Datainspektionen - DI-2019-3841

From GDPRhub
Revision as of 11:43, 7 April 2022 by Gb (talk | contribs) (Keep DPA’s old logo on old decisions)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datainspektionen - DI-2019-3841
LogoSE-Datainspektionen.png
Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2020
Published:
Fine: 2500000 SEK
Parties: Hälso- och sjukvårdsnämnden, Region Västerbotten
National Case Number/Name: DI-2019-3841
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: Integritetsskyddsmyndigheten (in SV)
Initial Contributor: Kave Noori

The Swedish DPA (Integritetsskyddsmyndigheten) fined the Region of Västerbotten approximately EUR 248 000. For the second time since 2015, the region failed to implement necessary organizational and technical measures to restrict access to medical records.

English Summary

Facts

The DPA opened an investigation against the Västerbotten Region Healthcare committee (Hälso- och sjukvårdsnämnden) on 22 March 2019. The DPA wanted to investigate whether a risk and needs assessment was carried out before healthcare workers were given access to patient files from their own department and files from other healthcare departments. The DPA had already found in 2015 that the Region of Västerbotten’ s needs and risk assessment did not comply with the requirements of the law and had instructed them to carry out a new assessment.

Swedish healthcare regulations require that a caregiving institution conducts a risk and necessity analysis before granting its employees access to medical records. The caregiving institution must analyze what privacy risks patients face and what information employees need access to. The caregiving institution must use the analysis as a tool to ensure that each employee has access only to what he or she needs to do his or her job.

The Healthcare committee is the executive body running the region's health care system. The committee's guideline on information security made the operational manager of each health care unit responsible to conduct a needs and risk analysis prior to giving a user account to a health care worker access to patient records.


Dispute

Holding

Risk/needs analysis and system privileges

The DPA held that the Västerbotten Region Healthcare committee did not have a needs and risk analysis that met the statutory requirements. The DPA did not accept the view of the Healthcare committee that it was the responsibility of the head of each health department to carry out the analysis. The DPA took the view that the central management of the healthcare committee was responsible for carrying out such an analysis and that it was an organizational measure carried out at a strategic level for the healthcare system it operated as a whole.

In addition, the DPA had comments on the risk and needs analysis outline that the healthcare committee gave to each health unit manager. The outline was intended as a practical tool to help the health unit determine how authorizations should be designed before creating an account for an individual health care worker. First, the DPA held that this document only addressed the needs of the health care provider to access certain data but lacked consideration of the risk of invasion of patient privacy. Second, the DPA pointed out that the needs and risk analysis is a strategic document that is needed as a tool in deciding the overall structure of granting privileges in the computer system. Third, the DPA concluded that instructions to the person creating the user account do not constitute the risk and needs analysis that the law requires.

The DPA also found that the health care committee did not limit individual health care workers' access to medical records to that which was necessary for the performance of their duties. The DPA found that the Healthcare committee violated Article 5(1)(f), Article 5(2), Article 32(1) and Article 32(2).

Access logs

The DPA investigated the logging practices of the healthcare committee and determined them to be compliant with the statutory requirements.

Order to take compliance measures

The DPA directed the Healthcare committee to conduct and document a needs and risk analysis as required by law. The analysis must include access to medical records from records held by the Healthcare committee as well as coherent medical records from other health care providers. The DPA directed the Healthcare committee to redefine health care worker access to medical records based on the analysis so that each health care worker has access only to the medical records they need to perform their job.

Sanction fee

The DPA imposed a fine of SEK 2.5 million on the Healthcare committee (Hälso- och sjukvårdsnämnden) of the Region of Västerbotten. The fine was based on several factors: patient data is inherently sensitive, approximately 650,000 patients were affected, and the DPA considered that the Healthcare committee knowingly failed to follow its instructions from 2015.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

                                                             Decision Diary No. 1 (29)
                                                             2020-12-02 DI-2019-3841







                                                             The Health and Medical Care Board at
                                                             Västerbotten Region

                                                             Köksvägen 11
                                                             901 89 Umeå


                    Supervision under the Data Protection Regulation and

                    Patient Data Act - needs and risk analysis


                    and questions about access in journal systems


                    Table of Contents
                    The Data Inspectorate's decision ................................................ ..................................... 3

                    Report on the supervisory matter ............................................... ............................ 4

                      Previous review of needs and risk analyzes ........................................... 4

                      What has emerged in the case ............................................. .......................... 5

                         Personal data controller ................................................. ................................ 5
                         Journal system ................................................. ................................................ 5

                         Number of patients and staff .............................................. ...................... 6

                         Internal privacy ................................................ ........................................... 6

                         Needs and risk analysis .............................................. .................................... 6

                         Authorization of access to personal data about
                         patients ................................................. .................................................. ...... 7

                         Access opportunities (read access) to care documentation in NCS Cross

                         .................................................. .................................................. .................... 8

                         Restrictions on access to data in NCS Cross .................................... 9

                         Consolidated record keeping ................................................ ....................... 10
                         Needs and risk analysis .............................................. .................................. 10

                         Authorization of access to personal data about

                         patients ................................................. .................................................. .... 10

                         Access opportunities (read access) to care documentation in NCS Cross
                         .................................................. .................................................. ................... 10

                         Restrictions on access to data in NCS Cross .................................. 10




Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se
Website: www.datainspektionen.se Phone: 08-657 61 00
                                                     Page 1 of 29Datainspektionen DI-2019-3841 2 (29)






                           Documentation of access (logs) ............................................ .............. 10

                        Grounds for the decision ............................................... ........................................... 11

                           Applicable rules................................................ .................................................. 11

                              The Data Protection Regulation the primary source of law ..................................... 11

                              The Data Protection Regulation and the relationship with complementary national

                              regulations ................................................. ........................................... 13

                              Supplementary national provisions ............................................... .. 14

                              Requirement to do needs and risk analysis .......................................... ........... 15

                              Internal privacy ................................................ .............................................. 16

                              Consolidated record keeping ................................................ ....................... 16

                           Documentation of access (logs) ............................................ .................. 17

                        The Data Inspectorate's assessment ................................................ ........................... 17
                           Responsibility of the data controller for security ........................................... 17

                           Needs and risk analysis .............................................. ...................................... 18

                              The Health and Medical Care Board's work with needs and risk analysis ...... 20

                              A needs and risk analysis must be made at a strategic level ............................ 21

                              The Swedish Data Inspectorate's summary assessment ...................................... 21

                              Authorization of access to personal data about

                              patients ................................................. .................................................. .... 22

                           Documentation of access (logs) ............................................ ............. 24

                        Choice of intervention ............................................... .................................................. 25

                           Legal regulation ................................................ .............................................. 25

                           Order................................................. .................................................. 25

                           Penalty fee ................................................. ........................................... 26
                        How to appeal............................................... ........................................... 29

















                                                                Page 2 of 29Datainspektionen DI-2019-3841 3 (29)







                   The Data Inspectorate's decision

                   The Data Inspectorate has at the inspection on 14 May 2019 and 12 December
                   2019 established that the Health and Medical Care Board at Region Västerbotten

                   processes personal data in breach of Article 5 (1) (f) and (2) and Article 32 (1)
                                                        1
                   0ch 32.2 of the Data Protection Regulation by


                       1. The Health and Medical Care Board has not implemented needs and
                           risk analysis before allocation of authorizations takes place in the record system

                           NCS Cross, in accordance with ch. § 2 and ch. 6 Section 7 of the Patient Data Act
                           (2008: 355) and ch. 4 Section 2 of the National Board of Health and Welfare's regulations and general

                           advice (HSLF-FS 2016: 40) on record keeping and treatment of
                           personal data in health care. This means that Health and

                           the health care board has not taken appropriate organizational measures
                           to be able to ensure and be able to show that the treatment of

                           the personal data has a security that is appropriate in relation to
                           the risks.


                       2. The Health and Medical Care Board has not restricted users

                           permissions for accessing the NCS Cross journal system to what
                           only needed for the user to be able to fulfill theirs

                           tasks in health care in accordance with

                           Chapter 4 § 2 and ch. 6 Section 7 of the Patient Data Act and Chapter 4 § 2 HSLF-FS
                           2016: 40. This means that the Health and Medical Care Board does not have

                           taken measures to be able to ensure and be able to show a suitable
                           security of personal data.


                   The Data Inspectorate decides on the basis of Articles 58 (2) and 83 i

                   the Data Protection Ordinance and Chapter 6 § 2 of the law (2018: 218) with
                   supplementary provisions to the EU Data Protection Regulation that the

                   and the Board of Health, for the infringements of Article 5 (1) (f) and (2), and
                   Article 32 (1) and (2) of the Data Protection Regulation, shall pay a

                   administrative penalty fee of 2,500,000 (two million
                   five hundred thousand) kronor.



                   1
                     Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection
                   for natural persons with regard to the processing of personal data and on the free flow
                   of such information and repealing Directive 95/46 / EC (General
                   Data Protection Regulation).







                                                   Page 3 of 29Datainspektionen DI-2019-3841 4 (29)








                  The Data Inspectorate submits pursuant to Article 58 (2) (d) i
                  the Data Protection Ordinance, the Health and Medical Care Board to implement and

                  document the required needs and risk analysis for the NCS medical record system
                  Cross and then, with the support of the needs and risk analysis, assign each

                  user individual authorization for access to personal data to only
                  what is needed for the individual to be able to fulfill his or her duties

                  in the field of health, in accordance with Article 5 (1) (f) and Article 32 (1) and
                  32.2 of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 Section 7 of the Patient Data Act and

                  Chapter 4 2 § HSLF-FS 2016: 40.



                  Report on the supervisory matter

                  The Data Inspectorate initiated supervision by letter dated 22 March 2019 and
                  on the spot on 14 May 2019 and 12 December 2019 reviewed whether the Health

                  and the Health Care Board's decision on the allocation of authorizations has been preceded
                  of a needs and risk analysis. The review has also included how the Health

                  and the health care board assigned authorizations for access to
                  the main journal system NCS Cross, and what access possibilities they were allocated

                  the authorizations provide within the framework of the internal secrecy according to ch.
                  the Patient Data Act, as the cohesive record keeping according to ch.

                  patient data law. In addition to this, the Data Inspectorate has also examined which one
                  documentation of access (logs) contained in the record system.


                  The Data Inspectorate has only examined the user's access options to

                  the journal system, i.e. what care documentation the user can actually take
                  part of and read. Supervision does not include the functions included in
                  the competence, ie. what the user can actually do in the journal system

                  (eg issuing prescriptions, writing referrals, etc.).


                  Previous review of needs and risk analyzes

                  The Data Inspectorate has previously carried out an inspection regarding the then
                  The County Council Board, Västerbotten County Council had implemented one

                  documented needs and risk analysis according to ch. § 6 second paragraph second
                  the sentence of the National Board of Health and Welfare's regulations (SOSFS 2008: 14) on

                  information management and record keeping in health care. Of
                  The Data Inspectorate's decision with record number 1615-2013, announced on 27

                  March 2015, it appears that the County Council Board did not meet the requirement that






                                                 Page 4 of 29Datainspektionen DI-2019-3841 5 (29)






                  carry out a needs and risk analysis in accordance with the said regulations, and

                  was therefore instructed to implement one for the main record system.


                  What has emerged in the case
                  The Health and Medical Care Board has mainly stated the following.


                  Personal data manager

                  On January 1, 2019, a reorganization was made which meant that Region
                  Västerbotten was formed. There is no authority under Health and

                  the health care board. The Health and Medical Care Board conducts health and
                  healthcare within the region and is responsible for the processing of personal data

                  personal data that the business performs in the main record system NCS Cross.


                  Journal system
                  The main journal system used is called NCS Cross and stands for Nordic

                  Clinical Suite. It is possible to take part in care documentation in NCS Cross
                  from 1993 when the system was introduced. At that time was

                  the allocation of privileges was more limited and users had access to
                  fewer data than in the current system. The so-called Employee Assignments

                  was added in 2014–2015. Employee assignments regulate on which organizational
                  level access can be done in NCS Cross and is required to access the system.


                  NCS Cross is used within the framework of coherent record keeping
                  together with seven other care providers.


                  In connection with the Data Protection Ordinance began to apply

                  the supplier a general review of the system and informed that
                  no functional adjustments needed to be made.


                  There are 101 databases in NCS Cross based on the fact that each clinic basically has one

                  own database. Within Region Västerbotten, the number of units is 84 (active
                  databases). Within NCS Cross, there are so-called protected units.


                  In NCS Cross, it is possible to control the staff's access possibilities

                  different ways in terms of authorization management, including through
                  employee assignments and functions for blocking records.


                  Protected information, about patients with a protected identity at the Swedish Tax Agency, is

                  not available in NCS Cross.





                                                 Page 5 of 29Datainspektionen DI-2019-3841 6 (29)







                   The number of patients and employees
                   The number of unique registered patients in NCS Cross within the framework of the internal

                   the confidentiality is 652,995. The number of patients registered within the framework
                   for unified record keeping is 665,564.


                   There are approximately 10,000 employees in the Västerbotten Region. Within the region

                   9,139 users have a valid employee assignment and active account in NCS

                   Cross. The number of active user accounts in the region is 12,366. The reason
                   to the difference in the number of users is that the businesses have not reported

                   to the administration that the authorization is to be terminated. Access to NCS Cross
                   stopped anyway because the users who do not have an employee assignment

                   can not log in to the application. The process is automated so that the AD
                   the account and thus also the employee assignment is automatically closed when

                   the employment ends.


                   Internal secrecy


                   Needs and risk analysis
                   The Data Inspectorate's decision of 27 March 2015 states that

                   The County Council Board, Västerbotten County Council, was instructed to produce one
                   documented needs and risk analysis for the main record system.


                   Against this background, the Health and Medical Care Board has stated, among other things

                   following.


                   The Health and Medical Care Board has followed the Data Inspectorate's previous decisions
                   and produced the documents Guideline for information security and

                   management and operation and Template - Needs and risk analysis at

                   authorization. The control document and the template have been prepared to provide
                   the business managers tools in connection with the allocation of authority.

                   Documents User profiles are examples that clarify that permissions
                   not assigned generally but individually. The documents are also examples of

                   performed analyzes at actual eligibility assignments within various
                   devices. The needs and risk analysis is made from the business perspective and

                   not from an integrity perspective.





                   2
                    The documents have been received by the Data Inspectorate.





                                                   Page 6 of 29Datainspektionen DI-2019-3841 7 (29)






                   The board does not know to what extent the template Template - Needs and risk analysis

                   when allocating privileges is used in the business, when you only see
                   the result of the authorization order itself. The board has assumed that

                   the business managers make a needs and risk analysis before ordering
                   permissions. However, the committee has not seen any documented needs and

                   risk analysis neither for the internal confidentiality nor for the cohesive
                   record keeping.


                   The guidelines for information security state that authorization must be granted

                   after an analysis of what information different staff categories in different
                   businesses need. The guidelines also state that the risk analysis must take place

                   consideration of the risks it may entail if the staff has too little or too little
                   much access to various patient data. Then the needs vary between different
                   types of activities, the business manager is responsible for the needs and

                   risk analysis is performed at unit level. According to the guidelines, the business should
                   document the needs and risk analysis when allocating

                   the employee assignment.


                   The guidelines also state, among other things, that in addition to regular inspections
                   of the users' authorization needs, the authorizations shall be reviewed accordingly

                   organizational and system change.


                   Authorization of access to personal data about patients
                   The Health and Medical Care Board has mainly stated the following.


                   In order for an executive to be able to access personal data in NCS Cross

                   several conditions need to be met. The executive must have one
                   active user account in the region domain (AD). This in turn presupposes that

                   the executive is registered in the HR system. To be able to log in to
                   domain, executives need a SITHS card with one or more valid ones

                   certificate. To then be able to log in to NCS Cross needs
                   the executive partly have a valid so-called employee assignment, partly become
                   assigned a license in NCS Cross. The employee assignment regulates on which

                   organizational level access can be done in NCS Cross. It is
                   the heads of operations of the various units that decide on the allocation of

                   the employee assignment to his staff at the care unit.










                                                  Page 7 of 29Datainspektionen DI-2019-3841 8 (29)






                   Two-step authentication "that you really are who you are" and that access

                   closes to the user when he quits are examples of actual actions such as
                   taken to prevent unnecessary dissemination of personal data.


                   The qualifications assigned to the staff are based on the needs analysis that is performed

                   before the assignment, ie where and with what the employee works.
                   For example, counselors and physiotherapists may be employed in different units,

                   which means that they have more employee assignments and thus must be given
                   access to more devices. The same applies to emergency physicians who also have

                   access to more units than the own emergency database.


                   The staff's access to databases is based on the need that exists. One
                   employee assignments can thus mean that an employee can be authorized
                   to multiple databases. A nurse at Neurocentrum can, for example, get one

                   employee assignments with access to eight databases because the clinic has
                   eight databases and the nurse's work requires access to all of them.


                   Access opportunities (read access) to care documentation in NCS Cross

                   Each employee has a reading authority that is adapted based on the individual's
                   mission. If an employee is granted reading permission within the entire Region

                   Västerbotten only applies to care documentation. Protected devices are
                   excluded.


                   In the NCS Cross access control system, there are two types of access

                   Own competence, partly Service role.


                   Own competence means that an executive is given access to them
                   functions in the record system that are relevant to the executive
                   tasks, such as prescribing medicines. Own authority

                   also means that the executive is given permission to read and write to them
                   parts of the journal system (databases) that are linked to it or they

                   care units where the executive is active.


                   Eligibility according to the position role means that an executive is also given
                   read access to other databases in the journal system. The executive can

                   then the service role is given Reading permission VLL which means access
                   (read access) to all units' care documentation in the Region

                   Västerbotten, except for protected units. Executives can be assigned one
                   other reading permission than Reading permission VLL. Read access to






                                                  Page 8 of 29Datainspektionen DI-2019-3841 9 (29)






                  personal data of protected entities are provided only within the framework of the allocation of

                  Own authority.


                  The module that handles the journal in NCS Cross is heading
                  Care documentation. The module contains all documentation that is available

                  the patient in accordance with ch. 4 § 1 Patient Data Act. There are others as well
                  modules, such as Care Administration, which contain information in accordance

                  with ch. 2 4 § 2 of the Patient Data Act.


                  Doctors are almost always assigned a Reading Permit VLL. Regarding
                  the nurses are often ordered to read VLL, which means that a

                  majority of nurses are assigned this reading privilege. Have the staff
                  assigned write permission in the system, it means that the staff also has
                  readability in it. The number of executives who have Reading Authorization VLL in

                  NCS Cross has a total of 7,586. Of these, 2,290 are doctors, 3,759 are nurses,
                  124 are assistant nurses including pediatric nurses and 956 are paramedics.

                  The information is valid for December 2019.


                  Restrictions on access to data in NCS Cross
                  There are no direct obstacles to introducing restrictive features

                  read access and thus access in NCS Cross. The system enables
                  allocating permissions that give users different access options.

                  It can be done on an individual level. You can also restrict access to some
                  devices. Technically, for example, it is possible to exclude BUP from

                  access possibilities. Operations managers can restrict access and control
                  privileges so that the staff of a unit has access to data only

                  about care and treatment at the relevant unit and not such information at others
                  devices.


                  Within NCS Cross 84 units, there are the following six protected units. 1) The device
                  clinical genetics, 2) Unit for Child and Adolescent Habilitation 3) Section

                  child and adolescent habilitation within the unit child and adolescent clinic
                  Västerbotten 4) Section for orphanages, within the unit for children and

                  youth psychiatry Västerbotten 5) Occupational health care 6) The LSS units
                  in disability activities, visual and hearing rehabilitation and support and

                  habilitation for adults and the section on the exercise of authority in the Support unit
                  and habilitation for adults.









                                                 Page 9 of 29Data Inspectorate DI-2019-3841 1 0 (29)






                  An active choice for access is required by the user when the patient has blocked his

                  care documentation.


                  Coherent record keeping
                  The Health and Medical Care Board has mainly stated the following.


                  Needs and risk analysis

                  Template Template - Needs and risk analysis when granting eligibility also applies
                  for the unified record keeping. Needs analysis done before
                  authorization allocation also includes analysis for access within the framework of

                  coherent record keeping.


                  Authorization of access to personal data about patients
                  If an employee has been granted reading permission in the internal secrecy, it means

                  that he has also been granted reading permission for the unified record keeping.


                  Access opportunities (read access) to care documentation in NCS Cross
                  The reading authority within the coherent record keeping is the same as

                  for internal secrecy. This means that the staff can take part in everything
                  care documentation about all patients who are in the system for it
                  coherent record keeping. The basis for this lies

                  employee assignment.


                  Restrictions on access to data in NCS Cross
                  Employees must make active choices to access information in it

                  keep records in mind, ie answer the question of whether the patient has given
                  their consent or state that there is an emergency to be able to take part

                  of the data.


                  Documentation of access (logs)
                  The Health and Medical Care Board has stated, among other things, the following.


                  Each time a user enters NCS Cross, the activity is logged. The search on

                  a patient can be done on social security number or backup number. According to
                  guidelines, the system must once a month select ten users on one

                  unit. In such a log check, all patient records are displayed as respective
                  users opened for login during the checked log period as well

                  all activities done in the care portal: time, activity, social security number,







                                                 Page 10 of 29Datainspektionen DI-2019-3841 1 1 (29)






                  patient, journal, information, staff, title, location, client, purpose

                  and date.


                  In the log extract, it is stated under the heading Client at which unit
                  the measures have been taken, ie which care unit's employee assignment

                  the user used at login. Under the heading Journal it is stated
                  database from which the staff retrieved data, ie at which

                  care unit documentation the user reads in.


                  The database called Medicincentrum contains care documentation from two
                  care units, partly Medicincentrum, partly Hjärtcentrum. If, for example

                  login is done in the database Medicincentrum by a doctor who works at
                  the unit Medicincentrum, the log extract will state Medicincentrum
                  both under the heading Client and the heading Journal. About the doctor

                  on the other hand, working at the Heart Center, it appears in the log extract under the heading
                  Client to be specified Heart Center.


                  The log entries generated refer to both the internal confidentiality and the

                  coherent record keeping.


                  The Health and Medical Care Board has submitted to the Swedish Data Inspectorate
                  log extract with documentation of the accesses (logs) that were created with

                  due to the inspection of the inspection.



                  Grounds for the decision


                  Applicable rules


                  The Data Protection Regulation is the primary source of law

                  The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and
                  is the primary legal regulation in the processing of personal data. This

                  also applies to health care.


                  The basic principles for the processing of personal data are set out in
                  Article 5 of the Data Protection Regulation. A basic principle is the requirement

                  security pursuant to Article 5 (1) (f), which states that personal data shall be processed
                  in a way that ensures adequate security for personal data,

                  including protection against unauthorized or unauthorized treatment and against loss,





                                                Page 11 of 29Datainspektionen DI-2019-3841 1 2 (29)






                   destruction or damage by accident, using appropriate

                   technical or organizational measures.


                   Article 5 (2) states the so-called liability, ie. that it
                   personal data controllers must be responsible for and be able to show that the basic

                   the principles set out in paragraph 1 are complied with.


                   Article 24 deals with the responsibility of the controller. Of Article 24 (1)
                   it appears that the person responsible for personal data is responsible for implementing appropriate

                   technical and organizational measures to ensure and demonstrate that
                   the processing is performed in accordance with the Data Protection Regulation. The measures shall

                   carried out taking into account the nature, scope, context of the treatment
                   and purposes and the risks, of varying degrees of probability and severity, for
                   freedoms and rights of natural persons. The measures must be reviewed and updated

                   if necessary.


                   Article 32 regulates the security associated with the processing. According to paragraph 1
                   the personal data controller and the personal data assistant shall take into account

                   of the latest developments, implementation costs and treatment
                   nature, scope, context and purpose as well as the risks, of varying

                   probability and seriousness, for the rights and freedoms of natural persons
                   take appropriate technical and organizational measures to ensure a

                   level of safety appropriate to the risk (…). According to paragraph 2,
                   when assessing the appropriate level of safety, special consideration is given to the risks

                   which the treatment entails, in particular from accidental or unlawful destruction,
                   loss or alteration or to unauthorized disclosure of or unauthorized access to

                   the personal data transferred, stored or otherwise processed.


                   Recital 75 states that in assessing the risk to natural persons
                   rights and freedoms, various factors must be taken into account. Among other things mentioned

                   personal data covered by professional secrecy, health data or
                   sexual life, if the processing of personal data concerning vulnerable physical persons takes place
                   persons, especially children, or if the treatment involves a large number

                   personal data and applies to a large number of registered persons.


                   Furthermore, it follows from recital 76 that the probable and serious risk of it
                   data subjects' rights and freedoms should be determined on the basis of processing

                   nature, scope, context and purpose. The risk should be evaluated on







                                                  Page 12 of 29Datainspektionen DI-2019-3841 1 3 (29)






                   on the basis of an objective assessment, which determines whether

                   the data processing involves a risk or a high risk.


                   Recitals 39 and 83 also contain writings that provide guidance on it
                   the meaning of the data protection regulation's requirements for security in

                   Processing of personal data.


                   The Data Protection Regulation and the relationship with complementary national
                   provisions

                   According to Article 5 (1). a in the Data Protection Regulation, the personal data shall
                   treated in a lawful manner. In order for the treatment to be considered legal, it is required

                   legal basis by fulfilling at least one of the conditions of Article 6 (1).
                   The provision of health care is one such task of general
                   interest referred to in Article 6 (1). e.


                   In health care, the legal bases can also be legal

                   obligation under Article 6 (1). c and the exercise of authority under Article 6 (1) (e)
                   updated.


                   When it comes to the legal bases legal obligation, in general

                   interest or exercise of authority by the Member States, in accordance with Article
                   6.2, maintain or introduce more specific provisions for adaptation

                   the application of the provisions of the Regulation to national circumstances.
                   National law may specify specific requirements for the processing of data

                   and other measures to ensure legal and equitable treatment. But
                   there is not only one possibility to introduce national rules but also one

                   duty; Article 6 (3) states that the basis for the treatment referred to in
                   paragraph 1 (c) and (e) shall be determined in accordance with Union law or

                   national law of the Member States. The legal basis may also include
                   specific provisions to adapt the application of the provisions of

                   the Data Protection Regulation. Union law or the national law of the Member States
                   law must fulfill an objective of general interest and be proportionate to it
                   legitimate goals pursued.


                   Article 9 states that the treatment of specific categories of

                   personal data (so-called sensitive personal data) is prohibited. Sensitive
                   personal data includes data on health. Article 9 (2) states

                   except when sensitive personal data may still be processed.







                                                   Page 13 of 29Datainspektionen DI-2019-3841 1 4 (29)






                   Article 9 (2) (h) states that the processing of sensitive personal data may be repeated

                   the treatment is necessary for reasons related to, among other things
                   the provision of health care on the basis of Union law or

                   national law of the Member States or in accordance with agreements with professionals in
                   the field of health and provided that the conditions and protective measures provided for in

                   referred to in paragraph 3 are met. Article 9 (3) imposes a regulated duty of confidentiality.


                   This means that both the legal bases of general interest,
                   exercise of authority and legal obligation in the treatment of the vulnerable

                   personal data under the exemption in Article 9 (2). h need
                   supplementary rules.


                   Supplementary national regulations
                   In the case of Sweden, both the basis for the treatment and those

                   special conditions for the processing of personal data in the field of health and
                   healthcare regulated in the Patient Data Act (2008: 355), and

                   the Patient Data Ordinance (2008: 360). I 1 kap. Section 4 of the Patient Data Act states that
                   the law complements the data protection regulation.


                   The purpose of the Patient Data Act is to provide information in health and

                   healthcare must be organized so as to meet patient safety and
                   good quality and promotes cost efficiency. Its purpose is also to

                   personal data shall be designed and otherwise processed so that patients and
                   the privacy of other data subjects is respected. In addition, must be documented

                   personal data is handled and stored so that unauthorized persons do not have access to it
                   them (Chapter 1, Section 2 of the Patient Data Act).


                   The supplementary provisions in the Patient Data Act aim to:

                   take care of both privacy protection and patient safety. The legislator has
                   thus through the regulation made a balance as to how

                   the information must be processed to meet both the requirements for patient safety
                   as the right to privacy in the processing of personal data.


                   The National Board of Health and Welfare has, with the support of the Patient Data Ordinance, issued regulations
                   and general advice on record keeping and processing of personal data in

                   health care (HSLF-FS 2016: 40). The regulations constitute such
                   supplementary rules, which shall be applied in the care provider's treatment of

                   personal data in health care.







                                                  Page 14 of 29Datainspektionen DI-2019-3841 1 5 (29)







                     National provisions supplementing the requirements of the Data Protection Regulation

                     safety can be found in Chapters 4 and 6. the Patient Data Act and Chapters 3 and 4 HSLF-FS

                     2016: 40.


                     Requirement to do needs and risk analysis

                     The care provider must, according to ch. § 2 HSLF-FS 2016: 40 make a needs and
                     risk analysis, before the allocation of authorizations in the system takes place.



                     That the analysis requires both the needs and the risks is clear from the preparatory work

                     to the Patient Data Act, prop. 2007/08: 126 pp. 148-149, as follows.


                        Authorization for staff's electronic access to patient information shall
                        limited to what the executive needs to be able to perform his

                        tasks in health care. This includes that permissions should
                        followed up and changed or reduced over time as changes in the individual
                        the executive's duties give rise to it. The provision

                        corresponds in principle to section 8 of the Health Care Register Act. The purpose of the provision is to
                        imprint the obligation of the responsible caregiver to make active and

                        individual eligibility assignments based on analyzes of which details
                        information different staff categories and different types of activities need. But
                        not only needs analyzes are needed. Risk analyzes must also be done where you take them

                        taking into account various types of risks that may be associated with an excessively wide
                        availability of certain types of data. Protected personal data that is
                        classified, information on public figures, information from certain

                        receptions or medical specialties are examples of categories that can
                        require special risk assessments.


                        In general, it can be said that the more comprehensive an information system is, the more
                        there must be a greater variety of eligibility levels. Decisive for decision on

                        eligibility for e.g. different categories of health care professionals to
                        electronic access to information in patient records should be that the authorization should

                        limited to what the executive needs for the purpose a good and safe
                        patient care. A more extensive or coarse-grained allocation of competences should -
                        even if it would have points from an efficiency point of view - considered as one

                        unjustified dissemination of journal information within a business and should as such
                        not accepted.


                        Furthermore, data should be stored in different layers so that sensitive information is required to be active
                        choices or otherwise are not as easily accessible to staff as less sensitive

                        tasks. In the case of staff working with business follow-up,
                        statistical production, central financial administration and similar activities

                        which is not individual-oriented, this should be sufficient for most executives
                        access to data that can only be indirectly derived from individual patients.
                        Electronic access to code keys, social security numbers and other information such as









                                                        Page 15 of 29Datainspektionen DI-2019-3841 1 6 (29)






                      directly pointing out individual patients should be able to be strong in this area

                      limited to individuals.

                   Internal secrecy

                   The provisions in ch. 4 The Patient Data Act concerns internal confidentiality, ie.
                   regulates how privacy protection is to be handled within a care provider's business

                   and especially employees' opportunities to prepare for
                   personal data that is electronically available in a healthcare provider

                   organisation.


                   It appears from ch. Section 2 of the Patient Data Act, that the care provider shall decide
                   conditions for granting access to such data

                   patients who are fully or partially automated. Such authorization shall
                   limited to what is needed for the individual to be able to fulfill theirs

                   tasks in health care.


                   According to ch. 4 § 2 HSLF-FS 2016: 40, the care provider shall be responsible for each
                   users are assigned an individual privilege to access

                   personal data. The caregiver's decision on the allocation of eligibility shall
                   preceded by a needs and risk analysis.


                   Coherent record keeping

                   The provisions in ch. 6 the Patient Data Act concerns cohesive record keeping,
                   which means that a care provider - under the conditions specified in § 2 the same

                   chapter - may have direct access to personal data processed by others
                   caregivers for purposes related to care documentation. The access to

                   information is provided by a healthcare provider making the information about a patient
                   which the care provider registers if the patient is available to other care providers

                   who participate in the coherent record keeping (see Bill 2007/08: 126 p. 247).


                   Of ch. 6 Section 7 of the Patient Data Act follows that the provisions in Chapter 4 § 2 also
                   applies to authorization allocation for coherent record keeping. The requirement of

                   that the care provider must perform a needs and risk analysis before allocating
                   permissions in the system take place, thus also applies in systems for cohesion

                   record keeping.












                                                   Page 16 of 29Datainspektionen DI-2019-3841 1 7 (29)






                   Documentation of access (logs)

                   Of ch. 4 Section 3 of the Patient Data Act states that a care provider must ensure that
                   access to such data on patients who are kept in whole or in part

                   automatically documented and systematically checked.


                   According to ch. 4 Section 9 HSLF-FS 2016: 40, the care provider shall be responsible for that
                       1. it appears from the documentation of the access (logs) which

                          measures taken with information on a patient,
                       2. it appears from the logs at which care unit or care process

                          measures have been taken,
                       3. the logs indicate the time at which the measures were taken;

                       4. the identity of the user and the patient is stated in the logs.



                   The Data Inspectorate's assessment


                   Personal data controller's responsibility for security

                   As previously described, Article 24 (1) of the Data Protection Regulation provides a
                   general requirement for the personal data controller to take appropriate technical

                   and organizational measures. The requirement is partly to ensure that
                   the processing of personal data is carried out in accordance with

                   the Data Protection Ordinance, and that the data controller must be able to
                   demonstrate that the processing of personal data is carried out in accordance with

                   the Data Protection Regulation.


                   The safety associated with the treatment is regulated more specifically in the articles
                   5.1 (f) and Article 32 of the Data Protection Regulation.


                   Article 32 (1) states that the appropriate measures shall be both technical and

                   organizational and that they must ensure an appropriate level of security in
                   in relation to the risks to the rights and freedoms of natural persons which
                   the treatment entails. It is therefore necessary to identify the possible ones

                   the risks to the data subjects' rights and freedoms and assess
                   the probability of the risks occurring and the severity if they occur.

                   What is appropriate varies not only in relation to the risks but also
                   based on the nature, scope, context and purpose of the treatment. It has

                   thus the significance of what personal data is processed, how many
                   data, it is a question of how many people process the data, etc.







                                                  Page 17 of 29Datainspektionen DI-2019-3841 1 8 (29)






                   The health service has a great need for information in its operations. The

                   It is therefore natural that the possibilities of digitalisation are utilized as much as
                   possible in healthcare. Since the Patient Data Act was introduced, a lot

                   extensive digitization has taken place in healthcare. Both the data collections
                   size as the number of people sharing information with each other has increased

                   substantially. At the same time, this increase means that the demands on it increase
                   personal data controller, as the assessment of what is an appropriate

                   safety is affected by the extent of the treatment.


                   It is also a question of sensitive personal data. The information concerns
                   people who are in a situation of dependence when they are in need of care.

                   It is also often a question of a lot of personal information about each of these
                   people and the data may over time may be processed by very

                   many people in healthcare. All in all, this places great demands on it
                   personal data controllers.


                   The data processed must be protected from outside actors as well

                   the business as against unauthorized access from within the business. It appears
                   of Article 32 (2) that the data controller, in assessing the appropriate

                   level of safety, in particular shall take into account the risks of unintentional or illegal
                   destruction, loss or unauthorized disclosure or unauthorized access. In order to

                   be able to know what is an unauthorized access it must
                   personal data controllers must be clear about what is an authorized access.


                   Needs and risk analysis

                   I 4 kap. Section 2 of the National Board of Health and Welfare's regulations (HSLF-FS 2016: 40), which supplement

                   In the Patient Data Act, it is stated that the care provider must make a needs and
                   risk analysis before the allocation of authorizations in the system takes place. This means that

                   national law prescribes requirements for an appropriate organizational measure that shall:
                   taken before the allocation of authorizations to journal systems takes place.


                   A needs and risk analysis must include an analysis of the needs and a

                   analysis of the risks from an integrity perspective that may be associated
                   with an overly allotment of access to personal data

                   about patients. Both the needs and the risks must be assessed on the basis of them
                   tasks that need to be processed in the business, what processes it is

                   the question of whether and what risks to the privacy of the individual exist.








                                                  Page 18 of 29Datainspektionen DI-2019-3841 1 9 (29)






                   The assessments of the risks need to be made on the basis of organizational level, there

                   for example, a certain business part or task may be more
                   privacy sensitive than another, but also based on the individual level, if it is

                   the issue of special circumstances that need to be taken into account, such as
                   that it is a question of protected personal data or data of general

                   famous people. The size of the system also affects the risk assessment. Of
                   The preparatory work for the Patient Data Act states that the more comprehensive one

                   information system is, the greater the variety of authorization levels required
                   there is. (Prop. 2007/08: 126 p. 149).


                   It is thus a question of a strategic analysis at a strategic level, which should give one

                   authorization structure that is adapted to the business and this must be maintained
                   updated.


                   In summary, the regulation requires that the risk analysis identifies
                        different categories of data (eg data on health),

                       Categories of data subjects (eg vulnerable natural persons and
                          children), or

                        the scope (eg number of personal data and registered)

                        negative consequences for data subjects (eg injuries,
                          significant social or economic disadvantage, deprivation of rights
                          and freedoms),


                   and how they affect the risk to the rights and freedoms of natural persons

                   Processing of personal data. This applies both within internal secrecy
                   as in coherent record keeping.


                   The risk analysis must also include special risk assessments, for example

                   based on whether there is protected personal data that is
                   classified, information on public figures, information from

                   certain clinics or medical specialties (Bill 2007/08: 126 p. 148-
                   149).


                   The risk analysis must also include an assessment of how probable and serious

                   the risk to the data subjects' rights and freedoms is and in any case determined
                   whether it is a risk or a high risk (recital 76).


                   It is thus through the needs and risk analysis that it

                   personal data controller finds out who needs access, which





                                                  Page 19 of 29Datainspektionen DI-2019-3841 2 0 (29)






                   information the accessibility shall include, at what times and at what

                   context access is needed, while analyzing the risks to it
                   the freedoms and rights of the individual that the treatment may lead to. The result should

                   then lead to the technical and organizational measures needed to
                   ensure that no one other than the one who needs and

                   the risk analysis shows that it should be justified.


                   When a needs and risk analysis is missing prior to the allocation of qualifications in
                   system, lacks the basis for the personal data controller on a legal

                   be able to assign their users a correct authorization. The
                   the data controller is responsible for, and shall have control over, the

                   personal data processing that takes place within the framework of the business. To
                   assign users a when accessing journal system, without this being founded
                   on a performed needs and risk analysis, means that the person responsible for personal data

                   does not have sufficient control over the personal data processing that takes place in
                   the journal system and also can not show that he has the control that

                   required.


                   The Health and Medical Care Board's work with needs and risk analysis
                   When the Data Inspectorate has requested a documented needs and

                   risk analysis, the Health and Medical Care Board has stated that the board has done
                   a needs and risk analysis, but only from the business perspective, not

                   from the integrity perspective. The Data Inspectorate therefore wants to emphasize that
                   is not enough to do a needs analysis. As previously described,

                   appears from Article 32 of the Data Protection Ordinance and the National Board of Health and Welfare
                   regulations, it is required that the Health and Medical Care Board must also make one

                   risk analysis where the board considers various risks that may be associated with
                   one too in the availability of different types of personal data about patients for

                   to then weigh the needs of the business against the risks for the individual
                   integrity. In addition, the personal data controller, according to i

                   the requirements of the Data Protection Regulation under Article 5, be able to
                   show that, among other things, appropriate organizational measures have been taken.


                   The Health and Medical Care Board has referred to the heads of operations
                   is responsible for a needs and risk analysis. The Data Inspectorate therefore wants

                   also emphasize that the board as the person responsible for personal data can not waive
                   take responsibility for the analysis and, on the basis of it, take appropriate technical and

                   organizational measures. This means that the board should have ensured







                                                  Page 20 of 29Datainspektionen DI-2019-3841 2 1 (29)






                   the implementation of a needs and risk analysis according to ch. § 2 HSLF-FS

                   2016: 40 and documented it.


                   A needs and risk analysis must be performed at a strategic level
                   The Health and Medical Care Board has stated that the board after

                   The Data Inspectorate's previous injunction produced documents to provide
                   business managers tools for assigning permissions. The committee has

                   referred to the documents Guideline for information security - management and
                   operation and the template Template- Needs and risk analysis when allocating authorization


                   The Data Inspectorate states that the guidelines and the template are about

                   allocation of authorizations and that the documents are based on a need and
                   risk analysis must be done in connection with the actual allocation. (In the guidelines
                   states, for example, that a risk analysis must be performed to shed light on different types of risks

                   associated with too extensive availability and that documentation of
                   completed needs and risk analysis must be archived at the unit. In the template

                   referred to the Patient Data Act and that a decision on allocation must be preceded by a
                   needs and risk analysis). The Data Inspectorate therefore wants to emphasize that a

                   needs and risk analysis shall establish an overall competence structure
                   which in turn should form the basis for the allocation of qualifications to be made

                   for each individual executive. The strategic analysis to be taken is
                   thus further than the analysis made at the actual allocation of

                   the powers. A properly conducted needs and risk analysis is one
                   prerequisite for a correct allocation of authorizations.


                   The Health and Medical Care Board has also referred to the documents

                   User profiles as examples of analyzes performed at actual
                   authorization assignments. The Data Inspectorate also finds in this case that

                   it is not a question of any needs and risk analysis.


                   The Swedish Data Inspectorate's summary assessment
                   As stated above, in a needs and risk analysis, both the needs and
                   the risks are assessed on the basis of the data that need to be processed in

                   the business, what processes are involved and what are the risks for it
                   individual integrity that exists on both organizational and individual

                   level. It is thus a question of a strategic analysis at a strategic level, which should
                   provide a basis for an authorization structure that is adapted to the activities.

                   It should result in authorization assignments but it is not
                   the instructions to the person who assigns the permissions that are the analysis.






                                                  Page 21 of 29Datainspektionen DI-2019-3841 2 2 (29)








                   In summary, the Data Inspectorate states that the Health and
                   the health care board has not submitted any documented needs

                   and risk analysis. The committee has also stated that it has not seen anyone
                   documented such. The Health and Medical Care Board has thus not been able to

                   show that the board has carried out a needs and risk analysis in the sense that
                   referred to in ch. 4 § 2 HSLF-FS 2016: 40, neither within the framework of the internal

                   confidentiality or within the framework of coherent record keeping. This
                   means that the Health and Medical Care Board has not taken appropriate

                   organizational measures in accordance with Article 5 (1) (f) and Article 31 (1) and (2) for
                   be able to ensure and, in accordance with Article 5 (2), be able to demonstrate that:

                   the processing of personal data has a security that is appropriate in
                   in relation to the risks.


                   Authorization of access to personal data about patients
                   As reported above, a caregiver may have a legitimate interest in having

                   a comprehensive processing of data on the health of individuals. Notwithstanding this shall
                   access to personal data about patients may be limited to

                   what is needed for the individual to be able to fulfill his or her duties.


                   With regard to the allocation of authorization for electronic access according to ch.
                   § 2 and ch. 6 Section 7 of the Patient Data Act states that in the preparatory work, Bill.

                   2007/08: 126 pp. 148-149, i.a. that there should be different eligibility categories in
                   the journal system and that the permissions should be limited to what the user

                   need to provide the patient with good and safe care. It also appears that “a
                   more extensive or coarse-grained eligibility should be considered as one

                   unauthorized dissemination of journal information within a business and should as
                   such is not accepted ”.


                   In health care, it is the person who needs the information in their work

                   who may be authorized to access them. This applies both within a
                   caregivers as between caregivers. It is, as already mentioned, through
                   the needs and risk analysis that the person responsible for personal data finds out who

                   who need access, what information the access should include, at which
                   times and in which contexts access is needed, and at the same time

                   analyzes the risks to the individual's freedoms and rights
                   the treatment can lead to. The result should then lead to the technical and

                   organizational measures needed to ensure no allocation
                   of eligibility provides further access opportunities than the one that needs and






                                                  Page 22 of 29Datainspektionen DI-2019-3841 2 3 (29)






                   the risk analysis shows is justified. An important organizational measure is to provide

                   instruction to those who have the authority to assign authorizations on how this
                   should go to and what should be considered so that it, with the needs and risk analysis

                   as a basis, becomes a correct authorization allocation in each individual case.


                   That the Health and Medical Care Board's allocation of qualifications does not have
                   preceded by a needs and risk analysis means that the board has not

                   analyzed users' need for access to the data, the risks that
                   this access may entail and thus also not identified which

                   access that is justified to users based on such an analysis. The committee
                   has therefore not taken appropriate action in accordance with Article 32 of

                   the Data Protection Regulation, to restrict users' access to
                   patients' personal data in the medical record system.


                   This in turn has meant that there has been a risk of unauthorized access and
                   unjustified dissemination of personal data partly within the framework of the internal

                   secrecy, partly within the framework of the coherent record keeping.


                   In the case, it has emerged that the number of registered patients in NCS Cross
                   within the internal secrecy is just over 650,000 and within the framework of

                   cohesive record keeping just over 665,000. The case has also emerged
                   that there are about 10,000 employees in the region and that just over 7,500

                   executives have been awarded Reading VLL in NCS Cross. This
                   authorization gives access (read access) to all devices

                   care documentation in the Västerbotten Region, except the one prepared on
                   protected devices. Of a total of 84 units, six are protected

                   devices. In summary, the Data Inspectorate states that this means
                   that the majority of the employees have had actual access to

                   the care documentation of the majority of patients in NCS Cross.


                   Care documentation means that it is a question of health information, so-called
                   sensitive personal data within the meaning of Article 9 (1) of the Data Protection Regulation. By
                   that the personal data controller only restricted access to permissions

                   in NCS Cross to data available on protected devices thus has
                   there has been a risk of unauthorized access and unauthorized distribution of

                   personal data partly within the framework of internal secrecy, partly within the framework
                   for the unified record keeping.









                                                  Page 23 of 29Datainspektionen DI-2019-3841 2 4 (29)






                  The Health and Medical Care Board has stated that an active choice for access is required

                  by the user when the patient has blocked their care documentation.
                  The Data Inspectorate wants to emphasize that an active choice is an enhancement of integrity

                  measure but does not constitute such an access restriction as referred to in ch. § 2
                  patient data law. This provision requires that the jurisdiction be restricted

                  to what is needed for the individual to be able to fulfill his
                  tasks in health care, ie. only those in need

                  the data must have access to them. Of the preparatory work for
                  Patient Data Act, prop. 2007/08: 126, p. 149, it appears that information in addition

                  need to be stored in different layers so that more sensitive data require active choices
                  or otherwise are not as easily accessible to staff as less sensitive

                  tasks.

                  Against this background, the Data Inspectorate can state that the Health and

                  the Health Care Board has processed personal data in violation of Article 5 (1) (f)
                  and Article 32 (1) and (2) of the Data Protection Regulation by the Board not

                  has restricted users' permissions to access the journal system
                  NCS Cross to what is only needed for the user to be able to fulfill

                  their duties in health and medical care according to ch. § 2 and ch. 6 7
                  § the Patient Data Act and ch. 4 2 § HSLF-FS 2016: 40. This means that the Health

                  and the health care board has not taken measures to be able to ensure
                  and, in accordance with Article 5 (2) of the Data Protection Regulation, be able to display a

                  appropriate security for personal data.


                  Documentation of access (logs)
                  Based on the logs created as a result of the inspection

                  reviews together with the information provided by the board
                  the heading in the log extracts, the Data Inspectorate states that of

                  the log extracts show the following:
                       under the heading Activity, what measures have been taken

                          information about a patient, for example to "read".
                       under the headings Journal at which care unit or care process

                          measures have been taken
                       under the heading Time at which time the measures were taken

                       under the headings Patient and Personal of the user and the patient
                          identity.


                  The Data Inspectorate finds that the documentation of the access (the logs)

                  in NCS Cross is in accordance with the requirements set out in ch. § 9 HSLF-





                                                 Page 24 of 29Datainspektionen DI-2019-3841 2 5 (29)






                  FS 2016: 40 and that the Health and Medical Care Board thus in this part has

                  have taken appropriate technical measures in accordance with Article 32 i
                  the Data Protection Regulation.




                  Choice of intervention


                  Legal regulation
                  If there has been a violation of the provisions of the Data Protection Regulation

                  the Data Inspectorate has a number of corrective powers available according to
                  Article 58 (2) (a) to (j) of the Data Protection Regulation. The supervisory authority may include

                  otherwise instruct the person responsible for personal data to ensure that the processing takes place
                  in accordance with the Regulation and if required in a specific way and within

                  a specific period.


                  It follows from Article 58 (2) of the Data Protection Regulation that the Data Inspectorate in
                  in accordance with Article 83 shall impose penalty charges in addition to or in lieu of

                  other corrective measures referred to in Article 58 (2),
                  the circumstances of each individual case.


                  For the purposes of Article 83 (7) of the Data Protection Regulation, national authorities may:

                  rules state that administrative sanctions may be imposed on authorities.
                  According to ch. 6 Section 2 of the Data Protection Act allows for penalty fees to be decided

                  authorities, but to a maximum of SEK 5,000,000 or SEK 10,000,000
                  depending on whether the infringement concerns articles covered by Article 83 (4)

                  or 83.5 of the Data Protection Regulation.

                  Article 83 (2) of the Data Protection Regulation sets out the factors to be taken into account for

                  to decide whether to impose an administrative penalty fee, but also
                  what is to affect the size of the penalty fee. Of central importance to

                  the assessment of the gravity of the infringement is its nature, severity and
                  duration. In the case of a minor infringement may

                  the regulatory authority, in accordance with recital 148 of the Data Protection Regulation, issue a
                  reprimand instead of imposing a penalty fee.


                  Order

                  The health service has a great need for information in its operations. The

                  It is therefore natural that the possibilities of digitalisation are utilized as much as






                                                 Page 25 of 29Datainspektionen DI-2019-3841 2 6 (29)






                   possible in healthcare. Since the Patient Data Act was written, one has a lot

                   extensive digitization has taken place in healthcare. Both the data collections
                   size as the number of people sharing information with each other has increased

                   substantially. At the same time, this increase means that the demands on it increase
                   personal data controller, as the assessment of what is an appropriate

                   safety is affected by the extent of the treatment.


                   In health care, this means a great responsibility for it
                   personal data controller to protect the data from unauthorized access,

                   among other things by having an authorization allocation that is even more
                   comminuted. It is therefore essential that there is a real analysis of the needs

                   based on different activities and different executives. Equally important is that
                   there is an actual analysis of the risks from an integrity perspective
                   may occur in the event of an override of access rights. From

                   this analysis must then be restricted to the individual executive.
                   This authority must then be followed up and changed or restricted accordingly

                   hand that changes in the tasks of the individual executive provide
                   reason for it.


                   The Data Inspectorate's inspection has shown that the Health and Medical Care Board has

                   failed to take appropriate security measures to provide protection to
                   the personal data in the journal system NCS Cross by not complying with the requirements

                   which is set in the Patient Data Act and the National Board of Health and Welfare's regulations and thereby
                   does not meet the requirements of Article 5 (1) (f) and Article 32 (1) and (2) (i)

                   the Data Protection Regulation. Failure includes both the interior
                   the secrecy according to ch. 4 the Patient Data Act as the cohesive one

                   record keeping according to ch. 6 patient data law.


                   The Data Inspectorate therefore submits, with the support of 58.2 d i
                   the Data Protection Ordinance, the Health and Medical Care Board to implement and

                   document the required needs and risk analysis for the NCS medical record system
                   Cross within the framework of both internal secrecy and within the framework of it
                   coherent record keeping. The Health and Medical Care Board shall further,

                   with the support of the needs and risk analysis, assign each user individually
                   authorization for access to personal data limited to what only

                   necessary for the individual to be able to fulfill his duties within
                   Healthcare.









                                                  Page 26 of 29Datainspektionen DI-2019-3841 2 7 (29)






                  Penalty fee

                  The Data Inspectorate can state that the violations basically concern the Health

                  and the healthcare board's obligation to take appropriate safety measures for
                  to provide protection for personal data in accordance with the Data Protection Regulation.


                  In this case, it is a matter of large collections of data with sensitive

                  personal data and extensive powers. The caregiver needs to be involved
                  necessity to have a comprehensive processing of data on the health of individuals.

                  However, it must not be unrestricted but should be based on what individual
                  employees need to be able to perform their tasks. The Data Inspectorate

                  notes that this is information that includes direct identification of
                  the individual through name, contact information and social security number,
                  health information, but it may also be other private information about

                  for example, family relationships, sexual life and lifestyle. The patient is addicted
                  of receiving care and is thus in a vulnerable situation. The nature of the data,

                  scope and the patients' position of dependence give caregivers a special
                  responsibility to ensure patients' right to adequate protection for their

                  personal data.


                  Additional aggravating circumstances are the treatment of
                  personal data about patients in the main medical record system belongs to the core of a

                  the activities of caregivers, that the treatment covers many patients and
                  the possibility of access refers to a large proportion of the employees. In this case, stir

                  it is about 650,000 number of patients within the framework of the internal
                  confidentiality and about 665,000 patients under it

                  coherent record keeping. Of a total of 84 care units are available
                  restrictions on access to only six units, the so-called

                  protected devices.


                  The Data Inspectorate can also state that the Health and
                  The Health Care Board did not follow the Data Inspectorate's decision of 27 March 2015.

                  The decision was presented to the then County Council Board in Västerbotten County
                  county council to carry out a documented needs and risk analysis accordingly

                  then requirement in ch. 2 Section 6, second paragraph, second sentence SOSFS 2008: 14,
                  which corresponds to the current provision in Chapter 4. 2 § HSLF-FS 2016: 40. This

                  is an aggravating circumstance, in accordance with Article 83 (2) (e) (i)
                  the Data Protection Regulation.









                                                 Page 27 of 29Datainspektionen DI-2019-3841 2 8 (29)






                   The shortcomings that have now been established have thus been known to Hälso- och

                   the health care board for several years, which means that the action took place
                   intentionally and thus is considered more serious. The Data Inspectorate

                   also notes that the Health and Medical Care Board's information that they
                   analyzes that have subsequently been made are solely based on the business perspective,

                   which is particularly serious.


                   In determining the seriousness of the infringements, it can also be stated that
                   the infringements also cover the basic principles set out in Article 5 (i)

                   the Data Protection Regulation, which is one of the more serious infringements that can
                   provide a higher penalty fee under Article 83 (5) of the Data Protection Regulation.


                   Taken together, these factors mean that they are not to be judged as minor
                   infringements without infringements that should lead to an administrative

                   penalty fee.


                   The Data Inspectorate considers that these violations are closely related to
                   each other. That assessment is based on the need and risk analysis

                   form the basis for the allocation of the authorizations. The Data Inspectorate
                   therefore considers that these infringements are so closely linked

                   that they constitute interconnected data processing within the meaning of Article 83 (3) (i)
                   the Data Protection Regulation. The Data Inspectorate therefore decides on a joint

                   penalty fee for these infringements.


                   The administrative penalty fee shall be effective, proportionate and
                   deterrent. This means that the amount must be determined so that it

                   the administrative penalty fee leads to correction, that it provides a preventive
                   effect and that it is also proportional in relation to both current

                   violations as to the ability of the supervised entity to pay.


                   The maximum amount for the penalty fee in this case is SEK 10 million
                   according to ch. 6 Section 2 of the Act (2018: 218) with supplementary provisions to the EU
                   data protection regulation.


                   Given the seriousness of the infringements and that the administrative

                   the penalty fee must be effective, proportionate and dissuasive
                   the Data Inspectorate determines the administrative sanction fee for

                   Health and Medical Care Board to 2,500,000 (two million five hundred thousand)
                   kronor.






                                                  Page 28 of 29Datainspektionen DI-2019-3841 2 9 (29)











                  This decision was made by Director General Lena Lindgren Schelin after
                  presentation by the IT security specialist Magnus Bergström. At the final

                  The case is also handled by the General Counsel Hans-Olof Lindblom, the unit managers
                  Katarina Tullstedt and Malin Blixt and the lawyer Caroline Cruz Julander

                  participated.



                  Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature)









                  Appendix: How to pay a penalty fee


                  Copy for information to the Data Protection Officer







                  How to appeal


                  If you want to appeal the decision, you must write to the Data Inspectorate. Enter i
                  the letter which decision you are appealing and the change you are requesting.

                  The appeal must have been received by the Data Inspectorate no later than three weeks from
                  on the day the decision was announced. If the appeal has been received in due time

                  the Data Inspectorate forwards it to the Administrative Court in Stockholm
                  examination.


                  You can e-mail the appeal to the Data Inspectorate if it does not contain

                  any privacy-sensitive personal data or data that may be covered by
                  secrecy. The authority's contact information can be found on the first page of the decision.










                                                 Page 29 of 29