Datainspektionen - DI-2019-3839
| Datainspektionen - DI-2019-3839 | |
|---|---|
| Authority: | Datainspektionen (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 32(1) GDPR; Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 02.12.2020 |
| Published: | 02.12.2020 |
| Fine: | 4000000 SEK |
| Parties: | Styrelsen för Karolinska Universitetssjukhuset |
| National Case Number/Name: | DI-2019-3839 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Swedish |
| Original Source: | Datainspektionen (in SV) |
| Initial Contributor: | Charlotte Godhe |
The Swedish DPA holds that, under Article 32 GDPR, access to medical records has to be restricted to what each individual care worker needs in order to perform his or her job.
English Summary
Facts
The Karolinska University Hospital granted healthcare personnel access to patient records (journals) according to their role, that is, according to whether they were doctors or nurses. As a result, the system allowed staff to access almost all medical records, regardless of whether they needed them.
Dispute
Had the Karolinska University Hospital taken organisational measures to limit access to personal data in the medical record system, under Article 32 GDPR?
Holding
The DPA held that the Karolinska University Hospital had not restricted access to patient records based on what the individual healthcare worker needed in order to perform their work. The hospital had thus not taken appropriate organisational measures under Articles 5(1) and 32 GDPR to limit access to personal data. The hospital had therefore also failed to ensure appropriate security for personal data under Article 5(2) GDPR.
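The distinction the DPA draws is between access granted by role alone and access tied to an actual need. The following is an added illustration, not code from the decision or from the hospital's record system, and every name, role and date in it is constructed: a role-based check that lets any clinician read any record, beside a need-to-know check that requires an active care relationship with the patient and logs every decision (including any emergency override) so that unusual accesses can be reviewed afterwards.

```python
"""Role-based versus need-to-know access to medical records.

Added example; all staff, patients, records and assignments are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str  # "doctor", "nurse" or something else


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str


@dataclass
class CareAssignment:
    """A documented care relationship between a clinician and a patient."""
    user_id: str
    patient_id: str
    start: date
    end: Optional[date] = None  # None means the relationship is still active

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


CLINICAL_ROLES = {"doctor", "nurse"}


def role_based_allows(user: Staff, record: Record) -> bool:
    """The model the decision criticises: any clinician may read any record."""
    return user.role in CLINICAL_ROLES


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class NeedToKnowPolicy:
    """Access requires a clinical role AND an active care relationship.

    An explicit emergency override is permitted but recorded for review.
    """
    assignments: List[CareAssignment]
    audit_log: List[tuple] = field(default_factory=list)

    def decide(self, user: Staff, record: Record, today: date,
               emergency: bool = False) -> AccessDecision:
        has_relationship = any(
            a.user_id == user.user_id
            and a.patient_id == record.patient_id
            and a.active_on(today)
            for a in self.assignments
        )
        if user.role not in CLINICAL_ROLES:
            decision = AccessDecision(False, "not clinical staff")
        elif has_relationship:
            decision = AccessDecision(True, "active care relationship")
        elif emergency:
            decision = AccessDecision(True, "emergency override")
        else:
            decision = AccessDecision(False, "no care relationship with patient")
        # Every decision, allowed or not, is logged (Article 5(2) accountability).
        self.audit_log.append((today.isoformat(), user.user_id,
                               record.record_id, decision.allowed, decision.reason))
        return decision

    def overrides_for_review(self) -> List[tuple]:
        """Accesses that bypassed the care-relationship check."""
        return [e for e in self.audit_log if e[4] == "emergency override"]


# Constructed sample data
STAFF = {"d1": Staff("d1", "doctor"), "n1": Staff("n1", "nurse"),
         "x1": Staff("x1", "admin")}
RECORDS = {"r1": Record("r1", "p1"), "r2": Record("r2", "p2")}
ASSIGNMENTS = [
    CareAssignment("d1", "p1", date(2020, 11, 1)),                    # ongoing
    CareAssignment("n1", "p2", date(2020, 10, 1), date(2020, 10, 31)),  # ended
]


def run_demo() -> dict:
    """Exercise both models on the sample data; returns the outcomes."""
    today = date(2020, 12, 2)
    policy = NeedToKnowPolicy(ASSIGNMENTS)
    return {
        "role_model_doctor_any_record": role_based_allows(STAFF["d1"], RECORDS["r2"]),
        "doctor_own_patient": policy.decide(STAFF["d1"], RECORDS["r1"], today).allowed,
        "doctor_other_patient": policy.decide(STAFF["d1"], RECORDS["r2"], today).allowed,
        "nurse_ended_assignment": policy.decide(STAFF["n1"], RECORDS["r2"], today).allowed,
        "nurse_emergency": policy.decide(STAFF["n1"], RECORDS["r2"], today, emergency=True).allowed,
        "admin_emergency": policy.decide(STAFF["x1"], RECORDS["r1"], today, emergency=True).allowed,
        "log_entries": len(policy.audit_log),
        "overrides": len(policy.overrides_for_review()),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The care-relationship table is the organisational measure the decision asks for: access follows documented assignments rather than job title, assignments expire, and any override is a distinct, reviewable event rather than indistinguishable routine access.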
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.