Difference between revisions of "CNPD - Deliberação n.º 984/2018"

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Portugal |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPT.png |DPA_Abbrevation=CNPD |DPA_With_Country=CNPD (Portugal) |Case_Number_Name...")
 
(Adding a working link to the original source, and adding a translation (which is of bad performance as the original document had to go through OCR first).)
 
(One intermediate revision by one other user not shown)
Line 52: Line 52:
 
}}
 
}}
  
"Portuguese DPA determines generalized access to patient records within a hospital breaches the minimization, integrity and confidentiality principles"
+
Portuguese DPA determines generalized access to patient records within a hospital breaches the minimization, integrity and confidentiality principles.
  
== English Summary ==
+
==English Summary==
  
=== Facts ===
+
===Facts===
 
CNPD's investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data, notably data which was part of the Electronic Patient Records (EPR) - which should only be accessed by doctors - through their information system accounts. The profile management system revealed other flaws, as the hospital had 985 registered doctor profiles, while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctors' specialty.
 
CNPD's investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data, notably data which was part of the Electronic Patient Records (EPR) - which should only be accessed by doctors - through their information system accounts. The profile management system revealed other flaws, as the hospital had 985 registered doctor profiles, while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctors' specialty.
  
=== Dispute ===
+
===Dispute===
 
Does granting hospital’s staff, psychologists, dietitians and other professionals access to Electronic Patient Records (EPR) breach articles 5(1)(c), (f), and 32(1)(b), (d) of the GDPR?  
 
Does granting hospital’s staff, psychologists, dietitians and other professionals access to Electronic Patient Records (EPR) breach articles 5(1)(c), (f), and 32(1)(b), (d) of the GDPR?  
  
=== Holding ===
+
===Holding===
 
While the controller argued that (i) professionals other than doctors needed access to health data to fulfill their roles and that (ii) system access permissions were not configured by the controller, but by the Health Ministry's shared services (SPMS), the Portuguese DPA found that it was the controller who voluntarily determined said professionals should have indiscriminate access to EPRs and that the controller never asked SPMS to adjust the hospital's professionals' access profiles.  
 
While the controller argued that (i) professionals other than doctors needed access to health data to fulfill their roles and that (ii) system access permissions were not configured by the controller, but by the Health Ministry's shared services (SPMS), the Portuguese DPA found that it was the controller who voluntarily determined said professionals should have indiscriminate access to EPRs and that the controller never asked SPMS to adjust the hospital's professionals' access profiles.  
 
When determining the amount of the fine, the Portuguese DPA took into account the number of affected data subjects (dozens of thousands), the nature of the personal data at stake (health-related data) and the intentional character of the breach by the data controller (who did not implement a reliable audit system after a prior instruction by the DPA).  
 
When determining the amount of the fine, the Portuguese DPA took into account the number of affected data subjects (dozens of thousands), the nature of the personal data at stake (health-related data) and the intentional character of the breach by the data controller (who did not implement a reliable audit system after a prior instruction by the DPA).  
  
== Comment ==
+
==Comment==
  
  
== Further Resources ==
+
==Further Resources==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
== English Machine Translation of the Decision ==
+
==English Machine Translation of the Decision==
 
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.
 
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.
 
+
<pre>
+
Page 1
 
+
Case No. 9932/20181NATIONAL COMMISSIONDATA DEPROTECTIONRESOLUTION No. 984/2018| - The National Data Protection Commission (CNPD) prepared, on July 17,2018, deliberation project, in which the defendant was imputedthe practice of two predicted and punishable violations under the terms ofcombined provisions of Articles 5, paragraph 1 to 1. c) and article 5, paragraph 1 al. f) with article83, paragraph 5, al. a), the General Data Protection Regulation (Regulation679/2016, of April 27, hereinafter GDPR), punishable, each, with a fine of €0.00 to € 20,000,000.00 or up to 4% of annual turnover, depending on the amounthigher, as well as the practice of a predicted and punishable violation under the termsof the combined provisions of article 32, paragraph 1, subparagraphs b) and d) and article 83, paragraph 4, al.a), of the GDPR, with a fine of € 0.00 to € 10,000,000.00 or up to 2% of turnoverper year, whichever is the highest.The defendant was notified of the content of the said project and, pursuant to the provisions of article 50.of Decree-Law No. 433/82, of October 27, to present its defense, came to claim(see pages 38 to 82), in short, that:1. The CNPD cannot be considered as a national control authority under theterms of article 51, paragraph 1 of the GDPR, as it has not yet been indicated asformally. Admitting otherwise would violate the principle of legality contained in the article266 of the Constitution of the Portuguese Republic (CRP);2. The conducts foreseen in the GDPR as sanctionable with the fines of the article83 are not sufficiently densified, so the intervention of thenational legislator is indispensable for them to apply, under penalty ofviolation of the principle of typicality formulated in article 29 of the CRP;3. Acknowledges the existence of access profiles under the conditions reported in the projectCNPD deliberation process;4. Considers, however, that professionals with these access profiles (technicalof action / social service, nutritionists, physiotherapists and psychologists) are subjectRua de São Bento, 148-3º «1200-821 LISBOA21 39300 39Tel: 213928400Fax: 213976832PRIVACY LINEwww.cnpd.ptWorking days from 10 am to 1 pmdoubtsenpdpt
</pre>
+
 +
Page 2
 +
10.11.12.Process No. 9932/2018 1vTheobligationsinconfidentialityappropriate,namelyatdeontological;Such professionals have access to the relevant and necessary information for theperformance of its functions;The systems used do not technically allow the stratification of accessesto information in ideal detail, something he understands cannot be taken away from himsince it uses third-party standardized systems, with no possibility ofintervention byand mandatory use, given the determinations ofguardianship entities;It also argues that such stratification of information will tend to beimpossible, since, at the outset, it is not possible to determine which datain particular that may be relevant to the performance of the functionsthose professionals;Informs, however, that the latest updates made available by the ServicesShared by the Ministry of Health resolved some of the issuesraised by CNPD, especially regarding the management of access credentials;It also states that it has already implemented several of the recommendationscontained in Resolution 674/2018, of 17 July, from CNPD;Regarding access to the PDS (Health Data Platform), he declares that“Technically a button being available to access the PDS would not mean thatthe user was able to access, since the PDS information system isa system external to SCclínico, so you should only validate it if the user isdoctor or nurse ”;It refutes the facts that in the deliberation project pointed to the nonexistenceaccess logs to the SClinic system;As for the accounts of active users associated with the functional group of“MEDICO”, ​​in a number far superior to the medical staff declared in thevarious reports and accounts, admits the possibility of some of these accountsare no longer active, although it warns of the reality of hiringphysicians on a service delivery basis, which explains some of thedisparity between the number of accounts and the number of professionals whoeffectively perform functions in the[and
 +
 +
Page 3
 +
Processon. 9932/2018 | twoNATIONAL COMMISSIONDATA DEPROTECTION13. Assumes, also in relation to these inactive accounts, the correction of thesesituations, using internal processes and technical certification;14. Given the impossibility of modeling, altering or correcting the technical aspects ofsystems used, understands to have acted without guilt, therefore it is not imputableany conduct conduct.He gathered eleven documents and four witnesses.Il - Appreciation1) On the alleged existence of a violation of the principle of legality by virtue ofCNPD arrogates itself in a condition that, by way of delight, will not (yet) belong to it,it will always seduce that such an argument does not succeed. Deselogo, and as explainedin the deliberation project, the CNPD is, for all intents and purposes, and as such notis changed, “the national authority whose role is to control and supervisecompliance with legal and regulatory provisions in the field ofprotection of personal data, in strict respect for human rights andfor the freedoms and guarantees enshrined in the Constitution and22, no. 1 of Law no. 67/98, of 26 October, amended by Law no. 103/2015, ofAugust 24, hereinafter LPDP).Such a provision does not contain only a will of the national legislator inassign to CNPD any national matter related to the protection of personal data,but rather the distinct intention of entrusting you with any matter of this nature thatit is not specifically prohibited by law. And we don't see how it can violatethe principle of legality.In addition, the GDPR contains several novelties aimed at standardizing the powerscontrol authorities across the European Union (EU), precisely toallow the useful effect sought by the use of this legal instrument. This respects,for example, the possibility for any of the supervisory authorities in the EU to beequipped with adequate powers of investigation and correction, ending,thus, with the disparity that prevailed until the 25th of May.Ruade São Bento, 148-3º + 1200-821 LISBON21/393/00 39)Tel: 213928400Fax: 213976832PRIVACY LINEwww.cnpd.ptWorking days from 10 am to 1 pmdoubts (Qenpd enfoot
 +
 +
Page 4
 +
4)5)8)Processon. 9932/2018 2vIt happens, however, that, in Portugal, the CNPD has had this type ofpowers, the relevant GDPR not being a novelty, except with regard to theobligations to cooperate with other EU supervisory authorities, withoutthat the paradigmatic transition of hetero-regulation is forgotten (whose mostvisible consisted in the prior evaluation and authorization of data processingpersonal data) for self-assessment, and it is now up to those responsible fortreatments and subcontractors provide for the legality of data processingpersonal actions that they carry out, without any intermediation ofsupervisory authorities.In addition to all these arguments, there is another one, of a purely formal nature, thatit is the institutional representation of Portugal that CNPD already already ensures in the EU.Indeed, the new European Data Protection Committee, foreseen in theSection 3 of Chapter VIl of the GDPR, must, under the terms of paragraph 3 of article 68 of theregulation, be “composed of the director of a supervisory authority for eachMember State ”. This new European Union body then assumes thateach country is represented by the director (or president) of each authoritycontrol of the various Member States, which, in the Portuguese case, resulted in theintegration, as a right member, of CNPD into CEPD, disregards the firstmeeting dated May 25, 2018.As for the principle of typicality invoked by the defendant, even less in theseems to be serviceable. It will suffice, to remove it, to remember, from the outset, the intentionstandardizing the regulation, especially in the area of ​​fines,uncontroversially expressed in recital 150 of the GDPR “In order to reinforceand harmonize administrative sanctions for violations of thisRegulation, supervisory authorities should be empowered to imposeFinnic. This regulation should define the violations and the amountmaximum and the criterion for setting the value of the fines resulting therefrom [underlineddust
 +
 +
Page 5
 +
Process No. 9932/2018 | 3MMNATIONAL COMMISSIONDATA DEPROTECTIONours], which should be determined by the competent supervisory authority, ineach individual case, taking into account all relevant circumstances of thespecific situation, giving due consideration, in particular, to the nature,seriousness and duration of the breach and its consequences and the measurestaken to ensure compliance with the obligations set out in thisregulation and to prevent or mitigate the consequences of the infraction. ”.7) In addition to this reference, the Constitutional Court itself has alreadyrepeatedly to the degree of concreteness demanded by norms typifyingadministrative misconduct. Paulo Pinto de Albuquerque, in his “Commentaryof the General Regime of Administrative Offenses ”, in annotation 16 to article 2, illustratedo exemplarily when it states that “the infraction based on the violationgeneral clauses (general duties of zeal and urbanity) and other obligationsdoes not violate the datipity principle (TC judgment 338/2003, whichfocused on article 82, al. b), of Decree-Law no. 422/89, of 2.12). The samecan be concluded from the breach of the generic duty regarding the organizationaccounting (judgment of TC no. 455/2006, related to article 14 of Law no.56/98, and the judgment of TC No. 198/2010, relating to Article 29 of Law No. 19/2003). ".8) Regarding the matter of fact, it is enlightening that the defendant confirms theexistence of the access profiles as they were described in the project ofdeliberation. In effect, the policy for assigning access credentialsallowed at least 9 (nine) employees of the functional group “TECHNICAL / A”to enjoy the level of access reserved for the functional group “MEDICO”, ​​whichtranslates into the indiscriminate possibility of consulting clinical processes ofall hospital users.9) Regardless of recognizing external standardization and availabilityof a certain set of profile types, it was the defendant who volunteered andconsciously determined that those professionals could, throughprofiles not suited to their functions and professional category, to have accessindiscriminate access to clinical processes throughout the hospital, rather than establishingRua de São Bento, 148-3º «1200-821 LISBOA213930039)Tel: 213 928400Fax: 213976832PRIVACY LINEwoetce
 +
 +
Page 6
 +
Case nº9932 / 2018 | 3mother procedures, perhaps more time consuming, but certainly lessintrusive protection of personal data that any citizen should deserve.10) Without disregarding this critical judgment, the arguments related to theinability to determine, a priori, which information is relevant to eachof technicians with the aforementioned access profiles, a difficulty that isexponentiated by the architecture of the systems that do not allow the definition,and step or case series of access to certain clinical information, a fact that,again, it cannot be attacked to those who do not have the instruments toremedy or mitigate the effects of such construction.11) We even believe that this hypothesis removes direct intent from the defendant's conduct,makes the necessary deception questionable, but does not in any way preclude theexistence of eventual fraud. So much so, that the defendant confesses to always havingproceeded with knowledge of the existence of these weaknesses of the system,however, refraining from continuing to assign undue access privileges to asetinprofessionalswhatNevershouldpoweraccessindiscriminately to clients' clinical files.12) It is unsustainable to defend that any social worker can access thetotality of the client's clinical file in order to perform its function,such defense is even more unsustainable if access to thesemolds without time limit.13) How equally indefensible is the existence of access credentials thatallow any doctor, of any specialty, at any timeaccess customer data for a given hospital. The beginningminimization of data and the principle of “need to know” (or, in the“Need to know” anglicism), prohibit or intend to prohibit collection, but alsoaccess and other treatments to information unnecessary for the purposetarget.
 +
 +
Page 7
 +
Process No. 9932/2018 | 4NATIONAL COMMISSIONDATA DEPROTECTION14) For all these reasons, the CNPD cannot admit that the technical limitations mentionedcan justify the unrestricted adoption of access validation procedureswhich practically render the essential nucleus of the fundamental right toprotection of personal data.15) The defendant's allegation, which points to a much greater restrictiveness of the profiles ofaccess to non-medical professionals with functional group profiles“TECNICO” and the “MEDICO” activity group is clearly reductive since,even if such restrictions exist, they were not enough to avoid eventhat the CNPD technicians would see the defendant's SSI created a user oftest (just from the “TECNICO” functional group and activity group“MEDICO”) that allowed them to “search for registered registrants at that institutionhospital without restrictions and that it was allowed access to all elementsthat make up the clinical process of these assistants ”, as shown in the reportannex to the draft resolution (see pages 6).16) By knowingly allowing professionals from several different categories toaccess to unrestricted information about the clinical process of the clients ofThedefendant did not take the slightest care to ensure compliance with that principle,moreover, having circumvented a limitation of the systems that had been adoptedfor security and privacy reasons.17) In addition to this, according to the defendant's own defense, the defendant will never havecare of the intermediary of the SPMS in order to correct this aspect of the systemwhich, as the recent update demonstrates, should and could be changedpreviously.18) Let it be said, regarding the matter of the possibility of accessing non-existent informationnecessary or relevant allowed by these profiles that, the inspection teamverified and collected proof of access to the PDS from the user account ofRua de São Bento, 148-3º «1200-821 LISBOA'21 / 393/0039Tel: 213928400Fax: 213976832PRIVACY LINEwww.enpd.ptBusiness days from 10 am to 1 pmWhat are you looking for?Jr
 +
 +
Page 8
 +
Process No. 9932/2018 | 4vtest. In fact, as far as it was possible to verify in the context of inspection, thePDS platform does not validate user authentication, so ifexplaining that it was possible to access the PDS with a “USERTEST ”, which had not associated any mechanographic number or numberof order (doctor or nurse).19) Contrary to the arguments of theit is up to hospital centers andother health care institutions do the correct user validationand identification of the corresponding profile, not the PDS.20) As for the maintenance of useless profiles regarding medical professionalswho no longer provide services to theand that he didn't care to eliminate, the judgmentof censorship remains unchanged.21) Remember that, of the 18 (eighteen) user accounts that CNPD verifiedbeing effectively disabled, only one corresponded to a professionaldoctor22) Assuming that this conduct has not caused concrete damage to the protectionpersonal data of the clients of that hospital center, however, it is not possible toignore or disregard the violation of objective duties of those responsible fortreatment, especially when concerned with the potential access to categoriesdata, the concept specified in article 9, paragraph 1 of the GDPR, asit's health data.23) It should be noted that the defendant did not deny the existence of such profiles,to argue that some (few or many) of them are due to the hiring, in regimedeprivation of services, of doctors who are only performingfunctions transiently in the- The concrete and rigorous ignorance of theuniverse of access accounts that should have been eliminated is quitedemonstrating the lack of a reliable audit system."
 +
 +
Page 9
 +
footCase nº9932 / 2018 | 5NATIONAL COMMISSIONDATA DEPROTECTION24) Equally objectionable, the procedure for creating accounts is maintained, which,Contrary to what has been argued, it is not even fully controlled byadministration of25) In fact, evidence was collected in the context of inspection that demonstratethat the account creation process is not always governed by the procedurereferred to by the defendant. The Annex | (defls. 9) displays the message transcriptemails exchanged between the Coordinator of the Physiotherapy sector atthe Directorate of Clinical Pathology and the Information Systems Service(SSI), which expressly determine the request for the creation ofusers, without any pronouncement by the administration of the26) Although it is admitted that the defendant has embarked on a path to correct thissituation, the fact is that, at the time of the inspection, the creation of accounts did not respectminimally the GDPR principles.27) Regarding the lack of access LOGS, it is confirmed that the techniciancomputer performed an export of the table «sys / ogacessos» with the name«Logacessosassistentesocial.XLS», which presents what appear to besystem entry and exit events. They are assumed to be associatedaccess to the SClinic, although it has not been possible to confirm thisinformation.28) From the audit audit point, the check-in and check-out in an applicationprovides very limited information on its use. CNPDrecognizers, however, that the inclusion of a higher level of activity registration isdependent on changes in application logic and that these changes can onlywill be available to the entity that develops the software - in this case, theSPMsS.Rua de São Bento, 148-3º «1200-821 LISBOA21 39 300 39)Tel: 213928400Fax: 213976832PRIVACY LINEwww.cnpd.ptBusiness days from 10 am to 1 pmdoubtsenpdpt
 +
 +
Page 10
 +
Process nº 9932/2018 | 5v29) Compliance with the CNPD recommendations, registered in thein Deliberation No. 674/2018, of 17 July, which are intended precisely tocorrect elements considered critical or of substantive relevance.30) It is recognized that there are updates to the systems provided by theSPMS that follow the rumocorrect, although potentially not complete, ofcompliance with GDPR standards.The witnesses presented were not heard since the matter of fact wasgenerically confirmed and, as for the disputed facts not disclosed, the samethere is no need for further clarification or contradiction, which results in theany testimonies that are relevant to the discovery of material truth.Attentive to the defense presented by the defendant and the critical judgment that CNPD has on hercarried out, some of the facts are altered in the light of the information and clarificationsprovided.ll - With the elements contained in the file, with interest for the decision,we consider the following proven:FactsOn July 2, 2018, the National Data Protection Commission conducted ainspection of management systems and access to information at the premises of theIn the context of this inspection, it was verified that there is no document in whichcorrespondence between the functional competences of the users and the profilesaccess to information, namely clinical information, or wherever they are locatedelencadososcriterias that allow correspondence to be made.It was also verified the absence of any document where they arethe rules for the procedure for creating an account for users of theinformation system;r
 +
 +
Page 11
 +
Process No. 9932/2018 | 6NATIONAL COMMISSIONDATA DEPROTECTIONDeresto, the determination of the creation of the user account and the profiles of access to theinformation is communicated by e-mails to the Information Systems Service(SSI) originating from service managers and other professionals;5. This procedure is currently under review and correction.10.11213.Ouses the Integrated Hospital Information System (DREAM) and thehospital clinical record (SCclínico), applications made available by the ServicesShared by the Ministry of Health, EPE (SPMS); the first is used for supportadministrative department of the hospital and the second records the clinical information of the users,allowing access, use and sharing of that information between health professionalshealth;Oauthorized the processing of personal data from the information systemsSONHO and SAM information (formerly known as the SClinic application).In the SONHO application, each user account has two attributes that allow users tohospital services manage the access profiles to the system: the functional group and the groupactivity, assigning codes to them; the functional group distinguishes the various areasfunctions that exist in a hospital environment (eg, “ADMINISTRATIVE / A”,“TECNICO / A”, “MEDICO”, ​​“INFORMATICO”, ​​“AUXILIAR”, while the group ofactivity allows to distinguish different areas within a functional group (eg, in the groupfunctional of “MEDICO”, ​​there are “SURGERY”, “ANESTHESIST” and “MEDICO”;There is a functional group called “TECNICO / A”, which includes differentactivities - “NUTRICIONISTA”, “FISIOTERAPEUTA”, “PSICÓLOGO” and “SERVICOSOCIAL ”(cf. annex |);The functional group “MEDICO” corresponds to code 5;- The functional group “TECNICO / A" corresponds to code 2;. They are registered in the DREAM information system of the10 professionals in the field“SOCIAL SERVICE” activity (see Annex II);These 10 professionals have associated code 2, which corresponds to the functional group"TECNICO / A";Ruade São Bento, 148-3º «1200-821 LISBOAper So ES)Tel: 213928 400Fax: 213976832PRIVACY LINEwww.cnpd.ptBusiness days from 10 am to 1 pmWhat are you looking for?jo
 +
 +
Page 12
 +
14.15.16.17.18.19.20.21.22.Process No. 9932/2018 | 6vOf these 10 professionals, 9 also have associated code 5, which corresponds to the groupfunctional of “MEDICO” (cf. annexIII);Non-medical professionals who have associated code 5 have, by virtue of thiscode and profile, access permissions to the entire clinical process of all usersthe hospital, through the SClinic system;As a result of the CNPD initiative, a test user account was created (with designation“TEST USER”) with a profile identical to that of the 9 Social Service technicians - withcode 2 and 5 - having verified that it allowed access, without anyrestrictions, the clinical process of users of the, which includes the diagnosis,results of diagnostic helpers and other information recorded in the formclinic of each user (cf. AnnexIV);Still within SClinic, with the same user account (with TECNICO / A profile- SOCIAL SERVICE), was accessed via the Health Data Platform, since thisso allows, to information residing in another hospital of the National Health Serviceon clinical episodes associated with a patientof(cf. Annex V);In point 4 of authorizations No. 5795/2012 and 5796/2012, entitled Measures ofSecurity, CNPD expressly determined the need for the responsible to adoptmechanisms for the identification and authentication of users, as well as the management ofaccess profiles;The information systems made available by the Shared Services of the Ministry ofSaúde, EPE (SPMS) do not allow users to define their own parameters,particularly in terms of access profiles.There are 985 active users associated with the functional group of “MEDICO”, ​​in the;Point 5 (“Human Resources”) of the report and accounts of thein2017(availablein+ indicates, on the staff mapthere inscribed, on page 33, the existence of 280 doctors;The human resources plan, set out on page 14 of the Activity Plan for2018 from this same hospital centerpoints to the existence of 296 doctorsat the service of said EPE, this year.
 +
 +
Page 13
 +
28.24.25.26.27.Process No. 9932/2018 | 7NATIONAL COMMISSIONDATA DEPROTECTIONOrecognized the existence of unusable profiles, albeit safeguarding thereality of service provision contracts, which result in the creation of profilestemporary staff of doctors hired under this regime, failing to quantify thephenomenon.There are only 18 inactive user accounts (15 technicians, 1 pharmacist and 1physician), with the most recent inactivation dated 11/11/2016 (see Annex VI);In point 4 of the authorizations, Under the heading Measures ofSecurity, CNPD expressly determined, in paragraph c), the need for thehave a reliable audit system.The defendant acted deliberately, knowing that she was obliged to apply thetechnical and organizational measures essential to the identification and authentication ofusers, as well as the management and delimitation of their access to information profiles,stratifying them according to the different access privileges corresponding to theprofessional categories of its workers, and also to guarantee the safety of theinformation, in addition to being responsible for having a reliable audit system for suchidentification, access and security guarantees.The defendant acted freely, voluntarily, consciously and knowing that herconducts were as they are prohibited and punished byIV - Motivation of the de facto decisionThe ascertained facts resulted:- Defls inspection report. 4 to 10, where the circumstances are described ininformation access systems operated and the specific conditionsaccesses, allowing professionals with improperly assigned profilesaccess clinical information of all the defendant's clients and not taking care ofto guarantee the minimum conditions of auditability and security of the systems;- On the defendant's written defense, on pages 38 to 82, where theweaknesses detected with regard to the procedures for defining accounts andaccess privileges, regarding the inability to determine restrictions on theaccess to information according to the specific function of workers in theRua de São Bento, 148-3º «1200-821 LISBOA21 393003:Tel: 213928400Fax: 213976832PRIVACY LINEBusiness days from 10 am to 1 pmwww.cnpd.ptWhat are you looking for? ptpn
 +
 +
Page 14
 +
Process No. 9932/2018 | 7vdustand regarding non-compliance with the duties of monitoring accountsunusable and their elimination.V - In view of the factuality found, it is shown to be sufficientlypractice accused by the defendanttwo misdemeanors for the practice oftwo predicted and punishable offenses under the combined provisions of theandarticle 5, paragraph 1 al. c) - breach of the principle of data minimization,allowing indiscriminate access to an excessive set of dataprofessionals who should only access them in specific cases andpreviously justified; and article 83 (5), al. a) - breach of principlesbasic treatment, the General Data Protection Regulation(Regulation 679/2016, of April 27, hereinafter GDPR);as well as theand article 5, no. 1 al. f) - violation of the principle of integrity and confidentiality,due to the non-application of technical and organizational measures aimed atprevent illicit access to personal data; and article 83 (5), al. a) - violationbasic treatment principles, the General Regulation on the Protection ofData (Regulation 679/2016, of April 27, hereinafter GDPR),punishable, each of them, with a fine of € 0.00 to € 20,000,000.00 or up to 4% of theannual turnover, whichever is the highest.The practice is also shown to be sufficiently indicated, by the same guideline,predicted and punishable offense under the combined provisions of theandArticle 32 (1) (b) and (d) - incapacity of the controllerensuring confidentiality, integrity, availability and resiliencetreatment systems and services, as well as the non-application
 +
 +
Page 15
 +
Process No. 98322018 [8PNATIONAL COMMISSIONDATA DEPROTECTIONappropriate technical and organizational measures to ensure a level ofrisk-appropriate safety, namely a process for testing,regularly assess and evaluate the effectiveness of technical and organizational measuresto guarantee the safety of the treatment; and article 83 (4), al. a), the GDPR,with a fine of € 0.00 to € 10,000,000.00 or up to 2% of annual turnover,whichever is the higher.In accordance with the provisions of Article 83 (1), als. a) to k), the determination of the measureThe fine is imposed according to the following criteria:andThe nature, severity and duration of the infringement taking into account the nature,scope or purpose of the data processing concerned, as well as the number ofdata subjects affected and the level of damage suffered by them - we are facingtwo offenses punishable by the most serious condition provided for by the GDPR and oneinfraction punishable by the less burdensome frame of that regulation, being certainthat, at least, since May 25, 2018, both violations have been reported.practiced. The number of affected holders corresponds to the universe of declining, OR either of the two hospitals that compose it, theBeing theneed number of customers difficult to quantify, the Access Report for2017makes it possible to extrapolategif number located in the tens of thousands. It is also relevant in thispoint, to point out that we are dealing with health data, which can bespecial categories of data, which considerably increases the risk of damagefor data holders;andIntentional or negligent character of the infraction - the conduct is considered to be intentionalconcerning the detected infractions, even if the title of intentional deception, since thedefendant represented the practice of offense as a possible consequence of theconduct and conformed to it.Rua de São Bento, 148-3º «1200-821 LISBOA213930039Tel: 213928400Fax: 213976832PRIVACY LINEwww.enpd.ptBusiness days from 10 am to 1 pmdoubtsenpd en
 +
 +
Page 16
 +
Process No. 9832/2018 | Bv*The initiative taken by the controller or the processor tomitigate the damage suffered by the owners - the defendant's conduct is valued,adopted, from the moment of the inspection, the appropriate measures to rectify theweaknesses detected, which are either already implemented or in phaseof implementationandThe degree of responsibility of the controller or processortaking into account the technical or organizational measures implemented by them interms of articles 25 and 32 - the responsibility of thedefendant as regards the violation of restrictions on the levels of access by professionals topersonal data of customers, since it consciously allowed to associate thefunctional group of “MEDICO” who should only be accredited with a profile"TECHNICIAN"; As for the lack of verification procedures for thethe need to maintain the access profiles of doctors who are no longer at theservice ofcannot fail to consider a degree of responsibilityalso raised by the defendant, since it was exclusively her responsibilityensure the control of the need and elimination of these profiles, namelythrough appropriate audit procedures.*Any relevant infractions previously committed by the person responsible for thetreatment or by the subcontractor - which are not verified.*The degree of cooperation with the supervisory authority in order to remedy the infringement andmitigate its possible negative effects - which is deemed appropriate in view of thenot only, the correction of the detected weaknesses, but also the fulfillment of the contentof Resolution No. 674/2018, of July 17;*The specific categories of personal data affected by the infringement - categoriespersonal data, in accordance with the provisions of article 9, paragraph 1 ofGDPR, as well as other non-sensitive information, such as identificationof customers. These data allow the identification of the holder and the accessimproperly permitted with the defendant's conduct constitutes a serious interference in theprivacy of those;andThe way in which the supervisory authority became aware of the infringement, inespecially if the controller or processor has notified it, and inIf so, to what extent they did so - having been known
 +
 +
Page 17
 +
Processonºss2ro1s [917NATIONAL COMMISSIONDATA DEPROTECTIONthrough news from the media and later confirmed in the actioninspection carried out by CNPD;*Compliance with the measures referred to in Article 58.2, paragraph 2, if theyhave previously been imposed on the controller or thesubcontractor concerned for the same matter - this does not apply.criterion, since there were no previously determined corrective measures;andCompliance with codes of conduct approved under the terms of article 40 orcertification procedure approved under the terms of article 42 - criterion thatalso does not apply, because there is no code of conduct or procedure forcertification, under the terms indicated;*Any other aggravating or mitigating factor applicable to the circumstances of the case,light of paragraph k) of no. 2 of article 83 of the GDPR, such as the financial benefitsobtained or losses avoided, directly or indirectly, through the infraction -here, as a factorthe aggravating factor, as regards the infraction related to the violation of article 32, paragraph 1,points b) and d) - the existence of prior authorization from CNPD where,under the heading Security Measures, CNPD expresslydetermined the need for thehave an audit systemreliable, and the defendant may not be unaware of this obligation;the mitigating factor, the fact that the parameters for monitoring theLOGS of SClinic's access to information do not depend on thedefendant, but before the SPMS.=Application of the fineAttentive to the aforementioned criteria, CNPD understands the application as necessary,in the specific case, a fine to the defendant, considering this to be the effective measureproportionate and dissuasive approach given the concrete circumstances in whichinfractions occurred.As expressed in the draft resolution, the framework of the fineabstractly applicable to the defendant for the predicted and punishable infractions under the terms ofRua de São Bento, 148-3º «1200-821 LISBOATel: 213 928400Fax: 213976832PRIVACY LINEvervecnpdptVieieddio
 +
 +
Page 18
 +
Process No. 9932/2018 | 9vcombined provisions of Articles 5, paragraph 1 to 1. c) and article 5, paragraph 1 al. f) with article83, paragraph 5, al. a), the General Data Protection Regulation (Regulation679/2016, of April 27, hereinafter GDPR), punishable, each, with a fine of €0.00 to € 20,000,000.00 or up to 4% of annual turnover, depending on the amounthighest, as well as the practice of an infraction, in competition, foreseen andpunishable under the combined provisions of article 32, paragraph 1, points b) and d) andarticle 83 (4), al. a), of the GDPR, with a fine of € 0.00 to € 10,000,000.00 or up to 2% of theannual turnover, whichever is the highest.However, it turns out that after consulting the defendant's report and accounts for the year 2017a result is observednet ofThis means that the concrete framework of the fines to beapply, in the first case, between € 0.00 to € 20,000,000.00 and, in the second case,between € 0.00 to € 10,000,000.00.Valuing the factuality determined in the light of the criteria set out above, and consideringthe circumstance that the defendant has been led by the regularization of the situation, the CNPD,-pursuant to article 58, paragraph 2, al. b) of the GDPR, considers adjusted, the applicationthe defendant of two fines, each of which, in the amount of € 150,000.00 (one hundred andfifty thousand euros) for the practice of two predicted administrativepunishable under the combined provisions of Articles 5, paragraph 1 to 1. c) and5, paragraph 1, al. f), all of the aforementioned regulations;-pursuant to article 58, paragraph 2, al. i) the GDPR, the application to the defendant of a€ 100,000.00 (one hundred thousand euros) for the practice of administrative offenseforeseeable and punishable under the combined provisions of Articles 32,1, points b) and d) and article 83, paragraph 4, al. a), all documented regulation.-In addition, under the terms of article 83, paragraph 3 of the GDPR, the fine of € 400,000.00(four hundred thousand euros).THE
 +
 +
Page 19
 +
PresgsasorSogai: bTbroNATIONAL COMMISSIONDATA DEPROTECTIONVI - ConclusionIn view of the above, CNPD decides:Apply to the defendantwatching theprovided for in paragraph 3 of article 83 of the GDPR, a single fine, in the amount of €400,000.00 (four hundred thousand euros) due to the violation of the principles ofminimization of data and integrity and confidentiality, as well as thebreach of the obligation to apply technical and organizational measuresappropriate measures to ensure a level of safety appropriate to the risk,in particular, a process for testing, assessing and regularly evaluating theeffectiveness of technical and organizational measures to ensure the security oftreatment.Pursuant to articles 58, paragraphs 2 and 3 of Decree-Law no. 433/82,October 27, current wording, inform the defendant that:a) The conviction becomes final and enforceable if it is not judiciallycontested, under the terms of article 59 of the same model;b) In the event of a judicial challenge, the Court may decides by means of a hearing or,if the defendant and the Public Prosecutor's Office do not object, by simpledispatch.Should the defendant pay the fine within a maximum period of 10 days afterits definitive character, sending the respective payment slips to CNPD. In casedue to the impossibility of the respective timely payment, the defendant communicatesfact, in writing, to CNPD.Rua de São Bento, 148-3º «1200-821 LISBOA21 3930039Tel: 213928400Fax: 213976832PRIVACY LINEBusiness days from 10am to 1pmwww.cnpd.ptWhat are you looking for?"
 +
 +
Page 20
 +
Processon. 9932/2018 10vLisbon, October 9, 2018At“Marques (rapporteur)i,ai Bis =Luís BarrosoRe CRMaria Cândida Guedes de OliveiraBsPedro MourãoFilipa Calvão (President)

Latest revision as of 16:05, 20 April 2021

CNPD - Deliberação n.º 984/2018
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(c) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 09.10.2018
Published: 09.10.2018
Fine: 400000 EUR
Parties: Centro Hospitalar Barreiro Montijo, EPE
National Case Number/Name: Deliberação n.º 984/2018
European Case Law Identifier: Processo n.º 9932/2018
Appeal: Unknown
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: {{{Initial_Contributor}}}

Portuguese DPA determines generalized access to patient records within a hospital breaches the minimization, integrity and confidentiality principles.

English Summary[edit | edit source]

Facts[edit | edit source]

CNPD's investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data, notably data which was part of the Electronic Patient Records (EPR) - which should only be accessed by doctors - through their information system accounts. The profile management system revealed other flaws, as the hospital had 985 registered doctor profiles, while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctors' specialty.

Dispute[edit | edit source]

Does granting hospital’s staff, psychologists, dietitians and other professionals access to Electronic Patient Records (EPR) breach articles 5(1)(c), (f), and 32(1)(b), (d) of the GDPR?

Holding[edit | edit source]

While the controller argued that (i) professionals other than doctors needed access to health data to fulfill their roles and that (ii) system access permissions were not configured by the controller, but by the Health Ministry's shared services (SPMS), the Portuguese DPA found that it was the controller who voluntarily determined said professionals should have indiscriminate access to EPRs and that the controller never asked SPMS to adjust the hospital's professionals' access profiles. When determining the amount of the fine, the Portuguese DPA took into account the number of affected data subjects (dozens of thousands), the nature of the personal data at stake (health-related data) and the intentional character of the breach by the data controller (who did not implement a reliable audit system after a prior instruction by the DPA).

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

Page 1
Case No. 9932/20181NATIONAL COMMISSIONDATA DEPROTECTIONRESOLUTION No. 984/2018| - The National Data Protection Commission (CNPD) prepared, on July 17,2018, deliberation project, in which the defendant was imputedthe practice of two predicted and punishable violations under the terms ofcombined provisions of Articles 5, paragraph 1 to 1. c) and article 5, paragraph 1 al. f) with article83, paragraph 5, al. a), the General Data Protection Regulation (Regulation679/2016, of April 27, hereinafter GDPR), punishable, each, with a fine of €0.00 to € 20,000,000.00 or up to 4% of annual turnover, depending on the amounthigher, as well as the practice of a predicted and punishable violation under the termsof the combined provisions of article 32, paragraph 1, subparagraphs b) and d) and article 83, paragraph 4, al.a), of the GDPR, with a fine of € 0.00 to € 10,000,000.00 or up to 2% of turnoverper year, whichever is the highest.The defendant was notified of the content of the said project and, pursuant to the provisions of article 50.of Decree-Law No. 433/82, of October 27, to present its defense, came to claim(see pages 38 to 82), in short, that:1. The CNPD cannot be considered as a national control authority under theterms of article 51, paragraph 1 of the GDPR, as it has not yet been indicated asformally. Admitting otherwise would violate the principle of legality contained in the article266 of the Constitution of the Portuguese Republic (CRP);2. The conducts foreseen in the GDPR as sanctionable with the fines of the article83 are not sufficiently densified, so the intervention of thenational legislator is indispensable for them to apply, under penalty ofviolation of the principle of typicality formulated in article 29 of the CRP;3. Acknowledges the existence of access profiles under the conditions reported in the projectCNPD deliberation process;4. Considers, however, that professionals with these access profiles (technicalof action / social service, nutritionists, physiotherapists and psychologists) are subjectRua de São Bento, 148-3º «1200-821 LISBOA21 39300 39Tel: 213928400Fax: 213976832PRIVACY LINEwww.cnpd.ptWorking days from 10 am to 1 pmdoubtsenpdpt

Page 2
10.11.12.Process No. 9932/2018 1vTheobligationsinconfidentialityappropriate,namelyatdeontological;Such professionals have access to the relevant and necessary information for theperformance of its functions;The systems used do not technically allow the stratification of accessesto information in ideal detail, something he understands cannot be taken away from himsince it uses third-party standardized systems, with no possibility ofintervention byand mandatory use, given the determinations ofguardianship entities;It also argues that such stratification of information will tend to beimpossible, since, at the outset, it is not possible to determine which datain particular that may be relevant to the performance of the functionsthose professionals;Informs, however, that the latest updates made available by the ServicesShared by the Ministry of Health resolved some of the issuesraised by CNPD, especially regarding the management of access credentials;It also states that it has already implemented several of the recommendationscontained in Resolution 674/2018, of 17 July, from CNPD;Regarding access to the PDS (Health Data Platform), he declares that“Technically a button being available to access the PDS would not mean thatthe user was able to access, since the PDS information system isa system external to SCclínico, so you should only validate it if the user isdoctor or nurse ”;It refutes the facts that in the deliberation project pointed to the nonexistenceaccess logs to the SClinic system;As for the accounts of active users associated with the functional group of“MEDICO”, ​​in a number far superior to the medical staff declared in thevarious reports and accounts, admits the possibility of some of these accountsare no longer active, although it warns of the reality of hiringphysicians on a service delivery basis, which explains some of thedisparity between the number of accounts and the number of professionals whoeffectively perform functions in the[and

Page 3
Processon. 9932/2018 | twoNATIONAL COMMISSIONDATA DEPROTECTION13. Assumes, also in relation to these inactive accounts, the correction of thesesituations, using internal processes and technical certification;14. Given the impossibility of modeling, altering or correcting the technical aspects ofsystems used, understands to have acted without guilt, therefore it is not imputableany conduct conduct.He gathered eleven documents and four witnesses.Il - Appreciation1) On the alleged existence of a violation of the principle of legality by virtue ofCNPD arrogates itself in a condition that, by way of delight, will not (yet) belong to it,it will always seduce that such an argument does not succeed. Deselogo, and as explainedin the deliberation project, the CNPD is, for all intents and purposes, and as such notis changed, “the national authority whose role is to control and supervisecompliance with legal and regulatory provisions in the field ofprotection of personal data, in strict respect for human rights andfor the freedoms and guarantees enshrined in the Constitution and22, no. 1 of Law no. 67/98, of 26 October, amended by Law no. 103/2015, ofAugust 24, hereinafter LPDP).Such a provision does not contain only a will of the national legislator inassign to CNPD any national matter related to the protection of personal data,but rather the distinct intention of entrusting you with any matter of this nature thatit is not specifically prohibited by law. And we don't see how it can violatethe principle of legality.In addition, the GDPR contains several novelties aimed at standardizing the powerscontrol authorities across the European Union (EU), precisely toallow the useful effect sought by the use of this legal instrument. This respects,for example, the possibility for any of the supervisory authorities in the EU to beequipped with adequate powers of investigation and correction, ending,thus, with the disparity that prevailed until the 25th of May.Ruade São Bento, 148-3º + 1200-821 LISBON21/393/00 39)Tel: 213928400Fax: 213976832PRIVACY LINEwww.cnpd.ptWorking days from 10 am to 1 pmdoubts (Qenpd enfoot

Page 4
4)5)8)Processon. 9932/2018 2vIt happens, however, that, in Portugal, the CNPD has had this type ofpowers, the relevant GDPR not being a novelty, except with regard to theobligations to cooperate with other EU supervisory authorities, withoutthat the paradigmatic transition of hetero-regulation is forgotten (whose mostvisible consisted in the prior evaluation and authorization of data processingpersonal data) for self-assessment, and it is now up to those responsible fortreatments and subcontractors provide for the legality of data processingpersonal actions that they carry out, without any intermediation ofsupervisory authorities.In addition to all these arguments, there is another one, of a purely formal nature, thatit is the institutional representation of Portugal that CNPD already already ensures in the EU.Indeed, the new European Data Protection Committee, foreseen in theSection 3 of Chapter VIl of the GDPR, must, under the terms of paragraph 3 of article 68 of theregulation, be “composed of the director of a supervisory authority for eachMember State ”. This new European Union body then assumes thateach country is represented by the director (or president) of each authoritycontrol of the various Member States, which, in the Portuguese case, resulted in theintegration, as a right member, of CNPD into CEPD, disregards the firstmeeting dated May 25, 2018.As for the principle of typicality invoked by the defendant, even less in theseems to be serviceable. It will suffice, to remove it, to remember, from the outset, the intentionstandardizing the regulation, especially in the area of ​​fines,uncontroversially expressed in recital 150 of the GDPR “In order to reinforceand harmonize administrative sanctions for violations of thisRegulation, supervisory authorities should be empowered to imposeFinnic. This regulation should define the violations and the amountmaximum and the criterion for setting the value of the fines resulting therefrom [underlineddust

Page 5
Process No. 9932/2018 | 3MMNATIONAL COMMISSIONDATA DEPROTECTIONours], which should be determined by the competent supervisory authority, ineach individual case, taking into account all relevant circumstances of thespecific situation, giving due consideration, in particular, to the nature,seriousness and duration of the breach and its consequences and the measurestaken to ensure compliance with the obligations set out in thisregulation and to prevent or mitigate the consequences of the infraction. ”.7) In addition to this reference, the Constitutional Court itself has alreadyrepeatedly to the degree of concreteness demanded by norms typifyingadministrative misconduct. Paulo Pinto de Albuquerque, in his “Commentaryof the General Regime of Administrative Offenses ”, in annotation 16 to article 2, illustratedo exemplarily when it states that “the infraction based on the violationgeneral clauses (general duties of zeal and urbanity) and other obligationsdoes not violate the datipity principle (TC judgment 338/2003, whichfocused on article 82, al. b), of Decree-Law no. 422/89, of 2.12). The samecan be concluded from the breach of the generic duty regarding the organizationaccounting (judgment of TC no. 455/2006, related to article 14 of Law no.56/98, and the judgment of TC No. 198/2010, relating to Article 29 of Law No. 19/2003). ".8) Regarding the matter of fact, it is enlightening that the defendant confirms theexistence of the access profiles as they were described in the project ofdeliberation. In effect, the policy for assigning access credentialsallowed at least 9 (nine) employees of the functional group “TECHNICAL / A”to enjoy the level of access reserved for the functional group “MEDICO”, ​​whichtranslates into the indiscriminate possibility of consulting clinical processes ofall hospital users.9) Regardless of recognizing external standardization and availabilityof a certain set of profile types, it was the defendant who volunteered andconsciously determined that those professionals could, throughprofiles not suited to their functions and professional category, to have accessindiscriminate access to clinical processes throughout the hospital, rather than establishingRua de São Bento, 148-3º «1200-821 LISBOA213930039)Tel: 213 928400Fax: 213976832PRIVACY LINEwoetce

Page 6
Case nº9932 / 2018 | 3mother procedures, perhaps more time consuming, but certainly lessintrusive protection of personal data that any citizen should deserve.10) Without disregarding this critical judgment, the arguments related to theinability to determine, a priori, which information is relevant to eachof technicians with the aforementioned access profiles, a difficulty that isexponentiated by the architecture of the systems that do not allow the definition,and step or case series of access to certain clinical information, a fact that,again, it cannot be attacked to those who do not have the instruments toremedy or mitigate the effects of such construction.11) We even believe that this hypothesis removes direct intent from the defendant's conduct,makes the necessary deception questionable, but does not in any way preclude theexistence of eventual fraud. So much so, that the defendant confesses to always havingproceeded with knowledge of the existence of these weaknesses of the system,however, refraining from continuing to assign undue access privileges to asetinprofessionalswhatNevershouldpoweraccessindiscriminately to clients' clinical files.12) It is unsustainable to defend that any social worker can access thetotality of the client's clinical file in order to perform its function,such defense is even more unsustainable if access to thesemolds without time limit.13) How equally indefensible is the existence of access credentials thatallow any doctor, of any specialty, at any timeaccess customer data for a given hospital. The beginningminimization of data and the principle of “need to know” (or, in the“Need to know” anglicism), prohibit or intend to prohibit collection, but alsoaccess and other treatments to information unnecessary for the purposetarget.

Page 7
Process No. 9932/2018 | 4NATIONAL COMMISSIONDATA DEPROTECTION14) For all these reasons, the CNPD cannot admit that the technical limitations mentionedcan justify the unrestricted adoption of access validation procedureswhich practically render the essential nucleus of the fundamental right toprotection of personal data.15) The defendant's allegation, which points to a much greater restrictiveness of the profiles ofaccess to non-medical professionals with functional group profiles“TECNICO” and the “MEDICO” activity group is clearly reductive since,even if such restrictions exist, they were not enough to avoid eventhat the CNPD technicians would see the defendant's SSI created a user oftest (just from the “TECNICO” functional group and activity group“MEDICO”) that allowed them to “search for registered registrants at that institutionhospital without restrictions and that it was allowed access to all elementsthat make up the clinical process of these assistants ”, as shown in the reportannex to the draft resolution (see pages 6).16) By knowingly allowing professionals from several different categories toaccess to unrestricted information about the clinical process of the clients ofThedefendant did not take the slightest care to ensure compliance with that principle,moreover, having circumvented a limitation of the systems that had been adoptedfor security and privacy reasons.17) In addition to this, according to the defendant's own defense, the defendant will never havecare of the intermediary of the SPMS in order to correct this aspect of the systemwhich, as the recent update demonstrates, should and could be changedpreviously.18) Let it be said, regarding the matter of the possibility of accessing non-existent informationnecessary or relevant allowed by these profiles that, the inspection teamverified and collected proof of access to the PDS from the user account ofRua de São Bento, 148-3º «1200-821 LISBOA'21 / 393/0039Tel: 213928400Fax: 213976832PRIVACY LINEwww.enpd.ptBusiness days from 10 am to 1 pmWhat are you looking for?Jr

Page 8
Process No. 9932/2018 | 4vtest. In fact, as far as it was possible to verify in the context of inspection, thePDS platform does not validate user authentication, so ifexplaining that it was possible to access the PDS with a “USERTEST ”, which had not associated any mechanographic number or numberof order (doctor or nurse).19) Contrary to the arguments of theit is up to hospital centers andother health care institutions do the correct user validationand identification of the corresponding profile, not the PDS.20) As for the maintenance of useless profiles regarding medical professionalswho no longer provide services to theand that he didn't care to eliminate, the judgmentof censorship remains unchanged.21) Remember that, of the 18 (eighteen) user accounts that CNPD verifiedbeing effectively disabled, only one corresponded to a professionaldoctor22) Assuming that this conduct has not caused concrete damage to the protectionpersonal data of the clients of that hospital center, however, it is not possible toignore or disregard the violation of objective duties of those responsible fortreatment, especially when concerned with the potential access to categoriesdata, the concept specified in article 9, paragraph 1 of the GDPR, asit's health data.23) It should be noted that the defendant did not deny the existence of such profiles,to argue that some (few or many) of them are due to the hiring, in regimedeprivation of services, of doctors who are only performingfunctions transiently in the- The concrete and rigorous ignorance of theuniverse of access accounts that should have been eliminated is quitedemonstrating the lack of a reliable audit system."

Page 9
footCase nº9932 / 2018 | 5NATIONAL COMMISSIONDATA DEPROTECTION24) Equally objectionable, the procedure for creating accounts is maintained, which,Contrary to what has been argued, it is not even fully controlled byadministration of25) In fact, evidence was collected in the context of inspection that demonstratethat the account creation process is not always governed by the procedurereferred to by the defendant. The Annex | (defls. 9) displays the message transcriptemails exchanged between the Coordinator of the Physiotherapy sector atthe Directorate of Clinical Pathology and the Information Systems Service(SSI), which expressly determine the request for the creation ofusers, without any pronouncement by the administration of the26) Although it is admitted that the defendant has embarked on a path to correct thissituation, the fact is that, at the time of the inspection, the creation of accounts did not respectminimally the GDPR principles.27) Regarding the lack of access LOGS, it is confirmed that the techniciancomputer performed an export of the table «sys / ogacessos» with the name«Logacessosassistentesocial.XLS», which presents what appear to besystem entry and exit events. They are assumed to be associatedaccess to the SClinic, although it has not been possible to confirm thisinformation.28) From the audit audit point, the check-in and check-out in an applicationprovides very limited information on its use. CNPDrecognizers, however, that the inclusion of a higher level of activity registration isdependent on changes in application logic and that these changes can onlywill be available to the entity that develops the software - in this case, theSPMsS.Rua de São Bento, 148-3º «1200-821 LISBOA21 39 300 39)Tel: 213928400Fax: 213976832PRIVACY LINEwww.cnpd.ptBusiness days from 10 am to 1 pmdoubtsenpdpt

Page 10
Process nº 9932/2018 | 5v29) Compliance with the CNPD recommendations, registered in thein Deliberation No. 674/2018, of 17 July, which are intended precisely tocorrect elements considered critical or of substantive relevance.30) It is recognized that there are updates to the systems provided by theSPMS that follow the rumocorrect, although potentially not complete, ofcompliance with GDPR standards.The witnesses presented were not heard since the matter of fact wasgenerically confirmed and, as for the disputed facts not disclosed, the samethere is no need for further clarification or contradiction, which results in theany testimonies that are relevant to the discovery of material truth.Attentive to the defense presented by the defendant and the critical judgment that CNPD has on hercarried out, some of the facts are altered in the light of the information and clarificationsprovided.ll - With the elements contained in the file, with interest for the decision,we consider the following proven:FactsOn July 2, 2018, the National Data Protection Commission conducted ainspection of management systems and access to information at the premises of theIn the context of this inspection, it was verified that there is no document in whichcorrespondence between the functional competences of the users and the profilesaccess to information, namely clinical information, or wherever they are locatedelencadososcriterias that allow correspondence to be made.It was also verified the absence of any document where they arethe rules for the procedure for creating an account for users of theinformation system;r

Page 11
Process No. 9932/2018 | 6NATIONAL COMMISSIONDATA DEPROTECTIONDeresto, the determination of the creation of the user account and the profiles of access to theinformation is communicated by e-mails to the Information Systems Service(SSI) originating from service managers and other professionals;5. This procedure is currently under review and correction.10.11213.Ouses the Integrated Hospital Information System (DREAM) and thehospital clinical record (SCclínico), applications made available by the ServicesShared by the Ministry of Health, EPE (SPMS); the first is used for supportadministrative department of the hospital and the second records the clinical information of the users,allowing access, use and sharing of that information between health professionalshealth;Oauthorized the processing of personal data from the information systemsSONHO and SAM information (formerly known as the SClinic application).In the SONHO application, each user account has two attributes that allow users tohospital services manage the access profiles to the system: the functional group and the groupactivity, assigning codes to them; the functional group distinguishes the various areasfunctions that exist in a hospital environment (eg, “ADMINISTRATIVE / A”,“TECNICO / A”, “MEDICO”, ​​“INFORMATICO”, ​​“AUXILIAR”, while the group ofactivity allows to distinguish different areas within a functional group (eg, in the groupfunctional of “MEDICO”, ​​there are “SURGERY”, “ANESTHESIST” and “MEDICO”;There is a functional group called “TECNICO / A”, which includes differentactivities - “NUTRICIONISTA”, “FISIOTERAPEUTA”, “PSICÓLOGO” and “SERVICOSOCIAL ”(cf. annex |);The functional group “MEDICO” corresponds to code 5;- The functional group “TECNICO / A" corresponds to code 2;. They are registered in the DREAM information system of the10 professionals in the field“SOCIAL SERVICE” activity (see Annex II);These 10 professionals have associated code 2, which corresponds to the functional group"TECNICO / A";Ruade São Bento, 148-3º «1200-821 LISBOAper So ES)Tel: 213928 400Fax: 213976832PRIVACY LINEwww.cnpd.ptBusiness days from 10 am to 1 pmWhat are you looking for?jo

Page 12
14.15.16.17.18.19.20.21.22.Process No. 9932/2018 | 6vOf these 10 professionals, 9 also have associated code 5, which corresponds to the groupfunctional of “MEDICO” (cf. annexIII);Non-medical professionals who have associated code 5 have, by virtue of thiscode and profile, access permissions to the entire clinical process of all usersthe hospital, through the SClinic system;As a result of the CNPD initiative, a test user account was created (with designation“TEST USER”) with a profile identical to that of the 9 Social Service technicians - withcode 2 and 5 - having verified that it allowed access, without anyrestrictions, the clinical process of users of the, which includes the diagnosis,results of diagnostic helpers and other information recorded in the formclinic of each user (cf. AnnexIV);Still within SClinic, with the same user account (with TECNICO / A profile- SOCIAL SERVICE), was accessed via the Health Data Platform, since thisso allows, to information residing in another hospital of the National Health Serviceon clinical episodes associated with a patientof(cf. Annex V);In point 4 of authorizations No. 5795/2012 and 5796/2012, entitled Measures ofSecurity, CNPD expressly determined the need for the responsible to adoptmechanisms for the identification and authentication of users, as well as the management ofaccess profiles;The information systems made available by the Shared Services of the Ministry ofSaúde, EPE (SPMS) do not allow users to define their own parameters,particularly in terms of access profiles.There are 985 active users associated with the functional group of “MEDICO”, ​​in the;Point 5 (“Human Resources”) of the report and accounts of thein2017(availablein+ indicates, on the staff mapthere inscribed, on page 33, the existence of 280 doctors;The human resources plan, set out on page 14 of the Activity Plan for2018 from this same hospital centerpoints to the existence of 296 doctorsat the service of said EPE, this year.

Page 13
28.24.25.26.27.Process No. 9932/2018 | 7NATIONAL COMMISSIONDATA DEPROTECTIONOrecognized the existence of unusable profiles, albeit safeguarding thereality of service provision contracts, which result in the creation of profilestemporary staff of doctors hired under this regime, failing to quantify thephenomenon.There are only 18 inactive user accounts (15 technicians, 1 pharmacist and 1physician), with the most recent inactivation dated 11/11/2016 (see Annex VI);In point 4 of the authorizations, Under the heading Measures ofSecurity, CNPD expressly determined, in paragraph c), the need for thehave a reliable audit system.The defendant acted deliberately, knowing that she was obliged to apply thetechnical and organizational measures essential to the identification and authentication ofusers, as well as the management and delimitation of their access to information profiles,stratifying them according to the different access privileges corresponding to theprofessional categories of its workers, and also to guarantee the safety of theinformation, in addition to being responsible for having a reliable audit system for suchidentification, access and security guarantees.The defendant acted freely, voluntarily, consciously and knowing that herconducts were as they are prohibited and punished byIV - Motivation of the de facto decisionThe ascertained facts resulted:- Defls inspection report. 4 to 10, where the circumstances are described ininformation access systems operated and the specific conditionsaccesses, allowing professionals with improperly assigned profilesaccess clinical information of all the defendant's clients and not taking care ofto guarantee the minimum conditions of auditability and security of the systems;- On the defendant's written defense, on pages 38 to 82, where theweaknesses detected with regard to the procedures for defining accounts andaccess privileges, regarding the inability to determine restrictions on theaccess to information according to the specific function of workers in theRua de São Bento, 148-3º «1200-821 LISBOA21 393003:Tel: 213928400Fax: 213976832PRIVACY LINEBusiness days from 10 am to 1 pmwww.cnpd.ptWhat are you looking for? ptpn

Page 14
Process No. 9932/2018 | 7vdustand regarding non-compliance with the duties of monitoring accountsunusable and their elimination.V - In view of the factuality found, it is shown to be sufficientlypractice accused by the defendanttwo misdemeanors for the practice oftwo predicted and punishable offenses under the combined provisions of theandarticle 5, paragraph 1 al. c) - breach of the principle of data minimization,allowing indiscriminate access to an excessive set of dataprofessionals who should only access them in specific cases andpreviously justified; and article 83 (5), al. a) - breach of principlesbasic treatment, the General Data Protection Regulation(Regulation 679/2016, of April 27, hereinafter GDPR);as well as theand article 5, no. 1 al. f) - violation of the principle of integrity and confidentiality,due to the non-application of technical and organizational measures aimed atprevent illicit access to personal data; and article 83 (5), al. a) - violationbasic treatment principles, the General Regulation on the Protection ofData (Regulation 679/2016, of April 27, hereinafter GDPR),punishable, each of them, with a fine of € 0.00 to € 20,000,000.00 or up to 4% of theannual turnover, whichever is the highest.The practice is also shown to be sufficiently indicated, by the same guideline,predicted and punishable offense under the combined provisions of theandArticle 32 (1) (b) and (d) - incapacity of the controllerensuring confidentiality, integrity, availability and resiliencetreatment systems and services, as well as the non-application

Page 15
Process No. 98322018 [8PNATIONAL COMMISSIONDATA DEPROTECTIONappropriate technical and organizational measures to ensure a level ofrisk-appropriate safety, namely a process for testing,regularly assess and evaluate the effectiveness of technical and organizational measuresto guarantee the safety of the treatment; and article 83 (4), al. a), the GDPR,with a fine of € 0.00 to € 10,000,000.00 or up to 2% of annual turnover,whichever is the higher.In accordance with the provisions of Article 83 (1), als. a) to k), the determination of the measureThe fine is imposed according to the following criteria:andThe nature, severity and duration of the infringement taking into account the nature,scope or purpose of the data processing concerned, as well as the number ofdata subjects affected and the level of damage suffered by them - we are facingtwo offenses punishable by the most serious condition provided for by the GDPR and oneinfraction punishable by the less burdensome frame of that regulation, being certainthat, at least, since May 25, 2018, both violations have been reported.practiced. The number of affected holders corresponds to the universe of declining, OR either of the two hospitals that compose it, theBeing theneed number of customers difficult to quantify, the Access Report for2017makes it possible to extrapolategif number located in the tens of thousands. It is also relevant in thispoint, to point out that we are dealing with health data, which can bespecial categories of data, which considerably increases the risk of damagefor data holders;andIntentional or negligent character of the infraction - the conduct is considered to be intentionalconcerning the detected infractions, even if the title of intentional deception, since thedefendant represented the practice of offense as a possible consequence of theconduct and conformed to it.Rua de São Bento, 148-3º «1200-821 LISBOA213930039Tel: 213928400Fax: 213976832PRIVACY LINEwww.enpd.ptBusiness days from 10 am to 1 pmdoubtsenpd en

Page 16
Process No. 9832/2018 | Bv*The initiative taken by the controller or the processor tomitigate the damage suffered by the owners - the defendant's conduct is valued,adopted, from the moment of the inspection, the appropriate measures to rectify theweaknesses detected, which are either already implemented or in phaseof implementationandThe degree of responsibility of the controller or processortaking into account the technical or organizational measures implemented by them interms of articles 25 and 32 - the responsibility of thedefendant as regards the violation of restrictions on the levels of access by professionals topersonal data of customers, since it consciously allowed to associate thefunctional group of “MEDICO” who should only be accredited with a profile"TECHNICIAN"; As for the lack of verification procedures for thethe need to maintain the access profiles of doctors who are no longer at theservice ofcannot fail to consider a degree of responsibilityalso raised by the defendant, since it was exclusively her responsibilityensure the control of the need and elimination of these profiles, namelythrough appropriate audit procedures.*Any relevant infractions previously committed by the person responsible for thetreatment or by the subcontractor - which are not verified.*The degree of cooperation with the supervisory authority in order to remedy the infringement andmitigate its possible negative effects - which is deemed appropriate in view of thenot only, the correction of the detected weaknesses, but also the fulfillment of the contentof Resolution No. 674/2018, of July 17;*The specific categories of personal data affected by the infringement - categoriespersonal data, in accordance with the provisions of article 9, paragraph 1 ofGDPR, as well as other non-sensitive information, such as identificationof customers. These data allow the identification of the holder and the accessimproperly permitted with the defendant's conduct constitutes a serious interference in theprivacy of those;andThe way in which the supervisory authority became aware of the infringement, inespecially if the controller or processor has notified it, and inIf so, to what extent they did so - having been known

Page 17
Processonºss2ro1s [917NATIONAL COMMISSIONDATA DEPROTECTIONthrough news from the media and later confirmed in the actioninspection carried out by CNPD;*Compliance with the measures referred to in Article 58.2, paragraph 2, if theyhave previously been imposed on the controller or thesubcontractor concerned for the same matter - this does not apply.criterion, since there were no previously determined corrective measures;andCompliance with codes of conduct approved under the terms of article 40 orcertification procedure approved under the terms of article 42 - criterion thatalso does not apply, because there is no code of conduct or procedure forcertification, under the terms indicated;*Any other aggravating or mitigating factor applicable to the circumstances of the case,light of paragraph k) of no. 2 of article 83 of the GDPR, such as the financial benefitsobtained or losses avoided, directly or indirectly, through the infraction -here, as a factorthe aggravating factor, as regards the infraction related to the violation of article 32, paragraph 1,points b) and d) - the existence of prior authorization from CNPD where,under the heading Security Measures, CNPD expresslydetermined the need for thehave an audit systemreliable, and the defendant may not be unaware of this obligation;the mitigating factor, the fact that the parameters for monitoring theLOGS of SClinic's access to information do not depend on thedefendant, but before the SPMS.=Application of the fineAttentive to the aforementioned criteria, CNPD understands the application as necessary,in the specific case, a fine to the defendant, considering this to be the effective measureproportionate and dissuasive approach given the concrete circumstances in whichinfractions occurred.As expressed in the draft resolution, the framework of the fineabstractly applicable to the defendant for the predicted and punishable infractions under the terms ofRua de São Bento, 148-3º «1200-821 LISBOATel: 213 928400Fax: 213976832PRIVACY LINEvervecnpdptVieieddio

Page 18
Process No. 9932/2018 | 9vcombined provisions of Articles 5, paragraph 1 to 1. c) and article 5, paragraph 1 al. f) with article83, paragraph 5, al. a), the General Data Protection Regulation (Regulation679/2016, of April 27, hereinafter GDPR), punishable, each, with a fine of €0.00 to € 20,000,000.00 or up to 4% of annual turnover, depending on the amounthighest, as well as the practice of an infraction, in competition, foreseen andpunishable under the combined provisions of article 32, paragraph 1, points b) and d) andarticle 83 (4), al. a), of the GDPR, with a fine of € 0.00 to € 10,000,000.00 or up to 2% of theannual turnover, whichever is the highest.However, it turns out that after consulting the defendant's report and accounts for the year 2017a result is observednet ofThis means that the concrete framework of the fines to beapply, in the first case, between € 0.00 to € 20,000,000.00 and, in the second case,between € 0.00 to € 10,000,000.00.Valuing the factuality determined in the light of the criteria set out above, and consideringthe circumstance that the defendant has been led by the regularization of the situation, the CNPD,-pursuant to article 58, paragraph 2, al. b) of the GDPR, considers adjusted, the applicationthe defendant of two fines, each of which, in the amount of € 150,000.00 (one hundred andfifty thousand euros) for the practice of two predicted administrativepunishable under the combined provisions of Articles 5, paragraph 1 to 1. c) and5, paragraph 1, al. f), all of the aforementioned regulations;-pursuant to article 58, paragraph 2, al. i) the GDPR, the application to the defendant of a€ 100,000.00 (one hundred thousand euros) for the practice of administrative offenseforeseeable and punishable under the combined provisions of Articles 32,1, points b) and d) and article 83, paragraph 4, al. a), all documented regulation.-In addition, under the terms of article 83, paragraph 3 of the GDPR, the fine of € 400,000.00(four hundred thousand euros).THE

Page 19
PresgsasorSogai: bTbroNATIONAL COMMISSIONDATA DEPROTECTIONVI - ConclusionIn view of the above, CNPD decides:Apply to the defendantwatching theprovided for in paragraph 3 of article 83 of the GDPR, a single fine, in the amount of €400,000.00 (four hundred thousand euros) due to the violation of the principles ofminimization of data and integrity and confidentiality, as well as thebreach of the obligation to apply technical and organizational measuresappropriate measures to ensure a level of safety appropriate to the risk,in particular, a process for testing, assessing and regularly evaluating theeffectiveness of technical and organizational measures to ensure the security oftreatment.Pursuant to articles 58, paragraphs 2 and 3 of Decree-Law no. 433/82,October 27, current wording, inform the defendant that:a) The conviction becomes final and enforceable if it is not judiciallycontested, under the terms of article 59 of the same model;b) In the event of a judicial challenge, the Court may decides by means of a hearing or,if the defendant and the Public Prosecutor's Office do not object, by simpledispatch.Should the defendant pay the fine within a maximum period of 10 days afterits definitive character, sending the respective payment slips to CNPD. In casedue to the impossibility of the respective timely payment, the defendant communicatesfact, in writing, to CNPD.Rua de São Bento, 148-3º «1200-821 LISBOA21 3930039Tel: 213928400Fax: 213976832PRIVACY LINEBusiness days from 10am to 1pmwww.cnpd.ptWhat are you looking for?"

Page 20
Processon. 9932/2018 10vLisbon, October 9, 2018At“Marques (rapporteur)i,ai Bis =Luís BarrosoRe CRMaria Cândida Guedes de OliveiraBsPedro MourãoFilipa Calvão (President)