification, the Swedish DPA initiated an investigation into the medical data which the Uppsala University Hospital emailed to patients from abroad, as well as to the foreign hospitals which referred those patients.
According to its internal procedures, once the hospital had finalized the treatment of a patient from abroad, a medical report was sent to the patient and the referring hospital. Although the report could be sent by post, the hospital let the recipient choose their preferred channel for receiving it, which in the majority of cases was email.
These medical reports had been sent by email without encryption since 2014. Although at some point the hospital began relying on Microsoft Outlook's opportunistic Transport Layer Security (TLS) encryption, the emails were still sent in plaintext whenever the receiving mail server did not support TLS. Once sent, the emails and the medical records they contained remained stored in the hospital's Outlook account.
In 2019, after conducting an internal risk analysis and a Data Protection Impact Assessment (DPIA) the hospital introduced an encryption solution for secure email.
Holding
In its decision, the IMY established that its investigation was limited to analysing matters related to the security of the processing, and it had not examined whether this processing complied with other GDPR provisions, such as those related to the transfer of personal data to third countries.
The IMY took into account Recitals 75 and 76 GDPR in order to assess the responsibilities of the University Hospital Board (the controller in this case) according to the risks involved in the data it was processing. The IMY highlighted that this case involved large amounts of medical data, which is a special category of data with extra protections under Article 9 GDPR, including children's data. The IMY held that, because the data sent was only encrypted once Outlook's TLS was eventually adopted, and even then only when the recipient's mail server supported the protocol, the hospital had not been able to ensure that the emails it sent were encrypted according to the risk involved in the processing, in breach of Article 5(1)(f) GDPR.
The IMY also noted that the local government of Uppsala had issued a policy document on the handling of emails which specifically prohibited sending sensitive personal data by email, and therefore the hospital should have identified the risks posed by processing the data in this manner. Additionally, the IMY stated that the purpose of an email system like Outlook is to disseminate and communicate information, and that it is not an appropriate place for the storage of medical data, because of its exposure to unauthorised access from the internet. Therefore, the IMY held that the University Hospital Board had violated Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk represented by the processing.
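The fallback the IMY describes here, and in the Facts above, is a property of opportunistic STARTTLS: the sending server encrypts the SMTP session only if the receiving server offers TLS, so the sender's own configuration says nothing about whether a given report crossed the internet in plaintext. One way to verify this after the fact, which the decision notes the hospital never did, is to read the Received: trace headers that each relaying server prepends, where the RFC 3848 keyword ESMTPS records a TLS session and plain ESMTP records a cleartext one. The Python below is an added example, not code from the decision, the IMY or the hospital; the two sample messages, their host names and message ids are constructed for the demonstration.

```python
"""Audit sent mail for cleartext SMTP hops using Received: trace headers.

Added example; not code from the IMY decision, the IMY or the hospital.
Sample messages, host names and ids below are constructed for the demo.
"""
import re
from email import policy
from email.parser import BytesParser

# RFC 3848 transport keywords found after "with" in a Received: header.
# A trailing "S" means the SMTP session ran under TLS (STARTTLS), "SA" means
# TLS plus SMTP AUTH. Plain SMTP/ESMTP is the cleartext fallback that
# opportunistic TLS silently takes when the receiving server offers no TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS", "LMTPSA"}

# Match only SMTP-family keywords, so the "with cipher ..." fragment that
# Postfix writes into its TLS comment is not mistaken for the transport.
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)S?A?)\b")


def hop_protocols(raw_message: bytes) -> list:
    """Transport keyword of every hop, newest Received: header first.

    Index 0 is therefore the delivery into the recipient's server, the hop
    whose TLS support the sender does not control.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    protocols = []
    for received in msg.get_all("Received", []):
        match = WITH_RE.search(str(received))
        protocols.append(match.group(1) if match else "UNKNOWN")
    return protocols


def cleartext_hops(raw_message: bytes) -> list:
    """Indices of hops not protected by TLS; an unparseable hop counts as unprotected."""
    return [i for i, p in enumerate(hop_protocols(raw_message)) if p not in TLS_KEYWORDS]


def audit(messages: dict) -> dict:
    """Count fully encrypted messages and list the ones with a cleartext hop.

    `messages` maps a message id to its raw bytes (for instance an export of
    the sent-items folder); the result is the per-message verification that
    the decision says was never carried out.
    """
    report = {"encrypted": 0, "cleartext": {}}
    for msg_id, raw in messages.items():
        bad = cleartext_hops(raw)
        if bad:
            report["cleartext"][msg_id] = bad
        else:
            report["encrypted"] += 1
    return report


# Constructed sample: every hop, including the one into the referrer's
# server, ran under TLS.
MSG_TLS = b"""Received: from mx.hospital.example (mx.hospital.example [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mail.referrer.example with ESMTPS id k7si123;
\tTue, 3 Jul 2018 10:12:01 +0000
Received: from ward-pc.hospital.example (ward-pc.hospital.example [10.0.0.5])
\tby mx.hospital.example with ESMTPSA id 4abc;
\tTue, 3 Jul 2018 10:11:58 +0000
From: clinic@hospital.example
To: referrer@referrer.example
Subject: Medical report

(attachment omitted)
"""

# Constructed sample: same sender path, but the receiving server offered no
# STARTTLS, so the final hop over the internet was cleartext.
MSG_FALLBACK = b"""Received: from mx.hospital.example (mx.hospital.example [192.0.2.10])
\tby mail.other-clinic.example with ESMTP id 9xy7;
\tTue, 3 Jul 2018 11:02:44 +0000
Received: from ward-pc.hospital.example (ward-pc.hospital.example [10.0.0.5])
\tby mx.hospital.example with ESMTPSA id 5def;
\tTue, 3 Jul 2018 11:02:40 +0000
From: clinic@hospital.example
To: referrer@other-clinic.example
Subject: Medical report

(attachment omitted)
"""

if __name__ == "__main__":
    print(audit({"report-1": MSG_TLS, "report-2": MSG_FALLBACK}))
```

The sender can only inspect these headers on copies that come back to it (bounces, replies, or a test account at the recipient), which is exactly why the IMY treats a transport that depends on the recipient's settings as insufficient on its own: the reliable fix is to encrypt the report itself or to send it through a channel whose encryption the hospital controls, as the hospital eventually did in 2019.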
In order to determine the fine for these violations, as aggravating factors, the IMY took into consideration the large amount of data and the long period of time over which it was shared, as well as the fact that the hospital had violated specific regional policy guidelines. As a mitigating factor, the IMY recognised that the hospital had eventually introduced an encryption solution for files in 2019. Based on these considerations, the IMY imposed a fine of approximately €150,000 (1,600,000 SEK) on the University Hospital Board for the violation of Articles 5(1)(f) and 32(1) GDPR.
Comment
The data breach notification in this case also generated a parallel investigation in which the IMY imposed a fine of approximately €30,000 on the Uppsala Regional Council for a violation of Article 32(1) GDPR by emailing unencrypted medical data to administrative bodies, researchers and physicians (IMY (Sweden) - DI-2019-9457).
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Record number: DI-2021-5595
Date: 2022-01-26

The National Board of Health and Welfare in the Uppsala Region, 751 85 Uppsala

Decision after supervision according to the Data Protection Regulation against the National Board of Health and Welfare in the Uppsala Region

Table of Contents
- The decision of the Integrity Protection Authority
- Report on the supervisory matter
- The starting point for the supervisory matter
- Information from the hospital board
- Personal data responsibility
- E-mail sent unencrypted over an open network to third countries
- Storage in the e-mail hosting service Outlook
- Grounds for the decision
- Applicable rules
- The responsibility of the personal data controller
- The requirement for security in the processing of personal data, etc.
- IMY's assessment
- Personal data responsibility
- Sensitive personal data has been sent unencrypted via open network
- Sensitive personal data has been stored in Outlook
- Choice of intervention
- Legal regulation
- Imposition of a penalty fee
- How to appeal

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Phone: 08-657 61 00.

The decision of the Integrity Protection Authority

The Integrity Protection Authority (IMY) states that the Hospital Board in the Uppsala Region (the hospital board), as the person responsible for personal data, during the period from 25 May 2018 until 7 May 2019 processed personal data in violation of Articles 5.1 f and 32.1 in the Data Protection Regulation [1] as follows:

- The hospital board has sent sensitive personal data that was not encrypted via open network to patients and referrers. The treatment has also taken place in conflict with Region Uppsala's own guidelines. This means that the hospital board has not taken appropriate technical and organizational measures to ensure a level of safety appropriate to the risk of treatment.
- The hospital board has stored sensitive personal data in the e-mail hosting service Outlook. This means that the hospital board has not taken appropriate technical measures to ensure a level of safety appropriate to the risk of treatment.

IMY decides on the basis of Articles 58 (2) and 83 of the Data Protection Ordinance and Chapter 6, § 2 of the Data Protection Act [2] that the hospital board, for violation of Articles 5.1 f and 32.1 in the Data Protection Regulation, shall pay an administrative penalty fee of 1,600,000 (one million six hundred thousand) kronor.

Report on the supervisory matter

The starting point for the supervisory matter

IMY decided to initiate an investigation against the Uppsala Region due to the region's notification on 7 May 2019 of a personal data incident. IMY's review includes the processing of personal data carried out by the hospital board in connection with the University Hospital sending e-mails with patient information to patients and referrers in third countries. IMY's review also includes the storage of patient information in the Outlook e-mail hosting service.

Within the framework of this supervision, IMY has reviewed whether the processing of personal data in question meets the security requirements set out in Articles 5 (1) (f) and 32 of the Data Protection Regulation. IMY has not reviewed whether the processing of personal data is compatible with the Data Protection Regulation in other respects, for example the provisions on the transfer of personal data to third countries.

The Data Protection Ordinance came into force on 25 May 2018. IMY's supervision therefore covers the period from 25 May 2018 to 7 May 2019 (when the notification was received). IMY has not reviewed the measures that the hospital board has stated that it has taken after 7 May 2019.

Information from the hospital board

The Regional Board of the Uppsala Region has stated that it has the right to represent the region outwards. The hospital board has stated that it agrees with what the regional board has stated. The Hospital Board has, through the Regional Board, stated, among other things, the following.

Personal data responsibility

The hospital board is responsible for personal data for the processing of personal data that occurs when e-mails are sent from and to patients or referrers abroad. The treatment takes place at the administration, Akademiska sjukhuset, which is located under the hospital board. This assessment is made in light of the fact that the hospital board is an independent managing authority that determines the purpose and means of the personal data processing.

E-mail sent unencrypted over an open network to third countries

Processing of personal data in e-mail

The Academic Hospital sends e-mails to patients and referrers (that is, the home hospital) abroad at the initiative of the patient or the referrer. It is up to the patient or the referrer to choose how the information is to be submitted. The dialogue between the patient or the referrer and the Academic Hospital takes place mainly via e-mail.

A patient from abroad who receives care at the Academic Hospital is registered in the main journal system Cosmic. Journal documents obtained from the patient about their health status are scanned into Cosmic. The care performed at Akademiska sjukhuset is also documented in Cosmic. When the care is terminated, the doctor in charge writes a compilation of care in a so-called Medical report in Cosmic. The Medical report is sent to the patient or referrer by mail, but if urgent, it is sent via e-mail.

The purpose of the treatment is to provide highly specialized health care at the Academic Hospital. The University Hospital sends an estimated 500-1,000 such e-mails per month. The e-mails were sent in 2018 to patients or referrers in Lebanon, Morocco, Nepal, Pakistan, Peru, Russia, Saudi Arabia, Switzerland, Thailand, Turkey, USA, Argentina, Australia, India, Iraq, Iran, Israel, Canada, Kenya and China.

The e-mails usually contain journal documents and are forwarded to the operations manager, specialist and in some cases other staff concerned within Akademiska sjukhuset. Two people have access to the personal data. It is administrative staff with a care background who have access to the personal data, and staff covered by confidentiality.

The personal data that is processed is information about health and information about the patient: name, backup number, home address, e-mail address, telephone number, referrer, affected area of activity and time of booked care. The registered are employees, patients and children. As far as employees are concerned, information about them only appears in sending and receiving e-mail addresses. The processing of personal data concerned approximately 300 registered persons per year from 2014 until May 2019. The number applies to both people who have submitted requests for care and those treated at the Academic Hospital. The processing of personal data has been ongoing since 2014 and is still ongoing. This appears from a letter from the hospital board dated June 2, 2021.

Encryption

Personal data is sent unencrypted over an open network. This means that the transfer of the e-mail and the information in the e-mails are not protected by encryption. Since the introduction of Outlook, the hospital board has used Microsoft's default settings, which means that the transmission of the e-mail takes place with the Opportunistic Cryptographic Communication Protocol, OTLS [3]. The National Board of Health and Welfare uses version 1.2 of the cryptographic communication protocol (TLS 1.2). This means that if the recipient's e-mail provider does not have this version of TLS, a previous version of TLS is selected. If TLS is not supported by the recipient's e-mail provider, the e-mail messages are unencrypted at the time of transmission. According to the hospital board, this is approximately 1 of 9,000 e-mails. However, the hospital board has not verified exactly how many of these e-mails per day are sent unencrypted in this personal data processing.

The hospital board has not fulfilled the requirement that the transfer of personal data in open networks must be made in such a way that unauthorized persons cannot access them, since the transfer was made unencrypted via Outlook.

Control document

According to Region Uppsala's governing document on handling e-mail, sensitive personal data may not be communicated via e-mail.

Measures taken after the incident

In September 2019, the Hospital Board introduced an encryption solution for files, which enabled secure e-mail transfer. Systematic improvement work is underway and the hospital board has worked on a risk analysis and an impact assessment.

Storage in the e-mail hosting service Outlook

In Outlook, the e-mails between the patient or referrer and the Academic Hospital are stored. The journal documents are also stored in Outlook.

Justification of the decision

Applicable rules

The responsibility of the personal data controller

He who alone or together with others decides the purposes and means for the processing of personal data is the person responsible for personal data. It is stated in Article 4 (7) in the Data Protection Regulation. The person responsible for personal data is responsible for and must be able to show that the basic principles of Article 5 of the Data Protection Regulation are complied with (Article 5 (2)).

The person responsible for personal data is responsible for implementing appropriate technical and organizational measures to ensure and be able to demonstrate that the treatment is carried out in accordance with the Data Protection Regulation. The measures shall be implemented taking into account the nature, scope, context and purpose of the treatment and the risks, of varying degrees of probability and seriousness, for the freedoms and rights of natural persons. The measures must be reviewed and updated as necessary. It is stated in Article 24 (1) in the Data Protection Regulation.

The requirement for security in the processing of personal data, etc.

A basic principle for the processing of personal data is the requirement for security in accordance with Article 5 (1) (f) of the Data Protection Regulation, which states that personal data shall be processed in a way that ensures appropriate security for personal data, including protection against unauthorized or unlawful treatment and against loss, destruction or damage by accident, using appropriate technical or organizational measures.

Health information constitutes so-called sensitive personal data. It is forbidden to process such personal data in accordance with Article 9 (1) of the Data Protection Regulation, unless the treatment is covered by one of the exceptions in Article 9 (2) of the Regulation.

It follows from Article 32 (1) of the Data Protection Regulation that the controller and the personal data assistant shall take appropriate technical and organizational measures to ensure a level of safety that is appropriate in relation to the risk of the treatment. This must be done taking into account the latest developments, the implementation costs and the nature, scope, context and purpose of the treatment and the risks, of varying degrees of probability and seriousness, for the rights and freedoms of natural persons. In assessing the appropriate level of safety, special consideration shall be given to the risks that the treatment entails, in particular from accidental or unlawful destruction, loss or change or to unauthorized disclosure of or unauthorized access to the personal data that is transferred, stored or otherwise processed. It is clear from Article 32 (2) in the Data Protection Regulation.

Recital 75 of the Data Protection Regulation sets out the factors to be taken into account in the assessment of the risk to the rights and freedoms of natural persons that may arise in the processing of personal data. Among other things, it should be considered whether the processing concerns personal data on health or on vulnerable natural persons, especially children, or whether the processing involves a large number of personal data and applies to a large number of registered. Recitals 39 and 83 also provide guidance on the more detailed meaning of the requirements of the Data Protection Regulation on security when processing personal data.

IMY's assessment

Personal data responsibility

The National Board of Health and Welfare has stated that it is responsible for personal data for the personal data processing that takes place when e-mail is sent from the University Hospital to patients and referrers abroad. This is supported by the other investigation in the case. IMY therefore considers that the hospital board is responsible for personal data for the e-mail transfers in question. Furthermore, IMY assesses that the hospital board is also responsible for the processing of personal data which occurs during storage in the e-mail hosting service Outlook, because the e-mail transmissions happen from there.

Sensitive personal data has been sent unencrypted via the open network

As the person responsible for personal data, the hospital board must take appropriate technical and organizational measures to ensure an appropriate level of security in relation to the risks (Article 32 of the Data Protection Regulation). The personal data that is treated must, for example, be protected against unauthorized disclosure or unauthorized access. What is the appropriate level of security varies in relation to, among other things, the risks for the rights of natural persons which the treatment entails and the nature, scope, context and purpose of the treatment. In the assessment, it must, for example, be taken into account what type of personal data is being processed, such as data on health [4].

The hospital board has sent a large number of personal data via e-mail to patients and referrers abroad. These are an estimated 500-1,000 sent e-mail messages per month. The current e-mails contained personal data on health, which is sensitive personal data. Treatment of sensitive personal data can pose significant risks to personal privacy and therefore strong protection is required in the processing of such data. This means that if such personal data is sent by e-mail it must be protected in such a way that unauthorized persons cannot take part in it. Personal data can, for example, be protected by encryption.

The hospital board's information shows that the hospital board used a technology, so-called OTLS, which means that the transmission of the e-mail is encrypted in case the receiving e-mail server supports TLS. If the receiving e-mail server does not support TLS, the transmission of the e-mail becomes unencrypted. This means that the hospital board uses a technology that is dependent on the receiver's technical settings, which means that the hospital board cannot ensure that the transmission of the e-mail is encrypted. The e-mail has been sent externally (i.e. outside the Uppsala Region), which has resulted in it not being possible to ensure that the e-mail sent from the Academic Hospital was received with an encryption that is appropriate in relation to the risk of the treatment. The National Board of Health and Welfare has itself stated that it has not verified how many of the e-mail messages are sent unencrypted via open network per day.

In the present case, the information is sent in the e-mails without encryption, that is to say the information has been readable in plain text via the open network (internet). This means that unauthorized persons have been able to access the personal data in the e-mails and that other than intended recipients have been able to access the information both during the transmission, in cases where the recipient's e-mail server did not support TLS, and after the transmission of the e-mail. According to IMY, there is a risk that the data will come into the wrong hands after the transfer, as the person sending the data would be able to write an incorrect recipient address [5]. IMY finds that the information in the e-mails should have been protected against unauthorized disclosure or unauthorized access, and this regardless of whether the transmission of the e-mail has been encrypted or not. The hospital board should have taken technical measures, for example in the form of encryption, to protect the personal data and thereby ensure an appropriate level of data protection.

That a large number of sensitive personal data has been exposed for a long time on the internet without protection against unauthorized disclosure or unauthorized access means, according to IMY, that the lack of security has been of such a serious nature that it also involves an infringement of Article 5 (1) (f) of the Data Protection Regulation.

According to the hospital board, Region Uppsala's governing document on handling mail and e-mail states that sensitive personal data may not be communicated via e-mail. The hospital board has thus identified the risks that treating the sensitive personal data in e-mail entails, but has not taken sufficient measures to comply with the guidelines. IMY thus finds that the hospital board has not taken the appropriate organizational measures required to ensure the safety of the treatment.

Overall, IMY finds that the hospital board, by not taking appropriate technical and organizational measures to ensure a level of security that is appropriate in relation to the risk of the processing, has processed personal data in violation of Articles 5 (1) (f) and 32 (1) of the Data Protection Regulation.

Sensitive personal data has been stored in Outlook

The hospital board has stated that the medical records are also stored in Outlook in addition to storage in the main journal system Cosmic. The journal documents contain personal information about health, which is sensitive personal data. Processing of sensitive personal data can mean significant risks to privacy and therefore strong protection is required during the treatment of such information. This means, among other things, that this personal data must be protected in such a way that unauthorized persons cannot access it.

The purpose of an e-mail system (in this case Outlook) is to disseminate and communicate information. An e-mail system is exposed to the internet, which means that the information in the system risks becoming accessible to unauthorized persons. Outlook is therefore generally an inappropriate storage for sensitive personal data. By storing journal documents in Outlook, the current data has been exposed to a high risk that they will be disclosed or that unauthorized persons will gain access to them. This means that the hospital board has not taken the technical measures required under Article 32 in the Data Protection Regulation to ensure adequate data protection. That a large number of sensitive personal data has been exposed for a long time on the internet without protection against unauthorized disclosure or unauthorized access means, according to IMY, that the lack of security has been of such a serious nature that it also involves an infringement of Article 5 (1) (f) of the Data Protection Regulation.

In summary, IMY considers that the hospital board has not taken appropriate technical measures to prevent unauthorized disclosure of or unauthorized access to the personal data stored in Outlook. As a result, the hospital board has not ensured a level of safety that is appropriate in relation to the risk of the treatment. The Hospital Board has thus processed the personal data in violation of Articles 5.1 f and 32.1 of the Data Protection Regulation.

Choice of intervention

Legal regulation

In the event of violations of the Data Protection Regulation, IMY has a number of corrective powers available under Article 58 (2) (a) to (j) of the Data Protection Regulation, inter alia reprimand, injunction and penalty fees. IMY shall impose penalty fees in addition to or in lieu of other corrective actions referred to in Article 58 (2), depending on the circumstances of each case.

Member States may lay down rules on whether and to what extent administrative penalty fees can be imposed on public authorities. It is clear from Article 83 (7) in the Regulation. Sweden has accordingly decided that the supervisory authority shall be able to charge sanction fees from authorities. For infringements of, inter alia, Article 32, the fee amounts to a maximum of SEK 5,000,000. For infringements of, inter alia, Article 5 in the Regulation, the fee shall amount to a maximum of SEK 10,000,000. It appears from Chapter 6, § 2 of the Data Protection Act and Article 83 (4) and 83 (5) of the Data Protection Ordinance.

If a personal data controller or a personal data assistant, with respect to one and the same or interconnected data processing, intentionally or by negligence violates several of the provisions of this Regulation, the total amount of the administrative penalty fee may not exceed the amount determined for the most serious infringement. It is clear from Article 83 (3) in the Data Protection Regulation.

Each supervisory authority shall ensure that the imposition of administrative penalty fees in each individual case is effective, proportionate and dissuasive. This is provided for in Article 83 (1) of the Data Protection Regulation. Article 83 (2) of the Data Protection Regulation sets out the factors to be taken into account in order to decide whether to impose an administrative penalty fee, but also in determining the amount of the penalty fee. If it is a question of a smaller infringement, IMY may, as set out in recital 148, instead of imposing a penalty fee issue a reprimand in accordance with Article 58 (2) (b) of the Regulation. Consideration shall be taken of aggravating and mitigating circumstances in the case, such as the infringement's character, degree of difficulty and duration as well as previous violations of relevance.

Imposition of a penalty fee

IMY has above assessed that the hospital board has violated Articles 5.1 f and 32.1 in the Data Protection Regulation. Violations of these provisions may, as is apparent above, give rise to penalty fees.

The violations have taken place because the hospital board has sent a large amount of patient data via unencrypted e-mail via open network to patients and referrers in third countries and because the patient data has been stored in Outlook. The personal data which were processed were sensitive personal data, which means a high risk for the freedoms and rights of the registered. The treatments described in the case have taken place systematically and for a long time. The treatments via e-mail have also taken place in conflict with Region Uppsala's own guidelines. Taken together, these factors mean that a penalty fee should be imposed.

IMY estimates that the treatments via e-mail and storage refer to two interconnected data processings in accordance with Article 83 (3) of the Data Protection Regulation. This is because the treatments concern the handling of the same personal data in Outlook and refer to violation of the same provisions.

In determining the size of the penalty fee, IMY shall take into account both aggravating and mitigating circumstances and that the administrative penalty fee should be effective, proportionate and dissuasive.

It is aggravating that the personal data processing has been going on for a long time, that is to say during the period under review from 25 May 2018 to 7 May 2019, and that the hospital board did not promptly take measures to protect personal data despite the hospital board being aware of the shortcomings in safety. It is also aggravating that the treatments included a large amount of health information that was sent unencrypted via open network and stored in Outlook. It has been about between 500 and 1,000 e-mails per month that unauthorized persons have been able to access via the internet, and included about 300 registered per year. Through the information processed, the data subjects can be identified directly by name, contact details and health information. IMY therefore considers that the nature and scope of the data and the data subjects' dependency give the hospital board a special responsibility to ensure appropriate protection of personal data, which has not happened. It is further aggravating that the treatments have taken place systematically and that they have taken place contrary to Region Uppsala's own guidelines that sensitive personal data should not be sent by e-mail.

As a mitigating circumstance, it is taken into account that the hospital board in September 2019 introduced technical measures in the form of an encryption solution for files.

IMY decides based on an overall assessment that the hospital board should be imposed an administrative penalty fee of 1,600,000 (one million six hundred thousand) kronor.

This decision was made by Director General Lena Lindgren Schelin after the presentation by lawyer Linda Hamidi. At the final hearing, Chief Justice David Törngren, unit manager Malin Blixt and IT security specialist Ulrika Sundling also participated.

Lena Lindgren Schelin, 2022-01-26 (This is an electronic signature)

Appendix: Information on payment of penalty fee.
Copy to: The Data Protection Officer.

How to appeal

If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter in the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the date the decision was announced. If the appeal has been received in time, the Integrity Protection Authority forwards it to the Administrative Court in Stockholm for examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.

Notes
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).
[2] The Act (2018:218) with supplementary provisions to the EU Data Protection Regulation.
[3] Opportunistic Transport Layer Security.
[4] See recitals 75 and 76 of the Data Protection Regulation.
[5] See the Swedish Data Inspectorate's report Reported personal data incidents 2019 (report 2020:2).