DVI (Latvia) - Nacionālajam veselības dienestam
| DVI - Nacionālajam veselības dienestam | |
|---|---|
| Authority: | DVI (Latvia) |
| Jurisdiction: | Latvia |
| Relevant Law: | Article 24(1) GDPR, Article 32(1)(b) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 22.05.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | Nacionālajam veselības dienestam |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Latvian |
| Original Source: | DVI (Latvia) (in LV) |
| Initial Contributor: | mg |
The Latvian DPA held that selecting records by personal code alone, without cross-checking the name and surname the requester had already supplied, was an insufficient technical and organisational measure after the national health service disclosed another person's health data to a court.
English Summary
Facts
The Riga Orphan's Court asked the Latvian National Health Service (the controller) whether the national E-health system held health data on a minor (the data subject). The request gave the data subject's first name and surname together with a personal code that was incorrect and in fact belonged to another natural person.
The Service looks up the E-health system by personal code only. It therefore retrieved the other person's records and sent them to the court as if they concerned the data subject, labelling the reply with the data subject's name and surname but omitting the personal code.
The Health Inspectorate reported the incident to the Latvian DPA (DVI), which opened an investigation against the controller on 24 November 2022.
Holding
The DPA agreed with the controller that the personal code is the most secure identifier available, since it is unique and assigned to one person only, and that selecting records by it is meant to prevent the disclosure of another person's health data to a requesting public body such as the court. It nevertheless held that relying on the code as the sole selection criterion was not sufficient. The controller should have cross-checked the record against additional identifiers it already held, namely the data subject's first name and surname, which appeared in the request itself; had it done so, the mismatch between the code and the name would have been evident and the disclosure of another person's sensitive data would easily have been avoided. The DPA also noted that the E-health system showed the Service employee only the personal code and a list of documents, so the system design itself left no means of comparing the request with the record.
The controller had therefore not assessed all the risks of its processing and had not implemented technical and organisational measures adequate to prevent unauthorised disclosure, in breach of Articles 24(1) and 32(1)(b) GDPR. The resulting processing of a third person's health data was unlawful and infringed Articles 5(1)(a) and (f), 6(1) and 9(2) GDPR.
Taking into account that the court itself had supplied the wrong code, that no data subject had complained, and that the controller acknowledged that cross-checking name and surname would reduce the risk, the DPA considered an order under Article 58(2)(d) GDPR, without a fine, to be the proportionate corrective measure. It ordered the controller to review its practice for answering institutional requests, including the measures implemented in the E-health system (for example, showing the employee at least the data subject's name and surname), to update its internal rules accordingly, and to report the planned and completed measures to the DPA by 24 July 2023.
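The failure mode the DPA describes is a lookup keyed on a single identifier with no cross-check against the other identifiers the requester supplied. The following is an added example, not code from the decision or from the Service's E-health system: a code-only lookup beside one that refuses to disclose when the name on file does not match the name in the request. The registry, personal codes and names are constructed, and the codes are placeholders in the Latvian DDMMYY-NNNNN layout, not codes of real persons.

```python
"""Added example (not part of the DVI decision or the Service's system): a record
lookup keyed on personal code alone, beside a lookup that cross-checks the
first name and surname the requester already supplied.

All data below is constructed. The registry stands in for the E-health system;
the personal codes are placeholders in the Latvian DDMMYY-NNNNN layout, not
codes of real persons.
"""
import unicodedata
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Record:
    personal_code: str
    first_name: str
    last_name: str
    documents: Tuple[str, ...]  # what the employee is shown: the document list only


# Constructed registry. The second record carries the code that the requester,
# in the scenario below, mistakenly attaches to the first person.
REGISTRY: Dict[str, Record] = {
    "010190-11111": Record("010190-11111", "Anna", "Bērziņa",
                           ("2021-03-02 | GP consultation | Clinic A",)),
    "020290-22222": Record("020290-22222", "Jānis", "Ozols",
                           ("2022-01-15 | Mental health patient card | Clinic B",)),
}


def normalize_name(name: str) -> str:
    """Fold case, collapse whitespace and strip diacritics so that a request
    typed as 'Berzina' still matches the registry entry 'Bērziņa'."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(without_marks.casefold().split())


def lookup_code_only(personal_code: str) -> Tuple[str, ...]:
    """The practice the DPA faulted: the code is the only selection criterion,
    so a wrong code silently returns another person's documents."""
    record = REGISTRY.get(personal_code)
    return record.documents if record else ()


def answer_request(personal_code: str, first_name: str, last_name: str):
    """Hardened lookup: the record selected by code must also match the name
    and surname stated in the request. Returns (status, documents).

    status is 'disclosed', 'not_found' or 'mismatch_refused'. On a mismatch
    nothing is disclosed; the caller should go back to the requester to confirm
    the identifiers rather than guess which of them is wrong.
    """
    record = REGISTRY.get(personal_code)
    if record is None:
        return ("not_found", ())
    supplied = (normalize_name(first_name), normalize_name(last_name))
    on_file = (normalize_name(record.first_name), normalize_name(record.last_name))
    if supplied != on_file:
        return ("mismatch_refused", ())
    return ("disclosed", record.documents)


if __name__ == "__main__":
    # The scenario from the decision: correct name, but another person's code.
    print(lookup_code_only("020290-22222"))                  # other person's card leaks
    print(answer_request("020290-22222", "Anna", "Berzina"))  # refused, nothing disclosed
    print(answer_request("010190-11111", "anna", "BERZINA"))  # matching request, disclosed
```

The normalisation step matters in practice: requests arrive typed by hand, and a cross-check that fails on a missing macron or a capital letter would push staff back towards the code-only habit. Refusing on a mismatch, rather than picking whichever identifier seems more trustworthy, keeps the decision with the requester, who holds the original file.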
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv

Riga, 22.05.2023, No. [..]
To the National Health Service (via the eAddress information system)

DECISION on the application of a corrective measure

[1] On 11 October 2022 the Data State Inspectorate (DVI) received a letter from the Health Inspectorate (note 1) (the Letter) concerning the processing of personal data of [..] (the Data Subject) by the National Health Service (the Service). According to the Letter, the Riga Orphan's Court (the Orphan's Court), when asking the Service whether the unified electronic information system of the health sector (the E-health system) contained health data on the Data Subject, stated in its request (note 2) the Data Subject's first name and surname together with an incorrect personal code that belonged to another natural person. In its reply (note 3) the Service issued information as if about the Data Subject: it stated the Data Subject's first name and surname, omitted the personal code, and attached the data obtained from the E-health system about the person whose personal code had been stated in the Orphan's Court's request.

[2] To verify the lawfulness of the Service's conduct, and on the basis of Article 4(1)(1) and Article 5(1)(1) of the Law on the Processing of Personal Data of Natural Persons (FPDAL) and Article 57(1)(a) and (h) and Article 58(1)(a), (d) and (e) of the General Data Protection Regulation (note 4) (GDPR), DVI opened inspection case No. [..] on 24 November 2022 on the compliance of the Service's personal data processing with the GDPR.

[2.1] In the course of the inspection DVI, by letter of 25 November 2022 (note 5) (the Request), invited the Service to answer the questions set out in the Request. By letter of 7 December 2022 (note 6) the Service stated that:

[2.1.1] in the E-health system the Service selects natural persons (data subjects) and their health data by personal code only;

[2.1.2] in the Service's view, the personal code is the only selection criterion by which the E-health system ensures error-free, unambiguous and secure processing of personal and health data. This also observes the principle of data minimisation: nothing beyond what is needed for the specific purpose, namely to tell the authority whether the person has a narcological patient card or a card for a patient with mental and behavioural disorders in the E-health system, is processed (obtained);

[2.1.3] when a Service employee enters the personal code stated in an institution's request into the E-health system, the employee receives only a list of documents with the following fields: date, document ID number, document type and the medical institution where the specific services were received;

[2.1.4] without carrying out additional processing of personal and health data in the E-health system, the Service cannot check or compare the personal data stated in an institution's request with the data selected in the system. The Service also stated that it is not entitled to extend its processing when an institution's request asks for specific information. In its replies to requests that ask for specific and precise information, the Service cites the institution's outgoing document number and the first name and surname of the person concerned in order to guard against incorrect personal codes;

[2.1.5] as at the date of its reply the Service knew of two cases (including this one) in which it had provided incorrect information on the basis of the personal code stated in an institution's request. The Service has received no complaints from data subjects;

[2.1.6] in consultation with the requesting bodies, the Service will evaluate the possibility of returning to the practice of stating the data subject's personal code in its replies to authorities, instead of the first name and surname as at present.

[3] Having taken steps to establish the addressee's position, DVI concludes as follows on the basis of the findings in points 1 and 2 of this decision:

[3.1] The GDPR aims to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. Under Article 4(1), (2) and (15) GDPR, "personal data" means any information relating to an identified or identifiable natural person (the "data subject") (note 7); "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services; and "processing" means any operation performed on personal data (note 8) by wholly or partly automated means (note 9), as well as operations on personal data which form part of, or are intended to form part of, a filing system (note 10). A person's first name, surname and personal identification number are therefore personal data, information about health care services provided to a person is health data, and any operation on them, including acquisition and disclosure, is processing within the meaning of Article 4(2) GDPR.

The controller is responsible for the compliance of processing with the GDPR (note 11). Under point 2 of Cabinet of Ministers Regulation No. 134 of 11 March 2014, "Regulations on the unified electronic information system of the health sector" (note 12), and according to the information published on the E-health system's website (note 13), the Service is the controller.

For the controller's processing to be lawful it must comply with the principles of Article 5(1) GDPR: the processing must rest on an appropriate legal basis (note 14), and personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (note 15). Article 6(1) GDPR provides that processing is lawful only if and to the extent that at least one legal basis applies: consent, performance of a contract, legal obligation, public interest, protection of vital interests or legitimate interests. Article 9(1) GDPR prohibits the processing of health data unless one of the conditions in Article 9(2) GDPR applies. Processing of personal data by the controller is thus lawful only if one of the grounds in Article 6(1) and Article 9(2) GDPR applies and the principles of Article 5(1) GDPR are observed.

Under Article 24(1) GDPR the controller implements appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR; those measures are reviewed and updated where necessary. Article 32(1) GDPR provides that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ongoing confidentiality, integrity, availability and resilience of processing systems and services (note 16). Under Article 32(2) GDPR, in assessing the appropriate level of security account is taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. At the same time the GDPR leaves the controller free to choose those measures according to its available resources, technical capabilities and similar criteria: the legislator has set the goal to be achieved, but the controller itself must choose the means by which it secures its processing and complies with the GDPR.

[3.2] DVI finds that in the present case the Service has chosen to select data in the E-health system by a single selection criterion, the personal code. Moreover, when selecting by personal code alone, the Service has no possibility of comparing the personal data stated in institutions' requests (first name, surname, personal code) with the personal data in the E-health system, because, as the system is built, the Service employee sees only the personal code and the ID numbers, types and medical institutions of the relevant documents. DVI shares the Service's view that the personal code is the most secure identifier, being unique and assigned to one person only. However, both the present case and the other case known to the Service show that using a single selection criterion (the personal code) does not ensure correct and secure processing of personal data in the E-health system. The technical and organisational measures implemented by the Service may therefore not be sufficient to ensure secure processing in accordance with the GDPR.

In DVI's assessment, had the Service, in implementing technical and organisational measures, introduced additional selection criteria into the E-health system (for example first name or surname), or had the employee, on entering a personal code, been shown a larger amount of information (at least the data subject's first name and surname), a violation of this kind would not have occurred. If an institution's request stated an incorrect personal code belonging to another person, or an incorrect first name and surname, the Service, on entering those data into the E-health system, would be able to compare them with the personal data held there (first name, surname, personal code) and react accordingly, not permitting the processing (acquisition and disclosure) of another person's personal and health data. Since the first name and surname are already stated in the requests, the Service's employees already know that information and no additional information would be disclosed to them.

In view of the above, the information obtained in the inspection is sufficient to conclude that the Service, by choosing to select data in the E-health system by a single criterion (the personal code), has not assessed all the risks of its processing and has not implemented appropriate technical and organisational measures, thereby allowing the unlawful processing (acquisition and disclosure) of a third person's personal and health data. The Service has thus infringed the data processing principles of Article 5(1)(a) and (f) GDPR, Article 6(1) and Article 9(2) GDPR, and the requirements of Article 24(1) and Article 32(1)(b) GDPR.

At the same time DVI takes into account that in the present case the Orphan's Court itself supplied incorrect information to the Service, and that as at the date of this decision the Service has received no complaints from data subjects about incorrect information being provided to authorities. DVI likewise takes into account that the Service has itself acknowledged that using additional selection criteria, such as the data subject's first name and surname, would reduce the risk of processing incorrect personal and health data.

[4] Under Article 58(2)(d) GDPR each supervisory authority has the power to order the controller or processor to bring processing operations into compliance with the GDPR, where appropriate in a specified manner and within a specified period. Article 23 of the FPDAL provides that DVI applies the Administrative Procedure Law when deciding on the imposition of a legal obligation. Given the above and the finding of a GDPR violation in the Service's operations, DVI must, under Article 66(1) of the Administrative Procedure Law, decide on the expediency of issuing an administrative act.

[4.1] Assessing the necessity of the administrative act, DVI concludes that adopting the decision is necessary to achieve the aim of preventing the violation of the GDPR, namely to prevent unlawful processing (acquisition and disclosure) of personal and health data in the E-health system in the Service's future operations.

[4.2] The administrative act is a suitable means of achieving that aim, because it creates a legal duty for the Service to remedy the violations found and to prevent similar violations in the future.

[4.3] The administrative act is the most proportionate means of achieving the aim, because compared with a decision imposing an administrative penalty it is the more lenient measure. At the same time, the imposition of the legal obligation is directed at securing the fundamental right of data subjects to the protection of personal data provided for in the GDPR, the FPDAL and other regulatory acts.

Accordingly, on the basis of Article 3(2), Article 5(1)(a) and (f), Article 6(1), Article 9(2) and Article 58(2)(d) GDPR, Article 23 of the FPDAL and Article 63(1)(2) of the Administrative Procedure Law, DVI decides:

to oblige the Service to review its existing practice in fulfilling institutions' requests, including by evaluating the technical and organisational measures implemented in the E-health system (for example, giving the Service employee the possibility of obtaining a larger amount of information, i.e. also the data subject's first name and surname) and by updating its existing, or developing new, personal data security rules and other internal and external regulations accordingly.

On the basis of Article 58(1)(e) GDPR and Article 5(1)(3) of the FPDAL, the Service shall inform DVI in writing of the actions planned to fulfil this obligation by 24 July 2023 (note 17), submitting information on the measures it has taken and plans to take.

In accordance with Article 24(2) of the FPDAL, Article 76(1) and (2), Article 188(2) and Article 189(3) of the Administrative Procedure Law and Decision No. 32 of the Council of Justice of 18 May 2022, "On courts, their operational territories and locations", this decision may be appealed to the Riga Courthouse of the Administrative District Court within one month of its entry into force.

Acting Director L. Dilba

Notes
1. Registered by DVI under No. [..]
2. Letter of the Orphan's Court of 21 June 2022, No. [..]
3. Letter of the Service of 4 July 2022, No. [..]
4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
5. DVI letter of 25 November 2022, No. [..]
6. Letter of the Service of 7 December 2022, No. [..]
7. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a first name, surname, identification number, location data or online identifier, or to factors specific to that person's physical, economic, cultural, social or other identity.
8. For example collection, organisation, structuring, storage, adaptation or alteration, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure.
9. Processing by automated means includes processing in information systems in which a person can be selected by specific identifiers, for example using information technology systems.
10. Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
11. Under Article 4(7) GDPR the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
12. https://likumi.lv/ta/id/264943-rules-for-the-single-health-industry-electronic-information-system
13. https://eveseliba.gov.lv/sakums/datu-aizsardz%C4%ABba
14. Article 5(1)(a) GDPR
15. Article 5(1)(f) GDPR
16. Article 32(1)(b) GDPR
17. The last day for submitting the reply by post or sending it with a secure electronic signature.