Datainspektionen - DI-2020-1539

From GDPRhub
Datainspektionen - DI-2020-1539
LogoSE-Datainspektionen.png
Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 9(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 11.05.2020
Published: 11.05.2020
Fine: 120000 SEK
Parties: n/a
National Case Number/Name: DI-2020-1539
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: DPA Webpage (in SV)
Initial Contributor: n/a

The Swedish DPA fined a Health and Medical Committee about €11,350 (SEK 120,000) for publishing sensitive personal data of a patient on a webpage without a legal basis. The DPA further ruled that instead of orally instructions written ones are needed for the publication on the webpage.

English Summary

Facts

The DPA received a complaint against the Health and Medical Committee in the Örebro County Region, which claimed that sensitive personal information about a patient admitted to a forensic psychiatric clinic was published on the region's website.

Holding

The examination by the DPA shows that there were no written procedures concerning the publication of documents and personal data on the website. Procedures for publishing were only communicated orally. In this case, the oral procedures had not been followed and the document was inadvertently published, which indicated that the Comittee had not taken adequate organizational measures to ensure that personal data is protected from being incorrectly published on the region's website.

Therefore, the DPA decided that the Board had to produce written instructions and introduce procedures that ensure that the person who publishes personal data on the website does so in accordance with those instructions.

Further, the DPA ruled that the Comittee had neither a legitimate purpose, a legal basis nor a reason for exempting from the prohibition in the Data Protection Regulation against the handling of sensitive personal data.

The DPA also issued an administrative penalty fee of SEK 120,000 against the Committee.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

The Board of Health in the Region
Örebro County
Health Board of the Örebro County Region -
supervision under the Data Protection Regulation
Decision of the Data Inspectorate
The Data Inspectorate finds that the Health Board in the Region
Örebro county treated between September 2019 and January 2020
personal data contrary to Article 5, Article 6 and Article 9 i
data protection regulation. This by publishing sensitive
personal data on Region Örebro County's website without being compatible
with the principles of purpose limitation and data minimization, without
there was a legal basis for it and in violation of the ban on treatment
sensitive personal data. The Board of Health in the Region of Örebro County
has also processed personal data in violation of the same publication
Article 87 of the Data Protection Regulation and Chapter 3. § 10 layer (2018: 218) with
supplementary provisions to the EU Data Protection Regulation
(data protection law) by having processed social security numbers without having support
for it.
The Data Inspectorate finds that the Health Board in the Region
Örebro County was examined at the February 2020 review
personal data in violation of Article 32 of the Data Protection Regulation by:
not having taken sufficient organizational measures to ensure that
personal data is protected from unauthorized publication on the region's website,
such as establishing written instructions and ensuring that the person who
publishes personal information on the site does so in accordance with
instructions.
The Data Inspectorate decides on the basis of Articles 58 (2) and 83 (i)
the Data Protection Regulation and Chapter 6. Section 2 of the Data Protection Act that Health and
the Medical Board of the Region of Örebro County for the violations of Article 5,
Articles 9 and 32 of the Data Protection Regulation and Chapter 3. § 10
the Data Protection Act must pay an administrative penalty of 120,000 crowns. Of this amount, SEK 80,000 refers to the violations of Articles 5,
6 and 9 and chap. Section 10 of the Data Protection Regulation and SEK 40,000 apply
infringement of Article 32.
The Data Inspectorate submits on the basis of Article 58 (2) (d)
the data protection regulation The Health and Medical Board of the Örebro County Region
to prepare written instructions and to introduce procedures to ensure that
the person who publishes personal data on open websites does this in
according to the instructions.
An account of the supervisory matter
The Data Inspectorate received a complaint against the Health and Medical Board i
Region Örebro county regarding a notification to JO against forensic psychiatry
the clinic in Örebro had been published in its entirety on the region's open
website. The publication had taken place before a committee meeting on 25
September 2019. The notification contained the notifier's identity information (including
personal identification number), contact details, information that the notifier was posted on
the forensic psychiatric clinic and information that the notifier was the subject of
urine sampling. As a result, the Data Inspectorate decided at the end
of January 2020 to initiate an oversight of the Health and Medical Board i
Region Örebro county with the purpose of investigating the board's handling of
personal data in web publishing. In connection with the commencement of supervision
and the Data Inspectorate alerted the committee if the publication took place
the board removed the publication that the complaint concerned.
The Board of Health in the Region of Örebro County has mainly stated
following.
The published document was immediately removed from the open site.
Furthermore, all published summons and minutes were reviewed for the purpose of
check that no additional grubbing had occurred. Then one was made
personal incident report to the Data Inspectorate, an internal one
the deviation notification was established and what could be done for it was investigated
that something like that would never happen again.
Region Örebro County normally publishes personal data in summons and
protocols on their website that refer to elected politicians or
service personnel in their service / trust assignments. For web publishing the Region of Örebro County is deemed to be able to invoke public interest in publishing
protocols and summonses, including personal data, on the basis of Article 6 (i)
the Data Protection Regulation and Chapter 2. Section 2 of the Data Protection Act. Sensitive
personal data in accordance with Article 9 of the Data Protection Regulation and Chapter 3. § 3
the Data Protection Act should never be published on the region's website. In the present
the case should not have been published.
The Board of Health does not have written procedures regarding publication
of documents and personal data on the website. There are a few people
which has the task of publishing the Health Board
calls and minutes on the website. Routines around publishing are served
orally. In this case, the oral procedures have not been followed and the action
was published by mistake.
The Örebro County Region has begun work on creating written guidelines and
routines for serving summonses and minutes to elected representatives and for
publishing on the site.
Other information that has emerged in the case
The Data Inspectorate has gone through the information provided by the Board
about the incident in a personal data report (no. PUI-2020-339). Board
states in this document, inter alia, that the incident occurred due to
"Human factor: failure in the individual case" (a suppressed response option), that
the action has been removed from the external web, the removal of
the document was accompanied by an immediate review of all published
calls and protocols to ensure that no disclosure has occurred
otherwise or in other documents, that a date is set for information
and a review of the relevant staff group regarding rules for publication on
the web, and that the data subject was informed about the incident.
In an annex to the notification of personal data incident, the region wrote the following.
“The region of Örebro County considers it very important to personal data
are handled correctly and in accordance with the rules in force at any given time.
Therefore, Region Örebro County strives to be in the various stages of preparation of
cases, pay attention to the existence of personal data in different types of
documents, and that if it is not necessary that they be there, either take
remove them or present them in such a way that they cannot be derived
separate individual. This work is done systematically and through a number
preparation steps./…/ In the present case, however, they have been current information as a result of an error, which is not in the usual way
noted in the preparation process, has followed in the publication on
the public web. "
Justification of decision
The Data Inspectorate finds that among the personal data that
was published on Region Örebro County's open website there were information that
been sensitive in accordance with Article 9 of the Data Protection Regulation. This is the case for
the information that the data subject is admitted to the forensic psychiatrist
clinic and that they are subject to urine sampling. This then it
the former task reveals that the person can suffer from a serious mental illness
disorder and the latter statement that the person has or has had one
drug problems. Thus, they constitute data on health. Furthermore, the
social security number covered by the publication.
Legal regulation
Personal data may only be processed if there is a legal basis for it
as stated in Article 6 of the Data Protection Regulation. Such legal support
may for example consist of the treatment necessary to perform one
task of general interest, such as giving the public access to it
municipal operations. Processing of sensitive personal data is like
generally prohibited and such personal data may only be processed if
processing is subject to an exception in Article 9 of the Data Protection Regulation.
Social security numbers may only be processed with the support of Chapter 3. § 10
the Data Protection Act, that is, if it exists (one according to
the provisions of the Data Protection Regulation valid) consent or if
the treatment is clearly justified for the purpose of
the treatment, the importance of a secure identification or any other consideration
reason.
Those who process personal data must, in addition to having a legal basis
always comply with the basic principles set out in Article 5 (i)
data protection regulation. Among other things, personal data may only be used
for specific, explicit and justifiable purposes (the principle of
purpose restriction) and no more personal data may be processed than
necessary for the purposes (data minimization principle). Of Article 32 It follows that the data controller has to take appropriate technical and
organizational measures for personal data to secure one
level of security appropriate to the risk to natural persons
rights and freedoms. Furthermore, the data controller shall, according to
Article 32 (4), take steps to ensure that every natural person performing
work under the supervision of the data controller, and who receives
access to personal data, only processes these on instruction from it
personal data.
Assessment of the publication by the Data Inspectorate
The data inspection assesses the publication of a private person
correspondence to an authority went beyond a conceivable purpose of:
publish parts of the current case on the web (to give the public access to
municipal activities). Thus, there was nothing special,
explicitly stated and justified with the publication of the relevant ones
personal data. Furthermore, there has been no legal basis for that
publish personal data and the publication has not been covered by anything
exceptions to the prohibition on processing sensitive personal data.
Social security numbers have been published without the conditions stated in Chapter 3. § 10
the data protection law has been complied with.
The Board of Health has only worked with oral
instructions to the employees responsible for publishing the committee's
actions on the web. The publication should have been preceded by an assessment of
if permitted by the Data Protection Regulation. That this has not happened indicates
that the board failed in the instructions to those working under the board
supervision. This means that the board has not taken appropriate steps
organizational security measures to protect against unauthorized publishing of
personal information on the web.
The Data Inspectorate has in a number of decisions about municipalities' web publications
according to the Personal Data Act 1 stated that an appropriate organizational measure for
Protecting personal data from unauthorized publication is a written procedure for
Web Publishing. Such routines should be used by staff and should
determine when personal data may be published, who should do it
1 The Personal Data Act (1998: 204), PuL, came into force on 24 October 1998 and ceased to
valid on May 24, 2018. The Data Inspectorate was a supervisory authority according to PuL until that
The Data Protection Regulation began to apply on 25 May 2018.
the assessment, how long the data will be kept on the web, work routine for
masking of sensitive or confidential information, handling of linked
documents and stating who is responsible for publishing and
possible deletion of data. 2 Other suitable measures may be to be seen
to ensure that staff receive adequate training in the Data Protection Regulation and how
it should work so that personal data is not handled in violation of the regulations.
Such training can ensure that the person publishing personal data on
the website does this in accordance with the instructions provided by it
personal data.
The routines that the Board of Health has had are not enough to
protect personal data from publication in violation of the Data Protection Regulation.
Sufficient measures have not been taken to ensure that those who
publishes personal data under the supervision of the board, doing so in accordance
with the committee's instructions for publication.
The Data Inspectorate therefore finds that the Board of Health i
The Örebro County Region has violated Articles 5, 6, 9 and 32 i
the Data Protection Regulation, and Chapter 3. Section 10 of the Data Protection Act.
Choice of intervention
The Data Inspectorate has found that the Board has published sensitive data
personal information and social security numbers on Region Örebro County's website and
that the Board lacks written procedures for web publishing. The publication
which has occurred has no legitimate purpose and legal basis. The publication
has not been covered by any of the exceptions to the ban on treatment
sensitive personal data. This means that the board has dealt with it
personal data contrary to the principles of purpose limitation and
data minimization in Article 5 of the Data Protection Regulation;
legal treatment in Article 6 and the prohibition on the treatment of sensitive
personal data in Article 9. The publication of social security numbers is not sufficient
the terms of Chapter 3. § 10 of the Data Protection Act and therefore contravenes it
provision.
Article 58 of the Data Protection Regulation lists all the Data Inspection Authority
powers. The data inspection has in case of violations of
2 See, for example, DI-1309-2011, DI-1787-2011 and DI-1057-2016.
the Data Protection Regulation a number of corrective powers to be granted under
Article 58 (2) (a) to (j), including reprimand, injunction and penalty fees.
It follows from Article 58 (2) of the Data Protection Regulation that the Data Inspectorate i
in accordance with Article 83 shall impose penalties in addition to or instead of
other corrective measures referred to in Article 58 (2), depending on:
the circumstances of each case. If it is a minor
infringement shall be given to the supervisory authority, according to recital 148 (i)
the Data Protection Regulation, issue a reprimand instead of imposing one
penalty.
Penalty fee shall be paid
The Data Inspectorate has determined that the Board has violated Articles 5, 6, 9
and 32 of the Data Protection Regulation and 3 chap. Section 10 of the Data Protection Act, adopted
on the basis of Article 87 of the Data Protection Regulation. These articles are covered
of Articles 83 (4) and 83 (5). In case of an infringement of these shall
the supervisory authority consider imposing administrative penalties
in addition to, or instead of, other corrective actions.
The Data Inspectorate considers that this is not a minor infringement.
This is in light of the fact that the personal data that was published were sensitive
and touched a patient. Furthermore, the person could not reasonably expect that
his correspondence was made available to a large circle. In addition, was
the personal data was published for a long time without being discovered
Board. There is no reason to replace the penalty charge with anyone else
Corrective Action. The Board of Health should thus be applied to one
administrative penalty charge.
Determination of the amount of the penalty amount
According to Article 83 (1) of the Data Protection Regulation, each supervisory authority shall
ensure that the imposition of administrative penalties in each individual
cases are effective, proportionate and dissuasive.
For authorities, according to Chapter 6. Section 2, second paragraph of the Data Protection Act that
the penalty fee shall be set at a maximum of SEK 5,000,000 at
infringements referred to in Article 83 (4) of the Data Protection Regulation and at most
SEK 10,000,000 for violations referred to in Article 83 (5). Violations of
Articles 5, 6, 9 and 3 Chap. Section 10 of the Data Protection Act (adopted on the basis of
Article 87) is subject to the higher penalties provided for in Article 83 (5) and
violations of Article 32 are covered by the lower maximum amount according to Article
83.4.
Article 83 (2) of the Data Protection Regulation specifies factors to be taken into account
determining the amount of the penalty charge. These factors include:
the nature, severity and duration of the infringement; (b) the infringement
(c) the measures taken by it
the personal data controller has taken to alleviate the damage they have
(d) the degree of responsibility of the data controller with
having regard to the technical measures implemented in accordance with Article 32,
(g) the categories of personal data covered by the infringement;
ways in which the breach came to the attention of the regulator, in particular
whether and to what extent the data controller reported
infringement.
The Data Inspectorate's assessment of the size of the penalty fee has regard
taken to the following.
The violation has involved sensitive personal data concerning a person in
dependency position for which the publication of the information may have been obtained
serious consequences. Furthermore, the information has been published openly
the region's website for a long time. The lack of appropriate technical
and organizational measures to ensure such personal data does not
Being published poses a risk that similar events will occur again.
The lack of appropriate security measures is reflected in the fact that the Board does not
himself discovered the incorrect publication. However, the publication does not
has been done deliberately and there is nothing to suggest that more than one person in
the reality would have been affected by erroneous publications of sensitive
personal data. In addition, the Board will as soon as it becomes aware
if the event acted by removing the published action,
inform the registered and inform the personnel concerned and that
work has begun on developing written routines. Data inspection Board
also notes that the region has made a personal incident report
on behalf of the Board to the Data Inspectorate and followed the regulations which
is in that respect.
The publication of personal data on the board's open website concerns one
and the same action and includes violation of Articles 5, 6 and 9 i
the Data Protection Regulation and Chapter 3. Section 10 of the Data Protection Act.
The penalty charge for the violation of Article 32 relates to that of the Board
organizational security measures when publishing on open websites and
is thus determined separately.
The Data Inspectorate decides on the basis of an overall assessment that Health and
the Medical Board of the Örebro County Region shall pay an administrative fee
penalty fee of SEK 120,000 for the violations of Articles 5, 6, 9 and
32 of the Data Protection Regulation and 3 chap. Section 10 of the Data Protection Act. Of this
the amount refers to SEK 80,000 violations of Articles 5, 6 and 9 i
the Data Protection Regulation and Chapter 3. Section 10 of the Data Protection Act and 40,000
SEK refers to the violation of Article 32 of the Data Protection Regulation.
Order for additional organizational measures
According to Article 58 (2) (d), the Data Inspectorate has the power to submit one
person responsible for personal data to ensure that a processing is carried out in accordance with
the provisions of the Data Protection Regulation. Article 58 (2) states that
administrative penalty fees can be combined with injunctions.
The Health Board has not taken sufficient organizational measures
measures under Article 32 of the Data Protection Regulation to ensure that:
personal data is protected from unauthorized publication on the region's website,
such as establishing written instructions and ensuring that the person who
publishes personal information on the site does so in accordance with
instructions.
The Health Committee in Region Örebro County should therefore be submitted to
Establish written instructions and put in place procedures to ensure it
publishing personal information on open websites does this in accordance
with the instructions.
This decision has been taken by Director General Lena Lindgren Schelin after
presentation by [lawyer] Elin Hallström. At the final processing
also has Chief Counsel Hans-Olof Lindblom, Head of Unit Malin Blixt and
Head of Unit Katarina Tullstedt participated. IT security specialist Magnus
Bergström has participated in the assessments relating to information security.