Datainspektionen - DI-2019-3845: Difference between revisions

From GDPRhub
m (Links to GDPR articles)
mNo edit summary
Line 57: Line 57:


===Facts===
===Facts===
Kry provides health services via video calls. The patient downloads an app that is available for iOS and Android. The app allows the patient to have a video call with the doctor and renew certain prescriptions without a video call. At the time of the inspection, the caregiver's internal medical record system contained approximately 450,000 patient records accessible by 490 of the caregiver's employees.   
The caregiver Kry, provides health services via video calls. The patient downloads an app that is available for iOS and Android. The app allows the patient to have a video call with the doctor and renew certain prescriptions without a video call. At the time of the inspection, the caregiver's internal medical record system contained approximately 450,000 patient records accessible by 490 of the caregiver's employees.   


The DPA initiated the investigation on March 22, 2019 and conducted an on-site inspection on April 4, 2019.   
The DPA initiated the investigation on March 22, 2019 and conducted an on-site inspection on April 4, 2019.   
Line 65: Line 65:
'''Risk-needs analysis'''
'''Risk-needs analysis'''


* whether the caregiver had analyzed the risks to which data subjects were exposed as a result of the caregivers processing of personal data
*whether the caregiver had analyzed the risks to which data subjects were exposed as a result of the caregivers processing of personal data
* whether the caregiver had properly assessed which of its employees needed access to which data    
*whether the caregiver had properly assessed which of its employees needed access to which data


'''How access to medical data was defined'''
'''How access to medical data was defined'''


* how employees were granted access to the caregiver's internal medical records  
*how employees were granted access to the caregiver's internal medical records
* how staff were granted access to other caregiver's medical records through the coherent medical record system (sammanhållen journalföring).  
*how staff were granted access to other caregiver's medical records through the coherent medical record system (sammanhållen journalföring).
* whether access and permissions were properly defined based on the risk-needs analysis.
*whether access and permissions were properly defined based on the risk-needs analysis.


'''Logs'''   
'''Logs'''   


* How the caregiver logged whenever a staff member accessed a patient's data.  
*How the caregiver logged whenever a staff member accessed a patient's data.


===Dispute===
===Dispute===

Revision as of 10:50, 7 January 2021

Datainspektionen - DI-2019-3845
LogoSE.png
Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2020
Published:
Fine: None
Parties: Kry
National Case Number/Name: DI-2019-3845
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: Integritetsskyddsmyndigheten (in SV)
Initial Contributor: Kave Noori

The Swedish DPA, Integritetsskyddsmyndigheten, did not fine a healthcare provider for breaches that in most cases result in fines. The DPA considered it disproportionate as the healthcare provider proactively tried to comply with the rules.

English Summary

Facts

The caregiver Kry, provides health services via video calls. The patient downloads an app that is available for iOS and Android. The app allows the patient to have a video call with the doctor and renew certain prescriptions without a video call. At the time of the inspection, the caregiver's internal medical record system contained approximately 450,000 patient records accessible by 490 of the caregiver's employees.

The DPA initiated the investigation on March 22, 2019 and conducted an on-site inspection on April 4, 2019.

The inspection concerned:

Risk-needs analysis

  • whether the caregiver had analyzed the risks to which data subjects were exposed as a result of the caregivers processing of personal data
  • whether the caregiver had properly assessed which of its employees needed access to which data

How access to medical data was defined

  • how employees were granted access to the caregiver's internal medical records
  • how staff were granted access to other caregiver's medical records through the coherent medical record system (sammanhållen journalföring).
  • whether access and permissions were properly defined based on the risk-needs analysis.

Logs

  • How the caregiver logged whenever a staff member accessed a patient's data.

Dispute

Holding

Risk- needs analysis

The DPA concluded that the risk and necessity analysis did not meet all statutory requirements at the time of inspection. During the supervisory investigation, the caregiver submitted a revised risk analysis twice. The DPA considered the revisions to be significant improvements, but an even more thorough analysis was needed to meet the statutory requirements. The DPA said there was a need to assess risks based on categories of personal data, such as addictions, mental health, domestic violence.

Access to medical records

Although a caregiver has a legitimate interest in processing a lot of personal data about a person's health, permission to access personal data must be limited to what a healthcare worker needs to do their job. The risk and needs assessment is the caregiver's tool to determine who gets access to what. At the time of the inspection the caregiver had not implemented any technical means to limit what their staff can access within internal files or the coherent records (from other caregivers). The caregiver implemented organizational measures to prevent unauthorized access. The caregiver manually reviewed each instance in which a staff member had accessed medical records of a patient he was not currently treating. In addition, once a month the caregiver blocked a doctor's access to medical records if they were not due to attend work for the next 4 weeks.

The DPA considered the lack of technical restrictions on access to patient records as a breach of Article 5(1)(f), Article 32(1) and Article 32(2).

During the supervisory inspection, the caregiver made changes to restrict her employee's access to internal and coherent medical records. The changes resulted in the employee only being able to access the records of a patient for whom she had an appointment, and this access would be revoked four months later. The DPA considered these changes to be positive improvements but reminded the caregiver that the technical measures would need to be reevaluated once the risk and necessity analysis was completed, as required by the DPA.

Logging of unauthorized access

The caregiver logged access to internal medical records and the coherent medical records. After the inspection, the caregiver informed the DPA that he found that his system did not log when someone deleted an unsigned journal entry. The caregiver remedied this on May 16, 2019, and the DPA considered the caregiver's logging practices following the law as of that date.

Sanctions charge

The DPA considers violations of Article 5(1)(f), Article 32(1) and Article 32(2) to be sufficiently serious in most cases that a caregiver should be fined. In this case, the DPA found that the caregiver had made efforts to comply before and during the inspection. The DPA decided not to impose a financial penalty on the caregiver. Instead, the DPA directed the caregiver to take certain compliance measures.

Instruction to implement compliance measures.

The caregiver revised their needs and risk assessment twice during the inspection. The DPA considered these revisions before deciding to instruct the caregiver to make changes. The DPA found that the caregivers risk assessment had improved since the inspection began and it was now better at addressing the risks required by the law.

The DPA directed the caregiver to undertake a more detailed analysis of the risks to the rights and freedoms of data subjects. According to the DPA, this analysis should form the basis of a new assessment of the way in which access rights to patient records are defined for the caregiver’s staff. The DPA required that these changes be implemented by the end of February 2021.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

                                                 Decision Diary No. 1 (31)
                                                 2020-12-02 DI-2019-3845





                                                Digital Medical Supply Sweden AB (KRY)
                                                Torsgatan 21

                                                113 21 Stockholm








                Supervision under the Data Protection Regulation and

                Patient Data Act - needs and risk analysis and

                questions about access in journal systems To Digital

                Medical Supply Sweden AB (KRY)







































Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se
Website: www.datainspektionen.se Phone: 08-657 61 00Datainspektionen DI-2019-3845 2 (31)







                        Content
                        The Data Inspectorate's decision ................................................ ..................................... 3

                        Report on the supervisory matter ............................................... ............................ 4

                        What has emerged in the case ............................................. .............................. 5

                           Personal data controller ................................................. .................................... 5

                           Operation................................................. .................................................. ..... 5

                           Journal system ................................................. .................................................. 5
                           Users and patients ............................................... ................................... 5

                           Internal privacy ................................................ .................................................. ... 6

                              Needs and risk analysis .............................................. .................................... 6

                              Authorization of access to personal data ............................ 9

                           Consolidated record keeping ................................................ .......................... 10

                              Needs and risk analysis .............................................. .................................. 10

                              Authorization of access to personal data about
                              patients ................................................. .................................................. .... 10

                           Documentation of access (logs) ............................................ ............... 11

                        Grounds for the decision ............................................... ........................................... 12

                           Applicable rules................................................ ........................................... 12

                              The Data Protection Regulation the primary source of law .................................... 12

                              The Data Protection Regulation and the relationship with complementary national
                              regulations ................................................. ........................................... 13

                              Supplementary national provisions ............................................... .. 14

                              Requirement to do needs and risk analysis .......................................... ........... 15

                              Internal privacy ................................................ .............................................. 16

                              Consolidated record keeping ................................................ ....................... 16

                              Documentation of access (logs) ............................................ .............. 17

                           The Data Inspectorate's assessment ................................................ ....................... 17

                              Responsibility of the data controller for security ....................................... 17

                              Needs and risk analysis .............................................. .................................. 18
                              Authorization for access to personal data about patients ... 23Data Inspectorate DI-2019-3845 3 (31)







                          Documentation of access (logs) ............................................ ......... 25

                       Choice of intervention ............................................... .............................................. 25

                          Legal regulation ................................................ .......................................... 25

                          Assessment of whether a penalty fee should be imposed ......................................... 26

                          Order................................................. ........................................... 28

                    How to appeal............................................... .............................................. 30







                    The Data Inspectorate's decision

                    During an on-site inspection on April 4, 2019, the Data Inspectorate has established that
                    Digital Medical Supply Sweden AB (KRY) processes personal data in violation

                    with Article 5 (1) (f) and (2) and Article 32 (1) and (2) of the Data Protection Regulation 1
                    by



                         1. KRY has not carried out needs and risk analyzes that meet
                             the requirements according to the provisions in ch. 4 § 2 and ch. 6 § 7

                             the Patient Data Act (2008: 355) and ch. 4 Section 2 of the National Board of Health and Welfare
                             regulations and general advice on record keeping and processing of

                             personal data in health care (HSLF-FS 2016: 40) before
                             allocation of permissions takes place in the journal system ProReNata and

                             National patient overview. This means that KRY is not in sufficient
                             to the extent that it has taken appropriate organizational measures to:

                             be able to ensure and be able to show that the treatment of
                             the personal data has a security that is appropriate in relation to

                             the risks.


                         2. KRY has not shown that KRY has restricted users' permissions for
                             access to the ProReNata medical record system and the National Patient Overview

                             limited to what is only needed for the user to be able to

                             perform their duties in health care accordingly

                    1
                      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection
                    for natural persons with regard to the processing of personal data and on the free flow
                    of such information and repealing Directive 95/46 / EC (General
                    Data Protection Ordinance) .Data Inspectorate DI-2019-3845 4 (31)






                          with ch. 4 § 2 and ch. 6 Section 7 of the Patient Data Act and Chapter 4 § 2 HSLF-

                          FS 2016: 40. This means that KRY has not taken sufficient
                          measures to ensure and demonstrate appropriate security

                          for personal data.


                  The Data Inspectorate states that KRY since the inspection on April 4, 2019
                  has improved its needs and risk analyzes but that the analyzes are not in all

                  parts meet the requirements that apply according to ch. § 2 and ch. 6 § 7
                  the Patient Data Act (2008: 355) and ch. 4 Section 2 of the National Board of Health and Welfare's regulations and

                  general advice on record keeping and processing of personal data in health
                  and healthcare (HSLF-FS 2016: 40).


                  The Data Inspectorate submits pursuant to Article 58 (2) (d) i
                  the data protection ordinance KRY to supplement by the last February 2021

                  the needs and risk analyzes for the journal systems ProReNata and National
                  patient overview by developing the analysis of the risks for those registered

                  rights and freedoms and that thereafter, with the support of needs and
                  the risk analyzes, make a reassessment regarding the allocation of

                  permissions so that each user has access to only those
                  personal data needed for the user to be able to fulfill his

                  health care tasks, in accordance with Article 32 (1) and
                  32.2 of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 Section 7 of the Patient Data Act and

                  Chapter 4 2 § HSLF-FS 2016: 40.



                  Report on the supervisory matter

                  The Data Inspectorate initiated supervision by letter dated 22 March 2019 and
                  has on site on April 4, 2019 reviewed KRY's decision to award

                  authorizations have been preceded by a needs and risk analysis. Supervision has also
                  included how KRY assigned permissions for access to

                  the main medical record system ProReNata and the National Patient Overview and which
                  access opportunities the granted privileges provide within both the framework of

                  the internal secrecy according to ch. the Patient Data Act, as the cohesive one
                  record keeping according to ch. 6 patient data law. In addition to this has

                  The Data Inspectorate also examined the documentation of access (logs)
                  contained in the journal system.


                  The Data Inspectorate has only examined users' access to

                  journal systems, i.e. what care documentation can the user actually takeData Inspectorate DI-2019-3845 5 (31)






                  part of and read. Supervision does not include the functions included in

                  the competence, ie. what the user can actually do in the journal system
                  (eg issuing prescriptions, writing referrals, etc.).




                  What has emerged in the case

                  KRY has mainly stated the following.


                  Personal data manager
                  KRY is the care provider and personal data manager.


                  Operation

                  KRY conducts care via video meetings, so-called video care, which is done by
                  the patient downloads the app KRY. KRY is the technical platform and also

                  the brand that KRY uses externally towards patients. The app is available for
                  mobile devices with the operating systems iOS or Android.


                  It is KRY's parent company Webbhälsa AB (hereinafter Webbhälsa) that has

                  developed the app and which handles the operation of the technical platform.
                  Webbhälsa owns the brand KRY, develops the technology and services the care provider

                  KRY with licenses. There are two separate legal units but the staff is sitting
                  together in the same office.


                  There are historical reasons behind the fact that there are two companies but one

                  Operation. When KRY was created, Web Health turned to regions and
                  county council to offer the service, but it took a long time to get caregivers to

                  start using the service. That is why Webbhälsa started the company KRY as one
                  own care provider that conducts care via the app KRY.


                  Journal system

                  KRY has stated that the record system used by KRY is called ProReNata
                  and has been used since the business started in March 2016. For cohesive

                  record keeping, the National Patient Overview (NPÖ) system is used.


                  Users and patients
                  At the time of the inspection, there were 490 people with access to

                  ProReNata. On April 8, 2019, the total number of patients was registered in
                  ProReNata 450 331.Datainspektionen DI-2019-3845 6 (31)








                     Internal secrecy


                     Needs and risk analysis

                     During the inspection and subsequent inspection have essentially the following
                     arrived.



                     During the inspection on April 4, 2019, the Data Inspectorate took in a needs and
                     risk analysis dated 11 March 2019. On 10 May 2019, KRY submitted a

                     revised needs and risk analysis dated 2 May 2019 where also cohesive
                     record keeping is included but which otherwise essentially contains the same

                     and risk analysis as the document dated March 11, 2019. March 20, 2020

                     KRY came in with a new revised version dated March 1, 2020 that contains
                     a largely revised analysis.



                     The needs and risk analysis dated 11 March 2019 includes one
                     description of needs in the business, risks and risk management.



                     The document states, among other things, the following regarding needs in the business for
                     healthcare professionals:


                     Due to the business' medical focus, digital nature and absence of physical

                     presence in different geographical areas, health and medical staff at KRY are organized in
                     a single staff pool scheduled by administrative staff for meetings with all types of
                     patients. Healthcare professionals are thus not organized solely based on

                     necessary competence in the individual case (eg general practitioner, nurse or psychologist),
                     scheduling and availability. Although some type of treatment, e.g. treatment of children
                     under 6 months of age or treatment of certain symptoms typical of e.g. women, should be cared for

                     by certain specialized personnel, the work of this personnel is not limited to these symptoms then
                     they also meet other types of patients. In the event that KRY care operations change over time,

                     by e.g. a larger number of available staff, several different categories of healthcare staff or
                     care processes (such as specialist care), an updated needs and risk analysis will
                     carried out to ensure patient safety but also to ensure respect for the patient

                     integrity is constantly observed.

                     To ensure good quality, availability and cost efficiency, it is of utmost importance that

                     staff who participate in the actual care within the framework of KRY outpatient care and in a
                     patient relationship, has a good and sufficient knowledge of the patient's medical history. All
                     clinics and relevant administrative staff (such as medical secretaries who have relevant

                     training for their assignment) hired by KRY may meet all patients who apply
                     care via KRY and may then participate in the care of these and thus need access to
                     the patient's medical record in order to be able to fulfill their duties. Data Inspectorate DI-2019-3845 7 (31)






                   In summary, it is KRY's assessment that it is both business-like and unique

                   distinctiveness there is a great need not to limit eligibility for medical and relevant
                   administrative staff to certain geographically or demographically delimited patient groups in
                   the current situation. For other types of authorizations, there is a more limited need in accordance with what
                   as stated above.


                   Under the heading "risks" it is stated that KRY sees a number of risks with a broad
                   authorization and states that the risks in KRY's view are primarily:


                        Unauthorized access for healthcare professionals or relevant

                           administrative staff due to ignorance of rules and procedures
                           on confidentiality and patient safety;

                        Unauthorized access for healthcare professionals or relevant
                           administrative staff as a result of mistakes or otherwise due to

                           human factor;

                        Unauthorized access for healthcare professionals or relevant
                           administrative staff as a result of deliberate abuse;

                        Unauthorized access by third parties due to health and
                           healthcare professionals or relevant administrative staff lose

                           equipment or, knowingly or unknowingly, sharing
                           login information to systems; and

                        Unauthorized access by third parties due to data breaches.


                   Under the heading "risk management" it is stated that KRY's assessment is that they
                   risks arising from a broad allocation of privileges can be significantly limited

                   and to an acceptable level through the organizational and technical
                   safety measures taken by KRY, which mainly include:


                        Recruitment routines, including background checks, to

                           minimize the risk of inappropriate individuals being given access to
                           personal data about patients;

                        Routines for onboarding, which i.a. includes guidance and
                           training on the use of systems, equipment, relevant

                           statutes and routines regarding confidentiality and patient safety to
                           raise awareness of obligations, rights and responsibilities;

                        Signing of a reminder of confidentiality and / or confidentiality commitments for
                           to preventively reduce the risk of unauthorized access and to increase

                           knowledge of confidentiality and patient safety;
                        Use of equipment provided and controlled by

                           KRY; Datainspektionen DI-2019-3845 8 (31)






                        Routines for allocating, changing and removing permissions for

                           to preventively minimize the risk that authorizations are not adequate
                           over time;

                        Technical tools to preventively minimize the need for beatings in
                           the record system and thus the risk of illegal access, e.g. like one

                           results of mistakes or insufficient knowledge. In health and
                           healthcare professionals' work for digital care, will only be relevant

                           patient be available. In this system, no patient other than it can
                           which the meeting concerns to be opened. To be able to search for other patients

                           current personnel must actively make an unauthorized strike;
                        Obtaining patient approval before medical

                           secretaries make beatings in patient records; and
                        Clear information to relevant personnel and routine for logging and

                           control in order to prevent employees from refraining from doing so
                           access and to reactively detect and follow up around such

                           access. All journal openings that are not connected to one
                           active care relationship / performed patient meeting is logged and reviewed

                           manually.


                   Under the heading "conclusions" it is stated, among other things:

                   A broad competence for medical and administrative staff for patients

                   journals are therefore justified under current conditions in KRY to
                   be able to provide patient-safe care, provided that KRY operates one

                   continued effective security work to identify, evaluate and manage
                   risks in their business.


                   However, this conclusion needs to be reconsidered regularly and may come to

                   changes as KRY grows, changes medical orientation, develops
                   their business concept and in other similar circumstances. One
                   condition for being able to limit eligibility for different clinics, is that we

                   despite this can ensure accessibility for patients. A division between
                   clinics for which group of patients one has, presupposes a significant

                   greater staff than the one currently available for KRY, but is one
                   desirable goal to aim for in the long run.


                   In the second revision dated March 1, 2020, KRY has largely reworked

                   analysis and identified risks based on certain types of data and
                   patient groups in the form of information on persons with a protected identity, Datainspektionen DI-2019-3845 9 (31)






                   public figures, employees and staff's own tasks. Furthermore,

                   KRY in the revised analysis also assessed probability and consequence for
                   the identified risks. The analysis also contains more detailed information

                   review of access needs for the various staff categories. To
                   Unlike the previous versions of the analysis, KRY has come to the conclusion

                   that a narrow qualification is sufficient for doctors, nurses and psychologists,
                   except so-called plus doctors, plus psychologists and doctors on call. The tight

                   the authorization is stated to mean that users can only access information
                   about patients (both internal medical records and NPÖ) at patient meetings. Further

                   stated that access is granted in connection with the staff is scheduled with
                   patient and is automatically withdrawn 4 months after access was granted

                   and that before meeting with patient has taken place can not beat on such patient
                   happen.


                   Authorization for access to personal data
                   During the inspection, the following mainly emerged.


                   Clinical staff, at the time of inspection, doctors, nurses and

                   psychologists and administrative staff in the form of medical secretaries, have
                   actual access to all data in all patient records in ProReNata. The

                   there are limitations in the form of organizational and technical controls, which
                   according to KRY has been an important part of the assessment of authorization management there

                   KRY thought about what other security can be offered.


                   KRY systematically reviews all journal accesses. All access is reviewed and
                   matched against whether clinics had a meeting with the patient that day. In another

                   In this case, access is flagged and reviewed to see if there is another reasonable one
                   explanation of access. There is a check every four weeks for

                   active accounts (by reviewing the personnel schedule). If, for example, one
                   doctor does not have a passport booked for the next four weeks so is disabled

                   doctor's account. If a doctor with an inactive account has a passport they have entered
                   the account is activated for the next four weeks.


                   The design of the permissions is based on the digital nature of
                   the service that KRY offers, that care has a general focus and is not

                   specialized, that patients are spread across the country, that the queue time for
                   the patient should be as short as possible and that the staff is organized in one

                   only staff pool. A patient who calls in gets help from a doctor one day and
                   a completely different doctor the next day, and the doctors can sit in completely different places in the Data Inspectorate DI-2019-3845 1 0 (31)






                  Sweden. According to KRY, this requires that doctors must be able to see each other

                  journal information to be able to provide good care.


                  KRY has made the assessment that all information available about the patients is
                  relevant to healthcare professionals, but KRY is aware that this may come

                  to change as the organization grows.

                  In the needs and risk analysis dated 1 March 2020, KRY has done one more

                  detailed analysis of the need for access to data in ProReNata based on those
                  tasks of different categories of staff and concluded that a narrow

                  eligibility is sufficient for doctors, nurses and psychologists in that way
                  as described in the section above in the account of the revised needs and

                  the risk analysis.


                  Coherent record keeping


                  During the inspection and subsequent inspection have essentially the following
                  arrived.


                  Needs and risk analysis

                  During the inspection, there was no special needs and risk analysis for access to
                  NPÖ. KRY has submitted two revised needs and risk analyzes

                  dated 2 May 2019 and 1 March 2020 covering the use of national
                  patient overview (NPÖ) in the operation. The needs and risk analysis dated 2

                  May 2019 otherwise contains essentially the same needs and risk analysis as
                  the document dated March 11, 2019.


                  In the needs and risk analysis dated 1 March 2020, KRY has done one more

                  detailed analysis of the need for access to data in NPÖ based on the various
                  the tasks of the staff categories.


                  Authorization of access to personal data about patients
                  KRY has stated that the care provider is part of a system for cohesion

                  record keeping through NPÖ as a “consumer”. This means that the staff at
                  KRY can take part in the information in NPÖ, but KRY "produces" (makes available)

                  no own information in NPÖ.


                  At the time of the inspection, it emerged that all staff had access
                  to ProReNata also had access to NPÖ.Datainspektionen DI-2019-3845 1 1 (31)








                  The revised needs and risk analysis dated 1 March 2020 shows that
                  all personnel who have access to ProReNata as a starting point do not have one

                  need for access to data in NPÖ. Nurses and
                  care administrators are stated as a starting point to have a need for access to
                  ProReNata but not to NPÖ.



                  Documentation of access (logs)
                  KRY has stated the following.


                  For each strike in ProReNata, a log message is created with information

                  about which staff at a given time made a strike. Time
                  refers to both date and time. It is clear which patient it is,

                  the identity of the user, what action the user has taken, for example
                  signing, taking notes and reading. Because KRY is not organized in several
                  different care units appear only one unit that is the same for all

                  staff.


                  There are three different types of logs in ProReNata; visitor logs, server logs
                  and event logs. Visitor log shows when a user visited a journal and

                  when it left the journal. Server log shows when the system registered one
                  server calls to a journal and can mean that users have read but also

                  other reasons. Event log shows logged system events that affect one
                  user or patient, for example read, written or signed.


                  Access to NPÖ is logged by Inera and is available to administrators at

                  KRY.


                  After the inspection, KRY has noted that the specific measure
                  note cancellation (not signed) is not logged separately in ProReNata.

                  KRY has raised this with ProReNata AB, which at KRY's request has
                  developed such logging. Shreds of notes will also come

                  therefore to be logged from 16 May 2019 in order to give KRY even better
                  opportunities to follow up and ensure good and safe care.Datainspektionen DI-2019-3845 1 2 (31)







                  Grounds for the decision


                  Applicable rules


                  The Data Protection Regulation is the primary source of law
                  The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and

                  is the primary legal regulation in the processing of personal data. This
                  also applies to health care.


                  The basic principles for the processing of personal data are set out in
                  Article 5 of the Data Protection Regulation. A basic principle is the requirement

                  security pursuant to Article 5 (1) (f), which states that personal data shall be processed
                  in a way that ensures adequate security for personal data,

                  including protection against unauthorized or unauthorized treatment and against loss,
                  destruction or damage by accident, using appropriate

                  technical or organizational measures.


                  Article 5 (2) states the so-called liability, ie. that it
                  personal data controllers must be responsible for and be able to show that the basic

                  the principles set out in paragraph 1 are complied with.


                  Article 24 deals with the responsibility of the controller. Of Article 24 (1)
                  it appears that the person responsible for personal data is responsible for implementing appropriate

                  technical and organizational measures to ensure and demonstrate that
                  the processing is performed in accordance with the Data Protection Regulation. The measures shall

                  carried out taking into account the nature, scope, context of the treatment
                  and purposes and the risks, of varying degrees of probability and severity, for

                  freedoms and rights of natural persons. The measures must be reviewed and updated
                  if necessary.


                  Article 32 regulates the security associated with the processing. According to paragraph 1
                  the personal data controller and the personal data assistant shall take into account

                  of the latest developments, implementation costs and treatment
                  nature, scope, context and purpose as well as the risks, of varying

                  probability and seriousness, for the rights and freedoms of natural persons
                  take appropriate technical and organizational measures to ensure a

                  level of safety appropriate to the risk (…). According to paragraph 2,
                  when assessing the appropriate level of safety, special consideration is given to the risks

                  which the processing entails, in particular from accidental or unlawful destruction, Datainspektionen DI-2019-3845 1 3 (31)






                   loss or alteration or to unauthorized disclosure of or unauthorized access to

                   the personal data transferred, stored or otherwise processed.


                   Recital 75 states that in assessing the risk to natural persons
                   rights and freedoms, various factors must be taken into account. Among other things mentioned

                   personal data covered by professional secrecy, health data or
                   sexual life, if the processing of personal data concerning vulnerable physical persons takes place

                   persons, especially children, or if the treatment involves a large number
                   personal data and applies to a large number of registered persons.


                   Furthermore, it follows from recital 76 that the probable and serious risk of it

                   data subjects' rights and freedoms should be determined on the basis of processing
                   nature, scope, context and purpose. The risk should be evaluated on
                   on the basis of an objective assessment, which determines whether

                   the data processing involves a risk or a high risk.


                   Recitals 39 and 83 also contain writings that provide guidance on it
                   the meaning of the data protection regulation's requirements for security in

                   Processing of personal data.


                   The Data Protection Regulation and the relationship with complementary national
                   provisions

                   According to Article 5 (1) (a) of the Data Protection Regulation, personal data must:
                   treated in a lawful manner. In order for the treatment to be considered legal, it is required

                   legal basis by fulfilling at least one of the conditions of Article 6 (1).
                   The provision of health care is one such task of general

                   interest referred to in Article 6 (1) (e).


                   In health care, the legal bases can also be legal
                   obligation in Article 6 (1) (c) and the exercise of authority under Article 6 (1) (e)

                   updated.

                   When it comes to the legal bases legal obligation, in general

                   interest or exercise of authority by the Member States, in accordance with Article
                   6.2, maintain or introduce more specific provisions for adaptation

                   the application of the provisions of the Regulation to national circumstances.
                   National law may specify specific requirements for the processing of data

                   and other measures to ensure legal and equitable treatment. But
                   there is not only an opportunity to introduce national rules but also a Data Inspectorate DI-2019-3845 1 4 (31)






                   duty; Article 6 (3) states that the basis for the treatment referred to in

                   paragraph 1 (c) and (e) shall be determined in accordance with Union law or
                   national law of the Member States. The legal basis may also include

                   specific provisions to adapt the application of the provisions of
                   the Data Protection Regulation. Union law or the national law of the Member States

                   law must fulfill an objective of general interest and be proportionate to it
                   legitimate goals pursued.


                   Article 9 states that the treatment of specific categories of

                   personal data (so-called sensitive personal data) is prohibited. Sensitive
                   personal data includes data on health. Article 9 (2) states

                   except when sensitive personal data may still be processed.

                   Article 9 (2) (h) states that the processing of sensitive personal data may be repeated

                   the treatment is necessary for reasons related to, among other things
                   the provision of health care on the basis of Union law or

                   national law of the Member States or in accordance with agreements with professionals in
                   the field of health and provided that the conditions and protective measures provided for in

                   referred to in paragraph 3 are met. Article 9 (3) imposes a regulated duty of confidentiality.


                   This means that both the legal bases of general interest,
                   exercise of authority and legal obligation in the treatment of the vulnerable

                   personal data under the exemption in Article 9 (2) (h)
                   supplementary rules.


                   Supplementary national regulations

                   In the case of Sweden, both the basis for the treatment and those
                   special conditions for the processing of personal data in the field of health and

                   healthcare regulated in the Patient Data Act (2008: 355), and
                   the Patient Data Ordinance (2008: 360). I 1 kap. Section 4 of the Patient Data Act states that

                   the law complements the data protection regulation.

                   The purpose of the Patient Data Act is to provide information in health and

                   healthcare must be organized so as to meet patient safety and
                   good quality and promotes cost efficiency. Its purpose is also to

                   personal data shall be designed and otherwise processed so that patients and
                   the privacy of other data subjects is respected. In addition, must be documented

                   personal data is handled and stored so that unauthorized persons do not have access to it
                   them (Chapter 1, Section 2 of the Patient Data Act). The Data Inspectorate DI-2019-3845 1 5 (31)









                    The supplementary provisions in the Patient Data Act aim to:

                    take care of both privacy protection and patient safety. The legislator has
                    thus through the regulation made a balance as to how

                    the information must be processed to meet both the requirements for patient safety
                    as the right to privacy in the processing of personal data.



                    The National Board of Health and Welfare has, with the support of the Patient Data Ordinance, issued regulations
                    and general advice on record keeping and processing of personal data in

                    health care (HSLF-FS 2016: 40). The regulations constitute such

                    supplementary rules, which shall be applied in the care provider's treatment of
                    personal data in health care.


                    National provisions supplementing the requirements of the Data Protection Regulation

                    safety can be found in Chapters 4 and 6. the Patient Data Act and Chapters 3 and 4 HSLF-FS

                    2016: 40.


                    Requirement to do needs and risk analysis
                    According to ch. 4, the care provider must § 2 HSLF-FS 2016: 40 make a needs and

                    risk analysis, before the allocation of authorizations in the system takes place.


                    That the analysis requires both the needs and the risks is clear from the preparatory work

                    to the Patient Data Act, prop. 2007/08: 126 pp. 148-149, as follows.


                    Authorization for staff's electronic access to patient information shall be restricted to
                    what the executive needs to be able to perform his duties in health and
                    healthcare. This includes that authorizations must be followed up and changed or restricted accordingly

                    hand as changes in the tasks of the individual executive give rise to it.
                    The provision corresponds in principle to section 8 of the Health Care Register Act. The purpose of the provision is to
                    imprint the obligation of the responsible caregiver to make active and individual

                    eligibility assignments based on analyzes of which details are different
                    staff categories and different types of activities need. But it's not just needed
                    needs analyzes. Risk analyzes must also be done where different types of risks are taken into account, such as

                    may be associated with an overly availability of certain types of information.
                    Protected personal data that is classified, information about publicly known persons,
                    data from certain clinics or medical specialties are examples of categories such as

                    may require special risk assessments.

                    In general, it can be said that the more comprehensive an information system is, the greater the amount

                    there must be different levels of authorization. Decisive for decisions on eligibility for e.g. various
                    categories of healthcare professionals for electronic access to data in
                    patient records should be that the authorization should be limited to what the executive needsData Inspectorate DI-2019-3845 1 6 (31)







                    for the purpose a good and safe patient care. A more extensive or coarse-meshed
                    competence allocation should - even if it has points from the point of view of efficiency -
                    is considered an unjustified dissemination of journal information within a business and should as such

                    not accepted.

                    Furthermore, data should be stored in different layers so that more sensitive data require active choices or

                    otherwise not as easily accessible to staff as less sensitive tasks. When it
                    applies to personnel who work with business follow-up, statistics production, central
                    financial administration and similar activities that are not individual-oriented, it should be
                    most executives have enough access to information that can only be indirectly derived

                    to individual patients. Electronic access to code keys, social security numbers and others
                    data that directly point out individual patients should be able to be strong in this area
                    limited to individuals.


                    Internal secrecy

                    The provisions in ch. 4 The Patient Data Act concerns internal confidentiality, ie.

                    regulates how privacy protection is to be handled within a care provider's business
                    and especially employees' opportunities to prepare for

                    personal data that is electronically available in a healthcare provider
                    organisation.


                    It appears from ch. Section 2 of the Patient Data Act stipulates that the care provider must decide

                    conditions for granting access to such data
                    patients who are fully or partially automated. Such authorization shall

                    limited to what is needed for the individual to be able to fulfill theirs

                    tasks in health care.


                    According to ch. 4 § 2 HSLF-FS 2016: 40, the care provider shall be responsible for each
                    users are assigned an individual privilege to access

                    personal data. The caregiver's decision on the allocation of eligibility shall
                    preceded by a needs and risk analysis.



                    Coherent record keeping
                    The provisions in ch. 6 the Patient Data Act concerns cohesive record keeping,

                    which means that a care provider - under the conditions specified in § 2 of the same
                    chapter - may have direct access to personal data processed by others

                    caregivers for purposes related to care documentation. The access to
                    information is provided by a healthcare provider making the information about a patient

                    which the care provider registers if the patient is available to other care providers

                    who participate in the coherent record keeping (see Bill 2007/08: 126 p. 247). The Swedish Data Inspectorate DI-2019-3845 1 7 (31)






                   Of ch. 6 Section 7 of the Patient Data Act follows that the provisions in Chapter 4 § 2 also

                   applies to authorization allocation for coherent record keeping. The requirement of
                   that the care provider must perform a needs and risk analysis before allocating

                   permissions in the system take place, also applies in systems for cohesion
                   record keeping.


                   Documentation of access (logs)

                   Of ch. 4 Section 3 of the Patient Data Act states that a care provider must ensure that
                   access to such data on patients who are kept in whole or in part

                   automatically documented and systematically checked.


                   According to ch. 4 Section 9 HSLF-FS 2016: 40, the care provider shall be responsible for that
                       1. it appears from the documentation of the access (logs) which
                           measures taken with information on a patient,

                       2. it appears from the logs at which care unit or care process
                           measures have been taken,

                       3. the logs indicate the time at which the measures were taken;
                       4. the identity of the user and the patient is stated in the logs.


                   The Data Inspectorate's assessment


                   Personal data controller's responsibility for security

                   As previously described, Article 24 (1) of the Data Protection Regulation provides a
                   general requirement for the personal data controller to take appropriate technical

                   and organizational measures. The requirement is partly to ensure that
                   the processing of personal data is carried out in accordance with

                   the Data Protection Ordinance, and that the data controller must be able to
                   demonstrate that the processing of personal data is carried out in accordance with

                   the Data Protection Regulation.


                   The safety associated with the treatment is regulated more specifically in the articles
                   5.1 f and 32 of the Data Protection Regulation.


                   Article 32 (1) states that the appropriate measures shall be both technical and
                   organizational and they must ensure a level of security that is appropriate in

                   in relation to the risks to the rights and freedoms of natural persons which
                   the treatment entails. It is therefore necessary to identify the possible ones

                   the risks to the data subjects' rights and freedoms and assess
                   the probability that the risks will occur and the severity if they do occur.Datainspektionen DI-2019-3845 1 8 (31)






                   What is appropriate varies not only in relation to the risks but also

                   based on the nature, scope, context and purpose of the treatment. It has
                   thus the significance of what personal data is processed, how many

                   data, it is a question of how many people process the data, etc.


                   The health service has a great need for information in its operations. The
                   It is therefore natural that the possibilities of digitalisation are utilized as much as

                   possible in healthcare. Since the Patient Data Act was written, one has a lot
                   extensive digitization has taken place in healthcare. Both the data collections

                   size as the number of people sharing information with each other has increased
                   substantially. At the same time, this increase means that the demands on it increase

                   personal data controller, as the assessment of what is an appropriate
                   safety is affected by the extent of the treatment.


                   It is also a question of sensitive personal data and the data concerns
                   people who are in a situation of dependence when they are in need of care.

                   It is also often a question of a lot of personal information about each and every one
                   the data may over time be processed by very many people.

                   All in all, this places great demands on the person responsible for personal data.


                   The data processed must be protected from outside actors as well
                   the business as against unauthorized access from within the business. It can

                   It should be noted that Article 32 (2) states that the controller, at
                   assessment of the appropriate level of safety, in particular taking into account the risks of

                   unintentional or unlawful destruction, loss or unauthorized disclosure or
                   unauthorized access. To be able to know what is an unauthorized access must

                   the data controller must be clear about what an authorized access is.


                   Needs and risk analysis
                   The National Board of Health and Welfare's regulations that supplement the Patient Data Act contain it

                   stated in ch. 4 § 2 HSLF-FS 2016: 40, that the care provider shall make a needs and
                   risk analysis before the allocation of authorizations in the system takes place. This means that
                   national law prescribes requirements for an appropriate organizational measure that shall:

                   taken before the allocation of authorizations to journal systems takes place.


                   A needs and risk analysis must include an analysis of the needs and a
                   analysis of the risks from an integrity perspective that may be associated

                   with an excessive allocation of access to personal data
                   about patients. Both the needs and the risks must be assessed on the basis of the Data Inspectorate DI-2019-3845 1 9 (31)






                   tasks that need to be processed in the business, what processes it is

                   the question of whether and what risks to the privacy of the individual exist.
                   The assessments of the risks need to be made on the basis of organizational level, there

                   for example, a certain business part or task may be more
                   privacy sensitive than another, but also based on the individual level, if it is

                   the issue of, for example, protected personal data, generally known persons
                   or otherwise particularly vulnerable persons. Also the size of the system

                   affects the risk assessment. The preparatory work for the Patient Data Act states that
                   the more comprehensive an information system is, the greater the variety

                   eligibility levels must exist (Bill 2007/08: 126 p. 149).


                   It is thus a question of a strategic analysis at a strategic level, which should yield
                   an authorization structure that is adapted to the business and this should
                   kept up to date.


                   In summary, the regulation requires that the risk analysis identifies

                        different categories of tasks,
                       Categories of data subjects (eg vulnerable natural persons and

                          children), or
                        the scope (eg number of personal data and registered)

                        negative consequences for data subjects (eg injuries,
                          significant social or economic disadvantage, deprivation of rights

                          and freedoms),


                   and how they affect the risk to the rights and freedoms of natural persons
                   Processing of personal data. This applies both within internal secrecy

                   as in coherent record keeping.


                   The risk analysis must also include special risk assessments, for example
                   based on whether there is protected personal data that is

                   classified, information on public figures, information from
                   certain clinics or medical specialties (Bill 2007/08: 126 p. 148-

                   149).


                   The risk analysis must also include an assessment of how probable and serious
                   the risk to the data subjects' rights and freedoms is based on

                   the nature, scope, context and purpose of the treatment (recital 76). Data Inspectorate DI-2019-3845 2 0 (31)






                   It is thus through the needs and risk analysis that it

                   personal data controller finds out who needs access, which
                   data access shall include, at what times and at what

                   context access is needed, while analyzing the risks to it
                   the freedoms and rights of the individual that the treatment may lead to. The result should

                   then lead to the technical and organizational measures needed to
                   ensure that there is no access other than that which is needed and

                   the risk analysis shows that it should be justified.


                   When a needs and risk analysis is missing prior to the allocation of qualifications in
                   system, lacks the basis for the personal data controller on a legal

                   be able to assign their users a correct authorization. The
                   the data controller is responsible for, and shall have control over, the
                   personal data processing that takes place within the framework of the business. To

                   assign users a when accessing journal system, without this being founded
                   on a performed needs and risk analysis, means that the person responsible for personal data

                   does not have sufficient control over the personal data processing that takes place in
                   the journal system and also can not show that he has the control that

                   required.


                   When the Data Inspectorate during the inspection requested a documented
                   needs and risk analysis, KRY submitted a document dated 11 March 2019

                   with the heading "Authorization allocation Needs and risk analysis". KRY has
                   thereafter, on 10 May 2019, KRY submitted a revised needs and

                   risk analysis dated 2 May 2019, which also includes coherent record keeping
                   but which otherwise essentially contain the same needs and risk analysis as

                   the document dated 11 March 2019. On 20 March 2020, KRY submitted a new one
                   revised version dated March 1, 2020 which contains a largely

                   revised analysis.


                   In the needs and risk analysis from 11 March 2019, KRY has carried out an analysis
                   regarding internal confidentiality where the need for access to personal data in
                   the journal system has been weighed against risks that KRY considers to follow

                   access rights. It appears that the purpose is to land based on the analysis
                   in a model for authorization allocation in the business. In the analysis, KRY

                   identified and described the need for access based on how KRY conducts its
                   Operation. Furthermore, KRY has identified and described needs based on different

                   duties of staff categories. KRY has come to a conclusion after the Data Inspectorate DI-2019-3845 2 1 (31)






                   have weighed the need against the risks identified by KRY and the measures taken

                   to reduce the risks.


                   The Data Inspectorate can state that KRY has carried out a needs and
                   risk analysis that identifies and analyzes needs and risks. The analysis is

                   implemented at strategic level and shall form a basis for the business
                   authorization. The needs and partly also the risks are analyzed

                   based on the actual conditions in the business. KRY has based on it
                   analysis that has been carried out identified technical and organizational measures

                   to reduce the risk of unauthorized access.


                   In its initial analysis, however, KRY has not taken into account how negative
                   consequences for data subjects, different categories of data, categories of
                   registered, or the extent of the number of personal data and registered,

                   affects the risk to the rights and freedoms of natural persons at KRY
                   processing of personal data in ProReNata and National Patient Overview.

                   There are also no special risk assessments based on whether there are e.g.
                   protected personal data that are classified, general information

                   celebrities, information from certain clinics or medical
                   specialties or other factors that require special protection measures. The

                   there is also no assessment of how likely and serious the risk is for them
                   data subjects' rights and freedoms are deemed to be.


                   KRY has thus taken measures that are likely to reduce the risk of physical

                   rights and freedoms of persons. However, the needs are too general
                   analyzed and the risks to the data subjects' rights and freedoms are not in

                   adequately identified and assessed. Among other things, a deeper one is missing
                   analysis of the risks to the individual's integrity based on both different categories of

                   data as different categories of data subjects.


                   In summary, the Data Inspectorate states that KRY at
                   carried out a needs and risk analysis at strategic level,
                   but that it does not meet the requirements of the data protection regulations

                   such analysis because KRY has not considered the risks, of varying
                   probability and seriousness, for the rights and freedoms of natural persons and

                   not taken into account the different types of risks to the privacy of the individual that may be
                   associated with an overly accessible availability regarding certain types of data.

                   The Data Inspectorate states that KRY thereby at the time of the inspection
                   has not carried out a needs and risk analysis that meets the requirements that the Data Inspectorate DI-2019-3845 2 2 (31)






                   set in

                   Chapter 4 § 2 HSLF-FS 2016: 40, neither within the framework of internal secrecy
                   or within the framework of the unified record keeping, according to 4 respectively

                   Chapter 6 patient data law. This means that KRY has not taken appropriate
                   organizational measures in accordance with Article 5 (1) (f) and Article 31 (1) and (2) for

                   be able to ensure and, in accordance with Article 5 (2), be able to demonstrate that:
                   the processing of personal data has a security that is appropriate in

                   in relation to the risks.


                   KRY has supplemented with a needs and risk analysis dated 1 March
                   2020. In the new needs and risk analysis, KRY has largely reworked

                   analysis and identified risks based on certain types of data and
                   patient groups in the form of information on persons with a protected identity,
                   public figures, employees and staff's own tasks. Furthermore,

                   KRY in the revised analysis also assessed probability and consequence for
                   the identified risks. The analysis also contains more detailed information

                   review of access needs for the various staff categories.


                   Unlike the previous versions of the analysis, KRY has emerged
                   that a narrow qualification is sufficient for doctors, nurses and psychologists,

                   except so-called plus doctors, plus psychologists and doctors on call. The tight
                   the authorization is stated to mean that users can only access information

                   about patients (both internal medical records and NPÖ) at patient meetings. Further
                   stated that access is granted in connection with the staff is scheduled with

                   patient and is automatically withdrawn 4 months after access was granted
                   and that before meeting with patient has taken place can not beat on such patient

                   happen.


                   The Data Inspectorate can state that the new needs and risk analysis
                   contains an in-depth needs analysis where both organization, different

                   occupational categories and different tasks have been taken into account. Concerning
                   the risk assessment, it is also in-depth and at least takes into account different
                   categories of registered. It also includes an assessment of how likely

                   or the serious risk to the data subjects' rights and freedoms is. KRY has
                   based on the new roles created more limited access opportunities.


                   Based on its special activities, KRY does not have such a complex organization that

                   further needs assessments are required. As for the risks so
                   they are still not analyzed on the basis of categories of data. TasksData Inspectorate DI-2019-3845 2 3 (31)






                   which can be perceived as more privacy-sensitive are, for example, information such as

                   concerns sexual life, substance abuse, mental illness or threats or violence especially if it is in
                   close relations. Even the analysis based on categories of registered can

                   deepened by the categories that are actually dealt with in the business
                   undergone. The fact that the business has a homogeneous structure means that it will be

                   even more important to analyze these risks and assess if and how they can
                   be remedied because such a large proportion of staff need to be assigned the same type

                   of access.


                   Authorization for access to personal data about patients
                   As reported above, a caregiver may have a legitimate interest in having

                   a comprehensive processing of data on the health of individuals. Notwithstanding this shall
                   access to personal data about patients may be limited to
                   what is needed for the individual to be able to fulfill his or her duties.


                   With regard to the allocation of authorization for electronic access according to ch.

                   § 2 and ch. 6 Section 7 of the Patient Data Act states that in the preparatory work, Bill.
                   2007/08: 126 pp. 148-149, i.a. that there should be different eligibility categories in

                   the journal system and that the permissions should be limited to what the user
                   need to provide the patient with good and safe care. It also appears that “a

                   more extensive or coarse-grained eligibility should be considered as one
                   unauthorized dissemination of journal information within a business and should as

                   such is not accepted. "


                   In health care, it is the person who needs the information in their work
                   who may be authorized to access them. This applies both within a
                   caregivers as between caregivers. It is, as already mentioned, through

                   the needs and risk analysis that the person responsible for personal data finds out who
                   who need access, what information the access should include, at which

                   times and in which contexts access is needed, and at the same time
                   analyzes the risks to the individual's freedoms and rights

                   the treatment can lead to. The result should then lead to the technical and
                   organizational measures needed to ensure no allocation

                   of eligibility provides further access opportunities than the one that needs and
                   the risk analysis shows is justified. An important organizational measure is to provide

                   instruction to those who have the authority to assign authorizations on how this
                   should go to and what should be considered so that it, with the needs and risk analysis

                   as a basis, becomes a correct authorization allocation in each individual case.Datainspektionen DI-2019-3845 2 4 (31)






                   It appears that KRY at the time of the inspection had not limited

                   health care professionals and medical secretaries
                   access to data on patients either within its framework

                   internal confidentiality of the ProReNata medical record system, or within the framework of
                   coherent record keeping in the journal system NPÖ. KRY, on the other hand, had

                   introduced measures to avoid unauthorized access, including in the form of
                   logging and manual review of all journal openings that were not

                   linked to an active care relationship or performed patient meeting and deactivation
                   of accounts every four weeks for doctors without passports booked the next four

                   the weeks.


                   Because the needs and risk analysis that KRY had carried out
                   the time of the inspection did not take sufficient account of
                   the risks to the rights and freedoms of natural persons or the different types

                   risks that may be associated with an overly accessible regarding
                   certain types of information, KRY has not shown that the reading permissions have been restricted

                   in the manner required by the Data Protection Ordinance and the Patient Data Act.


                   This in turn has meant that there has been a risk of unauthorized access and
                   unjustified dissemination of personal data partly within the framework of the internal

                   secrecy, partly within the framework of the coherent record keeping. KRY
                   has, through subsequent measures taken, reduced that risk by improving

                   analyzes and subsequent measures taken.


                   In the light of the above, the Data Inspectorate can state that KRY at
                   the time of the inspection has processed personal data in violation of Article 5 (1) (f)

                   and Article 32 (1) and (2) of the Data Protection Regulation by KRY, in accordance with
                   with Article 5 (2) and (1), has not been able to show that KRY has restricted users'

                   permissions for access to the journal system ProReNata and National
                   patient overview to what is only needed for the user to be able to

                   fulfill their duties in health care according to ch. § 2 and
                   Chapter 6 Section 7 of the Patient Data Act and Chapter 4 2 § HSLF-FS 2016: 40.


                   The needs and risk analysis dated 1 March 2020 shows that KRY has introduced
                   restrictions on access to personal data about patients. Unlike

                   the previous versions of the analysis, KRY has come to the conclusion that a narrow
                   eligibility is sufficient for doctors, nurses and psychologists, except so-called

                   plus doctors, plus psychologists and doctors on call. The narrow authority
                   is stated to mean that users can only access information about patientsData Inspectorate DI-2019-3845 2 5 (31)






                  (both internal medical records and NPÖ) at patient meetings. It is further stated that access

                  assigned in connection with the staff is scheduled with the patient and drawn
                  automatically returned 4 months after access was granted and that before

                  meeting with patient has taken place, beating on such patient can not take place.


                  KRY has thus improved the restriction of access since the inspection.
                  As stated in the section above regarding the new needs and

                  However, the risk analysis still requires some additions to the analysis
                  must be comprehensive and be able to show that access has been restricted accordingly

                  with the requirements of the Data Protection Ordinance and the Patient Data Act. From
                  the result of these additions must then KRY assess its model for

                  authorization.

                  Documentation of access (logs)

                  The Data Inspectorate can state that from the logs in ProReNata and NPÖ
                  information on which staff made one at a given time

                  beating. Time refers to both date and time. It is clear which
                  patient it concerns, the user's identity, what the user has taken for

                  action, such as signing, taking notes, and reading. Because KRY is not
                  organized in several different care units, only one unit appears that is

                  the same for all staff.


                  After the inspection, KRY has noted that the specific measure
                  note cancellation (not signed) is not logged separately in ProReNata

                  but that KRY has stated that such logging has been introduced as of the 16th
                  May 2019. The Data Inspectorate notes that the documentation of the access

                  (the logs) in ProReNata and NPÖ are now in accordance with the requirements
                  which appears from ch. 4 9 § HSLF-FS 2016: 40.


                  Choice of intervention


                  Legal regulation

                  If there has been a violation of the Data Protection Regulation
                  The Data Inspectorate a number of corrective powers available under the article

                  58.2 a-j of the Data Protection Regulation. The supervisory authority can, among other things
                  instruct the data controller to ensure that the processing takes place in

                  in accordance with the Regulation and if required in a specific way and within a
                  specific period.Datainspektionen DI-2019-3845 2 6 (31)






                   It follows from Article 58 (2) of the Data Protection Regulation that the Data Inspectorate in

                   in accordance with Article 83 shall impose penalty charges in addition to or in lieu of
                   other corrective measures referred to in Article 58 (2),

                   the circumstances of each individual case. The overall starting point for
                   imposition of a penalty fee is that in the individual case it is judged to be

                   effective, proportionate and dissuasive (cf. Article 83 (1)).


                   Article 83 (2) sets out the factors to be taken into account in determining whether a
                   administrative penalty fee shall be imposed, but also what shall affect

                   the size of the penalty fee. Of central importance for the assessment of
                   the seriousness of the infringement is its nature, severity and duration. If

                   in the case of a minor infringement, the supervisory authority may, according to reasons
                   148 of the Data Protection Regulation, issue a reprimand instead of imposing one
                   penalty fee.


                   Assessment of whether a penalty fee should be imposed

                   The health service has a great need for information in its operations. The
                   It is therefore natural that the possibilities of digitalisation are utilized as much as

                   possible in healthcare. Since the Patient Data Act was written, one has a lot
                   extensive digitization has taken place in healthcare. Both the data collections

                   size as the number of people sharing information with each other has increased
                   substantially. At the same time, this increase means that the demands on it increase

                   personal data controller, as the assessment of what is an appropriate
                   safety is affected by the extent of the treatment.


                   In this context, it means an even greater responsibility for it

                   personal data controller to protect the data from unauthorized access,
                   among other things by having an authorization allocation that is even more

                   comminuted. It is therefore essential that there is a real analysis of the needs
                   based on different activities and different executives. Equally important is that

                   there is an actual analysis of the risks from an integrity perspective
                   may occur in the event of an override of access rights. From
                   this analysis must then restrict the access of the individual executive.

                   This authority must then be followed up and changed or restricted accordingly
                   hand that changes in the tasks of the individual executive provide

                   reason for it.


                   The Data Inspectorate has found that KRY at the Data Inspectorate's inspection
                   conducted a needs and risk analysis at a strategic level, but that the analysisData Inspectorate DI-2019-3845 2 7 (31)






                   not fully taken into account the risks, of varying degrees of probability and severity, for

                   the rights and freedoms of natural persons and that KRY has not taken different considerations into account
                   kind of risks to the privacy of the individual that may be associated with one

                   too in the case of availability regarding certain types of data. KRY then has in
                   March 2020 performed a new needs and risk analysis. The new needs and

                   the risk analysis goes deeper than the previous one and takes into account both organization and
                   different occupational categories and tasks. The risk assessment is also that

                   in-depth and now also includes an assessment of probability and
                   seriousness of risks to data subjects' fundamental freedoms and rights.

                   Although the needs analysis can now be considered acceptable, it is missing
                   still parts relating to the risk assessment. What needs closer

                   remedied, the Data Inspectorate describes below under the heading injunction.

                   The Data Inspectorate's inspection has thus shown that KRY has not met the requirement

                   to take appropriate security measures to protect the personal data in
                   the journal systems by not having fully complied with the requirements that follow

                   the Patient Data Act and the National Board of Health and Welfare's regulations on implementing
                   and risk analysis, before the allocation of authorizations in the system takes place. Thereby

                   KRY has also not been able to show that KRY has limited the authorization for
                   access to only what is needed for the individual to be able to fulfill

                   their duties in health care. This means that KRY does not
                   has also complied with the requirements of Article 5 (1) (f) and Article 32 (1) and (2) (i)

                   the Data Protection Regulation. The lack of compliance includes both
                   the internal secrecy according to ch. the Patient Data Act as the cohesive one

                   record keeping according to ch. 6 patient data law.


                   The Data Inspectorate can state that the violations are the starting point
                   serious in terms of provisions that are fundamental to ensuring that

                   the processing of personal data is subject to adequate security measures
                   to protect the data subjects' fundamental freedoms and rights. Also

                   the nature of the data, the number of data subjects concerned, which in this case amounts to
                   about
                   450,000 patients, as the number of employees and the availability of a large proportion of them

                   employees to these patients' tasks speak in an aggravating direction.


                   In determining the seriousness of the infringements, it can also be stated that
                   the infringements also cover the basic principles set out in Article 5 (i)

                   the Data Protection Ordinance, which belongs to the categories of more serious Data Inspectorate DI-2019-3845 2 8 (31)






                   infringements which may give rise to a higher penalty under Article 83 (5) (i)

                   the Data Protection Regulation.


                   It is thus typically not a question of minor infringements but
                   infringements which should normally lead to an administrative penalty charge.


                   When assessing whether a penalty fee should be imposed, it must be considered at the same time

                   if required, taking into account that it is a matter of a measure as in it
                   individual case is effective, proportionate and dissuasive.


                   As has been seen, at the time of the inspection, KRY had made a

                   and risk analysis at strategic level and taken measures as likely
                   reduces the risk to the rights and freedoms of natural persons. KRY has thus
                   tried to comply with the requirements for the processing of personal data and has

                   to a not insignificant extent taken measures in order to comply with the requirements and
                   reduce the risks. The Data Inspectorate assesses that KRY's lack of compliance

                   has not meant that the data subjects have been deprived of protection of their rights
                   and freedoms to the same extent as if none or only deficient

                   measures had been taken.


                   KRY has also taken steps to try to come to terms with it
                   shortcomings in the needs and risk analysis after the Data Inspectorate's inspection by

                   to establish and submit to the Data Inspectorate two revised needs
                   and risk analyzes. It should also be taken into account that KRY itself has drawn attention

                   lack of logging and taken measures to remedy that shortcoming.


                   In a weighted assessment, the Data Inspectorate finds that they are relevant
                   the infringements are admittedly typically of such a nature that a

                   administrative penalty fee should normally be imposed but that in the case
                   the case is not proportionate to such an intervention by

                   The Data Inspectorate. KRY should instead be ordered to take measures to ensure
                   that the processing takes place in accordance with the Data Protection Regulation.


                   Order
                   When deciding on an injunction, the Data Inspectorate considers the revisions of

                   the needs and risk analysis that KRY has done after the inspection.


                   During the supervision case, KRY has revised its needs and
                   risk analysis on two occasions. The first revision was made on 2 May 2019 and the Swedish Data Inspectorate DI-2019-3845 29 (31)






                   the second revision was made on March 1, 2020. Through the first revision

                   KRY adjusted the analysis to also include coherent record keeping in
                   NPÖ. In the second revision, KRY has largely reworked the analysis and

                   identified risks based on certain types of data and patient groups in form
                   of data on persons with a protected identity, public figures,

                   employees and the staff's own tasks.


                   Furthermore, in the revised analysis, KRY has also assessed probability and
                   impact on the identified risks. The analysis also contains more

                   detailed review of access needs for the various
                   staff categories. Unlike previous versions of the analysis

                   KRY has come to the conclusion that a narrow qualification is sufficient for doctors,
                   nurses and psychologists, except for so-called plus doctors and emergency services. The
                   tight privileges are said to mean that users can only take part

                   information about patients (both internal medical records and NPÖ) at patient meetings.
                   It is further stated that access is granted in connection with the staff

                   scheduled with patient and automatically withdrawn 4 months after
                   access granted and that before meeting with patient has taken place can not

                   beating on such patient happen.


                   The Data Inspectorate states that KRY since the inspection on April 4, 2019
                   has improved its needs and risk analysis so that it increasingly

                   meets the requirements for a needs and risk analysis. The Data Inspectorate
                   notes, however, that the analysis does not describe the risks for those registered on

                   other than that it is stated that there is a risk of disclosure of confidentiality and
                   privacy damage or privacy threat. The analysis lacks a more detailed description of

                   what such injury or threat consists of and the extent of the treatment
                   affects the risk.


                   The Data Inspectorate therefore submits KRY, pursuant to Article 58 (2) (d) i

                   the Data Protection Regulation, to be completed by the last February 2021 at the latest
                   the needs and risk analyzes for the journal systems ProReNata and National
                   patient overview by developing the analysis of the risks for those registered

                   rights and freedoms and that thereafter, with the support of needs and
                   the risk analyzes, make a reassessment regarding the allocation of

                   permissions so that each user has access to only those
                   personal data needed for the user to be able to fulfill his

                   tasks in health care, in accordance with Article 32 (1) and the Data Inspectorate DI-2019-3845 3 0 (31)







                   32.2 of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 Section 7 of the Patient Data Act and

                   Chapter 4 2 § HSLF-FS 2016: 40.




                   _______________________________________Data Inspectorate DI-2019-3845 3 1 (31)








                  This decision was made by Director General Lena Lindgren Schelin after
                  presentation by the IT security specialist Magnus Bergström. At the final

                  The case is also handled by Hans-Olof Lindblom, General Counsel
                  unit managers Malin Blixt and Katarina Tullstedt participated.







                  Lena Lindgren Schelin, 2020-12-02 (This is an electronic signature)




                  Appendix: Appendix 1 - How to pay a penalty fee




                  Copy for knowledge of:
                  Data Protection Officer





                  How to appeal



                  If you want to appeal the decision, you must write to the Data Inspectorate. Enter i
                  the letter which decision you are appealing and the change you are requesting.

                  The appeal must have been received by the Data Inspectorate no later than three weeks from
                  the day you received the decision. If the appeal has been received in due time
                  the Data Inspectorate forwards it to the Administrative Court in Stockholm

                  examination.


                  You can e-mail the appeal to the Data Inspectorate if it does not contain
                  any privacy-sensitive personal data or data that may be covered by

                  secrecy. The authority's contact information can be found on the first page of the decision.