DPC - Health Service Executive (IN-19-9-2)

From GDPRhub
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Section 110, Data Protection Act 2018
Section 111, Data Protection Act 2018
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.09.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: Health Service Executive (IN-19-9-2)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Cellular

A first decision (IN-19-9-1) imposed a fine, reprimanded the HSE, and ordered the HSE to bring its processing into compliance. No additional corrective powers were exercised in this second decision (IN-19-9-2), because the first decision had already addressed the circumstances of the same infringements that were subsequently also identified in the second decision.

English Summary

Facts

The HSE notified the DPC of a personal data breach on 1 May 2019. The breach occurred when a member of the public found documentation containing the personal data of 15 data subjects, including clinical information and details of treatments received. The documents were created in Our Lady of Lourdes Hospital, but were discovered by the member of the public in their front garden.


Dispute

Holding

The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.

Comment

This decision should be read in conjunction with the decision (IN-19-9-1): they concern the same processing operations, undertaken by the same controller, and concern the same time period.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.