Datainspektionen - DI-2019-3839

From GDPRhub
Revision as of 22:45, 13 December 2020

Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 32(1) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2020
Published: 02.12.2020
Fine: 4000000 SEK
Parties: Styrelsen för Karolinska Universitetssjukhuset
National Case Number/Name: DI-2019-3839
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Swedish
Original Source: Datainspektionen (in SV)
Initial Contributor: Charlotte Godhe

The Swedish DPA holds that, under Article 32 GDPR, access to medical records has to be restricted according to each individual care worker's need to access them in order to perform their job; a role-wide grant is not enough.

English Summary

Facts

The Karolinska University Hospital assigned healthcare personnel access to patient records on the basis of their role, i.e. whether they were doctors or nurses, rather than on the basis of what each person needed for their work. As a result, the system let staff access almost all medical records, regardless of whether they needed them.

Dispute

Had the Karolinska University Hospital taken appropriate organisational measures under Article 32 GDPR to limit access to personal data in its medical record system?

Holding

The DPA held that the Karolinska University Hospital had not restricted access to patient records according to what the individual healthcare worker needed in order to perform their work. The hospital had thus not taken appropriate organisational measures under Articles 5(1)(f) and 32 GDPR to limit access to personal data. It had therefore also failed to ensure, and to be able to demonstrate, appropriate security for personal data as required by Articles 5(1)(f) and 5(2) GDPR.
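The contrast the DPA draws, between granting a whole role (doctor, nurse) access to every record and granting each person access only to the records they need, can be made concrete in code. The example below is an added illustration written for this page; it is not code from the decision or from the hospital's record system, and its data model (a patient's care team, an emergency "break-glass" path with a stated reason, the staff and patient identifiers) is assumed for the sake of the example. The `exposure` helper counts how many (user, patient) pairs each policy permits, which is the kind of measurement an auditor would run against a real system.

```python
"""Added illustration (not from the DPA decision): a role-only access
policy next to a need-based one for a toy medical-record system, plus a
helper that measures how much of the record base each policy exposes."""
from dataclasses import dataclass
from itertools import product
from typing import Callable

CLINICAL_ROLES = {"doctor", "nurse"}


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str   # "doctor", "nurse" or something else; constructed values
    unit: str   # ward the person works on (assumed attribute)


@dataclass(frozen=True)
class Patient:
    patient_id: str
    unit: str             # ward the patient is admitted to (assumed)
    care_team: frozenset  # staff with an active care assignment (assumed)


# Constructed sample data, not taken from the decision.
STAFF = [
    Staff("d1", "doctor", "cardiology"),
    Staff("d2", "doctor", "oncology"),
    Staff("n1", "nurse", "cardiology"),
    Staff("n2", "nurse", "neurology"),
    Staff("a1", "admin", "finance"),
]
PATIENTS = [
    Patient("p1", "cardiology", frozenset({"d1", "n1"})),
    Patient("p2", "oncology", frozenset({"d2"})),
    Patient("p3", "neurology", frozenset({"n2"})),
]

Policy = Callable[[Staff, Patient], bool]


def role_only_policy(user: Staff, patient: Patient) -> bool:
    """The pattern the DPA found inadequate: any clinical role reads any record."""
    return user.role in CLINICAL_ROLES


def need_based_policy(user: Staff, patient: Patient) -> bool:
    """Access requires a clinical role AND an active care assignment for
    this particular patient (the assignment model is an assumption)."""
    if user.role not in CLINICAL_ROLES:
        return False
    return user.user_id in patient.care_team


def exposure(policy: Policy, staff=STAFF, patients=PATIENTS) -> tuple:
    """Return (permitted pairs, all pairs) for a policy over the sample data."""
    allowed = sum(1 for u, p in product(staff, patients) if policy(u, p))
    return allowed, len(staff) * len(patients)


def check_access(policy: Policy, user: Staff, patient: Patient, audit_log: list) -> bool:
    """Evaluate the policy and record the decision, allowed or not."""
    decision = policy(user, patient)
    audit_log.append({"user": user.user_id, "patient": patient.patient_id,
                      "policy": policy.__name__, "allowed": decision,
                      "emergency": False})
    return decision


def emergency_access(user: Staff, patient: Patient, reason: str, audit_log: list) -> bool:
    """Break-glass path (assumption): a clinical user without an assignment may
    read the record if a reason is given; every use is flagged for follow-up."""
    if user.role not in CLINICAL_ROLES or not reason.strip():
        return False
    audit_log.append({"user": user.user_id, "patient": patient.patient_id,
                      "policy": "emergency_access", "allowed": True,
                      "emergency": True, "reason": reason.strip()})
    return True


if __name__ == "__main__":
    for policy in (role_only_policy, need_based_policy):
        permitted, total = exposure(policy)
        print(f"{policy.__name__}: {permitted}/{total} (user, patient) pairs readable")
```

On the constructed data the role-only policy lets 12 of 15 (user, patient) pairs read a record, the need-based policy 4 of 15; the difference is what "regardless of necessity" means in the Facts above. The flagged emergency entries are the ones a records officer should review, since they are the only reads the need-based rule did not authorise on its own.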

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.