AEPD (Spain) - EXP202201746

From GDPRhub
AEPD - PS/00097/2023
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 83(4) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started: 27.01.2022
Decided: 08.09.2023
Published: 08.09.2023
Fine: n/a
Parties: SERVICIO CANARIO DE LA SALUD
National Case Number/Name: PS/00097/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA (AEPD) issued a reprimand to the Servicio Canario de la Salud after staff of the Fuerteventura General Hospital accessed a patient's clinical history without any care-related justification and her diagnosis was disclosed to third parties, in breach of Article 5(1)(f) and Article 32 GDPR.

English Summary

Facts

The claimed events date from 2 November 2021. The data subject requested her clinical history from the Canary Islands health service (Servicio Canario de la Salud, SCS). Together with the history, the SCS provided a list of accesses made by primary care staff and a list of accesses made by specialised care staff at the Fuerteventura General Hospital. The data subject marked several accesses on these lists that were not associated with any clinical process or consultation, that is, accesses by health professionals who had no care relationship with her at the time.

Upon receiving the claim from the AEPD, the controller (SCS) forwarded it to the Security Office (ODS) of its Area of Electromedical and Information Services (ASEI), which audited the marked accesses by asking the professionals who had made them to justify each one. The SCS also sent a written reminder to all its management bodies that staff who access a clinical history for unjustified reasons may incur disciplinary and even criminal liability. On this basis the AEPD initially archived the claim. The data subject filed an appeal for reconsideration, arguing that an audit which merely asked for justifications did not justify each access or the reasons that led the personnel in question to open the file, since the accesses were not associated with any clinical process or medical visit. The AEPD upheld the appeal and opened an investigation.

The investigation established that ten professionals of the Fuerteventura General Hospital had accessed the file. For two of them, specialists in the Anaesthesia and Resuscitation area (FEA), the audit found no care-related justification: they had seen the claimant, a colleague, on the emergency list and opened her history to see whether their specialty could contribute to her recovery. The SCS argued that it is not technically feasible to restrict access to a clinical history to the professionals treating the patient at that exact moment, because other specialties, requested tests and referrals also require access, and that every access is made with a personal username and password and is logged.
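The audit described above, checking each logged access to a clinical history against the clinical processes the patient actually had open, is the control this case turns on. What follows is an added example, not code from the AEPD decision or from the SCS systems, of how a security office could run that check over an access log before asking anyone for explanations. The log format, the "clinical process" identifier that ties an access to a consultation or admission, the set of units involved in an episode, the 48-hour grace window and the sample rows are all assumptions made for this illustration:

```python
"""Audit of clinical-history (HC) accesses against open clinical processes.

Added example, not part of the AEPD decision or of the SCS systems. The log
format, the process identifier, the involved-units set, the grace window and
the sample rows below are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed: reviewing results shortly before or after an episode is ordinary care.
GRACE = timedelta(hours=48)


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str                     # professional's account
    unit: str                     # service the professional belongs to
    patient: str                  # patient identifier (pseudonymised in a real export)
    process_id: Optional[str]     # clinical process the application attached, if any
    justification: Optional[str]  # reason typed by the user when no process applied


@dataclass(frozen=True)
class CareEpisode:
    process_id: str
    patient: str
    units: frozenset              # treating unit plus units with requested tests/referrals
    start: datetime
    end: datetime


def classify(access: Access, episodes: List[CareEpisode]) -> str:
    """Return 'care', 'review' or 'unjustified' for one access.

    care        : the access cites a process of this patient, the user's unit is
                  involved in that process, and the time is inside the episode (+ grace)
    review      : no such care link, but the user recorded a justification that a
                  human must assess (second opinion, administrative follow-up, ...)
    unjustified : neither a care link nor a recorded reason
    """
    for ep in episodes:
        if ep.patient != access.patient or ep.process_id != access.process_id:
            continue
        if access.unit in ep.units and ep.start - GRACE <= access.ts <= ep.end + GRACE:
            return "care"
    return "review" if access.justification else "unjustified"


def audit(accesses: List[Access], episodes: List[CareEpisode]) -> Dict[str, List[Tuple[str, str]]]:
    """Group every non-care access by professional: the list the security office
    would take to each person to ask for an explanation, as the ODS did here."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for a in accesses:
        verdict = classify(a, episodes)
        if verdict != "care":
            report.setdefault(a.user, []).append((a.ts.isoformat(), verdict))
    return report


def parse_log(lines: List[str]) -> List[Access]:
    """Parse rows of the assumed format 'ts;user;unit;patient;process;justification'."""
    out = []
    for line in lines:
        ts, user, unit, patient, proc, just = line.split(";")
        out.append(Access(datetime.fromisoformat(ts), user, unit, patient,
                          proc or None, just or None))
    return out


# Constructed sample: one emergency admission of patient P-001 on 2 November 2021,
# treated by Urgencias, with a radiology test requested during the episode.
EPISODES = [
    CareEpisode("EP-77", "P-001", frozenset({"Urgencias", "Radiologia"}),
                datetime(2021, 11, 2, 8, 0), datetime(2021, 11, 2, 20, 0)),
]
LOG = [
    "2021-11-02T09:15:00;u.urg01;Urgencias;P-001;EP-77;",                  # treating physician
    "2021-11-03T07:30:00;u.urg01;Urgencias;P-001;EP-77;",                  # next-morning follow-up, inside grace
    "2021-11-03T08:00:00;u.radio01;Radiologia;P-001;EP-77;",               # reports the requested test
    "2021-11-02T10:05:00;u.anest01;Anestesia;P-001;;",                     # colleague, no process, no reason
    "2021-11-02T10:07:00;u.anest02;Anestesia;P-001;;saw name on ER list",  # colleague, reason recorded
    "2021-11-20T12:00:00;u.urg01;Urgencias;P-001;EP-77;",                  # cites the process, but weeks later
]

if __name__ == "__main__":
    for user, rows in sorted(audit(parse_log(LOG), EPISODES).items()):
        print(user, rows)
```

An access that cites an open process for that patient, from a unit involved in it and inside the episode window, is treated as care; an access with no such link but a recorded reason is queued for human review (the "justification" the new SCS instruction asks for when the patient is not in the professional's quota); everything else is reported as unjustified, grouped per professional, which is the list the ODS would take to the staff concerned. The involved-units set and the grace window are what let radiology reading a requested test, or a physician reviewing results the next morning, pass without being flagged, the situations the SCS raised as reasons not to lock the record to the treating physician alone; an access that cites a process weeks after it closed is still flagged.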

Holding

The AEPD considered that there had been undue access to the data subject's clinical history and disclosure of her personal information to third parties without her consent. These facts amount to a breach of the principle of integrity and confidentiality in Article 5(1)(f) GDPR, since the medical history had been accessed by persons who were not authorised to do so.

The AEPD also pointed to the lack of measures in place to guarantee the confidentiality of this information. During the procedure the SCS described its safeguards as a password-protected record with access logging, a warning shown at log-in and a staff instruction, and acknowledged that it was only now preparing an instruction requiring professionals to record a justification when they open the history of a patient who is not in their quota or under their care. The controller's security measures were therefore not appropriate to the risk, which constituted an infringement of Article 32 GDPR.

Therefore, the AEPD issued a warning (reprimand) for each of the two infringements, one for Article 5(1)(f) and one for Article 32 GDPR, both classified under Article 83(5) GDPR.

Comment

The AEPD highlighted a similar procedure, PS/00250/2021 against the Servicio Extremeño de Salud, in which a worker of the Extremadura Health Service (SES) had improperly accessed the data subject's medical records. Those accesses were made without the data subject's authorisation and without any relationship that could justify them.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202201746

RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and on the basis of the following

BACKGROUND

FIRST: On January 27, 2022, a written claim presented by A.A.A. (hereinafter, the complaining party) was entered into the Spanish Data Protection Agency (hereinafter, AEPD).

The claim is directed against SERVICIO CANARIO DE LA SALUD with NIF Q8555011I (hereinafter, the claimed party).

The reasons on which the claim is based are the following:

The claimant states that there have been improper accesses to her medical history and that her diagnosis has been revealed to third parties.

She also states that the website of the Health Department of the Government of the Canary Islands (https://www.gobiernodecanarias.org/sanidad/) uses cookies without warning of them, without having a cookie policy and without requesting express consent for their use, and that it does not have a Privacy Policy either.

Date on which the claimed events took place: November 2, 2021.

Relevant documentation provided by the complaining party:

- Response issued by the CANARY HEALTH SERVICE regarding access to the Clinical History, which includes a List of Accesses made by Primary Care from 10/5/21 to 12/9/2021 and a List of Accesses made by Specialised Care at the Fuerteventura General Hospital from 10/6/2021 to 10/12/2021.

In this document the claimant notes that the accesses marked in colour are not associated with any clinical process or consultation.


SECOND: In accordance with the mechanism prior to the admission for processing of the claims made before the AEPD, provided for in article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), which consists of transferring them to the data protection officers designated by the controllers or processors, or to these when none have been designated, and with the purpose indicated in the aforementioned article, the claim was transferred to the CANARY HEALTH SERVICE (hereinafter, the claimed party) so that it could proceed to analyse it and respond within a period of one month, which it did by a letter entered into this Agency on May 6, 2022.

In response to the transfer and request for information, the claimed party stated that it had forwarded the claim to the Security Office (ODS) of the Area of Electromedical and Information Services (ASEI) and to the Health Services Management of Fuerteventura.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/21


The ASEI states that it has proceeded to audit the accesses marked by the claimant, asking the persons who accessed for the justification of such access. The Health Services Management of Fuerteventura stated that, having reviewed the files kept in that management centre, there was no “documentation kept in relation to the reference file.”


On April 25, the General Secretariat of the claimed party sent the result of the audit carried out by the ASEI and told the AEPD that a letter had been sent to all management bodies in the following terms:

"The Spanish Data Protection Agency has sent, in a short space of time, several complaints relating to supposedly improper access to the clinical history of patients by centre staff.

Instruction No. 4/10 of this Directorate, relating to the actions of the personnel of the Canarian Health Service who, in the performance of their job, process personal data, makes it clear that in the bodies providing services, the person in charge of the care centre will determine which units will adopt, on behalf of the controller, the necessary measures so that the personnel of each unit know, in an understandable way, the security regulations of the files that affect the development of their functions (fifth section).

In this sense, it is important that the personnel who access the medical history know the disciplinary and even criminal responsibilities they may incur if, despite the warning that already appears in the application, they access the clinical history of a patient for unjustified reasons.

Likewise, they are reminded that, in the event of any indication of improper access, the corresponding management must adopt the necessary measures to determine the administrative or criminal responsibilities that may arise."

The claimed party also added that it had considered it appropriate to prepare a protocol for processing the requests received in which the interested party asks for information about who has accessed their medical history.

THIRD: On May 17, 2022, after analysing the documentation in the file, the Director of the Spanish Data Protection Agency issued a resolution agreeing to archive the claim.

The resolution was notified to the appellant on May 17, through the Electronic Notification Service and Enabled Electronic Address, according to the certificate in the file.


FOURTH: On June 13, 2022, the claimant filed an appeal for reconsideration against said resolution, in which she alleged that there had been unauthorised access to her medical records and disclosure of her health data to hospital staff, which had not been resolved, pointing out that the Servicio Canario de Salud limits itself to indicating that “it has audited the accesses marked by the claimant”, without justifying each of those accesses or the reasons that led the personnel in question to access, since said accesses and movements in her clinical history are not associated with any clinical process or medical visit.

FIFTH: On July 27, 2022, the appeal filed was sent to the claimed party within the framework of article 118.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), so that it could formulate allegations and present the documents and supporting evidence it deemed appropriate.

The transfer was notified on July 27, 2022, through the Electronic Notification Service and Enabled Electronic Address, according to the certificate in the file, with no allegations having been provided by the claimed party in reply to what was stated by the appellant in the appeal for reconsideration.

Said procedure was notified on July 27, 2022, without any allegation having been received from the claimed party as of the date of this resolution.



SIXTH: On October 6, 2022, the appeal for reconsideration filed by A.A.A. against the resolution of this Agency issued on May 17, 2022, which had agreed to archive the claim referring to the CANARY HEALTH SERVICE, was upheld.


SEVENTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with Title VII, Chapter I, Second Section, of the LOPDGDD, learning the following:

The CANARY HEALTH SERVICE is part of the HEALTH DEPARTMENT OF THE GOVERNMENT OF THE CANARY ISLANDS.

On December 5, 2022, the Data Inspection accessed the website of the HEALTH DEPARTMENT OF THE GOVERNMENT OF THE CANARY ISLANDS, https://www.gobiernodecanarias.org/sanidad/, verifying that it does not have a Privacy Policy section. There is no evidence that data is collected on this website.

The website contains a notice about cookies: “This web portal uses its own and third-party cookies to collect information that helps optimise your visit. Cookies are not used to collect personal information. You can change your configuration whenever you want. More information is available in our cookie policy”. Acceptance is not requested, and the link to the cookie policy returns “Error 404. Document not found.”

On December 5, 2022, the Data Inspection accessed the website of the CANARY HEALTH SERVICE, https://www3.gobiernodecanarias.org/sanidad/scs/, verifying that it has a Privacy Policy section which identifies the controller and includes, among other things, a link to the Record of Processing Activities, in which the purpose, legal basis, recipients and retention period are reported. Likewise, a link is included to exercise the rights of data subjects, the email address of the Data Protection Officer and a link to the website of the Spanish Data Protection Agency.

The processing CLINICAL HISTORY appears in the Record of Processing Activities, where the aforementioned information is reported.

When accessing the website of the CANARY HEALTH SERVICE there is a notice about cookies: “The web portal of the Canarian health service uses its own and third-party cookies to collect information that helps optimise your visit. Cookies are not used to collect personal information. You can allow their use or refuse it. You can also change your settings whenever you want. You have more information in our cookie policy”.

The Cookie Policy provides information on technical cookies and analytical cookies, the latter described as “Analytical cookies for monitoring and statistical analysis of the behaviour of all users. If these cookies are disabled, the website may continue to function, without prejudice to the fact that the information captured by these cookies about the use of our website and its content allows us to improve our services”.

On December 9, 2022, the Data Inspection accessed the website of the HEALTH DEPARTMENT OF THE GOVERNMENT OF THE CANARY ISLANDS, verifying that it sets three cookies from the Government of the Canary Islands. One of them is a session cookie and the others, with expiration dates 10-12-2022 and 01-13-2024, are from Google Analytics (D. cookies).

On the same date, the Data Inspection accessed the website of the CANARY HEALTH SERVICE, verifying that it sets four cookies belonging to the Government of the Canary Islands, with expiration dates 12-9-2022, 12-10-2022, 01-9-2024 and 01-13-2024; three of them are from Google Analytics (D. cookies).

In the proceedings AT/0724/2022, the claim was transferred to the HEALTH DEPARTMENT OF THE GOVERNMENT OF THE CANARY ISLANDS and to the SERVICIO CANARIO DE LA SALUD, and was answered by the SERVICIO CANARIO DE LA SALUD in the following terms:

There is no evidence that the claimant has made a claim before the SECURITY OFFICE (ODS) OF THE AREA OF ELECTROMEDICAL AND INFORMATION SERVICES (ASEI) since, as stated at the end of the list provided by the complainant, it is reported that “if any of the accesses included in the report could have been improper or unlawful, you may file a claim so that the security office carries out the appropriate verifications to help clarify said access”.

A report issued by the ODS has been provided on the audit of the accesses made by PRIMARY CARE AND SPECIALISED CARE AT THE GENERAL HOSPITAL OF FUERTEVENTURA, which reveals that the accesses were carried out by ten professionals, two of whom accessed the history to inquire about the claimant's state of health, having identified her on the emergency list, since she is a professional in the Anaesthesia and Resuscitation area (FEA).

Regarding cookies and the privacy policy, they state that they are working on it and provide drafts. These drafts are similar to those available on the website of the CANARY HEALTH SERVICE on December 5, 2022, the date on which the Data Inspection accessed it.

The CANARY HEALTH SERVICE states, and provides a written document in this regard, that the DIRECTORATE OF THE CANARY HEALTH SERVICE, the body responsible for the Clinical History processing, both Primary Care and Specialised Care, has sent a letter to all management bodies in the following terms: “The Spanish Data Protection Agency has sent, in a short space of time, several complaints relating to allegedly improper access to the medical records of patients by centre staff. Instruction No. 4/10 of this Directorate…. makes it clear that in the service-providing bodies, the person in charge of the healthcare centre will determine which units will adopt, on behalf of the controller, the necessary measures so that the staff of each unit know, in an understandable way, the security rules for the files that affect the development of their functions (fifth section). In this sense, it is important that the personnel who access the medical history know the disciplinary responsibilities..., accesses a patient's medical history for unjustified reasons. Likewise, they are reminded that, in the event of any indication of improper access, the corresponding management must adopt the necessary measures to determine the administrative or criminal responsibilities that may arise.”
On December 12, 2022, a request for information was sent to the CANARY HEALTH SERVICE (hereinafter SCS), and the response received reveals the following:

In relation to the Security Policy

The SCS has provided a copy of the Security Policy, whose approval resolution was published in the Official Gazette of the Canary Islands on February 13, 2014, where general criteria for security procedures are established (Document 1). All personnel must be informed of it, as well as of Instruction 04/2010 of the Director of the Canarian Health Service, regarding the actions of personnel who, in the performance of their job, process personal data (Document 2). This instruction is required reading and is binding for all personnel who access SCS systems, including the clinical history of patients.

The SCS states that on first access, and thereafter sporadically and at random, a notice appears on the screen reminding the user of the existence of said instruction and collecting the staff member's acceptance that they have read and understood it, and provides a screen print of the aforementioned notice, which reads: “In the records of this Service it does not appear that, as a worker who provides services in the SCS and under the Personal Data Protection regulations, you have read and accepted Instruction 04/2010 of the Canary Health Service relating to the actions of personnel who process personal data. Please, to continue, read the instruction and click on the corresponding button” (Document 3).

The SCS has provided a copy of the Security Document (Document 4), which includes, among other aspects, matters related to the identification and authentication of users with access to the information systems, and which indicates that the technical managers of each application will be able to obtain the updated list of users as well as their access profiles. Likewise, it indicates that there will be an updated list of users with access to non-automated documents together with their access rights. And, regarding access control, it indicates that users will only access the resources necessary to do their work.

In the case of files that contain high-level data, the following is established, among others:

- The access information specified in the regulations will be saved.
- If access is authorised, the information that allows identification of the record the user has accessed will be saved.
- The Security Manager will control the mechanisms of this registry.

Security measures of the CLINICAL HISTORIES processing

Access to the medical history is regulated by Decree 178/2005, of July 26, which approves the Regulation governing the clinical history in hospital centres and establishments and establishes the content, conservation and purging of its documents.

Article 28, on the procedure for confirming access to the medical history and its use, establishes in section 5: “The computerisation, where appropriate, of the procedure regulated in this article will guarantee the security, identification and authentication of the persons who access the information, as well as a record of said access, by creating the corresponding file, guaranteeing compliance with the provisions of current legislation on the protection of personal data.”
The SCS states that it has a file that collects user activity in the different applications linked to the clinical history.

The SCS provides the document “Logical access control regulations”, which describes the logical access control procedure that applies to all personnel with access to the information kept by the SCS (Document 6) and which, as shown in it, includes what is required by the National Security Scheme. Section 5 on Logical Access Control states that, in addition to identification and authentication, the system, based on the identification and authentication data, provides the user with the necessary privileges to access resources.

The SCS has also provided a copy of the Risk Analysis, which includes the processing related to the Clinical History, defined as Critical, and states that the security measures provided for in the National Security Scheme apply (Document 7). In this regard, it states that it is in the phase of implementing and adapting to Royal Decree 311/2022, of May 3, which regulates the National Security Scheme.

In relation to the clinical history of the Fuerteventura Hospital, it has provided an audit verifying User Management (Document 8), as well as the general audit of SCS user management (Document 9).

In relation to the Data Protection Officer

The SCS states that “the Data Protection Officer fulfils her functions pursuant to Article 39 of the GDPR, primarily advising on and supervising compliance with current data protection regulations, ex officio or at the request of the service involved, assessing and reporting what she considers necessary for the correct processing of personal data.”



EIGHTH: The subject of this file is the issue of possible improper access to the claimant's medical history. Possible liability for the use of analytical cookies without obtaining users' consent on the website of the Health Department of the Government of the Canary Islands will be the subject, where appropriate, of a different procedure.


NINTH: On April 20, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in article 83.5 of the GDPR.

TENTH: The aforementioned initiation agreement having been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), on May 8, 2023 the claimed party presented a written statement of allegations in which it stated that, in relation to the violation of article 5.1 f) of the GDPR, in order to provide healthcare that is as comprehensive and complete as possible, an electronic medical history (hereinafter HC) is available, which must be accessed with username and password, so that the logs of accesses to the different HCs are recorded.

It is currently not technically feasible to restrict users' access to the HC only to those healthcare workers who are providing care to the patient at that exact moment, since there may be various cases in which other specialties need to access it, or tests requested and reviewed by another professional or centre, or a referral to another professional during care. That is, to avoid compromising healthcare, it is not appropriate to completely restrict access to the HC.


From the audits carried out on the 10 professionals, it has been proven that 2 of these accesses effectively occurred without care-related justification, although it is not proven that the information they accessed has been disclosed by any means. Both professionals indicated that they were aware of the admission of their colleague because they saw her name on the emergency list. Therefore, they accessed her history to see if they could contribute any knowledge of their specialty to help in her recovery.

In relation to the alleged violation of article 32 of the GDPR, the claimed entity states that it has been implementing the security measures that it has determined on the basis of the processing carried out, assessing in any case the possible threats that could put at risk the security of the information processed.

Being aware that there is no such thing as absolute security, the SCS has been adopting security measures and carrying out awareness-raising tasks for its staff that had been demonstrating their effectiveness until this particular case.

Evidence of this review and adoption of new measures is the publication of Instruction 6/2023 and the preparation of a new instruction on access to the HC by SCS staff.

Likewise, upon becoming aware of these possible improper accesses, it carried out an internal audit aimed at the professionals involved, so that they would justify the reason for the access, and the corresponding Management is carrying out disciplinary proceedings to determine possible responsibilities.

The claimed entity concludes by indicating that, considering that it is an isolated event arising from the good faith of health professionals wishing to help in the recovery of their colleague, and that the additional measures necessary to guarantee the confidentiality of the information to a greater extent are being taken, it requests the archiving of the proceedings.

ELEVENTH: On May 9, 2023, the instructor of the procedure agreed to consider reproduced for evidentiary purposes the claim filed by A.A.A. and its documentation, the documents obtained and generated during the phase of admission for processing of the claim, and the report of preliminary investigation actions that form part of the procedure.

Likewise, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by SERVICIO CANARIO DE LA SALUD, and the documentation accompanying them, are considered reproduced for evidentiary purposes.

TWELFTH: On May 30, 2023, a proposed resolution was issued proposing that the Director of the Spanish Data Protection Agency issue a warning to the CANARY HEALTH SERVICE, with NIF Q8555011I, for each of the two violations committed, one for the violation of article 5.1.f) of the GDPR and another for the violation of article 32 of the GDPR, both classified under article 83.5 of the GDPR.



THIRTEENTH: On June 9, 2023, the following allegations were received from the claimed entity in response to the proposed resolution:

“1º.- Taking into account the provisions of art. 5.1 of the GDPR, which determines that data will be f) processed in such a way as to ensure adequate security of the personal data, including protection against unauthorised or unlawful processing and against its loss, destruction or accidental damage, through the application of technical or organisational measures (“integrity and confidentiality”), it is considered that what is being stated is that the SCS does not process data in a way that guarantees the application of the principles included in the aforementioned precept, and we do not agree with this.

Taking into account the type of services that the SCS provides to users, and so that healthcare is as comprehensive and complete as possible, there is an electronic clinical history (hereinafter HC) that healthcare professionals can access through username and password, and whose access logs are recorded. Currently, and due to the activity of the SCS, it is not technically feasible to restrict access to users' HC only to those health workers who are providing care to patients at that exact moment, since various cases can occur in which other specialties need to access it, or tests requested and reviewed by another professional or centre, or a referral to another professional during care.


However, in the interest of exercising proactive responsibility, the SCS is preparing an instruction to try to limit access to the HC, starting from the previously stated premise that it is not possible to have restricted access to the HC, in order to guarantee the agility with which healthcare must be provided.

In this new instruction from the SCS Directorate, indications are being given to implement a justification of accesses to the HC when, for example, the user does not belong to the professional's quota or is not being attended to by him in emergencies or in some specialty (the latest draft of the instruction on accesses to the HC is attached as Doc. 1), as when the claimant requested from a colleague to know the status of tests or to try to expedite administrative procedures.

Apart from this, the SCS carries out awareness-raising and training work for staff, and has updated the previous Instruction 4/2010 with Instruction No. 6/2023 of the Director of the Canarian Health Service, relating to the processing of personal data carried out by the staff of the Canarian Health Service in the performance of their job, which has been disseminated among the staff and is accessible on the intranet (attached as Doc. 2).

Therefore, it is not considered appropriate to affirm that:

a) The processing of personal data is being carried out in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679, since the controller, the SCS, has adopted measures to guarantee the confidentiality of the data contained in the electronic HC, with various notices at the start of the session, raising awareness among staff of the need to maintain confidentiality and to limit access to what is strictly essential for the development of their functions, etc., measures that are also currently being reinforced with the new Instruction for Access to the HC in the process of approval.

According to the AEPD, the claimant affirms that the health information relating to her has been disclosed to third parties by the professionals who accessed her HC; however, this fact is not proven beyond the claimant's assertion, and it was not confirmed by the professionals when asked in the directed audit carried out on them, so said statement is not proven and should not be taken into consideration.

2nd.- On the other hand, a sanction is imposed for non-compliance with article 32, which determines that “1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which, where appropriate, includes, among others: […]

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;”

Well, the SCS has been implementing the security measures that it has been determining on the basis of the processing carried out, assessing in any case the possible threats that could put at risk the security of the information processed.


In the analyses carried out, the human factor has always been and is taken into account as one of the threats present in any processing, applying the appropriate countermeasures to mitigate said risk, which, to date, have proven effective, although this specific case has shown that they are not infallible.

Therefore, determining that technical and organizational measures have not been applied to guarantee the confidentiality of the information, and sanctioning for it, is considered excessive, since measures have indeed been established on the basis of the risks analyzed, although, as indicated above, they have been shown not to be invulnerable.
Being aware that there is no such thing as absolute security, the SCS has been adopting security measures and carrying out awareness-raising tasks for its staff that had been demonstrating their effectiveness until this particular case, among others, with the publication of Instruction 6/2023 and the development of a new instruction for access to the HC by SCS staff.

[Footnote in the original: PS/00587/2021, a PS opened against the MADRID HEALTH SERVICE.]


3º.- A double sanction is applied for the same act, since it is proposed to sanction as very serious the violation of article 5.1.f) of the RGPD and as serious the violation of article 32 of the RGPD, among whose measures is precisely the guarantee of the confidentiality of the information, which is why the sanction for the alleged act committed is duplicated.

For all the above, and considering that it is an isolated event that arose from the good faith of health professionals wishing to help in the recovery of their colleague, and that reinforcement measures are being taken to guarantee the confidentiality of the information to a greater extent, WE REQUEST the closure of the proceedings."



In view of all the actions taken by the Spanish Data Protection Agency in this procedure, the following are considered proven facts:

                                PROVEN FACTS


FIRST: There have been improper accesses to the claimant's medical history, which make possible the disclosure of such personal data to third parties without the consent of the data subject.


SECOND: The claimed entity has provided a report issued by the Security Office (ODS) of the Electromedical and Information Services Area (ASEI) on the audit of the accesses made by Primary Care and Specialized Care at Fuerteventura General Hospital, which states that the accesses were carried out by ten professionals, two of whom accessed the history out of interest in the claimant's state of health, since they identified her on the emergency list, she being a healthcare professional of the Anesthesia and Resuscitation Area (FEA).


                           FOUNDATIONS OF LAW


                                            I

In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), and as established in articles 47, 48.1, 64.2, 68.1 and 68.2 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.


Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."


                                           II


Regarding health data, recital 35 of the GDPR states:

"Personal data concerning health should include all data pertaining to the health status of the data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test."


For its part, article 4 of the GDPR defines:

"2) 'processing': any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

7) 'controller': the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

10) 'third party': a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorized to process personal data;"

                                            III

The processing of medical record data is regulated in Law 41/2002, of November 14, the basic law regulating patient autonomy and the rights and obligations regarding clinical information and documentation.

Its article 3 states:

"Clinical history: the set of documents containing the data, assessments and information of any kind about the situation and clinical evolution of a patient throughout the care process."

Article 16 establishes the uses of the clinical history:

"1. The clinical history is an instrument designed fundamentally to guarantee adequate patient care. The care professionals at the center who carry out the diagnosis or treatment of the patient have access to the patient's clinical history as a fundamental instrument for their adequate care.

2. Each center shall establish the methods that enable access at all times to the clinical history of each patient by the professionals who assist them."

                                            IV

The principles relating to the processing of personal data are regulated in Article 5 of the RGPD, which establishes that "personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; in accordance with Article 89(1), further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures that

this Regulation requires in order to safeguard the rights and freedoms of the data subject ("storage limitation");

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability")."


                                            V


In the present case, a claim is filed for improper access to the clinical history and the disclosure to third parties of the diagnosis of the complaining party. In relation to the improper access, the entity has provided:

- Report issued by the Security Office (ODS) of the Electromedical and Information Services Area (ASEI) on the audit of the accesses made by Primary Care and Specialized Care at Fuerteventura General Hospital, which reveals that the accesses were carried out by ten professionals, two of whom accessed the history out of interest in the claimant's state of health, since they identified the claimant on the emergency list, the claimant being a professional of the Anesthesia and Resuscitation Area (FEA).

- There is no evidence that the claimant has made a complaint to the ODS.

In relation to the security of the processing, the entity has provided:

- Security Policy, whose approval resolution was published in the Official Gazette of the Canary Islands dated February 13, 2014.

- Instruction 04/2010 of the Director of the CANARY HEALTH SERVICE, regarding the conduct of personnel who, in the performance of their job, process personal data.

- Security document.

- Decree 178/2005, of July 26, approving the Regulation that regulates the clinical history in hospital centers and establishments and establishes the content, conservation and purging of its documents.

- Logical access control regulations in accordance with the National Security Scheme.

- Risk Analysis, which includes the processing operations related to the Clinical History, defined as Critical, and states that the security measures provided for in the National Security Scheme are applied.


As indicated in legal basis III, from a reading of article 16 of Law 41/2002, of November 14, the basic law regulating patient autonomy and the rights and obligations regarding clinical information and documentation, it is clearly inferred that, although the clinical history is the instrument to
provide healthcare to the patient, which must be duly guaranteed, so too must access to the clinical history be limited to the professionals who assist the patient, not in general terms, but specifically those carrying out the diagnosis or treatment of the patient.

Despite the technical and organizational measures implemented, access to a patient's clinical history by third parties has not been prevented, which denotes the absence of measures ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures.



And regarding the principle of data protection by design, the GDPR requires in its article 25:

"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."


Therefore, it is considered that such events represent a violation of confidentiality, and thereby contravene article 5.1 f) of the GDPR, which governs the principle of integrity and confidentiality, since there have been improper accesses to the medical history, the health data contained therein losing their confidentiality by allowing access by third parties who were not entitled to it.

The AEPD's criteria in relation to this type of unauthorized access have a clear precedent, produced in a sanctioning procedure processed after the entry into force of the GDPR. This is file reference PS/00250/2021, in which the EXTREMADURA HEALTH SERVICE was sanctioned for a problem identical to the one at issue in this file. In the narration of the events it states:

"Inspection actions begin upon receipt of a written claim from A.A.A. (hereinafter, the claimant), in which he states that improper accesses to his medical history have been made by a worker of the Extremadura Health Service (hereinafter SES), with the professional category of nurse. The accesses were made without the claimant's authorization and without any relationship justifying them."

Therefore, this Agency considers that the reported facts, consisting of the disclosure of the claimant's medical data to unauthorized persons, constitute a violation of article 5.1.f) of the GDPR.

                                            VI

The violation of article 5.1.f) of the RGPD implies the commission of the infringements typified in article 83.5 of the RGPD, which under the heading "General conditions for imposing administrative fines" provides:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

   a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (…)"


For the purposes of the limitation period, article 72.1 a) of the LOPDGDD states that "on the basis of the provisions of article 83.5 of Regulation (EU) 2016/679, infringements involving a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, in particular the following:

a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679".

                                           VII


On the other hand, security in the processing of personal data is regulated in article 32 of the RGPD, which establishes the following:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational
measures to ensure a level of security appropriate to the risk, which, where appropriate, includes, among others:

a) the pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.


2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

Recital 75 of the GDPR lists a series of factors or situations associated with risks to the rights and freedoms of data subjects:


"The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analyzing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, in order to create or
use personal profiles; where personal data of vulnerable natural persons, in particular children, are processed; or where the processing involves a large amount of personal data and affects a large number of data subjects."



The violation of article 32 of the RGPD implies the commission of the infringements typified in article 83.4 of the RGPD, which under the heading "General conditions for imposing administrative fines" provides:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

    a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)"

For the purposes of the limitation period, article 73.g) of the LOPDGDD, under the heading "Infringements considered serious", provides:

"On the basis of article 83.4 of Regulation (EU) 2016/679, infringements involving a substantial violation of the articles mentioned therein shall be considered serious and shall be time-barred after two years, in particular the following:

g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented as required by article 32.1 of Regulation (EU) 2016/679."

                                          VIII

In this case, this Agency has verified that the security measures of the claimed entity are not adequate, which constitutes, on the part of the claimed entity, a violation of the provisions of article 32 of the RGPD.

The failure to adopt measures guaranteeing the principle of confidentiality means that the existing measures cannot be considered to provide a level of protection appropriate to the existing risks. This is because the established Security Policy is based on a resolution dated February 13, 2014, an Instruction of 2010 issued by the Director of the CANARY HEALTH SERVICE, and Decree 178/2005, of July 26, approving the Regulation that regulates the clinical history in hospital centers and establishments and establishes the content, conservation and purging of its documents; all of these are standards prior to the current data protection regulations, whose axis is GDPR 2016/679, applicable since May 25, 2018.

Therefore, by not adopting the security measures necessary to guarantee the protection of the personal data of the patients of this health service, it is considered that article 32 of the RGPD has been violated.

                                          IX


In conclusion, it must be noted that, in accordance with the evidence available, it is considered that the claimed entity has processed personal data of the claimant, namely the medical history and diagnosis, allowing access without adopting appropriate technical or organizational measures, which implies a violation of article 5.1 f) of the GDPR, nor has it adopted the security measures required by the regulations on the protection of personal data, giving rise to a violation of article 32 of the RGPD.

Thus, this Agency considers that the claimed entity has violated articles 5.1 f) and 32 of the RGPD, by violating the principle of integrity and confidentiality, as well as by not adopting the security measures necessary to guarantee the protection of the personal data of the patients of this health service.

Therefore, this procedure concludes with the imposition of two sanctions for
these facts: one for the violation of article 5.1.f) RGPD, and another for article 32
GDPR.


                                            X

Article 58.2 of the GDPR provides the following: "Each supervisory authority shall have all of the following corrective powers:

b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;"


                                          XI

Article 83 "General conditions for imposing administrative fines" of the GDPR establishes in section 7:

"Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State."


Likewise, article 77 "Regime applicable to certain categories of controllers or processors" of the LOPDGDD provides, in accordance with the wording in force at the time of the events, the following:

"1. The regime established in this article shall apply to the processing operations for which the following are controllers or processors:

d) Public bodies and public law entities linked to or dependent on Public Administrations.

2. When the controllers or processors listed in section 1 commit any of the infringements referred to in articles 72 to 74 of this organic law, the competent data protection authority shall issue a resolution sanctioning them with a warning. The resolution shall also establish the measures to be adopted to cease the conduct or correct the effects of the infringement committed.

The resolution shall be notified to the controller or processor, to the body on which it hierarchically depends, if applicable, and to those affected who have the status of interested party, if applicable.

3. Without prejudice to the provisions of the previous section, the data protection authority shall also propose the initiation of disciplinary actions when there is sufficient evidence for this. In this case, the procedure and sanctions to apply shall be those established in the applicable legislation on disciplinary or sanctioning regime.

Likewise, when the infringements are attributable to authorities and managers, and the existence of technical reports or recommendations on the processing that had not been duly attended to is proven, the resolution imposing the sanction shall include a reprimand naming the responsible position and shall order its publication in the Official State Gazette or the corresponding autonomous community gazette.

4. The resolutions issued in relation to the measures and actions referred to in the previous sections.

5. The actions carried out and the resolutions issued under this article shall be communicated to the Ombudsman or, where appropriate, to the similar institutions of the autonomous communities."

Therefore, in accordance with the applicable legislation and having evaluated the criteria for the graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO ADDRESS to SERVICIO CANARIO DE LA SALUD, with NIF Q8555011I, for a violation of article 5.1.f) of the RGPD and of article 32 of the RGPD, typified in articles 83.5 and 83.4 of the RGPD respectively, a sanction of warning for each infringement committed.

SECOND: NOTIFY this resolution to SERVICIO CANARIO DE LA SALUD.


THIRD: PROPOSE the initiation of disciplinary actions against the physicians who accessed the claimant's medical history.

FOURTH: COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution shall be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the said Law.


Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. The interested party must also forward to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, the precautionary suspension will end.


                                                                                938-181022
Mar España Martí
Director of the Spanish Data Protection Agency