Datainspektionen - DI-2019-3844
From GDPRhub
| Datainspektionen - DI-2019-3844 | |
|---|---|
 | |
| Authority: | Datainspektionen (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 32(1) GDPR Article 32(2) GDPR Patientdatalagen (2008:355) |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 02.12.2020 |
| Published: | 02.12.2020 |
| Fine: | 15000000 SEK |
| Parties: | Aleris Sjukvård AB |
| National Case Number/Name: | DI-2019-3844 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | Datainspektionen (in SV) |
| Initial Contributor: | Elisavet Dravalou |
The Swedish DPA (Datainspektionen) imposed a €1.466 million (approximately) fine on the healthcare provider "Aleris Sjukvård AB" for not carrying out the risk assessments required by the Patient Data Act and for granting their employees access to all personal data in the patients' journal system in breach of Article 32 GDPR.
English Summary
Facts
The audit to Aleris Sjukvård AB from the Swedish DPA was initiated in May 2019. Aleris is a healthcare provider and uses a system named "TakeCare" as the main journal keeping system where they store and maintain the patients' journals. According to the Patient Data Act, a caregiver must conduct a needs and risk analysis before allocating access rights in the patients' journals.
Dispute
Holding
The DPA found that Aleris Sjukvård AB did not carry out these assessments and it has granted access to patients' journal to all employees apart from the technicians. By doing so, Aleris Sjukvård AB breached the obligation to apply appropriate technical and organisational measures to ensure the security of the personal data, imposed to controllers by Article 32 GDPR.
The DPA imposed a fine of 15 millions SEK (approximately €1466000).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Decision Diary No. 1 (30)
2020-12-02 DI-2019-3844
Aleris Sjukvård AB
c / o Aleris Specialist Care Sabbatsberg
Box 6401
113 82 Stockholm
Stockholm County
Supervision under the Data Protection Regulation and
Patient Data Act- needs and risk analysis and
questions about access in journal systems
Table of Contents
The Data Inspectorate's decision ................................................ ..................................... 2
Report on the supervisory matter ............................................... .............................. 3
What has emerged in the case ............................................. .......................... 3
Internal privacy ................................................ .................................................. ... 5
Consolidated record keeping ................................................ ............................ 8
Documentation of access (logs) ............................................ ............... 9
Aleris opinion on the Data Inspectorate's letter .......................................... 9
Motivation for decision ............................................... ............................................. 10
Applicable rules................................................ ........................................... 10
The Data Inspectorate's assessment ................................................ ....................... 15
Choice of intervention ............................................... .............................................. 23
Appendix ................................................. .................................................. ............. 29
Copy for knowledge of .............................................. ................................... 29
How to appeal............................................... ........................................... 29
Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se
Website: www.datainspektionen.se Phone: 08-657 61 00
Page 1 of 30Datainspektionen DI-2019-3844 2 (30)
The Data Inspectorate's decision
During a review on April 8, 2019, the Data Inspectorate has established that Aleris
Sjukvård AB processes personal data in violation of Article 5 (1) (f) and (2) and
Article 32 (1) and (2) of the Data Protection Regulation by
1. Aleris Sjukvård AB has not carried out a needs and risk analysis
before the allocation of permissions takes place in the journal system TakeCare, i
in accordance with ch. 4 § 2 and ch. 6 Section 7 of the Patient Data Act (2008: 355)
and ch. 4 Section 2 The National Board of Health and Welfare's regulations and general advice on
record keeping and processing of personal data in health and
healthcare (HSLF-FS 2016: 40). This means that Aleris Sjukvård AB
have not taken appropriate organizational measures to be able to
ensure and be able to show that the processing of personal data has
a security that is appropriate in relation to the risks.
2. Aleris Sjukvård AB does not limit users' permissions for
access to the TakeCare journal system for what is only needed for
that the user should be able to fulfill his tasks in the health
and healthcare according to ch. 4 § 2 and ch. 6 Section 7 of the Patient Data Act and 4
Cape. 2 § HSLF-FS 2016: 40. This means that Aleris Sjukvård AB does not have
taken measures to be able to ensure and be able to show a suitable
security of personal data.
The Data Inspectorate decides on the basis of Articles 58 (2) and 83 i
the Data Protection Ordinance to Aleris Sjukvård AB, for violation of
Article 5 (1) (f) and (2) and Article 32 (1) and (2) of the Data Protection Regulation;
shall pay an administrative penalty fee of 15,000,000 (fifteen
million).
The Data Inspectorate submits pursuant to Article 58 (2) (d) i
data protection ordinance Aleris Sjukvård AB to implement and document
required needs and risk analysis for the TakeCare medical record system and that
then, based on the needs and risk analysis, assign each user
1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016
on the protection of individuals with regard to the processing of personal data and on that
free flow of such data and repealing Directive 95/46 / EC (General
Data Protection Regulation).
Page 2 of 30Datainspektionen DI-2019-3844 3 (30)
individual access to personal data restricted to
only what is needed for the individual to be able to fulfill his
duties in health care, in accordance with Article 5 (1) (f) and
Article 32 (1) and (2) of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 § 7
the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40.
Report on the supervisory matter
The Data Inspectorate's inspection began with an inspection letter on 22 March
2019 and has taken place both in writing and through on-site inspection on April 8
2019. The audit has been intended to control whether Aleris Sjukvård AB's (hereinafter referred to as
Aleris) decision on the allocation of authorizations has been preceded by a need and
risk analysis. The supervision has also included how Aleris has granted authorizations
for access to the TakeCare master journal system, and which
access opportunities the granted privileges provide within both the framework of
the internal secrecy according to ch. the Patient Data Act, as the cohesive one
record keeping according to ch. 6 patient data law. In addition to this has
The Data Inspectorate examined which documentation of access (logs) as
is in the journal system.
The Data Inspectorate has only examined the user's access to
the journal system, i.e. what care documentation the user can actually take
part of and read. The supervision has not included which functions were included in
the competence, ie. what the user can actually do in the journal system
(eg issuing prescriptions, writing referrals, etc.).
The inspection is one of several inspections within the framework of a self-initiated
supervisory project at the Swedish Data Inspectorate, where i.a. Karolinska
The university hospital has been included. Due to what has emerged about
Aleri's view on the technical possibilities to limit
readability for its users in TakeCare, Aleris was asked in particular
comment on an opinion from Karolinska University Hospital, which also
uses TakeCare, where the technical possibilities regarding TakeCare
was described.
What has emerged in the case
Aleris has essentially stated the following.
Page 3 of 30Datainspektionen DI-2019-3844 4 (30)
Personal data responsibility
Aleris is the care provider and personal data manager.
The business
Aleri's ownership structure has changed after the Data Inspectorate's review
initiated. Aleris 'new ownership structure is shown in Aleris' supplement from 16
November 2020. The supplement states, among other things, the following.
Aleris has been part of the newly formed Group Parent Company since October 1, 2019,
Aleris Group AB (corporate identity number 559210-7550), and is a subsidiary of Aleris
Healthcare AB (org.nr. 556598–6782). Aleris Group AB is owned by Triton.
Group sales for Aleris Group AB amounted to SEK 1,215,385,000
between October 1, 2019 and December 31, 2019. Since Aleris Group
AB was formed in connection with the change of ownership when Aleris Healthcare AB joined
subsidiaries were acquired, only turnover figures are available for this
period.
The annual turnover for Aleris Healthcare AB amounted to SEK 30,223,866
during 2019.
Journal system
Aleris has been using TakeCare as its main record system since 28 May 2012
for internal secrecy and within the framework of the cohesive
record keeping.
Federation Collaboration TakeCare (FSTC) is the customer of the medical record system
TakeCare and CompuGroup Medical (CGM) are suppliers of the medical record system
and is responsible for the functions that the system has to control permissions.
All functions in the journal system are created by CGM, but it is Aleris who
chooses which functions a certain staff category should have access to among
the functions that are entered. Aleris has no technical possibilities to do
changes in TakeCare because Aleris has no control over
the journal system. Aleris is only a user of the system.
Aleris has not been able to make any demands on CGM in the procurement of
the journal system. The company has, for example, pointed out that there have been problems
with the record system consisting of, as far as the allocation of competences is concerned, that
Page 4 of 30Datainspektionen DI-2019-3844 5 (30)
the system cannot separate read and print permissions for a read function.
CGM has not been interested in changing this despite comments from
Aleris.
It is FSTC that can order changes to the functions and that is then
up to CGM if they want to make the changes or not. Aleris has one
representative in FSTC who can express Aleri's wishes. However, Aleris has not
received some hearing for the company's views.
Number of patients and employees
Aleris had 796,350 unique patients in TakeCare as of May 20, 2019. How
however, many of those who died could not be retrieved.
In May 2019, there were 1,058 active users, 807 active accounts and 63
units in the journal system TakeCare. The number of active users (ie employees
and consultants who may have access to TakeCare) have been calculated by
calculate the number of active AD accounts at relevant cost centers.
Internal secrecy
Aleris has essentially stated the following.
Needs and risk analysis
Aleris has stated that needs and risk analyzes aimed at TakeCare are performed
by a designated risk analysis team for the purpose of reviewing the applicable authorization allocation
and possibly determine new conditions for granting eligibility. Permissions
is always limited to what is needed for the employee to be able to perform
their work and contribute to safe care. The need versus the risk of improperness
access is always weighed against each other before permissions are granted. General
authorization profiles are available, specific authorizations are assigned if necessary. The
later examined in particular in the subsequent analysis of the designated risk analysis team. What
What is especially considered are the risks that can arise if an employee has
too broad eligibility versus too low eligibility and thus not access to
relevant patient information. The result from the needs and risk analysis is
then the basis for selecting the authorization profile used in the assignment
of competencies within Aleris.
Eligibility for TakeCare is ordered by the responsible manager, as stated in
the document, “TakeCare Authorization Management”. The document also states
that the competence is personal and that its scope is based on
Page 5 of 30Datainspektionen DI-2019-3844 6 (30)
the user's professional role and organizational domicile. Furthermore, it appears that
the care provider must ensure that the authority for access to patient data
limited to what a user needs to be able to perform their
tasks in health care.
Aleris has a document called "Needs and Risk Analysis-TakeCare".
The document has looked like it does today since May 28, 2012 when TakeCare
was introduced and applies both to internal secrecy and within its framework
coherent record keeping. The document shows the different profiles,
so-called authority groups. The document shows, among other things
the reading rights and the writing rights for each authority group.
All profiles except technicians have been granted read access to the data in
TakeCare. The eligibility for each group has been justified. The doctors are going to
examples be able to perform their duties and are responsible for
patient information, while the system administrator must be able to troubleshoot,
manage and set up users, systems and local administrators.
Under the heading "Risk of restricted access" it is stated that the user "cannot
perform their duties in full ”. This justification is stated for all
profiles (except for the local administrators where the motivation is “Can not
manage permissions and implement corrective actions ”). During
The heading “Risk of extensive access” states, among other things, that “There is one
risk of disclosure of patient information '. Similar justification is given for everyone
profiles.
Authorization of access to personal data about patients
Aleris has stated that it is the system administrator who has the highest
the level of competence, ie full authorization, in TakeCare. The local
the administrator has access to his own device and is the one who assigns
permissions within the device. What privileges an administrator imposes
a user depends on the business to which the user belongs and on
the user's tasks. All users get the “minimum they should have
to cope ”in terms of accessibility. Access can, however
expanded if necessary. There are basic profiles for, for example, assistant nurses,
who are given the qualifications needed to carry out their duties
tasks. If the manager considers that the assistant nurses need one
extended privileges, local administrators ensure that privileges
"Hangs up" the basic profile. If the extended authorization is not needed, it can be taken
away from the basic profile.
Page 6 of 30Datainspektionen DI-2019-3844 7 (30)
Aleris has stated that all accounts within Aleris are individual and that
authorizations are granted on the basis of the document, ‘Needs and risk analysis
TakeCare ”. As previously mentioned, it appears from the document that everyone
professional profiles in addition to technicians have been granted reading access to the data in
TakeCare.
However, Aleris has stated that all users have different read permissions in
the journal system based on which system functions they have access to
Aleris. According to Aleris, it is possible to steer away access opportunities to TakeCare
by giving different staff access to different functions. Each
staff category only gets access to the functions they need for
to be able to perform their work. Technicians, for example, have limited qualifications
depending on what they are going to do in the system. They only get reading permission if they
need it in their work. Another example concerns users who only
will be at the checkout and thus do not need a reading license.
There is no staff that only has the task of managing the cash register
the current situation.
By choosing different functions for different users, a difference is made in
what different users can do in the system, e.g. as regards verify, sign,
etc. In total, there are 640 different system functions that you can choose to provide
authority to. Among these features, Aleris has selected the features that
different staff categories need to have access to in order to operate safely
patient work. The document "Profiles and permissions" shows the different ones
permissions that each category of staff has been assigned in TakeCare, e.g.
dictate audio files, read activities, sign, read emergency information, read journal text,
vidimering, read referral, administer drug prescription, read scanned
documents and approve care sessions. The document states, among other things
that all profiles ie. doctors, nurses, assistant nurses,
paramedics, secretaries, "administrative", students and "Receptionist
Rehab "has the authority to" read journal text "and that everyone except
"Receptionist Rehab" is authorized to "read scanned documents" in
TakeCare. It also appears that only doctors are authorized to “read
emergency tasks ”and that all profiles except assistant nurse and
"Administrative" can "read diagnoses" in TakeCare.
Aleris has stated that the starting point is that one user on one device only
has read access to the patient records available on the device. One
users who need to read journal entries from another device must
Page 7 of 30Datainspektionen DI-2019-3844 8 (30)
make an active choice in the system. By active choices is meant that the user is allowed to do
a number of "clicks" and select the current device (this function is called
journal filter). Authorization to be able to use the journal filter is given to them
users who need this to be able to perform their work.
The user can never accidentally read one patient record from another
unit.
Aleris has stated that there are features in TakeCare to a caregiver
should be able to "isolate" one care unit and thereby "shut out" others
caregivers 'and care units' access possibilities to the unit's
care documentation, so-called protected units. However, Aleris does not operate
any activity that requires protected devices and has therefore not used
of this function.
Coherent record keeping
Aleris has essentially stated the following.
Needs and risk analysis
The document “Needs and risk analysis - TakeCare” also applies to the system for
coherent record keeping.
Authorization of access to personal data about patients
The allocation of authority takes place in the same way as within the framework of the internal
secrecy.
Within the framework of coherent record keeping in TakeCare, users can take
part of all care documentation with other care providers included in the system.
The user can initially see if a patient is current with other care providers,
but not which. To be able to see who these caregivers are, the user must
click on in the system, ie. make active choices. The user must then
click in the box "consent" or "emergency access" to access it
specific caregiver records.
Aleris has stated the following due to Karolinska
The University Hospital in a statement has stated that there are opportunities to
restrict access in TakeCare.
There is a function to "isolate" a care unit and thereby close
access to other care providers and care units (so-called
Page 8 of 30Datainspektionen DI-2019-3844 9 (30)
protected devices). A care provider can thus from a technical perspective
restrict other care providers' access to their own care documentation.
However, Aleris has assessed that the company does not conduct any business as
need to be blocked and that it is more patient safe to let the patient information
at Aleri's units be available to other care providers. According to Aleris, it is
moreover, not allowed to implement such restrictions if one
caregivers use the TakeCare medical record system and at the same time are part of
coherent record keeping. This following a decision from the Stockholm Region. The
means that all users of Aleris have access to all patient data
at the other care providers in TakeCare, except when patients have requested to
get their information blocked (a so-called caregiver block).
According to Aleris, from a patient safety perspective, this is not practically possible
to opt out of individual care providers' access to their own care documentation
in TakeCare (except for protected devices). Either is the caregiver
included in the system for coherent record keeping or not. It is not possible to
restrict access for competent persons to the information of other care providers
and at the same time in a meaningful way participate in coherent record keeping.
According to Aleris, it is not possible to determine in advance which data are in one
certain cases may be important for patient-safe care. Aleris has therefore decided
not to actively block other caregivers' records. However, such as
mentioned, a caregiver himself blocks other caregivers' access to TakeCare there
these have made the assessment that their patients' medical records should not be
available to other caregivers. These devices are marked in TakeCare
with an asterisk. In this way, a selection of care units has already been made
Aleri's staff do not have access to.
Documentation of access (logs)
Aleri's log documentation states, among other things: the user's and
patient's identity, care unit, date, time, information to the user
has documented in the journal during the last 18 months as well as information
that the patient has had contact with the care unit during the last 18
months.
Aleris has the ability to perform targeted log checks. That means Aleris
can see exactly what a user has done in the system. About the patient or Aleris
suspects data breaches, Aleris can also perform an in-depth log check.
Page 9 of 30Data Inspectorate DI-2019-3844 1 0 (30)
Also all activities that take place within the framework of coherent record keeping
logged in the system. It also means that all active selections are logged in the system. If
the user, for example, has selected "consent" or "emergency access" to be able to take
part of a patient's information to another care provider, this will be
appear from the log documentation.
Aleri's opinion on the Data Inspectorate's letter
Aleris has in comments on the letter Final communication before decision as
received by the Swedish Data Inspectorate on 20 March 2020 stated the following, among other things.
The Data Inspectorate should take into account the figures for the economic unit where they
The alleged shortcomings have taken place, ie Aleris Sjukvård AB.
Aleris has actively worked to continuously strengthen the interior and exterior
confidentiality, including the functionality of TakeCare. When Aleris took over
adequate measures to strengthen, through FSTC, the integrity of TakeCare
actual deficiencies in TakeCare should not be considered to be Aleris' fault.
Justification of decision
Applicable rules
The Data Protection Regulation is the primary source of law
The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and
is the primary legal regulation in the processing of personal data. This
also applies to health care.
The basic principles for the processing of personal data are set out in
Article 5 of the Data Protection Regulation. A basic principle is the requirement
security pursuant to Article 5 (1) (f), which states that personal data shall be processed
in a way that ensures adequate security for personal data,
including protection against unauthorized or unauthorized treatment and against loss,
destruction or damage by accident, using appropriate
technical or organizational measures.
Article 5 (2) states the so-called liability, ie. that it
“Personal data controllers must be responsible for and be able to show that they
the basic principles of paragraph 1 are complied with ".
Page 10 of 30Datainspektionen DI-2019-3844 1 1 (30)
Article 24 deals with the responsibility of the controller. Of Article 24 (1)
it appears that the person responsible for personal data is responsible for implementing appropriate
technical and organizational measures to ensure and demonstrate that
the processing is performed in accordance with the Data Protection Regulation. The measures shall
carried out taking into account the nature, scope, context of the treatment
and purposes and the risks, of varying degrees of probability and severity, for
freedoms and rights of natural persons. The measures must be reviewed and updated
if necessary.
Article 32 regulates the security associated with the processing. According to paragraph 1
the personal data controller and the personal data assistant shall take into account
of the latest developments, implementation costs and treatment
nature, scope, context and purpose as well as the risks, of varying
probability and seriousness, for the rights and freedoms of natural persons shall
the personal data controller and the personal data assistant take appropriate
technical and organizational measures to ensure a level of security
which is appropriate in relation to the risk (…). According to paragraph 2, at
the assessment of the appropriate level of safety, special consideration shall be given to the risks involved
the treatment entails, in particular from accidental or unlawful destruction,
loss or alteration or to unauthorized disclosure of or unauthorized access to
the personal data transferred, stored or otherwise processed.
Recital 75 states that in assessing the risk to natural persons
rights and freedoms, various factors must be taken into account. Among other things mentioned
personal data covered by professional secrecy, health data or
sexual life, if the processing of personal data concerning vulnerable physical persons takes place
persons, especially children, or if the treatment involves a large number
personal data and applies to a large number of registered persons.
Furthermore, it follows from recital 76 that the probable and serious risk of it
data subjects' rights and freedoms should be determined on the basis of processing
nature, scope, context and purpose. The risk should be evaluated on
on the basis of an objective assessment, which determines whether
the data processing involves a risk or a high risk.
Recitals 39 and 83 also contain writings that provide guidance on it
the meaning of the data protection regulation's requirements for security in
Processing of personal data.
Page 11 of 30Datainspektionen DI-2019-3844 1 2 (30)
The Data Protection Regulation and the relationship with complementary national
provisions
According to Article 5 (1). a in the Data Protection Regulation, the personal data shall
treated in a lawful manner. In order for the treatment to be considered legal, it is required
legal basis by fulfilling at least one of the conditions of Article 6 (1).
The provision of health care is one such task of general
interest referred to in Article 6 (1) (e).
In health care, the legal bases can also be legal
obligation pursuant to Article 6 (1) (c) and exercise of authority under Article 6 (1) (e)
updated.
When it comes to the legal bases legal obligation, in general
interest or exercise of authority by the Member States, in accordance with Article
6.2, maintain or introduce more specific provisions for adaptation
the application of the provisions of the Regulation to national circumstances.
National law may specify specific requirements for the processing of data
and other measures to ensure legal and equitable treatment. But
there is not only one possibility to introduce national rules but also one
duty; Article 6 (3) states that the basis for the treatment referred to in
paragraph 1 (c) and (e) shall be determined in accordance with Union law or
national law of the Member States. The legal basis may also include
specific provisions to adapt the application of the provisions of
the Data Protection Regulation. Union law or the national law of the Member States
law must fulfill an objective of general interest and be proportionate to it
legitimate goals pursued.
Article 9 states that the treatment of specific categories of
personal data (so-called sensitive personal data) is prohibited. Sensitive
personal data includes data on health. Article 9 (2) states
except when sensitive personal data may still be processed.
Article 9 (2) (h) states that the processing of sensitive personal data may be repeated
the treatment is necessary for reasons related to, among other things
the provision of health care on the basis of Union law or
national law of the Member States or in accordance with agreements with professionals in
the field of health and provided that the conditions and protective measures provided for in
referred to in paragraph 3 are met. Article 9 (3) imposes a regulated duty of confidentiality.
Page 12 of 30Datainspektionen DI-2019-3844 1 3 (30)
This means that both the legal bases of general interest,
exercise of authority and legal obligation in the treatment of the vulnerable
personal data under the exemption in Article 9 (2) (h)
supplementary rules.
Supplementary national regulations
In the case of Sweden, both the basis for the treatment and those
special conditions for the processing of personal data in the field of health and
healthcare regulated in the Patient Data Act (2008: 355) and
the Patient Data Ordinance (2008: 360). I 1 kap. Section 4 of the Patient Data Act states that
the law complements the data protection regulation.
The purpose of the Patient Data Act is to provide information in health and
healthcare must be organized so as to meet patient safety and
good quality and promotes cost efficiency. Its purpose is also to
personal data shall be designed and otherwise processed so that patients and
the privacy of other data subjects is respected. In addition, must be documented
personal data is handled and stored so that unauthorized persons do not have access to it
them (Chapter 1, Section 2 of the Patient Data Act).
The supplementary provisions in the Patient Data Act aim to:
take care of both privacy protection and patient safety. The legislator has
thus through the regulation made a balance as to how
the information must be processed to meet both the requirements for patient safety
as the right to privacy in the processing of personal data.
The National Board of Health and Welfare has, with the support of the Patient Data Ordinance, issued regulations
and general advice on record keeping and processing of personal data in
health care (HSLF-FS 2016: 40). The regulations constitute such
supplementary rules, which shall be applied in the care provider's treatment of
personal data in health care, see chap. Section 1 of the Patient Data Act.
National provisions supplementing the requirements of the Data Protection Regulation
safety can be found in Chapters 4 and 6. the Patient Data Act and Chapters 3 and 4 HSLF-FS
2016: 40.
Requirement to make a needs and risk analysis
Page 13 of 30Datainspektionen DI-2019-3844 1 4 (30)
According to ch. 4, the care provider must § 2 HSLF-FS 2016: 40 make a needs and
risk analysis, before the allocation of authorizations in the system takes place.
That the analysis requires both the needs and the risks is clear from the preparatory work
to the Patient Data Act, prop. 2007/08: 126 pp. 148-149, as follows.
Authorization for staff's electronic access to patient information shall be restricted to
what the executive needs to be able to perform his duties in health and
healthcare. This includes that authorizations must be followed up and changed or restricted accordingly
hand as changes in the tasks of the individual executive give rise to it.
The provision corresponds in principle to section 8 of the Health Care Register Act. The purpose of the provision is to
imprint the obligation of the responsible caregiver to make active and individual
eligibility assignments based on analyzes of which details are different
staff categories and different types of activities need. But it's not just needed
needs analyzes. Risk analyzes must also be done where different types of risks are taken into account, such as
may be associated with an overly availability of certain types of information.
Protected personal data that is classified, information about publicly known persons,
data from certain clinics or medical specialties are examples of categories such as
may require special risk assessments.
In general, it can be said that the more comprehensive an information system is, the greater the amount
there must be different levels of authorization. Decisive for decisions on eligibility for e.g. various
categories of healthcare professionals for electronic access to data in
patient records should be that the authority should be limited to what the executive needs
for the purpose a good and safe patient care. A more extensive or coarse-meshed
competence allocation should - even if it has points from the point of view of efficiency -
is considered an unjustified dissemination of journal information within a business and should as such
not accepted.
Furthermore, data should be stored in different layers so that more sensitive data require active choices or
otherwise not as easily accessible to staff as less sensitive tasks. When it
applies to personnel who work with business follow-up, statistics production, central
financial administration and similar activities that are not individual-oriented, it should be
most executives have enough access to information that can only be indirectly derived
to individual patients. Electronic access to code keys, social security numbers and others
data that directly point out individual patients should be able to be strong in this area
limited to individuals.
Internal secrecy
The provisions in ch. 4 The Patient Data Act concerns internal confidentiality, ie.
regulates how privacy protection is to be handled within a care provider's business
and in particular employees' opportunities to prepare for access to
personal data that is electronically available in a healthcare provider
organisation.
Page 14 of 30Datainspektionen DI-2019-3844 1 5 (30)
It appears from ch. Section 2 of the Patient Data Act, that the care provider shall decide
conditions for granting access to such data
patients who are fully or partially automated. Such authorization shall
limited to what is needed for the individual to be able to fulfill theirs
tasks in health care.
Of ch. 4 § 2 HSLF-FS 2016: 40 follows that the care provider shall be responsible for each
users are assigned an individual privilege to access
personal data. The caregiver's decision on the allocation of eligibility shall
preceded by a needs and risk analysis.
Coherent record keeping
The provisions in ch. 6 the Patient Data Act concerns cohesive record keeping,
which means that a care provider - under the conditions specified in § 2 the same
chapter of that law - may have direct access to personal data that is processed
by other care providers for purposes related to care documentation. The access to
information is provided by a healthcare provider making the information about a patient
which the care provider registers if the patient is available to other care providers
which participates in the cohesive record keeping system (see Bill 2007/08: 126
p. 247).
Of ch. 6 Section 7 of the Patient Data Act follows that the provisions in Chapter 4 §§ 2 and 3 -
also applies to authorization allocation and access control at cohesion
record keeping. The requirement that the care provider must perform a needs and risk analysis
before the allocation of permissions in the system takes place, thus also applies in systems
for coherent record keeping.
Documentation of access (logs)
Of ch. 4 Section 3 of the Patient Data Act states that a care provider must ensure that
access to such data on patients who are kept in whole or in part
automatically documented and systematically checked.
According to ch. 4 Section 9 HSLF-FS 2016: 40, the care provider shall be responsible for that
1. it appears from the documentation of the access (logs) which
measures taken with information on a patient,
2. it appears from the logs at which care unit or care process
measures have been taken,
3. the logs indicate the time at which the measures were taken;
4. the identity of the user and the patient is stated in the logs.
Page 15 of 30Datainspektionen DI-2019-3844 1 6 (30)
The Data Inspectorate's assessment
Personal data controller's responsibility for security
As previously described, Article 24 (1) of the Data Protection Regulation provides a
general requirement for the personal data controller to take appropriate technical
and organizational measures. The requirement is partly to ensure that
the processing of personal data is carried out in accordance with
the Data Protection Ordinance, and that the data controller must be able to
demonstrate that the processing of personal data is carried out in accordance with
the Data Protection Regulation.
The safety associated with the treatment is regulated more specifically in the articles
5.1 f and 32 of the Data Protection Regulation.
Article 32 (1) states that the appropriate measures shall be both technical and
organizational and they must ensure a level of security that is appropriate in
in relation to the risks to the rights and freedoms of natural persons which
the treatment entails. It is therefore necessary to identify the possible ones
the risks to the data subjects' rights and freedoms and assess
the probability of the risks occurring and the severity if they occur.
What is appropriate varies not only in relation to the risks but also
based on the nature, scope, context and purpose of the treatment. It has
thus the significance of what personal data is processed, how many
data, it is a question of how many people process the data, etc.
The health service has a great need for information in its operations.
It is therefore natural that the possibilities of digitalisation are utilized so much
as possible in healthcare. Since the Patient Data Act was written, one has a lot
extensive digitization has taken place in healthcare. Both the data collections
size as the number of people sharing information with each other has increased
substantially. At the same time, this increase means that the demands on it increase
personal data controller, as the assessment of what is an appropriate
safety is affected by the extent of the treatment.
It is also a question of sensitive personal data and the data concerns
people who are in a situation of dependence when they are in need of care.
It is also often a question of a lot of personal information about each of these
people and that the data over time may be processed by very
Page 16 of 30Datainspektionen DI-2019-3844 1 7 (30)
many people in healthcare. All in all, this places great demands on it
personal data controllers.
The data processed must be protected from outside actors as well
the business as against unauthorized access from within the business. It can
It should be noted that Article 32 (2) states that the controller, at
assessment of the appropriate level of safety, in particular taking into account the risks of
unintentional or unlawful destruction, loss or unauthorized disclosure or
unauthorized access. To be able to know what is an unauthorized access must
the data controller must be clear about what an authorized access is.
Needs and risk analysis
I 4 kap. Section 2 of the National Board of Health and Welfare's regulations (HSLF-FS 2016: 40), which supplement
the Patient Data Act, it is stated that the care provider must make a needs and
risk analysis before the allocation of authorizations in the system takes place. This means that
national law prescribes requirements for an appropriate organizational measure that shall:
taken before the allocation of authorizations to journal systems takes place.
A needs and risk analysis must include an analysis of the needs and a
analysis of the risks from an integrity perspective that may be associated
with an overly allotment of access to personal data
about patients. Both the needs and the risks must be assessed on the basis of them
tasks that need to be processed in the business, what processes it is
the question of whether and what risks to the privacy of the individual exist.
The assessments of the risks need to be made on the basis of organizational level, there
for example, a certain business part or task may be more
privacy sensitive than another, but also based on the individual level, if it is
the issue of special circumstances that need to be taken into account, such as
that it is a question of protected personal data, publicly known persons or
otherwise particularly vulnerable persons. The size of the system also affects
the risk assessment. The preparatory work for the Patient Data Act shows that the more
comprehensive an information system is, the greater the variety
eligibility levels must exist (Bill 2007/08: 126 p. 149). It is thus
the question of a strategic analysis at the strategic level, which should provide one
authorization structure that is adapted to the business and this must be maintained
updated.
In summary, the regulation requires that the risk analysis identifies
different categories of tasks,
Page 17 of 30Datainspektionen DI-2019-3844 1 8 (30)
Categories of data subjects (eg vulnerable natural persons and
children), or
the scope (eg number of personal data and registered)
negative consequences for data subjects (eg injuries,
significant social or economic disadvantage, deprivation of rights
and freedoms),
and how they affect the risk to the rights and freedoms of natural persons
Processing of personal data. This applies both within internal secrecy
as in coherent record keeping.
The risk analysis must also include special risk assessments, for example
based on whether there is protected personal data that is
classified, information on public figures, information from
certain clinics or medical specialties (Bill 2007/08: 126 p. 148-
149).
The risk analysis must also include an assessment of how probable and serious
the risk to the data subjects' rights and freedoms is based on
the nature, scope, context and purpose of the treatment (recital 76).
It is thus through the needs and risk analysis that it
personal data controller finds out who needs access, which
information the accessibility shall include, at what times and at what
context access is needed, while analyzing the risks to it
the freedoms and rights of the individual that the treatment may lead to. The result should
then lead to the technical and organizational measures needed to
ensure that no one other than the one who needs and
the risk analysis shows that it should be justified.
When a needs and risk analysis is missing prior to the allocation of qualifications in
system, lacks the basis for the personal data controller on a legal
be able to assign their users a correct authorization. The
the data controller is responsible for, and shall have control over, the
personal data processing that takes place within the framework of the business. To
assign users a when accessing journal system, without this being founded
on a performed needs and risk analysis, means that the person responsible for personal data
does not have sufficient control over the personal data processing that takes place in
Page 18 of 30Datainspektionen DI-2019-3844 1 9 (30)
the journal system and also can not show that he has the control that
required.
Aleris has stated that the authorizations are granted on the basis of the document, “
and risk analysis-TakeCare ”. The document states that all
authorization profiles in addition to technicians have been assigned permission to read in the system,
and that the risk with restricted access is that the user cannot perform his
tasks in full. This justification is stated for all users.
It is further stated that the only risk in the event of extensive access is to the user
sees information that he / she does not have the right to see which may involve disclosure
of patient information. Similar justification is given for all profiles. The
means that Aleris makes the same assessment for all profiles regardless
the user's task and needs.
The Data Inspectorate can state that the document, “Needs and risk analysis
TakeCare ”does not contain any analysis of the different profiles' needs
access to patients' data. Aleris has only stated what respectively
profile "must be able to perform" in the journal system and thus not analyzed which
information as it is a question of or what the needs look like in the various
the business components and for different professional roles. The document also lacks one
analysis of the risks to the individual's freedoms and rights as an excessive
eligibility may entail. The needs and risk analysis must be done in a strategic manner
level that should provide an authorization structure that is adapted to the business.
The information in the document "Needs and risk analysis - TakeCare" is too
deficient in relation to the information required for a correct
needs and risk analysis must be able to be performed. As stated above, in a
needs and risk analysis both the needs and the risks are assessed on the basis of them
tasks that need to be processed in the business, what processes it is
the question of whether and what risks to the individual's integrity exist as well
organizational as well as individual level.
In its analysis, Aleris has not taken into account the negative consequences for
registered, different categories of data, categories of registered or
the extent of the number of personal data and registered affects the risk of
the rights and freedoms of natural persons in the treatment of Aleris by
personal information in TakeCare. There are also no special risk assessments
based on whether there is, for example, protected personal data that is
classified, information on public figures, information from
Page 19 of 30Datainspektionen DI-2019-3844 2 0 (30)
certain clinics or medical specialties or other factors such as
requires special protective measures. There is also no assessment of how
probable and serious risk to the data subjects' rights and freedoms
is considered to be.
In the light of the above, the Data Inspectorate can state that
the document “Needs and risk analysis- TakeCare” does not meet the requirements
put on a needs and risk analysis and that Aleris has not been able to show that
the company has carried out a needs and risk analysis within the meaning of 4
Cape. § 2 HSLF-FS 2016: 40, neither within the framework of internal secrecy
according to ch. 4 the Patient Data Act or within the framework of the cohesive
record keeping according to ch. 6 Section 7 of the Patient Data Act. That means Aleris does not
have taken appropriate organizational measures in accordance with Article 5 (1) (f) and
Article 32 (1) and (2) in order to ensure and, in accordance with Article 5 (2),
be able to show that the processing of personal data has a security that is
appropriate in relation to the risks.
Authorization of access to personal data about patients
As reported above, a caregiver may have a legitimate interest in having
a comprehensive processing of data on the health of individuals. Notwithstanding this shall
access to personal data about patients may be limited to
what is needed for the individual to be able to fulfill his or her duties.
With regard to the allocation of authorization for electronic access according to ch.
§ 2 and ch. 6 Section 7 of the Patient Data Act states that in the preparatory work, Bill.
2007/08: 126 pp. 148-149, i.a. that there should be different eligibility categories in
the journal system and that the permissions should be limited to what the user
need to provide the patient with good and safe care. It also appears that “a
more extensive or coarse-grained eligibility should be considered as one
unauthorized dissemination of journal information within a business and should as
such is not accepted. "
In health care, it is the person who needs the information in their work
who may be authorized to access them. This applies both within a
caregivers as between caregivers. It is, as already mentioned, through
the needs and risk analysis that the person responsible for personal data finds out who
who need access, what information the access should include, at which
times and in which contexts access is needed, and at the same time
analyzes the risks to the individual's freedoms and rights
Page 20 of 30Datainspektionen DI-2019-3844 2 1 (30)
the treatment can lead to. The result should then lead to the technical and
organizational measures needed to ensure no allocation
of eligibility provides further access opportunities than the one that needs and
the risk analysis shows is justified. An important organizational measure is to provide
instruction to those who have the authority to assign authorizations on how this
should go to and what should be considered so that it, with the needs and risk analysis
as a basis, becomes a correct authorization allocation in each individual case.
Aleris has stated that there are restrictions regarding users
access options in TakeCare then the company by choosing different functions
for different users can steer away users' access capabilities in
the journal system.
According to Aleris, all users have different read permissions in the journal system
depending on the system features they have access to. Of the document
However, “Needs and risk analysis - TakeCare” states that all professional profiles
in addition to technicians, read access has been assigned to the tasks in TakeCare.
Furthermore, the document "Profiles and Permissions" states that all
occupational profiles, ie. doctors, nurses, assistant nurses, paramedics,
secretary, administrative, student and receptionist Rehab has
authority to "read journal text". This means that virtually all professional profiles
has access to Aleri's personal data about patients in TakeCare. The
limitation that has been introduced is that different professional profiles have different
reading privileges, for example, doctors, nurses, paramedics can read
diagnoses ”or“ read prescriptions ”while other professional profiles, for example
"Administratively" do not have those powers. It also appears that doctors are
the only ones who have the authority to "read emergency information".
The Data Inspectorate considers it positive that Aleris has allocated different
read permissions in the system, but that it is not enough because all
professional profiles still have access to the journal texts in TakeCare.
In addition, the division is rough as it is only a division from the outside
occupational categories and not based on, for example, which organizational
affiliation, which tasks the user has or which patients
personal data that the user needs to access at different times
to. Because different users have different tasks within different
work areas, users need access to personal data about
patients in TakeCare are limited to reflect this.
Page 21 of 30Datainspektionen DI-2019-3844 2 2 (30)
Against this background, the Data Inspectorate can state that Aleris does not have
restricted users 'permissions to access patients'
personal data in the journal system TakeCare. This in turn means that one
majority of the users have had actual access to the care documentation
about a large number of patients in TakeCare.
The review also shows that Aleris uses so-called active choices
for access to personal data about patients and the record filter function.
The fact that Aleris uses active choices does not mean that the access option to
personal data in the system has been restricted to the user, without the data
are still electronically accessible. This means that the active choices are not
such an access restriction as referred to in ch. 4 Section 2 of the Patient Data Act,
as this provision requires that jurisdiction be limited to what
necessary for the individual to be able to fulfill his duties within
health care and that only those who need the information should have
access. The Data Inspectorate thus considers that Aleri's use of active choices
is an integrity enhancing measure but that it does not affect the actual
access possibilities.
Aleris has further stated that there are features in TakeCare for that one
care providers must be able to "isolate" a care unit and thereby "shut out"
other care providers 'and care units' access to the unit
care documentation, so-called protected units. However, Aleris believes that
the company does not conduct any business that requires protected entities and
have therefore not used this function.
As for the unified record keeping, all users at Aleris have
access to all personal data about patients at the other care providers in
TakeCare, except when patients have requested that their data be blocked.
It appears from the review that the care provider has an opportunity to actively
block the records of other caregivers, but that Aleris has chosen not to do so
because the company does not conduct any business that needs to be blocked. Aleris
considers it safer to leave the data at Aleri's units
available to other caregivers.
That the allocation of authorizations has not been preceded by a need and
risk analysis means that Aleris has not analyzed users' needs for
access to the data, the risks that such access may entail and
Page 22 of 30Datainspektionen DI-2019-3844 2 3 (30)
thus also not identifying which access is justified for the users
based on such an analysis. Aleris has thus not used suitable
measures, in accordance with Article 32, to restrict users' access to
patients' data in the medical record system. This in turn has meant that
there has been a risk of unauthorized access and unauthorized distribution of
personal data partly within the framework of internal secrecy, partly within the framework
for the unified record keeping.
Aleris has further stated that the company has no technical possibilities to
make changes to TakeCare because Aleris has no control over it
the journal system. It also appears that Aleris, within the framework of it
coherent record keeping, may not implement certain restrictions
with reference to a decision from the Stockholm Region.
The basis of the Data Protection Ordinance is that the person responsible for personal data
has a responsibility to comply with the obligations set out in the Regulation in order to:
be allowed to process personal data in their activities at all. To take
appropriate technical and organizational measures to ensure an appropriate
security is such an obligation (see Articles 5, 24 and 32 of
the Data Protection Regulation). The Data Inspectorate thus considers that Aleris in
capacity as personal data controller can not waive the responsibility to
take the technical and organizational measures required by the above
articles.
In light of the above, the Swedish Data Inspectorate can state that Aleris
has processed personal data in breach of Article 5 (1) (f) and Article 32 (1) and
32.2 of the Data Protection Regulation in that Aleris has not restricted
users' permissions for accessing the TakeCare journal system to what
which is only needed for the user to be able to fulfill his
tasks in health care according to ch. 4 § 2 and ch. 6 § 7
the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40. That means Aleris does not
have taken steps to ensure and, in accordance with Article 5 (2) (i)
the Data Protection Regulation, be able to demonstrate appropriate security for
personal data.
Documentation of access (logs)
Of the documentation of access (logs) that arose due to
The Data Inspectorate's inspection is as follows: date, time,
the identity of the user and the patient, the measures taken and
Page 23 of 30Datainspektionen DI-2019-3844 2 4 (30)
care unit. The same documentation appears when the user takes part
tasks within the framework of coherent record keeping.
The Data Inspectorate has nothing to recall in this part, because
the documentation of the access (logs) in TakeCare is in accordance
with the requirements set out in Chapter 4. 9 § HSLF-FS 2016: 40. Aleris has thus
have taken appropriate technical measures in accordance with Article 32 i
the Data Protection Regulation.
Choice of intervention
Legal regulation
If there has been a violation of the Data Protection Regulation
The Data Inspectorate a number of corrective powers available under the article
58.2 a-j of the Data Protection Regulation. The supervisory authority can, among other things
instruct the data controller to ensure that the processing takes place in
in accordance with the Regulation and if required in a specific way and within a
specific period.
It follows from Article 58 (2) of the Data Protection Regulation that the Data Inspectorate in
in accordance with Article 83 shall impose penalty charges in addition to or in lieu of
other corrective measures referred to in Article 58 (2),
the circumstances of each individual case.
Article 83 (2) sets out the factors to be taken into account in determining whether a
administrative penalty fee shall be imposed, but also what shall affect
the size of the penalty fee. Of central importance for the assessment of
the seriousness of the infringement is its nature, severity and duration. If
in the case of a minor infringement, the supervisory authority may, according to recitals
148 of the Data Protection Regulation, issue a reprimand instead of imposing one
penalty fee.
Order
The health service has a great need for information in its operations. The
It is therefore natural that the possibilities of digitalisation are utilized as much as
possible in healthcare. Since the Patient Data Act was written, one has a lot
extensive digitization has taken place in healthcare. Both the data collections
size as the number of people sharing information with each other has increased
substantially. At the same time, this increase means that the demands on it increase
Page 24 of 30Datainspektionen DI-2019-3844 2 5 (30)
personal data controller, as the assessment of what is an appropriate
safety is affected by the extent of the treatment.
In this context, it means that a great deal of responsibility rests on it
personal data controller to protect the data from unauthorized access,
among other things by having an authorization allocation that is even more
comminuted. It is therefore essential that there is a real analysis of the needs
based on different activities and different executives. Equally important is that
there is an actual analysis of the risks from an integrity perspective
may occur in the event of an override of access rights. From
this analysis must then restrict the access of the individual executive.
This authority must then be followed up and changed or restricted accordingly
hand that changes in the tasks of the individual executive provide
reason for it.
The Data Inspectorate's inspection has shown that Aleris has failed to take appropriate action
security measures to provide protection for the personal data in the record system
TakeCare by not complying with the requirements set out in the Patient Data Act and
The National Board of Health and Welfare's regulations regarding the implementation of needs and
risk analysis, before the allocation of authorizations in the system takes place and that not
restrict the right of access to what is needed to the individual
must be able to fulfill their duties in health care. The
means that Aleris has also failed to comply with the requirements of Article 5 (1) (f) and Article
32.1 and 32.2 of the Data Protection Regulation. Failure includes it as well
internal secrecy according to ch. 4 the Patient Data Act as the cohesive one
record keeping according to ch. 6 patient data law.
The Data Inspectorate therefore submits pursuant to Article 58 (2) (d) i
data protection ordinance Aleris Sjukvård AB to implement and document
required needs and risk analysis for the TakeCare medical record system and that
then, based on the needs and risk analysis, assign each user
individual access to personal data restricted to
only what is needed for the individual to be able to fulfill his
duties in health care, in accordance with Article 5 (1) (f) and
Article 32 (1) and (2) of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 § 7
the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40.
Penalty fee
Page 25 of 30Datainspektionen DI-2019-3844 2 6 (30)
The Data Inspectorate can state that the infringements basically concern Aleris
obligation to take appropriate security measures to provide protection to
personal data in accordance with the Data Protection Regulation.
In this case, it is a matter of large data collections with sensitive
personal data and extensive powers. The caregiver needs to be involved
necessity to have a comprehensive processing of data on the health of individuals.
However, it must not be unrestricted but should be based on what individual
employees need to be able to perform their tasks. The Data Inspectorate
notes that this is information that includes direct identification
by the individual through both name, contact information and social security number,
health information, but it may also be other private information about
for example, family relationships, sexual life and lifestyle. The patient is addicted
of receiving care and is thus in a vulnerable situation. The nature of the data,
scope and the patients' position of dependence give caregivers a special
responsibility to ensure patients' right to adequate protection for their
personal data.
Additional aggravating circumstances are the treatment of
personal data about patients in the main medical record system belongs to the core of a
the activities of caregivers, that the treatment covers many patients and
the possibility of access refers to a large proportion of the employees. In this case, stir
there are almost 800,000 patients and just over 1,000 active users in
the journal system.
It is a central task for the person responsible for personal data to take measures
to ensure an appropriate level of safety in relation to the risk. At
the assessment of the appropriate level of safety, special consideration shall be given to those risks
which the treatment entails, in particular from accidental or unlawful destruction,
loss or alteration or to unauthorized disclosure of or unauthorized access to
the personal data transferred, stored or otherwise processed,
pursuant to Article 32 (2) of the Data Protection Regulation. The requirements for health and
the healthcare area, regarding current security measures, has been specified in
the Patient Data Act and in the National Board of Health and Welfare regulations. Of the preparatory work for
The Patient Data Act clearly states that requirements are placed on both strategic analysis and
that eligibility is assigned individually and adapted to the current one
the situation. That large amounts of sensitive personal data are processed without
basic regulations in the field are followed means that the procedure is assessed as
more serious.
Page 26 of 30Datainspektionen DI-2019-3844 2 7 (30)
The Data Inspectorate also takes into account that Aleris has not chosen to restrict
access in the context of coherent record keeping. According to Aleris
is it more patient safe to leave the data at Aleri's units
available to other caregivers. This means that Aleris has given priority away
the protection of privacy within the coherent record keeping in favor of
patient safety, which is particularly serious.
The Data Inspectorate has also taken into account that Aleris has used some
integrity enhancement measures, performed certain restrictions regarding
occupational categories' reading qualifications and documented access to one
correct way.
In determining the seriousness of the infringements, it can also be stated that
the infringements also cover the basic principles set out in Article 5 (i)
the Data Protection Regulation, which belongs to the categories of more serious
infringements which may give rise to a higher penalty under Article 83 (5) (i)
the Data Protection Regulation.
Taken together, these factors mean that the infringements, not to implement
a needs and risk analysis and not to limit users' permissions
to only what is needed for the user to be able to fulfill theirs
tasks in health care, is not to be judged as minor
infringements without infringements that should lead to an administrative
penalty fee.
The Data Inspectorate considers that these violations are closely related to
each other. That assessment is based on the need and risk analysis
form the basis for the allocation of the authorizations. The Data Inspectorate
therefore considers that these infringements are so closely linked
that they constitute interconnected data processing within the meaning of Article 83 (3) (i)
the Data Protection Regulation. The Data Inspectorate therefore decides on a joint
penalty fee for these infringements.
According to Article 83 (3), the administrative penalty fee may not exceed
the amount of the most serious infringement in the case of one or the same
data processing or interconnected data processing.
The administrative penalty fee shall be effective, proportionate and
deterrent. This means that the amount must be determined so that it
Page 27 of 30Datainspektionen DI-2019-3844 2 8 (30)
the administrative penalty fee leads to correction, that it provides a preventive
effect and that it is also proportional in relation to both current
violations as to the ability of the supervised entity to pay.
As regards the calculation of the amount, Article 83 (5) (i)
the Data Protection Regulation that companies that commit infringements are the ones in question
may be subject to penalty fees of up to EUR 20 million or four
percent of total global annual sales in the previous financial year,
depending on which value is highest.
The term company includes all companies that conduct a financial
activity, regardless of the legal status of the entity or the manner in which it operates
financed. A company can therefore consist of an individual company in the sentence one
legal person, but also by several natural persons or companies. Thus
there are situations where an entire group is treated as a company and its
total annual turnover shall be used to calculate the amount of a
infringement of the Data Protection Regulation by one of its companies.
Recital 150 in the Data Protection Ordinance states, among other things
following. […] If the administrative penalty fees are imposed on a company,
a company for that purpose should be considered a company within the meaning of
Articles 101 and 102 of the TFEU […]. This means that the assessment of
what constitutes a company must be based on the definitions of competition law.
The rules for group liability in EU competition law revolve around
the concept of economic unit. A parent company and a subsidiary are considered
as part of the same economic entity when the parent company exercises one
decisive influence over the subsidiary. The Data Inspectorate therefore adds
as a starting point, the turnover for Aleris Group AB as a basis for
the calculation of the size of the penalty fee.
Aleris Group AB was formed at the end of 2019. Some turnover figures for the whole
2019 is thus not available. There is therefore no information on the annual
turnover for determining the amount of the penalty fee. Aleris has
stated that the group turnover for Aleris Group AB amounted to just over 1.2
billion between 1 October 2019 and 31 December 2019.
Recalculated for an entire year, this would correspond to a turnover of approximately 4.9
billion.
Page 28 of 30Datainspektionen DI-2019-3844 2 9 (30)
The Data Inspectorate states that the actual annual sales for Aleris
Group AB this year will be significantly higher.
In the current case, the Data Inspectorate applies a precautionary principle and
therefore appreciates that the company's annual turnover at least corresponds to that of
the period October - December 2019 recalculated for full year, ie approximately 4.9
billion. The maximum sanction amount that can be determined in the current
case is EUR 20,000,000, which is just over four percent of the company's estimated
revenue.
Given the seriousness of the infringements and that the administrative
the penalty fee must be effective, proportionate and dissuasive
the Data Inspectorate determines the administrative sanction fee for
Aleris Sjukvård AB to SEK 15,000,000 (fifteen million).
This decision was made by Director General Lena Lindgren Schelin after
presentation by the IT security specialist Magnus Bergström. At the final
The case is also handled by the General Counsel Hans-Olof Lindblom, the unit managers
Katarina Tullstedt and Malin Blixt and the lawyer Linda Hamidi participated.
Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature)
Appendix
How to pay penalty fee
Copy for information to
The Data Protection Officer
Page 29 of 30Datainspektionen DI-2019-3844 3 0 (30)
How to appeal
If you want to appeal the decision, you must write to the Data Inspectorate. Enter i
the letter which decision you are appealing and the change you are requesting.
The appeal must have been received by the Data Inspectorate no later than three weeks from
the day you received the decision. If the appeal has been received in due time
the Data Inspectorate forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Data Inspectorate if it does not contain
any privacy-sensitive personal data or data that may be covered by
secrecy. The authority's contact information can be found on the first page of the decision.
Page 30 of 30
