Datainspektionen - DI-2020-1539

| Relevant Law: | Article 9(1) GDPR |
| National Case Number/Name: | DI-2020-1539 |
| European Case Law Identifier: | n/a |
| Original Source: | DPA Webpage (in SV) |
The Swedish DPA fined a Health and Medical Committee about €11,350 (SEK 120,000) for publishing sensitive personal data of a patient on a webpage without a legal basis. The DPA further ruled that written instructions, rather than oral ones, are needed for publication on the webpage.
English Summary
Facts
The DPA received a complaint against the Health and Medical Committee in the Örebro County Region, which claimed that sensitive personal information about a patient admitted to a forensic psychiatric clinic was published on the region's website.
Holding
The DPA's examination showed that there were no written procedures concerning the publication of documents and personal data on the website; the publishing procedures were only communicated orally. In this case, the oral procedures had not been followed and the document was inadvertently published, which indicated that the Committee had not taken adequate organizational measures to ensure that personal data is protected from being incorrectly published on the region's website.
Therefore, the DPA decided that the Board had to produce written instructions and introduce procedures that ensure that the person who publishes personal data on the website does so in accordance with those instructions.
Further, the DPA ruled that the Committee had neither a legitimate purpose nor a legal basis for the publication, and that none of the exemptions from the prohibition in the Data Protection Regulation on the processing of sensitive personal data applied.
The DPA also issued an administrative penalty fee of SEK 120,000 against the Committee.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Health and Medical Board of the Örebro County Region - supervision under the Data Protection Regulation

Decision of the Data Inspectorate

The Data Inspectorate finds that the Health and Medical Board of the Örebro County Region, between September 2019 and January 2020, processed personal data in violation of Articles 5, 6 and 9 of the Data Protection Regulation, by publishing sensitive personal data on Region Örebro County's website in a manner incompatible with the principles of purpose limitation and data minimization, without a legal basis for doing so, and in violation of the prohibition on processing sensitive personal data. Through the same publication, the Health and Medical Board of the Örebro County Region has also processed personal data in violation of Article 87 of the Data Protection Regulation and Chapter 3, Section 10 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (the Data Protection Act), by having processed social security numbers without support for doing so.

The Data Inspectorate further finds that, at the time of the review in February 2020, the Health and Medical Board of the Örebro County Region processed personal data in violation of Article 32 of the Data Protection Regulation by not having taken sufficient organizational measures to ensure that personal data is protected from unauthorized publication on the region's website, such as establishing written instructions and ensuring that the person who publishes personal data on the website does so in accordance with those instructions.

On the basis of Articles 58(2) and 83 of the Data Protection Regulation and Chapter 6, Section 2 of the Data Protection Act, the Data Inspectorate decides that the Health and Medical Board of the Örebro County Region shall pay an administrative penalty fee of SEK 120,000 for the violations of Articles 5, 9 and 32 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act. Of this amount, SEK 80,000 refers to the violations of Articles 5, 6 and 9 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act, and SEK 40,000 to the infringement of Article 32.

On the basis of Article 58(2)(d) of the Data Protection Regulation, the Data Inspectorate orders the Health and Medical Board of the Örebro County Region to prepare written instructions and to introduce procedures ensuring that the person who publishes personal data on open websites does so in accordance with those instructions.

An account of the supervisory matter

The Data Inspectorate received a complaint against the Health and Medical Board of the Örebro County Region stating that a complaint to the Parliamentary Ombudsman (JO) against the forensic psychiatric clinic in Örebro had been published in its entirety on the region's open website. The publication had taken place before a board meeting on 25 September 2019. The complaint contained the complainant's identity information (including personal identification number), contact details, information that the complainant was admitted to the forensic psychiatric clinic and information that the complainant was subject to urine sampling.

As a result, at the end of January 2020 the Data Inspectorate decided to initiate supervision of the Health and Medical Board of the Örebro County Region in order to investigate the board's handling of personal data in web publishing. In connection with the commencement of supervision, when the Data Inspectorate alerted the board to the publication, the board removed the publication that the complaint concerned.

The Health and Medical Board of the Örebro County Region has stated, in essence, the following. The published document was immediately removed from the open website. Furthermore, all published summonses and minutes were reviewed in order to check that no further disclosure had occurred. A personal data breach notification was then made to the Data Inspectorate, an internal deviation report was drawn up, and it was investigated what could be done to ensure that such a thing would never happen again. Region Örebro County normally publishes, in summonses and minutes on its website, personal data that refer to elected politicians or officials in their official or elected capacity. For web publishing, Region Örebro County considers that it can invoke the public interest in publishing minutes and summonses, including personal data, on the basis of Article 6 of the Data Protection Regulation and Chapter 2, Section 2 of the Data Protection Act. Sensitive personal data within the meaning of Article 9 of the Data Protection Regulation and Chapter 3, Section 3 of the Data Protection Act should never be published on the region's website. The document in the present case should not have been published. The Health and Medical Board does not have written procedures for the publication of documents and personal data on the website. A few people have the task of publishing the board's summonses and minutes on the website. Procedures for publishing are communicated orally. In this case, the oral procedures were not followed and the document was published by mistake. Region Örebro County has begun work on creating written guidelines and procedures for distributing summonses and minutes to elected representatives and for publishing on the website.

Other information that has emerged in the case

The Data Inspectorate has reviewed the information that the board provided about the incident in a personal data breach notification (no. PUI-2020-339). In that document the board states, inter alia, that the incident occurred due to "Human factor: failure in the individual case" (a pre-set response option), that the document has been removed from the external website, that the removal of the document was accompanied by an immediate review of all published summonses and minutes to ensure that no disclosure had occurred elsewhere or in other documents, that a date has been set for information to and a review with the relevant staff group regarding the rules for publication on the web, and that the data subject was informed about the incident.

In an annex to the personal data breach notification, the region wrote the following. "Region Örebro County considers it very important that personal data are handled correctly and in accordance with the rules in force at any given time. Region Örebro County therefore strives, in the various stages of case preparation, to pay attention to the presence of personal data in different types of documents and, if it is not necessary for them to be there, either to remove them or to present them in such a way that they cannot be traced to an individual. This work is done systematically and through a number of preparation steps. /…/ In the present case, however, the information in question has, as a result of an error that was not noted in the usual way in the preparation process, been carried over into the publication on the public website."

Justification of decision

The Data Inspectorate finds that the personal data published on Region Örebro County's open website included information that is sensitive within the meaning of Article 9 of the Data Protection Regulation. This applies to the information that the data subject is admitted to the forensic psychiatric clinic and that they are subject to urine sampling. This is because the former information reveals that the person may suffer from a serious mental disorder, and the latter that the person has or has had a drug problem. They thus constitute data concerning health. Furthermore, the social security number was covered by the publication.

Legal regulation

Personal data may only be processed if there is a legal basis for it as set out in Article 6 of the Data Protection Regulation. Such a legal basis may, for example, consist in the processing being necessary for the performance of a task carried out in the public interest, such as giving the public insight into municipal activities. The processing of sensitive personal data is, as a general rule, prohibited, and such personal data may only be processed if the processing is covered by an exception in Article 9 of the Data Protection Regulation. Social security numbers may only be processed with the support of Chapter 3, Section 10 of the Data Protection Act, that is, if there is consent (valid under the provisions of the Data Protection Regulation) or if the processing is clearly justified having regard to the purpose of the processing, the importance of secure identification or some other notable reason.

Those who process personal data must, in addition to having a legal basis, always comply with the basic principles set out in Article 5 of the Data Protection Regulation. Among other things, personal data may only be used for specified, explicit and legitimate purposes (the purpose limitation principle), and no more personal data may be processed than is necessary for those purposes (the data minimization principle).

It follows from Article 32 that the data controller must take appropriate technical and organizational measures to ensure a level of security for personal data that is appropriate to the risk to the rights and freedoms of natural persons. Furthermore, under Article 32(4), the data controller shall take steps to ensure that any natural person acting under the authority of the controller who has access to personal data processes them only on instructions from the controller.

Assessment of the publication by the Data Inspectorate

The Data Inspectorate assesses that the publication of a private individual's correspondence with an authority went beyond the conceivable purpose of publishing parts of the case in question on the web (to give the public insight into municipal activities). Thus, there was no specified, explicit and legitimate purpose for the publication of the personal data in question. Furthermore, there was no legal basis for publishing the personal data, and the publication was not covered by any exception to the prohibition on processing sensitive personal data. Social security numbers were published without the conditions stated in Chapter 3, Section 10 of the Data Protection Act having been met.

The Health and Medical Board has worked only with oral instructions to the employees responsible for publishing the board's documents on the web. The publication should have been preceded by an assessment of whether it was permitted under the Data Protection Regulation. That this did not happen indicates that the board failed in its instructions to those working under its authority. This means that the board has not taken appropriate organizational security measures to protect against the unauthorized publication of personal data on the web.

In a number of decisions on municipalities' web publications under the Personal Data Act [1], the Data Inspectorate has stated that an appropriate organizational measure for protecting personal data from unauthorized publication is a written procedure for web publishing. Such procedures should be used by staff and should determine when personal data may be published, who is to make that assessment, how long the data will be kept on the web, the working procedure for masking sensitive or confidential information, the handling of linked documents, and who is responsible for publication and any deletion of data. [2] Other suitable measures may be to ensure that staff receive adequate training in the Data Protection Regulation and in how they should work so that personal data is not handled in violation of the rules. Such training can ensure that the person publishing personal data on the website does so in accordance with the controller's instructions.

The procedures that the Health and Medical Board has had are not sufficient to protect personal data from publication in violation of the Data Protection Regulation. Sufficient measures have not been taken to ensure that those who publish personal data under the authority of the board do so in accordance with the board's instructions for publication. The Data Inspectorate therefore finds that the Health and Medical Board of the Örebro County Region has violated Articles 5, 6, 9 and 32 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act.

Choice of intervention

The Data Inspectorate has found that the board published sensitive personal data and social security numbers on Region Örebro County's website and that the board lacks written procedures for web publishing. The publication that occurred had no legitimate purpose and no legal basis. The publication was not covered by any of the exceptions to the prohibition on processing sensitive personal data. This means that the board has processed the personal data contrary to the principles of purpose limitation and data minimization in Article 5 of the Data Protection Regulation, the requirement of lawful processing in Article 6 and the prohibition on processing sensitive personal data in Article 9. The publication of social security numbers does not meet the conditions of Chapter 3, Section 10 of the Data Protection Act and therefore contravenes that provision.

Article 58 of the Data Protection Regulation lists all of the Data Inspectorate's powers. In the case of violations of the Data Protection Regulation, the Data Inspectorate has a number of corrective powers under Article 58(2)(a) to (j), including reprimands, orders and penalty fees. It follows from Article 58(2) of the Data Protection Regulation that the Data Inspectorate shall, in accordance with Article 83, impose penalty fees in addition to or instead of the other corrective measures referred to in Article 58(2), depending on the circumstances of each case. In the case of a minor infringement, the supervisory authority may, according to recital 148 of the Data Protection Regulation, issue a reprimand instead of imposing a penalty fee.

Penalty fee shall be paid

The Data Inspectorate has found that the board violated Articles 5, 6, 9 and 32 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act, which was adopted on the basis of Article 87 of the Data Protection Regulation. These articles are covered by Articles 83(4) and 83(5). In the case of an infringement of these, the supervisory authority shall consider imposing administrative penalty fees in addition to, or instead of, other corrective measures.

The Data Inspectorate considers that this is not a minor infringement. This is in light of the fact that the personal data that were published were sensitive and concerned a patient. Furthermore, the person could not reasonably expect that their correspondence would be made available to a wide circle. In addition, the personal data were published for a long time without being discovered by the board. There is no reason to replace the penalty fee with any other corrective measure. The Health and Medical Board shall therefore be subject to an administrative penalty fee.

Determination of the amount of the penalty fee

According to Article 83(1) of the Data Protection Regulation, each supervisory authority shall ensure that the imposition of administrative penalty fees in each individual case is effective, proportionate and dissuasive. For public authorities, Chapter 6, Section 2, second paragraph of the Data Protection Act provides that the penalty fee shall be set at a maximum of SEK 5,000,000 for infringements referred to in Article 83(4) of the Data Protection Regulation and at a maximum of SEK 10,000,000 for infringements referred to in Article 83(5). Violations of Articles 5, 6 and 9 and of Chapter 3, Section 10 of the Data Protection Act (adopted on the basis of Article 87) are subject to the higher maximum amount provided for in Article 83(5), and violations of Article 32 are covered by the lower maximum amount under Article 83(4).

Article 83(2) of the Data Protection Regulation specifies factors to be taken into account when determining the amount of the penalty fee. These factors include: (a) the nature, gravity and duration of the infringement; (b) whether the infringement was intentional or negligent; (c) the measures taken by the controller to mitigate the damage suffered; (d) the degree of responsibility of the controller having regard to the technical measures implemented in accordance with Article 32; (g) the categories of personal data affected by the infringement; and (h) the manner in which the infringement became known to the supervisory authority, in particular whether and to what extent the controller notified the infringement.

In assessing the size of the penalty fee, the Data Inspectorate has had regard to the following. The violation involved sensitive personal data concerning a person in a position of dependency, for whom the publication of the information may have had serious consequences. Furthermore, the information was published openly on the region's website for a long time. The lack of appropriate technical and organizational measures to ensure that such personal data are not published poses a risk that similar events will occur again. The lack of appropriate security measures is reflected in the fact that the board did not itself discover the incorrect publication. However, the publication was not done deliberately, and there is nothing to suggest that more than one person has actually been affected by erroneous publication of sensitive personal data. In addition, as soon as it became aware of the event, the board acted by removing the published document, informing the data subject and informing the staff concerned, and work has begun on developing written procedures. The Data Inspectorate also notes that the region, on behalf of the board, made a personal data breach notification to the Data Inspectorate and followed the rules that apply in that respect.

The publication of personal data on the board's open website concerns one and the same document and comprises violations of Articles 5, 6 and 9 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act. The penalty fee for the violation of Article 32 relates to the board's organizational security measures when publishing on open websites and is therefore determined separately.

On the basis of an overall assessment, the Data Inspectorate decides that the Health and Medical Board of the Örebro County Region shall pay an administrative penalty fee of SEK 120,000 for the violations of Articles 5, 6, 9 and 32 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act. Of this amount, SEK 80,000 refers to the violations of Articles 5, 6 and 9 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act, and SEK 40,000 refers to the violation of Article 32 of the Data Protection Regulation.

Order for additional organizational measures

According to Article 58(2)(d), the Data Inspectorate has the power to order a controller to bring processing into compliance with the provisions of the Data Protection Regulation. Article 58(2) states that administrative penalty fees can be combined with orders. The Health and Medical Board has not taken sufficient organizational measures under Article 32 of the Data Protection Regulation to ensure that personal data is protected from unauthorized publication on the region's website, such as establishing written instructions and ensuring that the person who publishes personal data on the website does so in accordance with those instructions. The Health and Medical Board of the Örebro County Region shall therefore be ordered to establish written instructions and put in place procedures to ensure that the person who publishes personal data on open websites does so in accordance with those instructions.

This decision was taken by Director General Lena Lindgren Schelin after presentation by [lawyer] Elin Hallström. Chief Legal Counsel Hans-Olof Lindblom, Head of Unit Malin Blixt and Head of Unit Katarina Tullstedt also participated in the final processing. IT security specialist Magnus Bergström participated in the assessments relating to information security.

[1] The Personal Data Act (1998:204), PuL, came into force on 24 October 1998 and ceased to apply on 24 May 2018. The Data Inspectorate was the supervisory authority under PuL until the Data Protection Regulation began to apply on 25 May 2018.
[2] See, for example, DI-1309-2011, DI-1787-2011 and DI-1057-2016.