Datainspektionen - DI-2019-3839

From GDPRhub
Revision as of 15:56, 14 April 2021 by Msm
Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2020
Published: 02.12.2020
Fine: 4000000 SEK
Parties: Styrelsen för Karolinska Universitetssjukhuset
National Case Number/Name: DI-2019-3839
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Swedish
Original Source: Datainspektionen (in SV)
Initial Contributor: Charlotte Godhe

The Swedish DPA (Datainspektionen) held that access to medical records has to be restricted to what each individual care worker needs in order to perform their job. The DPA therefore fined the Karolinska University Hospital approximately €391,000 for a breach of Articles 5 and 32 GDPR.

English Summary

Facts

The Karolinska University Hospital assigned healthcare personnel access to patient records on the basis of whether they were doctors or nurses. This profile-based system gave users access to almost all medical records, regardless of whether they needed them.

Dispute

Had the Karolinska University Hospital taken organisational measures to limit access to personal data in the medical record system, under Article 32 GDPR?

Holding

The DPA held that the Karolinska University Hospital had not restricted access to patient records to what each member of the healthcare personnel needed to perform their work. The hospital had thus not taken appropriate organisational measures under Articles 5(1) and 32 GDPR to limit access to personal data. The hospital had therefore also failed to ensure, and be able to demonstrate, appropriate security for personal data under Article 5(2) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Data Inspectorate

DI-2019-3839

The Data Inspectorate's decision

The Swedish Data Protection Authority has found, in its inspection on 27 March 2019, that the Board of Karolinska University Hospital (Karolinska University Hospital) processes personal data in breach of Article 5(1)(f) and 5(2) and Article 32(1) and (2) of the General Data Protection Regulation[1] in that

1. Karolinska University Hospital, in its capacity as controller, does not meet the requirement to have carried out a needs and risk analysis before authorisations are assigned in the TakeCare medical record system, in accordance with Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act (2008:355) and Chapter 4, Section 2 of the National Board of Health and Welfare's regulations and general advice (HSLF-FS 2016:40) on record keeping and processing of personal data in health care. This means that Karolinska University Hospital has not taken appropriate organisational measures to ensure, and be able to demonstrate, that the processing of personal data has a level of security appropriate to the risks involved.

2. Karolinska University Hospital has not limited users' authorisations for access to the TakeCare medical record system to only what each user needs in order to carry out their duties in health care, under Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of HSLF-FS 2016:40. This means that Karolinska University Hospital has not taken measures to ensure, and be able to demonstrate, adequate security for personal data.
The Data Inspectorate decides, on the basis of Articles 58(2) and 83 of the General Data Protection Regulation and Chapter 6, Section 2 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation, that Karolinska Universitetssjukhuset shall pay an administrative fine of SEK 4 000 000 (four million) for infringement of Article 5(1)(f) and (2) and Article 32(1) and (2) of the General Data Protection Regulation.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The Data Inspectorate, on the basis of Article 58(2)(d) of the General Data Protection Regulation, orders Karolinska University Hospital to ensure that the necessary needs and risk analysis is carried out and documented for the TakeCare medical record system and that, on the basis of that analysis, each user is then assigned individual access rights to personal data limited to what is necessary for the individual to carry out their duties in health care, in accordance with Article 5(1)(f) and Article 32(1) and (2) of the General Data Protection Regulation, Chapter 4, Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of HSLF-FS 2016:40.

Description of the supervision case

The Swedish Data Protection Authority initiated supervision by letter on 22 March 2019 and, on site on 27 March 2019, examined whether Karolinska University Hospital's decisions on the assignment of authorisations had been preceded by a needs and risk analysis. The inspection also covered how Karolinska University Hospital assigns authorisations for access to the main medical record system TakeCare, and what access the assigned authorisations provide, both within the framework of internal confidentiality under Chapter 4 of the Patient Data Act and within coherent record keeping under Chapter 6 of the Patient Data Act. In addition, the Swedish Data Protection Authority examined what documentation of access (logs) is available in the record system.

The Swedish Data Protection Authority has examined only users' access to the system, i.e. which health care documentation a user can actually open and read. The review does not cover the functions included in an authorisation, i.e. what the user can actually do in the medical record system (e.g. issue prescriptions, write referrals, etc.).
Previous review of Karolinska University Hospital's authorisation management

The Swedish Data Protection Authority has previously inspected Karolinska University Hospital's access control, among other things. In the Data Inspectorate's decision 920-2012, notified on 26 August 2013, Karolinska University Hospital was instructed, among other things, to carry out a needs and risk analysis as a basis for assigning authorisations in TakeCare. Following the decision, Karolinska University Hospital submitted a written reply dated 18 December 2013, stating, inter alia, that it had started work on an action plan and a needs and risk analysis.
What has emerged in the case

Karolinska University Hospital has essentially stated the following.

Controller

Karolinska University Hospital is a separate authority within Region Stockholm. The Board of Karolinska University Hospital is the controller for the processing of personal data that Karolinska University Hospital performs in the main medical record system TakeCare.

Organisation

Care at Karolinska University Hospital is organised on the basis of medical themes and a number of functions that bring together competences. Wards, clinics and day care are organised according to themes. Each theme is divided into a number of patient areas, which bring together similar patient flows. A function is an area of expertise that cuts across themes. A function assists with skills and resources that are used for many different patient groups and thus in several themes. There is a patient area manager and a functional area manager for each area.

Journal system

Karolinska University Hospital uses TakeCare as its main medical record system and participates in TakeCare's coherent record keeping. Karolinska University Hospital manages TakeCare and has signed the contract with the supplier. Karolinska University Hospital therefore has a large number of data-processing and sub-processing agreements with other health care providers.

There is both a regional and a local organisation for TakeCare. The regional organisation consists of a management group (steering group) which, in addition to Karolinska University Hospital, consists of representatives of six other health care providers.

Users and patients

Karolinska University Hospital has almost 16,000 employees in total. The number of users of the TakeCare medical record system who are employed at Karolinska University Hospital is 12 285, of which 1 328 users are inactive. At the time of the inspection there were therefore 10 957 active users. A user account is automatically deactivated if no login has been made for 60 days.

The TakeCare medical record system contains records for about 3 million patients. Of these, 1 970 000 patient records are registered with, and de facto belong to patients at, Karolinska University Hospital.

The coherent record keeping in TakeCare covers about 200-400 health care providers. It is currently possible to search for all personal identity numbers available in TakeCare. However, there are discussions at regional level about limiting, in some cases, the possibility of searching for information to a limited number of patients, for example patients at a particular residence.
Internal confidentiality

Needs and risk analysis

Karolinska University Hospital cannot submit any completed needs and risk analysis for TakeCare. It is the respective patient area manager and functional area manager who are to carry out and document the needs and risk analyses before assigning authorisations. It is, however, regularly investigated what the needs are and which authorisations should be assigned to employees, e.g. for new hires. The template for needs and risk analyses available in Karolinska University Hospital's guidelines is not filled in regularly.

Karolinska University Hospital is unable to answer whether the work initiated following the Data Inspectorate's previous supervisory decision of 26 August 2013 resulted in a needs and risk analysis for TakeCare.

Following the inspection, Karolinska University Hospital has begun work to ensure that needs and risk analyses are carried out throughout the organisation. Among other things, a needs and risk analysis has been carried out for the Perioperative Medicine and Intensive Care function in accordance with Karolinska University Hospital's guidelines.


Granting access to personal data of patients

There are approximately 40 authorisation profiles in TakeCare, containing functions such as "read prescriptions". Of these, 26 are so-called read functions. There are, for example, two authorisation profiles for nurses, where the difference between the profiles is that one has automated login. This means that, for one profile, login takes place automatically at the care unit the user belongs to, but not for the other. For doctors there are also two authorisation profiles. The difference between the profiles is that one has access to a so-called emergency ligature. A user can have several different authorisation profiles, up to a maximum of five. For example, a medical student may have been assigned authorisations from multiple units. Staff themselves tick units in the record filter in TakeCare, which means that they make an active choice to access patient information at different units. If a user ticks the "all units" option, no further active choice is needed to access patient information from all units. Although there are different authorisation profiles, Karolinska states that users "have access to all patients in TakeCare".

All accounts are individual, i.e. there is no account that multiple users can use (group account).

The policy document "Decision on the assignment of authorisations" from 2015 (last updated on 23 October 2018)[2] provides a general description of the regulatory framework and the conditions for assigning authorisations. It also contains a description of an approach to conducting a needs and risk analysis, based on the user's need to have access to personal data concerning patients in their work, and refers to the assignment of an authorisation profile. The guideline also recalls certain relevant issues. It is also stated that some of the examples do not match the authorisation profiles available.

After the inspection, Karolinska University Hospital carried out a needs and risk analysis for the Perioperative Medicine and Intensive Care function. In this analysis, the risks taken into account are those that arise if employees within the operation do not have access to relevant information, and risks related to too broad or generous access to patient information.

[2] The guideline "Assignment of authorisations" has been developed by lawyers and established by the Chief Medical Officer in the area of quality and patient safety.


Access to personal data of patients in the Stockholm County Health Care Area

During the inspection it was found that users at Karolinska University Hospital have access to data on patients in the Stockholm County Health Care Area (SLSO). According to Karolinska University Hospital, this is because Karolinska University Hospital and SLSO are listed as "one and the same" care unit in TakeCare. This means that users at Karolinska University Hospital technically also have access to information on patients at SLSO within the internal confidentiality, and vice versa.

Regarding the background and motives for Karolinska University Hospital and SLSO being listed as one care unit in TakeCare, Karolinska University Hospital referred to an enforcement decision dated 2010-01 and minutes of the Board meeting. The minutes show that the county council director established in the enforcement decision that the County Council (SLL) administrations that provide health care belong to the care provider SLL and that this means that Karolinska University Hospital and SLSO shall, until further notice, remain unchanged as one and the same healthcare provider in TakeCare.
Coherent record keeping

Needs and risk analysis

No needs and risk analysis has been carried out before staff were given access to other health care providers' health care documentation within coherent record keeping.

Granting access to personal data of patients

Users at Karolinska University Hospital have access to other healthcare providers' data on patients in TakeCare within the framework of coherent record keeping. Access is arranged per patient and requires the patient's consent. When searching for a patient, the healthcare providers from which the patient has previously sought care are shown. This gives an indication that there may be information about the patient at another healthcare provider. Such information can be important when prescribing medicines, for example. By making an active selection and clicking on a specific unit, the user can access the information.

There is a decision from the Stockholm Region that every care provider who chooses to use the TakeCare medical record system must also be included in the coherent record keeping.

Karolinska University Hospital has a policy document "Access to patient record, guideline", effective from 17 August 2018[3]. The guideline contains a general description of the regulatory framework and sets out the conditions for accessing the care documentation in TakeCare in certain situations.
Technical limitations in TakeCare regarding access to personal data of patients

The technical limitation on user access that Karolinska University Hospital uses relates to so-called protected units in TakeCare. There are currently six such units, including ANNOVA, the SESAM reception and the child protection team. For protected care units it is not possible to limit authorisations at the individual level, but access to the medical record documentation for these patients is limited to a defined user group. The protected units are not visible in the record and are not included in the default profile role in the record filter. Decisions on protected units have been preceded by an assessment from both a patient safety and a privacy perspective. Protected care units are currently used only to a limited extent, because more widespread use would pose significant patient safety risks.

Karolinska University Hospital has stated the following in a supplementary statement.

Technical restrictions on individual staff members' access: The TakeCare electronic health record system allows access to be restricted in that the healthcare unit can control what information each user group (usually a professional group) at the unit can see and what each user group can do. The healthcare unit can also control what information user groups at other healthcare units can see or do. However, as TakeCare is configured today, it only allows control at user group level. There is no possibility of technically restricting an individual staff member's access. This applies both to so-called internal confidentiality and to access through coherent record keeping. As regards the hospital's so-called protected units, it is likewise not possible to restrict authorisations at the individual level, but access to the medical records of these patients is limited to a defined user group.

[3] The guideline "Access to patient records, guideline" is developed by lawyers and established by the Chief Medical Officer in the area of quality and patient safety.
The possibility for a healthcare provider to opt out of access to other healthcare providers' patient documentation in TakeCare

Following a decision by the Stockholm Region, every healthcare provider who chooses to use the TakeCare medical record system is also included in the coherent record keeping. This means that a healthcare provider cannot restrict other healthcare providers' access to its own healthcare records. However, the individual healthcare provider can control its own users' access to data in the coherent record keeping. The TakeCare record system offers features with which the healthcare provider can restrict the access of its users so that they only have access to medical records from, for example, a designated group of other health care providers. To illustrate this, Karolinska University Hospital has referred to a screenshot showing authorisation by provider.

From the screenshot it can be seen that, at unit level, it is possible to control the authorisation of a unit's users in relation to other healthcare providers' units by placing those units in a "view documents" or "do not view documents" list. The latter list shows that it is possible to block units of other health care providers. However, the function does not appear to exist per provider; instead, all units of the provider in question must be blocked if one wants to block a healthcare provider.
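The profile-level access described above (authorisation per user group, a record filter that the user ticks, protected units limited to a defined group) and the individually assigned, need-based authorisation that the decision requires can be put side by side in code. The following Python block is an added example written for this page; it is not TakeCare code or anything from Karolinska University Hospital, and all users, units, records and the `GRANTED` table standing in for a documented needs and risk analysis are constructed.

```python
"""Added example (not TakeCare code): two read-access models side by side.
The profile-level model mirrors what the decision describes (authorisation by
user group, a record filter the user ticks, protected units limited to a
defined group); the need-based model assigns each user an individual set of
units taken from a documented needs and risk analysis. All data is constructed."""
from dataclasses import dataclass

ALL_UNITS = "ALL"   # the "all units" option in the record filter


@dataclass(frozen=True)
class Record:
    patient_id: str
    care_unit: str           # unit at which the documentation was written


@dataclass(frozen=True)
class User:
    name: str
    profile: str             # group-level authorisation profile, e.g. "nurse"
    home_units: frozenset    # units the user actually works at
    ticked_units: frozenset  # units ticked in the record filter, or {ALL_UNITS}


# Protected units (constructed): access limited to a defined user group,
# modelled here as the set of user names in that group.
PROTECTED_UNITS = {
    "child-protection-team": frozenset({"anna"}),
    "sesam-reception": frozenset({"erik"}),
}


def protected_blocks(user: User, record: Record) -> bool:
    """True if the record belongs to a protected unit whose group excludes the user."""
    group = PROTECTED_UNITS.get(record.care_unit)
    return group is not None and user.name not in group


def can_read_profile_model(user: User, record: Record) -> bool:
    """Profile-level model: any active profile may read documentation from every
    non-protected unit. The record filter only decides which units the user has
    to tick first; it is not an authorisation boundary."""
    return not protected_blocks(user, record)


def needs_active_choice(user: User, record: Record) -> bool:
    """Whether the user must first tick the record's unit in the filter.
    No choice is needed once the "all units" option is ticked."""
    if ALL_UNITS in user.ticked_units:
        return False
    return record.care_unit not in user.ticked_units


def can_read_need_model(user: User, record: Record, granted: dict) -> bool:
    """Need-based model: the user may read only documentation from the units
    that the documented needs and risk analysis granted to that user."""
    if protected_blocks(user, record):
        return False
    return record.care_unit in granted.get(user.name, frozenset())


def readable_units(user: User, records, policy) -> list:
    """Sorted care units whose records the user can read under a policy."""
    return sorted({r.care_unit for r in records if policy(user, r)})


# Constructed sample data: four records, two users, one granted unit each.
RECORDS = [
    Record("p1", "ward-7"), Record("p2", "ward-3"),
    Record("p3", "ward-3"), Record("p4", "child-protection-team"),
]
MAJA = User("maja", "nurse", frozenset({"ward-7"}), frozenset({"ward-7"}))
OLA = User("ola", "doctor", frozenset({"ward-3"}), frozenset({ALL_UNITS}))
GRANTED = {"maja": frozenset({"ward-7"}), "ola": frozenset({"ward-3"})}


def compare(user: User) -> dict:
    """Units readable under each model, so the gap between them is visible."""
    profile = readable_units(user, RECORDS, can_read_profile_model)
    need = readable_units(user, RECORDS,
                          lambda u, r: can_read_need_model(u, r, GRANTED))
    return {"profile_model": profile, "need_model": need}


if __name__ == "__main__":
    for u in (MAJA, OLA):
        print(u.name, compare(u))
```

Under the profile model both constructed users can read every non-protected unit, and the filter merely changes whether they must tick a unit first; under the need model each reads only the unit the analysis granted. This is the difference the decision turns on: a filter or a profile per professional group is a usability and configuration feature, while the legal requirement is an individual authorisation bounded by documented need.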
Documentation of access (logs)

Karolinska University Hospital has presented various logs and stated essentially the following.

There are two types of logs, in-depth logs and targeted logs. In-depth log information can be requested for either the user (the employee) or the patient. Targeted log information can be requested by, for example, a patient.

From a screenshot showing the documentation in the logs, it appears that the following data is recorded in the log: patient, status, time, user, system, the server call (action) performed, and the care unit from which the action was performed.

Grounds for the decision
Current rules
GDPR the primary source of law
The General Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and
is the primary legal framework for processing personal data. This
also applies to health care.
The basic principles for the processing of personal data are set out in
Article 5 of the General Data Protection Regulation. A fundamental principle is the requirement of
security under Article 5(1)(f), which states that personal data shall be processed
in a way that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against loss,
destruction or accidental damage, using appropriate
technical or organisational measures.
Article 5(2) sets out the so-called accountability principle, i.e. that the controller is responsible for, and shall be able to demonstrate, compliance with the basic principles set out in paragraph 1.

Article 24 deals with the responsibility of the controller. Article 24(1) states that the controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is carried out in accordance with the General Data Protection Regulation. The measures shall be taken taking into account the nature, scope, context and purposes of the processing and the risks, of varying likelihood and severity, to the rights and freedoms of natural persons. The measures shall be reviewed and updated where necessary.

Article 32 regulates the security of processing. According to paragraph 1, the controller and the processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (...). Paragraph 2 provides that, in assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Recital 75 states that, in assessing the risk to the rights and freedoms of natural persons, various factors must be taken into account. These include whether personal data are covered by an obligation of professional secrecy, whether data concerning health or sex life are processed, whether personal data of vulnerable natural persons, in particular children, are processed, or whether the processing involves a large amount of personal data and affects a large number of data subjects.

Furthermore, it follows from recital 76 that the likelihood and severity of the risk to the rights and freedoms of data subjects should be determined by reference to the nature, scope, context and purposes of the processing. The risk should be evaluated on the basis of an objective assessment, which determines whether the data processing involves a risk or a high risk.

Recitals 39 and 83 also contain wording providing guidance on the more detailed meaning of the GDPR's security requirements for the processing of personal data.
The General Data Protection Regulation and the relationship with complementary national
provisions
According to Article 5(1)(a) of the GDPR, personal data shall be processed lawfully. For the processing to be considered lawful there must be a legal basis, in that at least one of the conditions laid down in Article 6(1) is fulfilled. The provision of health care is a task carried out in the public interest as referred to in Article 6(1)(e). In the health sector, the legal bases of legal obligation under Article 6(1)(c) and the exercise of official authority under Article 6(1)(e) may also be relevant.

When it comes to the legal grounds of legal obligation, public interest or the exercise of official authority, Member States may, under Article 6(2), maintain or introduce more specific provisions to adapt the application of the provisions of the Regulation to national circumstances. National law may further determine specific requirements for the processing and other measures to ensure lawful and fair processing. There is not only a possibility to introduce national rules but also an obligation: Article 6(3) states that the basis for the processing referred to in paragraph 1(c) and (e) shall be laid down by Union law or by the national law of the Member States. The legal basis may also contain specific provisions to adapt the application of the provisions of the General Data Protection Regulation. Union law or the national law of the Member States must meet an objective of public interest and be proportionate to the legitimate aim pursued.
Article 9 states that the processing of special categories of personal data (so-called sensitive personal data) is prohibited. Sensitive personal data include health data. Article 9(2) sets out the exceptions under which sensitive personal data may nevertheless be processed. Article 9(2)(h) states that processing of sensitive personal data may take place if the processing is necessary for reasons related to, inter alia, the provision of health care, on the basis of Union law or the national law of the Member States or pursuant to a contract with a health professional, and provided that the conditions and safeguards referred to in paragraph 3 are fulfilled. Article 9(3) requires a regulated obligation of professional secrecy. This means that both the legal grounds of public interest, exercise of official authority and legal obligation, and the processing of sensitive personal data under the derogation in Article 9(2)(h), require supplementary rules.
Additional national provisions

In Sweden, both the basis for the processing and the specific conditions for processing personal data in health care are regulated in the Patient Data Act (2008:355) and the Patient Data Regulation (2008:360). Chapter 1, Section 4 of the Patient Data Act states that the Act complements the General Data Protection Regulation.

The purpose of the Patient Data Act is to ensure that information management in health care is organised in such a way that it meets patient safety and good quality and promotes cost efficiency. Its purpose is also that personal data shall be designed and otherwise processed in such a way that the privacy of patients and other data subjects is respected. In addition, documented personal data shall be processed and stored in such a way that unauthorised persons cannot access them (Chapter 1, Section 2 of the Patient Data Act).

According to Chapter 2, Section 6 of the Patient Data Act, a healthcare provider is the controller for the processing of personal data carried out by the healthcare provider. In a region and a municipality, each authority that provides health care is the controller for the processing of personal data that the authority performs.

The additional provisions of the Patient Data Act aim to address both privacy and patient safety. The legislator has thus, through the regulation, struck a balance in terms of how information should be processed to meet both patient safety requirements and the right to privacy in the processing of personal data.

The National Board of Health and Welfare has issued regulations and general advice under the Patient Data Regulation on record keeping and the processing of personal data in health care (HSLF-FS 2016:40). The regulations constitute such supplementary rules and apply to healthcare providers' processing of personal data in health care.

National rules complementing the GDPR's security requirements are contained in Chapters 4 and 6 of the Patient Data Act and Chapters 3 and 4 of HSLF-FS 2016:40.
Requirement to carry out a needs and risk analysis

According to Chapter 4, Section 2 of HSLF-FS 2016:40, the care provider must carry out a needs and risk analysis before assigning authorisations in the system.

The need for an analysis of both needs and risks is clear from the preparatory work to the Patient Data Act, prop. 2007/08:126 pp. 148-149, as follows.

Authorisation for staff's electronic access to patient data shall be limited to what the officer needs in order to perform their duties in health care. This includes monitoring, changing or restricting authorisations as soon as changes in the individual officer's duties so require. The provision corresponds in principle to Section 8 of the Health Care Register Act. The purpose of the provision is to impress on the responsible care provider the obligation to make active and individual decisions on authorisation based on analyses of the details of the information that different categories of staff and different types of activities need. But not only needs assessments: risk analyses must also be carried out, taking into account the different types of risk that may be associated with excessive availability of certain types of data. Personal data marked as confidential, data on publicly known persons, and data from certain clinics or medical specialties are examples of categories that may require specific risk assessments.

Generally speaking, the more comprehensive an information system is, the more different levels of authorisation must exist. Decisive for the decision on authorisation for, for example, different categories of health professionals to have electronic access to data in medical records should be that the authorisation is limited to what the officer needs for the purpose of good and safe patient care. A broader or coarser-meshed assignment of access rights, even if it had merit from an efficiency point of view, should be regarded as an unjustified dispersal of medical records within an organisation and as such should not be accepted.

Furthermore, data should be stored in different layers so that more sensitive data requires active choices or is otherwise not as easily accessible to staff as less sensitive data. As regards staff involved in monitoring activities, producing statistics, central financial administration and similar activities that are not oriented towards individuals, it should be sufficient for the majority of those officers to have access to information that can only indirectly be linked to individual patients. Electronic access to code keys, personal identity numbers and other data directly pointing to individual patients should in this area be strongly limited to a few persons.

Internal confidentiality

The provisions of Chapter 4 of the Patient Data Act concern internal confidentiality, i.e. they regulate how privacy is to be handled within a healthcare provider's operations and, in particular, employees' ability to access personal data available electronically within a healthcare provider's organisation.

Chapter 4, Section 2 of the Patient Data Act states that the healthcare provider shall determine the conditions for granting authorisation for access to data on patients that is processed wholly or partly automatically. Such authorisation shall be limited to what is necessary for the individual to fulfil their tasks in health care.

According to Chapter 4, Section 2 of HSLF-FS 2016:40, the healthcare provider shall be responsible for ensuring that each user is assigned an individual authorisation to access personal data. The healthcare provider's decision to grant authorisation shall be preceded by a needs and risk analysis.

Coherent record keeping

The provisions of Chapter 6 of the Patient Data Act concern coherent record keeping, which means that a healthcare provider, under the conditions set out in Section 2 of the same chapter, may have direct access to personal data processed by other healthcare providers for purposes related to health care documentation. Access to information is provided by a healthcare provider making the information it records about a patient available to other healthcare providers participating in the coherent record keeping (see prop. 2007/08:126 p. 247).

It follows from Chapter 6, Section 7 of the Patient Data Act that the provisions of Chapter 4 also apply to the assignment of authorisations in the case of coherent record keeping. The requirement that the healthcare provider must carry out a needs and risk analysis before assigning authorisations in the system therefore also applies in systems for coherent record keeping.

Documentation of access (logs)

Chapter 4, Section 3 of the Patient Data Act states that a healthcare provider must ensure that access to data on patients that is processed wholly or partly automatically is documented and systematically checked.

According to Chapter 4, Section 9 of HSLF-FS 2016:40, the care provider shall be responsible for ensuring that
1. the documentation of access (logs) shows which actions have been taken with a patient's data,
2. the logs show the care unit or care process in which the actions were taken,
3. the logs show the time at which the actions were taken,
4. the identity of the user and of the patient is shown in the logs.

The Data Inspectorate's assessment
Responsibility of the controller for security
As described above, the National Board of Health and Welfare's regulations place the
responsibility for information management in healthcare, such as carrying out a needs and
risk analysis before permissions in a system are assigned, on the healthcare provider. In the
public health sector, the concept of the healthcare provider does not always coincide with
that of the controller. It is clear from both the fundamental principles in Article 5 and from
Article 24(1) of the General Data Protection Regulation that it is the controller who shall
implement appropriate technical and organisational measures to ensure, and be able to
demonstrate, that the processing is carried out in accordance with the General Data
Protection Regulation.

The Data Protection Inspectorate notes that the General Data Protection Regulation, as an
EU regulation, is directly applicable in Swedish law and that the Regulation itself
specifies when additional regulation should or may be introduced nationally. There is,
for example, scope to regulate nationally who is the controller within the meaning of
Article 4 of the General Data Protection Regulation. It is, however, not possible to adopt
a different national regulation concerning the responsibility of the controller to take
appropriate technical and organisational measures to ensure a level of security
appropriate to the risk. This means that the National Board of Health and Welfare's
regulations, which state that it is the care provider who should take certain measures, do
not change the fact that the responsibility to take appropriate security measures rests
with the controller under the General Data Protection Regulation. The Data Protection
Authority can therefore state that Karolinska University Hospital, in its capacity as
controller, is responsible for ensuring that these measures are taken.
As described above, Article 24(1) of the GDPR sets a
general requirement for the controller to implement appropriate technical
and organisational measures. The requirement aims to ensure that
the processing of personal data is carried out in accordance with
the General Data Protection Regulation, and that the controller should be able to
demonstrate that the processing of personal data is carried out in accordance with
the General Data Protection Regulation.
The security of processing is more specifically regulated in Article 5(1)(f)
and Article 32 of the General Data Protection Regulation.
Article 32(1) states that the appropriate measures shall be both technical and
organisational and that they shall ensure a level of security appropriate in relation to
the risks to the rights and freedoms of natural persons that the processing entails. It is
therefore necessary to identify the possible risks to the rights and freedoms of data
subjects and to assess the likelihood of the risks occurring and the severity if they do occur.
What is appropriate varies not only in relation to the risks but also with the nature,
scope, context and purposes of the processing. It is therefore of importance what personal
data are processed, how much data is involved, how many people process the data, etc.

The health sector has a great need for information in its activities. It is therefore
natural that the possibilities of digitalisation are exploited as far as possible in health
care. Since the introduction of the Patient Data Act, a very extensive digitalisation has
taken place in healthcare. Both the size of the data collections and the number of people
sharing information with each other have increased significantly. At the same time, this
increase places greater demands on the controller, as the assessment of what constitutes
appropriate security is affected by the extent of the processing.
Moreover, sensitive personal data are involved. The data also concern people who are in a
situation of dependency when they are in need of care. There is also often a lot of
personal data about each of these persons, and the data may be processed over time by very
many people in healthcare. All this places great demands on the controller.
The data processed must be protected both from actors outside the business and against
unauthorised access from within the business. It is clear from Article 32(2) that the
controller, when assessing the appropriate level of security, shall in particular take into
account the risks of accidental or unlawful destruction, loss or unauthorised disclosure or
access. In order to know what constitutes unauthorised access, the controller must be clear
about what constitutes authorised access.
Needs and risk analysis
Chapter 4, section 2 of the National Board of Health and Welfare's regulations (HSLF-FS 2016:40),
which supplement the Patient Data Act, states that the healthcare provider must make a needs
and risk analysis before assigning permissions in the system. This means that national law
requires an appropriate organisational measure to be taken before access rights to the medical
record system are assigned.
A needs and risk analysis should include an analysis of the needs and an analysis of the
risks from a privacy perspective that may be associated with an excessive allocation of
access rights to patient data. Both the needs and the risks must be assessed on the basis of
the data that need to be processed in the business, the processes involved and the risks to
the privacy of the individual.

Risk assessments need to be made at the organisational level, where, for example, a certain
part of the activity or task may be more privacy-sensitive than another, but also at an
individual level, where special circumstances need to be taken into account, such as
protected personal data, publicly known persons or otherwise particularly vulnerable persons.
The size of the system also affects the risk assessment. The preparatory work for the
Patient Data Act shows that the more comprehensive an information system is, the greater the
variety of authorisation levels there must be (prop. 2007/08:126 p. 149). It is thus a
question of a strategic analysis at the strategic level, which shall provide an authorisation
structure adapted to the business, and this structure must be kept updated.
In summary, the regulation requires that the risk analysis identifies the different
categories of data (e.g. health data), categories of data subjects (e.g. vulnerable natural
persons and children), the scope (e.g. the amount of personal data and the number of data
subjects) and the negative consequences for data subjects (e.g. injuries, significant social
or economic disadvantage, deprivation of rights and freedoms), and how these affect the
risk to the rights and freedoms of natural persons in the processing of personal data. This
applies both to internal confidentiality and to coherent record keeping.
The risk analysis shall also include specific risk assessments, for example on the basis
of the existence of protected personal data that is marked as confidential, information on
publicly known persons, or information from certain clinics or medical specialties
(prop. 2007/08:126 pp. 148-149).
The risk analysis shall also include an assessment of the likelihood and severity of the
risk to the rights and freedoms of data subjects and in any event determine whether it is
a risk or a high risk (recital 76).
It is thus through the needs and risk analysis that the controller finds out who needs
access, which data the access should cover, and at what times and in what contexts access
is needed, while at the same time analysing the risks to the rights and freedoms of
individuals that the processing may lead to. The result should then lead to the technical
and organisational measures needed to ensure that no access other than that which the risk
analysis shows to be justified is possible.
In the absence of a needs and risk analysis for the allocation of permissions in the
system, there is no basis on which the controller can lawfully assign the correct
permissions to its users. The controller is responsible for, and shall have control over,
the personal data processing carried out within the framework of the activity. Assigning
users broad access to record systems without basing this on a needs and risk analysis
means that the controller does not have sufficient control over the processing of personal
data carried out in the system, nor can it demonstrate that it has the control required.
When the Swedish Data Protection Authority requested a needs and risk analysis,
Karolinska University Hospital referred to the policy document "Decision on allocation of
permissions, guideline"4 (guidelines on the allocation of permissions) and stated that it is
the respective patient area and functional area manager who is to carry out and document
needs and risk analyses before permissions are assigned. According to Karolinska University
Hospital, when assigning authorisations, for example in the case of new recruitment, an
assessment of the employee's need for authorisation is regularly made, even if the template
for the needs and risk analysis provided in the guideline is not regularly completed. At the
time of the inspection, Karolinska University Hospital could not show a needs and risk
analysis, but has subsequently stated that it had begun work to ensure that needs and risk
analyses are carried out in the business. It has also submitted a documented "needs and
risk analysis" for the functional area of Perioperative Medicine.
As stated above, a needs and risk analysis should address both the needs and the risks,
assessed on the basis of the data that need to be processed in the operations, the
processes involved and the risks to the privacy of the individual, at both organisational
and individual level. It is therefore a question of a strategic analysis at a strategic
level, which shall provide an authorisation structure adapted to the activities. This
should lead to instructions on the assignment of authorisations, but the instructions to
the person assigning permissions are not themselves the analysis.

4 "Decision on the assignment of permissions, guideline", valid from 23 October 2018.
At the time of the inspection, Karolinska University Hospital was unable to present any
needs and risk analysis. The needs and risk analysis for the Perioperative Medicine function
does not meet the data protection provisions' requirements for such an analysis under
Chapter 4, Section 2 of HSLF-FS 2016:40, as it constitutes a general description of tasks in
TakeCare for some specific professional categories. The document contains no analysis of the
data needed by employees to perform their tasks. Nor does the document contain an analysis of
the risks that may be associated with excessive availability of different types of personal data.
The Data Inspectorate further notes that the approach described in the guidelines on the
assignment of authorisations, for analysing which authorisation is to be assigned to an
individual user, is based on the existing authorisation profiles. These are created based on
what users need to be able to do with the data, for example reading or writing, and not on
what information about the patient the individual user needs in order to carry out their work.
The needs and risk analyses described in Karolinska University Hospital's guidelines on the
assignment of authorisations do not constitute an analysis that meets the requirements for a
needs and risk analysis under the data protection regulations. Karolinska University Hospital
has also failed to demonstrate that the work initiated following the previous audit in 2013
resulted in a needs and risk analysis for TakeCare being carried out in accordance with the
injunction.
The Data Inspectorate can therefore conclude that the allocation of authorisations by
Karolinska University Hospital has not been preceded by the necessary needs and risk analysis.
Granting of access rights to personal data concerning patients
As explained above, a healthcare provider may have a legitimate interest in extensive
processing of personal health data. Notwithstanding this, access to personal data of
patients must be limited to what is necessary for the individual to perform his or her duties.
With regard to the granting of authorisation for electronic access under Chapter 4,
section 2 and Chapter 6, section 7 of the Patient Data Act, it is clear from the preparatory
work, prop. 2007/08:126 pp. 148-149, among other things, that there should be different
categories of access in the health record system and that access should be limited to what
the user needs in order to provide the patient with good and safe care. It is also stated that
"a broader or more coarse-meshed allocation of competences should be considered as an
unjustified proliferation of medical records within a business and as such should not be accepted."
In health care, it is the person who needs the data in his or her work who may be
authorised to access them. This applies both within a care provider and between care
providers. It is, as already mentioned, through the needs and risk analysis that the
controller finds out who needs access, what data the access should cover, and at what
times and in what contexts access is needed, while at the same time analysing the risks to
the rights and freedoms of individuals that the processing may lead to. The result should
then lead to the technical and organisational measures necessary to ensure that no
allocation of access provides wider access possibilities than the risk analysis shows to be
justified. An important organisational measure is to provide instructions to those
authorised to grant authorisations on how to do so and on what should be taken into account,
so that, with the needs and risk analysis as a basis, the assignment of authorisations is
correct in each case.
In addition to Karolinska University Hospital's guideline for the allocation of
permissions, there is also a guidance document "Access to patient records, guideline"
(access guidelines), which applies from 17 August 2018.5 However, the guidelines provide
only a general description of the regulatory framework and describe the conditions for the
assignment of permissions and for accessing the care documentation in TakeCare in
different situations.
The Data Inspectorate notes that although each user has de facto been assigned an
individual permission, the permissions assigned have not been restricted in a way that
ensures that the user does not have access to more personal data about patients, or to
personal data about more patients, than he or she needs to do his or her job. The
allocated permissions mean that the user has access to virtually all personal data about
patients in TakeCare. This is because there are only two authorisation profiles, for nurses
and doctors respectively, and the only thing that distinguishes the two profiles is that the
nursing authorisation has automated login to the care unit the staff member belongs to, and
the medical authorisation has access to so-called acute care. The only other restriction
that has emerged regarding access to personal data in the medical record system concerns
so-called protected units.

5 The guideline "Access to patient records, guideline" is established by the chief
physician in the area of quality and patient safety, and lawyers have participated in its
development.
Against this background, the Data Inspectorate considers that, since the allocation of
permissions was not preceded by the necessary needs and risk analysis, there were no
conditions for restricting the assigned permissions, nor was there any support for
determining what constitutes justified access for post holders at Karolinska University Hospital.
The fact that the allocation of permissions has not been preceded by a needs and risk
analysis means that Karolinska University Hospital has not analysed the users' need for
access to the data or the risks associated with this access, and thus has not identified
what access possibilities are justified for users on the basis of such an analysis.
Karolinska University Hospital has thus not taken appropriate organisational measures, in
accordance with Article 32 of the General Data Protection Regulation, to limit users'
access to personal data of patients in the medical record system. This in turn has meant
that there has been a risk of unauthorised access to and unwarranted dissemination of
personal data, both in the context of internal confidentiality and in the context of
coherent record keeping. The number of users at Karolinska University Hospital is close to
11 000, and TakeCare contains personal data on about 3 million patients, of whom about
2 million have been patients at Karolinska University Hospital.
In light of the above, the Swedish Data Protection Authority can conclude that Karolinska
University Hospital has processed personal data in breach of Article 5(1)(f) and Article 32(1)
and (2) of the General Data Protection Regulation, in that Karolinska University Hospital has
not restricted users' permissions for access to the TakeCare medical record system to what is
needed for the user to perform his or her tasks within health care pursuant to Chapter 4,
Section 2 and Chapter 6, Section 7 of the Patient Data Act and Chapter 4, Section 2 of
HSLF-FS 2016:40. This means that Karolinska University Hospital has not taken the measures
necessary to ensure, and in accordance with Article 5(2) of the General Data Protection
Regulation to be able to demonstrate, adequate security for personal data.
Documentation of access in logs
The Data Inspectorate notes that the logs in TakeCare show, for a specific patient, which
user has opened the medical record, the actions taken, which medical record has been
opened, the period of time the user has been logged in, all openings of that patient's
medical record during the selected time period, and the time and date of the last opening.
In the Data Inspectorate's assessment, this is consistent with the requirements for
documentation of access in logs set out in the regulations of the National Board of Health
and Welfare.
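The two access models contrasted in the findings above (one authorisation profile per role that exposes virtually all patients, versus per-user access derived from a needs and risk analysis, with protected units as a separate restriction), together with the four log elements the National Board of Health and Welfare's regulations require, as an added Python example. It is not code from the decision, from TakeCare or from the hospital; the users, care units and patients are constructed, and the policy functions and field names are assumptions.

```python
"""Added illustration (not from the decision or TakeCare): a coarse per-role
access model beside a needs-based one, and the audit record the regulation
requires (action, care unit, time, user identity and patient identity)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Patient:
    patient_id: str
    care_unit: str
    protected: bool = False   # "protected unit": visible only from inside that unit


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                 # "nurse" or "doctor" (assumed role names)
    home_unit: str
    # Units the needs and risk analysis found this individual actually works in.
    needed_units: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class LogEntry:
    user_id: str
    patient_id: str
    care_unit: str
    action: str
    timestamp: str


def coarse_profile_access(user: User, patient: Patient) -> bool:
    """The situation the decision criticises: one profile per role, no
    per-user scoping, and the protected unit as the only real restriction."""
    if patient.protected:
        return user.home_unit == patient.care_unit
    return user.role in ("nurse", "doctor")


def needs_based_access(user: User, patient: Patient) -> bool:
    """What the decision requires: access limited to what the needs and risk
    analysis justified for this individual user."""
    if patient.protected:
        return user.home_unit == patient.care_unit
    return patient.care_unit in user.needed_units


def access_record(user: User, patient: Patient, action: str,
                  policy, log: list, now=None) -> bool:
    """Evaluate a policy and, whether granted or denied, write a log entry
    carrying the four required elements: action, care unit, time, identities."""
    granted = policy(user, patient)
    ts = (now or datetime.now(timezone.utc)).isoformat()
    log.append(LogEntry(user.user_id, patient.patient_id, patient.care_unit,
                        action if granted else f"denied:{action}", ts))
    return granted


def compare_policies(user: User, patients: list) -> dict:
    """How many of the given patients each policy exposes to one user."""
    return {
        "coarse": sum(coarse_profile_access(user, p) for p in patients),
        "needs_based": sum(needs_based_access(user, p) for p in patients),
    }


# Constructed sample data; none of it comes from the decision.
PATIENTS = [
    Patient("P1", "cardiology"),
    Patient("P2", "orthopaedics"),
    Patient("P3", "oncology"),
    Patient("P4", "protected-unit-1", protected=True),
]
NURSE = User("n-001", "nurse", "cardiology", frozenset({"cardiology"}))

if __name__ == "__main__":
    # The coarse profile exposes every non-protected patient; the
    # needs-based one only the nurse's own unit.
    print(compare_policies(NURSE, PATIENTS))   # {'coarse': 3, 'needs_based': 1}
    audit = []
    access_record(NURSE, PATIENTS[1], "read", needs_based_access, audit)
    print(audit[-1])
```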

Choice of intervention
Legal regulation
If there has been a breach of the General Data Protection Regulation, the Data Protection
Inspectorate has a number of corrective powers at its disposal under Article 58(2)(a)-(j)
of the GDPR. The supervisory authority may, inter alia, order the controller to ensure that
the processing is carried out in accordance with the Regulation and, if necessary, in a
specific manner and within a specific period.
It follows from Article 58(2) of the GDPR that the Data Protection Inspectorate shall, in
accordance with Article 83, impose penalties in addition to, or instead of, the other
corrective measures referred to in Article 58(2), depending on the circumstances of each case.
For public authorities, Article 83(7) of the GDPR allows national rules to specify that
administrative penalties may be imposed on public authorities. According to Chapter 6,
Section 2 of the Data Protection Act, penalties may be imposed on authorities, but not
exceeding SEK 5 000 000 or SEK 10 000 000, depending on whether the infringement concerns
provisions covered by Article 83(4) or 83(5) of the GDPR.
Article 83(2) sets out the factors to be taken into account in determining whether an
administrative penalty should be imposed, and also what should affect the amount of the
penalty. Central to the assessment of the seriousness of the infringement are its nature,
severity and duration. In the case of a minor infringement, the supervisory authority may,
pursuant to recital 148 of the General Data Protection Regulation, issue a reprimand instead
of imposing a penalty fee.
Injunction
As mentioned, the health sector has a great need for information in its activities, and in
recent years a very extensive digitalisation has occurred in the health care sector. Both
the size of the data collections and the number of people sharing information with each
other have increased significantly. This increases the demands on the controller, since the
assessment of what constitutes appropriate security is affected by the extent of the processing.
In health care, this means an even greater responsibility for the controller to protect the
data from unauthorised access, including by having a fine-grained allocation of permissions.
It is therefore essential that there is a real analysis of the needs of the different
activities and the different post holders. It is equally important that there is an actual
analysis of the risks that may arise from a privacy perspective in the case of an excessive
allocation of access rights. Based on this analysis, the individual post holder's access
shall then be restricted. This authorisation must then be monitored and modified or
restricted as changes in the duties of the individual post holder give reason for it.
The Data Inspectorate's supervision has shown that Karolinska University Hospital has not
taken appropriate security measures to protect personal data in the medical record system,
in that Karolinska University Hospital, as controller, has failed to comply with the
requirements set out in the Patient Data Act and the National Board of Health and Welfare's
regulations. Karolinska University Hospital has thereby failed to comply with the
requirements of Article 5(1)(f) and Article 32(1) and (2) of the General Data Protection
Regulation. The failure covers both internal confidentiality under Chapter 4 of the Patient
Data Act and coherent record keeping under Chapter 6 of the Patient Data Act.
The Data Inspectorate therefore orders, on the basis of Article 58(2)(d) of the General
Data Protection Regulation, Karolinska University Hospital to ensure that the necessary
needs and risk analysis for the TakeCare medical record system is carried out, within the
framework of both internal confidentiality and coherent record keeping. The needs and risk
analysis must be documented.
Karolinska University Hospital shall, on the basis of the needs and risk analysis, assign
each user individual access rights to personal data limited to what is necessary for the
individual to be able to carry out his or her duties in health care.
Penalty fee
The Data Protection Inspectorate notes that the infringements essentially concern
Karolinska University Hospital's obligation to take appropriate security measures to
protect personal data under the General Data Protection Regulation.
In this case, it is a question of very large data collections with sensitive personal data
and wide-ranging permissions. The healthcare provider necessarily needs to process data on
individuals' health extensively. However, this processing must not be unrestricted but must
be based on what individual employees need in order to perform their tasks. The Data
Protection Inspectorate notes that the data in question involve direct identification of the
individual by name, contact details and personal identity number, together with health data,
but that they may also concern other private information on, for example, family
circumstances, sexual life and lifestyle. Patients are dependent on receiving care and are
therefore in a vulnerable situation. The nature and extent of the data and the dependency of
patients give healthcare providers a particular responsibility to ensure patients' rights to
adequate protection of their personal data.
Further aggravating circumstances are that the processing of patient data in the main record
system is at the core of a healthcare provider's activities, that the processing covers many
patients and that the possibility of access concerns a large proportion of the employees.
This concerns around 2 000 000 patients under the internal confidentiality regime and around
1 000 000 additional patients under coherent record keeping. There are only six so-called
protected units where the data are not accessible to users outside these units.
The Data Inspectorate can also state that Karolinska University Hospital did not comply
with the Data Inspectorate's previous injunction of 26 August 2013 to carry out a needs and
risk analysis as the basis for the allocation of authorisations, according to the then
requirement in Chapter 2, Section 6, second paragraph, second sentence of SOSFS 2008:14,
which corresponds to the current provision in Chapter 4, Section 2 of HSLF-FS 2016:40. This
is an aggravating circumstance pursuant to Article 83(2)(e) of the GDPR.
The deficiencies now identified have thus been known to Karolinska University Hospital for
several years, which means that the conduct is to be regarded as intentional and therefore
considered more serious.
In determining the gravity of the infringements, it can also be noted that the infringements
also concern the fundamental principles of Article 5 of the General Data Protection
Regulation, which belong to the categories of more serious infringements that may give rise
to a higher penalty under Article 83(5) of the General Data Protection Regulation.
These factors taken together mean that the infringements are not to be assessed as minor
infringements but as infringements that should lead to an administrative penalty.
The Data Protection Inspectorate considers that these infringements are closely related to
each other. This assessment is based on the fact that the needs and risk analysis should be
the basis for the allocation of the permissions. The Swedish Data Protection Authority
therefore considers that these infringements are so closely linked that they constitute
linked processing operations within the meaning of Article 83(3) of the General Data
Protection Regulation. The Data Protection Inspectorate therefore determines a single
penalty for these infringements.
The administrative penalty shall be effective, proportionate and dissuasive. This means
that the amount should be determined in such a way that the administrative penalty leads to
correction, that it provides a preventive effect, and that it is proportionate both to the
infringements in question and to the ability of the supervised entity to pay.

The maximum amount of the fine in this case is SEK 10 million
pursuant to Chapter 6, Section 2 of the Act (2018:218) with supplementary provisions to the EU
Data Protection Regulation.
In view of the seriousness of the infringements and the fact that the administrative
penalty shall be effective, proportionate and dissuasive, the Data Protection Inspectorate
sets the administrative penalty fee for Karolinska University Hospital at SEK 4 000 000
(four million).

This decision has been taken by the Director General Lena Lindgren Schelin after
presentation by cyber security specialist Magnus Bergström. Also participating in the final
handling of the case were Hans-Olof Lindblom, the Chief Legal Officer, the Heads of Unit
Katarina Tullstedt and Malin Blixt, and lawyer Maja Savic.

Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature)
Appendix:
How to pay the penalty fee
Copy for information to:
Data Protection Officer

How to appeal
If you wish to appeal against the decision, you should write to the Swedish Data Protection
Authority. State in the letter which decision you are appealing and the change you are requesting.
The appeal must have been received by the Swedish Data Protection Authority no later than
three weeks from the date on which you were notified of the decision. If the appeal has been
lodged in time, the Data Inspectorate forwards it to the Administrative Court in Stockholm
for examination.
You can email the appeal to the Data Protection Authority if it does not contain any
privacy-sensitive personal data or data that may be covered by confidentiality. The contact
details of the authority are given on the first page of the decision.