DPC - Health Service Executive - August 2020 (IN-19-9-1)
DPC - Health Service Executive - August 2020 (IN-19-9-1) | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(f) GDPR, Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 18.08.2020 |
Published: | |
Fine: | 65000 EUR |
Parties: | Health Service Executive |
National Case Number/Name: | Health Service Executive - August 2020 (IN-19-9-1) |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Data Protection Commission (in EN) |
Initial Contributor: | Cellular |
The DPC commenced inquiry IN-19-9-1 in respect of one personal data breach notified by the HSE to the DPC. The personal data breach occurred when documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, was disposed of in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County.
The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.
English Summary
Facts
One personal data breach has been notified by the HSE to the DPC. The personal data breach occurred when documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, was disposed of in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County.
Dispute
Holding
The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.
Comment
Decision IN-19-9-1 was issued in August 2020 and Decision IN-19-9-2 was issued in September 2020. These decisions should be read in conjunction with one another in circumstances where they concern the same processing operations, undertaken by the same controller, and concern the same time period.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.