AEPD (Spain) - PS/00097/2023
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 83(4) GDPR; Article 83(5) GDPR
Parties: SERVICIO CANARIO DE LA SALUD
National Case Number/Name: PS/00097/2023
European Case Law Identifier: n/a
Original Source: AEPD (in ES)
The Spanish DPA issued a reprimand to Servicio Canario De La Salud. Medical records had been improperly accessed and the diagnosis disclosed to third parties, violating Article 5(1)(f) and Article 32 GDPR.
English Summary
Facts
On November 2, 2021 the data subject requested his clinical history. Along with the history, the Canary health service (Servicio Canario De La Salud) provided a list of accesses made by primary caregivers and a list of accesses made by specialists at the Fuerteventura General Hospital. These lists showed that health professionals who were not associated with any clinical process or consultation related to the data subject had accessed the subject's clinical history.
Upon receiving the data subject's complaint, the controller (Servicio Canario De La Salud) hired Electromedical and Information Services (ASEI) to carry out an internal investigation to assess whether the access to the data subject's medical records by health professionals could be justified. This internal investigation resulted in an internal warning within the Servicio Canario to be careful when accessing documents. The data subject appealed this to the DPA, stating that the results of the audit do not justify the accesses nor the reasons that led the personnel in question to access the file.
After a DPA investigation, it was determined that in total ten professionals from the General Hospital of Fuerteventura had accessed the file. Of the ten, only two were justified in accessing the file, as they were professionals in the Anesthesia and Resuscitation Area (FEA), which was related to the data subject's condition.
Holding
The Spanish DPA considered that there had been undue access to the data subject's clinical history and disclosure of personal information to third parties without the consent of the data subject. Such facts represent a breach of confidentiality and integrity, violating Article 5(1)(f) GDPR, since the data subject's medical history had been accessed by third parties who were not authorised to do so.
The DPA also noted the lack of measures in place to guarantee the confidentiality of such information. The controller's security measures were therefore not adequate, which constituted an infringement of Article 32 GDPR.
Comment
The AEPD highlighted a similar procedure, PS/00250/2021 against Servicio Extremeño De Salud, in which there had been improper access to the data subject's medical records by a worker of the Extremadura Health Service (SES). The accesses were made without the data subject's authorisation and without any relationship that could justify them.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.