AEPD (Spain) - EXP202201746
AEPD - PS/00097/2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR, Article 32 GDPR, Article 83(4) GDPR, Article 83(5) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 27.01.2022 |
Decided: | 08.09.2023 |
Published: | 08.09.2023 |
Fine: | n/a |
Parties: | SERVICIO CANARIO DE LA SALUD |
National Case Number/Name: | PS/00097/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mgrd |
The Spanish DPA issued a warning sanction to Servicio Canario De La Salud. Medical records had been improperly accessed and the diagnosis disclosed to third parties, violating Article 5(1)(f) and Article 32 GDPR.
English Summary
Facts
On November 2, 2021 the data subject requested his clinical history. Along with the history, the Canary health service (Servicio Canario De La Salud) provided a list of accesses made by primary care givers and a list of accesses made by specialists at the Fuerteventura General Hospital. These lists showed that health professionals who were not associated with any clinical process or consultation related to the data subject had accessed the subject's clinical history.
Upon receiving the data subject's complaint, the controller (Servicio Canario De La Salud) hired Electromedical and Information Services (ASEI) to carry out an audit to assess whether the access to the data subject's medical records by health professionals could be justified. This audit resulted in an internal warning within the Servicio Canario to be careful when accessing documents. The data subject appealed this, stating that the audit justified neither the accesses nor the reasons that led the personnel in question to access the file.
After a DPA investigation, it was determined that in total ten professionals from the General Hospital of Fuerteventura had accessed the file. Of the ten, only two of them were justified to access the file as they were professionals in the Anesthesia and Resuscitation Area (FEA), which was related to the data subject's condition.
Holding
The Spanish DPA considered that there has been undue access to the data subject's clinical history and disclosure of personal information to third parties, without the consent of the owner. Such facts represent a breach of confidentiality and integrity, violating Article 5(1)(f) GDPR, since there had been accesses to the data subject's medical history by third parties who were not authorised to do so.
The DPA also highlighted the lack of measures in place aimed at guaranteeing the confidentiality of such information. Due to this, the security measures of the controller were not adequate, which constituted an infringement of Article 32 GDPR.
Therefore, the Spanish DPA issued a warning sanction for each violation of Article 5(1)(f) and Article 32 GDPR.
Comment
AEPD highlighted a similar procedure PS/00250/2021 against Servicio Extremeño De Salud, in which there has been improper access to the data subject’s medical records by a worker of the Extremadura Health Service (SES). The accesses were made without the data subject’s authorisation and without any relationship that could justify it.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202201746
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure conducted by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On January 27, 2022, a written claim submitted by A.A.A. (hereinafter, the complaining party) was filed with the Spanish Data Protection Agency (hereinafter, AEPD). The claim is directed against SERVICIO CANARIO DE LA SALUD with NIF Q8555011I (hereinafter, the claimed party). The reasons on which the claim is based are the following:
The claimant states that there have been improper accesses to her medical history and that the diagnosis has been revealed to third parties.
It also states that the website of the Ministry of Health of the Government of the Canary Islands (https://www.gobiernodecanarias.org/sanidad/) uses cookies without giving notice of them, without having a cookie policy and without requesting express consent for their use. It also has no Privacy Policy.
Date on which the claimed events took place: November 2, 2021.
Relevant documentation provided by the complaining party:
- Response issued by the CANARY HEALTH SERVICE regarding access to the Clinical History, which includes a List of Accesses made by Primary Care from 10/5/21 to 12/9/2021 and a List of Accesses made by Specialized Care at Fuerteventura General Hospital from 10/6/2021 to 10/12/2021. In this document the claimant states that the accesses marked in color are not associated with any clinical process or consultation.
SECOND: In accordance with the mechanism prior to the admission for processing of claims made before the AEPD, provided for in article 65.4 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), which consists of transferring them to the data protection delegates designated by those responsible for or in charge of the treatment, or to the latter when no delegate has been designated, and with the purpose indicated in the aforementioned article, the claim was transferred to the CANARY HEALTH SERVICE (hereinafter, the claimed party) so that it could analyze it and respond within a period of one month, which it did by a document entered into this Agency on May 6, 2022.
In response to the transfer and request for information, the claimed party stated that it had transferred the claim to the Security Office (ODS) of the Electromedical and Information Services Area (ASEI) and to the Health Services Management of Fuerteventura.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
The ASEI states that it has audited the accesses marked by the claimant, asking the people who accessed for the justification for such access.
The Management of Health Services of Fuerteventura stated that, having reviewed the files kept in this management center, there was no “documentation kept in relation to the reference file.”
On April 25, the General Secretariat of the claimed party sent the result of the audit carried out by the ASEI and told the AEPD that a letter had been sent to all managements in the following terms:
"The Spanish Data Protection Agency has sent, in a short space of time, several complaints relating to supposedly improper access to the clinical history of patients by center staff. Instruction No.
4/10 of this Directorate, relating to the actions of the personnel of the Canarian Health Service who, in the performance of their job, process personal data, makes it clear that in the bodies providing services, the person in charge of the care center will determine which units will adopt, on behalf of the person responsible for the treatment, the necessary measures so that the personnel of each unit know, in an understandable way, the security rules for the files that affect the performance of their functions (fifth section). In this sense, it is important that the personnel who access the medical history know the disciplinary and even criminal responsibilities they can incur if, despite the warning that already appears in the application, they access the clinical history of a patient for unjustified reasons. Likewise, they are reminded that, in the event of any indication of improper access, the corresponding management must adopt the necessary measures to purify the administrative or criminal responsibilities that may arise".
The claimed party also added that it had been considered appropriate to prepare a protocol for processing the requests received in which the interested party asks for information about who accessed their medical history.
THIRD: On May 17, 2022, after analyzing the documentation in the file, the Director of the Spanish Data Protection Agency issued a resolution agreeing to archive the claim. The resolution was notified to the appellant on May 17, through the Electronic Notification Service and Enabled Electronic Address, according to the certificate that appears in the file.
FOURTH: On June 13, 2022, the claimant filed an appeal for reconsideration against said resolution, alleging that there had been unauthorized access to her medical records and disclosure of her health data to hospital staff, which had not been resolved, and pointing out that the Servicio Canario de Salud limits itself to indicating that “it has audited the accesses marked by the party claimant”, without justifying each of those accesses or the reasons that led the personnel in question to access, since said accesses and movements in her clinical history are not associated with any clinical process or medical visit.
FIFTH: On July 27, 2022, the appeal filed was sent to the claimed party within the framework of the provisions of article 118.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), so that it could formulate allegations and present the documents and supporting evidence it deemed appropriate. The transfer was notified on July 27, 2022, through the Electronic Notification Service and Enabled Electronic Address, according to the certificate that appears in the file, and the claimed party provided no allegations in response to what the appellant stated in the appeal for reconsideration.
Said procedure was notified on July 27, 2022, and no allegation had been received from the claimed party as of the date of the current resolution.
SIXTH: On October 6, 2022, the appeal for reconsideration filed by A.A.A. against the resolution of this Agency issued on May 17, 2022, which agreed to archive the claim referring to the CANARY HEALTH SERVICE, was upheld.
SEVENTH: The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, and learned the following:
The CANARY HEALTH SERVICE is part of the COUNCIL OF HEALTH OF THE GOVERNMENT OF THE CANARY ISLANDS.
On December 5, 2022, the Data Inspection accessed the website of THE HEALTH DEPARTMENT OF THE GOVERNMENT OF THE CANARY ISLANDS, https://www.gobiernodecanarias.org/sanidad/, verifying that it does not have a Privacy Policy section. There is no evidence that data is collected on this website.
The website contains a notice about cookies: “This web portal uses its own and third-party cookies to collect information that helps optimize your visit. Cookies are not used to collect personal information. You can change your configuration whenever you want. More information is available in our cookie policy”. Acceptance is not requested, and access to the cookie policy returns “Error 404. Document not found.”
On December 5, 2022, the Data Inspection accessed the website of the CANARY HEALTH SERVICE, https://www3.gobiernodecanarias.org/sanidad/scs/, verifying that it has a Privacy Policy section which identifies the person responsible for the treatment and includes, among others, a link to the Treatment Activity Record, which sets out the purpose, legal basis, recipients and conservation. Likewise, it includes a link to exercise the rights of interested parties, the email address of the Data Protection Delegate and a link to the website of the Spanish Data Protection Agency.
The CLINICAL HISTORY treatment appears in the Registry of Treatment Activities, where the aforementioned is reported.
When accessing the website of the CANARY HEALTH SERVICE there is a notice about cookies: “The web portal of the Canarian health service uses its own and third-party cookies to collect information that helps optimize your visit. Cookies are not used to collect personal information. You can allow their use or refuse it. You can also change your settings whenever you want. More information is available in our cookie policy.”
The Cookie Policy provides information on technical cookies and analytical cookies, in which it is indicated: “Analytical cookies for monitoring and statistical analysis of the behavior of all users. If these cookies are disabled, the website may continue to function, without prejudice to the fact that the information captured by these cookies about the use of our website and its content allows us to improve our services.”
On December 9, 2022, the Data Inspection accessed the website of the HEALTH DEPARTMENT OF THE GOVERNMENT OF THE CANARY ISLANDS, verifying that it generates three cookies from the Government of the Canary Islands. One of them is a session cookie and the others, with expiration dates 10-12-2022 and 01-13-2024, are from Google Analytics. (D. cookies).
On this same date, the Data Inspection accessed the website of the SERVICIO CANARIO DE SALUD, verifying that it generates four cookies belonging to the Government of the Canary Islands, with expiration dates 12-9 and 10-2022 and 01-9 and 13-2024. Three of them are from Google Analytics. (D cookies).
In the proceedings AT/0724/2022, the claim was transferred to the HEALTH DEPARTMENT OF THE GOVERNMENT OF THE CANARY ISLANDS and the SERVICIO CANARIO DE LA SALUD, and was answered by the SERVICIO CANARIO DE LA SALUD in the following terms:
There is no evidence that the claimant has made a claim before the SECURITY OFFICE (ODS) OF THE ELECTROMEDICAL AND INFORMATION SERVICES AREA (ASEI) since, as stated at the end of the list provided by the complainant, it is reported that “if any of the accesses included in the report could have been improper or unlawful, you may file a claim in order to have the security office carry out the appropriate verifications that help clarify said access".
A report issued by the ODS has been provided on the audit of the accesses made by PRIMARY CARE AND SPECIALIZED CARE AT THE GENERAL HOSPITAL OF FUERTEVENTURA, which reveals that the accesses were carried out by ten professionals, two of whom accessed the history to inquire about the state of health of the claimant, whom they identified on the emergency list since she is a health professional in the Anesthesia and Resuscitation Area (FEA).
Regarding cookies and the privacy policy, they state that they are working on it and provide drafts. These drafts are similar to what was available on the website of the CANARY HEALTH SERVICE on December 5, 2022, the date on which it was accessed by the Data Inspection.
The CANARY HEALTH SERVICE states, and provides a written document in this regard, that the DIRECTORATE OF THE CANARY HEALTH SERVICE, the body responsible for the Clinical History treatments, both Primary Care and Specialized Care, has sent a letter to all managements in the following terms:
“The Spanish Data Protection Agency has sent, in a short space of time, several complaints relating to allegedly improper access to medical records of patients by center staff. Instruction No.
4/10 of this Directorate… makes it clear that in the service-providing bodies, the person responsible for the healthcare center will determine which units will adopt, on behalf of the person responsible for the treatment, the necessary measures so that the staff of each unit knows, in an understandable way, the security rules for the files that affect the performance of their functions (fifth section). In this sense, it is important that the personnel who access the medical history know the disciplinary responsibilities..., accesses a patient's medical history for unjustified reasons. Likewise, they are reminded that, in the event of any indication of improper access, the corresponding management must adopt the measures necessary to purge the administrative or criminal responsibilities that may arise."
On December 12, 2022, a request for information was sent to the CANARY HEALTH SERVICE (hereinafter SCS), and the response received reveals:
In relation to the Security Policy
The SCS has provided a copy of the Security Policy, whose approval resolution was published in the Official Gazette of the Canary Islands on February 13, 2014, which establishes general criteria for security procedures (Document 1). All personnel must be informed of it, as well as of Instruction 04/2010 of the Director of the Canarian Health Service, regarding the actions of the personnel who, in the performance of their job, process personal data (Document 2). This instruction is required reading and compliance for all personnel who access SCS systems, including the clinical history of patients.
The SCS states that when the system is accessed for the first time, and sporadically and randomly thereafter, a notice appears on the screen reminding the user of the existence of said instruction and collecting the staff member's acceptance that they have read and understood it, and provides a screen print of the aforementioned notice, which reads: “In the records of this Service it does not appear that, as a worker who provides services in the SCS and under the Personal Data Protection regulations, you have read and accepted instruction 04/2010 of the Canary Health Service related to the actions of personnel who process personal data. Please, to continue, read the instruction and click on the corresponding button” (Document 3).
The SCS has provided a copy of the Security Document (Document 4), which includes, among other aspects, matters related to the identification and authentication of the users with access to the information systems, and where it is indicated that the technical managers of each application will be able to obtain the updated list of users as well as their access profiles. Likewise, it is indicated that there will be an updated list of users with access to non-automated documents along with their access rights. And, regarding access control, it indicates that users will only access the resources necessary to do their work.
In the case of files that contain high-level data, the following is established, among others:
- The access information specified in the regulations will be saved.
- If access is authorized, the information that allows the identification of the record that the user has accessed will be saved.
- The Security Manager will control the mechanisms of this registry.
Security measures of the CLINICAL HISTORIES treatment
Access to medical history is regulated in Decree 178/2005, of July 26, which approves the Regulation that regulates the clinical history in hospital centers and establishments and establishes the content, conservation and purging of its documents. In article 28, on the Procedure for confirming access to medical history and its use, section 5 establishes: “The computerization, where appropriate, of the procedure regulated in this article will guarantee the security, identification and authentication of the people who access the information, as well as a record of said access, by creating the corresponding file, guaranteeing compliance with the provisions of current legislation on the protection of personal data.”
The SCS states that it has a file that collects user activity in the different applications linked to clinical history.
The SCS provides the document “Logical access control regulations”, which describes the logical access control procedure that applies to all personnel with access to the information kept by the SCS (Document 6) and which, as shown in it, includes what is required by the National Security Scheme. Section 5, on Logical Access Control, states that, in addition to identification and authentication, the system, based on the identification and authentication data, provides the user with the necessary privileges to access resources.
The SCS has also provided a copy of the Risk Analysis, which includes the treatments related to the Clinical History, defined as Critical, and states that the security measures provided for in the National Security Scheme apply (Document 7). In this regard, they state that it is in the phase of implementation and adaptation to Royal Decree 311/2022, of May 3, which regulates the National Security Scheme.
In relation to the clinical history of the Fuerteventura Hospital, they have provided an audit verification of User Management (Document 8), as well as the general audit of SCS user management (Document 9).
In relation to the Data Protection Officer
The SCS states that “the Data Protection Officer fulfills her functions pursuant to Article 39 of the GDPR, primarily advising on and supervising compliance with current data protection regulations, ex officio or at the request of the service involved, assessing and reporting what she considers necessary for the correct processing of personal data.”
EIGHTH: The subject of this file is the issue related to possible improper accesses to the claimant's medical history. The possible liability for the use of analytical cookies without obtaining the consent of users on the website of the Ministry of Health of the Government of the Canary Islands will be subject, where appropriate, to a different procedure.
NINTH: On April 20, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in article 83.5 of the GDPR.
TENTH: The aforementioned initiation agreement having been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the claimed party, on May 8, 2023, presented a written statement of allegations in which it stated that, in relation to the violation of article 5.1.f) of the GDPR, in order to provide assistance that is as comprehensive and complete as possible, an electronic medical history (hereinafter HC) is available, which must be accessed by username and password, thereby leaving the accesses to the different HCs recorded in the logs.
It is currently not technically feasible to restrict access to users' HC only to those healthcare workers who are providing assistance to the patients at that exact time, since there may be various cases in which it is necessary to access specialties, or tests requested and reviewed by another professional or center, or in which a referral has to be made to another professional during assistance. That is, to avoid compromising health care, it is not appropriate to completely restrict access to the HC.
From the audits carried out on 10 professionals, it has been proven that, effectively, 2 of these accesses occurred without care-related justification, although it is not proven that the information they accessed was disclosed by any means.
Both professionals indicated that they were aware of the admission of their colleague because they saw her name on the emergency list. Therefore, they accessed her history to see if they could contribute any knowledge of their specialty to help in her improvement.
In relation to the alleged violation of article 32 of the GDPR, the claimed entity states that the security measures that have been determined based on the treatments carried out have been implemented, assessing in every case the possible threats that could put the security of the information treated at risk.
Being aware that there is no such thing as absolute security, the SCS has been adopting security measures and carrying out awareness-raising tasks for its staff, which had been demonstrating their effectiveness until this particular case. Evidence of this review and adoption of new measures is the publication of Instruction 6/2023 and the preparation of a new instruction on access to HC by SCS staff.
Likewise, upon learning of these possible improper accesses, it carried out an internal audit directed at the professionals involved, so that they justify the reason for the access, and the corresponding Management is carrying out disciplinary investigation actions to purge possible responsibilities.
The claimed entity concludes by indicating that, considering that it is an isolated event arising from the good faith of health professionals seeking to help in the recovery of their colleague, and that the necessary additional measures are being taken to guarantee the confidentiality of the information to a greater extent, it requests the archiving of the proceedings.
ELEVENTH: On May 9, 2023, the instructor of the procedure agreed to consider reproduced, for evidentiary purposes, the claim filed by A.A.A. and its documentation, the documents obtained and generated during the phase of admission for processing of the claim, and the report of preliminary investigation actions that are part of the procedure.
Likewise, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by SERVICIO CANARIO DE LA SALUD, and the documentation that accompanies them are considered reproduced for evidentiary purposes.
TWELFTH: On May 30, 2023, a proposed resolution was issued, proposing that the Director of the Spanish Data Protection Agency issue a warning to the CANARY HEALTH SERVICE, with NIF Q8555011I, for each of the two violations committed, one for the violation of article 5.1.f) of the GDPR and another for the violation of article 32 of the GDPR, both classified in article 83.5 of the GDPR.
THIRTEENTH: On June 9, 2023, the following allegations were received from the claimed entity in response to the proposed resolution:
“1º.- Taking into account the provisions of art. 5.1 of the GDPR, which determines that the data will be f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against its accidental loss, destruction or damage, through the application of technical or organizational measures ("integrity and confidentiality"), it is considered that what is being stated is that the SCS does not process data in a way that guarantees the application of the principles included in the aforementioned precept, and we do not agree with this point.
Taking into account the type of services that the SCS provides to users, and so that health care is as comprehensive and complete as possible, there is an electronic clinical history (hereinafter HC) that healthcare professionals can access, through username and password, and whose accesses are recorded in logs.
Currently, and due to the activity of the SCS, it is not technically feasible to restrict access to users' HC only to those health workers who are providing assistance to patients at that exact moment, since there can be various cases in which it is necessary to access specialties, or tests requested and reviewed by another professional or center, or in which a referral to another professional has to be made during assistance.
However, in the interest of exercising proactive responsibility, the SCS is preparing an instruction to try to limit access to the HC, starting from the previously stated premise that it is not possible to have restricted access to the HC, in order to guarantee the agility with which care services must be provided. In this new instruction from the SCS Directorate, indications are being given to implement justification of accesses to the HC when, for example, the user does not belong to the professional's quota or is not being attended to by them in emergencies or in some specialty (the latest draft of the instruction for accesses to the HC is attached as Doc. 1), as the claimant requested from a colleague to know test statuses or try to expedite administrative procedures.
Apart from this, the SCS carries out awareness-raising and training work for staff, as well as an update to the previous Instruction 4/2010: Instruction No. 6/2023 of the Director of the Canarian Health Service, related to the processing of personal data carried out by the staff of the Canarian Health Service in the performance of their job, which has been disseminated among the staff and is accessible on the intranet (it is attached as Doc. 2).
Therefore, it is not considered appropriate to affirm that a) the processing of personal data is being carried out in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679, since the person responsible for the treatment, the SCS, has adopted measures to guarantee the confidentiality of the data contained in the electronic HC, with various notices when starting the session, raising awareness among staff about the need to maintain confidentiality and to limit access to what is strictly essential for the performance of their functions, etc., measures that are also currently being reinforced with the new Instruction for Access to the HC, in the process of approval.
According to the AEPD, the claimant affirms that the health information related to her person has been disclosed to third parties by the professionals who accessed her HC, although this fact is not proven beyond the party's assertion and was not confirmed by the professionals when asked in the directed audit that was carried out on them, so said statement is not proven and should not be taken into consideration.
2nd.- On the other hand, sanctions are imposed for non-compliance with article 32, which determines that "1.
Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for the rights and freedoms of natural persons, the person responsible and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others: […] b) the ability to guarantee the permanent confidentiality, integrity, availability and resilience of treatment systems and services;”
Well, the SCS has been implementing the security measures that have been determined based on the treatments carried out, assessing in every case the possible threats that could put the security of the information treated at risk.
In the analyses carried out, the human factor has always been and is taken into account as one of the threats present in any treatment, applying the appropriate countermeasures to mitigate said risk, which, to date, have proven effective, although this specific case has shown that they are not infallible. Therefore, to determine that technical and organizational measures have not been applied to guarantee the confidentiality of the information, and to sanction for it, is considered excessive, since measures have indeed been established based on the risks analyzed, although, as indicated above, they have been shown not to be invulnerable.
Being aware that there is no such thing as absolute security, the SCS has been adopting security measures and carrying out awareness-raising tasks for its staff, which had been demonstrating their effectiveness until this particular case, among others, with the publication of Instruction 6/2023 and the development of a new instruction for access to HC by staff of the SCS.
3º.- A double sanction is applied for the same act, since it is proposed to sanction as very serious the violation of article 5.1.f) of the GDPR and as serious the violation of article 32 of the GDPR, among whose measures is already guaranteeing the confidentiality of the information, which is why the sanction of the alleged act committed.

For all the above, and considering that it is an isolated event that occurred from the good faith of health professionals to help in the recovery of their companion, and that reinforcement measures are being taken to guarantee the confidentiality of the information to a greater extent, WE REQUEST the archiving of the proceedings.”

In view of everything that has been done by the Spanish Data Protection Agency in this procedure, the following are considered proven facts:

PROVEN FACTS

FIRST: There have been improper accesses to the claimant's medical history, which makes possible the disclosure of such personal data to third parties despite not having the consent of the owner thereof.

SECOND: The claimed entity has provided a report issued by the Security Office (ODS) of the Electromedical and Information Services Area (ASEI) on the audit prepared of the accesses made by Primary Care and Specialized Care at Fuerteventura General Hospital, in which it is stated that the accesses were carried out by ten professionals, two of whom accessed the history out of interest in the claimant's state of health, since they identified her on the emergency list, since she is a healthcare professional of the Anesthesia and Resuscitation Area (FEA).
FOUNDATIONS OF LAW

I

In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of this data (GDPR), and as established in articles 47, 48.1, 64.2 and 68.1 and 68.2 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”

II

Regarding health data, recital 35 of the GDPR states:

“Personal data related to health must include all data relating to the state of health of the interested party that provide information about his past, present or future state of physical or mental health.
Information is included about the natural person collected on the occasion of their registration for health care purposes, or on the occasion of the provision of such assistance, in accordance with Directive 2011/24/EU of the European Parliament and of the Council; any number, symbol or data assigned to a natural person that uniquely identifies him or her for health purposes; information obtained from tests or examinations of a part of the body or of a bodily substance, including that from genetic data and biological samples, and any information relating, by way of example, to a disease, a disability, risk of disease, medical history, clinical treatment or physiological or biomedical state of the interested party, regardless of its source, for example a doctor or other healthcare professional, a hospital, a medical device, or an in vitro diagnostic test.”

For its part, article 4 of the GDPR defines:

“2) "treatment": any operation or set of operations performed on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction;

7) "responsible for the treatment" or "responsible": the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of processing; if Union or Member State law determines the purposes and means of the treatment, the person responsible for the treatment or the specific criteria for their appointment may be established by Union law
or of the Member States;

10) "third party": natural or legal person, public authority, service or other body other than the interested party, the person responsible for the treatment, the person in charge of the treatment and the persons authorized to process personal data under the direct authority of the person responsible or the person in charge;”

III

The processing of data from medical records is regulated in Law 41/2002, of November 14, the basic regulation of patient autonomy and of rights and obligations regarding clinical information and documentation.

Its article 3 states: “Clinical history: the set of documents that contain the data, evaluations and information of any kind about the situation and clinical evolution of a patient throughout the care process.”

In article 16, the uses of medical history are established:

"1. The clinical history is an instrument designed fundamentally to guarantee adequate patient care. The care professionals at the center who perform the diagnosis or treatment of the patient have access to the patient's medical history as a fundamental instrument for their adequate assistance.

2.
Each center will establish the methods that enable access to the medical history of each patient by the professionals who assist them.”

IV

The principles relating to the processing of personal data are regulated in Article 5 of the GDPR, which establishes that “personal data will be:

a) treated in a lawful, fair and transparent manner in relation to the interested party (“legality, loyalty and transparency”);

b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with said purposes; according to article 89, section 1, the further processing of personal data for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes is not considered incompatible with the initial purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

d) accurate and, if necessary, updated; all reasonable measures will be taken for the immediate deletion or rectification of personal data that are inaccurate with respect to the purposes for which they are processed (“accuracy”);

e) maintained in a way that allows the identification of the interested parties for no longer than necessary for the purposes of processing personal data; the personal data may be retained for longer periods provided that they are treated exclusively for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), without prejudice to the application of the appropriate technical and organizational measures that this Regulation imposes in order to protect the rights and freedoms of the interested party ("retention period limitation");

f) processed in such a way as to ensure adequate security of personal data, including protection against
unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of technical or organizational measures ("integrity and confidentiality").

The person responsible for the treatment will be responsible for compliance with the provisions of paragraph 1 and able to demonstrate it (“proactive responsibility”).”

V

In the present case, a claim is filed for improper access to the clinical history and the disclosure to third parties of the diagnosis of the complaining party.

In relation to improper access, the entity has provided:

Report issued by the Security Office (ODS) of the Electromedical and Information Services Area (ASEI) on the audit prepared of the accesses made by Primary Care and Specialized Care at the General Hospital of Fuerteventura, in which it is revealed that the accesses were carried out by ten professionals, two of whom accessed the history out of interest in the claimant's state of health, since they identified the claimant on the emergency list since he is a professional in the Area of Anesthesia and Resuscitation (FEA).

There is no evidence that the claimant has made a claim to the ODS.

In relation to the security of the treatments, the entity has provided:

Security Policy, whose approval resolution was published in the Official Bulletin of the Canary Islands dated February 13, 2014.

Instruction 04/2010 of the Director of the CANARY HEALTH SERVICE, regarding the actions of personnel who, due to the performance of their job, process personal data.

Security document.

Decree 178/2005, of July 26, which approves the Regulation that regulates clinical history in hospital centers and establishments and establishes the content, conservation and redaction of its documents.

Logical access control regulations in accordance with the National Security Scheme.
Risk Analysis, which includes the treatments related to the Clinical History, defined as Critical, and states that the security measures provided for in the National Security Scheme are applied.

As indicated in legal basis III, from the reading of article 16 of Law 41/2002, of November 14, the basic regulation of patient autonomy and of rights and obligations regarding clinical information and documentation, it is clearly inferred that, although the clinical history is the instrument to provide healthcare to the patient, which must be properly guaranteed, it is equally true that access to the clinical history is for the professionals who assist the patient, not in general terms, but specifically those carrying out the diagnosis or treatment of the patient.

Despite the technical and organizational measures implemented, access by third parties to a patient's clinical history was not prevented, which denotes the absence of measures that ensure adequate security of personal data, including protection against unauthorized or illicit treatment and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures.

And regarding the principle of data protection by design, the GDPR requires in its article 25:

"1. Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of varying probability and severity that the treatment entails for the rights and freedoms of natural persons, the person responsible for the treatment will apply, both at the time of determining the means of treatment and at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply data protection principles, such as data minimization, and integrate the necessary guarantees in the treatment, in order to meet the requirements of this Regulation and protect the rights of the interested parties.”

Therefore, it is considered that such events represent a violation of confidentiality, and thereby contravene article 5.1 f) of the GDPR, which governs the principle of integrity and confidentiality, since there have been improper accesses to the medical history, with the health data it contains losing confidentiality by allowing access by third parties who were not entitled to it.

The AEPD's criteria in relation to this type of unauthorized access has a clear precedent, produced in a sanctioning procedure processed after the entry into force of the GDPR. This is file reference PS/00250/2021, in which the EXTREMEÑO HEALTH SERVICE was sanctioned for a problem identical to the one at issue in this file. In the narration of the events it appears:

“Inspection actions begin upon receipt of a written claim from A.A.A. (hereinafter, the claimant), in which he states that there has been improper access to his medical history by a worker at the Extremadura Health Service (hereinafter SES), with professional category of nurse.
The accesses are made without the authorization of the claimant and without there being any relationship that justifies it.”

Therefore, this Agency considers that the reported facts, consisting of the disclosure of the claimant's medical data to unauthorized persons, constitute a violation of article 5.1.f) of the GDPR.

VI

The violation of article 5.1.f) of the GDPR implies the commission of the violations typified in article 83.5 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount:

a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)”

For the purposes of the limitation period, article 72.1 a) of the LOPDGDD states that “Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following:

a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679”.

VII

On the other hand, security in the processing of personal data is regulated in article 32 of the GDPR, which establishes the following:

"1. Taking into account the state of the art, the application costs, and the nature, the scope, context and purposes of the processing, as well as risks of variable probability and severity for the rights and freedoms of natural persons, the person responsible and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others:

a) pseudonymization and encryption of personal data;

b) the ability to guarantee the permanent confidentiality, integrity, availability and resilience of the treatment systems and services;

c) the ability to restore the availability of and access to personal data quickly in case of physical or technical incident;

d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment.

2. When evaluating the adequacy of the security level, particular consideration will be given to the risks presented by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored, preserved or otherwise processed, or unauthorized communication of or access to said data.

3. Adherence to a code of conduct approved under Article 40 or to a certification mechanism approved in accordance with Article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of this article.

4.
The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or the person in charge and having access to personal data can only process said data following instructions of the controller, unless obliged to do so by virtue of Union law or that of the Member States.”

Recital 75 of the GDPR lists a series of factors or assumptions associated with risks to the guarantees of the rights and freedoms of the interested parties:

“The risks to the rights and freedoms of natural persons, of variable seriousness and probability, may be due to data processing that could cause physical, material or immaterial damages, particularly in cases where the treatment may give rise to problems of discrimination, usurpation of identity or fraud, financial loss, reputational damage, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other significant economic or social harm; in the cases in which the interested parties are deprived of their rights and freedoms or are prevented from exercising control over their personal data; in cases where the personal data processed reveal ethnic or racial origin, political opinions, religion or philosophical beliefs, militancy in unions and the processing of genetic data, data relating to health or data on sexual life, or criminal convictions and offenses or related security measures; in cases in which personal aspects are evaluated, in particular the analysis or prediction of aspects related to performance at work, economic situation, health, personal preferences or interests, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases in which personal data of vulnerable people, particularly children, are processed; or in cases where the treatment involves a large amount of personal data and
affects a large number of interested parties.”

The violation of article 32 of the GDPR implies the commission of the violations typified in article 83.4 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)”

For the purposes of the limitation period, article 73.g) of the LOPDGDD, under the heading “Infringements considered serious”, provides:

“Based on article 83.4 of Regulation (EU) 2016/679, infractions that involve a substantial violation of the articles mentioned therein will be considered serious and will prescribe after two years, and in particular the following:

g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented as required by article 32.1 of Regulation (EU) 2016/679.”

VIII

In this case, this Agency has verified that the security measures of the claimed entity are not adequate, which constitutes, on the part of the claimed entity, a violation of the provisions of article 32 of the GDPR.
The lack of adoption of measures to guarantee the principle of confidentiality means that it cannot be considered that there are measures that provide a level of protection appropriate to the existing risks. This is because the Security Policy established is based on a resolution dated February 13, 2014, an Instruction of the year 2010 dictated by the Director of the CANARY HEALTH SERVICE, and Decree 178/2005, of July 26, which approves the Regulation that regulates the clinical history in hospital centers and establishments and establishes the content, conservation and purge of its documents, all of which are standards prior to the current regulations on data protection, the axis of which is the GDPR 2016/679, effective May 25, 2018.

Therefore, by not adopting the necessary security measures to guarantee the protection of the personal data of the patients of this health service, it is considered that article 32 of the GDPR has been violated.

IX

In conclusion, it must be noted that, in accordance with the evidence available, it is considered that the claimed entity has processed personal data of the claimant, his medical history and diagnosis, allowing access without adopting the appropriate technical or organizational measures, which implies a violation of article 5.1 f) of the GDPR, nor have the security measures required by regulations on the protection of personal data been adopted, giving rise to a violation of article 32 of the GDPR.

Thus, this Agency considers that the claimed entity has violated articles 5.1 f) and 32 of the GDPR, by violating the principle of integrity and confidentiality, as well as by not adopting the necessary security measures to guarantee the protection of the personal data of the patients of this health service.
Therefore, this procedure concludes with the imposition of two sanctions for these facts: one for the violation of article 5.1.f) GDPR, and another for article 32 GDPR.

X

Article 58.2 of the GDPR provides the following: “Each supervisory authority will have all the following corrective powers indicated below:

b) send a warning to any person responsible or in charge of processing when the processing operations have infringed the provisions of this Regulation;

d) order the person responsible or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where applicable, in a certain way and within a specified period;

i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;

XI

Article 83 “General conditions for the imposition of administrative fines” of the GDPR in section 7 establishes:

“Without prejudice to the corrective powers of the supervisory authorities under Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.”

Likewise, article 77 “Regime applicable to certain categories of responsible or in charge of processing” of the LOPDGDD provides, in accordance with the wording in force at the time of the events, the following:

"1. The regime established in this article will apply to the treatments for which the following are responsible or in charge:

d) Public bodies and public law entities linked to or dependent on Public Administrations.

2. When the persons responsible or in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law, the competent data protection authority will dictate a resolution sanctioning them with a warning.
The resolution will likewise establish the measures that should be adopted to stop the conduct or correct the effects of the infraction that has been committed.

The resolution will be notified to the person responsible or in charge of the treatment, to the body on which it depends hierarchically, if applicable, and to those affected who have the condition of interested party, if applicable.

3. Without prejudice to what is established in the previous section, the data protection authority will also propose the initiation of disciplinary actions when there is sufficient evidence for this. In this case, the procedure and sanctions to apply will be those established in the applicable legislation on disciplinary or sanctioning regime.

Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for the treatment that had not been duly attended to is proven, the resolution imposing the sanction will include a reprimand with the name of the responsible position and will order publication in the corresponding Official State or autonomous Gazette.

4. The resolutions that fall in relation to the measures and actions referred to in the previous sections.

5. The actions carried out and the resolutions issued under this article will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities.”

Therefore, in accordance with the applicable legislation and having evaluated the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DIRECT to SERVICIO CANARIO DE LA SALUD, with NIF Q8555011I, for a violation of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in articles 83.5 and 83.4 of the GDPR respectively, a sanction of warning for each infraction committed.
SECOND: NOTIFY this resolution to SERVICIO CANARIO DE LA SALUD.

THIRD: PROPOSE the initiation of disciplinary actions against physicians who accessed the claimant's medical history.

FOURTH: COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1.
The interested party must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will terminate the precautionary suspension.

938-181022

Mar España Martí
Director of the Spanish Data Protection Agency