AEPD - PD-00125-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 15 GDPR §18 Ley 41/2002, de 14 de noviembre, básica reguladora de la Autonomía del Paciente y de Derechos y Obligaciones en Materia de Información y Documentación Clínica |
Type: | Complaint |
Outcome: | Upheld |
Started: | 23.03.2022 |
Decided: | |
Published: | 19.09.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | PD-00125-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
Resolution regarding the right to access (art. 15 GDPR) and its formalities art. 12(2) GDPR. The Health service of the Balearic Islands (Controller) didn’t comply with the period stablished and delivered a copy of the documentation six months after the request.
English Summary
Facts
Data subject submits a complaint against the DPA since her request to access (15/01/2022) to her and her daughter’s medical record and administrative file (assistance of pregnancy, childbirth and subsequent clinical care), has not been answered.
The data controller is the Heath Service of the Balearic Islands (IB-SALUT) and the request included documentation from three different hospitals and clinics. During the proceeding before the DPA the controller sent some parts of the file required, however, the last piece of documents was delivered to the data subject on 15/06/2022 which was late since the period stablished in the GDPR and national legislation is one month.
The justification of the data controller was the excess of work from that period and the fact that the request included documents from diverse entities which delayed the collection of the medical records.
The DPA reminds of the legislation regarding Patients’ autonomy and their rights and obligations regarding information and medical records, which states the patient’s right to access it as well as request a copy.
Holding
The DPA upholds the complaint since the access to the requested medical record was fulfilled late. It alluded to art. 12 GDPR (12 of the national legislation) and recital 59 and following which foresees the period of one month to satisfy the request.
Notwithstanding, the data controller was not fined since by the moment of the resolution the requested had been fulfilled.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8 File No.: EXP202203996 RESOLUTION No.: R/00628/2022 Considering the claim made on March 23, 2022 before this Agency by D. A.A.A. on behalf of Ms. B.B.B. , against the HEALTH SERVICE OF THE ILLES BALEARS (IB-SALUT), for not having been duly attended to their right to access. Carrying out the procedural actions provided for in Title VIII of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified FACTS FIRST: Dated 01/15/2022, D. A.A.A. on behalf of Ms. B.B.B. (in hereinafter, the complaining party) exercised the right of access to the clinical history and administrative file before the HEALTH SERVICE OF THE BALEARIC ISLANDS (IB-SALUT) (hereinafter, the claimed one), without your request having received the legally established response. The complaining party makes it clear that he requested the clinical history and file administrative of the mother and minor daughter C.C.C. in connection with assistance of pregnancy, childbirth and subsequent clinical care of both up to the present or time of processing this application. All this with respect to the center of primary care health of Manacor Sa Torre, the Manacor Hospital and the Son Espases University Hospital. The complaining party provides various documentation related to the claim raised before this Agency and on the exercise of the exercised right. SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a mechanism prior to the admission to processing of the claims that are formulated before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the purposes foreseen in article 37 of the aforementioned rule, or to these when they have not been designated, transferred the claim to the claimed entity so that it could proceed with its analysis and respond to the complaining party and this Agency within a month, no response. THIRD: The result of the transfer process indicated in the previous Fact does not allowed to understand satisfied the claims of the claimant. In Consequently, on May 31, 2022, for the purposes provided in its article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing and informed the parties that the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/8 maximum term to resolve this procedure, which is understood to have started through said admission agreement, it will be six months. The aforementioned agreement granted the respondent entity a hearing procedure, to that within a period of fifteen business days present the allegations that it deems convenient. Said entity made, in summary, the following allegations: The representative/Delegate of Data Protection of the claimed person states that, due to the need to analyze it and contact the different areas in charge of managing the rights of the interested parties of the Management of the centers hospitals and Primary Care to request information regarding said request, has made it impossible to deliver within the established period. That there has been no desire not to satisfy the request to exercise the right of access to the medical records of the claimant and his daughter, a minor. That the lack of attention in type and form of the request coincides with a discharge period workload, which inadvertently caused a delay in managing the request of right of the interested party and once it was verified that it had not proceeded to respond automatically, a request was made to process the same. FOURTH: After examining the allegations presented by the respondent, they are subject to transfer to the complaining party, so that, within fifteen business days, it can formulate allegations you deem appropriate: The complaining party states that, despite having exercised the rights, the response has been unsatisfactory as no response has been given to each and every one of the requests made in the original request, being that at the current date no received any documentation from the Primary Care Health Center of Sa Towers. That information security incidents cannot serve as a excuse to be distracted from the obligations inherent to the position of DPD. that the omissions or delays in the responses to the exercises of rights by the Ib Salut and its care centers are a common practice. What is normal and usual said requests are biased, limited or partial, forcing to request that complement the documentation, which sometimes means that the deadlines prescribe before administrations and insurers. The presentations of some protocols are of no use if they are not complied with and the mere mention of the existence of protocols does not imply that they are carried out and implemented correctly, as in the case at hand, for this reason, the opening of the informative file and possibly sanctioning the Ib Salut. FIFTH: After examining the allegations presented by the complaining party, they are subject to of transfer to the claimed, so that, within fifteen business days, it formulates allegations you deem appropriate: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/8 The defendant sets forth chronologically the background related to the request for the clinical history of the complaining party and indicates that, constantly, produces an improvement in the management and procedure in terms of data protection within the scope of the Health Service and it should be noted that all the Managements have online training on the protocol, as well as access to the latest rights care versions. The protocols and improvements carried out by the different managements of IB- Salut in relation to access to the data contained in the clinical history. In relation to the claim, at the date of preparation of this report, proceeded to satisfy the request for access to the existing clinical history in three hospitals. FOUNDATIONS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and the free circulation of these data (hereinafter GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish Data Protection is competent to perform the functions that are assigned to it in its article 57, among them, that of enforcing the Regulation and promote awareness of controllers and processors about the obligations incumbent on them, as well as dealing with claims presented by an interested party and investigate the reason for them. Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties. In the event that they have appointed a data protection delegate, article 39 of the RGPD attributes to it the function of cooperate with that authority. Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has foreseen a mechanism prior to the admission to processing of the claims that are formulated before the Spanish Agency for Data Protection, which consists of giving transfer of the same to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to these when they have not been designated, so that they proceed to the analysis of said claims and to respond to them within a month. In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the responsible entity to proceed with its analysis, respond to this Agency within a month and prove that they have provided the claimant with the due response, in the event of exercising the rights regulated in articles 15 to 22 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/8 The result of said transfer did not allow to understand satisfied the claims of the claiming party. Consequently, on May 31, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing. Saying agreement of admission to procedure determines the opening of the present procedure of lack of attention to a request to exercise the rights established in the articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will start by agreement of admission to process, which will be shall adopt in accordance with the provisions of the following article. In this case, the term to resolve the procedure will be six months from from the date on which the claimant was notified of the admission agreement to Procedure. Once this period has elapsed, the interested party may consider their claim". The purging of administrative responsibilities in the framework of the of a sanctioning procedure, whose exceptional nature implies that it is chosen, whenever possible, due to the prevalence of alternative mechanisms that have protection in current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative that must be purged in a sanctioning procedure and, in consequently, the decision on its opening, not existing obligation to initiate a procedure before any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the activity sanctioning, circumstances that do not concur in the present case, considering that With this procedure, the guarantees and guarantees are duly restored. claimant's rights. THIRD: The rights of individuals in terms of data protection personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. The formal aspects related to the exercise of these rights are established in the articles 12 of the RGPD and 12 of the LOPDGDD. It also takes into account what is expressed in Considerations 59 and following of the GDPR. In accordance with the provisions of these rules, the data controller must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to the requests made no later than one month, unless you can show that you are unable to identify the interested party, and to express his reasons in case he was not going to attend said C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/8 request. The proof of compliance with the duty of respond to the request to exercise their rights made by the affected party. The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with a clear and simple language. Regarding the right of access to personal data, in accordance with the established in article 13 of the LOPDGDD, when the exercise of the right is refers to a large amount of data, the person in charge may request the affected party to specify the “data or treatment activities to which the request refers”. The right will be understood granted if the person in charge provides remote access to the data, taking the request as granted (although the interested party may request the information referring to the ends provided for in article 15 of the RGPD). The exercise of this right may be considered repetitive on more than one occasion. for a period of six months, unless there is legitimate cause for it. On the other hand, the request will be considered excessive when the affected party chooses a means other than the one offered that involves a disproportionate cost, which must be assumed by the affected party. FOURTH: In accordance with the provisions of article 15 of the RGPD and article 13 of the LOPDGDD, "the interested party has the right to obtain from the data controller confirmation of whether or not personal data concerning you is being processed and, in such case, right of access to personal data”. Like the rest of the rights of the interested party, the right of access is a personal right. Allows the citizen to obtain information about the treatment what is being done with your data, the possibility of obtaining a copy of the data that concern you and that are being processed, as well as information, in particular, on the purposes of the treatment, the categories of data individuals in question, the recipients or categories of recipients to whom communicated or will be communicated the personal data, the foreseen term or criteria of conservation, the possibility of exercising other rights, the right to present a claim before the control authority, the information available on the origin of the data (if these have not been obtained directly from the owner), the existence of automated decisions, including profiling, and information about transfers of personal data to a third country or to an international organization. The possibility of obtaining a copy of the personal data subject to treatment does not will adversely affect the rights and freedoms of others, that is, the right to Access will be granted in such a way that it does not affect the data of third parties. The right of access in relation to the clinical history is specifically regulated in Article 18 of Law 41/2002, of November 14, basic regulation of the Patient Autonomy and Rights and Obligations Regarding Information and Clinical Documentation (hereinafter LAP), whose literal tenor expresses: "1. The patient has the right of access, with the reservations indicated in section 3 of this article, to the documentation of the clinical history and to obtain a copy of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/8 data contained in it. The health centers will regulate the procedure that guarantee the observance of these rights. 2. The patient's right of access to the clinical history can also be exercised by duly accredited representation. 3. The right of access of the patient to the documentation of the clinical history does not may be exercised to the detriment of the right of third parties to confidentiality of the data contained in it collected in the therapeutic interest of the patient, nor in detriment of the right of the professionals participating in its elaboration, which they can oppose to the right of access the reservation of their subjective annotations. 4. Health centers and individual exercise physicians will only facilitate the access to the medical history of deceased patients to people linked to it, for family or de facto reasons, unless the deceased had prohibited it expressly and so accredited. In any case the access of a third party to the history clinic motivated by a risk to your health will be limited to the pertinent data. I don't know will provide information that affects the privacy of the deceased or the annotations subjective of the professionals, nor that it harms third parties”. In this sense, we must highlight article 15 of the LPA that includes the content minimum medical history: "1. The clinical history will incorporate the information that is considered transcendental for the truthful and up-to-date knowledge of the patient's health status. Every patient or The user has the right to record, in writing or in the most technical support adequate, of the information obtained in all its assistance processes, carried out by the health service both in the field of primary care and specialized. 2. The main purpose of the clinical history will be to facilitate healthcare, leaving proof of all those data that, under medical criteria, allow the knowledge truthful and up-to-date health status. The minimum content of the clinical history will be the following: a) The documentation related to the clinical-statistical sheet. b) The entry authorization. c) The emergency report. d) History and physical examination. e) Evolution. f) Medical orders. g) The interconsultation sheet. h) The reports of complementary explorations. i) Informed consent. j) The anesthesia report. k) The operating room report or birth registration. l) The pathological anatomy report. m) The evolution and planning of nursing care. n) The therapeutic application of nursing. ñ) The graph of constants. o) The discharge clinical report. Paragraphs b), c), i), j), k), I), ñ) and o) will only be required in the completion of the clinical history in the case of hospitalization processes or so available. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/8 3. Completion of the clinical history, in aspects related to the direct assistance to the patient, will be the responsibility of the professionals who intervene in it. 4. The clinical history will be kept with unit and integration criteria, in each care institution at least, to facilitate the best and most timely knowledge by the doctors of the data of a certain patient in each healthcare process”. Regarding the conservation of the clinical history, article 17 of the LPA, in its points 1 and 5, provides that: "1. Health centers are obliged to keep clinical documentation in conditions that guarantee its correct maintenance and safety, although necessarily in the original support, for the due assistance to the patient during the time appropriate to each case and, at least, five years from the date discharge from each healthcare process... 5. Health professionals who carry out their activity individually are responsible for the management and custody of the care documentation that generate”. FIFTH: In the case analyzed here, the claimant requested the clinical history and administrative file of the mother and minor daughter C.C.C. regarding assistance during pregnancy, childbirth and subsequent clinical assistance, with respect to the center of primary attention health of Manacor Sa Torre, of the Hospital of Manacor and of the University Hospital of Son Espases and your request did not obtain a legal response required, given that the required access was not provided. The LAP establishes a series of obligations for healthcare professionals and centres, in its article 15 collects the minimum content of the clinical history, it also indicates an obligation to preserve the clinical history for the health center established in article 17. The LOPD, in relation to articles 17, 18 and, especially article 15 of the LAP, recognizes a right of access to all of the clinical history by its owner or representative. That said, having examined the documentation in the proceeding and as follows from the allegations made and the documentation provided to the procedure, the entity claimed in the process of transferring the claim accredited the communication sent to the interested party, taking into account the right of access to the medical history. In relation to what was stated by the complaining party that no copy of the clinical history corresponding to the Sa Torres Primary Care Health Center, claims it in the process of allegations, has entry in this Agency on 07/15/2022, copy of the documentation sent by the Primary Care Health Center of Sa Torres dated May 27, 2022 and delivered on June 15, 2022, according to a copy of the acknowledgment of receipt processed by the Post Office. Based on the foregoing, considering that this procedure has as object that the guarantees and rights of those affected are duly restored, and given that the right of access to the clinical history was served outside the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/8 established period, it is appropriate to estimate for formal reasons the present claim to the having issued the response extemporaneously without requiring the performance of additional actions by the person responsible for the file Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE for formal reasons, the claim made by D. A.A.A. in representation of Ms. B.B.B., against the HEALTH SERVICE OF LAS ILLES BALEARIC ISLANDS (IB-SALUT). However, the issuance of a new certification by part of said entity, as the response was issued extemporaneously without requires the performance of additional actions by the person in charge. SECOND: NOTIFY this resolution to D. A.A.A. on behalf of Ms. BBB and to the HEALTH SERVICE OF THE BALEARIC ISLANDS (IB-SALUT). In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. 1188-080921 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es