Tietosuojavaltuutetun toimisto (Finland) - 6482/186/2020
Tietosuojavaltuutetun toimisto - 6482/186/2020 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 22 GDPR Article 58(2)(a) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 23.08.2022 |
Published: | 27.10.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 6482/186/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Finnish |
Original Source: | Finlex (in FI) |
Initial Contributor: | Vadym Kublik |
The Finnish DPA issued a warning to a controller for possible automated individual decision-making related to the assessment of health benefits in violation of Article 22 GDPR.
English Summary
Facts
A healthcare provider (controller) requested a prior consultation from the DPA in line with Article 36 GDPR regarding its new Health Benefit Analysis tool. The system meant to improve the preventive and proactive approach to healthcare by using algorithms to identify patients with health risks. After this, a healthcare professional would assess the need for treatment.
To assess the legality of the planned processing of personal data, the DPA decided to handle the case not as a prior consultation but as supervision. The DPA considered in particular whether using the Health Benefit Analysis tool for patients would constitute automated individual decision-making under Article 22 GDPR.
Holding
The DPA held that patients identified by the system for further examination would not be subject to a decision based solely on automated processing. Instead, the healthcare professionals would make a final assessment considering other factors besides the system recommendation. However, for patients not selected by the system, the decision would be final and solely based on automated processing. Furthermore, it would significantly affect them because they would be deprived of the opportunity to receive a healthcare service.
Therefore, the DPA issued a warning to the controller under Article 58(2)(a) GDPR as the envisioned processing would violate Article 22 GDPR.
Comment
The Finnish DPA reached an identical conclusion in the case 3895/83/22, where it also assessed the legal basis for processing of special categories of personal data.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
The emergence of automated individual decisions in a predictive healthcare tool Keywords: Patient information Anticipatory health care Legal basis: decision in accordance with the EU General Data Protection Regulation Diary number: 6482/186/2020 Decision of the Deputy Data Protection Commissioner Subject: the emergence of automated individual decisions The controller has initiated a case at the data protection commissioner's office regarding the implementation of a tool called the health benefit assessment. The data controller initiated the matter as a request for a preliminary hearing referred to in Article 36 of the General Data Protection Regulation ((EU) 2016/679; hereinafter TSA). However, since it has been necessary to assess the legality of the planned processing of personal data, the matter was not handled as a request for a preliminary hearing, but as a control matter. The matter concerns the processing of patient data using a tool called a health benefit assessment. According to the data controller's description, the question is a digital family of products, with the help of which it is possible to improve the effectiveness of basic healthcare and increase the well-being of patients. With the help of the information produced by the health benefit assessment, it is possible to examine whether the treatment of patients is carried out in accordance with the Käypä hoito recommendations and other researched information. The purpose is to move to a more preventive and proactive approach in health care. According to the registrar, the patient data would be processed for two purposes: for the purpose of data management referred to in Section 41 of the Act on the Secondary Processing of Social and Health Data, and to treat the patient with the help of pseudonymized patient data. When the data is processed for the purpose of treating the patient, the Health Benefit Assessment produces information that can be used to identify patients in need of treatment or at high risk and to communicate with them in order to implement the treatment. The latter purpose of use is also referred to later in this decision with the term patient work. This decision concerns the processing of patient data for the purpose of patient work. The decision assesses whether automated individual decisions in accordance with Article 22 of the TSA are formed when the tool is used in patient work. The assessment of legality is limited to the questions defined in section 3, and this decision does not take a position on the legality of the planned processing in other respects. Solving questions The Deputy Data Protection Commissioner assesses whether the use of the health benefit assessment tool for patient work would constitute automated individual decisions referred to in Article 22 of the TSA a) for those patients who are selected for a more detailed examination by a healthcare professional due to the assessment produced by the tool, or b) for those patients who are not selected for a more detailed examination by a healthcare professional due to the assessment produced by the tool. In addition, the deputy data protection commissioner assesses whether it is necessary to use corrective powers in accordance with Article 58, paragraph 2 of the TSA. Investigating the matter The description of the planned processing of personal data given by the controller in connection with the initiation of the case According to the registry keeper, the health benefit assessment tool would process pseudonymized patient data in the patient information system. Pseudonymized patient data is transferred to the database, so that various analyzes and reports can be made using the reporting tool. With the help of the Health Benefit Assessment tool, the effectiveness of the treatment and the implementation of the current treatment would be measured. The patient's pseudonymized identifier can be decoded in the patient information system, when ensuring or correcting the patient's care, which is the responsibility of the organization in question, requires it, e.g. due to a clear lack of care or a significant risk. The health care professional can open the client's medical record to check what could be done to refine the treatment and can, for example, contact the patient to provide the necessary treatment or correct a risk factor. The log monitoring of patient data records which professional has viewed the data, and the professional records the reason for viewing the data in the system as "organization of treatment / revision of the treatment plan based on THA reporting". According to the registrar, users are instructed to open the pseudonymized identifier and view patient record information only if they intend to communicate with the patient in order to promote patient safety or improve treatment. The registrant points out that the health benefit assessment tool is used to perform general profiling, as the customers' health data is processed automatically using the rules in the application, and thus conclusions are drawn about the customer's health status and the need to intensify treatment. The registrar notes that the healthcare professional does not decide on the client's treatment based solely on the profiling result, but examines all the client's patient information in the patient information system and only makes a decision on which measures to take based on that. With the help of profiling, it is possible to view health information in a more extensive and efficient way than in individual patient encounters by browsing the medical record information, because extensive evaluation of the quality of treatment as manual work is not possible, according to the registrar. The registrar further states that the patient is generally informed about the logic of automatic processing and the possible consequences of the processing on the city's website. An individual patient is informed when we contact him about the data processing done with the help of the tool. In connection with the first contact, the patient can deny the use of the tool in his treatment in the future and the contact based on the evaluation produced by the tool. The ban is recorded in the patient information system. However, according to the registry keeper, it is technically not possible to prevent the customer's data from being included in the batch run of the health benefit assessment. According to the material provided by the registrar, users are instructed to review the registered patient's data before contacting them, so that treatment decisions are always made based on the most up-to-date information. The tool is used to evaluate the patient's treatment, identify treatment gaps and plan treatment, not directly for treatment. The healthcare professional thinks about the actual need for treatment based on the information in the patient information system, and only after that is it possible to treat the patient himself. Based on the information provided to the data protection officer's office, the healthcare professional would open pseudonymized data based on the risk raised by the tool. Additional clarification from the registrar The Office of the Data Protection Commissioner has asked the data controller for additional clarification on the use of the health benefit assessment for patient work. The registrar has provided the requested report on 30 October 2020. The registrar was asked to describe how the system is intended to be used in patient work. The registry keeper has stated in his report that the purpose of the tool is to search for patients who are at high risk and need a lot of services, who would benefit from treatment, and direct them to appropriate services. With the help of the system, according to the controller, services are not denied to anyone, but better services are offered to those who have not received adequate or correct services in relation to their needs. The registrar further states that the health benefit assessment tool is used after and between treatment situations in such a way that the patient's data is analyzed with the help of the tool, and pseudonymized views and listings are produced from the data, from which treatment gaps and risks are identified. All patient record data to be analyzed is stored in the patient information system in connection with previous treatment situations. The controller was also asked to describe how profiling is carried out, the related logic and its meaning and planned consequences for the data subjects. The registry keeper states in his report that the health benefit assessment is a tool to assist the work of a health care professional, and this should always assess the patient's situation and treatment as a whole based on the information in the patient information system and check the correctness of the health benefit assessment recommendation before taking measures. As possible consequences for the registrants, the registrar brings up the discovery of a deficiency in patient care and the re-evaluation of the patient's care by a healthcare professional, and thus the improvement of patient safety. The controller was also asked to tell on what grounds it has considered that the question is not an automated individual decision referred to in Article 22 of the TSA. The registrar states in his report that the tool does not make treatment decisions for patients, but the decision about the patient's treatment is always made by a healthcare professional in agreement with the patient. Therefore, according to the controller's understanding, it is not an automatic individual decision, but the general profiling referred to on page 6 of the WP251 rev.01 instruction. The registrar further states that the healthcare professional uses the tool to support his work and is able to use the rules to distinguish patients whose treatment should be specified from pseudonymized patient data. However, the health care professional does not make a decision based on the screening of the tool, but makes an assessment on specifying the patient's treatment after reviewing the patient's information from the patient information system. If the professional assesses that the patient's treatment should be specified, he contacts the patient and makes a decision to specify the patient's treatment in agreement with the patient. The registrar states that the patient has the right to prohibit the use of the tool in his treatment, and the prohibition is recorded in the patient information system. According to the registrar, the treatment is always based on the overall assessment of the patient's health by a healthcare professional, which takes into account all the factors in the patient information system affecting the treatment, and not only on the findings produced by the tool or on the recommended treatment decision for the patient. The registrar considers that the issue is general profiling, because the essential role is a comprehensive assessment of the patient's situation by a healthcare professional based on the patient information of the patient information system, as well as a discussion with the patient about the patient's situation. Therefore, according to the controller, the question is not about an automatic individual decision. Applicable legislation The General Data Protection Regulation applies to the processing of personal data as a general regulation. According to TSA Article 4, paragraph 4, profiling refers to any automatic processing of personal data, in which personal data is used to evaluate certain personal characteristics of a natural person, in particular to analyze or predict features related to the work performance, financial situation, health, personal preferences, interests, reliability, behavior, location or movements. According to Article 22(1) of the TSA, the data subject has the right not to be subject to a decision based solely on automatic processing, such as profiling, which has legal effects concerning him or which similarly significantly affects him. According to TSA Article 22(2), paragraph 1 does not apply if the decision a) is necessary for the conclusion or execution of an agreement between the data subject and the data controller; b) is based on the Union law applicable to the controller or the legislation of a Member State, which also establishes appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or c) is based on the express consent of the data subject. According to TSA Article 22, Paragraph 4, the decisions referred to in Paragraph 2 above may not be based on the special personal data groups referred to in TSA Article 9, Paragraph 1, except if Article 9, Paragraph 2 Subparagraph a or g applies and appropriate measures to protect the data subject's rights and freedoms and legitimate interests have been implemented. The remedial powers of the data protection authority are provided for in Article 58(2) of the TSA. According to subparagraph a), the supervisory authority may warn the controller or personal data processor that the intended processing operations are likely to be in violation of TSA regulations. Solution Automated individual decisions are not made for those patients who are selected for a more detailed examination by a healthcare professional due to the assessment produced by the tool. Automated individual decisions are likely to be made for those patients who, due to the assessment produced by the tool, are not selected for a more detailed examination by a healthcare professional. The Deputy Data Protection Commissioner issues a warning to the data controller in accordance with TSA Article 58, paragraph 2, subparagraph a. The planned processing actions are likely to be in violation of TSA regulations, because the controller has not recognized the formation of automated individual decisions, and therefore has not taken into account the TSA Article 22. Reasoning The concept of automated individual decisions TSA Article 22 provides for automated individual decisions. According to the regulation, the data subject has the right not to be the subject of a decision that is based solely on automatic processing of personal data, such as profiling, and which has legal effects concerning him or which affects him in a similar way significantly. It is possible to make automated individual decisions in the situations defined in Article 22 of the TSA. A decision based solely on automatic processing refers to a situation where no human is involved in the decision-making process. If, for example, an automated process produces a recommendation regarding the registered person, which a person takes into account together with other factors when making a final decision, it is not a decision based solely on automatic processing. The emergence of legal effects means that the decision affects a person's legal rights, his/her legal status or contractual rights. Other effects on data subjects will also trigger the application of the regulation on automated decision-making in accordance with Article 22 of the TSA, if they are similarly significant. Significant effects can be considered to be those that are large or significant enough to be worth considering. These can be, for example, decisions that significantly affect a person's circumstances, behavior or choices, or affect the data subject long-term or permanently. For example, a decision that affects a person's chances of receiving health care services has such significant effects for the data subject. The formation of automated individual decisions for those patients who, due to the assessment produced by the tool, are selected for a more detailed examination by a healthcare professional According to the information provided by the registrar, the healthcare professional uses the tool to support his work and is able to use the rules to distinguish patients whose treatment should be specified from the pseudonymized patient data. According to the Deputy Data Protection Commissioner's opinion, this happens in practice by selecting patients in need of clarification of treatment based on the assessment produced by the tool for a more detailed assessment by a healthcare professional. According to the information provided by the registrar, the healthcare professional does not make a decision based on the screening of the tool, but rather makes an assessment on specifying the patient's treatment after reviewing the patient's information from the patient information system. As stated in section 32, a decision based solely on automatic processing is not considered if the automated process produces a recommendation regarding the data subject, which a person takes into account together with other factors when making a final decision. According to the description provided by the registrar, for those patients who are selected for examination by a healthcare professional, the result of the profiling is taken into account as one factor along with the patient data. The final decision on specifying the treatment and contacting the patient is made by a healthcare professional. The Deputy Data Protection Commissioner agrees with the registrar's assessment that automated individual decisions referred to in Article 22 of the TSA do not arise in the case of patients selected for a closer examination due to profiling. This is provided that the healthcare professional has a genuine opportunity, ability and authority to deviate from the recommendation obtained with the help of the tool, if necessary. The formation of automated individual decisions for those patients who, due to the assessment produced by the tool, are not selected for a more detailed examination by a healthcare professional The applicability of Article 22 of the TSA requires, first of all, that decisions are made solely on the basis of automatic processing of personal data. According to the registrar, the healthcare professional can use the rules used in the tool to distinguish patients whose treatment should be specified from pseudonymized patient data. According to the Deputy Data Protection Commissioner's opinion, this is done by selecting patients in need of clarification of treatment based on the assessment produced by the tool for a more detailed assessment carried out by a healthcare professional. In this case, patients who, based on the assessment produced by the tool, are not in need of treatment clarification, will not be selected for a more detailed assessment carried out by a healthcare professional. In the case of these patients, the result of the profiling remains final, according to the Deputy Data Protection Commissioner's opinion, and the person no longer re-evaluates the evaluation produced by the tool. The Deputy Data Protection Commissioner considers that for those patients who are not selected for a more detailed assessment by a healthcare professional because there is no need for this based on profiling, the issue is solely a decision based on automatic processing of personal data. The application of Article 22 of the TSA requires, secondly, that the automated individual decisions have legal effects concerning the data subject or that they affect him in a similar way significantly. The existence of actual legal effects would require that the decision affect a person's legal rights, their legal status or contractual rights. Such could be, for example, decisions regarding the denial of a certain statutory benefit or right. The registrar has stated that no one will be denied services based on the assessment produced by the health benefit assessment tool. According to the Deputy Data Protection Commissioner's opinion, the profiling referred to in the case probably does not have actual legal effects on the data subjects. TSA Article 22 also becomes applicable if the decision has significant effects on the data subject in a manner similar to the legal effects. The Deputy Data Protection Commissioner uses the criteria defined by the European Data Protection Board in assessing the significance of the effects. According to these criteria, the effects on the data subject must be sufficiently large or significant to be noteworthy. The decision must potentially either have a significant impact on the circumstances, behavior or choices of the persons in question, affect the data subject long-term or permanently, or in extreme cases lead to the marginalization or discrimination of persons. In evaluating the significance of the effects, it is also necessary to take into account case-specific features, such as the degree of interference with privacy in the profiling process and the expectations and wishes of the data subjects. In the material provided by the registrar, not all the situations related to the health of the patients, for the detection of which the tool is intended to be used, have been covered. Therefore, the deputy data protection commissioner also evaluates the proactive approach as a whole. It is possible that in all situations included in proactive healthcare, the effects are not the same. The effects and their significance are likely to be different depending, for example, on what kind of health risks or situations where treatment needs to be specified are sought to be detected and on what kind of measures are to be taken after profiling. The significance of the effects is influenced by how the adoption of a proactive approach is reflected in the implementation of health care services. The effects are likely to be different in the short and long term. For example, if the algorithm effectively helps to detect persons at health risk, it is possible that the result of the profiling will start to have a significant impact on access to treatment. A similar effect can be had, for example, if the available resources of health care compel to emphasize health services to patients selected on the basis of clear profiling. As stated above in section 34, significant effects are considered to be, for example, that the decision affects the person's opportunities to receive health care services. The registrar has stated in his additional report that the system does not deny services to anyone, but offers better services to those who have not received adequate or correct services in relation to their needs. The Deputy Data Protection Commissioner considers that, in terms of significant effects, it is not necessary for the patient to be actively denied access to the treatment. It is sufficient that the profiling actually affects the patient's chances of receiving healthcare services. Based on the information provided by the registry keeper, the patient would be excluded from special preventive health care measures as a result of the assessment based on profiling. Thus, the deputy data protection commissioner considers that the effects of profiling on data subjects would probably be significant at least in some situations of proactive healthcare. Even if profiling would not lead to significant effects on the data subject in all situations according to the current methods of operation, it is possible that later with the change of services and the development of algorithms, this would be the case. Therefore, the controller should constantly monitor the different ways in which profiling actually affects the data subjects. When evaluating the significance, it is also necessary to take into account the degree of interference with privacy. The patient data to be processed describe the state of health of the registered person. Profiling would thus be done on the basis of very intimate and detailed information describing the state of health. This emphasizes relevance. The Deputy Data Protection Commissioner considers that the decisions arising from profiling would very likely have a significant impact on the data subject's behavior and circumstances, because proactive healthcare measures that are actively offered to the data subject would be selected based on them. In terms of the data subject's behavior, circumstances and choices, it would probably also be important for the data subject to become aware that some health-related situation (for example risk of illness) has not been identified based on the information about him. The effects on the registrant's health can probably be long-term or permanent, at least in some situations. Based on the above grounds, the deputy data protection commissioner considers that the automated individual decisions referred to in Article 22 of the TSA can probably be made for those patients whose patient data is processed using the tool, but for whom, based on profiling, there is no need for a review by a healthcare professional. On the effects of the application of Article 22 TSA The Deputy Data Protection Commissioner emphasizes that making automated individual decisions is not impossible, but TSA Article 22, Sections 2 and 4 stipulates the conditions under which automated individual decisions can be made. The Deputy Data Protection Commissioner recognizes the beneficial potential of profiling and solutions based on it in healthcare operations. However, it is essential to ensure that the procedures are built by also taking into account aspects arising from data protection regulations and the protection of patients' privacy in a balanced way. Warning from the Deputy Data Protection Commissioner The controller has considered that the planned processing of personal data does not lead to the formation of automated individual decisions referred to in TSA Article 22. The Deputy Data Protection Commissioner has considered, on the grounds described above, that automated individual decisions are likely to be made for patients who, due to profiling, are not selected for examination by a healthcare professional. The Deputy Data Protection Commissioner issues a warning to the data controller in accordance with TSA Article 58, paragraph 2, subparagraph a. The planned processing actions would probably be in violation of TSA regulations, because the controller has not identified the likely formation of automated individual decisions, and thus has not taken into account the TSA Article 22. It is necessary for the controller to ensure, before taking possible processing actions, that the basis for making automated individual decisions according to TSA Article 22, paragraphs 2 and 4 exists, when the decisions determined on the basis of profiling have significant effects on the data subject corresponding to legal effects. Appeal According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court. Service The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt. The decision is legally binding.