CNPD (Portugal) - Deliberação 984/2018: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Portugal |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPT.png |DPA_Abbrevation=CNPD |DPA_With_Country=CNPD (Portugal) |Case_Number_Name...")
 
No edit summary
Line 52: Line 52:
}}
}}


"Portuguese DPA determines generalized access to patient records within a hospital breaches the minimization, integrity and confidentiality principles"
Portuguese DPA determines generalized access to patient records within a hospital breaches the minimization, integrity and confidentiality principles.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
CNPD's investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data, notably data which was part of the Electronic Patient Records (EPR) - which should only be accessed by doctors - through their information system accounts. The profile management system revealed other flaws, as the hospital had 985 registered doctor profiles, while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctors' specialty.
CNPD's investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data, notably data which was part of the Electronic Patient Records (EPR) - which should only be accessed by doctors - through their information system accounts. The profile management system revealed other flaws, as the hospital had 985 registered doctor profiles, while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctors' specialty.


=== Dispute ===
===Dispute===
Does granting hospital’s staff, psychologists, dietitians and other professionals access to Electronic Patient Records (EPR) breach articles 5(1)(c), (f), and 32(1)(b), (d) of the GDPR?  
Does granting hospital’s staff, psychologists, dietitians and other professionals access to Electronic Patient Records (EPR) breach articles 5(1)(c), (f), and 32(1)(b), (d) of the GDPR?  


=== Holding ===
===Holding===
While the controller argued that (i) professionals other than doctors needed access to health data to fulfill their roles and that (ii) system access permissions were not configured by the controller, but by the Health Ministry's shared services (SPMS), the Portuguese DPA found that it was the controller who voluntarily determined said professionals should have indiscriminate access to EPRs and that the controller never asked SPMS to adjust the hospital's professionals' access profiles.  
While the controller argued that (i) professionals other than doctors needed access to health data to fulfill their roles and that (ii) system access permissions were not configured by the controller, but by the Health Ministry's shared services (SPMS), the Portuguese DPA found that it was the controller who voluntarily determined said professionals should have indiscriminate access to EPRs and that the controller never asked SPMS to adjust the hospital's professionals' access profiles.  
When determining the amount of the fine, the Portuguese DPA took into account the number of affected data subjects (dozens of thousands), the nature of the personal data at stake (health-related data) and the intentional character of the breach by the data controller (who did not implement a reliable audit system after a prior instruction by the DPA).  
When determining the amount of the fine, the Portuguese DPA took into account the number of affected data subjects (dozens of thousands), the nature of the personal data at stake (health-related data) and the intentional character of the breach by the data controller (who did not implement a reliable audit system after a prior instruction by the DPA).  


== Comment ==
==Comment==




== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.



Revision as of 08:21, 26 March 2020

CNPD - Deliberação n.º 984/2018
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(c) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.10.2018
Published: 09.10.2018
Fine: 400000 EUR
Parties: Centro Hospitalar Barreiro Montijo, EPE
National Case Number/Name: Deliberação n.º 984/2018
European Case Law Identifier: Processo n.º 9932/2018
Appeal: Unknown
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: n/a

Portuguese DPA determines generalized access to patient records within a hospital breaches the minimization, integrity and confidentiality principles.

English Summary

Facts

CNPD's investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data, notably data which was part of the Electronic Patient Records (EPR) - which should only be accessed by doctors - through their information system accounts. The profile management system revealed other flaws, as the hospital had 985 registered doctor profiles, while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctors' specialty.

Dispute

Does granting hospital’s staff, psychologists, dietitians and other professionals access to Electronic Patient Records (EPR) breach articles 5(1)(c), (f), and 32(1)(b), (d) of the GDPR?

Holding

While the controller argued that (i) professionals other than doctors needed access to health data to fulfill their roles and that (ii) system access permissions were not configured by the controller, but by the Health Ministry's shared services (SPMS), the Portuguese DPA found that it was the controller who voluntarily determined said professionals should have indiscriminate access to EPRs and that the controller never asked SPMS to adjust the hospital's professionals' access profiles. When determining the amount of the fine, the Portuguese DPA took into account the number of affected data subjects (dozens of thousands), the nature of the personal data at stake (health-related data) and the intentional character of the breach by the data controller (who did not implement a reliable audit system after a prior instruction by the DPA).

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.