APDCAT (Catalonia) - IAI 50/2022
APDCAT - IAI 50/2022 | |
---|---|
Authority: | APDCAT (Catalonia) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(c) GDPR Article 86 GDPR Llei 19/2014, de 29 de desembre, de transparència, accés a la informació pública I bon govern |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | 13.10.2022 |
Decided: | 09.01.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | IAI 50/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Catalan, Valencian |
Original Source: | APDCAT (in CA) |
Initial Contributor: | Mapez |
The Catalan DPA found that the principles of GDPR do not limit the right to access public information on the number of gender transition cases in Catalonia broken down by sex, age, and year because of the efficient anonymisation of the data.
English Summary
Facts
On 13 October 2022, the applicant filed an access to information request to the regional administration of Catalonia (the controller), asking for the number of gender transition cases in Catalonia from 2012 to 2021. More specifically, the applicant requested for each gender transition patient (the data subject) the sex, age, and year of care in the traffic unit.
The controller partially approved the request and provided the sex and year of treatment of the data subjects. The controller did not provide the age of each data subjects but grouped the patients by age range.
Example:
Year: 2018
Sex of patient: female/male/unrecorded
Age range: Age<10 years/Age 10-14/etc
The controller held that because of the very small number of patients treated by the gender transition units within Catalonia, the data should only be disclosed by age range and not year by year.
On 17 November 2022, the applicant filed an appeal by the Commission for the Guarantee of the Right of Access to Public Information (Comissió de Garantia del Dret d’Accés a la Informació Pública - GAIP). The GAIP requested the Catalan DPA (Autoritat Catalana de Protecció de Dades - APDCAT) to issue a legal opinion on the lawfulness of the processing of such data.
Holding
First, the APDCAT recalled that the treatment of personal data such as the one requested by the applicant required a legal basis, Article 6 GDPR. The APDCAT then assessed whether the controller had a legal obligation to proceed to such treatment, Article 6(1)(c) GDPR. At the same time, Article 86 GDPR states that the right to access information is regulated by national law. Article 18 of Llei 19/2014, de 29 de desembre de 2014, de transparència, accés a la informació i bon govern (Law 19/2014 of 29 December 2014 on transparency, access to information and good governance - LTC) provides a right for individuals or legal entities to access public information. According to Article 23 LTC, the access to the information should be denied should the information contain particularly protected personal data, such as health data.
The APDCAT found that the information that a natural person had attended gender transition units in Catalonia should be considered health data. Hence any disclosure of information that would allow direct or indirect identification of the data subjects should not be provided. The APDCAT further noted that other legal provision could restrain the access to the data, such as the protection of the rights of minors and the protection of people in situations of special vulnerability. However, the APDCAT recalled that the principles of data protection were not applicable to anonymous data, provided that the anonymisation mechanism would ensure that the data subjects were no longer identifiable, be it directly or indirectly through complementary information.
The APDCAT then assessed the risks of reidentification of the data subjects through the provision of the age of the patients year by year, and not by age range. The APDCAT recalled that the risk of reidentification was inherent to any anonymisation technique. In the case at hand, the APDCAT held that the number of affected people over the last ten years was relatively small given that all the data subjects had been served in Catalonia, by a very specialised service. However, the set of population taken as reference was at least the entire population of Catalonia, which according to the APDCAT greatly reduced the risk of reidentification. In addition to this, the APDCAT noted that the numbers were be provided at the regional level, and not for each gender transit unit. Finally, the risk of identification, by contrario sensu, of the persons who had not been treated by gender transition units in Catalonia was not a serious, as this information would not be considered health data.
For all these reasons, the APDCAT concluded that the anonymisation of the data was effective and the provision of the age of the data subject and not only its age range, complied with the principles of data protection.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.
https://apdcat.gencat.cat/web/.content/Resolucio/Resolucions_Cercador/Dictamens/2022/Documents/ca_iai_2022_050.pdf