Datatilsynet (Denmark) - 2023-432-0016

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(11) GDPR; Article 5(1) GDPR; Article 6(1)(a) GDPR; Article 9(2)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.11.2023
Published:
Fine: n/a
Parties: The Central Denmark Region
National Case Number/Name: 2023-432-0016
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: ar

Examining the publication by a hospital of patients' data on Instagram, the Danish DPA found a violation of Article 6(1)(a) and Article 9(2)(a) GDPR. The DPA stated that the processing could not be based on consent since, due to the power asymmetries between patients and the hospital, patients could not have given their consent freely.

English Summary

Facts

A Danish citizen brought a complaint to the Danish DPA concerning a picture of themselves being published on the Instagram account of Aarhus University Hospital (AUH). Based on this, on 19 December 2022, the DPA initiated an investigation against the Central Denmark Region (the controller).

During the investigation, the DPA found that the Instagram account regularly published photos and videos of daily life at AUH. It showed pictures of patients, staff and relatives, and the account has been active since June 2015; it had more than 15,000 followers and more than 1,400 posts. A review of the account also revealed that there were posts with pictures and information about patients dating back to 2016. In some cases, these included information on health conditions.

The controller explained that the information on the account is published to inform the outside world about the hospital’s activities and daily life. It further clarified that posts containing information about citizens, including patients, were published on the basis of consent under Article 6(1)(a) GDPR and Article 9(2)(a) GDPR. Consent was obtained in writing before the publication of the post, and whether or not it was granted did not affect the health treatment offered to the patient. The controller also stated that its processing met the principles of lawfulness, fairness and transparency under Article 5(1)(a) GDPR, as well as the principle of data minimisation under Article 5(1)(c) GDPR, since it did not process personal data beyond what was necessary for the hospital's purposes. To limit the processing of personal data, it paid attention to whether information such as social security numbers and names was visible on monitors, medical records and patient wristbands appearing in the pictures. Lastly, the controller claimed also to observe the principle of storage limitation under Article 5(1)(e) GDPR, since data subjects could make erasure requests.

Holding

The Danish DPA found that the data processed in this case could be considered health data, as the images in question were accompanied, in several cases, by information about the hospital department and what the patient was suffering from or was examined for.

Thus, explicit consent was needed under Article 9(2) GDPR, and the conditions for consent under Article 4(11) GDPR had to be assessed in light of the circumstances in which the consent was obtained. The DPA found that a patient is typically in a vulnerable position when hospitalised or being treated at a hospital, so that there are power asymmetries between the patient and the hospital and its staff; these could mean that the patient experienced pressure when consent was requested, affecting the patient's free choice. The DPA also clarified that, under the GDPR, the starting point is that public authorities' processing of personal data cannot be based on consent, because of the inherent unequal relationship between the controller and the citizen.

In light of this, the DPA found that the conditions under Article 4(11) GDPR were not met. Consequently, it found that the controller's processing of personal data in connection with the present investigation was not in accordance with Article 9(2)(a) GDPR and Article 6(1)(a) GDPR. The Danish DPA therefore also held that the processing did not comply with the principles of Article 5(1) GDPR.

Against this background, the Danish DPA reprimanded the controller. Additionally, under Article 58(2)(d) GDPR, it ordered the controller to delete posts containing health information about patients from the Instagram account within four weeks from the day of the decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.


Hospital cannot use consent to publish pictures of patients on Instagram

Date: 27-11-2023

Tags: Decision; Public authorities; Serious criticism; Order; Supervision / own-initiative case; Basis of processing; Images and video; Processed by the Data Council

In a case taken up on its own initiative, the Danish Data Protection Authority has assessed that Aarhus University Hospital's (Region Central Jutland) publication of information about patients on Instagram cannot take place within the framework of the data protection rules.

Journal number: 2023-432-0016.

1. Preliminary remarks

The Danish Data Protection Authority hereby returns to the case, where on 19 December 2022 the Danish Data Protection Authority initiated an investigation of its own initiative into Aarhus University Hospital's (AUH) publication of pictures of patients with associated information about the patients' health conditions on Instagram.

2. Decision and order

The Danish Data Protection Authority finds – after the case has been submitted to the Data Council – that Region Central Jutland's processing of personal data in connection with the publication of photos of patients on AUH's Instagram account is not in accordance with the Data Protection Regulation[1] Article 9, subsection 2, letter a, and Article 6, subsection 1, letter a, cf. article 4, no. 11.

Furthermore, the Danish Data Protection Authority finds that the processing is not in accordance with the principles of the data protection regulation, article 5, subsection 1.

Against this background, the Danish Data Protection Authority expresses serious criticism of the Central Jutland Region.

Furthermore, pursuant to Article 58, subsection 2, letter d, of the Data Protection Regulation, the Danish Data Protection Authority issues an order for Region Central Jutland to delete posts containing health information about patients from the Instagram account auhdk.

The order covers all photos of identifiable patients posted on that account.

The deadline for compliance with the order is 4 weeks from today's date. The region of Midtjylland is asked – within the same deadline – to inform the Danish Data Protection Authority that the order has been complied with.

The Danish Data Protection Authority draws attention to the fact that, according to the Data Protection Act § 41, subsection 2, no. 5, it is a criminal offence to fail to comply with an order issued by the Danish Data Protection Authority in accordance with Article 58, subsection 2, of the Data Protection Regulation. Pursuant to section 41, subsection 6, 2nd point, public authorities can also be punished.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

3. Case presentation

Based on a complaint from a citizen about a picture of that person on AUH's Instagram account, on 19 December 2022 the Danish Data Protection Authority initiated, on its own initiative, a closer investigation of Region Central Jutland as the data controller for the processing of personal data on the Instagram account auhdk.

Through this investigation, the Danish Data Protection Authority was able to establish that information in the form of pictures and, in some cases, names and other information, which in several cases directly or indirectly constitutes information about health conditions, had been published on AUH's Instagram account. The information predominantly concerns natural persons, including children and young people, who can be directly identified from the posts.

The Instagram account regularly publishes pictures and videos of daily life at AUH. The images show patients, staff and relatives and are shared as posts or in stories that either disappear after 24 hours or are saved as a highlight[2] that can be accessed later.

The account, which has been active since June 2015, has more than 15,000 followers and more than 1,400 posts have been shared. When reviewing the account, it was also found that there were posts with pictures of and information about patients from 2016.

By letters of 16 January and 16 March 2023, Region Central Jutland has answered a number of questions from the Data Protection Authority.

3.1.

Region Midtjylland has stated the following in its responses about the purpose of the postings on Instagram:

"The information at auhdk is processed with the aim of informing the outside world about the hospital's operations. The notices focus on general information for citizens regarding health and/or the daily life of the hospital. The posts often have a personal angle to make the communication more present and relevant"

In addition, it appears from the region's "Guidelines for lending - Instagram takeovers", which the region has submitted in connection with answering questions from the Data Protection Authority, that the purpose of the postings is to recruit new employees.

The guidelines also state that the region lends the Instagram account to various departments at the hospital (a so-called "takeover"). At least one post per day must be published during a department's takeover, which lasts one week, and employees are encouraged to use hashtags and respond to any comments. Region Central Jutland has stated that posts are generally made by a limited circle of employees in the hospital's communications department. However, it is the individual departments at the hospital that prepare the posts published during the weekly "takeovers", in which different departments at the hospital are followed.

3.2.

Region Midtjylland has generally stated that posts containing information about citizens, including patients, are published pursuant to Article 6, subsection 1, letter a, and Article 9, subsection 2, letter a, of the Data Protection Regulation. Consent is obtained in writing prior to the publication of the post, and the giving of consent does not affect the healthcare treatment offered to the patient. When selecting patients, consideration is given to the individual's physical health and income, and the patient is given time to think before signing the consent form. The patient is also given the opportunity to approve the content of the post. Region Central Jutland has stated that the criterion of voluntariness is met, as the patients have a real free choice as to whether they want their personal data published on Instagram.

Region Midtjylland has stated in this connection that the region – in view of, among other things, the relationship of trust between the hospital/region and the patients – has not been able to identify a more suitable processing basis for the processing at issue in the case.

3.3.

Regarding the principle of lawfulness, fairness and transparency in Article 5, subsection 1, letter a, of the Data Protection Regulation, Region Central Jutland has stated that the processing is lawful, as it is based on consent from the data subjects. The criteria of fairness and transparency are also observed in that the processing is based on consent. This must be seen in the light of the fact that the publication of information is voluntary, and that publication therefore always takes place in agreement with the patient.

Regarding the principle of data minimisation in Article 5, subsection 1, letter c, of the Data Protection Regulation, Region Midtjylland has stated that no more personal data is processed than is necessary for the purpose. In order to limit the processing of personal data, the region pays attention to whether information such as social security numbers, names or other information appears on e.g. monitors, medical records and patient wristbands in the images. There is a general focus on not publishing images of patients in situations that may seem offensive, transgressive or otherwise inappropriate. In addition, in the proportionality assessment, weight should be given to the fact that the publication of the information is based on voluntariness and consent.

As far as the principle of storage limitation in the data protection regulation article 5, subsection 1, letter e, it appears that the principle is observed by the fact that the registered person has the opportunity to request deletion. If the registered person requests this, the post will be removed from Region Central Jutland's own social media.

Region Midtjylland has stated that, at the time of the Danish Data Protection Authority's initiation of the investigation, the region had not decided on a general erasure deadline for processing information on social media.

4. Legal basis

4.1.

Processing of personal data can take place if one of the conditions in the data protection regulation, article 6, subsection 1, is fulfilled, while the processing of health information is generally prohibited. However, processing of health information can still take place if the data controller can identify an exception in the regulation's Article 9, subsection 2.

It follows from the data protection regulation's article 9, subsection 2, letter a, that the processing of health information – as an exception to the prohibition in subsection 1 – can take place if the data subject has given express consent to the processing of his personal data for one or more specific purposes.

Consent from the data subject is defined in Article 4, No. 11 of the Data Protection Regulation as:

"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

The European Data Protection Board (EDPB) has adopted guidelines on consent, where the understanding of the regulation's definition of a consent – including the requirement of voluntariness – is described[3].

According to the EDPB's guidelines, a consent cannot generally be considered to have been given voluntarily if the data subject does not have a real free choice. Any form of inappropriate pressure or influence on the data subject's free will means that the consent is invalid.

Furthermore, it follows from preamble recital no. 43 to the data protection regulation:

”[…] In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.”

Accordingly, it follows from the EDPB's guidelines on consent that there is only limited scope for public authorities to use consent.

4.2.

In order to be valid, a consent must also meet the conditions in Article 7 of the Data Protection Regulation.

It follows from the data protection regulation's article 7, subsection 1, that if processing is based on consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of his personal data.

The provision implies that the data controller has an express obligation to demonstrate that a data subject has given valid consent to the processing of that person's personal data[4]. The requirement not only implies that the data controller can demonstrate that the data subject has given consent to the processing, but also that the obtained consent meets all relevant criteria for a valid consent – thus also the requirement of voluntariness.

4.3.

It follows from Article 5, subsection 1, letter a, of the Data Protection Regulation that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").

Furthermore, it appears from preamble no. 39 to the data protection regulation, among other things, that personal data should only be processed if the purpose cannot reasonably be fulfilled in another way.

5. Reason for the Data Protection Authority's decision

5.1.

Processing of personal data, for example images with accompanying text, can take place if one of the conditions in the data protection regulation, article 6, subsection 1, is fulfilled, while the processing of health information is generally prohibited. Processing of health information can, however, take place if the data controller can identify an exception in the regulation's article 9, subsection 2. In addition, the basic principles for processing personal data in Article 5 must be met.

On the basis of the information in the case, the Danish Data Protection Authority must assume that a number of personal data on identifiable persons are processed on AUH's Instagram account, including information on patients covered by Article 6 of the Data Protection Regulation and information covered by Article 9 of the Regulation on special categories of personal data in the form of health information.

When assessing whether the information is health information, the Danish Data Protection Authority has, among other things, placed emphasis on the fact that the images in question are in several cases accompanied by information about the hospital department and information about what is wrong with the patient or what the patient is being examined for. In relation to images of patients during "takeovers", it is possible to derive specifically which department the patient is admitted to or being treated at, as the name of the department being followed is disclosed during a takeover.

The pictures of the patients are publicly available and can be accessed by anyone, regardless of whether you have an account on Instagram.

Consent as a basis for processing appears in the data protection regulation, article 6, subsection 1, letter a.

It follows from the requirement for express consent according to the regulation's article 9, subsection 2, letter a, as well as the requirement for proof according to Article 7, subsection 1, that there must be no doubt about the validity of the consent.

When assessing whether a consent meets the conditions in Article 4, no. 11, the validity of the consent must be assessed on the basis of the circumstances prevailing when the consent was obtained. This means that the situation of the data subject must be taken into account in, among other things, the question of whether a consent can be considered voluntary.

The Danish Data Protection Authority considers that importance should be attached to the circumstances a patient typically finds themselves in, since a patient is generally in a vulnerable situation when hospitalised or undergoing treatment in a hospital.

It is the Danish Data Protection Authority's assessment that such a vulnerability creates an inequality between the patient and the hospital and the hospital's staff, which may entail a risk that the patient may feel pressured when a request for consent is made.

The fact that Aarhus University Hospital is a public authority offering a healthcare service that the data subject needs can also affect the patient's experience of having a real free choice, or put pressure on the patient.

When assessing whether public authorities can use consent as a basis for processing, it is included whether the data controller and the data subject can be considered equal in the specific situation, and whether the data subject experiences a real free choice.

The Danish Data Protection Authority has attached importance to the fact that the starting point for public authorities' processing of personal data is that consent under the Data Protection Regulation cannot be used as a basis for processing, because of the built-in unequal relationship between the data controller and the registered citizen. The Danish Data Protection Authority has found no basis for deviating from this starting point, as the data controller and the data subject in the specific situation cannot be considered equal.

Region Midtjylland's statement that, in the selection of patients, the individual's physical health and income are taken into account, that the patient is given time to think before signing the declaration of consent, and that the patient is given the opportunity to approve the content of the post, cannot lead to a different result.

In a situation such as the present one, in the Danish Data Protection Authority's view, stricter requirements apply to the assessment of consent as a basis for the processing of personal data about patients, having regard to the category of information to which the processing relates, the intrusive nature of the processing in the form of publication, and the fact that a patient relationship exists. It is therefore the Danish Data Protection Authority's assessment that the condition in Article 4, no. 11, of the Data Protection Regulation that a consent must be voluntary cannot be considered fulfilled.

On this basis, the Danish Data Protection Authority finds that the publication of personal data about patients on AUH's Instagram account is not in accordance with the Data Protection Regulation, Article 9, subsection 2, letter a, and Article 6, subsection 1, letter a, cf. article 4, no. 11.

The Danish Data Protection Authority notes that the objective of informing the outside world about the hospital's operations and recruiting employees can be achieved in a way that is less intrusive to the fundamental rights of the persons concerned, in particular their right to respect for private life and to the protection of personal data.

The Danish Data Protection Authority therefore finds that Region Central Jutland's processing of personal data is also not in accordance with the principles in the data protection regulation, article 5, subsection 1.

5.2.

The Danish Data Protection Authority finds grounds for expressing serious criticism of Region Central Jutland's processing of personal data.

Furthermore, pursuant to Article 58, subsection 2, letter d, of the Data Protection Regulation, the Danish Data Protection Authority issues an order for Region Central Jutland to delete posts containing health information about patients from the Instagram account auhdk.

The order covers all photos of identifiable patients posted on that account.

The deadline for compliance with the order is 4 weeks from today's date. The region of Midtjylland is asked – within the same deadline – to inform the Danish Data Protection Authority that the order has been complied with.

The Danish Data Protection Authority draws attention to the fact that, according to the Data Protection Act § 41, subsection 2, no. 5, it is a criminal offence to fail to comply with an order issued by the Danish Data Protection Authority in accordance with Article 58, subsection 2, of the Data Protection Regulation. Pursuant to section 41, subsection 6, 2nd point, public authorities can also be punished.

5.3.

In conclusion, the Danish Data Protection Authority adds that in its decision the Danish Data Protection Authority has not taken a position on the question of a breach of the rules on confidentiality in the Health Act.

As regards compliance with the rules on storage according to the data protection regulation, article 5, subsection 1, letter e, the Danish Data Protection Authority must encourage the Central Jutland Region to pay attention to this in general, so that general deadlines are set for the storage of personal data, where such deadlines do not follow from health law regulations.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general data protection regulation)

[2]    By making use of highlights, it becomes possible to save the stories that otherwise disappear after 24 hours. The use of highlights thus means that the stories can still be accessed by other users after 24 hours.

[3] EDPB Guidelines 05/2020 on consent under Regulation 2016/679, section 3.1, pp. 7-14, and the Danish Data Protection Authority's guidance on consent, May 2021, section 2.3, pp. 5-10.

[4] EDPB Guidelines 05/2020 on consent under Regulation 2016/679, section 5.1, point 107.

The Norwegian Data Protection Authority

Carl Jacobsens Vej 35
2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk

About us

About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement

Shortcuts

Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme

follow us

The Norwegian Data Protection Authority on LinkedIn

Hospital cannot use consent to publish pictures of patients on Instagram

Date: 27-11-2023

Decision Public authorities Serious criticism Injunction Supervision / self-operating case Basis of processing Images and video Processed by the Data Council

In an independent case, the Data Protection Authority has assessed that the publication of information about patients on Instagram by Aarhus University Hospital (Central Jutland Region) cannot be done within the framework of the data protection legal regulations.

Journal number: 2023-432-0016.

1. Preliminary remarks

The Danish Data Protection Authority hereby returns to the case, where on 19 December 2022 the Danish Data Protection Authority initiated an investigation of its own initiative into Aarhus University Hospital's (AUH) publication of pictures of patients with associated information about the patients' health conditions on Instagram.

2. Decision and order

The Danish Data Protection Authority finds – after the case has been submitted to the Data Council – that Region Central Jutland's processing of personal data in connection with the publication of photos of patients on AUH's Instagram account is not in accordance with the Data Protection Regulation[1] Article 9, subsection 2, letter a, and Article 6, subsection 1, letter a, cf. article 4, no. 11.

Furthermore, the Danish Data Protection Authority finds that the processing is not in accordance with the principles of the data protection regulation, article 5, subsection 1.

Against this background, the Danish Data Protection Authority expresses serious criticism of the Central Jutland Region.

Furthermore, the Data Protection Authority announces pursuant to the data protection regulation article 58, subsection 2, letter d, order for Region Central Jutland to delete posts containing health information about patients from the Instagram account auhdk.

The injunction includes all photos of identifiable patients posted on that account.

The deadline for compliance with the order is 4 weeks from today's date. The region of Midtjylland is asked – within the same deadline – to inform the Danish Data Protection Authority that the order has been complied with.

The Norwegian Data Protection Authority draws attention to the fact that, according to the Data Protection Act § 41, subsection 2, no. 5, it is a criminal offense to fail to comply with an order issued by the Danish Data Protection Authority in accordance with Article 58, subsection of the Data Protection Regulation. 2. Pursuant to section 41, subsection 6, 2nd point, public authorities can also be punished.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

3. Case presentation

Based on a complaint from a citizen about a picture of the person in question on AUH's Instagram account, on 19 December 2022 the Data Protection Authority initiated a closer investigation of its own operation vis-à-vis Region Central Jutland as the data controller for the processing of personal data on the Instagram account auhdk.

Through this investigation, the Danish Data Protection Authority was able to establish that information in the form of pictures, in some cases names and information, which directly or indirectly in several cases constitute information about health conditions, had been published on AUH's Instagram account. The information predominantly concerns natural persons, including children and young people, who can be directly identified from the postings.

The Instagram account regularly publishes pictures and videos of daily life at AUH. The images show patients, staff and relatives and are shared as posts or in stories that either disappear after 24 hours or are saved as a highlight[2] that can be accessed later.

The account, which has been active since June 2015, has more than 15,000 followers and more than 1,400 posts have been shared. When reviewing the account, it was also found that there were posts with pictures of and information about patients from 2016.

By letters of 16 January and 16 March 2023, Region Central Jutland has answered a number of questions from the Data Protection Authority.

3.1.

Region Midtjylland has stated the following in its responses about the purpose of the postings on Instagram:

"The information at auhdk is processed with the aim of informing the outside world about the hospital's operations. The notices focus on general information for citizens regarding health and/or the daily life of the hospital. The posts often have a personal angle to make the communication more present and relevant"

In addition, it appears from the region's "Guidelines for lending - Instagram takeovers", which the region has submitted in connection with answering questions from the Data Protection Authority, that the purpose of the postings is to recruit new employees.

The guidelines also state that the region lends the Instagram account to various departments at the hospital (a so-called "takeover"). At least one post per day must be published in connection with the individual departments' takeovers lasting one week, and employees are encouraged to use hashtags and respond to any comments. Region Central Jutland has stated that the notices are generally made by a limited circle of employees in the hospital's communications department. However, it is the individual departments at the hospital that prepare the notices that are published during the weekly "takeovers", where you follow different departments at the hospital.

3.2.

Region Midtjylland has generally stated that notices containing information about citizens, including patients, are published pursuant to Article 6, paragraph 1 of the Data Protection Regulation. 1, letter a, and Article 9, subsection 2, letter a. Consent is obtained in writing prior to the publication of the notice, and the giving of consent does not affect the healthcare treatment offered to the patient. When selecting patients, consideration is given to the individual's physical health and income, and the patient is given time to think before signing the consent form. The patient is also given the opportunity to approve the content of the posting. Region Central Jutland has stated that the criterion of voluntariness is met, as the patients have a real free choice in relation to whether they want their personal data published on Instagram.

Region Midtjylland has stated in this connection that the region, in view of, among other things, the relationship of trust between the hospital/region and the patients, has not been able to identify a more suitable legal basis for the processing in question in the case.

3.3.

Regarding the principle in the data protection regulation, article 5, subsection 1, letter a, on lawfulness, fairness and transparency, Region Central Jutland has stated that the processing is lawful, as it is based on consent from the data subjects. The criteria of fairness and transparency are also observed in that the processing is based on consent. This must be seen in the light of the fact that the publication of information is voluntary, and that the publication thereby always takes place in agreement with the patient.

Regarding the principle of data minimisation in the data protection regulation, article 5, subsection 1, letter c, Region Midtjylland has stated that no more personal data is processed than is necessary for the purpose. In order to limit the processing of personal data, the region pays attention to whether information such as social security numbers, names or other information appears on e.g. monitors, medical records and patient bracelets in the images. There is a general focus on not publishing images of patients in situations that may seem offensive, transgressive or otherwise inappropriate. In addition, in the proportionality assessment, weight should be given to the fact that the publication of the information is based on voluntariness and consent.

As far as the principle of storage limitation in the data protection regulation, article 5, subsection 1, letter e, is concerned, the region states that the principle is observed in that the registered person has the opportunity to request deletion. If the registered person requests this, the post will be removed from Region Central Jutland's own social media.

Region Midtjylland has stated that, at the time of the Danish Data Protection Authority's initiation of the investigation, the region had not decided on a general erasure deadline for processing information on social media.

4. Legal basis

4.1.

Processing of personal data can take place if one of the conditions in the data protection regulation, article 6, subsection 1, is fulfilled, while the processing of health information is generally prohibited. However, processing of health information can still take place if the data controller can identify an exception in the regulation's Article 9, subsection 2.

It follows from the data protection regulation's article 9, subsection 2, letter a, that the processing of health information – as an exception to the prohibition in subsection 1 – can take place if the data subject has given express consent to the processing of his personal data for one or more specific purposes.

Consent from the data subject is defined in Article 4, No. 11 of the Data Protection Regulation as:

"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

The European Data Protection Board (EDPB) has adopted guidelines on consent, where the understanding of the regulation's definition of a consent – including the requirement of voluntariness – is described[3].

According to the EDPB's guidelines, a consent cannot generally be considered to have been given voluntarily if the data subject does not have a real free choice. Any form of inappropriate pressure or influence on the data subject's free will means that the consent is invalid.

Furthermore, it follows from recital no. 43 of the preamble to the data protection regulation:

"[…] In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation."

Accordingly, it follows from the EDPB's guidelines on consent that there is only a narrow scope for public authorities to rely on consent.

4.2.

In order to be valid, a consent must also meet the conditions in Article 7 of the Data Protection Regulation.

It follows from the data protection regulation's article 7, subsection 1, that if processing is based on consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of his personal data.

The provision implies that the data controller has an express obligation to demonstrate that a data subject has given valid consent to the processing of that person's personal data[4]. The requirement not only implies that the data controller can demonstrate that the data subject has given consent to the processing, but also that the obtained consent meets all relevant criteria for a valid consent – thus also the requirement of voluntariness.

4.3.

It follows from the data protection regulation's article 5, subsection 1, letter a, that personal data must be processed legally, fairly and in a transparent manner in relation to the data subject ("legality, fairness and transparency").

Furthermore, it appears from preamble no. 39 to the data protection regulation, among other things, that personal data should only be processed if the purpose cannot reasonably be fulfilled in another way.

5. Reason for the Data Protection Authority's decision

5.1.

Processing of personal data, for example images with accompanying text, can take place if one of the conditions in the data protection regulation, article 6, subsection 1, is fulfilled, while the processing of health information is generally prohibited. Processing of health information can, however, take place if the data controller can identify an exception in the regulation's article 9, subsection 2. In addition, the basic principles for processing personal data in Article 5 must be met.

On the basis of the information in the case, the Danish Data Protection Authority must assume that a number of personal data on identifiable persons are processed on AUH's Instagram account, including information on patients covered by Article 6 of the Data Protection Regulation and information covered by Article 9 of the Regulation on special categories of personal data in the form of health information.

When assessing whether the information constitutes health information, the Danish Data Protection Authority has, among other things, placed emphasis on the fact that the images in question are in several cases accompanied by information about the hospital department and information about what is wrong with the patient or what the patient needs to be examined for. In relation to images of patients during "takeovers", it is possible to derive concrete information about the department the patient is admitted to or is being treated at, as the name of the individual department being followed is disclosed during a takeover.

The pictures of the patients are publicly available and can be accessed by anyone, regardless of whether the viewer has an Instagram account.

Consent as a legal basis for processing is set out in the data protection regulation, article 6, subsection 1, letter a.

It follows from the requirement for express consent under the regulation's article 9, subsection 2, letter a, as well as the requirement of demonstrability under Article 7, subsection 1, that there must be no doubt about the validity of the consent.

When assessing whether a consent meets the conditions in Article 4, no. 11, the validity of the consent must be assessed on the basis of the relevant circumstances at the time the consent was obtained. This means that the situation of the registered person must be taken into account in, among other things, the question of whether a consent can be considered voluntary.

The Danish Data Protection Authority considers that weight should be given to the circumstances a patient typically finds themselves in, since a patient who is hospitalised or undergoing treatment in a hospital is generally in a vulnerable situation.

It is the Danish Data Protection Authority's assessment that such a vulnerability creates an inequality between the patient and the hospital and the hospital's staff, which may entail a risk that the patient may feel pressured when a request for consent is made.

The fact that Aarhus University Hospital is a public authority offering a healthcare service that the registered person needs can also affect the patient's experience of having a real free choice, or create pressure on the patient.

When assessing whether public authorities can use consent as a legal basis for processing, it is relevant whether the data controller and the data subject can be considered equal in the specific situation, and whether the data subject experiences a real free choice.

The Danish Data Protection Authority has attached importance to the fact that the starting point for public authorities' processing of personal data is that consent under the data protection regulation cannot be used as a legal basis for processing, because of the built-in unequal relationship between the data controller and the registered citizen. The Danish Data Protection Authority has found no basis for deviating from this starting point, as the data controller and the data subject in the specific situation cannot be considered to be equal.

The statement by Region Midtjylland that the individual's physical health and income are taken into account in the selection of patients, that the patient is given time to think before signing the declaration of consent, and that the patient is given the opportunity to approve the content of the notice, cannot lead to a different result.

In a situation such as the present one, in the Data Protection Authority's view, stricter requirements apply to the assessment of consent as a legal basis for the processing of personal data about patients, with reference to the category of information to which the processing relates, the intrusive nature of the processing in the form of publication, and the fact that a patient relationship exists. It is therefore the Danish Data Protection Authority's assessment that the condition that a consent under Article 4, no. 11 of the Data Protection Regulation must be voluntary cannot be considered fulfilled.

On this basis, the Danish Data Protection Authority finds that the publication of personal data about patients on AUH's Instagram account is not in accordance with the Data Protection Regulation, Article 9, subsection 2, letter a, and Article 6, subsection 1, letter a, cf. article 4, no. 11.

The Danish Data Protection Authority notes that the objective of informing the outside world about the hospital's operations and recruiting employees can be achieved in a way that is less intrusive to the fundamental rights of the persons concerned, in particular their right to respect for privacy and to the protection of personal data.

The Danish Data Protection Authority therefore finds that Region Central Jutland's processing of personal data is also not in accordance with the principles in the data protection regulation, article 5, subsection 1.

5.2.

The Danish Data Protection Authority finds grounds for expressing serious criticism of Region Central Jutland's processing of personal data.

Furthermore, the Data Protection Authority, pursuant to the data protection regulation article 58, subsection 2, letter d, issues an order to Region Central Jutland to delete posts containing health information about patients from the Instagram account auhdk.

The injunction includes all photos of identifiable patients posted on that account.

The deadline for compliance with the order is 4 weeks from today's date. Region Midtjylland is asked, within the same deadline, to inform the Danish Data Protection Authority that the order has been complied with.

The Danish Data Protection Authority draws attention to the fact that, according to the Data Protection Act § 41, subsection 2, no. 5, it is a criminal offence to fail to comply with an order issued by the Danish Data Protection Authority in accordance with Article 58, subsection 2, of the Data Protection Regulation. Pursuant to section 41, subsection 6, 2nd point, public authorities can also be punished.

5.3.

In conclusion, the Danish Data Protection Authority adds that in its decision the Danish Data Protection Authority has not taken a position on the question of a breach of the rules on confidentiality in the Health Act.

As regards compliance with the rules on storage under the data protection regulation, article 5, subsection 1, letter e, the Danish Data Protection Authority encourages the Central Jutland Region to pay attention to this in general, so that general deadlines are set for the storage of personal data where such deadlines do not follow from health law regulations.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general data protection regulation)

[2] By making use of highlights, it becomes possible to save the stories that otherwise disappear after 24 hours. The use of highlights thus means that the stories can still be accessed by other users after 24 hours.

[3] EDPB Guidelines 05/2020 on consent under Regulation 2016/679, section 3.1, pp. 7-14, and the Danish Data Protection Authority's guidance on consent, May 2021, section 2.3, pp. 5-10.

[4] EDPB Guidelines 05/2020 on consent under Regulation 2016/679, section 5.1, point 107.