DPC - Health Service Executive - August 2020 (IN-19-9-1)
DPC - Health Service Executive - August 2020 (IN-19-9-1) | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 18.08.2020 |
Published: | |
Fine: | 65000 EUR |
Parties: | Health Service Executive |
National Case Number/Name: | Health Service Executive - August 2020 (IN-19-9-1) |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Data Protection Commission (in EN) |
Initial Contributor: | Cellular |
The Irish Data Protection Commission (DPC) fined the HSE with € 65.000 for a violation of Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organizational measures to ensure the appropriate level of security to prevent the existent risks.
English Summary
Facts
The Irish Data Protection Commission (DPC) commenced inquiry IN-19-9-1 in respect of one personal data breach notified by the HSE to the DPC. The personal data breach occurred when documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, were disposed of in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County.One personal data breach has been notified by the HSE to the DPC. The personal data breach occurred when documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, were disposed of in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County.
Holding
The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.
Comment
Decision IN-19-9-1 was issued in August 2020 and Decision IN-19-9-2 was issued in September 2020. These decisions should be read in conjunction with one another in circumstances where they concern the same processing operations, undertaken by the same controller, and concern the same time period.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Note on this document This document contains two statutory decisions issued by the Data Protection Commission concerning the HSE. Decision IN-19-9-1 was issued in August 2020 and Decision IN-19-9-2 was issued in September 2020. These decisions should be read in conjunction with one another in circumstances where they concern the same processing operations, undertaken by the same controller, and concern the same time period. The first decision (IN-19-9-1) imposed a fine, reprimanded the HSE, and ordered the HSE to bring its processing into compliance. There were no further additional corrective powers exercised in the second decision (IN-19-9-2) in light of how the first decision addressed the circumstances of the same infringements as were subsequently also identified in the second decision. In the matter of the General Data Protection Regulation DPC Case Reference: IN-19-9-1 In the matter of The Health Service Executive (HSE South) Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act 2018 Further to an own-volition inquiry commenced pursuant to Section 110 of the Data Protection Act 2018 DECISION Decision-Maker for the Commission: 18 August 2020 Helen Dixon Commissioner for Data Protection Data Protection Commission 2 Fitzwilliam Square South Dublin 2, Ireland 2 Contents 1. Introduction ....................................................................................................................................3 2. Legal Framework for the Inquiry and the Decision.........................................................................3 i. Legal Basis for the Inquiry...........................................................................................................3 ii. Data Controller............................................................................................................................4 iii. Legal Basis for the Decision.........................................................................................................4 3. Factual Background.........................................................................................................................4 4. Scope of the Inquiry and the Application of the GDPR...................................................................6 5. Analysis and Findings......................................................................................................................8 i. Assessing Risk..............................................................................................................................9 ii. Security Measures Implemented by the HSE............................................................................12 iii. The Appropriate Level of Security.............................................................................................15 iv. Finding.......................................................................................................................................18 6. Corrective Powers.........................................................................................................................18 A. Order to Bring Processing into Compliance..............................................................................18 B. Reprimand.................................................................................................................................19 C. Administrative Fine...................................................................................................................20 i. Decision to Impose an Administrative Fine ..........................................................................20 ii. The Same or Linked Processing Operations..........................................................................26 iii. The Permitted Range ............................................................................................................26 iv. Calculating the Administrative Fine......................................................................................28 7. Right of Appeal..............................................................................................................................29 Appendix: Schedule of Materials Considered for the Purposes of this Decision...............................30 3 1. Introduction 1.1 This document (“the Decision”) is the decision made by the Data Protection Commission (“the DPC”) in accordance with Section 111 of the Data Protection Act 2018 (“the 2018 Act”). I make this Decision having considered the information obtained in the separate own volition inquiry (“the Inquiry”) conducted by an Authorised Officer of the DPC (“the Case Officer”) pursuant to Section 110 of the 2018 Act. The Case Officer provided the Health Service Executive (“the HSE”) with the Draft Inquiry Report and the Final Inquiry Report. The scope of the Inquiry is to examine whether or not the HSE has discharged its obligations in connection with the subject matter of personal data breach BN-19-6-237 and determine whether or not any provision(s) of the Act and/or the General Data Protection Regulation (“the GDPR”) has been contravened by the HSE in that context. 1.2 The HSE was provided with the Draft Decision on this Inquiry on 23 July 2020 to provide it with a final opportunity to make submissions. The Decision is being provided to the HSE pursuant to Section 116(1)(a) of the 2018 Act in order to give the HSE notice of the Decision and the reasons for it, and the corrective powers that I have decided to exercise. This Decision contains corrective powers under Section 115 of the 2018 Act and Article 58(2) of the GDPR arising from the infringements that have been identified herein. The HSE is required to comply with these corrective powers, and it is open to this office to serve an enforcement notice on the HSE in accordance with Section 133 of the 2018 Act. 2. Legal Framework for the Inquiry and the Decision i. Legal Basis for the Inquiry 2.1 The GDPR is the legal regime covering the processing of personal data in the European Union. As a regulation, the GDPR is directly applicable in EU member states. The GDPR is given further effect in Irish law by the 2018 Act. As stated above, the Inquiry was commenced pursuant to Section 110 of the 2018 Act. By way of background in this regard, under Part 6 of the 2018 Act, the Commission has the power to commence an inquiry on several bases, including on foot of a complaint, or of its own volition. 2.2 Section 110(1) of the 2018 Act provides that the Commission may, for the purpose of Section 109(5)(e) or Section 113(2) of the 2018 Act, or of its own volition, cause such inquiry as it thinks fit to be conducted, in order to ascertain whether an infringement has occurred or is occurring of the GDPR or a provision of the 2018 Act, or regulation under the Act, that gives further effect to the GDPR. Section 110(2) of the 2018 Act provides that the Commission may, for the purposes of Section 110(1), where it considers it appropriate to do so, cause any of its powers under Chapter 4 of Part 6 of the 2018 Act (excluding Section 135 of the 2018 Act) to be exercised and / or cause an investigation under Chapter 5 of Part 6 of the 2018 Act to be carried out. 4 ii. Data Controller 2.3 In commencing the Inquiry, the Case Officer considered that the HSE may be the controller, within the meaning of Article 4(7) of the GDPR, in respect of the personal data that was the subject of Breach BN-19-6-237. In this regard, the HSE confirmed that it was the controller, both in its notification to the Commission on 14 June 2019 and in correspondence to the Commission during the course of the Inquiry1 . iii. Legal Basis for the Decision 2.4 The decision-making process for the Inquiry which applies to this case is provided for under Section 111 of the 2018 Act, and requires that the Commission must consider the information obtained during the Inquiry; to decide whether an infringement is occurring or has occurred; and if so, to decide on the corrective powers, if any, to be exercised. As the sole member of the Commission, I perform this function in my role as the decision-maker in the Commission. In so doing, I am required to carry out an independent assessment of all of the materials provided to me by the Case Officer as well as any other materials which have been furnished to me by HSE, and any other materials which I consider to be relevant, in the course of the decision-making process 2.5 The Final Inquiry Report was transmitted to me on 27 April 2020, together with the Case Officer’s file, containing copies of all correspondence exchanged between the Case Officer and the HSE; and copies of all submissions made by the HSE, including the submissions made by the HSE in respect of the Draft Inquiry Report. A full schedule of all documentation considered by me for the purpose of my preparation of this Decision is appended hereto. I issued a letter to the HSE on 23 June 2020 to notify it of the commencement of the decisionmaking process. 2.6 Having reviewed the Final Inquiry Report, and the other materials provided to me by the Case Officer (including the submissions made by the HSE), I was satisfied that the Inquiry was correctly conducted and that fair procedures were followed throughout, including, but not limited to, notifications to the controller and opportunities for the controller to comment on the Draft Inquiry Report before it was submitted to me as decision-maker. 3. Factual Background 3.1 The HSE notified the DPC of personal data breach BN-19-6-237 on 14 June 2019. This personal data breach occurred on 4 June 2019 when a student on work placement disposed of documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County. The HSE became aware of the breach on 12 June 2019 when that member of the public notified them. 1 Correspondence dated 7 February 2020. 5 3.2 The Case Officer informed the HSE of the commencement of the Inquiry by way of a Notice of Commencement of Inquiry dated 17 October 2019 (“the Notice”). The Notice set out the scope and legal basis of the Inquiry. The decision to commence the Inquiry was taken having regard to the circumstances of personal data breach BN-19-6-237. The Notice informed the HSE that the Inquiry would examine whether or not the HSE discharged its obligations in connection with the subject matter of that personal data breach and determine whether or not any provision(s) of the 2018 Act and/or the GDPR has been contravened by the HSE in that context. In this regard, the scope of the Inquiry was expressly stated to include Articles 5(1)(f) and 32(1) of the GDPR, with focus on the areas of Data Protection Governance, Training and Awareness, Records Management, and Security of Personal Data. The Notice also noted that personal data breach BN-19-6-237 was the fourth such occurrence involving inappropriate disposal of patient records in the HSE South region. It also noted that the HSE had also notified the DPC of four further personal data breaches concerning the loss of paper records. The Notice set out that the Inquiry would formally document the facts as they relate to the subject of the Inquiry. The facts, as established during the course of the Inquiry, are set out below. 3.3 The HSE acknowledged receipt of the Notice on 22 October 2019 and nominated a point of contact. The Case Officer wrote to the HSE on 6 November 2019 inviting submissions of any additional information. The HSE made comprehensive submissions on 26 November 2019, in which it also accepted that the background provided in the Notice was an accurate account. 3.4 In its submissions dated 26 November 2019, the HSE “outlined the technical and organisational measures which the HSE have in place to meet the requirements of the GDPR principles”. The submissions outlined policies, codes, and procedures that the HSE has in place in relation to data protection governance. It also referred to certain codes and guidance provided by the Nurse and Midwifery Board of Ireland. The submissions detailed the steps that the HSE has taken to provide training and awareness to staff to ensure compliance with the GDPR. The submissions also set out security measures implemented that are specific to the loss of documents in the breaches considered in the Inquiry, including the policy on the availability of confidential waste bins, and steps taken to encourage staff to handle personal data appropriately. The submissions also appended a number of documents, which are considered throughout this Decision. 3.5 Having received the HSE’s submissions, the Case Officer proceeded to prepare the Draft Inquiry Report, which set out the Case Officer’s provisional views as to the facts identified and views as to whether the HSE had complied with its obligations under the 2018 Act and the GDPR. The Case Officer furnished the HSE with the Draft Inquiry Report on 12 December 2019 and invited the HSE’s submissions on the issues contained therein. 3.6 The HSE made submissions on the Draft Inquiry Report on 16 January 2020. The HSE submitted that its National Director of Internal Audit included data protection audits within the annual HSE Internal Audit Programme in 2019, and that two such audits have taken place, in the Human Resource Investigation Unit and a large acute hospital. The submissions also detailed the HSE Internal Controls Assurance Function, which places responsibility on managers to 6 confirm that data protection policies and procedures are fully applied in their area of responsibility. The submissions also provided that the HSE uses a document management system to ensure that the most updated version of documents are available to staff. The HSE confirmed that the staff member who removed the personal data in BN-19-6-237 had signed a Practice Placement Agreement. The HSE also made submissions on the role of the Nurse and Midwifery Board of Ireland in regulating, monitoring and enforcing standards imposed on nurses, midwives, and students. The submissions also appended the HSE External Review process. 3.7 The Case Officer identified additional information that was required in light of the submissions and wrote to the HSE on 20 January 2020 requesting that information. The HSE made further submissions on 7 February 2020. Those submissions clarified matters pertaining to the HSE’s Internal Audit function, the Controls Assurance Process, and External Review Process. The HSE also emphasised the importance of collaboration with the training schools, while accepting that responsibility for providing security of personal data rests with the HSE. 3.8 On 3 March 2020, the Case Officer invited submissions from the HSE regarding the measures that were in place at the time of the personal data breach to comply with Article 32 GDPR and by reference to the principle set down in Article 5(1)(f) GDPR. In particular, this request concerned the HSE’s assessment of risk and measures for ensuring and testing the security of processing. The HSE replied on 6 April 2020 confirming that the measures outlined in previous submissions were in place at the time of the personal data breach. 3.9 On 27 April 2020, the Case Officer completed the final Inquiry Report and submitted it to me as decision-maker. I have considered the Inquiry Report and all relevant correspondence and submissions. The HSE was provided with my Draft Decision on 23 July 2020 was afforded the opportunity to make submissions on the infringements that were provisionally identified therein and the corrective powers that I proposed to exercise. On 12 August 2020, the HSE confirmed that it has commenced a process in conjunction with the National Director of Acute Operations to re-focus efforts in relation to mitigation of risks associated with the management of paper records and, in particular patient lists. The HSE stated that it would not be making any further submissions in relation to this Inquiry. I have reached final conclusions that infringements of data protection legislation have occurred and that it is necessary to exercise certain corrective powers. Those infringements and corrective powers are set out in this Decision. 4. Scope of the Inquiry and the Application of the GDPR 4.1 The scope of the Inquiry, which was set out in the Notice of the Commencement of the Inquiry, is to examine whether or not the HSE has discharged its obligations in connection with the subject matter of personal data breach BN-19-6-237 and determine whether or not any provision(s) of the Act and/or the GDPR has been contravened by the HSE in that context. In this regard, the Notice of Commencement of Inquiry specified that the Inquiry would focus on Data Protection Governance; Training and Awareness; Records Management; and Security of Personal Data. 7 4.2 Personal data breach BN-19-6-237 occurred when a student nurse took an inpatient list outside of Cork University Maternity Hospital and disposed of it in a public recycling area. A member of the public found the document and reported it to the HSE. The inpatient list contained the personal data of 78 patients, including personal data concerning health in respect of 6 data subjects. In line with the subject matter of this personal data breach, this Decision considers the HSE’s obligations under Articles 5(1)(f) and 32(1) in respect of its use and disposal of hardcopy documents containing patients’ personal data. The HSE is obliged to implement an appropriate level of security in respect of those processing operations. 4.3 The Notice of Commencement of Inquiry referred to 7 other personal data breaches notified by the HSE to the DPC. The information obtained in relation to those personal data breaches are relevant to the scope of the Inquiry insofar as they detail the level of security implemented by the HSE regarding its use and disposal of hardcopy documents. BN-19-1- 281, BN-19-3-68, BN-19-3-233, BN-19-3-381, BN-19-5-5, and BN-19-6-237 all concern instances where hardcopy documents containing personal data concerning health were found outside of the hospital by members of the public or other hospital staff. BN-19-5-323 occurred when hardcopy files containing personal data were misplaced during a department move to a new building. There was no special category data involved in this breach. BN-19- 2-219 occurred when a quantity of hardcopy documents were found on a disused hospital site. This was reported to the DPC, however it was later confirmed that the documents did not contain personal data. 4.4 Article 2(1) of the GDPR defines the Regulation’s scope as follows: “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” 4.5 The manual processing of hardcopy documents falls within the scope of the GDPR only if the personal data within those documents form part of a filing system or are intended to form part of a filing system. 4.6 Article 4(6) of the GDPR defines “filing system”: “‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;” 4.7 Recital 15 provides guidance for interpreting the material scope of the GDPR: “In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as 8 well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.” 4.8 Medical files form part of a “filing system” because they contain the personal data of patients and are accessible according to specific criteria, such as the patient’s name or other identifier. Therefore, any personal data processed by the HSE that are intended to form part of medical files fall within the scope of the GDPR, regardless of whether such personal data are actually stored in such files. This prevents controllers from attempting to circumvent the GDPR by processing personal data manually and/or outside of their usual filing systems. The hardcopy documents in BN-19-1-28, BN-19-3-68, BN-19-3-233, BN-19-3-381, BN-19-5-5 and BN-19-6-237 all contained special category personal data concerning health. Therefore, I am satisfied that some of the personal data on the handover lists and inpatient lists are also intended to be recorded separately in a filing system. Therefore, even where that personal data are recorded separate to the filing system, the GDPR is applicable on the basis that the personal data concerning health is intended to be recorded in the medical files. 4.9 BN-19-5-323 did not involve special category health data. This personal data breach occurred when files were misplaced during a department’s move to a new building. The personal data in the files included the names, surnames and dates of birth of two vulnerable data subjects. Both of the files were eventually found by the HSE, however, they were missing for 8 months and 10 months respectively. The HSE did not utilise any audit trails during the department’s move between buildings, meaning that there was no record of how the files were transferred or lost. I am satisfied that these hardcopy files contain personal data and form part of a filing system. Therefore, they fall within the scope of the GDPR. 4.10 The HSE initially assumed that the files found in BN-19-2-219 contained personal data. However, following analysis by an expert company, the HSE confirmed that the files, in fact, did not. Therefore, those hardcopy documents fall outside the scope of the GDPR and the information obtained in BN-19-2-219 is not relevant for the purposes of this Decision. As outlined above, the processing of personal data in the remaining 7 personal data breaches falls within the scope of the GDPR and the information obtained in relation to those breaches are relevant to this Decision. 5. Analysis and Findings 5.1 Having reviewed the Inquiry Report and the other materials provided to me, I consider that the issue in respect of which I must make a decision is whether the HSE has complied with its obligations under Articles 5(1)(f) and 32(1) of the GDPR in connection with its use and disposal of hardcopy documents containing patients’ personal data. I must determine whetherthe HSE implemented appropriate technical and organisational measures in respect of those processing operations. 5.2 Article 5(1)(f) of the GDPR provides for the principle of integrity and confidentiality. It requires that personal data shall be: 9 “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” 5.3 Article 32(1) of the GDPR elaborates on the principle in Article 5(1)(f) by setting out criteria for assessing what constitutes “appropriate security” and “appropriate technical or organisational measures”: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” 5.4 Articles 5(1)(f) and 32(1) of the GDPR oblige controllers and processors to implement a level of security appropriate to the risks presented by its processing of personal data. The processing operations within the scope of this Decision concern the HSE’s use and disposal of hardcopy documents containing patients’ details. In considering the technical and organisational measures that the HSE was obliged to implement, regard must be had to the risk presented to the rights and freedoms of natural persons by those processing operations. Therefore, the first step is to assess this risk. The HSE did not document any such risk assessment before the personal data breaches occurred. i. Assessing Risk 5.5 The HSE’s use and disposal of hardcopy documents containing patients’ personal data creates the risk of an unauthorised disclosure of personal data to third parties where the documents are not stored or disposed of securely. The technical and organisational measures that the HSE is obliged to implement must be appropriate to this risk. 5.6 Recital 76 of the GDPR provides guidance as to how risk should be evaluated: 10 “The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.” 5.7 Digital Rights Ireland v Minister for Communications, Marine and Natural Resources and others2 provides further guidance on this risk assessment. In this case, the CJEU declared the Data Retention Directive3 invalid. The Directive required electronic communication service providers to retain certain data for a period of time. The Court held that the directive did not ensure effective protection of the data retained against the risk of abuse and unlawful access in circumstances where it did not lay down specific rules in relation to (i) the vast quantity of data retained, (ii) the sensitive nature of the data, and (iii) the risk of unlawful access. 5.8 Risk is assessed objectively by reference to (i) the likelihood of the risk to the rights and freedoms of natural persons, and (ii) the severity of that risk. Hence, the risk assessment must consider, first, the likelihood of unauthorised disclosure of, or access to, hardcopy documents containing patients’ personal data, and, second, the severity of that risk in respect of the rights and freedoms of the data subjects. These objective assessments are made by reference to the nature, scope, context and purposes of the processing. In considering these factors, regard must also be had to the quantity of personal data processed and the sensitivity of that data. 5.9 The quantity of patients’ personal data processed by the HSE in hardcopy documents is at the higher end of the scale. The quantity of personal data on a given document varies according to the circumstances. For example, the personal data in BN-19-5-323 concerned the names and dates of birth of 2 data subjects. However, the personal data in BN-19-6-237 concerned the personal data of 78 data subjects, including data concerning health regarding 6 of those data subjects. The HSE’s investigation into this personal data breach found that the personal data on the list included patient name, consultant name, patient current medical situation, previous background history, and a list of upcoming plans for assessments and treatment. Further, there is a significant possibility of one of the 78 data subjects being identifiable to the member of the public who found the list in light of the number of data subjects and that the list was found in the same county as the hospital. The quantity of documents generated by the HSE containing personal data is high. In addition to the patient files in BN 19-9-1, the personal data breaches concerned handover lists and impatient lists. The HSE’s investigation into BN-19-6-237 details how it generates the lists to identify patients who come under staff care at each shift change and how the lists are necessary for continuing patient care and 2 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, Commissioner of the Garda Síochána, Ireland, The Attorney General, intervener: Irish Human Rights Commission, and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others, judgment of 8 April 2014 (ECLI:EU:C:2014:238). 3 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC 11 treatment. These lists can contain a large quantity of sensitive personal data4 . The speed at which the HSE generates and disposes of the lists creates a higher risk of unauthorised disclosure and access. 5.10 The sensitivity of the personal data processed by the HSE in hardcopy form is also at the higher end of the scale. 6 out of the 7 personal data breaches relevant to this Decision involved special category personal data. Data concerning health5 is special category personal data pursuant to Article 9 of the GDPR. This personal data, by its very nature, is particularly sensitive with regard to the fundamental rights and freedoms of data subjects. 5.11 It is necessary to turn now to the nature, scope, context and purposes of the processing. The nature of the HSE’s use and disposal of hardcopy documents containing patients’ personal data is highly sensitive in circumstances where it includes data concerning health. The HSE has statutory responsibility for the management and delivery of health and personal social services to the population of Ireland and describes itself as the largest employer in the State6 . It is clear that the HSE has a significant body of staff who are required to handle hardcopy documentation containing sensitive personal data, including students on work placement7 . 5.12 The scope of the HSE’s processing is broad. Handover lists and impatient lists may contain contemporaneous accounts of the medical care provided to a large number of patients. The scope of processing in patient files may include patients’ comprehensive medical histories. 5.13 The context of the HSE’s processing is inherently transient in some instances. The HSE creates handover lists and inpatient lists daily for the purpose of shift changes. This means that the lists may remain relevant for a short time-period before becoming superseded. This creates a higher risk that staff may fail to store or dispose of the lists securely in the absence of appropriate measures. It also increases the likelihood of staff accidentally taking the lists outside the hospital at shift changes. This contrasts with the context in which personal data in patient files are processed. Patient files are more permanent, which may result in a lower risk of them being taken outside the hospital or disposed of without an appropriate level of security. 5.14 The purposes of the HSE’s use and disposal of hardcopy documents containing patients’ personal data relates to the HSE’s functions of managing and delivering health and personal social services. Such purposes may justify significant processing operations concerning sensitive personal data. These purposes may also require the sharing of personal data among a large team of staff in the HSE in order to deliver medical care. This heightens the risk to the rights and freedoms of data subjects. 4 For example, the list in BN-19-3-68 contained clinical information concerning 14 data subjects, the list in BN19-6-237 contained clinical information concerning 6 of the 78 data subjects affected, and the list in BN-19-3- 381 contained clinical information concerning 55 data subjects. 5 Article 4(15) of the GDPR provides: data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. 6Appendix 9 to HSE’s submissions on 26th November 2019. 7 See BN-19-6-237. 12 5.15 I find that there is a high risk, both in likelihood and severity, to the rights and freedoms of natural persons, from the HSE’s use and disposal of hardcopy documents containing patients’ personal data. In particular, the risk relates to the potential for an unauthorised disclosure of patient personal data where hardcopy documents are not stored or disposed of securely. The number of staff, the quantity of documentation that they are required to handle, and the transient nature of some of that documentation creates a high risk that the documents may not be stored or disposed of securely. A risk of unauthorised disclosure naturally follows from this risk. The high severity of the risk to the rights and freedoms of natural persons occurs due to the sensitive nature of the processing that the HSE undertakes and the purposes for which it is undertaken. The provision of health and personal social services is intrinsically linked to the rights and freedoms of patients, and unauthorised disclosures of health data has significant capacity to infringe those rights and freedoms. ii. Security Measures Implemented by the HSE 5.16 The HSE’s submissions outline the technical and organisational measures that it had in place at the time of personal data breach BN-19-6-237. The measures relevant to the HSE’s use and disposal of hardcopy documents containing patients’ personal data can be categorised as: a) Policies and Procedures, b) Training and Awareness, and c) Testing, Assessing and Evaluating the Effectiveness of its Measures. (a) Policies and Procedures 5.17 The HSE’s Data Protection Policy, Version 1.0, dated 25 May 2018, was in place at the time of the notified personal data breaches. The Policy applies to all HSE staff, students, interns and work experience candidates, amongst others. Section 6.8 provides: “All persons covered under this policy are prohibited from disclosing a data subject’s confidential information (including personal data or special categories of personal data), unless this policy or a legal basis allows for such disclosures.” 5.18 The HSE Waste Management Awareness Handbook, Rev A, dated 2014, sets out polices for various types of waste. It requires that confidential paper files and documents are shredded before recycling8 . Furthermore, the HSE submitted that it has increased the number of confidential waste bins available at strategic locations. However, the Waste Management Awareness Handbook, and the other documents submitted, do not set out any procedure for how confidential shredding is to be implemented by the HSE in its hospitals. There is no process that determines how confidential waste is to be stored pending its disposal, responsibility for ensuring secure disposal, or how waste paper consoles are installed and maintained. Furthermore, the HSE does not have any standard operating procedure that 8 At page 17. 13 determines how the particularly high-risk handover lists and inpatient lists must be created, used, and disposed of. 5.19 Cork University Hospital’s booklet titled “Clincal Placement Information for BSc (Hons) Nursing Students” provides guidance to students regarding clinical placements. This includes guidance regarding confidentiality at section 7.1: “Confidentiality: Information regarding a patient’s history, treatment and state of health is privileged and confidential information (Code of Professional Conduct and Ethics for Registered Nurses and Midwives, NMBI 2014. All enquiries regarding patients/clients must be referred to qualified staff. Patient/clients details must not be discussed outside the ward environment. Please discard carefully all hand written notes pertaining to patients at the end of your shift in the confidentiality bin.” 5.20 Cork University Hospital’s Hospital booklet titled “Hospital Orientation Information for BSc Undergraduate Nursing Students”, dated November 2019, repeats that patient information must be kept confidential and that confidential reports should be discarded in the confidentiality bins provided9 . 5.21 The HSE also made submissions on codes and manuals implemented by the Nursing and Midwifery Board of Ireland (the “NMBI”). The NMBI is a statutory body that regulates the nursing and midwifery professions in Ireland and registration with the NMBI is a pre-requisite to employment with the HSE as a nurse or midwife. NMBI Codes and manuals are not measures implemented by the HSE and the HSE, as data controller, is ultimately responsible for ensuring an appropriate level of security. However, in assessing the appropriate level of security, it is appropriate to have regard to the context in which the processing occurs. Therefore, I consider that binding professional standards imposed on members of regulated professions may be relevant to a controller’s assessment of the technical and organisational measures that it is obliged to implement. Without prejudice to the obligation on the HSE, as controller, to implement an appropriate level of security, in assessing the appropriate technical and organisational measures that must be implemented, I accept that I must have regard to collaboration between the HSE, training schools, and the regulated professions. However, as acknowledged by the HSE in its submissions dated 7 February 2020, while this context is relevant to assessing the measures that are appropriate to the risk, the HSE, as data controller, is responsible for ensuring that appropriate security measures are implemented. 5.22 The HSE submitted the NMBI’s “Code of Professional Conduct and Ethics for Registered Nurses and Registered Midwives”, dated December 2014. The code details the principle of trust and confidentiality and provides that “Patients have a right to expect that their personal information remains private”10. The HSE also submitted the NMBI’s professional guidance “Recording Clinical Practice”, dated November 2015. This document sets out records management practices for nurses and midwives and provides that “Confidentiality concerning 9 At page 9. 10 At page 23. 14 the patient record is an expression of the trust inherent in the therapeutic relationship with a patient”11 . 5.23 The HSE also submitted its Information Technology Security Policy12 and Access Control Policy13 . These policies concern information technology security and resources. These policies are not applicable to the risk presented by the HSE’s use and disposal of hardcopy documents containing patients’ personal data. Therefore, the content of those policies fall outside the scope of this Decision. (b) Training and Awareness 5.24 The HSE implemented an online “Fundamentals of GDPR” training programme. The programme provides a comprehensive introduction to the GDPR and was made available to all staff. As of 26th November 2019, 40,000 staff had completed the programme. The HSE also provided customised GDPR Awareness sessions to hospitals and community services. The HSE promotes GDPR training with its staff using national broadcast emails and on the HSE intranet. It facilitated a number of “town hall” style GDPR awareness sessions in hospitals to improve data privacy vigilance. 5.25 The HSE implemented a template Practice Placement Agreement between the HSE, University College Cork, and students on the BSc Nursing Programme. Nursing students agree to act according to NMBI’s Code of Professional Conduct and Ethics for Registered Nurses and Midwives. In this agreement, students also undertake to familiarise themselves and comply with the HSE’s policies. Clause 10 of the agreement provides: “I understand and accept to be bound by the principle of confidentiality of individuals’ records and data. I will therefore take all necessary precautions to ensure that any personal data concerning individuals, which I have learned by virtue of my position as a nursing student, will be kept confidential. I confirm that I will not discuss individuals with any other party outside the clinical setting, except anonymously. When recording data or discussing care outside the clinical setting, I will ensure that individuals cannot be identified by others. I will respect all Health Service Providers’ and individuals’ records.” 5.26 The HSE implemented a management system for its policies, procedures, protocols and guidelines. This system makes the most up to date versions of data protection related policies available to staff. The Department of Nurse Practice and Development in Cork University Hospital require nursing staff to maintain a Practice Development Record, which includes the review of data protection policies and procedures. 11 At page 5. 12 HSE Information Technology (I.T.) Security Policy, Version 3.0, dated February 2013. 13 HSE Access Control Policy, Version 3.0, dated February 2013. 15 5.27 The HSE has strategically placed confidential waste bins to make it easier for employees to dispose of documents securely. It also placed posters in staff areas and exits to encourage staff to dispose of personal data before leaving their department at the end of each shift. (c) Testing, Assessing and Evaluating the Effectiveness of its Measures 5.28 The HSE Internal Audit Programme commenced in 2019 and data protection audits have taken place in the Human Resource Investigation Unit and Connolly Hospital, Blanchardstown. The audit findings are not available because the audits have not been finalised. 5.29 The HSE seeks assurance from its managers regarding compliance with its Data Protection Policy through annual Controls Assurance Statements. These statements ask managers to confirm as follows: “I am aware of the data protection requirements that affect my area of responsibility and in compliance with the revised HSE Data Protection Policy and revised Subject Access Request Procedure and Data Breach Reporting Procedures following the introduction of the Data Protection 2018 (GDPR).” iii. The Appropriate Level of Security 5.30 Having regard to the high risk to the rights and freedoms of data subjects, in terms of both likelihood and severity, presented by the HSE’s use and disposal of hardcopy documents containing patients’ personal data, an appropriate level of security must include a standard operating procedure setting out how secure shredding is to be implemented. I note the HSE’s policy that confidential paper files and documents must be shredded before being disposed of. However, in light of the quantity of sensitive hardcopy documents that the HSE handles, a standard operating procedure for putting this policy into action is appropriate to the risk. This procedure should set out accountability for ensuring secure disposal of confidential waste, how confidential waste is to be stored pending its disposal, and how waste paper consoles are located and maintained. 5.31 Having regard to the particularly high risk presented by the HSE’s use and disposal of handover lists and inpatient lists, I find that an appropriate level of security must also include a standard operating procedure that sets out responsibility for the secure creation, use and disposal of those lists. The HSE cited various policies during the Inquiry concerning the confidentiality of patients’ health data. For example, the Data Protection Policy prohibits the disclosure of personal data without a legal basis. However, there remains a significant risk that staff may inadvertently disclose or lose handover lists and inpatient lists. General prohibitions on unlawful disclosures are not sufficient to protect against this risk. A specific process that incorporates data secure practices is appropriate in light of the sensitivity of personal data contained on the lists and the speed at which the HSE generates and disposes of the lists. This procedure, once implemented, must be communicated to all relevant staff. 16 5.32 The HSE must determine the provisions of the standard operating procedures based on its own risk assessment and in light of its own functions. I note that the HSE is currently considering an IT solution or another solution for identifying staff responsibility in respect of printed lists14 and that it has commenced a process to further mitigate the risks associated with the management of paper records and, in particular patient lists15 . Another measure that may be considered is a sign-off sheet where staff confirm that they have safely disposed of lists16. Whether these measures are adopted, and the precise content of the procedures, must be determined by the HSE in light of a broader assessment of its functions and the risk. However, the handover and inpatient lists procedure must provide clear instructions to staff as to how the lists can be shared, when and how they must be disposed of, and responsibility for ensuring they are disposed of securely. The HSE’s investigation into personal data breach BN-19-6-237 found that the list was “inadvertently disposed of”. Therefore, in addition to the requirement that confidential documents must be shredded, the risk could be mitigated by a rule that prohibits the removal of handover lists and inpatient lists from the hospital premises and that mandates that secure shredding must occur on site. The procedure should also set out the managerial responsibility for bringing the procedure to the attention of staff members. I have had regard to the state of the art and the cost of implementing standard operating procedures for handover inpatient lists, and for secure shredding. I am satisfied that implementing the procedures would not impose a cost that is disproportionate to the risk. Therefore, the failure to implement procedures infringes Article 5(1)(f) and 32(1) of the GDPR in the circumstances. 5.33 Creating policies and processes is essential to implementing an appropriate level of security. However, where staff handle sensitive personal data, the provision of appropriate staff training and awareness is also essential. An appropriate level of security includes organisational measures to ensure that staff members give effect to the HSE’s policies and processes. I find that the organisational measures implemented by the HSE regarding staff training and awareness were not appropriate to the risk. The HSE provided online “Fundamentals of GDPR” training, supplemented by broadcast emails and “town hall” style sessions. The amount and nature of the training provided was not appropriate to the HSE’s high risk processing. The Inquiry found no evidence of measures in place to ensure completion of the “Fundamentals of GDPR”. As of 26th November 2019, over 18 months after the GDPR came into force, a majority of the national HSE workforce had not completed the training17 . The Inquiry found no evidence of regular refresher training for staff. Regular refresher training is appropriate in light of the high risk presented by the processing, in particular the frequency with which staff are required to handle highly sensitive personal data in hardcopy form. Furthermore, the Inquiry found no evidence of data protection training provided to students. The HSE’s duty regarding training and awareness is not limited to permanent staff, and extends to all persons at the place of work. In light of the sensitivity of the personal data handled by students, I find that an appropriate level of security must include training on data 14 HSE Investigation Report on BN-19-3-68 at page 3. 15 HSE email to the DPC dated 12 August 2020. 16This recommendation was made by the Special Investigations Unit of the DPC in its report, “Data Protection Investigation in the Hospital Sector”, dated May 2018. 17 As noted in the Inquiry Report, 40,000 staff represents 39% of the national HSE workforce. 17 protection to those students. The undertaking in the Practice Placement Agreement, requiring nursing students to familiarise themselves and comply with the HSE’s policies, is not sufficient to address the risk and this must be supplemented by training. 5.34 I have had regard to the cost of implementing measures to ensure the completion of existing HSE training, regular refresher training, and training to students. I find that such measures would not impose a cost that is disproportionate to the risk presented by the HSE’s processing. Therefore, the HSE’s failure to implement these measures infringes Articles 5(1)(f) and 32(1) of the GDPR. 5.35 Article 32(1)(d) specifies that appropriate technical and organisational measures may include processes for testing, assessing and evaluating the effectiveness of existing measures. Such testing, assessing and evaluating applies to both technical and organisational measures. Personal data breaches may cause significant harm to data subjects and, pursuant to Article 32(1)(d), controllers must take the initiative to test, assess, and evaluate their security measures. As outlined above, the HSE included two data protection audits in its Internal Audit Programme in 2019. The HSE also requires managers to confirm compliance with data protection requirements in their areas of responsibility. 5.36 I find that the HSE failed to implement an adequate process for regularly testing, assessing and evaluating those measures. The HSE has identified staff failure to apply existing policies as a cause of a number of the personal data breaches18. However, the Inquiry found no evidence of any processes in place to test staff awareness of, and compliance with, the HSE policies. Such testing could have identified ineffectiveness in the HSE’s policies and training before the breaches occurred. This could have resulted in amendments to existing policies, the adoption of new policies, and additional training for staff. Appropriate testing could have taken the form of generalised surveys or more formal testing. I find that a process for regularly testing staff awareness of, and compliance with, HSE policies would not impose a cost that is disproportionate to the risk. Therefore, I find that the HSE’s failure to implement such measures infringes Articles 5(1)(f) and 32(1) of the GDPR in the circumstances. 5.37 Department moves present a risk to the security of personal data where hardcopy documents are moved from one building to another. In BN-19-5-323 the HSE lost 2 files for 8 months and 10 months respectively during a department move. The HSE did not document the location of the files during the move, nor did it document accountability for the files. The files in question were moved to a certain location, but could not be found due to the lack of such records. I find that an appropriate level of security during such office moves requires the implementation of measures for recording the location of, and accountability for, files containing personal data. The HSE’s failure to record the location of the files during the move, in the circumstances, constitutes and infringement of Articles 5(1)(f) and 32(1) of the GDPR. 18 For example, HSE Investigation Report BN-19-6-237 concludes that “there is a breach of HSE Waste Management Policy and HSE Data Protection Policy”. Breach notifications BN-19-5-5 and BN-19-6-237 identify the causes of those personal data breaches as “non-compliance with organisation records management policy” and “employee error or omission” respectively. 18 iv. Finding 5.38 I find that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data. The measures that ought to have been implemented include: a standard operating procedure setting out how secure shredding is to be implemented in hospitals; a standard operating procedure that sets out responsibility for the secure creation, use and disposal of handover lists and inpatient lists; the implementation of measures to ensure completion of existing HSE data protection training, regular refresher data protection training, and data protection training to students; a process for regularly testing, assessing and evaluating the effectiveness of its existing security measures; and the implementation of measures for recording the location of, and accountability for, hardcopy documents containing personal data throughout future office moves. 6. Corrective Powers 6.1 I have set out above, pursuant to Section 111(1)(a) of the 2018 Act, my decision to the effect that the HSE has infringed Articles 5(1)(f) and 32(1) of the GDPR. Under Section 111(2) of the 2018 Act, where the Commission makes a decision (in accordance with Section 111(1)(a)), it must, in addition, make a decision as to whether a corrective power should be exercised in respect of the controller or processor concerned and, if so, the corrective power to be exercised. Having carefully considered the infringements, identified in this Decision, I have decided to exercise corrective powers in accordance with Section 115 of the 2018 Act and Article 58(2) of the GDPR. I set out below the corrective powers that are appropriate to address the infringements and are effective, proportionate and dissuasive in the particular circumstances, and the reasons for that decision, having considered all of the corrective powers set out in Article 58(2): (i) Article 58(2)(d) – I have decided to order the HSE to bring its processing into compliance with Articles 5(1)(f) and 32(1) of the GDPR, (ii) Article 58(2)(b) – I have decided to issue a reprimand to the HSE in respect of its infringements of Articles 5(1)(f) and 32(1) of the GPPR, and (iii) Article 58(2)(i) – I have decided to impose an administrative fine, pursuant to Article 83, in respect of the HSE’s infringements of Articles 5(1)(f) and 32(1) of the GDPR. A. Order to Bring Processing into Compliance 6.2 In accordance with Article 58(2)(d) of the GDPR, I have decided to order the HSE to bring its processing operations regarding the use and disposal of hardcopy documents containing patients’ personal data into compliance with Articles 5(1)(f) and 32(1) of the GDPR. This order requires the HSE to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. 6.3 My decision to impose this order is made to ensure that full effect is given to the HSE’s obligation to implement appropriate technical and organisational measures. In deciding that an order is appropriate to achieve this end, I have had particular regard to the high quantity 19 of highly sensitive personal data processed by the HSE. The HSE must perform the necessary risk assessment to inform the measures that it must implement. However, as outlined above, those measures must include: a) A standard operating procedure setting out how secure shredding is to be implemented in hospitals; b) A standard operating procedure that sets out responsibility for the secure creation, use and disposal of handover lists and inpatient lists; c) The implementation of measures to ensure completion of existing HSE data protection training, regular refresher data protection training, and data protection training to students; d) A process for regularly testing, assessing and evaluating the effectiveness of its existing security measures; and e) The implementation of measures for recording the location of, and accountability for, hardcopy documents containing personal data throughout future office moves. 6.4 I direct the HSE to submit a report to the DPC outlining the steps it has taken in respect of each of these measures on or before 18 December 2020. . It must be noted that implementing these measures does not relieve the HSE of its obligation to continually evaluate the effectiveness of its measures and the measures that are necessary to ensure a level of security that is appropriate to the dynamic risk presented by use and disposal of hardcopy documents containing patients’ personal data. B. Reprimand 6.5 I issue the HSE with a reprimand in respect of its infringements of Article 5(1)(f) and 32(1) of the GDPR. Article 58(2)(b) provides that a supervisory authority shall have the power to “issue reprimands to a controller or processor where processing operations have infringed provisions of this Regulation.” In imposing a corrective power, and in accordance with Recital 129, I must ensure that it is “…necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case…”. 6.6 Recital 148 is provides: “In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.” 6.7 Accordingly, it is clear from the GDPR that a reprimand does not have to be issued in isolation to the exercise of any other corrective power. In this respect, I consider it necessary and proportionate to impose a reprimand in addition to the order in Part 6(A) of this Decision and the administrative fine detailed below. The decision to impose a reprimand is based on the nature of the infringements of Articles 5(1)(f) and 32(1). The objective of these Articles is to ensure that controllers and processors implement a level of security that is appropriate to the risk presented by their processing operations. The HSE’s infringements of these Articles is particularly serious in light of the sensitivity of personal data that it processes. I consider that the imposition of a reprimand is both necessary and proportionate in light of the 20 importance of ensuring compliance with Articles 5(1)(f) and 32(1) in the context of protecting the fundamental rights and freedoms of data subjects. I consider that it is necessary and proportionate to recognise the seriousness of non-compliance of this nature with a reprimand in light of that objective of ensuring compliance with Articles 5(1)(f) and 32(1). C. Administrative Fine 6.8 In addition to the corrective powers under Article 58(2)(b) & (d), I have also decided to impose an administrative fine on the HSE for its infringements of Articles 5(1)(f) and 32(1) of the GDPR. i. Decision to Impose an Administrative Fine 6.9 In order to determine whether an administrative fine should be imposed under Article 58(2)(i) GPDR, and to decide on the value of the fine(s) if applicable, I must give due regard to the criteria set out in Article 83(2) GDPR: “Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measuresreferred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; 21 (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.” 6.10 I will now proceed to consider each of these criteria in turn in respect of the HSE’s infringements of Articles 5(1)(f) and 32(1) of the GDPR: a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; 6.11 The nature of the HSE’s infringements of Articles 5(1)(f) and 32(1) comprise a failure to comply with its obligation to implement an appropriate level of security in respect of its processing operations concerning the use and disposal of hardcopy documents containing patients’ personal data. The objective of Articles 5(1)(f) and 32(1) is to protect the rights and freedoms of natural persons by ensuring that their personal data are processed in a manner that ensures appropriate security. A failure to implement an appropriate level of security increases the risk of personal data breaches. This, in turn, poses a threat to the rights and freedoms of data subjects because of the potential for damage to data subjects where personal data breaches occur. Therefore, compliance with Articles 5(1)(f) and 32(1) is central to the protection of the rights and freedoms of natural persons pursuant to the GDPR. As such, non-compliance with this obligation has serious consequences in that it has the potential to result in damage to data subjects. 6.12 The gravity of the infringements of Articles 5(1)(f) and 32(1) isserious in circumstances where the infringements resulted in 7 personal data breaches. A significant number of data subjects were affected, with BN-19-3-381 and BN-19-6-237 affecting 55 and 78 data subjects respectively19 . Assessed objectively, I consider that the level of damage suffered by the data subjects had the potential to be high when considered in light of the scope and purpose of the HSE’s processing. As outlined above, the scope of the processing of personal data in the personal data breaches is broad and includes special category data concerning health in 6 of the breaches. The purposes of the processing relates to the HSE’s functions of managing and delivering health and personal social services. In this context, personal data breaches have the inherent capacity to cause damage to data subjects. In this regard, 5 of the personal data breaches occurred when documents were found by members of the public20. The inadvertent disclosure of personal data to members of the public entails a serious infringement on the rights and freedoms of the data subjects. Furthermore, BN-19-5-5 resulted in a non-redacted photograph of the personal data, including special category personal data, being published in a national daily newspaper. In light of the personal data breaches that flowed from the HSE’s infringements of Articles 5(1)(f) and 32(1), I assess those infringements to be on the high end of the scale of gravity. 6.13 Regarding the duration of the infringements of Articles 5(1)(f) and 32(1), it is significant that the breaches occurred between 15th January 2019 and 4th June 2019. It is also clear that the 19 The Breach Notification originally assessed this figure at 71, however the subsequent HSE investigation reassessed the figure to 55. 20 BN-19-1-281, BN-19-3-68, BN-19-3-381, BN-19-5-5, and BN-19-6-237. 22 infringements of Articles 5(1)(f) and 32(1) commenced at the enactment of the GDPR in May 2018. This Decision considers the security measures that the HSE implemented at the time of the personal data breaches and it does not make findings in relation to the level of security that it currently implements. Therefore, the duration of the infringements, for the purposes of this Decision, must be assessed as commencing at 25th May 2018 and ending on the date of the latest personal data breach on 4th June 2019. Therefore, the duration is just over 1 year in length. b) the intentional or negligent character of the infringement; 6.14 The Article 29 Working Party Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 provide that: “In general, “intent” includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas “unintentional” means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law.”21 6.15 I do not consider that there was “intent” on the part of the HSE in respect of its infringements of Articles 5(1)(f) and 32(1) in the sense that there was “knowledge” or “wilfulness’” on the their part in respect of their failure to implement an appropriate level of security. In this regard, I have had regard to the measures that were implemented by the HSE, including its strategic placement of confidential waste bins and posters. However, I am satisfied that the HSE was negligent and breached the duty of care required of it by omitting to carry out a risk assessment to assess the risks of varying likelihood and severity associated with processing of personal data in hardcopy form and in failing to implement a level of security appropriate to those risks. In the circumstances, I consider that there was a negligent character to the HSE’s infringements of Articles 5(1)(f) and 32(1). c) Any action taken by the controller or processor to mitigate the damage suffered by data subjects; 6.16 The infringements of Articles 5(1)(f) and 32(1) resulted in 7 personal data breaches. The personal data was retrieved in each instance. In most instances, members of the public found the personal data and handed it in to the HSE. This cannot be considered mitigating. However, in BN-19-3-233, a HSE staff member retrieved the documents soon after another staff member had lost them. This significantly reduced the potential for unauthorised access to that personal data and is mitigating in the HSE’s favour. In BN-19-6-237, the HSE conducted a full search of the area in which the documents were found by a member of the public to ensure all of the personal data was retrieved. The HSE also sought confirmation from the individual who found the documents that the contents were not copied or disclosed to third parties. 6.17 The HSE took steps to reduce the likelihood of similar personal data breaches occurring again. The HSE circulated reminders to staff to create awareness of keeping personal data secure and installed additional posters and secure waste bins. It also carried out investigations in relation to BN-19-3-381, BN-19-3-68, and BN-19-6-237. The investigations made findings in 21 Article 29 Data Protection Working Party ‘Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, at page 11. 23 relation to the causes of the breaches and made recommendations to mitigate the risk going forward. 6.18 The HSE also contacted some of the data subjects pursuant to its obligation under Article 34 of the GDPR. Action, taken by a controller where it is mandated to do so on foot of an obligation under the GDPR cannot be viewed as a mitigating factor. Therefore, I do not consider these notifications mitigating in the circumstances. d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; 6.19 As outlined above, the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures regarding its use and disposal of hardcopy documents containing patients’ personal data. I consider that the HSE holds a high degree of responsibility for this failure and that the absence of such measures must be deterred. However, in circumstances where this factor forms the basis for the finding of the infringements of Articles 5(1)(f) and 32(1) against the HSE, this factor cannot be considered aggravating in respect of those infringements. e) any relevant previous infringements by the controller or processor; 6.20 There are no relevant previous infringements by the HSE. f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; 6.21 The HSE cooperated fully with the DPC to remedy the infringements and to mitigate their adverse effects. In its breach notifications and breach investigations, it illustrated the steps that it had taken and was in the course of taking to remedy the infringements and the possible adverse effects. These steps included, amongst others, notifying the data subjects, circulating emails to staff advising them of accountability regarding the disposal of confidential waste, the provision of signage and posters, and its consideration of IT solutions to mitigate the risk. After receipt of the Draft Decision, the HSE confirmed that it has commenced a process to refocus efforts in relation to mitigation of risks associated with the management of paper records and, in particular patient lists. g) the categories of personal data affected by the infringement; 6.22 The categories of personal data affected by the infringements are highly sensitive. The HSE’s use and disposal of hardcopy documents containing patients’ personal data is likely to include special category data in most instances, which is reflected in how 6 of the 7 personal data breaches included data concerning health. This is in line the nature of the HSE’s functions and how the processing of personal data concerning health is intrinsic to those functions. This aggravates the HSE’s failure to implement an appropriate level of security. Unauthorised disclosures of personal data concerning health is high risk and can cause immediate damage and distress to data subjects. 24 h) The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; 6.23 The Inquiry was conducted to examine whether or not the HSE has discharged its obligations in connection with the subject matter of personal data breach BN-19-6-237. The Notice of the Commencement of the Inquiry also referred to 7 other personal data breaches notified to the DPC. Hence, the HSE’s notification of the personal data breaches contributed to the infringements becoming known to the DPC. I am satisfied that the HSE fully complied with its obligation, under Article 33 of the GDPR, to notify the DPC without undue delay after becoming aware of those personal data breaches, in respect of all 7 personal data breach notifications. 6.24 The Administrative Fines Guidelines consider the relevance of such notifications regarding administrative fines: “The controller has an obligation according to the Regulation to notify the supervisory authority about personal data breaches. Where the controller merely fulfils this obligation, compliance with the obligation cannot be interpreted as an attenuating/ mitigating factor.”22 6.25 The HSE’s compliance with its own obligation to notify personal data breaches under Article 33(1) cannot be considered mitigating in respect of the infringements of Articles 5(1)(f) and 32(1). i) Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; 6.26 Corrective powers have not previously been ordered against the HSE with regard to the subject-matter of this Decision j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; 6.27 Not applicable. k) Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. 6.28 I consider that the matters considered under Article 83(2)(a) – (j) reflect an exhaustive account of both the aggravating and mitigating factors applicable in the circumstances of the case. Given the specific circumstances of the case at hand, and having particular regard to the matters discussed under Article 83(2)(a) – (j) cumulatively, I consider it appropriate to 22 Article 29 Data Protection Working Party ‘Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, at page 15. 25 impose an administrative fine in addition to the order and reprimand imposed at parts 6(A) & (B) of this Decision. 6.29 When imposing corrective measure(s), I am obliged to select the measure(s) that are effective, proportionate and dissuasive in response to the particular infringements. The assessment of what is effective, proportionate and dissuasive must be made in the context of the objective pursued by the corrective measures. Administrative Fines Guidelines provide that: “The assessment of what is effective, proportional and dissuasive in each case will have to also reflect the objective pursued by the corrective measure chosen, that is either to reestablish compliance with the rules, or to punish unlawful behavior (or both).”23 6.30 I find that an administrative fine is necessary in order to effectively pursue the objective of re-establishing compliance with the Articles 5(1)(f) and 32(1) of the GDPR and in providing an effective, proportionate and dissuasive response in the particular circumstances of this case. In order to re-establish compliance with Articles 5(1)(f) and 32(1), it is necessary to dissuade non-compliance. 6.31 In reaching the Decision to impose an administrative fine, I have had regard to all of the corrective powers available to me as set out in Article 58(2) of the GDPR. In particular, I have had regard to the order and reprimand made in parts 6(A) and (B) of this Decision. The order has significant value in re-establishing compliance because it obliges the HSE to take certain specified steps in implementing technical and organisational measures. The reprimand, on the other hand, is of significant value in dissuading future non-compliance. This formal recognition of the seriousness of the HSE’s infringements is likely contribute to ensuring an appropriate level of security going forward. 6.32 However, having regard to the nature of the infringements of Articles 5(1)(f) and 32(1), I find that those corrective powers alone are not effective and proportionate in re-establishing compliance and in dissuading future non-compliance. Articles 5(1)(f) and 32(1) place a continuous obligation on controllers and processors to regularly test, assess and evaluate the effectiveness of the technical and organisational measures that it has implemented. Furthermore, the appropriate level of security must be continually re-assessed in light of the dynamic risk presented by the HSE’s processing and the state of the art. Therefore, compliance with the order in Part 6(A) of this Decision alone cannot ensure perpetual compliance with Articles 5(1)(f)and 32(1) going forward, as the risk changes and as new measures emerge in respect of these processing operations. Furthermore, I do not consider that the reprimand alone is an effective and proportionate response to the infringements in light of the need to re-establish compliance and to dissuade non-compliance. In coming to the conclusion that an administrative fine is necessary, I have particular regard to the highly sensitive categories of personal data processed by the HSE in hardcopy form (as assessed in accordance with Article 83(2)(g) above) and the nature of the infringements. Those infringements pose a threat to the rights and freedoms of data subjects because of the potential for damage to data subjects where personal data breaches occur (as assessed in accordance with Article 83(2)(a) above). I consider that an administrative fine is necessary in light of the potential for damage to data subjects by such non-compliance. This is because an 23 Article 29 Data Protection Working Party ‘Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, at page 11. 26 administrative fine is necessary to effectively protect those rights by re-establishing compliance and to deterring future non-compliance. 6.33 Having decided that the infringements identified warrant the imposition of an administrative fine in the circumstances of this case, I must next proceed to decide on the amount of the administrative fine. ii. The Same or Linked Processing Operations 6.34 Article 83(3) of the GDPR provides: “If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.” 6.35 The findings of infringements of Articles 5(1)(f) and 32(1) relate to the same processing operations regarding the HSE’s use and disposal of hardcopy documents containing patients’ personal data. Article 32(1) elaborates on the requirement for appropriate security in Article 5(1)(f). In the circumstances, the infringements of Articles 5(1)(f) and 32(1) arise from the same omission on the part of the HSE to implement an appropriate level of security. Therefore, the limit in Article 83(3) is applicable and the total amount of the administrative fine must not exceed the amount for the gravest infringement. In those circumstances, it is appropriate to calculate and apply a single administrative fine. Therefore, the fine will be calculated by reference to the infringement of Article 5(1)(f) only. iii. The Permitted Range 6.36 It is necessary now to consider the appropriate cap for the fine as a matter of law. This cap determines the permitted range for the fine, from a range of zero to the cap. However, the cap is not a starting point for the fine. After identifying the permitted range, this Decision will calculate the figure for the fine. 6.37 Section 141(4) of the 2018 Act provides a cap on administrative fines concerning public bodies that do not act as undertakings: “Where the Commission decides to impose an administrative fine on a controller or processor that— (a) is a public authority or a public body, but (b) is not a public authority or a public body that acts as an undertaking within the meaning of the Competition Act 2002 , the amount of the administrative fine concerned shall not exceed €1,000,000.” 6.38 Section 3 of the Competition Act 2002 defines “undertaking” as: “a person being an individual, a body corporate or an unincorporated body of persons engaged for gain in the production, supply or distribution of goods or the provision of 27 a service and, where the context so admits, shall include an association of undertakings.” 6.39 The HSE is a body corporate24 that is engaged in the provision of health services to the population of Ireland. However, in order to meet the definition of “undertaking”, the HSE must be “engaged for gain” in providing those services. In Deane and others v VHI25 the Supreme Court held that the expression “engaged for gain” does not require the provision of those goods or services for profit. Finlay C.J. held that: “I am, therefore, driven to the conclusion that the true construction of this section is that the words ‘for gain’ connote merely an activity carried on or a service supplied, as it is in this case, which is done in return for a charge or payment…”26 6.40 An entity may fulfil the definition of “undertaking” in respect of some of its activity, while also not fulfilling that definition in respect of other activity. This is illustrated in two High Court judgments regarding the HSE’s activities concerning the provision of ambulances. In Lifeline Ambulance Services v HSE27 Cooke J held: “…in the particular circumstances of the operation of ambulance services in the State a clear distinction for competition law purposes has to be made between on the one hand, emergency services and the services for the transport of public patients for which the HSE has a statutory responsibility; and on the other, services provided for the transport of private patients in respect of which there is a distinct market as was held in the Medicall case.”28 6.41 In this case, the Court held that the HSE was not engaged for gain in the provision of a service when using its fleet of ambulances for emergency services and for the transport of public patients. However, in line with the judgment in Medicall Ambulance Limited v HSE29 , the HSE fulfils the definition of “undertaking” in respect of its activity of providing its fleet of ambulances on the commercial market for private ambulance services for which it made a non-profit charge. Therefore, I am satisfied that the HSE fulfils the definition of “undertaking” in respect of some, but not all of its activity. 6.42 Section 141(4) of the 2018 Act excludes public authorities30 that act as undertakings from the cap provided for in that subsection. Once a public body acts as an undertaking in respect of any of its activities, the cap in Section 141(4) cannot apply. Therefore, the cap in Section 141(4) is not applicable to the HSE. 6.43 The permitted range for the administrative fine must, therefore, be calculated on the basis of Article 83(5) of the GDPR, which provides that infringements of the basic principles for processing under Article 5 of the GDPR: 24 See section 6(2) Health Act 2004. 25 [1992] 2 I.R. 319. 26 Ibid. 27 [2012] IEHC 432. 28 Ibid. 29 [2011] IEHC76. 30 The HSE is a public authority. Public authority is defined in Section 2 of the 2018 Act as including “any other person established by or under an enactment (other than the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act)”. The HSE was established by Ministerial Order in accordance with the provisions of the Health Act 2004. 28 “…shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher…” 6.44 The turnover of the HSE in 2018 was €16,021,179,000, which is calculated by reference to the total reported income stream in the HSE’s Annual Report and Financial Statements 201831, these being the most recently available figures. As regards the maximum amount (the “cap”) for the fine which may be imposed in this case, the relevant cap for any fine in respect of the infringement is €640,847,160 – that is, 4% of the HSE’s turnover. This figure is not a starting point, but rather the cap on the permitted range as provided for in Article 83(5) of the GDPR. iv. Calculating the Administrative Fine 6.45 In the absence of specific EU-level guidelines on the calculation of fines in this context, I am not bound to apply any particular methodology32 . The methodology that I have followed in calculating the administrative fine is as follows. The first step in calculating the administrative fine is to consider the permitted range and to locate the infringement on the permitted range. In this regard, the cap provided for in Article 83(5) is not a starting point for the fine. Rather, it is relevant to determining the permitted range. The determination of where on the permitted range the appropriate figure lies is made by reference to nature, gravity, and duration of the infringement, as considered in relation to Article 83(2)(a) above, and the other aggravating factors. The determination is made in the context of the objectives of reestablishing compliance, including through deterrence, and to provide a proportionate response to the unlawful behaviour. The second step in calculating the administrative fine is to apply the mitigating factors to reduce the fine where applicable. Finally, the third step is to consider whether the figure arrived at is “effective, proportionate and dissuasive” in the circumstances in accordance with Article 83(1) of the GDPR. The Draft Decision set out proposed ranges for the administrative fines and the factors to be considered, and the methodology to be used when calculating the fines, in order to provide the HSE with the opportunity comment in accordance with fair procedures. 6.46 In locating the fine on the permitted range, I have had regard to the nature, gravity and duration of the infringement as assessed in accordance with Article 83(2)(a) above. I have also had regard to the aggravating factors, specifically the negligent character of the infringement and the sensitive categories of personal data affected by the infringement as assessed in accordance with Article 83(2)(b)&(g) above. I consider that the figure of €130,000 is appropriate in the circumstances of this case before applying the mitigating factors. In arriving at this figure, I have considered the serious nature of the infringement and the direct link between deterring such non-compliance and protecting the rights and freedoms of data subjects. The range also reflects the gravity of the infringement. The potential for a high level of damage being suffered by the data subjects as a result of the 7 personal data breaches is relevant to assessing this fine so that the fine provides a proportionate response to the unlawful behaviour. I have also had regard to the duration of the infringement, which is over 1 year in length, in the context of the need to re-establish compliance. The level of the fine must have a deterrent effect and it cannot pay off for the HSE to have such a long period of 31 At page 142. 32 See by analogy Electrabel v Commission, T 332/09, ECLI:EU:T:2012:672, para 228, Marine Harvest ASA v Commission, T-704/14, ECLI:EU:T:2017:753, para 450. 29 non-compliance. I have had regard to the negligent character of the infringement, as assessed in accordance with Article 83(2)(b) above. Finally, I have also had regard to the highly sensitive categories of personal data affected by the infringement, as assessed in accordance with Article 83(2)(g) above. The high risk caused by the HSE’s infringement, in light of the sensitivity of the personal data, must be reflected in the starting figure for the fine in order to provide a proportionate response to the unlawful behaviour and to deter such future non-compliance. 6.47 I consider that the mitigating factors warrant a significant reduction in the fine. Specifically, I consider the factors identified above under Articles 83(2)(c), 83(2)(e), and 83(2)(f) of the GDPR mitigating. To account for the action taken by the HSE to mitigate the damage suffered by the data subjects, I have reduced the fine by €25,000 in accordance with Article 83(2)(c). To account for the HSE’s lack of previous infringements, I have reduced the fine by €20,000, in accordance with Article 83(2)(e). To account for the cooperation that the HSE engaged with the DPC to remedy the infringement, I have reduced the figure by €20,000 in accordance with Article 83(2)(f). Thus, the total amount of reductions in light of the mitigating factors is €65,000. 6.48 Applying the mitigating factors, the figure for this administrative fine is €65,000. I have considered this figure in light of the requirement in Article 83(1) that administrative fines shall be “effective, proportionate and dissuasive”. In considering the application of these principles, I consider that a fine cannot be effective if it does not have significance relative to the revenue of the data controller. Moreover, the principle of proportionality cannot be adhered to if the infringement is considered in the abstract, regardless of the impact on the controller. Therefore, I note the HSE’s turnover in 2018 as identified above. As decisionmaker for the Commission, I consider it important to strongly discourage non-compliance with the obligation to implement appropriate security measures in relation to the HSE’s use and disposal of hardcopy documents containing patients’ personal data. I am of the view that when calculating a fine that is effective, proportionate and dissuasive, the fine must have a significant element of deterrence, particularly in respect of serious infringements, such as the infringement in issue. Having regard to the foregoing, I consider that the figure of €65,000 meets the requirements of effectiveness, proportionality and dissuasiveness in respect of the infringement and data controller in issue. 7. Right of Appeal 7.1 This Decision is issued in accordance with Section 111 of the 2018 Act. Pursuant to Section 150(5) of the 2018 Act, the HSE has the right to appeal against this Decision within 28 days from the date on which notice of the Decision is received by it. Furthermore, as this Decision includes a decision to impose an administrative fine, pursuant to Section 142 of the 2018 Act, the HSE also has the right to appeal against that decision to impose an administrative fine within 28 days from the date on which notice of the decision is given to it. Helen Dixon Commissioner for Data Protection 30 Appendix: Schedule of Materials Considered for the Purposes of this Decision The Case Officer delivered the Final Inquiry Report to me on 27 April 2020. I was also provided with all of the correspondence and submissions received in compiling the report, including: i. The DPC’s Final Inquiry Report, Inquiry Reference IN-19-9-01; ii. Health Service Executive Code of Governance, Chapter 2 (Appendix D.1 to the Final Inquiry Report); iii. The 7 Personal Data Breach Notifications submitted to the DPC and their related email correspondence (Appendix D.1 to the Final Inquiry Report); iv. HSE Investigation Report concerning BN-19-6-237 (Part of Appendix D.2 to the Final Inquiry Report); v. Redacted HSE Investigation Report concerning BN-19-3-68 (Part of Appendix D.2 to the Final Inquiry Report); vi. Redacted HSE Investigation Report concerning BN-19-3-381 (Part of Appendix D.2 to the Final Inquiry Report); vii. DPC Notice of Commencement of an Inquiry, dated 17 October 2019 (Appendix D.3 to the Final Inquiry Report); viii. Email from the HSE, dated 22October 2019, acknowledging receipt of the Notice of Commencement of an Inquiry and nominating a HSE point of contact; ix. Correspondence from the Case Officer to the HSE, dated 6 November 2019, inviting submissions from the HSE; x. HSE submissions in response to the commencement of the Inquiry, dated 26 November 2019 (Appendix D.4 to the Final Inquiry Report); xi. “Code of Professional Conduct and Ethics for Registered Nurses and Registered Midwives”, Nursing and Midwifery Board of Ireland, dated December 2014 (Part of Appendix D.4 to the Final Inquiry Report); xii. “Recording Clinical Practice Professional Guidance”, Nursing and Midwifery Board of Ireland, dated November 2015 (Part of Appendix D.4 to the Final Inquiry Report); xiii. “Clinical Placement Information For BSc (Hons) Nursing Students”, HSE, dated September 2016 (Part of Appendix D.4 to the Final Inquiry Report); xiv. “Hospital Orientation Information for BSc Undergraduate Nursing Students”, HSE, dated November 2019 (Part of Appendix D.4 to the Final Inquiry Report); xv. Template Practice Placement Agreement 2019 for Nurses and Midwives (Part of Appendix D.4 to the Final Inquiry Report); xvi. The HSE’s Waste Management Awareness Handbook, dated 2014 (Part of Appendix D.4 to the Final Inquiry Report); xvii. The HSE’s sample poster from its campaign regarding GDPR in practice (Part of Appendix D.4 to the Final Inquiry Report); xviii. HSE document “About Human Resources” (Part of Appendix D.4 to the Final Inquiry Report); xix. DPC Report “Data Protection Investigation in the Hospitals Sector”, dated May 2018 (Part of Appendix D.5 to the Final Inquiry Report); 31 xx. The HSE’s Data Protection Quality Improvement Action Plan, dated October 2017 (Appendix D.6 to the Final Inquiry Report); xxi. HSE Data Protection Policy, dated 25 May 2018 (Appendix D.7 to the Final Inquiry Report); xxii. HSE Information Technology Security Policy, dated February 2013 (Appendix D.8 to the Final Inquiry Report); xxiii. HSE Access Control Policy, dated February 2013 (Appendix D.9 to the Final Inquiry Report); xxiv. HSE submissions on the Draft Inquiry Report, dated 16 January 2019 (in error) (Appendix D.10 to the Final Inquiry Report); xxv. HSE External Review Process (Part of Appendix D.10 to the Final Inquiry Report); xxvi. Letter from the DPC to , dated 20 January 2020 (Appendix D.11 to the Final Inquiry Report); xxvii. HSE submission, dated 7 February 2020 (Appendix D.12 to the Final Inquiry Report); xxviii. Letter from the DPC to , dated 3 March 2020 (Part of Appendix D.13 to the Final Inquiry Report); xxix. HSE submission, dated 6 April 2020 (Appendix D.14 to the Final Inquiry Report); xxx. Redacted Practice Placement Agreement, dated 10 September 2018 (Part of Appendix D.14 to the Final Inquiry Report); xxxi. Media Report, dated 3rd May 2019 (Appendix D.15 to the Final Inquiry Report); xxxii. HSE Annual Report and Financial Statements 2018, published May 2019; xxxiii. The HSE’s email to the DPC, , dated 12 August 2020. In the matter of the General Data Protection Regulation DPC Case Reference: IN-19-9-2 In the matter of The Health Service Executive (Our Lady of Lourdes Hospital, Drogheda) Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act 2018 Further to an own-volition inquiry commenced pursuant to Section 110 of the Data Protection Act 2018 DECISION Decision-Maker for the Commission: Helen Dixon Commissioner for Data Protection 29 September 2020 Data Protection Commission 2 Fitzwilliam Square South Dublin 2, Ireland Contents 1. Introduction ....................................................................................................................................4 2. Legal Framework for the Inquiry and the Decision.........................................................................4 i. Legal Basis for the Inquiry........................................................................................................4 ii. Data Controller ..........................................................................................................................5 iii. Legal Basis for the Decision......................................................................................................5 3. Factual Background.........................................................................................................................5 4. Scope of the Inquiry and the Application of the GDPR...................................................................7 5. Inquiry IN-19-9-1.............................................................................................................................8 6. Analysis and Findings....................................................................................................................10 i. Assessing Risk............................................................................................................................11 ii. Security Measures Implemented by the HSE............................................................................11 a) Measures implemented locally.............................................................................................11 b) Measures implemented nationally .......................................................................................12 iii. The Appropriate level of Security .............................................................................................14 iv. Finding.......................................................................................................................................16 7. Decision on Corrective Powers.....................................................................................................16 8. Right of Appeal..............................................................................................................................16 Appendix: Schedule of Materials Considered for the Purposes of this Decision...............................18 1. Introduction 1.1 This document (“the Decision”) is the decision made by the Data Protection Commission (“the DPC”) in accordance with Section 111 of the Data Protection Act 2018 (“the 2018 Act”). I make this Decision having considered the information obtained in the separate own volition inquiry (“the Inquiry”) conducted by an Authorised Officer of the DPC (“the Case Officer”) pursuant to Section 110 of the 2018 Act. The Case Officer provided the Health Service Executive (“the HSE”) with the Draft Inquiry Report and the Final Inquiry Report. The scope of the Inquiry is to examine whether or not the HSE has discharged its obligations in connection with the subject matter of personal data breach BN-19-5-26 and determine whether or not any provision(s) of the 2018 Act and/or the General Data Protection Regulation (“the GDPR”) has been contravened by the HSE in that context. 1.2 The HSE was provided with the Draft Decision on this Inquiry on 24 August 2020 to provide it with a final opportunity to make submissions. The HSE made submissions on 14 September 2020 and those submissions have been given full consideration for the purposes of this Decision. This Decision is being provided to the HSE pursuant to Section 116(1)(a) of the 2018 Act in order to give the HSE notice of the Decision and the reasons for it. 2. Legal Framework for the Inquiry and the Decision i. Legal Basis for the Inquiry 2.1 The GDPR is the legal regime covering the processing of personal data in the European Union. As a regulation, the GDPR is directly applicable in EU member states. The GDPR is given further effect in Irish law by the 2018 Act. As stated above, the Inquiry was commenced pursuant to Section 110 of the 2018 Act. By way of background in this regard, under Part 6 of the 2018 Act, the Commission has the power to commence an inquiry on several bases, including on foot of a complaint, or of its own volition. 2.2 Section 110(1) of the 2018 Act provides that the Commission may, for the purpose of Section 109(5)(e) or Section 113(2) of the 2018 Act, or of its own volition, cause such inquiry as it thinks fit to be conducted, in order to ascertain whether an infringement has occurred or is occurring of the GDPR or a provision of the 2018 Act, or regulation under the Act, that gives further effect to the GDPR. Section 110(2) of the 2018 Act provides that the Commission may, for the purposes of Section 110(1), where it considers it appropriate to do so, cause any of its powers under Chapter 4 of Part 6 of the 2018 Act (excluding Section 135 of the 2018 Act) to be exercised and / or cause an investigation under Chapter 5 of Part 6 of the 2018 Act to be carried out. ii. Data Controller 2.3 In commencing the Inquiry, the Case Officer considered that the HSE may be the controller, within the meaning of Article 4(7) of the GDPR, in respect of the personal data that was the subject of Breach BN-19-5-26. In this regard, the submissions made by HSE during the course of the Inquiry made clear that it determines the purposes and means of the processing under consideration, and, thus, is a data controller in respect of the personal data subject to BN-19- 5-26. iii. Legal Basis for the Decision 2.4 The decision-making process for this Inquiry is provided for under Section 111 of the 2018 Act, and requires that the Commission must consider the information obtained during the Inquiry; to decide whether an infringement is occurring or has occurred; and if so, to decide on the corrective powers, if any, to be exercised. As the sole member of the Commission, I perform this function in my role as the decision-maker in the Commission. In so doing, I am required to carry out an independent assessment of all of the materials provided to me by the Case Officer as well as any other materials which have been furnished to me by the HSE, and any other materials which I consider to be relevant, in the course of the decision-making process. 2.5 The Final Inquiry Report was transmitted to me on 27 April 2020, together with the Case Officer’s file, containing copies of all correspondence exchanged between the Case Officer and the HSE; and copies of all submissions made by the HSE, including the submissions made by the HSE in respect of the Draft Inquiry Report. A full schedule of all documentation considered by me for the purpose of my preparation of this Decision is appended hereto. I issued a letter to the HSE on 5 August 2020 to notify it of the commencement of the decisionmaking process. 2.6 Having reviewed the Final Inquiry Report, and the other materials provided to me by the Case Officer (including the submissions made by the HSE), I was satisfied that the Inquiry was correctly conducted and that fair procedures were followed throughout, including, but not limited to, notifications to the controller and opportunities for the controller to comment on the Draft Inquiry Report before it was submitted to me as decision-maker. 3. Factual Background 3.1 The HSE notified the DPC of personal data breach BN-19-5-26 on 1 May 2019. The HSE became aware of the personal data breach on 30 April 2019 when a member of the public informed them that they had found documents in their front garden, which is near Our Lady of Lourdes Hospital. The documents in question were handover notes, generated by the HSE to identify patients who come under staff care at each shift change. The notes are necessary for continuing patient care and treatment. The notes contained the personal data of 15 data subjects and included data relating to clinical information and treatments received. The notes were printed on 11 April 2019, but the HSE was unable to specify the date on which the breach initially occurred. The notes have not been accounted for between the date they were printed and when they were found. A member of the HSE’s Quality & Risk Department retrieved the pages from the member of the public immediately after being notified. The HSE subsequently contacted the data subjects and informed them of the breach. 3.2 The HSE initiated an investigation into the personal data breach. The investigation report, dated 17 June 2019, outlines how the nurse who lost the notes intended to dispose of them before leaving the hospital at the end of shift. However, they forgot to dispose of them and lost them on the way home. Following the breach, the HSE circulated a notice to all staff in Our Lady of Lourdes Hospital reminding them of their obligation to comply with the hospital’s standard operating procedures for the use of confidential paper waste consoles. 3.3 The Case Officer informed the HSE of the commencement of the Inquiry by way of a Notice of Commencement of Inquiry (“the Notice”) on 26 November 2019. The Notice set out the scope and legal basis of the Inquiry. The decision to commence the Inquiry was taken having regard to the circumstances of personal data breach BN-19-5-26. The Notice informed the HSE that the Inquiry would examine whether or not the HSE discharged its obligations in connection with the subject matter of that personal data breach and determine whether or not any provision(s) of the 2018 Act and/or the GDPR had been contravened by the HSE in that context. In this regard, the scope of the Inquiry was expressly stated to include Articles 5(1)(f) and 32(1) of the GDPR, with focus on the areas of Data Protection Governance, Training and Awareness, Records Management, and Security of Personal Data. The Notice also stated that personal data breach BN-19-5-26 was the second such occurrence involving the inappropriate disposal of patient records in the HSE Dublin North East region, and noted the similarities with the breach that occurred on 6 March 2019 (BN-19-3-179). The Notice set out that the Inquiry would formally document the facts as they relate to the subject of the Inquiry. The facts, as established during the course of the Inquiry, are set out below. The Notice also invited the HSE to make submissions on the background outlined in the Notice and to make submissions regarding its compliance with Articles 5(1)(f) and 32(1) of the GDPR. 3.4 The HSE acknowledged receipt of the Notice by telephone on 10 December 2019. The Case Officer provided the HSE with the Draft Inquiry Report on 31 January 2020. The Draft Inquiry Report set out the Case Officer’s provisional views as to the facts identified and views as to whether the HSE had complied with its obligations under the 2018 Act and the GDPR. The HSE made submissions on the Draft Inquiry Report on 3 March 2020. Those submissions identified factual inaccuracies in the Draft Inquiry Report and made submissions on Data Protection Governance, Training and Awareness, Record Management, and Security of Personal Data at Our Lady of Lourdes Hospital and the HSE. Those submissions also appended a number of documents relevant to the scope of the Inquiry. Those documents are considered throughout this Decision and are listed in the Schedule appended to this Decision at numbers (xiii) – (xxv). 3.5 The Case Officer wrote to the HSE on 5 March 2020 enclosing a number of specific follow up questions and seeking further submissions on the measures that were in place at the time of the personal data breach to comply with Articles 5(1)(f) and 32(1) of the GDPR. The HSE made further submissions on 20 March 2020. These submissions added to the submissions made on 3 March 2020 and detailed the availability of shredding bins and the standard operating procedure that was in place for their use. The submissions also set out the education, training and awareness that was in place, including signage on all wards and training areas and how self-accountability is promoted. The submissions also outlined how the IPIMs and Trendcare systems automatically print the name of the person who printed lists at the end of the pages. 3.6 On 27 April 2020, the Case Officer completed the final Inquiry Report and submitted it to me as decision-maker. I have considered the Inquiry Report and all relevant correspondence and submissions. The HSE was provided with my Draft Decision on 24 August 2020 and was afforded the opportunity to make submissions on the infringements that were provisionally identified therein. On 14 September 2020, the HSE made submissions and I have given full consideration to those submissions. I have reached final conclusions that infringements of data protection legislation have occurred. Those infringements are set out in this Decision. 4. Scope of the Inquiry and the Application of the GDPR 4.1 The scope of the Inquiry, which was set out in the Notice of the Commencement of the Inquiry, is to examine whether or not the HSE has discharged its obligations in connection with the subject matter of personal data breach BN-19-5-26 and determine whether or not any provision(s) of the Act and/or the GDPR have been contravened by the HSE in that context. In this regard, the Notice of Commencement of Inquiry specified that the Inquiry would focus on Data Protection Governance; Training and Awareness; Records Management; and Security of Personal Data. 4.2 As outlined above, personal data breach BN-19-5-26 occurred when a nurse inadvertently took handover documents outside of Our Lady of Lourdes Hospital in their coat pocket and lost the documents. Having reviewed the Inquiry Report and the other materials provided to me, I consider that the issue in respect of which I must make a decision is whether the HSE has complied with its obligations under Articles 5(1)(f) and 32(1) of the GDPR, in connection with personal data breach BN-19-5-26, regarding its use and disposal of hardcopy documents containing patients’ personal data. Articles 5(1)(f) and 32(1) oblige the HSE to implement an appropriate level of security in respect of those processing operations. 4.3 The Notice of Commencement of Inquiry referred to another personal data breach that the HSE notified to the DPC. The information obtained in relation to that personal data breach is relevant to the scope of the Inquiry insofar as it details the level of security implemented by the HSE regarding its use and disposal of hardcopy documents. BN-19-3-173 concerns a similar incident to BN-19-5-26, in which a staff member accidentally took hardcopy documents containing medical information outside the hospital and lost them. 4.4 Article 2(1) of the GDPR defines the Regulation’s scope as follows: “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” 4.5 The manual processing of hardcopy documents falls within the scope of the GDPR only if the personal data within those documents form part of a filing system or are intended to form part of a filing system. 4.6 Article 4(6) of the GDPR defines “filing system”: “‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;” 4.7 Recital 15 provides guidance for interpreting the material scope of the GDPR: “In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.” 4.8 Medical files form part of a “filing system” because they contain the personal data of patients and are accessible according to specific criteria, such as the patient’s name or other identifier. Therefore, any personal data processed by the HSE that are intended to form part of medical files fall within the scope of the GDPR, regardless of whether such personal data are actually stored in such files. This prevents controllers from attempting to circumvent the GDPR by processing personal data manually and/or outside of their usual filing systems. The handover lists in BN-19-5-26 contained special category personal data concerning health. Therefore, I am satisfied that some of the personal data on those documents are also intended to be recorded separately in a filing system. Therefore, even where that personal data are recorded separate to the filing system, the GDPR is applicable on the basis that the personal data concerning health is intended to be recorded in the medical files. 5. Inquiry IN-19-9-1 5.1 The DPC commenced a separate inquiry (IN-19-9-1) on 17 October 2019 in respect of a personal data breach that occurred in Cork University Maternity Hospital. The scope of that Inquiry was to examine whether or not the HSE discharged its obligations in connection with the subject matter of that personal data breach and to determine whether any provision(s) of the 2018 Act and/or the GDPR has been contravened. The personal data breach in IN-19-9-1 occurred when documents were taken outside of Cork University Maternity Hospital and disposed of it in a public recycling area. Thus, the Decision in respect of IN-19-9-1 considered whether the HSE has complied with its obligations under Articles 5(1)(f) and 32(1) of the GDPR in connection with its processing operations concerning its use and disposal of hardcopy documents containing patients’ personal data. The DPC issued its Decision to the HSE on 18 August 2020 and found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by those processing operations. The duration of those infringements found in that Decision concerned the period of 25th May 2018 to 4th June 2019. 5.2 Regarding Inquiry IN-19-9-2, the personal data breaches under consideration in this Decision occurred on 6 March 2019 and 30 April 2019 respectively. As outlined above, the processing under consideration in this Decision also concerns the HSE’s use and disposal of hardcopy documents containing patients’ personal data. The issue for consideration in this Decision is whether the HSE has complied with its obligations under Articles 5(1)(f) and 32(1) of the GDPR in respect of these processing operations. Therefore, the same processing operations are under consideration in this Decision as were under consideration in Decision IN-19-9-1. Furthermore, the personal data breaches under consideration in this Decision occurred during the period under consideration in Decision IN-19-9-1. 5.3 This Decision must independently consider the appropriateness of the measures implemented by the HSE at the time of BN-19-5-26. The HSE’s submissions make clear that it implemented certain measures in Our Lady of Lourdes Hospital that were not implemented in the hospital where the breach in Decision IN-19-9-1 occurred. The scope of this Inquiry is specific to personal data breach BN-19-5-26 and, therefore, this Decision must consider measures that were implemented in Our Lady of Lourdes Hospital, even if those measures had not been implemented by the HSE in other regions. Therefore, it does not necessarily follow from the findings of infringements in Decision IN-19-9-1 that the HSE has failed to discharge its obligations in connection with the subject matter of personal data breach BN19-5-26. This Decision must consider the technical and organisational measures that the HSE implemented both on an organisation-wide basis and locally to determine whether it has discharged its obligations in connection with the subject matter of personal data breach BN19-5-26. 5.4 Inquiries IN-19-9-1 and IN-19-9-2 were each commenced to document the facts, and to assess, as appropriate, whether or not the HSE has discharged its obligations in connection with the respective personal data breaches under consideration in each inquiry. Both inquiries were conducted in a manner that ensured that fair procedures were followed throughout, including by ensuring that there was no pre-judgment of the issues arising for consideration in each inquiry. Articles 5(1)(f) and 32(1) of the GDPR oblige controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data. Hence, controllers and processors must consider the risk presented by each of its processing operations and must implement appropriate measures in respect of each of those processing operations. The HSE, as controller of the personal data subject to personal data breach BN-19-5-26, and as controller of the personal data subject to the breach considered in Decision IN-19-9-1, is responsible for implementing an appropriate level of security and for demonstrating compliance pursuant to Articles 5(2) and 24(1) of the GDPR. The processing operations in both inquiries concern the HSE’s use and disposal of hardcopy documents containing patients’ personal data and the Commission must make a decision under Section 111 of the 2018 Act in respect of each inquiry commenced under Section 110 of that same Act. 6. Analysis and Findings 6.1 Having reviewed the Inquiry Report and the other materials provided to me, I consider that the issue in respect of which I must make a decision is whether the HSE has discharged its obligations, in connection with the subject matter of personal data breach BN-19-5-26, by implementing appropriate technical and organisational measures pursuant to Articles 5(1)(f) and 32(1) of the GDPR regarding its use and disposal of hardcopy documents containing patients’ personal data. 6.2 Article 5(1)(f) of the GDPR provides for the principle of integrity and confidentiality. It requires that personal data shall be: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” 6.3 Article 32(1) of the GDPR elaborates on the principle in Article 5(1)(f) by setting out criteria for assessing what constitutes “appropriate security” and “appropriate technical or organisational measures”: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” 6.4 Articles 5(1)(f) and 32(1) of the GDPR oblige controllers and processors to implement a level of security appropriate to the risks presented by its processing of personal data. The processing operations within the scope of this Decision concern the HSE’s use and disposal of hardcopy documents containing patients’ details. In considering the technical and organisational measures that the HSE was obliged to implement, regard must be had to the risk presented to the rights and freedoms of natural persons by those processing operations. Therefore, the first step is to assess this risk. i. Assessing Risk 6.5 The HSE confirmed in its submissions dated 20 March 2020 that it had not conducted a risk assessment in respect of the processing at the time of personal data breach BN-19-5-26. As outlined in Decision IN-19-9-1, the HSE’s use and disposal of hardcopy documents containing patients’ personal data presents a high risk, both in likelihood and severity, to the rights and freedoms of natural persons. The risk relates to the potential for an unauthorised disclosure of patient personal data where hardcopy documents are not stored or disposed of securely. The number of staff, the quantity of documentation that they are required to handle, and the transient nature of some of that documentation creates a high risk that the documents may not be stored or disposed of securely. A risk of unauthorised disclosure naturally follows from this risk. The high severity of the risk to the rights and freedoms of natural persons occurs due to the sensitive nature of the processing that the HSE undertakes and the purposes for which it is undertaken. The provision of health and personal social services is intrinsically linked to the rights and freedoms of patients, and unauthorised disclosures of health data has significant capacity to infringe those rights and freedoms. The technical and organisational measures that the HSE is obliged to implement must be appropriate to this risk. ii. Security Measures Implemented by the HSE 6.6 The HSE’s submissions outline the technical and organisational measures that it had in place at the time of personal data breach BN-19-5-26. The submissions detail measures that are specific to Our Lady of Lourdes Hospital and measures that were implemented on an organisation-wide basis by the HSE. This Decision will first consider the measures implemented locally, and, second, the measures implemented nationally. a) Measures implemented locally 6.7 The HSE made submissions in relation to its procedure titled, “Louth Hospitals Procedure for Use of Confidential Paper Waste Console”, which was developed in June 2018 and issued to staff on numerous occasions since 2018. This standard operating procedure defines how secure shredding is implemented at Our Lady of Lourdes Hospital and Louth County Hospital. It provides that all staff are responsible for ensuring the proper disposal of confidential material that they handle and requires ward and department managers to communicate the procedure to all staff. The procedure sets out a process for how confidential waste is to be stored pending its disposal, and how waste paper consoles are to be located and maintained. A contracted company carries out confidential waste shredding and it issues a certificate of destruction on completion. 6.8 The HSE submitted a list of the locations of confidential waste consoles throughout Our Lady of Lourdes Hospitals and submitted that the consoles display a notification regarding the shredding of handover sheets. Posters are located throughout the hospital to remind staff to dispose of the handover sheets prior to departing from the Hospital. There is an annual audit carried out at Louth Hospitals in relation to Healthcare records to ensure adherence to the standard imposed by the hospitals. 6.9 The HSE’s submissions outline how it promotes training and awareness on data protection to staff specifically at Our Lady of Lourdes Hospital. Data protection training forms part of the induction programme for new starters at Louth Hospitals. Training events and presentations were arranged for existing staff at Louth Hospitals in 2018 in advance of the GDPR coming into force. The HSE Deputy Data Protection Officer and the Consumer Affairs unit provide ongoing face-to-face presentations and training at Louth Hospitals on data protection. 881 staff have attended that training up to the end of 2019. The HSE’s submissions dated 3 March 2020 outline a significant amount of communications made by the Deputy Data Protection Officer to staff at Our Lady of Lourdes Hospital in order to raise awareness about data protection requirements. The General Manager of Our Lady of Lourdes Hospital made similar communications to the heads of departments and to staff generally, including communications concerning security of data and confidential waste shredding. A GDPR Survey was also undertaken at Our Lady of Lourdes Hospital to promote awareness of data protection. 6.10 The HSE implemented a programme of data protection compliance inspections, with 157 such inspections being undertaken in the Dublin North East region from 2014 – 2018. The inspections entail face-to-face interviews with staff. Some inspections are unannounced and undertaken following personal data breaches. 6.11 Regarding handover lists, the HSE submitted that the number of lists printed each day is limited to number of staff rostered. Furthermore, the IPIMS management system and the Trendcare Access system promote accountability by including a footer on each page identifying the username and time of printing. However, this does not promote individual accountability for each list because the lists are printed and then circulated amongst staff. In this regard, the HSE submitted that staff will be required staff to sign the lists when receiving them in the future. b) Measures implemented nationally 6.12 The HSE’s Data Protection Policy, Version 1.0, dated 25 May 2018, was in place at the time of the notified personal data breaches. The Policy applies to all HSE staff, students, interns and work experience candidates, amongst others. Section 6.8 provides: “All persons covered under this policy are prohibited from disclosing a data subject’s confidential information (including personal data or special categories of personal data), unless this policy or a legal basis allows for such disclosures.” 6.13 The HSE’s booklet, “Data Protection is Everyone’s Responsibility”, includes a confirmation to all managers that staff in their area have read and understand the Data Protection Policy. The HSE requires all managers to hold a copy of the signed undertaking in relation to staff in their respective areas of responsibility1 . 6.14 The HSE “Waste Management Awareness Handbook”, Rev A, dated 2014, sets out polices for various types of waste. It requires shredding of confidential documents before recycling. However, the HSE does not have any standard operating procedure that determines how the particularly high-risk handover lists and inpatient lists must be created, used, and disposed of. 6.15 The HSE’s “Standards and Recommended Practices for Healthcare Records Management”, Rev 3.0., dated May 2014, comprehensively sets out standards for the HSE’s responsibilities in respect of healthcare records management. It places responsibility on all line managers to ensure adequate training of staff and to apply the appropriate recommended practices in relation to healthcare records management2 . The document also provides for security, stating that “Every healthcare record is confidential and as such should be kept secure at all times”3 . 6.16 The HSE also made submissions on codes and manuals implemented by the Nursing and Midwifery Board of Ireland (the “NMBI”) and the Code of Ethics for the lrish Medical Council (“the IMC”). The NMBI and IMC are statutory bodies that regulate the nursing and midwifery professions and doctors in Ireland. Such codes and manuals are not measures implemented by the HSE and the HSE, as data controller, is ultimately responsible for ensuring an appropriate level of security. However, in assessing the appropriate level of security, it is appropriate to have regard to the context in which the processing occurs. Therefore, I consider that binding professional standards imposed on members of regulated professions may be relevant to a controller’s assessment of the technical and organisational measures that it is obliged to implement. Without prejudice to the obligation on the HSE, as controller, to implement an appropriate level of security, in assessing the appropriate technical and organisational measures that must be implemented, I accept that I must have regard to collaboration between the HSE, training schools, and the regulated professions. While this context is relevant to assessing the measures that are appropriate to the risk, the HSE, as data controller, is responsible for ensuring that appropriate security measures are implemented. The NMBI’s “Code of Professional Conduct and Ethics for Registered Nurses and Registered Midwives”, dated December 2014, details the principle of trust and confidentiality and provides that “Patients have a right to expect that their personal information remains private”. The HSE’s submissions also outlined how its Doctors work under the Code of Ethics for the Irish Medical Council and how confidentiality forms part of the HSE contract for all staff. 1 HSE submissions on the Draft Decision, dated 13 September 2020. 2 At page 123. 3 At page 131. 6.17 The HSE also submitted its “Information Technology Security Policy”, Rev 3.0, dated February 2013. This policy concerns information technology security and resources. This policy is not applicable to the risk presented by the HSE’s use and disposal of hardcopy documents containing patients’ personal data. Therefore, the content of those policies fall outside the scope of this Decision. 6.18 The HSE implemented an online “Fundamentals of GDPR” training programme. The programme provides a comprehensive introduction to the GDPR. As of 31 December 2019, 2,270 staff from the RCSI Hospital Group had completed the programme. The HSE was unable to provide individual hospital statistics. The HSE also provided customised GDPR Awareness sessions to hospitals and community services. The HSE promotes GDPR training with its staff using national broadcast emails and on the HSE intranet. The HSE, at corporate level, has issued broadcasts to staff regarding data protection since 2013. It facilitated a number of “town hall” style GDPR awareness sessions in hospitals to improve data privacy vigilance. 6.19 The HSE tests and evaluates the effectiveness of its technical and organisational measures through a Data Protection Audit Programme in the Dublin North East region. Furthermore, all managers commensurate with Grade Vlll and above are required to sign a Controls Assurance Statement, which confirms compliance with Data Protection Policies and Procedures. As outlined above, the HSE also undertakes a significant number of data protection compliance inspections in the Dublin North East region. iii. The Appropriate level of Security 6.20 Decision IN-19-9-1 considered the level of security implemented in Cork University Maternity Hospital, and found that the lack of a standard operating procedure concerning secure shredding infringed Articles 5(1)(f) and 32(1) of the GDPR. It is important to acknowledge that Louth Hospitals did have an appropriate procedure in place at the time of personal data breach BN-19-5-26. As outlined above, the HSE implemented a standard operating procedure setting out how secure shredding is to be implemented in Louth Hospitals. The document titled “Louth Hospitals Procedure for Use of Confidential Paper Waste Console” gives clear instruction for putting into practice the HSE’s policy of shredding confidential documents. It sets out accountability for ensuring secure disposal of confidential waste, how confidential waste is to be stored pending its disposal, and how waste paper consoles are located and maintained. The existence of this procedure in Louth Hospitals must be commended, despite the fact that equivalent procedures are not available in other HSE regions. 6.21 However, the procedure for the use of confidential consoles alone is not sufficient in respect of the risks presented by the HSE’s processing. Having regard to the particularly high risk presented by the HSE’s use and disposal of handover lists, I find that an appropriate level of security must also include a standard operating procedure for handover lists, which sets out responsibility for the secure creation, use, and disposal of the lists. The HSE implemented various policies concerning the confidentiality of patients’ health data. Furthermore, Our Lady of Lourdes Hospital has undertaken significant steps to promote staff awareness of the secure disposal of handover lists. However, in light of the frequency with which the lists are created and disposed of, there remains a significant risk that staff may inadvertently disclose or lose handover lists. General prohibitions on unlawful disclosures are not sufficient to protect against this risk. A specific process that incorporates data secure practices is appropriate in light of the sensitivity of personal data contained on the lists and the speed at which the HSE generates and disposes of the lists. 6.22 The HSE must determine the provisions of the handover list standard operating procedure based on its own risk assessment and in light of its own functions. I note the HSE’s submission that staff will be required to sign the lists when receiving them to promote accountability. The HSE may also consider an IT solution or a sign-off sheet where staff confirm that they have safely disposed of lists at the end of each shift. The HSE must determine which measures to adopt to ensure accountability for secure disposal of the lists, and the precise content of the procedure, in light of a broader assessment of its functions and the risk. However, the handover lists procedure must provide clear instructions to staff as to how the lists can be shared, when and how they must be disposed of, and responsibility for ensuring they are disposed of securely. In addition to general awareness amongst staff, a process for promoting individual accountability for the disposal of the lists at the end of each shift is also appropriate. The procedure should also set out the managerial responsibility for bringing the procedure to the attention of staff members. 6.23 Having regard to the high risk to the rights and freedoms of data subjects presented by the HSE’s use and disposal of hardcopy documents containing patients’ personal data, an appropriate level of security must include significant staff training to ensure that staff give effect to the HSE’s policies and processes. As outlined above, Louth Hospitals provide data protection training to new staff and on-going training for existing staff. The HSE also provides the online “Fundamentals of GDPR” training on an organisation-wide basis. The HSE has also issued a number of broadcasts to staff with regard to data protection since 2013. However, the HSE presented no evidence of measures in place to ensure that existing staff partake in the on-going refresher training provided in Louth Hospitals. Furthermore, the HSE presented no evidence of measures in place to ensure that staff complete the “Fundamentals of GDPR” training. 2,270 staff from the RCSI Hospital Group had completed the programme as of 31 December 2019, however this is a fraction of the total number of staff employed in the Group, and no hospital-specific figures are available. I find that the appropriate level of security requires measures to ensure completion of available training by all staff. I find that the organisational measures implemented by the HSE in this regard were not appropriate to the risk. 6.24 I have had regard to the state of the art and the cost of implementing a standard operating procedure for handover lists and measures to ensure the completion of existing HSE training. I am satisfied that implementing the measures would not impose a cost that is disproportionate to the risk. Therefore, the failure to implement the measures infringes Article 5(1)(f) and 32(1) of the GDPR in the circumstances. iv. Finding 6.25 I find that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data in connection with the subject matter of personal data breach BN-19-5-26. The measures that ought to have been implemented include a standard operating procedure that sets out responsibility for the secure creation, use, and disposal of handover lists; and measures to ensure completion of existing HSE data protection training. 7. Decision on Corrective Powers 7.1 I have set out above, pursuant to Section 111(1)(a) of the 2018 Act, my decision to the effect that the HSE has infringed Articles 5(1)(f) and 32(1) of the GDPR. Under Section 111(2) of the 2018 Act, where the Commission makes a decision (in accordance with Section 111(1)(a)), it must, in addition, make a decision as to whether a corrective power should be exercised in respect of the controller or processor concerned and, if so, the corrective power to be exercised. 7.2 Pursuant to Section 111(2), I have decided that it is not appropriate to exercise corrective powers in this Decision. I have made this decision in light of the findings of infringements and the corrective powers exercised in Decision IN-19-9-1. That Decision considered the same processing operations, undertaken by the same controller, during the same period under consideration in this Decision. Furthermore, the finding of infringements found in this Decision mirror the infringements found in Decision IN-19-9-1 and do not identify any additional measures that the HSE ought to have implemented. 7.3 Decision IN-19-9-1 ordered the HSE to bring its processing operations, regarding the use and disposal of hardcopy documents containing patients’ personal data, into compliance with Articles 5(1)(f) and 32(1) of the GDPR. The HSE has commenced a process to mitigate the risk associated with those processing operations. The order made in Decision IN-19-9-1 sets out measures that must be implemented by the HSE. I consider that, if this Decision made an order, it would simply repeat the order already made. Furthermore, the imposition of other corrective measures in this Decision, would not be appropriate in circumstances where Decision IN-19-9-1 has already imposed a reprimand and an administrative fine in respect of the HSE’s failure to implement the measures identified in this Decision. Therefore, this Decision will not exercise corrective powers in respect of the infringements found herein. 8. Right of Appeal 8.1 This Decision is issued in accordance with Section 111 of the 2018 Act. Pursuant to Section 150(5) of the 2018 Act, the HSE has the right to appeal against this Decision within 28 days from the date on which notice of the Decision is received by it. Helen Dixon Commissioner for Data Protection Appendix: Schedule of Materials Considered for the Purposes of this Decision The Case Officer delivered the Final Inquiry Report to me on 27 April 2020. I was also provided with all of the correspondence and submissions received in compiling the report, including: i. The DPC’s Final Inquiry Report, Inquiry Reference IN-19-9-02; ii. Breach Notification Form BN-19-3-172; iii. Correspondence between the DPC and the HSE in respect of Breach Notification Form BN-19-3-172; iv. Breach Notification Form BN-19-5-26; v. HSE investigation regarding BN-19-5-26, dated 17 June 2019; vi. The HSE’s Waste Management Awareness Handbook, dated 2014 vii. HSE Data Protection Policy, dated 25 May 2018 viii. HSE Information Technology Security Policy, dated February 2013; ix. DPC Notice of Commencement of an Inquiry, dated 17 November 2019 ; x. HSE Code of Governance, dated July 2011; xi. DPC Report “Data Protection Investigation in the Hospitals Sector”, dated May 2018; xii. HSE’s submissions on the Draft Inquiry Report, dated 3 March 2020; xiii. Summary of information provided by the Deputy Data Protection Officer to heads of department at Louth Hospitals, xiv. List of HSE GDPR/Data Protection Policies, xv. Document outlining how data protection matters were communicated to heads of department from the Regional Manager of Consumer Affairs from 2012 – 2017, xvi. List of HSE National IT Security Policies, xvii. Memorandum from the Director of Nursing to the Nursing Team dated 2 May 2019; xviii. Template data breach checklist; xix. List of training awareness events held in advance of the GDPR coming into force in 2018; xx. Pre-GDPR emails regarding data protection notices and alerts; xxi. Confidential console lists including locations; xxii. Louth Hospitals Procedure for Use of Confidential Paper Waste Console; xxiii. Memorandum addressed to staff in Louth Hospitals concerning security and confidentiality under the Data Protection Acts 1988 and 2003; xxiv. Statement by Our Lady of Lourdes Hospital regarding the personal data breach; xxv. The GDPR poster awareness campaign November/December 2018; xxvi. Correspondence from the DPC to the HSE dated 5 March 2020; xxvii. HSE submissions from 20 March 2020; xxviii. HSE document, “About Human Resources”, dated 16 April 2020; xxix. Chapter 9 of the HSE Code of Governance, submitted separately to the HSE Code of Governance, dated July 2011; xxx. HSE “Standards and Recommended Practices for Healthcare Records Management”, Rev 3.0, dated May 2014; and xxxi. The HSE’s submissions on the Draft Decision by email, dated 14 September 2020.