DVI (Latvia) - Nacionālajam veselības dienestam

From GDPRhub
DVI - Nacionālajam veselības dienestam
LogoLV.png
Authority: DVI (Latvia)
Jurisdiction: Latvia
Relevant Law: Article 24(1) GDPR
Article 32(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 22.05.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Nacionālajam veselības dienestam
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Latvian
Original Source: DVI (Latvia) (in LV)
Initial Contributor: mg

The Latvian DPA found the use of a personal unique identifier was insufficient to clearly identify a data subject and prevent unlawful disclosure of special categories of data by the national health service provider. The use of additional criteria, such as the data subject's name, was necessary.

English Summary

Facts

A Latvian court requested the Latvian National Health Service to share some data concerning a minor. In such an order, the data subject was identified by name and surname and a numerical code, which turned out to be wrong.

The National Health Service, the controller, identified a wrong data subject by means of the personal numerical code and disclosed their health data to the court.

The Latvian DPA started an investigation against the controller.

Holding

The DPA pointed out that Latvian law imposes the use of a unique identifier as the safest way to store and process personal data of citizens. This system is the safest and minimises mistakes such as the unlawful disclosure of health data of people other than the one whose data are requested by a public institution – in this case the court.

However, the DPA also held that this system, taken alone, was not sufficient to avoid unlawful disclosures. In particular, the National Health Service should have relied on additional criteria, such as name and surname of the data subject - which was already known to them. The need of a double check became apparent in the case at issue, where matching the code with these additional pieces of information would have easily prevented the controller from disclosing sensitive data of another data subject.

Therefore, the controller did not put in place technical and organisational measures to minimise risks of unauthorised disclosure and violated Articles 24(1) and 32(1)(b) GDPR. Processing was thus unlawful and infringed Articles 6(1)(a) and (f) and 9(2) GDPR.

In light of the above, the DPA held proportionate to order the controller pursuant to Article 58(2)(d) GDPR to adapt its technical and organisational measures, without imposing a fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.

Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv



                                                  Riga



                                                                                                      [..]


                                                                   For the National Health Service
                                                                         in the eAddress information system


                                              The decision


Riga, 22.05.2023. [..]


On the application of the corrective measure

      [1] On October 11, 2022, the Data State Inspectorate (hereinafter - DVI) received the Health Inspection
letter (hereinafter - Letter) about the National Health Service (hereinafter - Service) carried out [..]

(hereinafter - Data subject) processing of personal data.
      The information provided in the letter indicated that the Riga Orphan's Court (hereinafter - the Orphan's Court), requesting
The service has information on whether the electronic information of the unified health sector

the system (hereinafter - the E-health system) includes information on the health data of the Data subject,
in his request indicated the first and last name of the Data Subject and an incorrect one - for another natural person
would be assigned a personal code, while the Service, in response to the request of the Orphan's Court, issued

information as if about the Data subject, stating the name and surname of the Data subject in the letter, but not specifying it
personal code and adding the data obtained from the E-health system about the person whose personal code
was stated in the request of the Orphan's Court.
      [2] In order to verify the legality of the Service's actions and in accordance with the Data of Natural Persons

processing law (hereinafter - FPDAL) Article 4, Paragraph 1, Clause 1 and Article 5, Paragraph 1, Clause 1,
General Data Protection Regulation (hereinafter referred to as GDPR) Article 57, Clause 1, subparagraphs a) and h) and
GDPR, Article 58, Clause 1, letter a), d), e), DVI started an inspection case on November 24, 2022

[..] on the compliance of personal data processing carried out by the Service with GDPR requirements. 5
      [2.1] As part of the inspection, DVI with the letter of November 25, 2022 (hereinafter - Request)
invited the Service to provide information on the questions asked in the Request. Service with 2022



1DVI registered with [..]
2 Letter of the Orphan's Court of June 21, 2022 [..]
3 Service's letter of July 4, 2022 [..]
4 Regulation No. 2016/679 of the European Parliament and the Council of April 27, 2016 on the protection of natural persons in relation to
processing of personal data and free movement of such data and repealing Directive 95/46/EC
5
 DVI letter of November 25, 2022 [..] 2

                    6
The letter of December 7 informed that:
      [2.1.1] The service selects natural persons (data subjects) in the E-health system and
health data only by personal code;

      [2.1.2] In the opinion of the Service, the personal code is the only information selection criterion that E-health
the system ensures error-free, unambiguous and secure processing of personal and health data. In addition, in this
in this way, the principle of data minimization is observed - unnecessary data is not processed (obtained).
for the specific purpose - to provide an answer to the authorities about whether the person is included in the E-health system

card of a narcological patient, as well as a card for a patient with mental and behavioral disorders -
to achieve;
      [2.1.3] by entering the personal codes indicated in the requests of institutions into the E-health system, the Service

the employee receives only the following information: a list of documents containing the following fields: date,
ID number of the document, type of document and medical institution where the specific services will be received;
      [2.1.4] without performing additional personal and health data processing in the E-health system, for the Service
it is not possible to check/compare the personal data specified in the institution's requests with E-Health

for the data selected in the system. At the same time, the Service stated that it is not entitled to expand data processing if
specific information is requested in the institution's requests. In response to information from the authorities
for requests in which specific and accurate information is requested, the Service refers to the specific ones
the outgoing document number of the institution and the name of the person about whom information is requested and

surname to avoid incorrect personal codes;
      [2.1.5] until the day of preparation of the answer, the Service has information on two cases
(including this one) when the Service, based on the personal code specified in the institution's request, has

provided incorrect information. The Service has not received complaints from data subjects;
      [2.1.6] in consultation with information requesters, the Service will evaluate the possibility of restoring the practice
in the reply letters to the authorities, indicate the personal code of the data subject, instead of the name and surname of the data subject,
as so far;

      [3.] DVI has taken steps to clarify the addressee's opinion and in accordance with 1.- of this decision
The findings in point 2 are concluded:
      [3.1.] GDPR aims to protect the fundamental rights and freedoms of natural persons and, in particular, their rights
to the protection of personal data.

      According to Article 4, Clauses 1, 2 and 15 of GDPR, "personal data" is any information related to
to an identified or identifiable natural person ("data subject"), "health data" means personal data,
related to the physical or mental health of an individual, including health care services
                                                      8
provision, while "processing" refers to any operations with personal data that are fully or partially performed
by automated means, as well as operations with such personal data that form or are intended to,
to form part of the file. Therefore, a person's name, surname and personal identification number are personal data,
information about health care services provided to a person is health data, but with them

the activity performed, including acquisition and disclosure, is personal data processing pursuant to Article 4, Clause 2 of GDPR
comprehension.



6 Service's letter of December 7, 2022 [..]
7 An identifiable natural person is one that the public can indirectly identify by specifically referring to an identifier, for example
name, surname, identification number, location data, online identifier or the said person
physical, economic, cultural, social identities, etc. specific to the natural person. factors
8 For example, collecting, organizing, structuring, storing, adapting or transforming, viewing, using,
disclosure by sending, distribution or otherwise making available, matching or combining, restriction, or deletion.
9 Processing of personal data by automated means includes data processing in information systems where selection is possible
person by specific identifiers, for example, using information technology systems
10
  Any structured set of personal data that is accessible according to specific criteria, regardless of whether the data
the set is centralized, decentralized or dispersed based on functional or geographical motivation 3

                                                                                          11
      The manager is responsible for the compliance of personal data processing with GDPR requirements. Appropriately
Cabinet of Ministers Regulation No. 134 of March 11, 2014 "Regulations on the unified health sector
electronic information system" to point 2 and published on the website of the E-health system

for information, the Service is considered the controller.
      In order to recognize the data processing performed by the controller as legal and lawful, the controller must comply with the GDPR
The principles of personal data processing determined in Article 5, Clause 1, according to which the processing carried out must be
for an appropriate legal basis 14 and personal data must be processed in such a way as to ensure

adequate security of personal data, including protection against unauthorized or unlawful processing and against
accidental loss, destruction or damage using appropriate technical or
organizational measures. 15

      Paragraph 1 of Article 6 GDPR states that the processing is legal only to the extent and only if there is
at least one of the legal bases is applicable: consent, contract performance, legal obligation,
public interest, protection of vital interests and observance of legitimate interests. According to the GDPR
Paragraph 1 of Article 9 prohibits the processing of personal health data, if it is not applicable to such processing

any of the justifications mentioned in Article 9, Clause 2 of GDPR. Thus, only if any of
GDPR Article 6, Clause 1, Article 9, Clause 2 of the legal grounds and in compliance with GDPR
The principles of personal data processing defined in Article 5, Clause 1, personal data processing performed by the manager
is recognized as legal.

      In accordance with GDPR Article 24, Clause 1, the manager implements appropriate technical and organizational measures
measures to ensure and be able to demonstrably demonstrate that the processing takes place in accordance with the GDPR. Yes
if necessary, the mentioned measures are reviewed and updated. Paragraph 1 of Article 32 GDPR states that taking

taking into account the state of the art, the costs of implementation and the nature, extent, context and purposes of the processing, how
also different possibilities and degrees of severity of risk in relation to the rights and freedoms of natural persons,
the manager and the processor implement appropriate technical and organizational measures to ensure
a level of security appropriate to the risk, including continuity of processing systems and services
                                                     16
confidentiality, integrity, availability and resilience. On the other hand, in accordance with GDPR Article 32, Clause 2,
assessing the appropriate level of security shall take into account in particular the risks posed by the processing, in particular accidental or
illegal destruction, loss of sent, stored or otherwise processed personal data,
modification, unauthorized disclosure or access to them.

      At the same time, the GDPR leaves the controller a free choice in the selection of the mentioned measures, subject to its actions
existing resources, technical capabilities, etc. criteria. Namely, the legislator has determined the goal, which would be
achievable, but the means by which to ensure the security of personal data processing and compliance with the GDPR

requirements, must be chosen by the manager himself.
      [3.2] DVI concludes that in the specific case the Service has chosen to select data in the E-health system
only according to one selection criterion, i.e. personal code. In addition, when selecting information only by personal code,
The service does not have the possibility to compare the personal data specified in the requests of the institutions (name, surname,

personal code) with the personal data in the E-health system, because according to the created E-health
for the specifics of the system, only the following information is available to the Service employee: personal code and
the ID number of the relevant documents, the type of document and the medical institution where the specific documents were received
services.

      DVI shares the opinion of the Service that the personal code is the most secure identifier that is unique


11 Pursuant to Article 4, Clause 7 of GDPR, the controller is a natural or legal person, public institution, agency or other body,
which alone or jointly with others determine the purposes and means of personal data processing
12https://likumi.lv/ta/id/264943-rules-for-the-single-health-industry-electronic-information-system
13https://eveseliba.gov.lv/sakums/datu-aizsardz%C4%ABba
14VDAR Article 5, Clause 1, subparagraph a)
15
16VDAR, Article 5, Clause 1, subparagraph f).
  GDPR, Article 32, Clause 1, Clause b) 4

and assigned to one person only. However, both the specific case and the other case in the Service
the received information indicates that using only one selection criterion (personal code) does not
correct and safe processing of personal data in the E-health system is ensured. Therefore, the Service

the technical and organizational measures implemented may not be sufficient to ensure safe and
Processing of personal data in accordance with GDPR requirements.
      At the discretion of DVI, if the Service, implementing technical and organizational measures, E-health
would have introduced additional selection criteria into the system, for example by first name or last name or if, by entering
personal code, the Service employee would be able to see a larger amount of information (at least of the data subject
name and surname), then this type of violation would not have occurred. Namely, if the institution in its request
would have indicated an incorrect personal code belonging to another person or an incorrect first and last name,

then the Service, entering these data in the E-health system, would have the opportunity to compare them with the E-health system
to the existing personal data (name, surname, personal code) and react accordingly, not allowing others
processing (acquisition and disclosure) of a person's personal and health data. Taking into account that myself
the name and surname are already indicated in the requests, the Service employees already know this information and
no additional information will be disclosed.
      Taking into account the aforementioned, the set of information obtained within the scope of the inspection is sufficient and allows to conclude,

that, the Service, choosing to select data in the E-health system only according to one selection criterion (persons
code), has not evaluated all possible risks of personal data processing and has not successively implemented appropriate ones
technical and organizational measures, thus allowing illegal third party persons and
processing (acquisition and disclosure) of health data. Thus, the Service has violated Article 5 of GDPR
The persons mentioned in points a) and f) of point 1, point 1 of Article 6 of GDPR, point 2 of Article 9 of GDPR
principles of data processing and Article 24, Clause 1 and Article 32 of GDPR. the provisions of Article 1, Clause "b".
requirements.

      At the same time, DVI takes into account the fact that in the specific case the Orphan's Court itself provided the Service
incorrect information, as well as the fact that the Service has not received the data until the day of preparation of the decision
complaints of subjects in connection with the provision of incorrect information to the authorities. Likewise, DVI takes into account its own
The service recognized that additional information is a selection criterion, such as the first and last name of the data subject
use, would reduce the risk of processing incorrect personal and health data.
      [4] According to Article 58, Clause 2, Subsection d) of GDPR, each supervisory authority has powers
to issue an order to the manager or processor to align the processing activities with GDPR regulations,

if necessary - in a specific way and in a specific period of time. Article 23 of GDPR stipulates that DVI,
when making decisions regarding the imposition of a legal obligation, the Law on Administrative Procedure shall be applied.
      Taking into account the above and the fact that a violation of the provisions of the GDPR has been found in the Service's operation, DVI
in accordance with the first part of Article 66 of the Administrative Procedure Law, it is necessary to decide on the administrative
the utility of issuing the act.
      [4.1] Evaluating the necessity and necessity of the administrative act, DVI concludes that the decision

adoption is both necessary and necessary to achieve the goal of preventing the GDPR provision
violation. Namely, to prevent unlawful personal and health data in the future operation of the Service
processing (acquisition and disclosure) in the E-health system.
      [4.2.] The administrative act is a suitable means to achieve the goal, because it creates a legal
the duty of the Service to prevent the detected violations, as well as to prevent the occurrence of similar violations
in the future.
      [4.3] The administrative act is considered the most proportionate means to achieve the goal, because

compared to the decision on the imposition of an administrative penalty, it is considered more lenient. At the same time
the imposition of the legal obligation is aimed at the data subject in GDPR, FPDAL and other regulatory acts
provision of the expected basic rights to personal data protection. 5

      In compliance with the above, DVI, based on Article 3, paragraph 2, Article 5, paragraph 1 a), f) of GDPR

subsection, Article 6(1), Article 9(2), Article 58(2)(d), GDPR
Article 23 and Article 63, Part One, Clause 2 of the Law on Administrative Procedure,

                                              decides:


      to oblige the Service to review the existing practice in fulfilling the requests of institutions, including
evaluate the technical and organizational measures implemented in the E-health system (for example,
providing the Service employee with the opportunity to obtain a larger amount of information, i.e. also the data subject
first and last name), updating existing or developing new personal data processing accordingly
safety regulations and other internal/external regulations.


      Based on Article 58, Clause 1, subparagraph e) of GDPR and the first part of Article 5 of FPDAL
Paragraph 3, notify DVI about planned actions to fulfill the aforementioned obligation in writing by
By July 24, 2023, by submitting to DVI information about the services carried out and planned by the Service
events.


      In accordance with the second part of Article 24 of the FPDAL, the first and the second of Article 76 of the Administrative Procedure Law
part, the second part of Article 188 and the third part of Article 189 and the decision of the Council of Justice of May 18, 2022
No. 32 "On courts, their operational territories and locations", this decision can be appealed within one month
during the day of its entry into force in the Riga Courthouse of the Administrative District Court.



Director p.i. L. Dilba





























17 is the last day for submitting an answer by mail or sending it with a secure electronic signature