Persónuvernd (Island) - 2025010124

| Persónuvernd - 2025010124 | |
|---|---|
| Authority: | Persónuvernd (Island) |
| Jurisdiction: | Iceland |
| Relevant Law: | Article 6(1)(e) GDPR; Article 9(2)(h) GDPR; Act 55/2009 (Lög um sjúkraskrár - Medical Records Act) |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 26.09.2024 |
| Decided: | 17.02.2025 |
| Published: | |
| Fine: | 5,000,000 ISK |
| Parties: | n/a |
| National Case Number/Name: | 2025010124 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Icelandic |
| Original Source: | Personuvernd (in IS) |
| Initial Contributor: | tjk |
The DPA fined a health service provider approximately €34,360 (ISK 5,000,000) for unlawfully granting third parties access to its joint medical record system without seeking the necessary prior permission required by national law.
English Summary
Facts
The controller (Capital Area Health Care Centre) runs multiple health centres. Following findings from proceedings against another organisation, the DPA initiated an ex-officio investigation into the controller's processing of personal data in joint medical record systems maintained pursuant to national law (the Medical Records Act).
The DPA found that the controller had entered into record sharing agreements with roughly a dozen parties (including other health service providers but also, e.g., the Icelandic Football Association and the Transport Authority), making the records of ca. 450,000 individuals available in one joint medical record system to which healthcare professionals working on behalf of the contracting parties had access. Under the Medical Records Act, such sharing agreements require licensing by both the DPA and the responsible Ministry.
The DPA's investigation revealed that the controller had undergone such a licensing process for only one of the parties. In that licensing process the DPA had considered the sharing necessary for the public interest in better ensuring patient safety, pursuant to the Medical Records Act and Articles 6(1)(e) and 9(2)(h) GDPR. The controller stated that the other agreements were in substance based on that agreement, despite the fact that they had not undergone a formal licensing process. The controller acknowledged that there were shortcomings in the handling of those agreements.
Holding
The DPA did not question the permission regarding the one agreement where it was actually granted.
However, the DPA found that the required licence was missing in all the other cases. The DPA held that such a licensing process must be carried out each time a new party enters the controller's joint health record system. Thus, the DPA held that the controller, in violation of Articles 5(1)(a) and 5(2) GDPR, could not demonstrate a legal basis showing that the other parties' access to the joint medical record system was permitted, as the conditions of Article 6(1) and (2) GDPR were not met. However, the DPA found that it is in the best interests of patients to leave the joint medical record system unchanged until the Minister's decision on the other permissions is made. Consequently, the DPA did not issue instructions for improvements to the controller under Article 58(2) GDPR.
Nonetheless, the DPA decided to impose a fine on the controller. In view of Article 83(2)(a) GDPR, the DPA considered it mitigating that no damage occurred from the violations and, under Article 83(2)(c) and (f) GDPR, that the controller readily responded to the DPA's requests, applied for the required permissions and blocked access for those parties not considered competent to access the records at all.
On the other hand, the DPA found that the serious nature of the violation, the large number of affected persons and the fact that the processing in the joint record system had been ongoing for numerous years aggravated the violation in accordance with Article 83(2)(a) GDPR. Additionally, the DPA found the violated obligation to be so clearly stipulated by law that it assumed intent on the part of the controller when it failed to obtain the required authorisation, thus aggravating the violation in accordance with Article 83(2)(b) GDPR. Additionally, the DPA found that the controller's violations concern health information, which is considered sensitive personal information under Article 83(2)(g) GDPR.
Taking this into account, the DPA imposed an administrative fine of ISK 5,000,000 (approximately €34,360) on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
The Data Protection Authority has made a decision regarding an ex officio investigation into the processing of personal data in the joint medical record system of the Capital Region Health Service. The investigation was limited to the lawfulness of the processing, i.e. whether the health service had been authorized to merge the health record system of the institution with the health record systems of other parties, including granting the relevant parties access to the health records of the institution's patients. The decision concludes that the Capital Region Health Service had not demonstrated that the processing of personal data, which consisted of granting Reykjavík Home Care, Höfði Health Service, Salahverfi Health Service, Urðarhvarfi Health Service, the Icelandic Football Association, the Aviation Medical Centre, the Icelandic Transport Authority, Janus Rehabilitation ehf., Höfði Suðurnes Health Service, the Welfare Department of the City of Reykjavík and the Directorate of Labour access to the institution's joint medical record system, had been authorized, cf. point 1 of paragraph 1 and paragraph 2 of Article 8, paragraph 1 of Article 9 and paragraph 1 of Article 11 of Act No. 90/2018, cf. point a of paragraph 1 and paragraph 2 of Article 5, paragraph 1 of Article 6 and paragraph 1 of Article 9 of Regulation (EU) 679/2016, as the conditions of paragraphs 1 and 2 of Article 20 of Act No. 55/2009 had not been met in the mergers in question. An administrative fine of ISK 5,000,000 was imposed on the Capital Region Health Service for those violations.

Decision on the basis of an ex officio investigation into the processing of personal data in the joint health record system of the Capital Region Health Service in case no. 2025010124 (previously 2024091428):

Procedure

Draft case

1. By letter dated 26 September 2024, the Data Protection Authority notified the Capital Region Health Service that the agency had decided to initiate an ex officio investigation into the processing of personal data in joint health record systems maintained on the basis of Chapter VI of Act No. 55/2009 on health records.

2. The decision to initiate an ex officio investigation was based on paragraphs 1 and 3 of Article 39 of Act No. 90/2018 on the Protection of Personal Data and the Processing of Personal Data and Article 30 of Rules No. 1150/2023 on the procedure of the Data Protection Authority. In that decision, particular consideration was given to the fact that the processing of personal data in joint health record systems concerns a broad group of people, the nature of the information involved and the extent of the risk the processing poses to the privacy of the data subjects.

3. In the decision to initiate an ex officio investigation, the decision of the Data Protection Authority in case no. 2023071182 from 23 September 2024 was also taken into account. In that decision, the Authority concluded, among other things, that the agreement between the Capital Region Health Service and the Icelandic Transport Authority on a joint health record system had not met the conditions of paragraph 1 and point 2 of paragraph 2 of Article 20 of Act No. 55/2009 on health records, i.e. regarding the Minister's permission and the Data Protection Authority's confirmation of the security of personal data in the system. Since the Capital Region Health Service was not a party to that case, its liability was not examined there.

Case investigation

4. In the aforementioned letter from the Data Protection Authority dated 26 September 2024, the Capital Region Health Service was asked to state whether it operated a joint medical record system on the basis of Chapter VI of Act No. 55/2009 on medical records. Information was requested on the legal basis that permits access to medical records, cf. Article 12 of Act No. 55/2009, and on whether permission had been obtained from the Minister for the merger of medical record systems, after receiving confirmation from the Data Protection Authority, in accordance with Article 20 of the Act. In addition, a copy of the Capital Region Health Service's agreements on joint medical record systems was requested. The Health Service's response was received on 11 October 2024. The Data Protection Authority then requested further information by letter dated 22 December, including on the scope of processing of personal data in the joint medical record system of the Capital Region Health Service. The Health Service responded by email on 5 November 2020. By email to the Health Service on 18 December 2020, the Data Protection Authority requested a copy of the letter from the Director of Health's Office to the Health Service from 27 September 2020, which was received by the agency by email on 20 November 2020.

5. By letter dated 18 December 2020, the Capital Region Health Service was informed of the results of the Data Protection Authority's review of the case data, including possible violations of data protection legislation and the fact that an administrative fine could be imposed on the Health Service for these. The Health Service was given the opportunity to submit comments on this occasion, which were received by the Data Protection Authority on 16 January 2025.

6. In resolving the case, all of the above-mentioned data has been taken into account.

Opinion

7. The objective of the ex officio investigation is to establish the lawfulness of the processing of personal data in the joint medical record system of the Capital Region Health Service. More specifically, the investigation is to determine whether the Capital Region Health Service was authorized to merge the institution's medical record system with the medical record systems of other parties, including granting the relevant parties access to the institution's patient medical records, cf. point 1 of paragraph 1 of Article 8, Article 9 and paragraph 1 of Article 11 of Act No. 90/2018 and point a of paragraph 1 of Article 5, paragraph 1 of Article 6 and paragraph 2 of Article 9 of Regulation (EU) 2016/679.

Facts of the case and available data

8. It is known that the Capital Region Health Service has entered into agreements with twelve parties regarding a joint medical record system and/or authorizations for access to the institution's medical record system. The health service submitted agreements on the operation and unification of medical records with the Lágmúli Health Service (April 15, 2016), Reykjavík Home Service (April 2016), Höfði Health Service (May 18, 2017), Salahverfi Health Service (January 10, 2018), Urðarhvarfi Health Service (August 29, 2018), the Icelandic Football Association (December 17, 2018), the Aviation Medical Centre (August 1, 2020), the Icelandic Transport Authority (September 1, 2020), Janus Rehabilitation ehf. (April 13, 2023), the Höfði Suðurnes Health Service (October 6, 2023) and the Reykjavík City Welfare Department (October 17, 2023). In addition, access was opened for three nurses from the Directorate of Labour to the health care centre's medical record system (January 30, 2023) without a written agreement to that effect.

9. The Capital Region Health Service has stated that the number of registered individuals that have been looked up by any of the above parties is around 195,000. The health care centre's medical record system contains 517,429 individuals, living and deceased, domestic and foreign. However, health information about all of the individuals in question is not available in the database, as the creation of a patient in a patient database can be based on circumstances other than a direct visit by a client seeking health care. The health care centre estimates that approx. 450,000 medical records are present in the system.

10. It is clear that the agreement between the Capital Region Health Service and Janus Rehabilitation ehf. was valid until 11 December 2023, cf. Article 9.1 of the agreement. It is also clear that the agreement between the health service and the Reykjavík City Home Services was repealed with the entry into force of the agreement with the Reykjavík City Welfare Department on 17 October 2023, cf. Article 11.2 of the latter agreement.

11. The annex "Security requirements for the responsible party of the joint medical record system" is attached to some of the agreements mentioned in paragraph 8 above. Article 1.1 of the annex states that the Capital Region Health Service and other specific health institutions and workplaces of health professionals, specified in Article 2.1 of the annex, shall transfer and store the medical records of patients who come to them for treatment in a common electronic medical record system on the basis of the permission of the Minister of Health and the confirmation of the Data Protection Authority on the security of the system, and in this connection reference is made to Article 20 of Act No. 55/2009 on medical records. According to Article 2.1 of the annex, the parties to the common medical record system are the Capital Region Health Service, Kirkjusandur Health Service, Salastöð Health Service, Urðarhvarfi Health Service, Höfði Health Service, Reykjavík Home Service at the Reykjavík City Welfare Department, Seljahlíð Nursing Home, Droplaugarstaðir Nursing Home and the practices of individual doctors working outside healthcare institutions according to a special agreement thereto. Article 1.1 of the annex also states that the parties to the joint medical record system have agreed that the Capital Region Health Service is considered the controller of medical records in the system, cf. point 12 of Article 3 of Act No. 55/2009. Article 1.5 also states that the parties to the joint medical record system are each responsible for the processing of personal data, cf. point 6 of Article 3 of Act No. 90/2018, which results from the lawful processing by the relevant party's staff of patients' medical record information stored in the joint medical record system, i.e. registration of medical record information, searches and other processing.

12. It is known that the agreement between the Capital Region Health Service and the Lágmúli Health Service on a unified health record was concluded after a licensing process with the Ministry of Welfare (February 10, 2016) and after receiving the opinion of the Data Protection Authority (January 26, 2016). The Data Protection Authority's opinion did not make any comments on the security measures described in the agreement in question and stated that they were compatible with paragraphs 1 and 2 of Article 11 of the then-current Act No. 77/2000. However, the Capital Region Health Service was requested to submit a written risk assessment and registration of security measures for the processing of personal data in the joint health record system, with reference to Article 11 of the then-current Act No. 77/2000 on the Protection of Personal Data and the Processing of Personal Data and Article 3 of Rules No. 299/2001 on the security of personal data, as well as a description of the measures to ensure the patient's right to prohibit or restrict access to information about him or her, cf. paragraph 2 of Article 13 and Article 21 of Act No. 55/2009.

13. The Ministry of Welfare granted permission for the sharing of the electronic medical record systems of the Capital Region Health Service and the Lágmúli Health Service, despite the fact that the data requested by the Data Protection Authority had not been received by the institution. The Ministry's permission refers to the fact that it has been shown that the sharing in question better ensures patient safety and contributes to increased continuity in their treatment. It also emphasizes the importance of ensuring that the level of security that applies to the use of the Capital Region Health Service's medical record system also extends to the new user.

14. Other agreements of the Capital Region Health Service on combined health record systems stipulate that the Minister's permission must be obtained, after confirmation by the Data Protection Authority, in accordance with paragraph 2 of Article 20 of Act No. 55/2009. However, the agreements in question did not go through a formal licensing process in accordance with the referenced legal provision when they were concluded. Therefore, neither the Minister's permission nor the Data Protection Authority's confirmation that the security of personal data has been ensured under those agreements is available.

15. During the handling of the case, the Capital Region Health Service stated that the institution had requested permission from the Ministry of Health, on 3 October 2024, for the merger of health record systems with the Höfði Health Service, the Salahverfi Health Service, the Urðarhvarfi Health Service, the Höfði Suðurnes Health Service and the Welfare Department of the City of Reykjavík. The health service stated that it had closed all access that had been granted on the basis of agreements with the Icelandic Transport Authority, the Icelandic Football Association and the Aviation Medical Centre on 24 September 2024. Access for nurses from the Directorate of Labour was also closed on 4 October 2024.

The view of the Capital Region Health Service

16. The explanations of the Capital Region Health Service provide further information on the implementation of the above agreements. It is stated that each contracting party has been granted access to the medical record system that the Capital Region Health Service has built up through the activities of the institution's health centres. Therefore, there are not twelve independent medical record systems, although twelve different agreements affect the management of the medical record system.

17. The Capital Region Health Service refers to the fact that eight of the parties with whom a joint medical record system has been agreed upon base their activities on the provisions of Act No. 40/2007 on health services. Five of these entities are private health care centres (Lágmúli Health Centre (now Kirkjusandur), Höfði Health Centre, Salahverfi Health Centre, Urðarhvarfi Health Centre and Höfði Suðurnes Health Centre). In addition, an agreement has been made with the Welfare Department of the City of Reykjavík (formerly Heimaþjónusta Reykjavíkur) and Janus Rehabilitation ehf. At the time of signing the agreements, the parties in question had a licence to operate health services according to the operating register of the Director of Health's Office. In accordance with the provisions of Article 20 of Act No. 55/2009 on health records, two or more health care institutions and health care professionals' offices are permitted, with the permission of the Minister, to enter and store the health records of patients who come to them for treatment in a joint electronic health record system.

18. The Capital Region Health Service also refers to the fact that, from the ruling of the Data Protection Authority in case no. 2023071182, it can be concluded that the other contracting parties, i.e. the Aviation Medical Centre, the Icelandic Football Association, the Icelandic Transport Authority and the Directorate of Labour, do not meet the conditions of Article 20 of Act No. 55/2009. Following the ruling of the Data Protection Authority, the Capital Region Health Service received a letter from the Office of the Director of Health, stating the position of the office that the health service's agreement with the Icelandic Transport Authority constitutes a violation of the provisions of the Act on Medical Records and that for that reason the health service should terminate the agreement. It is the position of the health service that the views expressed in the office's letter also apply to the Aviation Medical Centre, the Icelandic Football Association and the Directorate of Labour. For that reason, access that had been granted on the basis of agreements with the parties in question has been blocked, cf. the discussion in paragraph 15.

19. The Capital Region Health Service confirms that only six of the aforementioned agreements are still in force, namely the agreements with private health care centres and the Reykjavík City Welfare Department. The agreement with the Lágmúli Health Service was concluded after a licensing process with the Ministry of Welfare and after receiving confirmation from the Data Protection Authority. The other agreements did not go through a formal licensing process at the time they were created, but the health care centre requested such permission on October 3, 2024. The agreements that are currently in the licensing process are based on the agreement between the Capital Region Health Service and the Lágmúli Health Service. The Data Protection Authority has already assessed the unified health record system, i.e. in terms of data security and privacy considerations.

20. The Capital Region Health Service also confirms that only healthcare professionals who worked for or on behalf of the contracting parties have been granted access to the unified health record system. The Department of Electronic Services at the health care centre, which oversees the institution's medical record system, has reviewed all active access and compared it with the agreements on shared medical record systems. That review has revealed that active access is entirely restricted to parties who have access to a shared medical record under an agreement. Monitoring of searches in medical records is very active and all healthcare professionals who have access to the system are aware that misuse of access is considered a serious breach of confidentiality.

21. The explanations of the Capital Region Health Service state that the institution has assessed whether Article 18 of Act No. 55/2009, which deals with the sharing of information through the interconnection of electronic medical record systems, would be better suited to ensuring patient safety during treatment than a shared medical record system based on Article 20 of the same Act. The difference in the technical implementation of the provisions lies in whether the entire medical history appears on the first search (joint medical record) or whether only the local part of the medical history appears on the search, with an additional button where it is possible to request access to linked medical records. Applying the linking operation rather than merging the medical records is both more time-consuming and increases the risk of error. Moreover, linking medical records is not technically feasible in cases where the contracting parties do not keep a specific medical record in their operations. It is noted that the majority of the parties with whom the Health Service has entered into agreements on a joint medical record have patients as their service recipients. Patients can move between contracting parties to some extent at their own request or use services from more than one contracting party at the same time. A unified medical record is necessary to prevent missing information, e.g. regarding prescriptions for addictive drugs. In those cases, a joint medical record is suitable to increase the quality, efficiency and safety of healthcare services.

Objection due to the possible imposition of a fine

22. By letter of 18 December 2024, the Capital Region Health Service was granted the right to object due to possible violations of the provisions of the data protection legislation on the lawfulness of processing and the imposition of an administrative fine. The letter from the Data Protection Authority states that the available data seemed to indicate that the health service had violated the provisions of Articles 5, 6 and 9 of Regulation (EU) 2016/679, and that violations of those provisions may result in fines according to paragraph 3 of Article 46 of Act No. 90/2018, cf. paragraph 5 of Article 83 of the Regulation. The letter also outlines the issues that the Data Protection Authority considered could lead to a fine being imposed and have an impact on the amount of the fine, according to paragraph 1 of Article 47 of the Act, cf. paragraph 2 of Article 83 of the Regulation.

23. The Capital Region Health Service emphasizes that the agency entered into an agreement with the Lágmúli Health Service (16 April 2016) following a licensing process according to paragraph 2 of Article 20 of Act No. 55/2009. The other agreements on the merger of health record systems were based in substance on that agreement, despite the fact that they did not go through a formal licensing process. The Health Service admits that there were shortcomings in the handling of those agreements, as the conditions of paragraph 2 of Article 20 of Act No. 55/2009 were not met. It is noted that the health service considers it to serve the interests and activities of the institution to conclude the case in the manner proposed by the Data Protection Authority in its letter dated 18 December 2024.

Premises and conclusion

Legal environment

24. This case concerns the processing of personal data in the joint medical record system of the Capital Region Health Service. It therefore concerns the processing of personal data that falls within the scope of Act No. 90/2018 on the Protection of Personal Data and the Processing of Personal Data and thus the competence of the Data Protection Authority, cf. paragraph 1 of Article 4, paragraph 2 of Article 1 and paragraph 1 of Article 39 of the Act.

25. The person responsible for the processing of personal data is considered to be the controller of the processing, cf. point 6 of Article 3 of Act No. 90/2018 and point 7 of Article 4 of Regulation (EU) 2016/679.

26. All processing of personal data must be subject to one of the authorisation provisions of Article 9 of Act No. 90/2018, cf. Article 6(1) of Regulation (EU) 2016/679. This includes the processing of personal data if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, cf. point 5 of the legal provision and point e of the regulatory provision. In accordance with point b of Article 6(3) of the Regulation, the basis for processing based on the said authorisation shall be laid down in the law of the Member State to which the controller is subject.

27. Processing of sensitive personal data, including health data, cf. point b of Article 3(3) of the Act and Article 9(1) of the Regulation, must also comply with one of the additional conditions of Article 11(1) of the Act, cf. Article 9(2) of the Regulation. These include that the processing is necessary for reasons of public interest in the field of public health, such as to protect against serious cross-border threats to health or to ensure the quality and safety of healthcare and medicinal products or medical devices, and is carried out on the basis of a law which provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject, cf. point 9 of the Act and point i of the Regulation.

28. The controller shall ensure that personal data are processed lawfully, cf. point 1 of Article 8(1) of Act No. 90/2018 and point a of Article 5(1) of Regulation (EU) 2016/679. This means that the processing of personal data must be based on appropriate processing authorisations and controllers must be able to demonstrate that all conditions of a specific processing authorisation are met, cf. paragraph 2 of the referenced articles.

29. When assessing whether the legal provisions outlined above are complied with, the provisions of other applicable laws must be taken into account. In the present case, Act No. 55/2009 on medical records is particularly examined in this regard.

30. The term "joint medical record system" is defined in point 8 of Article 3 of Act No. 55/2009 as an electronic medical record system of two or more health institutions or health care professionals' offices. Chapter VI of the Act discusses joint medical record systems in more detail. Paragraph 1 of Article 20 of the Act states that two or more health institutions and health care professionals' offices are permitted, with the permission of the Minister, to enter and store the medical records of patients who come to them for treatment in a joint electronic medical record system. Paragraph 2 of the same article prescribes the conditions for the operation of these systems. According to the provision, the Minister's permission to operate a joint medical record system shall only be granted if it is demonstrated that a joint medical record system is suitable for ensuring better patient safety during treatment. It also states that the Minister may subject the permission pursuant to paragraph 1 to the conditions he deems necessary to ensure the high-quality entry of medical records, their secure storage and the protection of medical record information. The Minister's permission shall also be subject to the conditions that the operation of the system meets the requirements of the current Regulation on Medical Records, now Regulation No. 550/2015, cf. point 1 of the provision, and that there is confirmation from the Icelandic Data Protection Authority that the security of personal data in the joint electronic medical record system is ensured in accordance with the Act on the Protection of Personal Data and the Processing of Personal Data and the Icelandic Data Protection Authority's rules on the security of personal data, cf. point 2 of the provision.

31. In the comments to Article 20 of the bill on the Medical Records Act, the condition that a joint medical record system should be suitable for better ensuring patient safety during treatment is discussed in more detail. It is stated that it must be demonstrated with professional arguments that a joint medical record system better ensures the interests of patients than is possible by sharing information through the interconnection of electronic medical record systems, cf. the comments to Article 18 of the bill. It is pointed out that it is generally possible to ensure the privacy interests of patients better in separate medical record systems and that valid professional arguments are therefore needed to justify a deviation from this.

Lawfulness of processing

32. It is known that the Capital Region Health Service made a decision to negotiate with certain parties on the operation of a joint medical record system and on that basis granted the relevant parties access to the institution's patient medical records. The health service is considered the controller of the processing of personal data involved, cf. point 6 of Article 3 of Act No. 90/2018 and point 7 of Article 4 of Regulation (EU) 2016/679. Given that the present case focuses solely on the Capital Region Health Service, the liability of other parties is not examined here.

33. As previously explained, healthcare institutions and healthcare professionals' offices are permitted, with the permission of the Minister, to enter and store the medical records of patients who come to them for treatment in a common electronic medical record system, if it is demonstrated that this is conducive to better ensuring patient safety, cf. Article 20 of Act No. 55/2009. In view of the aforementioned provision, the Icelandic Data Protection Authority considers that the processing of personal data involved in the merger of electronic medical record systems can be based on the authorization of point 5 of Article 9 of Act No. 90/2018, cf. point e of paragraph 1 of Article 6 of Regulation (EU) 2016/679, where the processing may be necessary for the public interest in better ensuring patient safety in the provision of healthcare. The Data Protection Authority also considers that the additional conditions of point 9 of paragraph 1 of Article 11 of the Act, cf. point h of paragraph 2 of Article 9 of the Regulation, may apply to the merger of health record systems, cf. the discussion of the provisions in paragraph 27.

34. The Ministry of Welfare granted permission for the merger of the health record systems of the Capital Region Health Service and the Lágmúli Health Service on 10 February 2016, despite reservations in the Data Protection Authority's opinion, cf. the discussion in paragraph 13. Considering that the permission was granted, the Data Protection Authority has no grounds to object to the legality of the merger of the health record systems of the institutions in question, in light of what is discussed in paragraph 30.

35. However, it is clear that the Minister's permission was not obtained in the other cases under discussion in this case, nor was confirmation sought from the Data Protection Authority that the security of personal data was guaranteed in the joint health record system, despite the requirement in Article 20 of Act No. 55/2009 on this subject. The provision stipulates that the Minister's permission to operate a joint health record system shall only be granted if it is demonstrated that it is suitable for better ensuring patient safety during treatment. The provision requires that it be demonstrated with professional arguments that a joint health record system better protects the interests of patients than is possible with the sharing of information through the interconnection of electronic health record systems, cf. the discussion in paragraph 31. In the opinion of the Data Protection Authority, it is therefore clear that such an assessment must be carried out each time a new party enters the joint health record system of the Capital Region Health Service. The Data Protection Authority also considers it clear that the provision requires that the agency's confirmation of the security of the joint health record system be sought with each granting of a permit by the Minister.

36. In light of the above, the Data Protection Authority considers that the Capital Region Health Service has not demonstrated that the processing of personal data, which consisted of providing parties other than the Lágmúli Health Service with access to the agency's joint health record system, was permitted, cf. point 1 of paragraph 1 and paragraph 2 of Article 8, paragraph 1 of Article 9 and Article 11 of Act No. 90/2018, cf. point a of paragraph 1 and paragraph 2 of Article 5, paragraph 1 of Article 6 and paragraph 1 of Article 9 of Regulation (EU) 679/2016, as the conditions of paragraphs 1 and 2 of Article 20 of Act No. 55/2009 were not met in the mergers in question.

37. It is known that the Capital Region Health Service has now requested permission from the Minister for the entry and storage of medical records in a joint medical record system with the Höfði Health Service, the Salahverfi Health Service, the Urðarhvarfi Health Service, the Höfði Suðurnes Health Service and the Reykjavík City Welfare Department. It has also been reported that the Capital Region Health Service has closed all access granted to the Aviation Medical Centre, the Icelandic Football Association, the Icelandic Transport Authority and the Directorate of Labour. The Data Protection Authority also considers that it is in the best interests of patients to ensure that the arrangement of the medical record remains unchanged for the benefit of treatment until the Minister's decision on the granting of the permit is available. In light of this, there is no reason to issue instructions for improvements to the Capital Region Health Service, cf. Article 42 of Act No. 90/2018 and paragraph 2 of Article 58 of Regulation (EU) 2016/679, at this time, despite the above-mentioned conclusion.

Decision on the imposition of administrative fines

38. According to the first paragraph of Article 46 of Act No.
90/2018, the Data Protection Authority may impose an administrative fine on any controller who violates any of the provisions of the Regulation listed in paragraphs 2 and 3 of the same article.39. A fine pursuant to paragraph 3 of Article 46 of the Act may amount to from ISK 100,000 to ISK 2.4 billion or up to 4% of a company's annual global turnover, when Articles 5, 6 and 9 of the Regulation have been violated, among others. As explained in paragraph 36 above, the Health Service in the Capital Region violated the provisions in question.40. When deciding whether to impose an administrative fine and what its amount should be, the factors listed in paragraph 1 of Article 47 of Act No. 90/2018, cf. paragraph 2 of the same article, shall be taken into account. Article 83 of Regulation (EU) 2016/679. In light of these provisions, the Data Protection Authority considers that the following points will be assessed by the Capital Region Health Service in order to remedy the situation when deciding whether to impose an administrative fine and what its amount should be:1. No damage appears to have occurred as a result of the Capital Region Health Service's violations, cf. point 1 of paragraph 1 of Article 47 of Act No. 90/2018 and point a of paragraph 2 of Article 83 of Regulation (EU) 2016/679.2. The Capital Region Health Service has responded promptly to the Data Protection Authority's requests, has committed violations of data protection legislation and has now applied for permission from the Minister to merge the health record systems and has blocked access to those parties who are not considered competent to access them at all, cf. points 3 and 6 of paragraph 1 of Article 47 of the Act and points c and f of the 2nd paragraph of Article 83 of the Regulation.41. The Data Protection Authority further considers that the following points lead to an administrative fine being imposed on the Capital Region Health Service and have the effect of increasing it:1. 
The violation was against the provisions of Regulation (EU) 2016/679 which fall under the 3rd paragraph of Article 46 of Act No. 90/2018 and are considered serious when compared with the maximum amount of fines under the 2nd paragraph of the same provision, cf. point 1 of the 1st paragraph of Article 47 of the Act and point a of the 2nd paragraph of Article 83 of the Regulation.2. The violations by the Capital Region Health Service involve many thousands of registered individuals and the processing is extensive in that respect, cf. point 1 of the 1st paragraph of Article 47 of the Act. of the Act and point a of paragraph 2 of Article 83 of the Regulation.3. The violations of the Capital Region Health Care were long-standing, as it is clear that the processing of personal data in the institution's joint medical record system has been ongoing for a number of years, cf. point 1 of paragraph 1 of Article 47 of the Act and point a of paragraph 2 of Article 83 of the Regulation.4. The Capital Region Health Care Agreements on joint medical record systems clearly stipulate that the Minister's permission must be obtained, subject to confirmation by the Data Protection Authority, in accordance with Article 20 of Act No. 55/2009. In addition, that obligation is clearly stipulated in the referenced legal provision. Despite this, the Minister's permission was not obtained in connection with agreements other than with the Health Care in Lágmúli. In this respect, the Data Protection Authority considers that the basis must be that the healthcare breach was committed with the lowest level of intent, cf. point 2. of the 1st paragraph of Article 47 of the Act and point b. of the 2nd paragraph of Article 83 of the Regulation.5. The breaches of the healthcare system in the capital region concern health information, which is considered sensitive personal information, cf. point b. of the 3rd paragraph of Article 3 of Act No. 90/2018 and point 1. 
of Article 9 of Regulation (EU) 2016/679, cf. point 7. of the 1st paragraph of Article 47 of the Act and point g. of the 2nd paragraph of Article 83 of the Regulation.42. In view of all the above, it is the conclusion of the Data Protection Authority that an administrative fine should be imposed on the Reykjavík Region Health Service for the violations of the data protection legislation outlined above. It considers it appropriate to set the fine at 5,000,000 krónur. The decision:43. The Reykjavík Region Health Service has not demonstrated that the processing of personal data, which consisted of providing Reykjavík Home Care, Höfði Health Service, Salahverfi Health Service, Urðarhvarfi Health Service, the Icelandic Football Association, the Aviation Medical Centre, the Icelandic Transport Authority, Janusi Rehabilitation ehf., Höfði Suðurnes Health Service, the Reykjavík City Welfare Department and the Directorate of Labour, was permitted, cf. point 1. of the 1st paragraph and paragraph 2. Article 8, paragraph 1 of Article 9 and paragraph 1 of Article 11 of Act No. 90/2018, cf. point a of paragraph 1 and paragraph 2 of Article 5, paragraph 1 of Article 6 and paragraph 1 of Article 9 of Regulation (EU) 679/2016, as the conditions of paragraphs 1 and 2 of Article 20 of Act No. 55/2009 were not met in the mergers in question.44. An administrative fine of ISK 5,000,000 is imposed on the Capital Region Health Service. The fine shall be paid to the State Treasury within one month from the date of this decision, cf. paragraph 6 of Article 46 of Act No. 90/2018.Privacy, February 17, 2025Ólafur GarðarssonChairmanÁrnína Steinunn KristjánsdóttirBjörn GeirssonVilhelmína HaraldsdóttirÞorvarður Kári Ólafsson