NAIH (Hungary) - NAIH-2894-3/2021
| | |
|---|---|
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 32(1)(a) GDPR, Article 32(1)(b) GDPR, Article 32(2) GDPR, Article 33(1) GDPR, Article 34(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 14.03.2021 |
| Published: | |
| Fine: | 10,000,000 HUF |
| Parties: | Budapest Főváros Kormányhivatala XI. kerületi Hivatala |
| National Case Number/Name: | NAIH-2894-3/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH webpage (in HU) |
| Initial Contributor: | n/a |
The Hungarian DPA held that sending health data, without password protection, to a wider set of recipients than those authorised to receive it constitutes a personal data breach resulting in a high risk to the rights and freedoms of natural persons. The emergency situation caused by the COVID-19 outbreak and the related public tasks of authorities and public bodies do not exempt them from taking appropriate data security measures and from processing personal data lawfully in accordance with the GDPR.
English Summary
Facts
A public interest disclosure describing a personal data breach was made to the NAIH. The XI. District Office of the Budapest Government Office (in Hungarian: "Budapest Főváros Kormányhivatala XI. kerületi Hivatala"; hereinafter "District Office") had sent by email, as an attached Excel sheet, the data of 1,153 patients relating to their COVID-19 testing to general practitioners in the XI., XII. and XXII. Districts of Budapest. The Excel sheet was not protected by a password or by any other means. A person who was not even among the general practitioners originally addressed by the District Office forwarded that Excel sheet, together with the District Office's covering email, to the NAIH as a public interest disclosure.
Dispute
The NAIH examined whether the above transfer of patient data by the District Office constituted a personal data breach, what risks it posed to the rights and freedoms of natural persons, and how the District Office handled the breach.
It is worth noting that, after receiving the NAIH's inquiry concerning the personal data breach, the District Office requested the opinion of the data protection officer of the Budapest Government Office. The data protection officer took the view that the transfer of patient data by email did constitute a personal data breach, but that it did not result in a risk to the rights and freedoms of natural persons, since the data had only been received by the general practitioners referred to above, who are bound by professional secrecy.
Holding
The NAIH held that the transfer of patient data by email by the District Office constituted a personal data breach, since the personal data (including sensitive data) was also sent to general practitioners who had no right to access it. The District Office should have sent each set of patient data only to the competent general practitioners in the given district, with password protection (the password being provided through a separate channel), or should have chosen another secure means of transfer (e.g. the Hungarian Electronic Health Service Space).
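The remedy the NAIH points to, sending each practitioner only the patients for whom they are responsible and protecting the file separately, can be expressed as a recipient-scoping check run before anything is sent. The following is an added example written for this page; it is not part of the decision or of the District Office's procedure, and the records, districts and practitioner identifiers are constructed. It contrasts the broadcast pattern the decision describes (one sheet with every row to every addressee) with a per-practitioner partition, and refuses to prepare a delivery that would put any row in front of a recipient who is not responsible for that patient.

```python
"""Per-recipient partitioning of a patient list (least-privilege delivery).

Added example, not part of the NAIH decision or the District Office's
own procedure. All records, districts and practitioner identifiers below
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str      # constructed identifier
    district: str        # Budapest district, e.g. "XI"
    practitioner: str    # the GP responsible for this patient
    result: str          # test outcome, e.g. "positive" / "negative"


# Constructed sample data: three districts, one or two GPs each.
SAMPLE_RECORDS = [
    PatientRecord("P001", "XI", "dr_a", "positive"),
    PatientRecord("P002", "XI", "dr_a", "negative"),
    PatientRecord("P003", "XI", "dr_b", "negative"),
    PatientRecord("P004", "XII", "dr_c", "positive"),
    PatientRecord("P005", "XII", "dr_c", "negative"),
    PatientRecord("P006", "XXII", "dr_d", "positive"),
]

# Every GP on the original mailing list (constructed).
ALL_RECIPIENTS = ["dr_a", "dr_b", "dr_c", "dr_d"]


def broadcast(records, recipients):
    """The pattern the decision criticises: the full sheet goes to every
    addressee, regardless of district or responsibility."""
    return {r: list(records) for r in recipients}


def partition_by_practitioner(records):
    """Least-privilege delivery: each GP gets only the rows of the
    patients they are responsible for."""
    out = defaultdict(list)
    for rec in records:
        out[rec.practitioner].append(rec)
    return dict(out)


def unauthorised_rows(distribution):
    """Count rows whose recipient is not the responsible practitioner.
    Zero means no recipient sees data they have no need to see."""
    return sum(
        1
        for recipient, rows in distribution.items()
        for rec in rows
        if rec.practitioner != recipient
    )


def prepare_delivery(records, recipients):
    """Build per-recipient payloads and refuse to proceed if any recipient
    would receive a row they are not responsible for. Recipients with no
    patients in the batch get nothing at all, not an empty sheet."""
    dist = partition_by_practitioner(records)
    leak = unauthorised_rows(dist)
    if leak:
        raise ValueError(f"{leak} row(s) would reach an unauthorised recipient")
    return {r: dist[r] for r in recipients if r in dist}


if __name__ == "__main__":
    print("broadcast exposes", unauthorised_rows(broadcast(SAMPLE_RECORDS, ALL_RECIPIENTS)), "rows")
    for gp, rows in prepare_delivery(SAMPLE_RECORDS, ALL_RECIPIENTS).items():
        print(gp, [r.patient_id for r in rows])
```

Each payload returned by `prepare_delivery` would then be exported and protected with a per-recipient password sent over a channel other than the email carrying the attachment, as the decision requires; that encryption step is outside this example.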
The NAIH also found that the breach resulted in a high risk to the rights and freedoms of natural persons: a large volume of sensitive data became accessible to unauthorised third parties, which increases the chance of further unauthorised persons obtaining and unlawfully processing it (for example, the person who made the public interest disclosure to the NAIH, or anyone who might send direct marketing material for health services).
In addition, the NAIH stressed that the emergency situation caused by the COVID-19 outbreak did not exempt the District Office from complying with appropriate data security standards. As a body performing public tasks and processing health data as a core activity, the District Office is expected to handle such data carefully and in a way that is appropriate from a data protection point of view, and to be able to assess the risks associated with the processing in question.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Data protection incident and data security deficiencies affecting health data at the XI. District Office of the BFKH (file size: 318.57 kB; date: 24 March 2021; NAIH-2894-3/2021)