DPC - Health Service Executive - August 2020 (IN-19-9-1)

From GDPRhub
Revision as of 20:40, 24 February 2021 by Cellular (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Ireland |DPA-BG-Color=background-color:#013d35; |DPAlogo=LogoIE.png |DPA_Abbrevation=DPC |DPA_With_Country=DPC (Ireland) |Case_Number_Name=Hea...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DPC - Health Service Executive - August 2020 (IN-19-9-1)
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 18.08.2020
Published:
Fine: 65000 EUR
Parties: Health Service Executive
National Case Number/Name: Health Service Executive - August 2020 (IN-19-9-1)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Cellular

The DPC commenced inquiry IN-19-9-1 in respect of one personal data breach notified by the HSE to the DPC. The personal data breach occurred when documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, were disposed of in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County.

The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.

English Summary

Facts

One personal data breach has been notified by the HSE to the DPC. The personal data breach occurred when documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, were disposed of in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County.

Dispute

Holding

The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.

Comment

Decision IN-19-9-1 was issued in August 2020 and Decision IN-19-9-2 was issued in September 2020. These decisions should be read in conjunction with one another in circumstances where they concern the same processing operations, undertaken by the same controller, and concern the same time period.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.
Retrieved from "https://gdprhub.eu/index.php?title=DPC_-_Health_Service_Executive_-_August_2020_(IN-19-9-1)&oldid=13779"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki